637.1 EFO trigger proving

Activate EFO; measure timing/sequence (354). Proof confirms HVM bollard response.

Start by defining the allowed Request→Authorize→Execute path for the Emergency Fast Operation (EFO) initiator and the expected rise/fall sequence per 354 EFO & overrides. Time each stage (initiation, actuator response, barrier motion, annunciation) and record tolerances. If using a hydraulic accumulator (EFO) or stored-energy module, capture pre-charge/pressure before and after tests to prove consistency across repeats.

Document the lane’s EFO trigger hierarchy (local mushroom, guarded key, remote command, BMS/PSIM) and verify authorization levels match the authorization hierarchy. Where lanes are grouped, test one-lane and multi-lane EFO to check current draw, Ops/hour impact, and annunciation priority.

637.2 Safety interlocks in EFO

Show beams/loops still enforced (343). Interlocks protect crash rated bollard users during EFO.

Confirm that photo-eyes, induction loops and any safety relays remain active during EFO, with forbidden states blocked by the interlock matrix (352). Prove that an occupied beam or loop inhibits raise and triggers an appropriate first-out alarm. Re-test at night and under sun-glare to check receiver gain and nuisance-trip margins.

637.3 Recovery & cooldown

Time reset and cooling intervals. Recovery keeps HVM bollard availability high (525).

Define the reset hierarchy and the cooldown interval after an EFO. For hydraulic HPUs (512), log oil temp and standby pressure; for electromechanical drives (513), log motor/drive thermal alarms and STO behavior. Demonstrate automatic return from Safe Local Mode to normal operation once conditions clear, as defined in 525 Modes of Operation.

637.4 Power fail behavior

Simulate outages, brownouts, phase loss (518). Behavior must not undermine crash rated bollard safety.

Test ride-through and fallback: mains loss, brownout, phase loss, and generator/UPS transfer (see 518 Power Failure Modes). Verify fail-state philosophy: fail-safe (up) vs fail-secure (down). Measure recovery sequencing, alarm latching, and any manual actions required to restore protected operation.

637.5 Comms loss behavior

Pull network; confirm safe degradation (535). Degradation preserves HVM bollard control.

Disconnect SCADA/BMS links and simulate switch failures per 535 Networks & Cyber Basics. The lane should enter a defined degraded state with local controls and safety devices intact, clear annunciation, and a bounded response window for operator action.

637.6 Sensor fault handling

Inject faults; verify alarms and inhibits (536). Handling prevents crash rated bollard surprises.

Introduce open/short faults on loops and beams, misalign a photo-eye, and spoof inputs to validate 536 Alarm Philosophy. Confirm latched faults, nuisance alarm control, and Category 0/1/2 stop behavior. Capture COS logs and trend markers for the evidence pack.

637.7 Manual release drills

Practice manual overrides and logs (355). Drills protect HVM bollard resilience.

Rehearse the manual release path from alarm to restore, including manual hand-pump (HPU), mechanical bypasses, and local mode selection (see 355 Fail-safe/secure states). Verify two-person rule where required, signage, and that post-event a reset-to-normal checklist is followed to avoid latent inhibits.

637.8 Evidence & logs

Store trends, counters, and photos (716). Evidence anchors crash rated bollard approvals (938).

Define an EFO evidence log that cross-references 541 Remote Fault Logging, 544 Dashboards, and the 938 Submission-Pack Guidance. Photos should follow the wide→detail photo set pattern and include panel/HMI screens with timestamp sync.

637.9 Lessons & updates

Feed changes into 537 and 711. Updates improve HVM bollard documents.

Run a short AAR after the EFO/failure-mode campaign. Raise 718 change log entries, update the 537 change control, and amend the FDS (711) and ITP (714) so future SATs re-verify the fixes. Where UAE approvals apply, include a brief note for SIRA on any operational impacts.

637 EFO & Failure Modes — FAQ