Railway applications - Systematic allocation of safety integrity requirements

The scope of this Technical Report is to define a method to determine the required Safety Integrity Level of railway signalling equipment, taking into consideration
• the operational conditions of the railway, and
• the architecture of the signalling system.
From a mechanistic point of view, the task of this Technical Report is to define a method of calculation which determines the integrity requirements (qualitatively and quantitatively) from the inputs stated above.

Bahnanwendungen — Systematische Zuordnung von Sicherheitsintegritätsanforderungen

Applications ferroviaires - Allocation systématique des exigences d'intégrité de la sécurité

Železniške naprave – Sistematična razporeditev zahtev varnostne integritete

General Information

Status: Withdrawn
Publication Date: 15-May-2007
Current Stage: 9960 - Withdrawal effective - Withdrawal
Completion Date: 24-Oct-2018

Buy Standard

Technical report
TP CLC/TR 50451:2007
English language
87 pages

Standards Content (Sample)


SLOVENIAN STANDARD
1 October 2007
Replaces SIST R009-004:2002
Železniške naprave – Sistematična razporeditev zahtev varnostne integritete
Railway applications - Systematic allocation of safety integrity requirements
Bahnanwendungen — Systematische Zuordnung von Sicherheitsintegritätsanforderungen
Applications ferroviaires - Allocation systématique des exigences d'intégrité de la sécurité
This Slovenian standard is identical to: CLC/TR 50451:2007
ICS:
45.020 Railway engineering in general
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

TECHNICAL REPORT
CLC/TR 50451
RAPPORT TECHNIQUE
May 2007
TECHNISCHER BERICHT
ICS 45.020; 93.100 Supersedes R009-004:2001

English version
Railway applications – Systematic allocation of safety integrity requirements

Applications ferroviaires – Allocation systématique des exigences d'intégrité de la sécurité
Bahnanwendungen – Systematische Zuordnung von Sicherheitsintegritätsanforderungen

This Technical Report was approved by CENELEC on 2006-02-18.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Cyprus, the
Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia,
Slovenia, Spain, Sweden, Switzerland and the United Kingdom.

CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung

Central Secretariat: rue de Stassart 35, B - 1050 Brussels

© 2007 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. CLC/TR 50451:2007 E
Foreword
This Technical Report was prepared by SC 9XA, Communication, signalling and processing systems, of
Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways.

The text of the draft was circulated for vote in accordance with the Internal Regulations, Part 2,
Subclause 11.4.3.3 and was approved by CENELEC as CLC/TR 50451 on 2006-02-18.

This Technical Report supersedes R009-004:2001.
__________
- 3 - CLC/TR 50451:2007
Contents
Executive summary . 4
Introduction . 7
1 Scope. 8
2 References. 9
2.1 Normative references. 9
2.2 Informative references. 9
3 Definitions. 10
4 Symbols and abbreviations . 17
5 Safety Integrity Levels allocation framework . 18
5.1 Prerequisites. 18
5.2 Overview of the methodology . 18
5.3 Definition of Safety Integrity Levels. 22
5.4 Qualitative vs quantitative methods . 23
5.4.1 Qualitative assessment. 23
5.4.2 Quantitative assessment. 24
5.5 EN 50126-1 lifecycle context . 25
6 System definition. 27
7 Hazard identification. 28
7.1 General principles. 28
7.2 Empirical hazard identification methods. 30
7.3 Creative hazard identification methods. 30
7.4 Hazard ranking. 31
7.5 Existing hazard lists. 31
8 Risk analysis. 31
8.1 Risk tolerability. 31
8.2 Determination of Tolerable Hazard Rate. 32
8.2.1 Qualitative risk analysis . 32
8.2.2 Quantitative risk analysis. 34
8.2.3 GAMAB and similar approaches. 40
8.2.4 The MEM approach. 41
8.2.5 Other approaches. 42
9 System design analysis. 42
9.1 Apportionment of safety integrity requirements to functions. 43
9.1.1 Physical independence. 44
9.1.2 Functional independence. 45
9.1.3 Process independence. 46
9.2 Use of SIL tables . 46
9.3 Identification and treatment of new hazards arising from design. 47
9.4 Determination of function and subsystem SIL. 48
9.5 Determination of safety integrity requirements for system elements . 50

Annex A Single-line signalling system example. 52
Annex B Level crossing example. 67
Annex C Comparison of demand and continuous mode . 77
Annex D Frequently asked questions . 87

Executive summary
This Technical Report presents a systematic methodology to determine safety integrity requirements for
railway signalling equipment, taking into account the operational environment and the architectural design
of the signalling system.
At the heart of this approach is a well defined interface between the operational environment and the
signalling system. From the safety point of view this interface is defined by a list of hazards and tolerable
hazard rates associated with the system. It should be noted that the purpose of this approach is not to
limit co-operation between suppliers and railway authorities but to clarify responsibilities and interfaces.

It is the task (summarized by the term Risk Analysis) of the Railway Authority
• to define the requirements of the railway system (independent of the technical realisation),
• to identify the hazards relevant to the system,
• to derive the tolerable hazard rates, and
• to ensure that the resulting risk is tolerable (with respect to the appropriate risk tolerability criteria).

Figure 0.1 - Global process overview (figure not reproduced; stages legible in the residue: System Definition, System Design Analysis)

The only requirement is that the tolerable hazard rates must be derived taking into account the risk
tolerability criteria. Risk tolerability criteria are not defined by this Technical Report, but depend on
national or European legislative requirements.

Among the risk analysis methods two are proposed in order to estimate the individual risk explicitly, one
more qualitative, the other more quantitative. Other methods, similar to the GAMAB principle, do not
explicitly determine the resulting risks, but derive the tolerable hazard rates from comparison with the
performance of existing systems, either by statistical or analytical methods. Alternative qualitative
approaches are acceptable, if as a result they define a list of hazards and corresponding THR. The
specification of the system requirements comprising performance and safety (THR) terminates the
Railway Authority’s task.
Figure 0.2 - Example Risk Analysis process (figure not reproduced; labels legible in the residue: Near misses, System Definition with Target, System Design Analysis)

The supplier’s task (summarized by the term System Design Analysis) comprises
• definition of the system architecture,
• analysis of the causes leading to each hazard,
• determination of the safety integrity requirements (SIL and hazard rates) for the subsystems,
• determination of the reliability requirements for the equipment.

Causal analysis consists of two key stages. In the first phase the tolerable hazard rate for each hazard is
apportioned to a functional level. Safety Integrity Levels (SIL) are defined at this functional level for the
subsystems implementing the functionality. The hazard rate for a subsystem is then translated to a SIL
using the SIL table.
During the second phase the hazard rates for subsystems are further apportioned, leading to failure rates
for the equipment, but at this physical implementation level the SIL remains unchanged. Consequently
the software SIL defined by EN 50128 would also be the same as the subsystem SIL, apart from the
exceptions described in EN 50128.

The apportionment process may be performed by any method which allows a suitable representation of
the combination logic, e.g. reliability block diagrams, fault trees, binary decision diagrams, Markov models
etc. In any case particular care must be taken when independence of items is required. While in the first
phase of the causal analysis functional independence is required, physical independence is sufficient in
the second phase. Assumptions made in the causal analysis must be checked and may lead to safety-
relevant application rules for the implementation.

Figure 0.3 - Example System Design Analysis process (figure not reproduced). Recoverable content: input "From Risk Analysis: list of hazards and THR"; process boxes "System architecture", "Check independence assumptions", "Determine THR and SIL for subsystems" (using the SIL table), "Apportion hazard rates to elements"; output "SIL and FR for elements". The fault-tree fragment shows the level-crossing hazards "Late or no switch-in" and "LC set back to normal position" with the causes "Undetected failure of power supply", "Undetected failure of road-side warnings" and "Undetected failure of LC controller" (rates of 1E-7 shown at the subsystem level), the road-side warnings failure further decomposed into "Undetected failure of light signals" and "Undetected failure of barriers" (7E-6 each at the element level), and the switch-in failure decomposed into "Undetected failure of switch-in function" and "Undetected failure of distant signal".
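The two-phase causal analysis described above (apportion a hazard's THR to function-level subsystems through the combination logic, translate each subsystem's rate to a SIL with the SIL table, and verify the independence assumptions behind any AND gate) can be made concrete with a small fault-tree calculation. The following Python is an added example, not code from the Technical Report or CENELEC; the SIL bands it uses are the EN 50129 ranges (per hour per function) which the page only refers to as "the SIL table", and the level-crossing tree, its rates, its exposure window and the THR of 3E-7/h are constructed values chosen to resemble Figure 0.3, not taken from the report.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed SIL table: THR bands per hour per function as given in EN 50129
# (Table E.1); the page refers to "the SIL table" without reproducing it.
SIL_TABLE = [
    (1e-9, 1e-8, 4),
    (1e-8, 1e-7, 3),
    (1e-7, 1e-6, 2),
    (1e-6, 1e-5, 1),
]


def sil_from_thr(thr: float) -> int:
    """Translate a hazard rate (per hour) into a SIL.

    Returns 0 when the rate is above the SIL 1 band (no SIL required).
    A rate below the SIL 4 band cannot be met by a single function and the
    function must be split further, so such a rate is rejected here."""
    if thr < 1e-9:
        raise ValueError(f"THR {thr:g}/h is below the SIL 4 band; decompose the function")
    for low, high, sil in SIL_TABLE:
        if low <= thr < high:
            return sil
    return 0


@dataclass
class Node:
    """A fault-tree node: a basic event (rate set) or an OR/AND gate."""
    name: str
    gate: Optional[str] = None          # None for a basic event, else "OR" or "AND"
    rate: Optional[float] = None        # failure rate per hour for basic events
    children: List["Node"] = field(default_factory=list)
    independent: bool = True            # AND-gate assumption that has to be verified
    exposure_h: float = 1.0             # time a first AND input stays undetected (hours)


def hazard_rate(node: Node) -> float:
    """Rate per hour at which the event represented by `node` occurs.

    OR gate: rare-event approximation, the input rates add up.
    AND gate: product of the input rates times exposure^(n-1); this is only
    valid when the inputs are independent, so the assumption is checked
    rather than silently taken for granted."""
    if node.gate is None:
        return node.rate
    rates = [hazard_rate(c) for c in node.children]
    if node.gate == "OR":
        return sum(rates)
    if node.gate == "AND":
        if not node.independent:
            raise ValueError(f"{node.name}: AND gate inputs are not independent")
        product = 1.0
        for r in rates:
            product *= r
        return product * node.exposure_h ** (len(rates) - 1)
    raise ValueError(f"{node.name}: unknown gate {node.gate}")


def apportion(hazard: Node, thr: float) -> Tuple[bool, float, Dict[str, Tuple[float, int]]]:
    """Phase one of the causal analysis for a single hazard.

    Returns (meets_thr, computed_rate, allocation), where allocation maps each
    function-level input of the hazard to its hazard rate and resulting SIL."""
    total = hazard_rate(hazard)
    allocation = {}
    for child in hazard.children:
        r = hazard_rate(child)
        allocation[child.name] = (r, sil_from_thr(r))
    return total <= thr, total, allocation


# Constructed level-crossing tree in the spirit of Figure 0.3 (illustrative values,
# not taken from the Technical Report).
road_side = Node("undetected failure of road-side warnings", gate="AND", exposure_h=2000.0,
                 children=[Node("undetected failure of light signals", rate=7e-6),
                           Node("undetected failure of barriers", rate=7e-6)])
late_switch_in = Node("late or no switch-in of the level crossing", gate="OR",
                      children=[Node("undetected failure of power supply", rate=1e-7),
                                road_side,
                                Node("undetected failure of LC controller", rate=1e-7)])
THR_LATE_SWITCH_IN = 3e-7   # assumed output of the railway authority's risk analysis


if __name__ == "__main__":
    ok, total, alloc = apportion(late_switch_in, THR_LATE_SWITCH_IN)
    print(f"hazard rate {total:.3g}/h, THR met: {ok}")
    for name, (rate, sil) in alloc.items():
        print(f"  {name}: {rate:.3g}/h -> SIL {sil}")
```

The point the calculation makes visible is the one the text stresses: the AND gate's credit for redundancy between light signals and barriers depends entirely on their independence and on how long a first failure can stay undetected, so those two inputs become application rules that the implementation must honour, and a subsystem whose allocated rate falls just below 1E-7/h lands in a higher SIL than its neighbours.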

Both the risk analysis and the system design analysis have to be approved by the Railway Safety
Authority.
However, whilst the risk analysis may be carried out once at the railway level, the system design analysis
must be performed for every new architecture. It is prudent to review both the risk analysis and the system
design analysis when safety-related changes are introduced.

Introduction
Historically the interoperability of European railways was not only hindered by incompatible technology
but also by different approaches towards safety. The common European market is the main driving force
behind the harmonisation of the different safety cultures. In a joint pan-European effort comprehensive
safety standards have been established for railway signalling by the European Electrotechnical
Standardisation Committee CENELEC:

• EN 50126-1, Railway applications - The specification and demonstration of Reliability, Availability,
Maintainability and Safety (RAMS) - Part 1: Basic requirements and generic
...
