Railway applications - Systematic allocation of safety integrity requirements

The scope of this Technical Report is to define a method to determine the required Safety Integrity Level of railway signalling equipment, taking into consideration the operational conditions of the railway and the architecture of the signalling system. From a mechanistic point of view the task of this Technical Report is to define a method of calculation which determines the integrity requirements (qualitatively and quantitatively) from the inputs stated above.

Bahnanwendungen — Systematische Zuordnung von Sicherheitsintegritätsanforderungen

Applications ferroviaires - Allocation systématique des exigences d'intégrité de la sécurité

Železniške naprave – Sistematična razporeditev zahtev varnostne integritete

General Information

Status
Withdrawn
Publication Date
15-May-2007
Current Stage
9960 - Withdrawal effective - Withdrawal
Start Date
24-Oct-2018
Completion Date
23-Sep-2025

Relations

Technical report
TP CLC/TR 50451:2007
English language
87 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-October-2007
Replaces:
SIST R009-004:2002
Železniške naprave – Sistematična razporeditev zahtev varnostne integritete
Railway applications - Systematic allocation of safety integrity requirements
Bahnanwendungen — Systematische Zuordnung von Sicherheitsintegritätsanforderungen
Applications ferroviaires - Allocation systématique des exigences d'intégrité de la sécurité
This Slovenian standard is identical to: CLC/TR 50451:2007
ICS:
45.020 Railway engineering in general
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.

TECHNICAL REPORT
CLC/TR 50451
RAPPORT TECHNIQUE
May 2007
TECHNISCHER BERICHT
ICS 45.020;93.100 Supersedes R009-004:2001

English version
Railway applications –
Systematic allocation of safety integrity requirements

Applications ferroviaires – Allocation systématique des exigences d'intégrité de la sécurité
Bahnanwendungen – Systematische Zuordnung von Sicherheitsintegritätsanforderungen

This Technical Report was approved by CENELEC on 2006-02-18.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Cyprus, the
Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia,
Slovenia, Spain, Sweden, Switzerland and the United Kingdom.

CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung

Central Secretariat: rue de Stassart 35, B - 1050 Brussels

© 2007 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. CLC/TR 50451:2007 E
Foreword
This Technical Report was prepared by SC 9XA, Communication, signalling and processing systems, of
Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways.

The text of the draft was circulated for vote in accordance with the Internal Regulations, Part 2,
Subclause 11.4.3.3 and was approved by CENELEC as CLC/TR 50451 on 2006-02-18.

This Technical Report supersedes R009-004:2001.
- 3 - CLC/TR 50451:2007
Contents
Executive summary . 4
Introduction . 7
1 Scope. 8
2 References. 9
2.1 Normative references. 9
2.2 Informative references. 9
3 Definitions. 10
4 Symbols and abbreviations . 17
5 Safety Integrity Levels allocation framework . 18
5.1 Prerequisites. 18
5.2 Overview of the methodology . 18
5.3 Definition of Safety Integrity Levels. 22
5.4 Qualitative vs quantitative methods . 23
5.4.1 Qualitative assessment . 23
5.4.2 Quantitative assessment . 24
5.5 EN 50126-1 lifecycle context . 25
6 System definition. 27
7 Hazard identification. 28
7.1 General principles. 28
7.2 Empirical hazard identification methods. 30
7.3 Creative hazard identification methods. 30
7.4 Hazard ranking. 31
7.5 Existing hazard lists. 31
8 Risk analysis. 31
8.1 Risk tolerability. 31
8.2 Determination of Tolerable Hazard Rate. 32
8.2.1 Qualitative risk analysis . 32
8.2.2 Quantitative risk analysis. 34
8.2.3 GAMAB and similar approaches. 40
8.2.4 The MEM approach. 41
8.2.5 Other approaches. 42
9 System design analysis. 42
9.1 Apportionment of safety integrity requirements to functions. 43
9.1.1 Physical independence . 44
9.1.2 Functional independence . 45
9.1.3 Process independence. 46
9.2 Use of SIL tables . 46
9.3 Identification and treatment of new hazards arising from design. 47
9.4 Determination of function and subsystem SIL. 48
9.5 Determination of safety integrity requirements for system elements . 50

Annex A Single-line signalling system example. 52
Annex B Level crossing example. 67
Annex C Comparison of demand and continuous mode . 77
Annex D Frequently asked questions . 87

Executive summary
This Technical Report presents a systematic methodology to determine safety integrity requirements for
railway signalling equipment, taking into account the operational environment and the architectural design
of the signalling system.
At the heart of this approach is a well defined interface between the operational environment and the
signalling system. From the safety point of view this interface is defined by a list of hazards and tolerable
hazard rates associated with the system. It should be noted that the purpose of this approach is not to
limit co-operation between suppliers and railway authorities but to clarify responsibilities and interfaces.

It is the task (summarized by the term Risk Analysis) of the Railway Authority
• to define the requirements of the railway system (independent of the technical realisation),
• to identify the hazards relevant to the system,
• to derive the tolerable hazard rates, and
• to ensure that the resulting risk is tolerable (with respect to the appropriate risk tolerability criteria).

[Figure 0.1 - Global process overview (figure not reproduced). Boxes: Risk Analysis (Railway Authority) - System Definition - System Design Analysis (Supplier).]

The only requirement is that the tolerable hazard rates must be derived taking into account the risk
tolerability criteria. Risk tolerability criteria are not defined by this Technical Report, but depend on
national or European legislative requirements.

Among the risk analysis methods two are proposed in order to estimate the individual risk explicitly, one
more qualitative, the other more quantitative. Other methods, similar to the GAMAB principle, do not
explicitly determine the resulting risks, but derive the tolerable hazard rates from comparison with the
performance of existing systems, either by statistical or analytical methods. Alternative qualitative
approaches are acceptable, if as a result they define a list of hazards and corresponding THR. The
specification of the system requirements comprising performance and safety (THR) terminates the
Railway Authority’s task.
[Figure 0.2 - Example Risk Analysis process (figure not reproduced). Elements of the figure: near misses, System Definition with target, System Design Analysis.]

The supplier’s task (summarized by the term System Design Analysis) comprises
• definition of the system architecture,
• analysis of the causes leading to each hazard,
• determination of the safety integrity requirements (SIL and hazard rates) for the subsystems,
• determination of the reliability requirements for the equipment.

Causal analysis constitutes two key stages. In the first phase the tolerable hazard rate for each hazard is
apportioned to a functional level. Safety Integrity Levels (SIL) are defined at this functional level for the
subsystems implementing the functionality. The hazard rate for a subsystem is then translated to a SIL
using the SIL table.
During the second phase the hazard rates for subsystems are further apportioned leading to failure rates
for the equipment, but at this physical implementation level the SIL remains unchanged. Consequently
also the software SIL defined by EN 50128 would be the same as the subsystem SIL but for the
exceptions described in EN 50128.

The apportionment process may be performed by any method which allows a suitable representation of
the combination logic, e.g. reliability block diagrams, fault trees, binary decision diagrams, Markov models
etc. In any case particular care must be taken when independence of items is required. While in the first
phase of the causal analysis functional independence is required, physical independence is sufficient in
the second phase. Assumptions made in the causal analysis must be checked and may lead to safety-
relevant application rules for the implementation.

[Figure 0.3 - Example System Design Analysis process (figure not reproduced). Input from Risk Analysis: list of hazards and THR. In the example tree the hazards "Late or no switch-in" and "LC set back to normal position" (THR 1E-7 each) are traced to undetected failures of the power supply, of the road-side warnings, of the LC controller, of the switch-in function and of the distant signal (apportioned hazard rates 1E-7), and the road-side warnings further to undetected failures of the light signals and of the barriers (7E-6 each). Steps shown: check independence assumptions against the system architecture; determine THR and SIL for subsystems using the SIL table; apportion hazard rates to elements, giving SIL and FR for the elements.]

Both, the risk analysis and the system design analysis, have to be approved by the Railway Safety
Authority.
However whilst the risk analysis may be carried out once at the railway level, the system design analysis
must be performed for every new architecture. It is prudent to review the risk analysis and system design
analysis when safety related changes are introduced.

Introduction
Historically the interoperability of European railways was not only hindered by incompatible technology
but also by different approaches towards safety. The common European market is the main driving force
behind the harmonisation of the different safety cultures. In a joint pan-European effort comprehensive
safety standards have been established for railway signalling by the European Electrotechnical
Standardisation Committee CENELEC:

• EN 50126-1, Railway applications - The specification and demonstration of Reliability, Availability,
Maintainability and Safety (RAMS) - Part 1: Basic requirements and generic process

• EN 50128, Railway applications - Communications, signalling and processing systems - Software for
railway control and protection systems

• EN 50129, Railway applications - Communication, signalling and processing systems - Safety related
electronic systems for signalling

These CENELEC standards assume that safety relies both on adequate measures to prevent or tolerate
faults (as safeguards against systematic failure) and on adequate measures to control random failures.
Measures against both causes of failure should be balanced in order to achieve the optimum safety
performance of a system. To achieve this the concept of Safety Integrity Levels (SIL) is used. SILs are
used as a means of creating balance between measures to prevent systematic and random failures, as it
is agreed within CENELEC that it is not feasible to quantify systematic integrity.

A shortcoming of the CENELEC standards as of today is (similar to other related standards like
IEC 61508 1) [IEC] or ISA S84.01 [ISA]) that while the guidance on how to fulfil a particular SIL is quite
comprehensive the process and rules to derive SILs for system elements from system safety targets or
the tolerable system risk are not adequately covered. A general convincing solution to this problem is still
an open research problem, see [LM][ZD][YB2][GAM] for some divergent examples. However in order to
achieve cross-acceptance of safety cases and products for railway signalling applications it is necessary
to fill the gap.
This was recognised by SC 9XA in 1997 and consequently a working group was set up in March
1998 in order to find a joint harmonized approach, at least for railway signalling applications. This work
resulted in the publication of R009-004:2001, which is presently being converted into CLC/TR 50451.

Although the major driving forces behind this work were novel signalling applications which are required
to be interoperable throughout Europe, the scope and applicability of the approach presented in this
Technical Report should not be limited to signalling or interoperable applications.

1) The IEC 61508 series has been harmonized as the EN 61508 series "Functional safety of electrical/electronic/programmable electronic safety-related systems".
1 Scope
The scope of this Technical Report is to define a method to determine the required Safety Integrity Level
of railway signalling equipment taking into consideration
• the operational conditions of the railway, and
• the architecture of the signalling system.

The following picture may be used in order to detail more precisely the scope of this Technical Report:

[Figure 1.1 - Scope of WG A10 (figure not reproduced). Scope of WGA10 work as agreed by SC9XA: from the Unified Signalling Safety Target (individual average risk, units D/(P·h); example parameters: type of operation, speed, train density ...) to the Specific Signalling Safety Target (hazard rate, units H_SIG/(S_SIG·h) or wsf/(S_SIG·h)); given the signalling system architecture and functionality (normal, fallback ...), the allocation to functions and system elements (apportionment) results in SILs and failure rates for the system elements: Element E_1 ... E_n, SIL x_1 ... x_n, FR λ_1 ... λ_n. Legend: D = death, P = person, h = hour, H = hazard, wsf = wrong side failure, S = system, SIG = signalling.]
From a mechanistic point of view the task of this Technical Report is to define a method of calculation,
which determines the integrity requirements (qualitatively and quantitatively) from the inputs stated above.

2 References
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.

2.1 Normative references
EN 50121-5, Railway applications - Electromagnetic compatibility - Part 5: Emission and
immunity of fixed power supply installations and apparatus
[126] EN 50126-1:1999, Railway applications - The specification and demonstration of Reliability,
Availability, Maintainability and Safety (RAMS) – Part 1: Basic requirements and generic process
[128] EN 50128:2001, Railway applications - Communications, signalling and processing systems -
Software for railway control and protection systems
[129] EN 50129:2003, Railway applications - Communication, signalling and processing systems -
Safety related electronic systems for signalling

2.2 Informative references
[0056] UK Ministry of Defence, Safety Management Requirements for Defence Systems, Def Stan 00-56
[GAM] CASCADE: Generalised Assessment Method, Part II: Guidelines, ESPRIT 9032 report,
ref. CAS/IC/MK/D2.3.2/V3, 1996
[HK] Kumamoto, H. and Henley, E.: Probabilistic risk assessment and management for engineers and
scientists, IEEE Press, 1996
[IEC] Functional safety of electrical/electronic/programmable electronic safety-related systems,
IEC 61508 series
[ISA] ISA: Application of Safety Instrumented Systems for the Process Industries, ISA S84.01,
February 1996
[ISO] ISO/IEC: Information technology - System and software integrity levels, ISO/IEC 15026
[Lev95] Leveson, N. G.: Safeware - System safety and computers, Addison-Wesley, 1995
[LM] Lindsay, P. A. and McDermid, J. A.: A systematic approach to software safety integrity levels, in:
Peter Daniel (Ed.): SAFECOMP'97 , Springer Verlag, 1997, 70-82
[R01] Railway applications - Communication, signalling and processing systems - Hazardous failure
rates and Safety Integrity Levels (SIL), R009-001:1997
[RSH] Railway Signalling Hazards, Swedish National Rail Administration, Technical Report 1999:1
[SAH] System Safety Analysis Handbook, 2nd edition, System Safety Society, 1998
[VIL] Villemeur, A.: Reliability, Availability, Maintainability and Safety Assessment, Volume 1: Methods
and Techniques, Wiley, 1992
[YB2] Engineering Safety Management System, Issue 2.0, "Yellow Book", Railtrack, 1997
[ZD] Zerkani, H. and Dumolo, D.: System Safety Lifecycle Based on IEC 61508 and its Use for
Railway Applications, Proc. 16th International System Safety Conference, Sept. 14-19, 1998,
Seattle
3 Definitions
For the purpose of this Technical Report, the following definitions apply. For terms not defined here, the
following references should be consulted in order of priority:
- IEC 60050-191, International Electrotechnical Vocabulary - Chapter 191: Dependability and quality of
service
- ISO 8402, Quality vocabulary
- ISO/IEC 2382, Information technology vocabulary

3.1
accident
an unintended event or series of events that results in death, injury, loss of a system or service, or
environmental damage (EN 50129)

3.2
apportionment
a process whereby the RAMS elements for a system are sub-divided between the various items which
comprise the system to provide individual targets (EN 50126-1)

3.3
can
is possible (EN 50129)
3.4
causal analysis
analysis of the reasons how and why a particular hazard may come into existence

3.5
collective risk
a risk which is related to a group of people

3.6
common cause failure
a failure which is the result of an event(s) which causes a coincidence of failure states of two or more
components leading to a system failing to perform its required function (EN 50126-1)

3.7
common-mode fault
fault common to items which are intended to be independent

3.8
consequence analysis
analysis of events which are likely to happen after a hazard has occurred

3.9
cross-acceptance
the status achieved by a product that has been accepted by one Authority to the relevant European
Standards and is acceptable to other Authorities without the necessity for further assessment (EN 50129)

3.10
dependent failure
the failure of a set of events; the probability of which cannot be expressed as the simple product of the
unconditional probabilities of the individual events (EN 50126-1)

3.11
diversity
a means of achieving all or part of the specified requirements in more than one independent and
dissimilar manner (EN 50129)
3.12
element
a part of a product that has been determined to be a basic unit or building block. An element may be
simple or complex
3.13
environment
the surrounding objects or region or circumstances which may influence the behaviour of the system and
or may be influenced by the system (EN 50121-5)

3.14
equipment
a functional physical item (EN 50129)

3.15
error
a deviation from the intended design which could result in unintended system behaviour or failure
(EN 50129)
3.16
failure
a deviation from the specified performance of a system. A failure is the consequence of a fault or error in
a system (EN 50129)
3.17
failure cause
the circumstances during design, manufacture or use which have led to a failure (EN 50126-1, [IEC])

3.18
failure mode
the predicted or observed results of a failure cause on a stated item in relation to the operating conditions
at the time of the failure (EN 50126-1, [IEC])

3.19
failure rate
the limit, if this exists, of the ratio of the conditional probability that the instant of time, T, of a failure of a
product falls within a given time interval (t, t+Δt) and the length of this interval, Δt, when Δt tends towards
zero, given that the item is in an up state at the start of the time interval (EN 50126-1, [IEC])

3.20
fault
an abnormal condition that could lead to an error in a system. A fault can be random or systematic
(EN 50126-1, [IEC])
3.21
fault detection time
time span which begins at the instant when a fault occurs and ends when the existence of the fault is
detected (EN 50129)
3.22
fault mode
one of the possible states of a faulty product for a given required function (EN 50126-1, [IEC])

3.23
fault tree analysis
an analysis to determine which fault modes of the product, sub-products or external events, or
combinations thereof, may result in a stated fault mode of the product, presented in the form of a fault
tree (EN 50126-1, [IEC])
3.24
FMEA
an acronym meaning Failure Modes and Effects Analysis. A qualitative method of reliability analysis
which involves the study of the fault modes which can exist in every sub-product of the product and the
determination of the effects of each fault mode on other sub-products of the product and on the required
functions of the product (EN 50126-1, [IEC])

3.25
function
a mode of action or activity by which a product fulfils its purpose (EN 50126-1, [IEC])

3.26
hazard
an object, condition or state that could lead to an accident [YB2]. In the context of system safety, a
hazard is an unprotected state of the system which, under certain external conditions, leads to an accident

3.27
hazard identification
the process used to define potential hazards related to a system

3.28
hazard log
the document in which all safety management activities, hazards identified, decisions made and solutions
adopted, are recorded or referenced (EN 50126-1, [IEC])

3.29
human error
a human action (mistake), which can result in unintended system behaviour/failure (EN 50129)

3.30
independence (functional)
two items are functionally independent, if they do not have any common cause failures, neither
systematic nor random
3.31
independence (physical)
two items are physically independent, if they do not have any random common cause failures

3.32
independence (technical)
freedom from any mechanism which can affect the correct operation of more than one item (≠ EN 50129)

3.33
independence (human)
freedom from involvement in the same intellectual, commercial and/or management entity (EN 50129)

3.34
individual risk
a risk which is related to a single individual only (EN 50129)

3.35
item
element under consideration
3.36
loss analysis
analysis of safety, environmental or economical harm or damage

3.37
may
is permissible (EN 50129)
3.38
negation
enforcement of a safe state following detection of a hazardous fault (EN 50129)

3.39
negation time
time span which begins when the existence of a fault is detected and ends when a safe state is enforced
(EN 50129)
3.40
product
a collection of elements, interconnected to form a system, subsystem or item of equipment, in a manner
which meets the specified requirements (EN 50129)

3.41
railway authority
the body with the overall accountability to a Regulator for operating a railway system (EN 50126-1, [IEC])

3.42
RAMS
an acronym meaning a combination of Reliability, Availability, Maintainability and Safety (EN 50126-1,
[IEC])
3.43
random failure integrity
the degree to which a system is free from hazardous random faults (EN 50129)

3.44
random fault
the occurrence of a fault based on probability theory and previous performance (≠ EN 50129)

3.45
random hardware failures
failures, occurring at random times, which result from a variety of degradation mechanisms in the
hardware (EN 50126-1, [IEC])
3.46
redundancy
the provision of one or more additional elements, usually identical, to achieve or maintain availability
under the failure of one or more of those elements (≠ EN 50129)

3.47
reliability
the probability that an item can perform a required function under given conditions for a given time
interval (t1, t2) (EN 50126-1, [IEC])

3.48
risk
likelihood of an event occurring and its consequences

3.49
Risk Analysis
systematic use of available information to estimate the likelihood and consequences of hazards

3.50
risk assessment
overall process of risk analysis and risk evaluation

3.51
risk aversion
the ambivalent attitude of society towards catastrophic outcomes. This may be taken into account by
additional risk aversion factors, which give a weight to avoidance of catastrophic outcomes

3.52
risk reduction
a process of selection and implementation of options that is applied to reduce either the likelihood or
consequences, or both, of a particular risk

3.53
safe state
a condition which continues to preserve safety (EN 50129)

3.54
safety
freedom from unacceptable levels of risk or harm (EN 50129)

3.55
safety authority
the body responsible for certifying that a safety-related system is fit for service and complies with relevant
statutory and regulatory safety requirements (≠ EN 50129)

3.56
safety case
the documented demonstration that the product complies with the specified safety requirements
(EN 50129)
3.57
safety integrity
the likelihood of a safety-related system achieving its required safety features under all the stated
conditions within a stated operational environment and within a stated period of time (≠ EN 50129)

3.58
(system) safety integrity level
a number which indicates the required degree of confidence that a system will meet its specified safety
features (EN 50129)
3.59
safety life-cycle
the additional series of activities carried out in conjunction with the system life-cycle for safety-related
systems (EN 50129)
3.60
safety loss
the measure of injury and fatality arising from an accident

3.61
safety process
the series of procedures that are followed to enable all safety requirements of a product to be identified
and met (EN 50129)
3.62
safety requirements
the requirements of the safety functions that have to be performed by the safety related systems,
comprising safety functional requirements and safety integrity requirements (EN 50126-1, [IEC])

3.63
safety target
in the context of this Technical Report the safety target relates to a tolerable hazard rate derived by the
Railway Authority by risk analysis

3.64
shall
is mandatory (EN 50129)
3.65
should
is recommended (EN 50129)
3.66
signalling system
particular kind of system used on a railway to control and protect the operation of trains (EN 50129)

3.67
SIL table
a set of allocations between the values of safety integrity levels and the corresponding bands of tolerable
hazard rates (= safety target)

3.68
Software Safety Integrity Level
a classification number which determines the techniques and measures that have to be applied in order
to reduce residual software faults to an appropriate level (EN 50128)

3.69
system
a set of subsystems or elements which interact according to a design (≠ EN 50129)

NOTE  The system is a matter of perspective. It is not a fixed term, but can be defined arbitrarily.

3.70
system design analysis
the process of analysing the causes of hazards and of identifying requirements to limit the likelihood
of hazards to a tolerable level. "System Design Analysis" would better be called "System Hazard
Analysis" or similar, but that term would conflict with the EN 50126-1 definition of hazard
analysis
3.71
system function
a system manifests an emergent property, which is not necessarily inherent in its constituent parts

3.72
system life-cycle
the activities occurring during a period of time that starts when a system is conceived and ends when the
system is no longer available for use (EN 50126-1, [IEC])

3.73
systematic failure
failure due to errors in any safety lifecycle activity, within any phase, which cause it to fail under some
particular combination of inputs or under some particular environmental condition (EN 50126-1, [IEC])

3.74
systematic failure integrity
the degree to which a system is free from unidentified hazardous errors and the causes thereof
(EN 50129)
3.75
systematic fault
an inherent fault in the specification, design, construction, installation, operation or maintenance of a
system, subsystem or equipment (EN 50129)

3.76
target individual risk
an individual risk which is tolerated by society

3.77
tolerable hazard rate
a hazard rate which guarantees that the resulting risk does not exceed a target individual risk

3.78
tolerable risk
the maximum level of risk of a product that is acceptable to the Railway Authority (EN 50126-1, [IEC])

4 Symbols and abbreviations
A_k accident type k
ALARP as low as reasonably practicable
C_j^k consequence probability (for hazard j leading to accident k)
CCA cause consequence analysis
CCF common cause failure
D_j duration of hazard j
DR detection rate
E_ij exposure of individual i to hazard j
F_i^k probability of fatality for individual i in accident type k
FR failure rate
GAMAB globalement au moins aussi bon
HR hazard rate
IRF individual risk of fatality
LC level crossing
MEM minimum endogenous mortality
MTBF mean time between failure
N number of uses
N_P number of people in a population
RAMS Reliability, Availability, Maintainability and Safety
SIL Safety Integrity Level
S_k severity of accident type k
T periodic testing time
THR tolerable hazard rate
TIR target individual risk
5 Safety Integrity Levels allocation framework

5.1 Prerequisites
The Technical Report does not define any safety targets for signalling systems or system elements. It
gives a generic methodology, therefore all numerical values shall be seen only as illustrative and may not
be relied upon.
This methodology does not deal with safety acceptance or risk tolerability.

Note that the definition and usage of the SIL table is different from the current EN 50129 [129]. The
explanation is given in 9.2.
This Technical Report deals with system SILs as utilized by EN 50129, not with software SILs as defined
by EN 50128. Guidance on software SILs can be found in EN 50128 only.

Some definitions, mainly from EN 50129, have been changed or extended. Refer to Clause 3.

5.2 Overview of the methodology

This subclause is intended to give a bird’s eye perspective of the methodology. It can not explain all
details, which are worked out in the following sections. Major aspects of the methodology are highlighted.

[Figure 5.1 - Process overview (figure not reproduced). Risk Analysis: System Definition, Hazard Identification, Consequence Analysis, Loss Analysis and Risk Assessment against the Risk Tolerability Criteria, giving the hazards and THR. System Design Analysis: Causal Analysis and CCF Analysis, apportionment of random and systematic integrity requirements and SIL allocation at the functional level via the SIL table, giving subsystems with THR and SIL; apportionment of random integrity requirements (reliability) at the technical level, giving components with FR and SIL.]
The general steps of the methodology can be summarized as follows (see Figure 5.1):
1) Define the system adequately.
2) Identify key operational hazards.
3) Determine the tolerable hazard rate THR_i for each hazard by analysing the consequences of the
hazards (taking into account the operational parameters).
4) For each hazard: Analyse the causes down to a functional level taking into account system definition
and architecture.
5) Decide which function(s) are implemented by which subsystem.
For each subsystem:
• collect contributions of each function, which is realized by the subsystem, to all hazards;
• calculate the overall tolerable hazard rate THR_S for the subsystem;
• translate THR_S into a safety integrity level SIL_S for the subsystem using a SIL table;
• determine failure rates for the system elements to meet THR_S for the subsystem.
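The two phases of causal analysis described in the executive summary and steps 4 and 5 above can be followed through on a small model. The script below is an added example and is not part of CLC/TR 50451: the level-crossing hazards, the fault trees, the proposed function rates, the subsystem assignment and the SIL bands are all constructed for illustration (the bands follow the EN 50129 table as an assumption; the Technical Report notes in 9.2 that its own SIL table differs). It evaluates each hazard's rate bottom-up from the function rates, checks it against the THR, collects the function contributions per subsystem into THR_S, translates THR_S into SIL_S, and finally splits THR_S over the elements of one subsystem while the SIL stays unchanged.

```python
# Added example, not from CLC/TR 50451: a toy implementation of the System Design
# Analysis steps (5.2, steps 4-5) and of the two causal-analysis phases of the
# executive summary. All hazards, rates, subsystems and SIL bands are constructed.
from dataclasses import dataclass
from typing import Dict, List, Union

# Illustrative SIL table (assumption: bands of the EN 50129 table, THR per hour
# and per function). The Technical Report's own table differs, see 9.2.
SIL_TABLE = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def sil_from_thr(thr: float) -> int:
    """Translate a THR into a SIL; 0 means 'above the SIL 1 band, no SIL required'."""
    for sil, lo, hi in SIL_TABLE:
        if lo <= thr < hi:
            return sil
    if thr >= 1e-5:
        return 0
    raise ValueError(f"THR {thr:g}/h is below the SIL 4 band; change the architecture")


@dataclass
class Leaf:                  # a function whose hazardous failure is a basic event
    function: str


@dataclass
class Gate:                  # combination logic of the causal analysis
    kind: str                # "OR" or "AND"
    children: List[Union["Gate", Leaf]]
    window_h: float = 0.0    # AND only: time the first failure stays undetected


def hazard_rate(node: Union[Gate, Leaf], rates: Dict[str, float]) -> float:
    """Bottom-up evaluation of a hazard's rate from the proposed function rates."""
    if isinstance(node, Leaf):
        return rates[node.function]
    child = [hazard_rate(c, rates) for c in node.children]
    if node.kind == "OR":
        return sum(child)
    if node.kind == "AND" and len(child) == 2:
        # Two functionally independent items (the independence must be checked, 9.1):
        # coincident undetected failures occur at about l1*l2*T for l*T << 1.
        return child[0] * child[1] * node.window_h
    raise ValueError("unsupported gate")


def check_hazards(trees, thr, rates):
    """Step 4: does each hazard stay at or below its THR with the proposed rates?"""
    return {h: (hazard_rate(t, rates), hazard_rate(t, rates) <= thr[h]) for h, t in trees.items()}


def subsystem_thr(subsystems, rates):
    """Step 5, phase 1: THR_S = sum of the rates of the functions the subsystem realises.
    Each function is counted once even if it contributes to several hazards, and
    functions under an AND gate are counted conservatively (a design choice here)."""
    return {s: sum(rates[f] for f in funcs) for s, funcs in subsystems.items()}


def apportion_to_elements(thr_s, elements):
    """Phase 2: split THR_S equally over the elements (OR-structure); the SIL of
    the elements stays that of the subsystem."""
    return {e: thr_s / len(elements) for e in elements}


# Constructed level-crossing example (figures chosen for illustration only).
H1 = "road users not warned of approaching train"
H2 = "LC set back to normal position while train approaching"
THR = {H1: 1e-7, H2: 1e-7}
TREES = {
    H1: Gate("OR", [Leaf("LC controller wrong output"),
                    Leaf("undetected power supply failure"),
                    Gate("AND", [Leaf("light signals failed"), Leaf("barriers failed")], window_h=24.0)]),
    H2: Gate("OR", [Leaf("LC controller wrong output"), Leaf("train detection failed")]),
}
RATES = {"LC controller wrong output": 2e-8, "undetected power supply failure": 3e-8,
         "light signals failed": 1e-6, "barriers failed": 2e-6, "train detection failed": 5e-8}
SUBSYSTEMS = {"LC controller": ["LC controller wrong output", "train detection failed"],
              "power supply": ["undetected power supply failure"],
              "road-side warnings": ["light signals failed", "barriers failed"]}


def run_analysis():
    checks = check_hazards(TREES, THR, RATES)
    thr_s = subsystem_thr(SUBSYSTEMS, RATES)
    sils = {s: sil_from_thr(v) for s, v in thr_s.items()}
    elements = apportion_to_elements(thr_s["LC controller"], ["CPU board", "I/O board"])
    return checks, thr_s, sils, elements


if __name__ == "__main__":
    checks, thr_s, sils, elements = run_analysis()
    for h, (rate, ok) in checks.items():
        print(f"{h}: {rate:.3g}/h vs THR {THR[h]:g}/h -> {'met' if ok else 'NOT met'}")
    for s in thr_s:
        print(f"{s}: THR_S = {thr_s[s]:.3g}/h -> SIL {sils[s]}")
    print("LC controller elements (SIL 3 each):", elements)
```

Two points of the text show up in the numbers: the road-side warnings, whose two items sit under an AND gate, end up with a much larger THR_S (SIL 1) than the controller (SIL 3), which is only justified if the functional independence assumed by that gate is confirmed; and the element budgets of 3.5E-8/h for the two controller boards carry the subsystem's SIL 3 unchanged, as the executive summary says for the physical implementation level.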
Note that this approach inherently divides the world into railway operation (the “real” world, for which the
railway authority is responsible) and the technical solutions (the “technical” world, for which the supplier of
signalling equipment is responsible). The natural border between these is defined by essential functions,
the failure of which constitutes the hazards. These may have consequences (accidents in the worst case)
and causes. Thus the approach defines a natural interface between railway authorities and suppliers. A
different top-level perspective is given in Figure 5.2, which shows the flow of activities for a top-down
application of the methodology and the relation to some major input and output documents.

[Figure: flowchart with Input, Activity and Output columns. Activities: Define System (output: System Definition - functions, boundary, interfaces, environment ...); Identify top level (system) hazards (output: Hazard Log); Analyse consequences of hazards (input: Risk tolerability criteria; outputs: risk, THRs, System Requirements Specification (safety)); Analyse causes of hazards and Identify additional hazards, iterated until system element level (input: (Sub-)System Architecture; output: Hazard Analysis); Allocate Safety Integrity Requirements to subsystems/system elements (outputs: SILs, failure rates, Subsystem Requirements Specification).]
Figure 5.2 - Process overview in flowchart notation

In the process overview, documents referenced by EN 50126-1 or EN 50129 are depicted by solid lines,
while documents not explicitly referred to are framed by dotted lines.

In particular, step 3 and steps 4/5 can be further subdivided to show more detail. Here dotted lines depict
optional steps.
[Figure: flowchart. Analyse Operation (input: System Definition); Identify Hazards and Estimate Hazard Rates (output: Hazard Log); Identify Consequences: Accidents, Near miss, Safe state; Determine risk; Determine THR (input: Risk tolerability criteria; output: System Requirements Specification (safety requirements)); continues with System Design Analysis.]
Figure 5.3 - Process details of Risk Analysis (steps 1-3) in flowchart notation

Note that the methodology is generic and may be tailored to the user’s needs. For example, if the railway
authority or the supplier has ways to define the THR by other means, then only a part of the methodology
may be applied. In particular, the THR may be derived from arguments like GAMAB by operational and
performance statistics (instead of consequence analysis) or by system design analysis of equipment in
use.
[Figure: flowchart. Inputs: Hazard Analysis (Hazards and THR) from Risk Analysis, Safety-related application conditions, System Architecture Description, SIL table, System Design Description. For each hazard: Perform Causal Analysis (System functions). For each function: Collect contribution to hazards. For each subsystem: Determine which function is realised by which subsystem; Determine THR and SIL (output: Subsystem Requirements Specification); Determine FR for system elements.]
Figure 5.4 - Process details of System Design Analysis (steps 4-5) in flowchart notation

5.3 Definition of Safety Integrity Levels

The CENELEC standards for railway signalling assume that safety relies both on adequate measures to
prevent or tolerate faults (as safeguards against systematic failure) and on adequate measures to control
random failures. Measures against both causes of failure should be balanced in order to achieve the
optimum safety performance of a system. To achieve this the concept of Safety Integrity Levels (SIL) is
used. SILs are used as a means of creating balance between measures to prevent systematic and
random failures, as it is agreed within CENELEC that it is not feasible to quantify systematic integrity.

[Figure: Signalling failure = OR (systematic failure, man-made; random failure, physical).]
Figure 5.5 - SIL concept
This concept is clearly explained in Annex A of EN 50129 2):

Each of these Functions shall have a qualitative Safety Target and/or a Quantitative Target attached to
them. The Qualitative Target shall be in the form of a Safety Integrity Level, and shall cover Systematic
Failure Integrity. The Quantitative Target shall be in the form of a numerical failure rate, and shall cover
Random Failure Integrity.
It is important to recognize that achievement of a specified Safety Integrity Level requires compliance with
all of the factors in Figure A.2, namely:
- Quality Management conditions;
- Safety Management conditions;
- Technical Safety conditions;
- Quantified safety targets.
In many standards like IEC [IEC] or EN 50129 [129] this balance is expressed in a table, which consists
of a list of integrity levels 0, 1, 2, 3, 4 and a list of corresponding intervals or bands for hazard rates
I_0, ..., I_4.
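As an added worked example (not code from CLC/TR 50451 or EN 50129), the following Python carries steps 4 and 5 of the methodology through a constructed case: function contributions are collected per hazard, summed to THR_S per subsystem, mapped to SIL_S with a SIL table, and split into element failure-rate targets. The hazards, shares, architecture and the equal series apportionment are assumptions; the band limits are taken to be those of EN 50129 Annex A.

```python
# Added example for steps 4-5 (not code from CLC/TR 50451); all values constructed.
from collections import defaultdict
# Constructed: tolerable hazard rate THR_i per top-level hazard, in 1/h.
HAZARD_THR = {"H1": 1e-9, "H2": 1e-8, "H3": 2e-6}
# Constructed causal analysis: share of each hazard's THR_i apportioned to the
# safety-related function whose failure can cause it (shares per hazard sum to 1).
FUNCTION_SHARE = {
    "H1": {"F_route_locking": 0.6, "F_signal_control": 0.4},
    "H2": {"F_point_control": 0.8, "F_route_locking": 0.2},
    "H3": {"F_diagnostics": 1.0},
}
# Constructed architecture: functions realised by each subsystem and the number
# of elements it is built from (assumed single-channel series structure).
SUBSYSTEMS = {
    "interlocking": (["F_route_locking", "F_signal_control"], 4),
    "object_controller": (["F_point_control"], 2),
    "diagnostics": (["F_diagnostics"], 1),
}
# SIL table bands (lower bound inclusive, upper exclusive, in 1/h), assumed to be
# those of EN 50129 Annex A; verify against the standard before relying on them.
SIL_BANDS = [(1e-9, 1e-8, 4), (1e-8, 1e-7, 3), (1e-7, 1e-6, 2), (1e-6, 1e-5, 1)]

def function_thr():
    """Step 4: collect each function's allowed contribution to all hazards."""
    thr = defaultdict(float)
    for hazard, shares in FUNCTION_SHARE.items():
        for func, share in shares.items():
            thr[func] += share * HAZARD_THR[hazard]
    return dict(thr)

def sil_from_thr(thr):
    """Translate THR_S into SIL_S via the SIL table. A target below the most
    demanding band cannot be met by one subsystem: refine the architecture."""
    if thr < SIL_BANDS[0][0]:
        raise ValueError(f"THR {thr:.1e}/h is below the lowest SIL band")
    for low, high, sil in SIL_BANDS:
        if low <= thr < high:
            return sil
    return 0  # at or above the top band: no safety integrity requirement

def allocate():
    """Step 5: THR_S, SIL_S and element failure-rate targets per subsystem."""
    f_thr = function_thr()
    result = {}
    for name, (funcs, n_elements) in SUBSYSTEMS.items():
        thr_s = sum(f_thr[f] for f in funcs)
        # Series structure: element failure-rate targets must sum to THR_S.
        result[name] = {"THR_S": thr_s, "SIL": sil_from_thr(thr_s),
                        "element_FR": thr_s / n_elements}
    return result
```

With these inputs the interlocking collects 3e-9/h across both hazards and lands in SIL 4, while the diagnostics subsystem at 2e-6/h lands in SIL 1.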
5.4 Qualitative vs quantitative methods
5.4.1 Qualitative assessment
The qualitative risk assessment process broadly relies on expert judgement and past experience primarily
within a subjective and coarse quantitative process. It is worth noting that mere use of quantification and
numbers does not necessarily qualify an assessment as quantitative. Such quantification is mainly a
reflection of judgement and lacks the objectivity and accuracy to generate a detailed and reliable measure
of risks.
The qualitative framework for assessment of risks arising from hazards of undertakings, products and
processes, yields a number of benefits:
• principally a judgmental process;
• no detailed quantification, data collection and analytical work;
• simple and can be carried out without assistance from process experts;
• auditable process with scope for review and improvement;
• does not require customisation or a specific form of a ranking matrix;
• employs the same framework and principles as in the quantitative approach;
• ease of extension/migration to the quantitative assessment where necessary.

2) At first glance this formulation ”and/or” may seem contradictory. But A.4.2.2 (the one containing the SIL table) gives guidance
what to do if only a qualitative Safety Target or a Quantitative Target is defined, namely to find the missing target by the SIL
table.

The constraints and disbenefits of the qualitative approach must be borne in mind, however; these are:
• subjective and coarse nature of assumptions necessitating thorough documentation;
• simplistic hence unsuitable for complex systems and high-risk undertakings;
• inadequate for the assessment of major risks leading to significant losses.

5.4.2 Quantitative assessment
The quantitative risk assessment process generally satisfies the following requirements:
• extensive use of modelling;
• predominant application of objective and validated data;
• treatment of uncertainty associated with input data and results;
• treatment of dependency between significant factors;
• use of stat
...
