SIST-TP CLC/TR 50506-2:2010
(Main)Railway applications - Communication, signalling and processing systems - Application Guide for EN 50129 - Part 2: Safety assurance
Railway applications - Communication, signalling and processing systems - Application Guide for EN 50129 - Part 2: Safety assurance
This document is a Technical Report about the basic standard. It is applicable to the same systems and addresses the same audience as the standard itself. It enhances information on specific items on the application of EN 50129. The following items are covered, within the scope of this Application Guideline of EN 50129, as follows: Clause 4 deals with identification and mitigation of failures in the concept, specification and design phases. It is mainly dedicated to designers and verifiers and product safety engineers; Clause 5 deals with the preparation of a safety case, enhancing points providing the required evidence for safety assessment and approval. It is mainly dedicated to verifiers, validators, safety managers, quality managers and safety engineers; Clause 6 deals with the activities an Independent Safety Assessor has to carry out. It is mainly dedicated to safety assessors, safety authorities, safety managers and safety approvals. In drafting this guidance, it is assumed that the reader is familiar with the basic structure of the standard. This document does not claim to be exhaustive. It is not a complete compilation of best practices, but only the translation of the knowledge of all the experts of the Working Group in charge of composition of this Application Guideline.
Železniške naprave - Komunikacijski, signalni in procesni sistemi - Vodilo za uporabo EN 50129 - 2. del: Zagotavljanje varnosti
Ta dokument je tehnično poročilo o osnovnem standardu. Velja za iste sisteme in je namenjen istim naslovnikom kot sam standard. Krepi obveščanje o določenih točkah uporabe EN 50129. V okviru tega vodila za uporabo EN 50129 so zajete naslednje točke: Klavzula 4 obravnava identifikacijo in zmanjševanje napak v idejni, specifikacijski in snovalni fazi. V glavnem je namenjena načrtovalcem in preveriteljem ter proizvodnim varnostnim inženirjem; Klavzula 5 obravnava pripravo varnostne analize in izpostavlja točke za zagotavljanje potrebnih dokazov za oceno varnosti in odobritev. V glavnem je namenjena preveriteljem, validatorjem, vodjem varnosti, vodjem kakovosti in varnostnim inženirjem; Klavzula 6 obravnava dejavnosti, ki jih mora opraviti neodvisni ocenjevalec varnosti. V glavnem je namenjena ocenjevalcem varnosti, varnostnim organom, vodjem varnosti in varnostnim odobritvam. Pri sestavljanju tega vodila se je domnevalo, da je bralec seznanjen z osnovno strukturo standarda. Ta dokument ni izčrpen. Ni popolna kompilacija dobrih praks, pač pa le prevod znanja vseh strokovnjakov delovne skupine, pristojne za sestavo tega vodila za uporabo.
General Information
Relations
Standards Content (Sample)
SLOVENSKI STANDARD
SIST-TP CLC/TR 50506-2:2010
01-februar-2010
Železniške naprave - Komunikacijski, signalni in procesni sistemi - Vodilo za
uporabo EN 50129 - 2. del: Zagotavljanje varnosti
Railway applications - Communication, signalling and processing systems - Application
Guide for EN 50129 - Part 2: Safety assurance
Ta slovenski standard je istoveten z: CLC/TR 50506-2:2009
ICS:
35.240.60 Uporabniške rešitve IT v IT applications in transport
transportu in trgovini and trade
45.020 Železniška tehnika na Railway engineering in
splošno general
SIST-TP CLC/TR 50506-2:2010 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
---------------------- Page: 1 ----------------------
SIST-TP CLC/TR 50506-2:2010
---------------------- Page: 2 ----------------------
SIST-TP CLC/TR 50506-2:2010
TECHNICAL REPORT
CLC/TR 50506-2
RAPPORT TECHNIQUE
December 2009
TECHNISCHER BERICHT
ICS 93.100
English version
Railway applications -
Communication, signalling and processing systems -
Application Guide for EN 50129 -
Part 2: Safety assurance
This Technical Report was approved by CENELEC on 2009-07-17.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Cyprus, the
Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain,
Sweden, Switzerland and the United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: Avenue Marnix 17, B - 1000 Brussels
© 2009 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. CLC/TR 50506-2:2009 E
---------------------- Page: 3 ----------------------
SIST-TP CLC/TR 50506-2:2010
CLC/TR 50506-2:2009 – 2 –
Foreword
This Technical Report was prepared by SC 9XA, Communication, signalling and processing systems, of
Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways.
The text of the draft was submitted to vote in accordance with the Internal Regulations, Part 2,
Subclause 11.4.3.3 (simple majority) and was approved by CENELEC as CLC/TR 50506-2 on 2009-07-17.
__________
---------------------- Page: 4 ----------------------
SIST-TP CLC/TR 50506-2:2010
– 3 – CLC/TR 50506-2:2009
Contents
Page
Introduction . 5
1 Scope . 6
2 References . 6
3 Terms, definitions, symbols and abbreviated terms . 7
3.1 Terms and definitions . 7
3.2 Symbols and abbreviated terms . 8
4 Safety design for signalling subsystems . 10
4.1 Safety principles . 10
4.2 Components development guideline . 19
4.3 Specific implementation examples . 25
5 Safety case structure in relation with associated documents and activities . 28
5.1 Introduction . 28
5.2 Safety Case for Signalling Systems . 28
5.3 Recommendations regarding the fulfilment of the requirements of tables in EN 50129:2003,
Annex E . 62
6 Safety assessment and approval . 68
6.1 Guidance on the concept of Safety assessment . 68
6.2 Migration strategy from other Standards to CENELEC . 73
6.3 Approval for modification and internal adaptation . 75
Annex A (informative) EN/IEC standards for safety analysis . 77
Annex B (informative) Documentation for approval . 78
B.1 Introduction . 78
B.2 Documentation table structure . 79
B.3 Liaison to EN 50129:2003, 5.5.2 . 79
Annex C (informative) Structure of the System Requirements Specification . 87
C.1 Part one – General information . 87
C.2 Part two – Requirements . 87
Bibliography . 89
---------------------- Page: 5 ----------------------
SIST-TP CLC/TR 50506-2:2010
CLC/TR 50506-2:2009 – 4 –
Figures
Figure 1 – Example for hierarchical composition of Functional units . 11
Figure 2 – Example for creation and manifestation mechanisms of faults, errors, and failures . 11
Figure 3 – Example for the mechanisms of ‘fundamental chain’ . 12
Figure 4 – Relationships of faults, errors and failures . 12
Figure 5 – Representation for failures of single and multiple natures . 14
Figure 6 – Inherent fail safe devices structure and associated threats . 15
Figure 7 – Composite fail safe devices structure and associated threats . 17
Figure 8 – Reactive fail safe devices structure and associated threats . 18
Figure 9 – Example of composite fail-safety with identical VLSI components . 21
Figure 10 – Example of reactive fail-safety with different VLSI components . 23
Figure 11 – Example of development process for VLSI components (FPGA, EPLD, etc.) . 25
Figure 12 – Example of overall Safety Cases structure . 30
Figure 13 – Structure of the Technical Safety Report . 46
Figure 14 – Example of inherent fail-safety . 50
Figure 15 – Example for Relation between Design Functional Breakdown . 55
Figure 16 – Example of Relation breakdown from FMEA to FTA . 56
Figure 17 – SRAC classification . 58
Figure 18 – Exported constraints and SRAC management . 59
Tables
Table 1 – Examples for single and coupled failures types . 14
Table 2 – Guidance for threats mitigation in inherent fail-safe devices . 16
Table 3 – Guidance for threats mitigation in composite fail-safe devices . 17
Table 4 – Guidance for threats mitigation in reactive fail-safe devices . 18
Table 5 – Example of documentation linked to Quality Management . 32
Table 6 – Typical Example of some Safety Activities in the Lifecycle . 36
Table 7 – Methods for Safety Analysis . 37
Table 8 – List of safety methods and reference Standards . 37
Table 9 – Safety planning and quality assurance activities . 63
Table 10 – System requirements specification . 64
Table 11 – Design phase documentation . 66
Table 12 – Operation and maintenance . 67
Table 13 – Typical assessor activity during the life cycle . 69
Table 14 – Possible Work split Approval for modification . 76
Table B.1 – Documentation for Approval . 80
---------------------- Page: 6 ----------------------
SIST-TP CLC/TR 50506-2:2010
– 5 – CLC/TR 50506-2:2009
Introduction
EN 50129 was developed in CENELEC and is now regularly called up in specifications. In essence, it lists
factors that influence RAMS (see EN 50126-1) and adopts a broad risk-management approach to safety.
EN 50129 is the basic standard for safety related electronic systems for signalling.
Use of EN 50129 has enhanced the general understanding of the issues, but also showed, that items like
Safe Design, Safety Documents and Reports, Safety Assessment and Approval, and Cross-Acceptance
need further explanation and clarification. Therefore CENELEC decided to address those items in this
Application Guideline. The Cross Acceptance is included in CLC/TR 50506-1.
---------------------- Page: 7 ----------------------
SIST-TP CLC/TR 50506-2:2010
CLC/TR 50506-2:2009 – 6 –
1 Scope
This document is a Technical Report about the basic standard. It is applicable to the same systems and
addresses the same audience as the standard itself. It enhances information on specific items on the
application of EN 50129. The following items are covered, within the scope of this Application Guideline of
EN 50129, as follows:
Clause 4 deals with identification and mitigation of failures in the concept, specification and design
phases. It is mainly dedicated to designers and verifiers and product safety engineers;
Clause 5 deals with the preparation of a safety case, enhancing points providing the required evidence
for safety assessment and approval. It is mainly dedicated to verifiers, validators, safety managers,
quality managers and safety engineers;
Clause 6 deals with the activities an Independent Safety Assessor has to carry out. It is mainly
dedicated to safety assessors, safety authorities, safety managers and safety approvals.
In drafting this guidance, it is assumed that the reader is familiar with the basic structure of the standard.
This document does not claim to be exhaustive. It is not a complete compilation of best practices, but only
the translation of the knowledge of all the experts of the Working Group in charge of composition of this
Application Guideline.
2 References
This Application Guideline uses as basis for specific topics the following reference standards, already
mentioned in the main EN 50129.
For dated references, only the edition cited applies. For undated references, the latest edition of the
referenced document (including any amendments) applies.
CLC/TR 50506-1, Railway applications – Communication, signalling and processing systems – Application
Guide for EN 50129 – Part 1: Cross-acceptance
1)
EN 45004 , General criteria for the operation of various types of bodies performing inspection
EN 50121 series, Railway applications – Electromagnetic compatibility
EN 50121-4, Railway applications – Electromagnetic compatibility – Part 4: Emission and immunity of the
signalling and telecommunications apparatus
EN 50124-1, Railway applications – Insulation coordination – Part 1: Basic requirements – Clearances and
creepage distances for all electrical and electronic equipment
EN 50125-1, Railway applications – Environmental conditions for equipment – Part 1: Equipment on board
rolling stock
EN 50125-2, Railway applications – Environmental conditions for equipment – Part 2: Fixed electrical
installations
EN 50125-3, Railway applications – Environmental conditions for equipment – Part 3: Equipment for
signalling and telecommunications
1)
Superseded by EN ISO/IEC 17020:2004, General criteria for the operation of various types of bodies performing inspection
(ISO/IEC 17020:1998).
---------------------- Page: 8 ----------------------
SIST-TP CLC/TR 50506-2:2010
– 7 – CLC/TR 50506-2:2009
EN 50126-1:1999 + corr. May 2006, Railway Applications – The specification and Demonstration of
Reliability, Availability, Maintainability and Safety (RAMS) – Part 1: Basic requirements and generic process
EN 50128, Railway applications – Communication, signalling and processing systems – Software for railway
control and protection systems
EN 50129:2003, Railway applications – Communication, signalling and processing systems – Safety related
electronic systems for signalling
EN 50155, Railway applications – Electronic equipment used on rolling stock
EN 50159-1, Railway applications – Communication, signalling and processing systems – Part 1: Safety
related communication in closed transmission systems
EN 50159-2, Railway applications – Communication, signalling and processing systems – Part 2: Safety
related communication in open transmission systems
EN 61508 series, Functional safety of electrical/electronic/programmable electronic safety-related systems
(IEC 61508 series)
2)
EN ISO 9001:2000 , Quality Management Systems – Requirements (ISO 9001:2000)
ESA PSS 01-403, Hazard Analysis and Safety Risk Assessment
ISO/IEC Guide 73:2002, Risk management – Vocabulary – Guidelines for use in standards
The following standard is mentioned as complementary source of information:
EN ISO/IEC 17020 (former EN 45004), General criteria for the operation of various types of bodies
performing inspection (ISO/IEC 17020)
3 Terms, definitions, symbols and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in EN 50126-1:1999, EN 50128:2001,
EN 50129:2003 and the following apply.
3.1.1
generic application
system with specific functions that are related to “a category of applications” associated with a general
environmental and operational context, which is developed on the basis of criteria of standardization and
parameterization of its elements, so as to render it serviceable for various tangible applications. By
combining generic products or combining these with other generic applications, it is possible to obtain a new
generic application
3.1.2
generic product
component or product capable of performing certain functions, with specific performance level, in the
environmental and operational conditions stated in the reference specifications. It can be combined with
other products and Generic Applications to form other generic applications
2)
Superseded by EN ISO 9001:2008, Quality management systems – Requirements (ISO 9001:2008).
---------------------- Page: 9 ----------------------
SIST-TP CLC/TR 50506-2:2010
CLC/TR 50506-2:2009 – 8 –
3.1.3
specific application
specific application addresses a specific installation for a dedicated project with specific implementation, as
for instance data configuration
3.1.4
risk analysis
systematic use of all available information to identify hazards and to estimate the risk
[ISO/IEC 73:2002, Clause A.10]
3.1.5
safety analysis
subset of risk analysis solely focused on hazards which have a potential for causing accident which may
cause harm to people
3.2 Symbols and abbreviated terms
For the purposes of this document, the following symbols and abbreviated terms apply.
AC Alternating Current
ASIC Application Specific Integrated Circuit
ATC Automatic Train Control
ATP Automatic Train Protection
C Customer
CCF Common-cause failure
COTS Commercial-Off-The-Shelf
CV Curriculum Vitae
DC Direct Current
DMA Direct Memory Access
EM Electro Magnetic
EMI Electro Magnetic Interference
ESA PSS Spacecraft and Associated Equipment – Procedures, Standards and Specifications
ESD Electro Static Discharge
EU European Union
EPLD Erasable and Programmable Logic Device
ETA Event Tree Analysis
FMEA Failure Mode Effects Analysis (see also below)
FMECA Failure Mode Effects and Criticality Analysis
FPGA Field Programmable Gate Array
---------------------- Page: 10 ----------------------
SIST-TP CLC/TR 50506-2:2010
– 9 – CLC/TR 50506-2:2009
FTA Fault Tree Analysis
FTI Formal Technical Inspection
HAZOP Hazard and Operability Study
HW Hardware
I/O Input / Output
ISA Independent Safety Assessor
LRU Line Replaceable Unit
PAL Programmable Array Logic
PCB Printed Circuit Board
PHA Preliminary Hazard Analysis
PLC Programmable Logic Controller
QAP Quality Assurance Plan
QMS Quality Management System
R Recommended
RAM Reliability Availability Maintainability
RAMS Reliability Availability Maintainability and Safety
RBD Reliability Block Diagram
RS Rolling Stock
S Supplier
SART Structured Analysis for Real Time
SC Safety Case
SADT Structured Analysis and Design Techniques
SRAC Safety Related Application Condition
SHA System Hazard Analysis
SIL Safety Integrity Level
SMP Safety Management Process
SRIL Safety Related Item List
SRS System Requirements Specification
SSRS Subsystem Requirements Specification
SW Software
---------------------- Page: 11 ----------------------
SIST-TP CLC/TR 50506-2:2010
CLC/TR 50506-2:2009 – 10 –
TSR Technical Safety Report
VHDL VHSIC (Very High Speed Integrated Circuit) Hardware Description Language
VLSI Very Large Scale Integration
V&V Verification and Validation
µP Micro Processor
4 Safety design for signalling subsystems
The design of signalling systems should follow the requirements specified in EN 50129:2003, 5.3 and, in
particular, the safety design depends on the safety life-cycle which is consistent with the system life-cycle
defined in EN 50126-1 (see EN 50129:2003, Figure 4).
This clause gives more explanations on two specific items of the safety design dealing with “Safety
Requirements Specifications” covered by Safety Principles and “Hardware Design” covered by Components
Development Guidance:
safety principles, to be justified in early design phases of Products, Systems and Processes in
particularly for platforms. These principles have also to be justified in the "Effects of Faults" subsection
of every related Safety Case;
components development guidance, mainly for programmable devices.
4.1 Safety principles
This subclause is in line with EN 50129:2003, 5.4 and gives more details on how to fulfil all the requirements
specified in this subclause of the standard to provide technical evidences for the safety of the design and in
particular for the identification and the mitigation of systematic and random failures.
All assumptions detailed here after should be applied to products.
4.1.1 Classes of faults, errors and failures
This subclause is in line with EN 50129:2003, 5.4 and in particular with Section 3 “Effects of faults” in which
there is no clear definition of a Fault and no clear explanation of the relationship between faults, errors and
failures. The following definitions are issued from CENELEC.
Fault: an abnormal condition that could lead to an error in a system. A fault can be random or systematic.
Error: a deviation from the intended design which could result in unintended system behaviour or failure
(EN 50129).
Failure: a deviation from the specified performance of a system. A failure is the consequence of a fault or
error in the system.
Hazard: a condition that could lead to an accident.
Remark: Hazards are not events (ESA PSS 01-403).
Let’s consider a functional unit (FU) viewed as a hierarchical composition of multiple levels, each of which
can in turn be called a functional unit (Figure 1).
---------------------- Page: 12 ----------------------
SIST-TP CLC/TR 50506-2:2010
– 11 – CLC/TR 50506-2:2009
FU (level i+1)
FU (level i) FU (level i)
Figure 1 – Example for hierarchical composition of Functional units
The creation and manifestation mechanisms of faults, errors, and failures are illustrated by Figure 2, and
summarized as follows.
Service Service
Functional Unit (Level i) Functional Unit (Level i+1)
Interface Interface
Internal
Dormant
Fault
Activation
External
Propagation Propagation Propagation Propagation
Fault
Error Error Error Error Error Error
External Fault
Service status
Correct Incorrect
of Functional
service service
Failure
Unit (level i)
Service status Incorrect
Correct
of Functional service
service Failure
Unit (level i+1)
Figure 2 – Example for creation and manifestation mechanisms of faults, errors, and failures
1. A fault is active when it produces an error, otherwise it is dormant. An active fault is either a) an internal
fault that was previously dormant and that has been activated by the computation process or
environmental conditions, or b) an external fault. Fault activation is the application of an input (the
activation pattern) to a FU that causes a dormant fault to become active. Most internal faults cycle
between their dormant and active states.
2. Error propagation within a given FU (i.e., internal propagation) is caused by the computation process: an
error is successively transformed into other errors. Error propagation from one FU (level i) to another FU
(level i+1) that receives service from FU level i (i.e., external propagation) occurs when, through internal
propagation, an error reaches the service interface of FU level i. At this time, service delivered by FU
level i to FU level i+1 becomes incorrect, and the ensuing failure of FU level i appears as an external
fault to FU level i+1 and propagates the error into FU level i+1.
3. A failure occurs when an error is propagated to the service interface and unacceptably alters the service
delivered by the system. A failure of a FU causes a permanent or transient fault in the system that
contains the FU. Failure of a system causes a permanent or transient external fault for the other
system(s) that interact with the given system.
---------------------- Page: 13 ----------------------
SIST-TP CLC/TR 50506-2:2010
CLC/TR 50506-2:2009 – 12 –
These mechanisms enable the ‘fundamental chain’ to be completed, as indicated by Figure 3.
activation propagation causation
failure
fault error fault
Figure 3 – Example for the mechanisms of ‘fundamental chain’
From a time domain point of view the failures can be classified in “permanent” or in “temporary” depending
on the activation patterns conditions.
Whatever the creation mechanism or the time domain class is it, in the following sections reference will be
done to “failures” classified into “systematic” and “random” characteristics.
Figure 4 shows a practical example of the relationship between external events, components faults, errors
and other failures which could lead to hazards with respect to system- or sub-system hazards.
Boundary
Subsystem failure (threatening event)
Hazard
Failures
Non systematic failures
Systematic failures
Systematic
Human
Random
consequence
operation
error
of the error
error
Errors
Error in design,
manufacturing, operational
procedures, documentation.
Components
Random
Faults
Fault
External
Physical influences (EMI, ESD, climatic, P. supply, I/O)
events
Figure 4 – Relationships of faults, errors and failures
Systematic failures, are non quantifiable, but should be completely evaluated and extensively mitigated by
the relevant process and technical measures.
Systematic failures can be induced by
specification or design errors,
pre-existing faults (SW design error, error on programmable device, etc.),
---------------------- Page: 14 ----------------------
SIST-TP CLC/TR 50506-2:2010
– 13 – CLC/TR 50506-2:2009
manufacturing and hardware faults (procedure, error or use of wrong component material),
tools faults (compiler, development tools, etc.),
process (design, development, operation, etc.) or maintenance errors.
Random failures are caused by stochastic failure processes, and have to be taken into account in different
modes according to the type of applied fail-safety as suggested in the following sections. In many cases,
random failures are described by a failure rate.
In SIL 3/SIL 4 inherent fail-safety devices no single fault should induce hazardous consequences.
In composite and reactive fail safety devices all single faults have to be detected and negated without directly
leading to a hazardous consequence and the combination of faults (with dormant faults or not) is to be
evaluated.
There are special cases in which single faults can lead to a dangerous consequence but with a negligible
probability. This case applies to coded monoprocessor and single channel data transmission where the
redundancy/complexity of the information representation allows to detect all credible classes of physical
failures in such a way that can be considered as a sort of inherent fail-safety.
– In coded monoprocessor techniques, the information operands and operators are coded in such a way
that all possible classes of physical failures result in an information output able to self-reveal the errors
and allowing an external negation reaction.
– In single channel data transmission, data are protected at the source for possible communications
threats through specific techniques as specified in EN 50159-1 and EN 50159-2 allowing error detection
at the receiver end.
Human operational errors should not be included in technical subsystem failures evaluation. If it is necessary
to include them at system level, then they should be evaluated on a conservative basis and/or exported as a
constraint for the upper level application. Currently, their quantification is not recommended due to the lack of
related applicable standards.
4.1.2 External Influences and common causes as related to random and systematic failures
This subclause is in line with of EN 50129:2003, 5.4 and in particular with Section 3 “Effects of Faults” and
Section 4 “Operation with External Influences” (see also EN 50129:2003, Clauses B.3 and B.4). This
subclause gives more explanations and details on the relationship between random and systematic failures
and their possible causes, influences or common causes.
Although systematic and random failures being of different natures, it may be considered that any one of
them may correspond to a common cause or to external influences. Also, external influences inducing either
systematic or random faults may correspond or not to common causes.
---------------------- Page: 15 ----------------------
SIST-TP CLC/TR 50506-2:2010
CLC/TR 50506-2:2009 – 14 –
Figure 5 presents all possible cases and is followed by a table giving examples for all possible cases
(Table 1).
Random
Systematic
failures
failures
B
A
External
influences
C D
failures
H
G
E
Common. cause
F
failures
Figure 5 – Representation for failures of si
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.