Railway applications - Systematic allocation of safety integrity requirements

CENELEC Report * D122/066: To be converted into TR (see prTR 50451 - PR=16655)

Železniške naprave – Sistemska razporeditev zahtev varnostne integritete

General Information

Status
Withdrawn
Publication Date
28-Feb-2002
Withdrawal Date
17-Sep-2007
Current Stage
9900 - Withdrawal (Adopted Project)
Start Date
17-Sep-2007
Due Date
10-Oct-2007
Completion Date
18-Sep-2007

Relations

Buy Standard

Standard
R009-004:2002
English language
111 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
SIST R009-004:2002
01-marec-2002
Železniške naprave – Sistemska razporeditev zahtev varnostne integritete
Railway applications - Systematic allocation of safety integrity requirements
Ta slovenski standard je istoveten z: R009-004:2001
ICS:
45.020 Železniška tehnika na Railway engineering in
splošno general
SIST R009-004:2002 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

CENELEC R009-004
REPORT June 2001
English version
Railway applications
Systematic allocation of safety integrity requirements
This CENELEC Report has been prepared by SC 9XA, Communication, signalling and processing systems,
of Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways. It was approved
by SC9XA on 1999-10-05 and endorsed by the CENELEC Technical Board on 2000-04-01.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Czech Republic,
Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Netherlands, Norway,
Portugal, Spain, Sweden, Switzerland and United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: rue de Stassart 35, B - 1050 Brussels
© 2001 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. R009-004:2001 E

---------------------- Page: 2 ----------------------

R009-004:2001 - 2 -
Foreword
This CENELEC Report was prepared by SC 9XA, Communication, signalling and processing systems, of
Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways.
It was approved by SC9XA on 1999-10-05 and endorsed by the CENELEC Technical Board on 2000-04-01.
Annexes designated "informative" are given for information only.

---------------------- Page: 3 ----------------------

- 3 - R009-004:2001
Content
Introduction . 8
1 Scope. 9
2 References. 10
2.1 Supporting standards. 10
2.2 Informative references. 10
3 Definitions . 10
4 Symbols and abbreviations. 16
5 Safety Integrity Levels allocation framework.17
5.1 Prerequisites . 17
5.2 Overview of the methodology. 17
5.3 Definition of Safety Integrity Levels. 21
5.4 Qualitative vs. quantitative methods. 22
5.4.1 Qualitative Assessment . 22
5.4.2 Quantitative Assessment . 23
5.5 EN 50126 lifecycle context. 24
6 System definition . 26
7 Hazard identification . 27
7.1 General principles. 27
7.2 Empirical hazard identification methods . 29
7.3 Creative hazard identification methods. 29
7.4 Hazard ranking. 30
7.5 Existing hazard lists. 30
8 Risk analysis . 30
8.1 Risk tolerability . 30
8.2 Determination of Tolerable Hazard Rate . 31
8.2.1 Qualitative Risk Analysis. 31
8.2.2 Quantitative risk analysis . 33
8.2.3 GAMAB and similar approaches . 39
8.2.4 The MEM approach . 40
8.2.4 Other approaches. 41

---------------------- Page: 4 ----------------------

R009-004:2001 - 4 -
9 System design analysis . 41
9.1 Apportionment of safety integrity requirements to functions. 42
9.1.1 Physical independence . 43
9.1.2 Functional Independence. 44
9.1.3 Process independence . 45
9.2 Use of SIL tables. 45
9.3 Identification and treatment of new hazards arising from design. 46
9.4 Determination of function and subsystem SIL . 48
9.5 Determination of safety integrity requirements for system elements . 49
Annex A Single-line signalling system example . 51
Annex B Level crossing example. 71
Annex C Comparison of demand and continuous mode. 83
Annex D Proposed changes for annex A of ENV 50129. 97
Annex E Frequently asked questions. 111

---------------------- Page: 5 ----------------------

- 5 - R009-004:2001
Executive summary
This report presents a systematic methodology to determine safety integrity requirements for railway
signalling equipment, taking into account the operational environment and the architectural design of the
signalling system.
At the heart of this approach is a well defined interface between the operational environment and the
signalling system. From the safety point of view this interface is defined by a list of hazards and tolerable
hazard rates associated with the system. It should be noted that the purpose of this approach is not to
limit co-operation between suppliers and railway authorities but to clarify responsibilities and interfaces.
It is the task (summarized by the term Risk Analysis) of the Railway Authority
• to define the requirements of the railway system (independent of the technical realisation);
• to identify the hazards relevant to the system;
• to derive the tolerable hazard rates, and
• to ensure that the resulting risk is tolerable (with respect to the appropriate risk tolerability criteria).
Definition
System Design Analysis
Figure 0.1 - Global process overview
The only requirement is that the tolerable hazard rates must be derived taking into account the risk
tolerability criteria. Risk tolerability criteria are not defined by this report, but depend on national or
European legislative requirements.

---------------------- Page: 6 ----------------------

R009-004:2001 - 6 -
Among the risk analysis methods two are proposed in order to estimate the individual risk explicitly, one
more qualitative, the other more quantitative. Other methods, similar to the GAMAB principle, do not
explicitly determine the resulting risks, but derive the tolerable hazard rates from comparison with the
performance of existing systems, either by statistical or analytical methods. Alternative qualitative
approaches are acceptable, if as a result they define a list of hazards and corresponding THR. The
specification of the system requirements comprising performance and safety (THR) terminates the
Railway Authority’s task.
Near misses
SYSTEM Definition
withTarget
System DESIGN ANALYSIS
Figure 0.2 - Example Risk Analysis process
The supplier’s task (summarized by the term System Design Analysis) comprises
• definition of the system architecture;
• analysis of the causes leading to each hazard;
• determination of the safety integrity requirements (SIL and hazard rates) for the subsystems;
• determination of the reliability requirements for the equipment.

---------------------- Page: 7 ----------------------

- 7 - R009-004:2001
Causal analysis constitutes two key stages. In the first phase the tolerable hazard rate for each hazard is
apportioned to a functional level. Safety Integrity Levels (SIL) are defined at this functional level for the
subsystems implementing the functionality. The hazard rate for a subsystem is then translated to a SIL
using the SIL table.
During the second phase the hazard rates for subsystems are further apportioned leading to failure rates
for the equipment, but at this physical implementation level the SIL remains unchanged. Consequently
also the software SIL defined by EN 50128 would be the same as the subsystem SIL but for the
exceptions described in EN 50128.
The apportionment process may be performed by any method which allows a suitable representation of
the combination logic, e.g. reliability block diagrams, fault trees, binary decision diagrams, Markov models
etc. In any case particular care must be taken when independence of items is required. While in the first
phase of the causal analysis functional independence is required, physical independence is sufficient in
the second phase. Assumptions made in the causal analysis must be checked and may lead to safety-
relevant application rules for the implementation.
From Risk
Analysis
List of
hazards
and THR
Undetected failure Undetetced failure Undetected failure
of power supply of road-side of LC controller
warnings
Late or no switch-in Undetected failure Undetetced failure Undetected failure 1E-7 1E-7 1E-7
LC set back to
of power supply of road-side of LC controller
warnings normal position
1E-7 1E-7 1E-7 1E-7
Check
System
....
independence
Undetected failure Undetected architecture
of light signals failure of barriers
assumptions 7E-6 7E-6
Undetected failure Undetected Undetected failure Undetected
of switch-in failute of distant
of light signals failure of barriers
function signal
1E-7 7E-6 7E-6
....
SIL and THR
THR
Determine
for subsystems
SIL table
and SIL
SIL and FR
Apportion
hazard rates to for
elements elements
Figure 0.3 - Example System Design Analysis process
Both, the risk analysis and the system design analysis, have to be approved by the Railway Safety
Authority.
However whilst the risk analysis may be carried out once at the railway level, the system design analysis
must be performed for every new architecture. It is prudent to review the risk analysis and system design
analysis when safety related changes are introduced.

---------------------- Page: 8 ----------------------

R009-004:2001 - 8 -
Introduction
Historically the interoperability of European railways was not only hindered by incompatible technology
but also by different approaches towards safety. The common European market is the main driving force
behind the harmonisation of the different safety cultures. In a joint pan-European effort comprehensive
safety standards have been established for railway signalling by the European electrotechnical
standardisation committee CENELEC:
• EN 50126: Railway applications - The specification and demonstration of Reliability, Availability,
Maintainability and Safety (RAMS)
• EN 50128: Railway applications - Communications, signalling and processing systems - Software for
railway control and protection systems
• ENV 50129: Railway applications - Safety related electronic systems for signalling

These CENELEC standards assume that safety relies both on adequate measures to prevent or tolerate
faults (as safeguards against systematic failure) and on adequate measures to control random failures.
Measures against both causes of failure should be balanced in order to achieve the optimum safety
performance of a system. To achieve this the concept of Safety Integrity Levels (SIL) is used. SILs are
used as a means of creating balance between measures to prevent systematic and random failures, as it
is agreed within CENELEC that it is not feasible to quantify systematic integrity.

A shortcoming of the CENELEC standards as of today is (similar as in other related standards like
IEC 61508 [IEC] or ISA S84.01 [ISA]) that while the guidance on how to fulfil a particular SIL is quite
comprehensive the process and rules to derive SILs for system elements from system safety targets or
the tolerable system risk are not adequately covered. A general convincing solution to this problem is still
an open research problem, see [LM][ZD][YB2][GAM] for some divergent examples. However in order to
achieve cross-acceptance of safety cases and products for railway signalling applications it is necessary
to fill the gap.

This has been realized by SC9XA in 1997 and consequently a working group has been set up in March
1998 in order to find a joint harmonized approach at least for railway signalling applications.

Although the major driving forces behind this work were novel signalling applications which are required
to be interoperable throughout Europe, the scope and applicability of the approach presented in this
report should not be limited to signalling or interoperable applications.

---------------------- Page: 9 ----------------------

- 9 - R009-004:2001
1 Scope

The scope of this report is to define a method to determine the required Safety Integrity Level of railway
signalling equipment taking in consideration
• the operational conditions of the railway and
• the architecture of the signalling system.
The following picture may be used in order to detail more precisely the scope of this report:
Unified Signalling Safety
Scope of WGA10 work Target
as agreed by SC9XA (individual average risk:
units D /(P h) )
SIG
Legend:
Type of operation
Death
Example parameters:
System
speed, train density .
SIGnalling
Person
hour
Hazard
wrong side failure
Specific Signalling Safety
Rate
Target (hazard rate :
units H /(S h) or
SIG
wsf /(S h) )
SIG
Signalling system
architecture and
functionality (normal,
fallback .)
Allocation to functions
and system elements
(apportionment)
SILs and
failure rates for system
elements. Result:
Element SIL FR
E x λ
1 1 1
...
E x λ
n n
n
Figure 1.1 - Scope of WGA10
From a mechanistic point of view the task of this report is to define a method of calculation, which
determines the integrity requirements (qualitatively and quantitatively) from the inputs stated above.

---------------------- Page: 10 ----------------------

R009-004:2001 - 10 -
2 References
This CENELEC Report incorporates by dated or undated references, provisions from other publications.
These references are cited at the appropriate place in the text and the publications are listed hereafter.
For dated references, subsequent amendments to or revisions of any of these publications apply to this
Report only when incorporated in it by amendment or revision. For undated references the latest edition
of the publication referred to applies.
2.1 Supporting standards
[126] Railway applications - The specification and demonstration of Reliability, Availability,
Maintainability and Safety (RAMS), EN 50126:1999
[128] Railway applications - Communications, signalling and processing systems - Software for railway
control and protection systems, EN 50128:2001
[129] Railway applications - Safety related electronic systems for signalling, ENV 50129:1998
2.2 Informative references
[0056] UK Ministry of Defence, Safety Management Requirements for Defence Systems, Def Stan 00-56
[GAM] CASCADE: Generalised Assessment Method , Part II: Guidelines, ESPRIT 9032 report,
ref. CAS/IC/MK/D2.3.2/V3, 1996
[HK] Kumamotu, H. and Henley, E.: Probabilistic risk assessment and management for engineers and
scientists, IEEE Press, 1996
[IEC] IEC: Functional safety of electrical/electronic/programmable electronic safety-related systems,
IEC 61508 series
[ISA] ISA: Application of Safety Instrumented Systems for the Process Industries, ISA S84.01,
February 1996
[ISO] ISO/IEC: Information technology - System and software integrity levels, ISO/IEC 15026
[Lev95] Leveson, N. G.: Safeware - System safety and computers, Addison-Wesley, 1995
[LM] Lindsay, P. A. and McDermid, J. A.: A systematic approach to software safety integrity levels, in:
Peter Daniel (Ed.): SAFECOMP'97 , Springer Verlag, 1997, 70-82
[R01] Railway applications - Communication, signalling and processing systems - Hazardous failure
rates and Safety Integrity Levels (SIL), R009-001:1997
[RSH] Railway Signalling Hazards, Swedish National Rail Administration, Technical Report 1999:1
nd
[SAH] System Safety Analysis Handbook, 2 edition, System Safety Society, 1998
[VIL] Villemeur, A.: Reliability, Availability, Maintainability and Safety Assessment, Volume 1: Methods
and Techniques, Wiley, 1992
[YB2] Engineering Safety Management System, Issue 2.0, "Yellow Book", Railtrack, 1997
[ZD] Zerkani, H. and Dumolo, D.: System Safety Lifecycle Based on IEC 61508 and its Use for
th
Railway Applications, Proc. 16 International System Safety Conference, Sept. 14-19, 1998,
Seattle
3 Definitions
For the purpose of this report, the following definitions apply. For terms not defined here, the following
references should be consulted in order of priority:
- IEC 60050(191): International Electrotechnical Vocabulary (Chapter 191, dependability and quality of
service);
- ISO 8402: Quality Vocabulary;
- ISO/IEC 2382: Information Technology Vocabulary.

---------------------- Page: 11 ----------------------

- 11 - R009-004:2001
accident
an unintended event or series of events that results in death, injury, loss of a system or service, or
environmental damage (ENV 50129)
apportionment
a process whereby the RAMS elements for a system are sub-divided between the various items which
comprise the system to provide individual targets (EN 50126)
can
is possible (ENV50129)
causal analysis
analysis of the reasons how and why a particular hazard may come into existence
collective risk
a risk which is related to a group of people
common cause failure
a failure which is the result of an event(s) which causes a coincidence of failure states of two or more
components leading to a system failing to perform its required function (EN 50126)
common-mode fault
fault common to items which are intended to be independent (ENV 50129)
consequence analysis
analysis of events which are likely to happen after a hazard has occurred
cross-acceptance
the status achieved by a product that has been accepted by one Authority to the relevant European
Standards and is acceptable to other Authorities without the necessity for further assessment
(ENV 50129)
dependent failure
the failure of a set of events; the probability of which cannot be expressed as the simple product of the
unconditional probabilities of the individual events (EN 50126)
diversity
a means of achieving all or part of the specified requirements in more than one independent and
dissimilar manner (ENV 50129)
element
a part of a product that has been determined to be a basic unit or building block. An element may be
simple or complex (ENV 50129)
environment
the surrounding objects or region or circumstances which may influence the behaviour of the system and
or may be influenced by the system (ENV 50121-5)
equipment
a functional physical item (ENV 50129)

---------------------- Page: 12 ----------------------

R009-004:2001 - 12 -
error
a deviation from the intended design which could result in unintended system behaviour or failure
(ENV 50129)
failure
a deviation from the specified performance of a system. A failure is the consequence of an fault or error in
a system (ENV 50129)
failure cause
the circumstances during design; manufacture or use which have led to a failure (EN 50126, IEC)
failure mode
the predicted or observed results of a failure cause on a stated item in relation to the operating conditions
at the time of the failure (EN 50126, IEC)
failure rate
the limit; if this exists; of the ratio of the conditional probability that the instant of time; T; of a failure of a
product falls within a given time interval (t+(t) and the length of this interval; (t; when (t tends towards
zero; given that the item is in an up state at the start of the time interval (EN 50126, IEC)
fault
an abnormal condition that could lead to an error in a system. A fault can be random or systematic
(EN 50126, IEC)
fault detection time
time span which begins at the instant when a fault occurs and ends when the existence of the fault is
detected (ENV 50129)
fault mode
one of the possible states of a faulty product for a given required function (EN 50126, IEC)
fault tree analysis
an analysis to determine which fault modes of the product; sub-products or external events; or
combinations thereof; may result in a stated fault mode of the product; presented in the form of a fault
tree (EN 50126, IEC)
FMEA
an acronym meaning Failure Modes and Effects Analysis. A qualitative method of reliability analysis
which involves the study of the fault modes which can exist in every sub-product of the product and the
determination of the effects of each fault mode on other sub-products of the product and on the required
functions of the product (EN 50126, IEC)
function
a mode of action or activity by which a product fulfils its purpose (EN 50126, IEC)
hazard
an object, condition or state that could lead to an accident [YB2].In the context of a system safety, a
hazard is an unprotected state of the system, which under certain external conditions leads to an accident
hazard identification
the process used to define potential hazards related to a system

---------------------- Page: 13 ----------------------

- 13 - R009-004:2001
hazard log
the document in which all safety management activities, hazards identified, decisions made and solutions
adopted, are recorded or referenced (EN 50126, IEC)
human error
a human action (mistake), which can result in unintended system behaviour/failure (ENV 50129)
independence (functional)
two items are functionally independent, if they do not have any common cause failures, neither
systematic nor random
independence (physical)
two items are physically independent, if they do not have any random common cause failures
independence (technical)
freedom from any mechanism which can affect the correct operation of more than one item (ENV 50129)
individual risk
a risk which is related to a single individual only
item
element under consideration (ENV 50129)
loss analysis
analysis of safety, environmental or economical harm or damage
may
is permissible (ENV 50129)
negation
enforcement of a safe state following detection of a hazardous fault (ENV 50129)
negation time
time span which begins when the existence of a fault is detected and ends when a safe state is enforced
(ENV 50129)
product
a collection of elements, interconnected to form a system, subsystem or item of equipment, in a manner
which meets the specified requirements (ENV 50129)
railway authority
the body with the overall accountability to a Regulator for operating a railway system (EN 50126, IEC)
RAMS
an acronym meaning a combination of Reliability; Availability; Maintainability and Safety (EN 50126, IEC)
random failure integrity
the degree to which a system is free from hazardous random faults (ENV 50129)
random fault
the occurrence of a fault based on probability theory and previous performance (ENV 50129)

---------------------- Page: 14 ----------------------

R009-004:2001 - 14 -
random hardware failures
failures; occurring at random times; which result from a variety of degradation mechanisms in the
hardware (EN 50126, IEC)
redundancy
the provision of one or more additional elements, usually identical, to achieve or maintain availability
under the failure of one or more of those elements. (ENV 50129)
reliability
the probability that an item can perform a required function under given conditions for a given time
interval (t1; t2) (EN 50126, IEC)
risk
likelihood of an event occurring and its consequences
Risk Analysis
systematic use of available information to estimate the likelihood and consequences of hazards
risk assessment
overall process of risk analysis and risk evaluation
risk aversion
the ambivalent attitude of society towards catastrophic outcomes. This may be taken into account by
additional risk aversion factors, which give a weight to avoidance of catastrophic outcomes
risk reduction
a process of selection and implementation of options that is applied to reduce either the likelihood or
consequences, or both, of a particular risk
safe state
a condition which continues to preserve safety (ENV 50129)
safety
freedom from unacceptable levels of risk (ENV 50129)
safety authority
the body responsible for certifying that a safety-related system is fit for service and complies with relevant
statutory and regulatory safety requirements (ENV 50129)
safety case
the documented demonstration that the product complies with the specified safety requirements
(ENV 50129)
safety integrity
the likelihood of a safety-related system achieving its required safety features under all the stated
conditions within a stated operational environment and within a stated period of time (ENV 50129)
(system) safety integrity level
a number which indicates the required degree of confidence that a system will meet its specified safety
features (ENV 50129)

---------------------- Page: 15 ----------------------

- 15 - R009-004:2001
safety life-cycle
the additional series of activities carried out in conjunction with the system life-cycle for safety-related
systems (ENV 50129)
safety loss
the measure of injury and fatality arising from an accident
safety process
the series of procedures that are followed to enable all safety requirements of a product to be identified
and met (ENV 50129)
safety requirements
the requirements of the safety functions that have to be performed by the safety related systems;
comprising safety functional requirements and safety integrity requirements . (EN 50126, IEC)
safety target
in the context of this report the safety target relates to a tolerable hazard rate derived by the Railway
Authority by risk analysis
shall
is mandatory (ENV 50129)
should
is recommended (ENV 50129)
signalling system
particular kind of system used on a railway to control and protect the operation of trains (ENV 50129)
SIL table
a set of allocations between the values of safety integrity levels and the corresponding bands of tolerable
hazard rates (= safety target)
Software Safety Integrity Level
a classification number which determines the techniques and measures that have to be applied in order
to reduce residual software faults to an appropriate level (EN 50128)
system
a set of subsystems or elements which interact according to a design (ENV 50129)
NOTE  The system is a matter of perspective. It is not a fixed term, but can be defined arbitrarily.
system design analysis
the process of analysing the causes of hazards and of identification of requirements to limit the likelihood
of hazards to a tolerable level. “System Design Analysis” should better be called ”System Hazard
Analysis” or similar. But this definition would be contradictory to the EN 50126 definition of hazard
analysis
system function
a system manifests a emergent property, which is not necessarily inherent in its constituent parts

-----------
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.