NEW CENELEC STANDARDS & CSM-RA

Date post: 12-Jan-2022

Transcript
Page 1: NEW CENELEC STANDARDS & CSM-RA

2017 NEW CENELEC STANDARDS & CSM-RA

Page 2: NEW CENELEC STANDARDS & CSM-RA

AGENDA

• New EN 501xx Standards
• What is new/changed/improved
• The use of CENELEC in the CSM-RA process

Page 3: NEW CENELEC STANDARDS & CSM-RA

CENELEC & CSM-RA TIMELINE

[Timeline figure: milestones for ENV 50126 (1995), EN 50126, EN 50128, EN 50129, EN 61508 (2000 and 2010), TR 50126-2 and TR 50126-3 (2006, 2007), the CSM-RA regulations 352/2009, 402/2013 and 1136/2015, and the TSI, plotted on an axis running from 1995 to 2018.]

Page 4: NEW CENELEC STANDARDS & CSM-RA

OVERVIEW OF CURRENT RAILWAY SAFETY STANDARDS

System level
• EN 50126 (1999): The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS)

Subsystem (product) level
• EN 50129 (2003): Communication, signalling and processing systems – Safety related electronic systems for signalling
• EN 50128 (2001, 2011): Communications, signalling and processing systems – Software for railway control and protection systems

Guidance
• TR 50126-2 (2007): Guide to the application of EN 50126 for safety
• TR 50126-3 (2006): Guide to the application of EN 50126 for rolling stock
• TR 50506-1 (2007): Guide to the application of EN 50129 – Part 1: Cross Acceptance
• TR 50506-2 (2008): Guide to the application of EN 50129 – Part 2: Safety Assurance

Page 5: NEW CENELEC STANDARDS & CSM-RA

OVERVIEW OF NEW RAILWAY SAFETY STANDARDS

System level
• EN 50126-1 (2017): The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
• EN 50126-2 (2017): Systems Approach to Safety

Subsystem (product) level
• EN 50129 (2018): Communication, signalling and processing systems – Safety related electronic systems for signalling
• EN 50128 (2011): Communications, signalling and processing systems – Software for railway control and protection systems

Guidance
• TR 50506-1 (2007): Guide to the application of EN 50129 – Part 1: Cross Acceptance
• TR 50506-2 (2008): Guide to the application of EN 50129 – Part 2: Safety Assurance

Page 6: NEW CENELEC STANDARDS & CSM-RA

SAFETY STANDARDS RELATIONSHIPS

[Diagram, adapted after the EN 50129 / IEC WG group figure]

General standard (generic)
• EN 61508 "Functional safety of electrical/electronic/programmable electronic safety-related systems"

Specific sector / application
• Railway Applications: EN 50126 (entire railway system)
• Other sectors (e.g. machinery / process control): IEC 61551 Process sector safety system standard for safety instrumented systems designers, integrators and users; IEC 62061 Safety of machinery – Functional safety of electrical/electronic/programmable control systems
• Other: where no other sector/application standard exists

Railway sub-system / product (railway signalling)
• EN 50129: System (HW+SW)
• EN 50128: SW

Page 7: NEW CENELEC STANDARDS & CSM-RA

RAILWAY SAFETY STANDARDS - SUBSYSTEM

CENELEC SC9X / S-509

SC9XA Signalling
• EN 50126-1 & 2 (2017): Railway Applications - The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
• EN 50129 (2018): Communication, signalling and processing systems – Safety related electronic systems for signalling
• EN 50128 (2011): Communications, signalling and processing systems - Software for railway control and protection systems

SC9XB Rolling Stock
• EN 50155 (2017): Electronic equipment used on rolling stock
• EN 50657 (2017): Rolling stock applications - Software on board of rolling stock, excluding railway control and protection applications

SC9XC Fixed Installation
• EN 50562 (2018): Process, measures and demonstration of safety for electric traction systems

Page 8: NEW CENELEC STANDARDS & CSM-RA

EN 50126 OLD & NEW IN COMPARISON

Similarities
• System approach for RAMS
• Risk based approach
• RAMS lifecycle
• Safety demonstration principles

New/changed
• More mature and consistent
• CSM-RA approach
• Multilevel system approach (hierarchies)
• Aligned risk evaluation
• Safety demonstration
• Safety requirements specification
• Guidance as an integrated part
• Clear linkage to TSI

Improved/detailed
• Clear hazard identification and classification
• Classification of safety requirements
• Method to derive THR from statistics
• Safety Case structure
• Modularity
• Handling of product / generic / specific application
• Safety apportionment methods
• Key system safety roles & responsibilities

Page 9: NEW CENELEC STANDARDS & CSM-RA

EN 50126-1

General
• 1: Scope
• 2: Normative references
• 3: Terms & definitions
• 4: Abbreviations

Main clauses
• 5: Railway RAMS
• 6: Management of Railway RAMS – general requirements
• 7: RAMS life cycle
• 8: Safety Case

Annexes
• Annex A: RAMS Plan
• Annex B: Examples of parameters for railway
• Annex C: Risk Management – calibration and risk acceptance categories
• Annex D: Guidance on system definition
• Bibliography

(The slide marks each clause and annex as normative or informative and flags three items as new.)

Page 10: NEW CENELEC STANDARDS & CSM-RA

EN 50126-2

General
• 1: Scope
• 2: Normative references
• 3: Terms & definitions
• 4: Abbreviations

Main clauses
• 5: Safety Process
• 6: Safety Demonstration
• 7: Organisation and independence of roles
• 8: Risk Assessment
• 9: Specification of system safety requirements
• 10: Apportionment of functional safety integrity requirements
• 11: Design & Implementation

Annexes
• Annex A: ALARP, GAME, MEM
• Annex B: Using failure and accident statistics to derive a THR
• Annex C: Guidance on SIL allocation
• Annex D: Safety target apportionment methods
• Bibliography

(The slide marks each clause and annex as normative or informative.)

Page 11: NEW CENELEC STANDARDS & CSM-RA

PRODUCTS IN CENELEC PROCESS

EN 50126
• Provides the overall process for development of products
• Lifecycle
• Hazard identification and management
• Safety requirements identification and apportionment
• Safety target (THR, TFFR, SIL)
• Implementation evidence
• Documentation

EN 50129 / EN 50128
• Provide the process for development of products
• Tailored system/hardware/software development process
• Detailed analysis of failure and hazard control
• SIL demonstration
• Product specific implementation evidence
• Product specific documentation

Page 12: NEW CENELEC STANDARDS & CSM-RA

EN 50129

General
• 1: Scope
• 2: Normative references
• 3: Definitions
• 4: Overview

Main clauses
• 5: Requirements for developing electronic systems
• 6: Requirements for external elements
• 7: Safety Case
• 8: Acceptance and subsequent phases

Annexes
• Annex A: Safety Integrity Level (SIL)
• Annex B: Management of faults
• Annex C: HW component failure modes
• Annex E: SIL-based techniques
• Annex F: Programmable components
• Bibliography

(The slide marks each clause and annex as normative or informative.)

Page 13: NEW CENELEC STANDARDS & CSM-RA

CSM-RA VERSUS EN 50126

CSM-RA
• Focus on a change
• Significance
• Emphasis on hazard identification & control
• Hazard normally controlled by well known measures
• Independent safety assessor as NSA proxy

EN 50126
• Can be applied for changes and products
• Always applicable
• Life cycle approach in hazard identification and control
• Generic control of hazards
• Verification and validation process
• Independent safety assessor to ensure process
• Functional Safety & Safety Integrity
• RAM (dependability)

Page 14: NEW CENELEC STANDARDS & CSM-RA

CSM-RA IN SHORT

[Flowchart of the CSM-RA risk management process; the steps below are read from the figure.]

Significance evaluation: CSM-RA relevant?
• Preliminary System Definition
• Significant Change? If no: justify and document the decision.

System Definition: the change in short
• System Definition (Scope, Functions, Interfaces, etc.)

Hazard identification: what is the risk?
• Hazard Identification (What can happen? When? Where? How? etc.)
• Broadly Acceptable Risk? If yes: justify and document the decision.
• Hazard Classification (How critical?)

Risk evaluation: how to control risk
• Selection of Risk Acceptance Criteria: Codes of Practice, Similar Reference System(s) or Explicit Risk Estimation
• Application of Code of Practice, or Similarity Analysis with Reference System(s), or Risk Analysis (Identification of Scenarios & associated Safety Measures; Estimate Frequency, Estimate Severity, Estimate Risks, qualitative or quantitative; Safety Criteria?)
• Comparison with Criteria: Acceptable Risks? If no: iterate the analysis.

Risk Acceptance: control risk
• Safety Requirements (i.e. the Safety Measures to be implemented)

Safety documentation: risk was in control
• Demonstration of the compliance with the safety requirements
• Hazard Record
• Safety Documentation

The figure maps these steps onto the EN 50126 life cycle (system definition, concept, design, implementation): EN 50126 covers the risk assessment steps, while EN 50129/EN 50128 cover design and implementation.

Page 15: NEW CENELEC STANDARDS & CSM-RA

CSM-RA SUPPORTED BY EN 50126

CSM-RA
• The legal framework
• System definition
• Risk management process
• Requires a systematic process
• Requires documentation for hazard control

EN 50126
• Hierarchical system definition model
• Detailed risk management process & evaluation principles
• The systematic process
• Standard lifecycle to be tailored to the project
• Detailed risk management process
• Engineering process requirements
• Provides the principles for safety documentation
• Safety Case structure
• Verification & Validation process

The Good Process

Page 16: NEW CENELEC STANDARDS & CSM-RA

EN 50126 LIFECYCLE COMPARED TO CSM-RA PROCESS

EN 50126 life cycle phases
• 1: Concept
• 2: System definition and Operational Context
• 3: Risk Analysis and Evaluation
• 4: Specification of System Requirements
• 5: Architecture and Apportionment of System Requirements
• 6: Design and Implementation
• 7: Manufacture
• 8: Integration
• 9: System Validation
• 10: System Acceptance
• 11: Operation and Maintenance
• 12: De-commissioning and Disposal

CSM-RA process steps shown alongside
• Preliminary System Definition: Significant?
• System Definition
• Hazard Identification and classification
• Risk Analysis: Code of Practice, Similar Reference System or Explicit Risk Estimation
• Risk Evaluation vs risk acceptance criteria
• Safety Requirements
• Demonstration of Compliance with Safety Requirement

Running across the whole process: Risk Assessment, Hazard Management, Independent Safety Assessment.

Page 17: NEW CENELEC STANDARDS & CSM-RA

[Diagram of actors and responsibilities across CSM-RA and CENELEC]

Proposer (CSM-RA, Railway Duty Holder's responsibility, legal framework)
• System Definition
• Risk analysis
• Risk evaluation
• System requirements
• Safety Measures & Safety requirements: Code of Practice, Reference system, Functional/technical/context
• Hazard analysis
• Demonstration of compliance

Actor (CENELEC, Supplier's responsibility, contractual arrangement)
• Hazards passed between System, Sub System and Products
• Additional Hazards / Application Conditions fed back to the proposer

Page 18: NEW CENELEC STANDARDS & CSM-RA

SYSTEM DEFINITION

• Functional Requirements: what the system shall do
• Contextual Requirements: the operational environment
• Technical Requirements: ensure the system function

Page 19: NEW CENELEC STANDARDS & CSM-RA

HAZARD IDENTIFICATION & ACCEPTANCE

[Diagram: hazards (HZ) from the system definition and from interfaces (interface hazards) are each allocated to one risk acceptance principle: Code of Practice (1), Code of Practice (2), Code of Practice (3), Reference system (which may show a lack of hazards) or Explicit Risk Evaluation. Hazard handling is then carried out under CENELEC.]

Page 20: NEW CENELEC STANDARDS & CSM-RA

EXAMPLE

Hazards
• Trains too close -> separate (block sections)
• Block sections indicate free while occupied
• Indicate free/occupied: axle counter

Layers shown in the figure
• Specific Application (CSM-RA, EN 50126): hazard related to the specific application
• Generic Application SC: hazard related to the generic application
• Generic Product SC (EN 50129, EN 50128): failures/hazards in the product

Page 21: NEW CENELEC STANDARDS & CSM-RA

[Diagram: allocation of hazards and safety demonstration]

CSM-RA side (EN 50126)
• Proposer's Hazard Record (log/register)
• System Definition
• Specific Appl. Safety Case(s) (EN 50126)

CENELEC side (EN 50129 / EN 50128)
• Supplier Hazard Log (specific log/register)
• System Definition
• Generic Product Safety Case(s) (EN 50129, EN 50128)
• Generic Appl. Safety Case(s) (EN 50129)

Allocation of hazards flows from the CSM-RA side to CENELEC; implementation, safety demonstration and safety documentation flow back, closing the hazards.

Page 22: NEW CENELEC STANDARDS & CSM-RA

APPLICATION OF CENELEC STANDARDS ON SYSTEM/SUBSYSTEM LEVEL

• Hazards identified in CSM-RA (Hazard, Hazard, Hazard)
• System: EN 50126 systematic process, with a SIL requirement per hazard
• Hardware: EN 50129 hardware development process
• Software: EN 50128 software development process
• System Integration: EN 50129

Page 23: NEW CENELEC STANDARDS & CSM-RA

HAZARD RATES & SIL - PRINCIPLE

[Diagram: functional hazards enter a Functional Safety System. Hazards not controlled by the system pass through at their hazard rate; a system failure leaves a hazard not fully mitigated. The safety functionality controls the remaining hazards; its hazard rate determines the Safety Integrity (SIL).]

Page 24: NEW CENELEC STANDARDS & CSM-RA

SAFETY INTEGRITY

SIL quantitative target (TFFR, Tolerable Functional Failure Rate)

SIL | TFFR
4   | 10^-9 < TFFR < 10^-8
3   | 10^-8 < TFFR < 10^-7
2   | 10^-7 < TFFR < 10^-6
1   | 10^-6 < TFFR < 10^-5

SIL qualitative measures (defined in the sector specific standards EN 50129 / EN 50128)
• Quality Management Conditions: compliance to basic integrity measures
• Safety Management Conditions: compliance to the safety integrity measures
• Technical Safety Measures: compliance to the safety integrity measures
• Quantitative target (TFFR): demonstration of quantitative targets

Page 25: NEW CENELEC STANDARDS & CSM-RA

CSM-RA & SAFETY CASE

Safety Case structure (CENELEC)
• 1: Definition of System (system description)
• 2: Quality Management Report (QA system description, QA audit)
• 3: Safety Management Report (Safety Plan, safety management audit, Hazard Log activities)
• 4: Technical Safety Report (Hazard Log register, evidence of implementation, safety analysis)
• 5: Related Safety Cases
• 6: Conclusion (executive summary, introduction, what is done)

CSM-RA elements mapped onto the Safety Case
• Hazard Record
• System definition
• Safety requirements
• Risk Management

Page 26: NEW CENELEC STANDARDS & CSM-RA

[V-model of the EN 50126 life cycle, shown twice: once annotated with feedback on RAMS into risk analysis and control of RAMS requirements, once with the Safety Case.]

• 1: Concept
• 2: System Definition and Operational Concept
• 3: Risk Analysis and Evaluation
• 4: Specification of System Requirements
• 5: Architecture & Apportionment of System Requirements
• 6: Design and Implementation
• 7: Manufacture
• 8: Integration
• 9: System Validation
• 10: System Acceptance
• 11: Operation, Maintenance, Performance Monitoring
• 12: Decommissioning

Page 27: NEW CENELEC STANDARDS & CSM-RA

V & V INDEPENDENCE ARRANGEMENTS

[Three organisation charts, each with Project Management over Design, Verifier and Validator, and an Independent Safety Assessor outside the project. For SIL 4 / SIL 3 (vital) two alternative arrangements are shown ("OR"), in which the Validator is independent of the project. For SIL 2 / SIL 1 (basic integrity) the Validator sits within the project.]

Page 28: NEW CENELEC STANDARDS & CSM-RA

CENELEC & CSM-RA

New EN 50126 & EN 50129
• No contradiction with CSM-RA – but a good Code of Practice for the process
• CENELEC -> provide the good practice
• Fill-in on products

Page 29: NEW CENELEC STANDARDS & CSM-RA

2017

New CENELEC Standards & CSM-RA

THANK YOU

QUESTIONS?

STIG MUNCK

[email protected]
+45 5161 6375