new cenelec standards & csm-ra - trafikstyrelsen/media/dokumenter/07 jernbane/11... · 2017 new...
TRANSCRIPT
2017NEW CENELEC STANDARDS & CSM-RA
2017
NEW CENELEC STANDARDS& CSM-RA
2017NEW CENELEC STANDARDS & CSM-RA
AGENDA
• New EN 501xx Standards
• What is new/changed/improved
• The use of CENELEC inCSM-RA process
2017NEW CENELEC STANDARDS & CSM-RA
CENELEC & CSM-RA TIMELINE
EN50126 EN50128 EN50129ENV50126 EN50128
1995 1999 2001 2003 2011
EN50129
2017
EN50126
2018
CSM-RA352/2009
2010
EN61508
2000
EN61508
2010
2012
CSM-RA402/2013
CSM-RA1136/2015
2015
TR50126-2
TR50126-3
2006 2007
TSI
2017NEW CENELEC STANDARDS & CSM-RA
OVERVIEW OF CURRENT RAILWAYSAFETY STANDARDS
SystemLevel
EN 50126The Specification and
Demonstration of Reliablity,Availablity, Maintainability and
Safety (RAMS)
EN 50129Communication, signalling and processing
systems –Safety related electronic systems for
signalling
EN 50128
protection systems
EN 50128Communications, signalling and
processing systems -Software for railway control and
protection systems
TR 50126-3Guide to the application of EN
50126 for rolling stock
2006
TR 50126-2Guide to the application of EN
50126 for safety
2007
1999
TR 50506-1Guide to the application of EN
50129 –Part 1: Cross Acceptance
2007
TR 50506-2Guide to the application of EN
50129 –Part 2: Safety Assurance
2008
2003
2011SubSystem(Product)
Guidance
Guidance2001
2017NEW CENELEC STANDARDS & CSM-RA
OVERVIEW OF NEW RAILWAYSAFETY STANDARDS
SystemLevel
EN 50126The Specification and
Demonstration of Reliablity,Availablity, Maintainability and
Safety (RAMS)
EN 50129Communication, signalling and processing
systems –Safety related electronic systems for
signalling
EN 50128
protection systems
EN 50128Communications, signalling and
processing systems -Software for railway control and
protection systems
EN 50126-2Systems Approach to Safety
20172017
TR 50506-1Guide to the application of EN
50129 –Part 1: Cross Acceptance
2007
TR 50506-2Guide to the application of EN
50129 –Part 2: Safety Assurance
2008
2018
2011SubSystem(Product)
Guidance
Guidance
2017NEW CENELEC STANDARDS & CSM-RA
SAFETY STANDARDS RELATIONSHIPS
EN 50126
EN 61508 ”FUNCTIONAL SAFETY OFELECTRICAL/ELECTRONIC/PROGRAMMABLE
ELECTRONIC SAFETY-RELATED SYSTEMS”
EN 50129SystemHW+SW
EN 50128SW
Entire Railway system
Railwaysignalling
Other
IEC 61551 ProcessSector Safety SystemStandard for SafetyInstrumented SystemsDesigners, Integratorsand Users
IEC 62061, Safety ofmachinery Functionalsafety of electrical/electronic/programmable controlsystems
Other sectors(e.g. machinery / process control)
General standard(generic)
Specific sector /application
Railwaysub-system/ Product
Where noother sector/applicationexists
Adapted after EN 50129 / IEC WG group
Railway Applications
2017NEW CENELEC STANDARDS & CSM-RA
RAILWAY SAFETY STANDARDS - SUBSYSTEM
EN 50126-1 & 2Railway Applications - The Specification and
Demonstration of Reliability, Availability, Maintainabilityand Safety (RAMS)
EN 50129Communication, signalling andprocessing systems –Safety related electronic systemsfor signalling
EN 50128Communications, signalling andprocessing systems -Software for railway control andprotection systems
2017
2018
2011
EN 50155Electronic equipment used onrolling stock
EN 50657Rolling stock applications -Software on board ofrolling stock,excluding railway control andprotection applications
2017
2017
EN 50562Process, measures anddemonstration of safety forelectric traction systems
2018SC9XA
SC9X / S-509
SC9XB SC9XC
Signalling Rolling Stock Fixed Installation
2017NEW CENELEC STANDARDS & CSM-RA
EN 50126 OLD & NEW IN COMPARISON
Similarities• System approach for
RAMS
• Risk based approach
• RAMS lifecycle
• Safety demonstrationprinciples
New/changed• More mature and consistent
• CSM-RA approach
• Multilevel system approach(hierarchies)
• Aligned risk evaluation
• Safety demonstration
• Safety requirements Spec.
• Guidance integrated part
• Clear linkage to TSI
Improved/detailed• Clear hazard identification and
classification
• Classification of safetyrequirements
• Method to derive THR fromstatistics
• Safety Case structure
• Modularity
• Handling of product/Generic /specific Application
• Safety Apportionment methods
• Key system safety roles &responsibilities
2017NEW CENELEC STANDARDS & CSM-RA
EN 50126-1
General1: Scope2: Normative reference3: Terms & Definition4: Abbreviation
5: Railway RAMS 6: Management ofRailway RAMS –
general requirements7: RAMS Life cycle 8: Safety Case
Annex DGuidance on system
definition
Annex BExamples of
parameters for railway
Annex ARAMS Plan
Annex CRisk Management
Calibration and riskacceptance categories
Bibliography
Norm
ativeInform
ative
New
New New
2017NEW CENELEC STANDARDS & CSM-RA
EN 50126-2
General1: Scope2: Normative reference3: Terms & Definition4: Abbreviation
5: Safety Process
6: SafetyDemonstration
7: Organisation andindependence of
roles8: Risk Assessment
Annex AALARP, GAME, MEM
Annex BUsing failure and
accident statistics toderive a THR
Annex DSafety Target
Apportionmentmethods
Annex CGuidance on SIL
Allocation
Bibliography
Norm
ativeInform
ative
9: Specification ofsystem safetyrequirements
10: Apportionmentof functional safety
integrityrequirements
11: Design &Implementation
2017NEW CENELEC STANDARDS & CSM-RA
PRODUCTS IN CENELEC PROCESS
EN 50126• Provide the overall process for
development of products
• Lifecycle
• Hazard identification and management
• Safety requirements identification andapportionment
• Safety target (THR, TFFR, SIL)
• Implementation evidence
• Documentation
50129/50128• Provide the process for development of
products
• Tailored system/hardware/softwaredevelopment process
• Detailed analysis of failure and hazardcontrol
• SIL demonstration
• Product specific implementation evidence
• Product specific documentation
2017NEW CENELEC STANDARDS & CSM-RA
EN 50129
General1: Scope2: Normative reference3:Definition
4: Overview
5: Requirements forDeveloping electronic
systems
6: Requirements forexternal elements 7: Safety Case 8: Acceptance and
subsequent phases
Annex CHW component failure
modes
Annex ASafety Integrity Level
(SIL)
Annex ESIL-based techniques
Annex BManagement of faults
Annex FProgrammableComponents
Bibliography
Norm
ativeInform
ative
2017NEW CENELEC STANDARDS & CSM-RA
CSM-RA VERSUS EN50126
CSM-RA• Focus on a change
• Significance
• Emphasis on hazard identification &control
• Hazard normally controlled by well knownmeasures
• Independent safety assessor as NSAproxy
EN 50126• Can be applied for changes and products
• Always applicable
• Life cycle approach in hazardidentification and control
• Generic control of hazards
• Verification and validation process
• Independent safety assessor to ensureprocess
• Functional Safety & Safety Integrity
• RAM (dependability)
2017NEW CENELEC STANDARDS & CSM-RA
CSM-RA IN SHORT
Preliminary SystemDefinition
SignificantChange?
Justify and documentdecision
System Definition(Scope, Functions, Interfaces, etc.)
Hazard Identification( What can happen?, When?, Where?, How? Etc.)
BroadlyAcceptable
Risk?
Selectionof Risk Acceptance
Criteria
EstimateFrequency
EstimateSeverity
Estimate Risks
Hazard Classification(How critical?)
Comparisonwith Criteria
AcceptableRisks?
Safety Requirements(i.e. the Safety Measures to be implemented)
Demonstration of the compliance withthe safety requirements
Justify anddocument decision
Application ofCode ofPractice
SimilarityAnalysis with
ReferenceSystem(s)
Codes of Practice Similar ReferenceSystem(s)
Explicit RiskEstimation
Identification ofScenarios & associated
Safety Measures
SafetyCritera?
RiskAnalysis
Qualitative
Quantitative
Yes
No No
Yes
Comparisonwith Criteria
AcceptableRisks?
Comparisonwith Criteria
AcceptableRisks?
Risk Evaluation
Yes
No
RiskAssessment
Yes
No
No
Yes
Significance evaluationCSM-RA relevant ?
System DefinitionThe Change in short
Hazard identificationWhat is the risk?
Risk evaluationHow to control risk
Risk AcceptanceControl risk
Safety documentationRisk was in control
Hazard Record
Safety Documentation
Concept Design Imple-mentation
Systemdefinition
EN50126
EN50126
EN50126
EN50129/EN50128
EN50129/EN50128
EN50126
EN50126
EN50
126
2017NEW CENELEC STANDARDS & CSM-RA
CSM-RA SUPPORTED BY EN50126
CSM-RA
• The Legal framework
• System definition
• Risk Management process
• Require systematic process
• Require documentation for hazard control
EN 50126
• Hierarchical system definition model
• Detailed risk management process &evaluation principles
• The systematic process
• Standard lifecycle to be tailored to project
• Detailed risk management process
• Engineering process requirements
• Provide the principles for safetydocumentation
• Safety Case structure
• Verification & Validation process
The Good Process
2017NEW CENELEC STANDARDS & CSM-RA
Concept
System definitionand Operational
Context
1
2
Risk Analysis andEvaluation
3
Specification ofSystem Requirements
4
Architecture andApportionment
of SystemRequirements
5
Design andImplementation
6
Manufacture
7
Integration
8
System Validation
9
System Acceptance
10Operation andMaintenance
11De-commissioning
and Disposal
12
Code ofPractice
SimilarReferenceSystem
Explicit RiskEstimation
Hazard Identification andclassification
Risk Analysis
System Definition
Risk Evaluationvs risk acceptance criteria
Safety Requirements
Risk Assessment
Prelim. System DefinitionSignificant
?
Demonstration of Compliance with Safety Requirement
Ind
epen
den
tS
afet
yA
sses
smen
t
Hazard
Man
agem
ent
CSM-RA
EN 50126 LIFECYCLE COMPARED TOCSM-RA PROCESS
2017NEW CENELEC STANDARDS & CSM-RA
System DefinitionRisk analysisRisk evaluation
System requirements
Safety Measures &Safety requirements
• Code Of practice• Reference system• Functional/technical/context
Hazard analysis
Demonstration of compliance
Lega
lfra
mew
ork
Con
trac
tual
Arr
ange
men
tRailway Duty
Holder’sresponsibility
Supplier’sResponsibility
Additional HazardsApplication Conditions
Proposer
Actor
CENELEC
CSM-RA
Hazard Hazard
SystemSub System
Products
2017NEW CENELEC STANDARDS & CSM-RA
SYSTEM DEFINITION
Functional RequirementsWhat the system shall do
Contextual RequirementsThe operational environment
Technical RequirementsEnsure the system function
2017NEW CENELEC STANDARDS & CSM-RA
HAZARD IDENTIFICATION & ACCEPTANCEInterfaceHazards
SystemdefinitionInterface
Hazards InterfaceHazards
HZ
HZ
HZ
HZ
HZ
HZ
HZ
Hazard
Hazard
Hazard
Code of Practice (1)
HZ
Hazard
Hazard
Code of Practice (2)
HZHazard
Code ofPractice (3)
HazardReference
HZ
Code Of Practice
Reference systemLack ofHazards
Explicit Risk Evaluation
CENELEC
2017NEW CENELEC STANDARDS & CSM-RA
EXAMPLE
Hazards
Trains too close - > separate
Block sections
indicate freewhile occupied
Indicate free/occupied Axle counter
EN50129
EN50128
EN50126
GenericProduct
SC
GenericApplication
SC
CSM-RA
Specific Appl.
Specific
Failures/Hazards in Product
Hazard related to Generic Appl.
Hazard related to Specific Appl.
2017NEW CENELEC STANDARDS & CSM-RA
LogRegister
Proposer’s Hazard Record
Generic Appl.Safety Case(s)
Specifc logRegister
Supplier Hazard Log
SystemDefintion
SystemDefintion
CSM-RA
Generic ProductSafety Case(s)
CENELEC
CENELEC
EN50126
EN50129
EN50128
EN50129
Specific Appl.Safety Case(s)
EN50126
Safety Demonstration
SafetyDcoumentation
CSM-RA
CENELECCLOSE
Allocation of hazards
Implementation
2017NEW CENELEC STANDARDS & CSM-RA
SUb
APPLICATION OF CENELEC STANDARDS ONSYSTEM/SUBSYSTEM LEVEL
Software
SystemIntegration
Hardware
EN 50126 systematicprocessSystem
EN 50129 Hardwaredevelopment process
Hazards identified in CSM-RA
Hazard HazardHazard
EN 50128 Softwaredevelopment process
SIL requirement
EN 50129 SystemIntegration
2017NEW CENELEC STANDARDS & CSM-RA
HAZARD RATES & SIL - PRINCIPLE
Functional Safety System
Hazard not fully mitigated
System Failure
Safety functionality
Hazard rateHazard not controlled by system
HazardsFunctional
Hazard rate
Safety Integrity (SIL)
2017NEW CENELEC STANDARDS & CSM-RA
SAFETY INTEGRITY
SIL QualitativeMeasures
QualityManagementConditions
SafetyManagementConditions
TechnicalSafety
Measures Tolerable FunctionalFailure Rate
10-9 < TFFR < 10-8
10-8 < TFFR < 10-7
10-7 < TFFR < 10-6
10-6 < TFFR < 10-5
Compliance to Basic Integrity measures
Complianceto the Safety Integrity measures
Demonstrationof
QuantitativeTargets
SIL QuantitativeTarget (TFFR)
SIL
4
3
2
1
SIL QualitativeMeasures
Defined insector specific
standardEN50129/EN50128
2017NEW CENELEC STANDARDS & CSM-RA
CSM-RA & SAFETY CASE
Definition of System
Quality Management Report
Safety Management Report
Technical Safety Report
Related Safety Cases
Conclusion
System description
QA System description
QA Audit
Safety Plan
Safety Management Audit
Hazard Log (activities)
Hazard Log (register)
Evidence of implementation
Safety Analysis
Executive summary
Introduction
What is done
1
2
3
4
5
6
Hazard Record
System definition
Safety requirements
CSM-RA CENELEC
Risk Management
2017NEW CENELEC STANDARDS & CSM-RA
Concept
System Definition andOperational Concept
Risk Analysis andevaluation
Architecture &Apportionment of Sys. Req
Specification ofSystem Requirements
Design andImplementation
1
2
3
Manufacture
Integration
System Validation
System Acceptance
Operation, MaintenancePerformance Monitoring
Decom
missioning
4
5
6 7
8
9
10
11
Feedback onRAMS intorisk analysis
Control ofRAMSRequirements
12
Concept
System Definition andOperational Concept
Risk Analysis andevaluation
Architecture &Apportionment of Sys. Req
Specification ofSystem Requirements
Design andImplementation
1
2
3
Manufacture
Integration
System Validation4
5
6 7
8
9
SafetyCase
2017NEW CENELEC STANDARDS & CSM-RA
V & V INDEPENDENCE ARRANGEMENTS
OR
Project Management
Design Verifier Validator
Project Management
Design Verifier Validator
Independentof project
Independentof project
Project Management
Design Verifier Validator
SIL 4 / SIL 3(Vital)
SIL 2 / SIL 1Basic Integrity
IndependentSafety
Assessor
IndependentSafety
Assessor
IndependentSafety
Assessor
2017NEW CENELEC STANDARDS & CSM-RA
CENELEC & CSM-RA
New EN 50126 & EN 50129
• No Contradiction with CSM-RA – but a good Code of Practice for the process
• CENELEC -> provide the good practice
• Fill-in on products
2017NEW CENELEC STANDARDS & CSM-RA
2017
New CENELEC StandardS& CSM-RA
THANK YOU
QUESTIONS ?
STIG MUNCK
[email protected]+45 5161 6375