SIST-TP CLC/TR 50451:2007

SLOVENSKI STANDARD
SIST-TP CLC/TR 50451:2007
01-oktober-2007
1DGRPHãþD
SIST R009-004:2002
äHOH]QLãNHQDSUDYH±6LVWHPDWLþQDUD]SRUHGLWHY]DKWHYYDUQRVWQHLQWHJULWHWH
Railway applications - Systematic allocation of safety integrity requirements
Bahnanwendungen — Systematische Zuordnung von
Sicherheitsintegritätsanforderungen
Applications ferroviaires - Allocation systématique des exigences d'intégrité de la
sécurité
Ta slovenski standard je istoveten z: CLC/TR 50451:2007
ICS:
45.020 Železniška tehnika na Railway engineering in
splošno general
SIST-TP CLC/TR 50451:2007 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST-TP CLC/TR 50451:2007

---------------------- Page: 2 ----------------------

SIST-TP CLC/TR 50451:2007


TECHNICAL REPORT
CLC/TR 50451

RAPPORT TECHNIQUE
May 2007
TECHNISCHER BERICHT

ICS 45.020;93.100 Supersedes R009-004:2001


English version


Railway applications –
Systematic allocation of safety integrity requirements



Applications ferroviaires –  Bahnanwendungen –
Allocation systématique des exigences Systematische Zuordnung von
d'intégrité de la sécurité Sicherheitsintegritätsanforderungen







This Technical Report was approved by CENELEC on 2006-02-18.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Cyprus, the
Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia,
Slovenia, Spain, Sweden, Switzerland and the United Kingdom.





CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung

Central Secretariat: rue de Stassart 35, B - 1050 Brussels


© 2007 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. CLC/TR 50451:2007 E

---------------------- Page: 3 ----------------------

SIST-TP CLC/TR 50451:2007
CLC/TR 50451:2007 - 2 -
Foreword

This Technical Report was prepared by SC 9XA, Communication, signalling and processing systems, of
Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways.

The text of the draft was circulated for vote in accordance with the Internal Regulations, Part 2,
Subclause 11.4.3.3 and was approved by CENELEC as CLC/TR 50451 on 2006-02-18.

This Technical Report supersedes R009-004:2001.
__________

---------------------- Page: 4 ----------------------

SIST-TP CLC/TR 50451:2007
- 3 - CLC/TR 50451:2007
Contents

Executive summary . 4
Introduction . 7
1 Scope. 8
2 References. 9
2.1 Normative references. 9
2.2 Informative references. 9
3 Definitions. 10
4 Symbols and abbreviations . 17
5 Safety Integrity Levels allocation framework . 18
5.1 Prerequisites. 18
5.2 Overview of the methodology . 18
5.3 Definition of Safety Integrity Levels. 22
5.4 Qualitative vs quantitative methods . 23
5.4.1 Qualitative assessment.23
5.4.2 Quantitative assessment.24
5.5 EN 50126-1 lifecycle context . 25
6 System definition. 27
7 Hazard identification. 28
7.1 General principles. 28
7.2 Empirical hazard identification methods. 30
7.3 Creative hazard identification methods. 30
7.4 Hazard ranking. 31
7.5 Existing hazard lists. 31
8 Risk analysis. 31
8.1 Risk tolerability. 31
8.2 Determination of Tolerable Hazard Rate. 32
8.2.1 Qualitative risk analysis . 32
8.2.2 Quantitative risk analysis. 34
8.2.3 GAMAB and similar approaches. 40
8.2.4 The MEM approach. 41
8.2.5 Other approaches. 42
9 System design analysis. 42
9.1 Apportionment of safety integrity requirements to functions. 43
9.1.1 Physical independence.44
9.1.2 Functional independence.45
9.1.3 Process independence. 46
9.2 Use of SIL tables . 46
9.3 Identification and treatment of new hazards arising from design. 47
9.4 Determination of function and subsystem SIL. 48
9.5 Determination of safety integrity requirements for system elements . 50

Annex A Single-line signalling system example. 52
Annex B Level crossing example. 67
Annex C Comparison of demand and continuous mode . 77
Annex D Frequently asked questions . 87

---------------------- Page: 5 ----------------------

SIST-TP CLC/TR 50451:2007
CLC/TR 50451:2007 - 4 -
Executive summary

This Technical Report presents a systematic methodology to determine safety integrity requirements for
railway signalling equipment, taking into account the operational environment and the architectural design
of the signalling system.

At the heart of this approach is a well defined interface between the operational environment and the
signalling system. From the safety point of view this interface is defined by a list of hazards and tolerable
hazard rates associated with the system. It should be noted that the purpose of this approach is not to
limit co-operation between suppliers and railway authorities but to clarify responsibilities and interfaces.

It is the task (summarized by the term Risk Analysis) of the Railway Authority
• to define the requirements of the railway system (independent of the technical realisation),
• to identify the hazards relevant to the system,
• to derive the tolerable hazard rates, and
• to ensure that the resulting risk is tolerable (with respect to the appropriate risk tolerability criteria).


Definition
System Design Analysis
Figure 0.1 - Global process overview

The only requirement is that the tolerable hazard rates must be derived taking into account the risk
tolerability criteria. Risk tolerability criteria are not defined by this Technical Report, but depend on
national or European legislative requirements.

---------------------- Page: 6 ----------------------

SIST-TP CLC/TR 50451:2007
- 5 - CLC/TR 50451:2007
Among the risk analysis methods two are proposed in order to estimate the individual risk explicitly, one
more qualitative, the other more quantitative. Other methods, similar to the GAMAB principle, do not
explicitly determine the resulting risks, but derive the tolerable hazard rates from comparison with the
performance of existing systems, either by statistical or analytical methods. Alternative qualitative
approaches are acceptable, if as a result they define a list of hazards and corresponding THR. The
specification of the system requirements comprising performance and safety (THR) terminates the
Railway Authority’s task.
Near misses
SYSTEM Definition
withTarget
System DESIGN ANALYSIS

Figure 0.2 - Example Risk Analysis process

The supplier’s task (summarized by the term System Design Analysis) comprises
• definition of the system architecture,
• analysis of the causes leading to each hazard,
• determination of the safety integrity requirements (SIL and hazard rates) for the subsystems,
• determination of the reliability requirements for the equipment.

---------------------- Page: 7 ----------------------

SIST-TP CLC/TR 50451:2007
CLC/TR 50451:2007 - 6 -
Causal analysis constitutes two key stages. In the first phase the tolerable hazard rate for each hazard is
apportioned to a functional level. Safety Integrity Levels (SIL) are defined at this functional level for the
subsystems implementing the functionality. The hazard rate for a subsystem is then translated to a SIL
using the SIL table.

During the second phase the hazard rates for subsystems are further apportioned leading to failure rates
for the equipment, but at this physical implementation level the SIL remains unchanged. Consequently
also the software SIL defined by EN 50128 would be the same as the subsystem SIL but for the
exceptions described in EN 50128.

The apportionment process may be performed by any method which allows a suitable representation of
the combination logic, e.g. reliability block diagrams, fault trees, binary decision diagrams, Markov models
etc. In any case particular care must be taken when independence of items is required. While in the first
phase of the causal analysis functional independence is required, physical independence is sufficient in
the second phase. Assumptions made in the causal analysis must be checked and may lead to safety-
relevant application rules for the implementation.

From Risk

Analysis



List of

hazards

and THR





Undetected failure Undetetced failure Undetected failure
of power supply of road-side of LC controller
warnings
Late or no switch-in Undetected failure Undetetced failure Undetected failure 1E-7 1E-7
1E-7
LC set back to
of power supply of road-side of LC controller
warnings normal position
1E-7 1E-7 1E-7
1E-7
Check
System
....
independence
Undetected failure Undetected architecture
of light signals failure of barriers

assumptions
7E-6 7E-6
Undetected failure
Undetected Undetected failure Undetected
of switch-in failute of distant
of light signals failure of barriers
function signal
1E-7
7E-6 7E-6



....



SIL and THR
Determine THR

for subsystems
SIL table
and SIL




Apportion SIL and FR

hazard rates to for
elements elements



Figure 0.3 - Example System Design Analysis process

Both, the risk analysis and the system design analysis, have to be approved by the Railway Safety
Authority.

However whilst the risk analysis may be carried out once at the railway level, the system design analysis
must be performed for every new architecture. It is prudent to review the risk analysis and system design
analysis when safety related changes are introduced.

---------------------- Page: 8 ----------------------

SIST-TP CLC/TR 50451:2007
- 7 - CLC/TR 50451:2007
Introduction

Historically the interoperability of European railways was not only hindered by incompatible technology
but also by different approaches towards safety. The common European market is the main driving force
behind the harmonisation of the different safety cultures. In a joint pan-European effort comprehensive
safety standards have been established for railway signalling by the European Electrotechnical
Standardisation Committee CENELEC:

• EN 50126-1, Railway applications - The specification and demonstration of Reliability, Availability,
Maintainability and Safety (RAMS) - Part 1: Basic requirements and generic process

• EN 50128, Railway applications - Communications, signalling and processing systems - Software for
railway control and protection systems

• EN 50129, Railway applications - Communication, signalling and processing systems - Safety related
electronic systems for signalling

These CENELEC standards assume that safety relies both on adequate measures to prevent or tolerate
faults (as safeguards against systematic failure) and on adequate measures to control random failures.
Measures against both causes of failure should be balanced in order to achieve the optimum safety
performance of a system. To achieve this the concept of Safety Integrity Levels (SIL) is used. SILs are
used as a means of creating balance between measures to prevent systematic and random failures, as it
is agreed within CENELEC that it is not feasible to quantify systematic integrity.

A shortcoming of the CENELEC standards as of today is (similar as in other related standards like
1)
IEC 61508 [IEC] or ISA S84.01 [ISA]) that while the guidance on how to fulfil a particular SIL is quite
comprehensive the process and rules to derive SILs for system elements from system safety targets or
the tolerable system risk are not adequately covered. A general convincing solution to this problem is still
an open research problem, see [LM][ZD][YB2][GAM] for some divergent examples. However in order to
achieve cross-acceptance of safety cases and products for railway signalling applications it is necessary
to fill the gap.

This has been realized by SC 9XA in 1997 and consequently a working group has been set up in March
1998 in order to find a joint harmonized approach at least for railway signalling applications. This work
resulted in the publication of R009-004:2001, which is presently being converted into CLC/TR 50451.

Although the major driving forces behind this work were novel signalling applications which are required
to be interoperable throughout Europe, the scope and applicability of the approach presented in this
Technical Report should not be limited to signalling or interoperable applications.


1)
IEC 61508 series has been harmonized as EN 61508 series "Functional safety of electrical/electronic/programmable electronic
safety-related systems"

---------------------- Page: 9 ----------------------

SIST-TP CLC/TR 50451:2007
CLC/TR 50451:2007 - 8 -
1 Scope

The scope of this Technical Report is to define a method to determine the required Safety Integrity Level
of railway signalling equipment taking in consideration
• the operational conditions of the railway, and
• the architecture of the signalling system.

The following picture may be used in order to detail more precisely the scope of this Technical Report:

Unified Signalling Safety
Scope of WGA10 work Target
as agreed by SC9XA (individual average risk:
units D /(P h) )
SIG
Legend:
Type of operation
Death
Example parameters:
System
speed, train density .
SIGnalling
Person
hour
Hazard
wrong side failure
Specific Signalling Safety
Rate
Target (hazard rate :
units H /(S h) or
SIG
wsf /(S h) )
SIG
Signalling system
architecture and
functionality (normal,
fallback .)
Allocation to functions
and system elements
(apportionment)
SILs and
failure rates for system
elements. Result:
Element SIL FR
E x λ
1 1
1
...
E x λ
n n
n


Figure 1.1 - Scope of WG A10

From a mechanistic point of view the task of this Technical Report is to define a method of calculation,
which determines the integrity requirements (qualitatively and quantitatively) from the inputs stated above.

---------------------- Page: 10 ----------------------

SIST-TP CLC/TR 50451:2007
- 9 - CLC/TR 50451:2007
2 References

The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.

2.1 Normative references

EN 50121-5, Railway applications - Electromagnetic compatibility - Part 5: Emission and
immunity of fixed power supply installations and apparatus
[126] EN 50126-1:1999, Railway applications - The specification and demonstration of Reliability,
Availability, Maintainability and Safety (RAMS) – Part 1: Basic requirements and generic process
[128] EN 50128:2001, Railway applications - Communications, signalling and processing systems -
Software for railway control and protection systems
[129] EN 50129:2003, Railway applications - Communication, signalling and processing systems -
Safety related electronic systems for signalling

2.2 Informative references

[0056] UK Ministry of Defence, Safety Management Requirements for Defence Systems, Def Stan 00-56
[GAM] CASCADE: Generalised Assessment Method , Part II: Guidelines, ESPRIT 9032 report,
ref. CAS/IC/MK/D2.3.2/V3, 1996
[HK] Kumamotu, H. and Henley, E.: Probabilistic risk assessment and management for engineers and
scientists, IEEE Press, 1996
[IEC] Functional safety of electrical/electronic/programmable electronic safety-related systems,
IEC 61508 series
[ISA] ISA: Application of Safety Instrumented Systems for the Process Industries, ISA S84.01,
February 1996
[ISO] ISO/IEC: Information technology - System and software integrity levels, ISO/IEC 15026
[Lev95] Leveson, N. G.: Safeware - System safety and computers, Addison-Wesley, 1995
[LM] Lindsay, P. A. and McDermid, J. A.: A systematic approach to software safety integrity levels, in:
Peter Daniel (Ed.): SAFECOMP'97 , Springer Verlag, 1997, 70-82
[R01] Railway applications - Communication, signalling and processing systems - Hazardous failure
rates and Safety Integrity Levels (SIL), R009-001:1997
[RSH] Railway Signalling Hazards, Swedish National Rail Administration, Technical Report 1999:1
nd
[SAH] System Safety Analysis Handbook, 2 edition, System Safety Society, 1998
[VIL] Villemeur, A.: Reliability, Availability, Maintainability and Safety Assessment, Volume 1: Methods
and Techniques, Wiley, 1992
[YB2] Engineering Safety Management System, Issue 2.0, "Yellow Book", Railtrack, 1997
[ZD] Zerkani, H. and Dumolo, D.: System Safety Lifecycle Based on IEC 61508 and its Use for
th
Railway Applications, Proc. 16 International System Safety Conference, Sept. 14-19, 1998,
Seattle

---------------------- Page: 11 ----------------------

SIST-TP CLC/TR 50451:2007
CLC/TR 50451:2007 - 10 -
3 Definitions

For the purpose of this Technical Report, the following definitions apply. For terms not defined here, the
following references should be consulted in order of priority:
- IEC 60050-191, International Electrotechnical Vocabulary - Chapter 191: Dependability and quality of
service
- ISO 8402, Quality vocabulary
- ISO/IEC 2382, Information technology vocabulary

3.1
accident
an unintended event or series of events that results in death, injury, loss of a system or service, or
environmental damage (EN 50129)

3.2
apportionment
a process whereby the RAMS elements for a system are sub-divided between the various items which
comprise the system to provide individual targets (EN 50126-1)

3.3
can
is possible (EN 50129)

3.4
causal analysis
analysis of the reasons how and why a particular hazard may come into existence

3.5
collective risk
a risk which is related to a group of people

3.6
common cause failure
a failure which is the result of an event(s) which causes a coincidence of failure states of two or more
components leading to a system failing to perform its required function (EN 50126-1)

3.7
common-mode fault
fault common to items which are intended to be independent

3.8
consequence analysis
analysis of events which are likely to happen after a hazard has occurred

3.9
cross-acceptance
the status achieved by a product that has been accepted by one Authority to the relevant European
Standards and is acceptable to other Authorities without the necessity for further assessment (EN 50129)

---------------------- Page: 12 ----------------------

SIST-TP CLC/TR 50451:2007
- 11 - CLC/TR 50451:2007
3.10
dependent failure
the failure of a set of events; the probability of which cannot be expressed as the simple product of the
unconditional probabilities of the individual events (EN 50126-1)

3.11
diversity
a means of achieving all or part of the specified requirements in more than one independent and
dissimilar manner (EN 50129)

3.12
element
a part of a product that has been determined to be a basic unit or building block. An element may be
simple or complex

3.13
environment
the surrounding objects or region or circumstances which may influence the behaviour of the system and
or may be influenced by the system (EN 50121-5)

3.14
equipment
a functional physical item (EN 50129)

3.15
error
a deviation from the intended design which could result in unintended system behaviour or failure
(EN 50129)

3.16
failure
a deviation from the specified performance of a system. A failure is the consequence of an fault or error in
a system (EN 50129)

3.17
failure cause
the circumstances during design; manufacture or use which have led to a failure (EN 50126-1, [IEC])

3.18
failure mode
the predicted or observed results of a failure cause on a stated item in relation to the operating conditions
at the time of the failure (EN 50126-1, [IEC])

3.19
failure rate
the limit; if this exists; of the ratio of the conditional probability that the instant of time; T; of a failure of a
product falls within a given time interval (t+(t) and the length of this interval; (t; when (t tends towards
zero; given that the item is in an up state at the start of the time interval (EN 50126-1, [IEC])

---------------------- Page: 13 ----------------------

SIST-TP CLC/TR 50451:2007
CLC/TR 50451:2007 - 12 -
3.20
fault
an abnormal condition that could lead to an error in a system. A fault can be random or systematic
(EN 50126-1, [IEC])

3.21
fault detection time
time span which begins at the instant when a fault occurs and ends when the existence of the fault is
detected (EN 50129)

3.22
fault mode
one of the possible states of a faulty product for a given required function (EN 50126-1, [IEC])

3.23
fault tree analysis
an analysis to determine which fault modes of the product; sub-products or external events; or
combinations thereof; may result in a stated fault mode of the product; presented in the form of a fault
tree (EN 50126-1, [IEC])

3.24
FMEA
an acronym meaning Failure Modes and Effects Analysis. A qualitative method of reliability analysis
which involves the study of the fault modes which can exist in every sub-product of the product and the
determination of the effects of each fault mode on other sub-products of the product and on the required
functions of the product (EN 50126-1, [IEC])

3.25
function
a mode of action or activity by which a product fulfils its purpose (EN 50126-1, [IEC])

3.26
hazard
an object, condition or state that could lead to an accident [YB2].In the context of a system safety, a
hazard is an unprotected state of the system, which under certain external conditions leads to an accident

3.27
hazard identification
the process used to define potential hazards related to a system

3.28
hazard log
the document in which all safety management activities, hazards identified, decisions made and solutions
adopted, are recorded or referenced (EN 50126-1, [IEC])

3.29
human error
a human action (mistake), which can result in unintended system behaviour/failure (EN 50129)

---------------------- Page: 14 ----------------------

SIST-TP CLC/TR 50451:2007
- 13 - CLC/TR 50451:2007
3.30
independence (functional)
two items are functionally independent, if they do not have any common cause failures, neither
systematic nor random

3.31
independence (physical)
two items are physically independent, if they do not have any random common cause failures

3.32
independence (technical)
freedom from any mechanism which can affect the correct operation of more than one item (≠ EN 50129)

3.33
independence (human)
freedom from involvement in the same intellectual, commercial and/or management entity (EN 50129)

3.34
individual risk
a risk which is related to a single individual only (EN 50129)

3.35
item
element under consideration

3.36
loss analysis
analysis of safety, environmental or economical harm or damage

3.37
may
is permissible (EN 50129)

3.38
negation
enforcement of a safe state following detection of a hazardous fault (EN 50129)

3.39
negation time
time span which begins when the existence of a fault is detected and ends when a safe state is enforced
(EN 50129)

3.40
product
a collection of elements, interconnected to form a system, subsystem or item of equipment, in a manner
which meets the specified requirements (EN 50129)

3.41
railway authority
the body with the overall accountability to a Regulator for operating a railway system (EN 50126-1, [IEC])

---------------------- Page: 15 ----------------------

SIST-TP CLC/TR 50451:2007
CLC/TR 50451:2007 - 14 -
3.42
RAMS
an acronym meaning a combination of Reliability; Availability; Maintainability and Safety (EN 50126-1,
[IEC])

3.43
random failure integrity
the degree to which a system is free from hazardous random faults (EN 50129)

3.44
random fault
the occurrence of a fault based on probability theory and previous performance (≠ EN 50129)

3.45
random hardware failures
failures; occurring at random times; which result from a variety of degradation mechanisms in the
hardware (EN 50126-1, [IEC])

3.46
redundancy
the provision of one or more additional elements, usually identical, to achieve or maintain availability
under the failure of one or more of those elements (≠ EN 50129)

3.47
reliability
the probability that an item can perform a required function under given conditions for a given time
interval (t1; t2) (EN 50126-1, [IEC])

3.48
risk
likelihood of an event occurring and its consequences

3.49
Risk Analysis
systematic use of available information to estimate the likelihood and consequences of hazards

3.50
risk assessment
overall process of risk analysis and risk evaluation

3.51
risk aversion
the ambivalent attitude of society towards catastrophic outcomes. This may be taken into account by
additional risk aversion factors, which give a weight to avoidance of catastrophic outcomes

3.52
risk reduction
a process of selection and implementation of options that is applied to reduce either the likelihood or
consequences, or both, of a particular risk

---------------------- Page: 16 ----------------------

SIST-TP CLC/TR 50451:2007
- 15 - CLC/TR 50451:2007
3.53
safe state
a conditio
...