PUBLISHED DOCUMENT PD CLC/TR 50451:2007
Railway applications - Systematic allocation of safety integrity requirements
ICS 45.020; 93.100
Incorporating corrigendum December 2010

This Published Document was published under the authority of the Standards Policy and Strategy Committee on 29 June 2007.
BSI 2010
ISBN 978 0 580 7265 9 6

National foreword
This Published Document is the UK implementation of CLC/TR 50451:2007. It supersedes PD R009-004:2001, which is withdrawn. The UK participation in its preparation was entrusted by Technical Committee GEL/9, Railway electrotechnical applications, to Subcommittee GEL/9/1, Signalling and communications. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Amendments/corrigenda issued since publication
Date: 31 December 2010 - Comments: Error in pagination corrected

TECHNICAL REPORT CLC/TR 50451 - RAPPORT TECHNIQUE - TECHNISCHER BERICHT, May 2007
CENELEC - European Committee for Electrotechnical Standardization - Comité Européen de Normalisation Electrotechnique - Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: rue de Stassart 35, B-1050 Brussels
2007 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. CLC/TR 50451:2007 E
ICS 45.020; 93.100 - Supersedes R009-004:2001

English version
Railway applications - Systematic allocation of safety integrity requirements
Applications ferroviaires - Allocation systématique des exigences d'intégrité de la sécurité
Bahnanwendungen - Systematische Zuordnung von Sicherheitsintegritätsanforderungen

This Technical Report was approved by CENELEC on 2006-02-18.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom.

Foreword
This Technical Report was prepared by SC 9XA, Communication, signalling and processing systems, of Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways. The text of the draft was circulated for vote in accordance with the Internal Regulations, Part 2, Subclause 11.4.3.3 and was approved by CENELEC as CLC/TR 50451 on 2006-02-18. This Technical Report supersedes R009-004:2001.

Contents
Executive summary 4
Introduction 7
1 Scope 8
2 References 9
2.1 Normative references 9
2.2 Informative references 9
3 Definitions 10
4 Symbols and abbreviations 17
5 Safety Integrity Levels allocation framework 18
5.1 Prerequisites 18
5.2 Overview of the methodology 18
5.3 Definition of Safety Integrity Levels 22
5.4 Qualitative vs quantitative methods 23
5.4.1 Qualitative assessment 23
5.4.2 Quantitative assessment 24
5.5 EN 50126-1 lifecycle context 25
6 System definition 27
7 Hazard identification 28
7.1 General principles 28
7.2 Empirical hazard identification methods 30
7.3 Creative hazard identification methods 30
7.4 Hazard ranking 31
7.5 Existing hazard lists 31
8 Risk analysis 31
8.1 Risk tolerability 31
8.2 Determination of Tolerable Hazard Rate 32
8.2.1 Qualitative risk analysis 32
8.2.2 Quantitative risk analysis 34
8.2.3 GAMAB and similar approaches 40
8.2.4 The MEM approach 41
8.2.5 Other approaches 42
9 System design analysis 42
9.1 Apportionment of safety integrity requirements to functions 43
9.1.1 Physical independence 44
9.1.2 Functional independence 45
9.1.3 Process independence 46
9.2 Use of SIL tables 46
9.3 Identification and treatment of new hazards arising from design 47
9.4 Determination of function and subsystem SIL 48
9.5 Determination of safety integrity requirements for system elements 50
Annex A Single-line signalling system example 52
Annex B Level crossing example 67
Annex C Comparison of demand and continuous mode 77
Annex D Frequently asked questions 87

Executive summary
This Technical Report presents a systematic methodology to determine safety integrity requirements for railway signalling equipment, taking into account the operational environment and the architectural design of the signalling system. At the heart of this approach is a well defined interface between the operational environment and the signalling system. From the safety point of view this interface is defined by a list of hazards and tolerable hazard rates associated with the system. It should be noted that the purpose
of this approach is not to limit co-operation between suppliers and railway authorities but to clarify responsibilities and interfaces. It is the task (summarized by the term Risk Analysis) of the Railway Authority to define the requirements of the railway system (independent of the technical realisation), to identify the hazards relevant to the system, to derive the tolerable hazard rates, and to ensure that the resulting risk is tolerable (with respect to the appropriate risk tolerability criteria).

[Figure 0.1 - Global process overview: system definition, risk analysis, system design analysis]

The only requirement is that the tolerable hazard rates
must be derived taking into account the risk tolerability criteria. Risk tolerability criteria are not defined by this Technical Report, but depend on national or European legislative requirements.

Among the risk analysis methods two are proposed in order to estimate the individual risk explicitly, one more qualitative, the other more quantitative. Other methods, similar to the GAMAB principle, do not explicitly determine the resulting risks, but derive the tolerable hazard rates from comparison with the performance
of existing systems, either by statistical or analytical methods. Alternative qualitative approaches are acceptable if, as a result, they define a list of hazards and corresponding THR. The specification of the system requirements comprising performance and safety (THR) terminates the Railway Authority's task.

[Figure 0.2 - Example Risk Analysis process]

The supplier's task (summarized by the term System Design Analysis) comprises definition of the system architecture, analysis of the causes leading to each hazard, determination of the safety integrity requirements (SIL and hazard rates) for the subsystems, and determination of the reliability requirements for the equipment.

Causal analysis consists of two key stages. In the first phase the tolerable hazard rate for each hazard is apportioned to a functional level. Safety Integrity Levels (SIL) are defined at this functional level for the subsystems implementing the functionality. The hazard rate for a subsystem is then translated to a SIL using the SIL table. During the second phase the hazard rates for subsystems are further apportioned, leading to failure rates for the equipment, but at this physical implementation level the SIL remains unchanged. Consequently the software SIL defined by EN 50128 would also be the same as the subsystem SIL, but for the exceptions described in EN 50128. The apportionment process may be performed by any method which allows a suitable representation of the combination logic, e.g. reliability block diagrams, fault trees, binary decision diagrams, Markov models etc. In any case particular care must be taken when independence of items is required. While in the first phase of the causal analysis functional independence is required, physical independence is sufficient in the second phase. Assumptions made in the causal analysis must be checked and may lead to safety-relevant application rules for the implementation.

[Figure 0.3 - Example System Design Analysis process. From the Risk Analysis: a list of hazards and THR (undetected failure of power supply, late or no switch-in, undetected failure of road-side warnings, undetected failure of LC controller, undetected failure of light signals, undetected failure of barriers, undetected failure of switch-in function, undetected failure of distant signal, LC set back to normal position; THR values shown as 1E-7 and 7E-6). Steps: determine THR and SIL using the SIL table; system architecture; apportion hazard rates to elements; check independence assumptions; SIL and THR for subsystems; SIL and FR for elements.]

Both the risk analysis and the system design analysis have to be approved by the Railway Safety Authority. However, whilst the risk analysis may be carried out once at the railway level, the system design analysis must be performed for every new architecture. It is prudent to review the risk analysis and system design analysis when safety related changes are introduced.

Introduction
Historically the interoperability of European railways was hindered not only by incompatible technology but also by different approaches towards safety. The common European market is the main driving force behind the harmonisation of the different safety cultures. In a joint pan-European effort comprehensive safety standards have been established for railway signalling by the European Electrotechnical Standardisation Committee CENELEC:
EN 50126-1, Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS) - Part 1: Basic requirements and generic process
EN 50128, Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems
EN 50129, Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling

These CENELEC standards assume that safety relies both on adequate measures to prevent or tolerate faults (as safeguards against systematic failure) and on adequate measures to control random failures. Measures against both causes of failure should be balanced in order to achieve the optimum safety performance of a system. To achieve this the concept of Safety Integrity Levels (SIL) is used. SILs are used as a means of creating balance between measures to prevent systematic and random failures, as it is agreed within CENELEC that it is not feasible to quantify systematic integrity.

A shortcoming of the CENELEC standards as of today (similar to other related standards like IEC 61508 1) [IEC] or ISA S84.01 [ISA]) is that, while the guidance on how to fulfil a particular SIL is quite comprehensive, the process and rules to derive SILs for system elements from system safety targets or the tolerable system risk are not adequately covered. A generally convincing solution to this problem is still an open research problem; see LMZDYB2GAM for some divergent examples. However, in order to achieve cross-acceptance of safety cases and products for railway signalling applications it is necessary to fill the gap. This was realized by SC 9XA in 1997, and consequently a working group was set up in March 1998 in order to find a joint harmonized approach at least for railway signalling applications. This work resulted in the publication of R009-004:2001, which is presently being converted into CLC/TR 50451. Although the major driving forces behind this work were novel signalling applications which are required to be interoperable throughout Europe, the scope and applicability of the approach
presented in this Technical Report should not be limited to signalling or interoperable applications.

1) The IEC 61508 series has been harmonized as the EN 61508 series "Functional safety of electrical/electronic/programmable electronic safety-related systems".

1 Scope
The scope of this Technical Report is to define a method to determine the required Safety Integrity Level of railway signalling equipment, taking into consideration the operational conditions of the railway and the architecture of the signalling system. The following picture may be used in order to detail more precisely the scope of this Technical Report:

[Figure 1.1 - Scope of WG A10 (scope of WG A10 work as agreed by SC 9XA). Inputs: type of operation (example parameters: speed, train density ...); Unified Signalling Safety Target (individual average risk, units D_SIG/(P h)); Specific Signalling Safety Target (hazard rate, units H_SIG/(S h) or wsf_SIG/(S h)); signalling system architecture and functionality (normal, fallback ...). Allocation to functions and system elements (apportionment). Result: SILs and failure rates for system elements, tabulated as Element, SIL, FR for E_1 ... E_n. Legend: D = Death, SIG = Signalling system, P = Person, h = hour, H = Hazard, wsf = wrong side failure, R = Rate.]

From a mechanistic point of view the task of this Technical Report is to define a method of calculation which determines the integrity requirements (qualitatively and quantitatively) from the inputs stated above.

2 References
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

2.1 Normative references
EN 50121-5, Railway applications - Electromagnetic compatibility - Part 5: Emission and immunity of fixed power supply installations and apparatus
[126] EN 50126-1:1999, Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS) - Part 1: Basic requirements and generic process
[128] EN 50128:2001, Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems
[129] EN 50129:2003, Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling

2.2 Informative references
[0056] UK Ministry of Defence, Safety Management Requirements for Defence Systems, Def Stan 00-56
[GAM] CASCADE: Generalised Assessment Method, Part II: Guidelines, ESPRIT 9032 report, ref. CAS/IC/MK/D2.3.2/V3, 1996
[HK] Kumamoto, H. and Henley, E.: Probabilistic risk assessment and management for engineers and scientists, IEEE Press, 1996
[IEC] Functional safety of electrical/electronic/pro
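The two-phase causal analysis described in the Executive summary (a hazard's THR apportioned to subsystems, each subsystem hazard rate translated to a SIL using the SIL table, then further apportioned to equipment failure rates with the SIL unchanged), as an added Python example that is not part of this Technical Report. The SIL bands are assumed from the informative SIL table of EN 50129 (THR per hour per function), and the level-crossing hazard, subsystem and element names and apportionment weights are constructed for illustration.

```python
# Added example, not from CLC/TR 50451: THR apportionment over an OR-combination
# of causes and SIL assignment from a SIL table, for both causal-analysis phases.
# Assumption: the SIL bands below follow the informative SIL table of EN 50129
# (tolerable hazard rate per hour per function); check the edition you apply.
from typing import Dict, Tuple

SIL_TABLE = [  # (lower bound inclusive, upper bound exclusive, SIL)
    (1e-9, 1e-8, 4),
    (1e-8, 1e-7, 3),
    (1e-7, 1e-6, 2),
    (1e-6, 1e-5, 1),
]


def sil_for_rate(thr: float) -> int:
    """Translate a tolerable hazard rate (per hour) into a SIL; 0 = no SIL band."""
    if thr < 1e-9:
        # Below the SIL 4 band a single function cannot meet the target; the
        # architecture (e.g. independent redundancy) has to change instead.
        raise ValueError(f"THR {thr:g}/h is below the SIL 4 band")
    for lo, hi, sil in SIL_TABLE:
        if lo <= thr < hi:
            return sil
    return 0


def apportion(thr: float, weights: Dict[str, float]) -> Dict[str, float]:
    """Split a THR across causes combined by an OR gate (rates add up), so the
    weights must not sum to more than 1 or the hazard target would be exceeded."""
    total = sum(weights.values())
    if total > 1.0 + 1e-12:
        raise ValueError(f"weights sum to {total:.3f}; apportioned rates exceed THR")
    return {cause: thr * w for cause, w in weights.items()}


def phase1(thr: float, weights: Dict[str, float]) -> Dict[str, Tuple[float, int]]:
    """Phase 1: hazard rate and SIL per subsystem at the functional level."""
    return {s: (r, sil_for_rate(r)) for s, r in apportion(thr, weights).items()}


def phase2(sub_rate: float, sub_sil: int, weights: Dict[str, float]) -> Dict[str, Tuple[float, int]]:
    """Phase 2: failure rate per element; the SIL stays that of the subsystem."""
    return {e: (fr, sub_sil) for e, fr in apportion(sub_rate, weights).items()}


# Constructed level-crossing hazard (names and weights are illustrative only).
LC_THR = 1e-7  # tolerable rate for "undetected failure of LC controller"
SUBSYSTEMS = phase1(LC_THR, {"controller": 0.5, "barriers": 0.3, "light signals": 0.2})
ELEMENTS = phase2(*SUBSYSTEMS["controller"], {"cpu board": 0.6, "io board": 0.4})

if __name__ == "__main__":
    for name, (rate, sil) in {**SUBSYSTEMS, **ELEMENTS}.items():
        print(f"{name:14s} rate {rate:.1e}/h  SIL {sil}")
```

Independence between the OR-combined causes is assumed here; where the combination logic contains AND gates the rate arithmetic differs and the independence assumptions have to be checked as the report requires.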