PUBLISHED DOCUMENT PD CLC/TR 50451:2007

Railway applications - Systematic allocation of safety integrity requirements

ICS 45.020; 93.100

This Published Document was published under the authority of the Standards Policy and Strategy Committee on 29 June 2007. © BSI 2007. ISBN 978 0 580 52932 0

National foreword

This Published Document was published by BSI. It is the UK implementation of CLC/TR 50451:2007. It supersedes PD R009-004:2001, which is withdrawn. The UK participation in its preparation was entrusted by Technical Committee GEL/9, Railway electrotechnical applications, to Subcommittee GEL/9/1, Signalling and communications. A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Amendments issued since publication (Amd. No. / Date / Comments): none.

TECHNICAL REPORT CLC/TR 50451 - RAPPORT TECHNIQUE - TECHNISCHER BERICHT, May 2007

CENELEC, European Committee for Electrotechnical Standardization (Comité Européen de Normalisation Electrotechnique; Europäisches Komitee für Elektrotechnische Normung). Central Secretariat: rue de Stassart 35, B-1050 Brussels. © 2007 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members. Ref. No. CLC/TR 50451:2007 E. ICS 45.020; 93.100. Supersedes R009-004:2001.

English version: Railway applications - Systematic allocation of safety integrity requirements (French title: Applications ferroviaires - Allocation systématique des exigences d'intégrité de la sécurité; German title: Bahnanwendungen - Systematische Zuordnung von Sicherheitsintegritätsanforderungen).

This Technical Report was approved by CENELEC on 2006-02-18. CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom.

Foreword

This Technical Report was prepared by SC 9XA, Communication, signalling and processing systems, of Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways. The text of the draft was circulated for vote in accordance with the Internal Regulations, Part 2, Subclause 11.4.3.3 and was approved by CENELEC as CLC/TR 50451 on 2006-02-18. This Technical Report supersedes R009-004:2001.

Contents

Executive summary ... 4
Introduction ... 7
1 Scope ... 8
2 References ... 9
2.1 Normative references ... 9
2.2 Informative references ... 9
3 Definitions ... 10
4 Symbols and abbreviations ... 17
5 Safety Integrity Levels allocation framework ... 18
5.1 Prerequisites ... 18
5.2 Overview of the methodology ... 18
5.3 Definition of Safety Integrity Levels ... 22
5.4 Qualitative vs quantitative methods ... 23
5.4.1 Qualitative assessment ... 23
5.4.2 Quantitative assessment ... 24
5.5 EN 50126-1 lifecycle context ... 25
6 System definition ... 27
7 Hazard identification ... 28
7.1 General principles ... 28
7.2 Empirical hazard identification methods ... 30
7.3 Creative hazard identification methods ... 30
7.4 Hazard ranking ... 31
7.5 Existing hazard lists ... 31
8 Risk analysis ... 31
8.1 Risk tolerability ... 31
8.2 Determination of Tolerable Hazard Rate ... 32
8.2.1 Qualitative risk analysis ... 32
8.2.2 Quantitative risk analysis ... 34
8.2.3 GAMAB and similar approaches ... 40
8.2.4 The MEM approach ... 41
8.2.5 Other approaches ... 42
9 System design analysis ... 42
9.1 Apportionment of safety integrity requirements to functions ... 43
9.1.1 Physical independence ... 44
9.1.2 Functional independence ... 45
9.1.3 Process independence ... 46
9.2 Use of SIL tables ... 46
9.3 Identification and treatment of new hazards arising from design ... 47
9.4 Determination of function and subsystem SIL ... 48
9.5 Determination of safety integrity requirements for system elements ... 50
Annex A Single-line signalling system example ... 52
Annex B Level crossing example ... 67
Annex C Comparison of demand and continuous mode ... 77
Annex D Frequently asked questions ... 87

Executive summary

Among the risk analysis methods, two are proposed in order to estimate the individual risk explicitly, one more qualitative, the other more quantitative. Other methods, similar to the GAMAB
principle, do not explicitly determine the resulting risks but derive the tolerable hazard rates from comparison with the performance of existing systems, either by statistical or by analytical methods. Alternative qualitative approaches are acceptable if, as a result, they define a list of hazards and the corresponding THR. The specification of the system requirements, comprising performance and safety (THR), terminates the Railway Authority's task.

Figure 0.2 - Example Risk Analysis process (diagram not reproduced; labels visible in the extraction: System Definition, Near misses, Target, System Design Analysis)

The supplier's task (summarized by the term System Design Analysis) comprises definition of the system architecture, analysis of the causes leading to each hazard, determination of the safety integrity requirements (SIL and hazard rates) for the subsystems, and determination of the reliability requirements for the equipment.

Causal analysis consists of two key stages. In the first phase the tolerable hazard rate for each hazard is apportioned to a functional level. Safety Integrity Levels (SIL) are defined at this functional level for the subsystems implementing the functionality: the hazard rate for a subsystem is translated to a SIL using the SIL table. During the second phase the hazard rates for subsystems are further apportioned, leading to failure rates for the equipment, but at this physical implementation level the SIL remains unchanged. Consequently the software SIL defined by EN 50128 would also be the same as the subsystem SIL, apart from the exceptions described in EN 50128. The apportionment may be performed by any method which allows a suitable representation of the combination logic, e.g. reliability block diagrams, fault trees, binary decision diagrams, Markov models etc. In any case particular care must be taken where independence of items is required: while in the first phase of the causal analysis functional independence is required, physical independence is sufficient in the second phase. Assumptions made in the causal analysis must be checked and may lead to safety-relevant application rules for the implementation.

Figure 0.3 - Example System Design Analysis process

Both the risk analysis and the system design analysis have to be approved by the Railway Safety Authority. However, whilst the risk analysis may be carried out once at the railway level, the system design analysis must be performed for every new architecture. It is prudent to review the risk analysis and the system design analysis whenever safety-related changes are introduced.
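The two-phase causal analysis described above (THR apportioned to functions, SIL read from the SIL table, rates apportioned again to equipment with the SIL left unchanged, independence checked wherever redundancy is credited), worked through in Python. This is an added example and is not part of the Technical Report: the level-crossing hazard, the function and equipment names, the rates and the weights are constructed; the SIL bands are those of the SIL table in EN 50129 (10^-9 to 10^-8 per hour for SIL 4 down to 10^-6 to 10^-5 per hour for SIL 1); the two-channel redundancy formula is the usual constant-failure-rate approximation for two repairable channels; and `Node`, `apportion_or` and the other names are this example's own.

```python
"""Two-phase apportionment of a Tolerable Hazard Rate (THR) with SIL assignment.

Added worked example, not taken from CLC/TR 50451: hazard names, rates and weights
are constructed. The THR-to-SIL bands are those of the SIL table in EN 50129.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# EN 50129 SIL table: THR per hour -> SIL (lower bound inclusive, upper exclusive).
SIL_TABLE: List[Tuple[float, float, int]] = [
    (1e-9, 1e-8, 4), (1e-8, 1e-7, 3), (1e-7, 1e-6, 2), (1e-6, 1e-5, 1),
]

def sil_from_thr(thr: float) -> int:
    """SIL of a function whose tolerable hazard rate is `thr` (per hour).
    1e-5/h or more lies above the SIL 1 band and gets no SIL (0). Below 1e-9/h no
    single function can carry the rate; the architecture (redundancy) must provide it."""
    if thr < 1e-9:
        raise ValueError(f"THR {thr:.1e}/h is below the SIL 4 band")
    for lo, hi, sil in SIL_TABLE:
        if lo <= thr < hi:
            return sil
    return 0

@dataclass
class Node:
    """Causal-logic (fault tree) node. Leaves are functions in phase 1 and equipment
    in phase 2. Children combine by OR (any failure causes the hazard) or by AND
    (all must fail), the latter only creditable with an independence argument."""
    name: str
    weight: float = 1.0            # share of the parent's budget in an OR split
    gate: str = "OR"
    children: List["Node"] = field(default_factory=list)
    independent: bool = True       # AND gates: independence argument available?
    detection_h: float = 1.0       # AND gates: hours a failed channel stays undetected

def apportion_or(budget: float, children: List[Node]) -> Dict[str, float]:
    """Top-down split of a rate budget over OR-combined children, by weight.
    Under OR the children's rates add, so the shares sum back to the budget."""
    total = sum(c.weight for c in children)
    return {c.name: budget * c.weight / total for c in children}

def phase1_functions(thr: float, functions: List[Node]) -> Dict[str, Tuple[float, int]]:
    """Phase 1: apportion the hazard's THR to functions; read each SIL from the table."""
    return {n: (r, sil_from_thr(r)) for n, r in apportion_or(thr, functions).items()}

def phase2_elements(func_rate: float, func_sil: int,
                    elements: List[Node]) -> Dict[str, Tuple[float, int]]:
    """Phase 2: apportion a function's rate to its equipment as failure-rate budgets.
    The SIL is inherited from the function and deliberately not re-read from the table."""
    return {n: (r, func_sil) for n, r in apportion_or(func_rate, elements).items()}

def evaluate(node: Node, leaf_rates: Dict[str, float]) -> float:
    """Bottom-up hazard rate of `node` (per hour) from the leaf failure rates."""
    if not node.children:
        return leaf_rates[node.name]
    rates = [evaluate(c, leaf_rates) for c in node.children]
    if node.gate == "OR":
        return sum(rates)
    if node.gate == "AND":
        if len(node.children) != 2:
            raise ValueError("AND gate modelled for two channels only")
        if not node.independent:
            # No independence argument: a common cause may fail both channels at
            # once, so the redundancy is not credited at all.
            return max(rates)
        a, b = node.children
        # Two independent repairable channels, constant failure rates: frequency of
        # both being failed together ~= la*lb*(Ta + Tb), T = undetected time per channel.
        return rates[0] * rates[1] * (a.detection_h + b.detection_h)
    raise ValueError(f"unknown gate {node.gate!r}")

def level_crossing_example() -> Dict[str, object]:
    """Constructed hazard: crossing reported protected while road users are not warned."""
    thr = 1e-7                                             # per hour, from the risk analysis
    functions = [Node("detect_train"), Node("activate_warning")]
    p1 = phase1_functions(thr, functions)                  # 5e-8/h each -> SIL 3
    rate, sil = p1["activate_warning"]
    elements = [Node("lc_controller", weight=9), Node("road_lights", weight=1)]
    p2 = phase2_elements(rate, sil, elements)              # 4.5e-8/h and 5e-9/h, both SIL 3
    # (5e-9/h alone would read as SIL 4; the element keeps the function's SIL 3.)
    tree = Node("hazard", children=[functions[0], Node("activate_warning", children=elements)])
    leaf_rates = {"detect_train": p1["detect_train"][0], **{n: r for n, (r, _) in p2.items()}}
    return {"phase1": p1, "phase2": p2, "rebuilt_rate": evaluate(tree, leaf_rates), "thr": thr}

def redundancy_check() -> Dict[str, float]:
    """Train detection by two 1e-6/h channels, with and without an independence argument."""
    channels = [Node("track_circuit"), Node("axle_counter")]
    leaf_rates = {"track_circuit": 1e-6, "axle_counter": 1e-6}
    return {
        "independent": evaluate(Node("detect_train", gate="AND", children=channels), leaf_rates),
        "common_cause": evaluate(Node("detect_train", gate="AND", children=channels,
                                      independent=False), leaf_rates),
    }
```

The point the passage makes, and the code enforces, is that `phase2_elements` never calls `sil_from_thr`: the 5e-9/h budget for the road lights would read as SIL 4 if the table were re-applied at equipment level, but the element keeps the SIL 3 of the function it implements. `redundancy_check` shows why the independence assumption has to be checked and recorded as an application rule: crediting two 1e-6/h channels as independent gives 2e-12/h, whereas a possible common cause leaves the function at 1e-6/h, an order of magnitude above the constructed THR.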
Figure 0.3 (diagram not reproduced). Labels recoverable from the extraction: from the risk analysis come the list of hazards and THR and the SIL table; the process boxes are "Determine THR and SIL", "System architecture", "Apportion hazard rates to elements" and "Check independence assumptions"; the outputs are "SIL and THR for subsystems" and "SIL and FR for elements". The level crossing fault tree shown has the top hazard "LC set back to normal position" with the causes: undetected failure of power supply, late or no switch-in, undetected failure of road-side warnings, undetected failure of LC controller, undetected failure of light signals, undetected failure of barriers, undetected failure of switch-in function, undetected failure of distant signal; the rates shown against the boxes are 1E-7 and 7E-6 per hour.

Introduction
Historically the interoperability of European railways was hindered not only by incompatible technology but also by different approaches towards safety. The common European market is the main driving force behind the harmonisation of the different safety cultures. In a joint pan-European effort comprehensive safety standards have been established for railway signalling by the European Electrotechnical Standardisation Committee CENELEC:

- EN 50126-1, Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS) - Part 1: Basic requirements and generic process
- EN 50128, Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems
- EN 50129, Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling

These CENELEC standards assume that safety relies both on adequate measures to prevent or tolerate faults (as safeguards against systematic failure) and on adequate measures to control random failures. Measures against both causes of failure should be balanced in order to achieve the optimum safety performance of a system. To achieve this the concept of Safety Integrity Levels (SIL) is used. SILs are used as a means of creating balance between measures against systematic and random failures, as it is agreed within CENELEC that it is not feasible to quantify systematic integrity.

A shortcoming of the CENELEC standards as of today (as of other related standards such as IEC 61508 [IEC] (1) or ISA S84.01 [ISA]) is that, while the guidance on how to fulfil a particular SIL is quite comprehensive, the process and rules for deriving SILs for system elements from system safety targets or from the tolerable system risk are not adequately covered. A generally convincing solution to this problem is still an open research question; see [LM], [ZD], [YB2] and [GAM] for some divergent examples. However, in order to achieve cross-acceptance of safety cases and products for railway signalling applications it is necessary to fill the gap. This was realised by SC 9XA in 1997, and consequently a working group was set up in March 1998 in order to find a joint harmonised approach, at least for railway signalling applications. This work resulted in the publication of R009-004:2001, which is presently being converted into CLC/TR 50451. Although the major driving forces behind this work were novel signalling applications which are required to be interoperable throughout Europe, the scope and applicability of the approach presented in this Technical Report should not be limited to signalling or to interoperable applications.

(1) The IEC 61508 series has been harmonized as the EN 61508 series, "Functional safety of electrical/electronic/programmable electronic safety-related systems".

1 Scope

The scope of this Technical Report is to define a method to determine the required Safety Integrity Level of railway signalling equipment, taking into consideration the operational conditions of the railway and the architecture of the signalling system. The following picture may be used in order to detail more precisely the scope of this Technical Report:

Figure 1.1 - Scope of WG A10 (diagram not reproduced). The chain of boxes recoverable from the labels:
- Type of operation (example parameters: speed, train density, ...)
- Unified Signalling Safety Target (individual average risk; units D_SIG/(P h))
- Specific Signalling Safety Target (hazard rate; units H_SIG/(S h) or wsf_SIG/(S h))
- Signalling system architecture and functionality (normal, fallback, ...)
- Allocation to functions and system elements (apportionment)
- SILs and failure rates for system elements. Result: a table of elements E1 ... En, each with its SIL and failure rate (FR)
Legend: D = Death, S = System, SIG = Signalling, P = Person, h = hour, H = Hazard, wsf = wrong side failure, R = Rate. A further label reads "Scope of WG A10 work as agreed by SC 9XA".

From a mechanistic point of view the task of this Technical Report is to define a method of calculation which determines the integrity requirements (qualitatively and quantitatively) from the inputs stated above.

2 References

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

2.1 Normative references

EN 50121-5, Railway applications - Electromagnetic compatibility - Part 5: Emission and immunity of fixed power supply installations and apparatus
[126] EN 50126-1:1999, Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS) - Part 1: Basic requirements and generic process
[128] EN 50128:2001, Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems
[129] EN 50129:2003,
Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling

2.2 Informative references

[0056] UK Ministry of Defence: Safety Management Requirements for Defence Systems, Def Stan 00-56
[GAM] CASCADE: Generalised Assessment Method, Part II: Guidelines, ESPRIT 9032 report, ref. CAS/IC/MK/D2.3.2/V3, 1996
[HK] Kumamoto, H. and Henley, E.: Probabilistic risk assessment and management for engineers and scientists, IEEE Press, 1996
[IEC] Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC 61508 series
[ISA] ISA: Application of Safety Instrumented Systems for the Process Industries, ISA S84.01, February 1996
[ISO] ISO/IEC: Information technology - System and software integrity levels, ISO/IEC 15026
[Lev95] Leveson, N. G.: Safeware - System safety and computers, Addison-Wesley, 1995
[LM] Lindsay, P. A. and McDermid, J. A.: A systematic approach to software safety integrity levels, in: Peter Daniel (Ed.): SAFECOMP 97, Springer Verlag, 1997, 70-82
[R01] Railway applications - Communication, signalling and processing systems - Hazardous failure rates and Safety Integrity Levels (SIL), R009-001:1997
[RSH] Railway Signalling Hazards, Swedish National Rail Administration, Technical Report 1999:1
[SAH] System Safety Analysis Handbook, 2nd edition, System Safety Society, 1998
[VIL] Villemeur, A.: Reliability, Availability, Maintainability and Safety Assessment, Volume 1: Methods and Techniques, Wiley, 1992
[YB2] Engineering Safety Management System, Issue 2.0, "Yellow Book", Railtrack, 1997
[ZD] Zerkani, H. and Dumolo, D.: System Safety Lifecycle Based on IEC 61508 and its Use for Railway Applications, Proc. 16th International System Safety Conference, Sept. 14-19, 1998, Seattle

3 Definitions

For the purpose of this Technical Report, the following definitions apply. For terms not defined here, the following references should be consulted in order of priority:
- IEC 60050-191, International Electrotechnical Vocabulary - Chapter 191: Dependability and quality of service
- ISO 8402, Quality vocabulary
- ISO/IEC 2382, Information technology vocabulary

3.1 accident
an unintended event or series of events that results in death, injury, loss of a system or service, o