1、PUBLISHED DOCUMENTPD CLC/TR 50506-1:2007Railway applications Communication, signalling and processing systems Application Guide for EN 50129 Part 1: Cross-acceptanceICS 93.100g49g50g3g38g50g51g60g44g49g42g3g58g44g55g43g50g56g55g3g37g54g44g3g51g40g53g48g44g54g54g44g50g49g3g40g59g38g40g51g55g3g36g54g3
2、g51g40g53g48g44g55g55g40g39g3g37g60g3g38g50g51g60g53g44g42g43g55g3g47g36g58PD CLC/TR 50506-1:2007This Published Document was published under the authority of the Standards Policy and Strategy Committee on 31 May 2007 BSI 2007ISBN 978 0 580 50824 0National forewordThis Published Document was publishe
3、d by BSI. It is the UK implementation of CLC/TR 50506-1:2007.The UK participation in its preparation was entrusted by Technical Committee GEL/9, Railway electrotechnical applications, to Subcommittee GEL/9/1, Signalling and communications.A list of organizations represented on this committee can be
4、obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.Amendments issued since publicationAmd. No. Date CommentsTECHNICAL REPORT CLC/TR 50506-1 RAPPORT TECHNIQUE TECHNISCHER BERIC
5、HT May 2007 CENELEC European Committee for Electrotechnical Standardization Comit Europen de Normalisation Electrotechnique Europisches Komitee fr Elektrotechnische Normung Central Secretariat: rue de Stassart 35, B - 1050 Brussels 2007 CENELEC - All rights of exploitation in any form and by any mea
6、ns reserved worldwide for CENELEC members. Ref. No. CLC/TR 50506-1:2007 E ICS 93.100 English version Railway applications - Communication, signalling and processing systems - Application Guide for EN 50129 - Part 1: Cross-acceptance This Technical Report was approved by CENELEC on 2007-01-16. CENELE
7、C members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia,
8、Slovenia, Spain, Sweden, Switzerland and the United Kingdom. Foreword This Technical Report was prepared by SC 9XA, Communication, signalling and processing systems, of Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways. The text of the draft was submitted to vote
9、 and was approved by CENELEC as CLC/TR 50506-1 on 2007-01-16. CLC/TR 50506-1:2007 2 Contents Introduction . 4 1 Scope. 4 2 Normative references . 4 3 Terms, definitions and abbreviated terms 5 3.1 Terms and definitions . 5 3.2 Abbreviated terms 5 4 Cross-acceptance. 7 4.1 General 7 4.2 Definition an
10、d importance of cross-acceptance 7 4.3 Lifecycle for cross-acceptance . 7 4.3.1 General 7 4.3.2 Specification 9 4.4 Cross-acceptance process . 9 4.4.1 The basic premise 9 4.4.2 Principles of cross-acceptance. 10 4.4.3 Safety cases for cross-acceptance. 14 4.4.4 Generic product / application safety c
11、ase for cross-acceptance . 14 4.4.5 Field testing . 15 4.4.6 Compliance report 15 Bibliography 16 Figures Figure 1 The role of assessor and developer in maintaining system requirements . 12 Figure 2 The three types of safety case involved in cross-acceptance process 14 Table Table 1 Lifecycle for cr
12、oss-acceptance of safety related/safety critical systems/products/equipment . 8 CLC/TR 50506-1:2007 3 Introduction EN 50129 was developed in CENELEC and is now regularly called up in specifications. In essence, it lists factors that influence RAMS (see EN 50126) and adopts a broad risk-management ap
13、proach to safety. EN 50129 is the basic standard for safety related electronic systems for signalling. Use of EN 50129 has enhanced the general understanding of the issues, but has also shown that items like cross-acceptance need further explanation and clarification. Therefore CENELEC decided to ad
14、dress those items in this application guide for cross-acceptance. 1 Scope This application guide for cross-acceptance is a Technical Report about the basic standard. It is applicable to the same systems and addresses the same audience as the standard itself. It provides additional information on the
15、 application of EN 50129 to cross-acceptance. Therefore it deals with the acceptance by a safety authority of a previously accepted system or product in a different environment and/or context, often referred to as cross-acceptance. It is mainly dedicated to safety assessors, safety authorities, vali
16、dators, and safety managers. In drafting this guide, it is assumed that the reader is familiar with the basic structure of the standard. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited appl
17、ies. For undated references, the latest edition of the referenced document (including any amendments) applies. NOTE Additional informative references are included in the bibliography. EN 50124-1, Railway applications - Insulation coordination - Part 1: Basic requirements - Clearances and creepage di
18、stances for all electrical and electronic equipment EN 50126, Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS) EN 50128, Railway applications - Communication, signalling and processing systems - Software for railway control an
19、d protection systems EN 50129, Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling EN 61508 series, Functional safety of electrical/electronic/programmable electronic safety-related systems (IEC 61508 series) EN/ISO 9001:2000, Qu
20、ality management systems Requirements (ISO 9001:2000) EN/ISO/IEC 17020, General criteria for the operation of various types of bodies performing inspection (ISO/IEC 17020) CLC/TR 50506-1:2007 4 3 Terms, definitions and abbreviated terms 3.1 Terms and definitions For the purposes of this document, th
21、e terms and definitions given in EN 50126, EN 50128, EN 50129 and the following apply. Other definitions not included in these documents have been added to eliminate any doubts regarding their interpretation. 3.1.1 generic application system with specific functions that are related to “a category of
22、 applications” associated with a general environmental and operational context, which is developed on the basis of criteria of standardization and parameterization of its elements, so as to render it serviceable for various tangible applications. By combining generic products or combining these with
23、 other generic applications, it is possible to obtain a new generic application 3.1.2 generic product component/product capable of performing certain functions, with a specific performance level, in the environmental and operational conditions stated in the reference specifications. It can be combin
24、ed with other products and generic applications to form other generic applications 3.1.3 specific application a specific application is used for only one particular installation 3.1.4 risk analysis identification of hazards associated with a product, process or system, scrutiny of their causes and s
25、ystematic determination of their consequences in an operational context. Risk analysis results in the identification of the nature of likely sources of harm arising from a product, process or system and their impact in terms of nature of likely accidents and the severity of harm caused 3.1.5 safety
26、analysis subset of risk analysis solely focused on hazards which have a potential for causing accidents which may cause harm to people 3.2 Abbreviated terms For the purposes of this document, the abbreviated terms used in EN 50126, EN 50128 and EN 50129 and the following apply. Other abbreviations n
27、ot included in these standards have been added to eliminate any doubts regarding their interpretation. CMP configuration management plan COTS commercial-off-the-shelf CRS customer requirements specification CTC centralised traffic control DRACAS data reporting and corrective action system FMECA fail
28、ure mode effects and criticality analysis FRACAS failure reporting and corrective actions system FTI formal technical inspection FTP field trial plan CLC/TR 50506-1:2007 5 FTR field trial report FPGA field programmable gate array HAZAN hazard analysis HAZOP hazard and operability study I/O input / o
29、utput IHA interface hazard analysis ISA independent safety assessor LRU line replaceable unit OSHA operation and system hazard analysis PCB printed circuit board PHA preliminary hazard analysis PLC programmable logic controller QAP quality assurance plan QMS quality management system RAM-P RAM-plan
30、SC safety case SAD system architecture description SADT structured analysis and design techniques SAP safety plan SEEA SW error effects analysis SHA system hazard analysis SRS system requirements specification SSHA subsystem hazard analysis SSRS subsystem requirements specification VAP validation pl
31、an VHDL VHSIC hardware description language VHSIC very high speed integrated circuit VLSI very large scale integration VTR validation test report Vcreate preliminaryhazard analysis(PHA) and hazard analysis(HAZ-AN) on the base ofCRSand riskanalysis.SRS,preliminaryhazard analysis,hazard analysis.Evalu
32、ation ofdifferencesEvaluation ofdifferencesbetween originallyapproved application and new customer application.Evaluation ofdifferencesbetween originallyapproved application and new customer application.Verification reportofspecification,updated hazard-log (ifidentified).Validation Assessor:assessva
33、lidation plan.Startsystemvalidation ofsystemrequirementspecification againstcustomer requirementspecification.Lifecycle;validationtestreport, fieldtrial report(post pilot). AssessmentAssessor:create assessmentreport;safetycase willbe examined byan assessor.Theresultofhis workwillbepresentedinanasses
34、sment report, formingthe background for the decision taken bythe railwayauthority.Assessmentofthe differences,the assessor mustbe familiarwith the operating conditions.Assessmentreport. Systemacceptance Systemacceptance;validation ofthe systemfollowingfindingsinriskanalysis;prepare testreportor/and
35、application safetycase,startpre-pilotphase.Applicationsafetycase, compliancereport, systemacceptancebycustomerandrailwayauthority.Operation and maintenance Operate and maintain the system;introduce a DRACASsystem.RAMS-demonstration Updatefieldtrialreport. Field trialreport(pre-pilot). CLC/TR 50506-1
36、:2007 8 4.3.2 Specification As with the original approval, a cross-acceptance approval is based on a specification prepared by the infrastructure owner or railway undertaking. This specification should normally contain details on the following key points: environmental conditions (climatic, mechanic
37、al, EMI, EMC, etc.), reliability and availability, safety target (THR), interfaces, functional requirements based on operational rules, operational limits and dimensions, non functional requirements (necessary documents, size, weight, etc.). In addition, all functional and safety requirements should
38、 be defined. The quoted safety target (THR = Tolerable Hazard Rates) should be calculated based on a risk analysis. The specification prepared by the infrastructure owner or railway undertaking will then form the basis for examining the differences between the originally approved system and the cros
39、s-acceptance system. 4.4 Cross-acceptance process A structured and risk based framework for cross-acceptance of product, system or process is developed in this guidance comprising seven core principles. The principles are universal and are particularly pertinent to safety critical systems where no s
40、ystematic and efficient framework for their adoption and application in new applications or environments exists. 4.4.1 The basic premise The cross-acceptance of a product, system or process is implicitly founded on a number of key assumptions and conditions namely a) the product, system or process h
41、as been specified, designed and developed by a competent, capable and reputable organisation, b) the product, system or process has been scrutinised, analysed and assessed through a rigorous process to assure its relevant safety, environmental and technical performance and this process has been docu
42、mented at an appropriate level of detail, c) the product, system or process has been evaluated for its compliance with regulatory requirements and best practice standards and codes of practice, d) the assessment has been peer reviewed and the product, system or process approved or certified by a rel
43、evant competent body or authority in its native environment implying tolerability of its risks subject to specified constraints and controls, e) the product, system or process has preferably got a demonstrable record of adequate verification, validation and testing or trouble free operation in its n
44、ative environment, f) the product, system or process has potential for a wider scope of application beyond its initial native environment either in its original state, or through small-scale redesign and adaptation, g) there is a perceived or real safety or environmental benefit or need in adapting
45、the product, system or process for use in new (target) environments, CLC/TR 50506-1:2007 9 h) there is an implicit or explicit record of the above conditions and assumptions which can be made available to relevant third parties as deemed appropriate. Even though not always stated, these conditions a
46、nd assumptions are required or perceived to hold true for the purpose of cross-acceptance. 4.4.2 Principles of cross-acceptance The framework for systematic cross-acceptance developed and proposed here essentially comprises 7 key principles as detailed below. a) Establish a credible case for the nat
47、ive (baseline) application b) Specify the target environment and application c) Identify the key differences between the target and native cases d) Specify the technical, operational and procedural adaptations required to cater for the differences e) Assess the risks arising from the differences f)
48、Produce a credible case for the adaptations adequately controlling the risks arising from the differences g) Develop a generic or specific cross-acceptance case a) Establish a credible case for the native (baseline) application Cross-acceptance is broadly applicable to generic product/system/process
49、 and generic application cases. In this spirit, specific applications require further scrutiny and justification. Cross-acceptance is essentially a differential case and requires a credible native (baseline) and a target environment and associated arguments for safety. 1) To construct a baseline, the product, system or process shall be specified and documented in its native environment including (whenever applicable) a record of technical, operational, environmental, quality and safety performance requirements including applicable rules and s
