
SLOVENIAN STANDARD

SIST-TP CLC/TR 50451:2007


01-October-2007

Replaces: SIST R009-004:2002

Železniške naprave – Sistematična razporeditev zahtev varnostne integritete

Railway applications - Systematic allocation of safety integrity requirements

Bahnanwendungen – Systematische Zuordnung von Sicherheitsintegritätsanforderungen
Applications ferroviaires - Allocation systématique des exigences d'intégrité de la sécurité

This Slovenian standard is identical to: CLC/TR 50451:2007

iTeh STANDARD PREVIEW (standards.iteh.ai) SIST-TP CLC/TR 50451:2007
https://standards.iteh.ai/catalog/standards/sist/f9bb3c21-bb55-4cc9-8854-b04e3d766a9a/sist-tp-clc-tr-50451-2007

ICS: 45.020 Railway engineering in general

SIST-TP CLC/TR 50451:2007 en

2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.

TECHNICAL REPORT CLC/TR 50451
RAPPORT TECHNIQUE
TECHNISCHER BERICHT May 2007

ICS 45.020;93.100 Supersedes R009-004:2001

English version

Railway applications – Systematic allocation of safety integrity requirements

Applications ferroviaires – Allocation systématique des exigences d'intégrité de la sécurité

Bahnanwendungen – Systematische Zuordnung von Sicherheitsintegritätsanforderungen

This Technical Report was approved by CENELEC on 2006-02-18.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Cyprus, the
Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia,
Slovenia, Spain, Sweden, Switzerland and the United Kingdom.

CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung

Central Secretariat: rue de Stassart 35, B - 1050 Brussels

© 2007 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.

Ref. No. CLC/TR 50451:2007 E



CLC/TR 50451:2007 -2-

Foreword

This Technical Report was prepared by SC 9XA, Communication, signalling and processing systems, of
Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways.

The text of the draft was circulated for vote in accordance with the Internal Regulations, Part 2,
Subclause 11.4.3.3 and was approved by CENELEC as CLC/TR 50451 on 2006-02-18.

This Technical Report supersedes R009-004:2001.


__________


Contents

Executive summary ................................................................................................................................... 4


Introduction ............................................................................................................................................... 7
1 Scope ................................................................................................................................................ 8
2 References ........................................................................................................................................ 9
2.1 Normative references ................................................................................................................. 9
2.2 Informative references................................................................................................................ 9
3 Definitions ........................................................................................................................................ 10
4 Symbols and abbreviations .............................................................................................................. 17
5 Safety Integrity Levels allocation framework .................................................................................... 18
5.1 Prerequisites ............................................................................................................................ 18
5.2 Overview of the methodology ................................................................................................... 18
5.3 Definition of Safety Integrity Levels........................................................................................... 22
5.4 Qualitative vs quantitative methods .......................................................................................... 23
5.4.1 Qualitative assessment .................................................................................................. 23
5.4.2 Quantitative assessment ................................................................................................ 24
5.5 EN 50126-1 lifecycle context .................................................................................................... 25
6 System definition.............................................................................................................................. 27
7 Hazard identification ........................................................................................................................ 28
7.1 General principles .................................................................................................................... 28
7.2 Empirical hazard identification methods.................................................................................... 30
7.3 Creative hazard identification methods ..................................................................................... 30
7.4 Hazard ranking ......................................................................................................................... 31
7.5 Existing hazard lists .................................................................................................................. 31
8 Risk analysis.................................................................................................................................... 31
8.1 Risk tolerability ......................................................................................................................... 31
8.2 Determination of Tolerable Hazard Rate................................................................................... 32
8.2.1 Qualitative risk analysis ................................................................................................. 32
8.2.2 Quantitative risk analysis ................................................................................................ 34
8.2.3 GAMAB and similar approaches..................................................................................... 40
8.2.4 The MEM approach ........................................................................................................ 41
8.2.5 Other approaches........................................................................................................... 42
9 System design analysis.................................................................................................................... 42
9.1 Apportionment of safety integrity requirements to functions ...................................................... 43
9.1.1 Physical independence................................................................................................... 44
9.1.2 Functional independence ............................................................................................... 45
9.1.3 Process independence ................................................................................................... 46
9.2 Use of SIL tables ...................................................................................................................... 46
9.3 Identification and treatment of new hazards arising from design............................................... 47
9.4 Determination of function and subsystem SIL........................................................................... 48
9.5 Determination of safety integrity requirements for system elements ......................................... 50

Annex A Single-line signalling system example ...................................................................................... 52


Annex B Level crossing example............................................................................................................ 67
Annex C Comparison of demand and continuous mode ......................................................................... 77
Annex D Frequently asked questions ..................................................................................................... 87

Executive summary

This Technical Report presents a systematic methodology to determine safety integrity requirements for
railway signalling equipment, taking into account the operational environment and the architectural design
of the signalling system.

At the heart of this approach is a well defined interface between the operational environment and the
signalling system. From the safety point of view this interface is defined by a list of hazards and tolerable
hazard rates associated with the system. It should be noted that the purpose of this approach is not to
limit co-operation between suppliers and railway authorities but to clarify responsibilities and interfaces.

It is the task (summarized by the term Risk Analysis) of the Railway Authority
• to define the requirements of the railway system (independent of the technical realisation),
• to identify the hazards relevant to the system,
• to derive the tolerable hazard rates, and
• to ensure that the resulting risk is tolerable (with respect to the appropriate risk tolerability criteria).

Figure 0.1 - Global process overview
(figure not reproduced in this extract; recoverable box labels: Definition, System Design Analysis)

The only requirement is that the tolerable hazard rates must be derived taking into account the risk
tolerability criteria. Risk tolerability criteria are not defined by this Technical Report, but depend on
national or European legislative requirements.

Among the risk analysis methods two are proposed in order to estimate the individual risk explicitly, one
more qualitative, the other more quantitative. Other methods, similar to the GAMAB principle, do not
explicitly determine the resulting risks, but derive the tolerable hazard rates from comparison with the
performance of existing systems, either by statistical or analytical methods. Alternative qualitative
approaches are acceptable, if as a result they define a list of hazards and corresponding THR. The
specification of the system requirements comprising performance and safety (THR) terminates the
Railway Authority’s task.

Figure 0.2 - Example Risk Analysis process
(figure not reproduced in this extract; recoverable labels: System Definition, Near misses, with Target, System Design Analysis)

The supplier’s task (summarized by the term System Design Analysis) comprises
• definition of the system architecture,
• analysis of the causes leading to each hazard,
• determination of the safety integrity requirements (SIL and hazard rates) for the subsystems,
• determination of the reliability requirements for the equipment.

Causal analysis constitutes two key stages. In the first phase the tolerable hazard rate for each hazard is
apportioned to a functional level. Safety Integrity Levels (SIL) are defined at this functional level for the
subsystems implementing the functionality. The hazard rate for a subsystem is then translated to a SIL
using the SIL table.

During the second phase the hazard rates for subsystems are further apportioned, leading to failure rates
for the equipment, but at this physical implementation level the SIL remains unchanged. Consequently
the software SIL defined by EN 50128 is also the same as the subsystem SIL, apart from the
exceptions described in EN 50128.

The apportionment process may be performed by any method which allows a suitable representation of
the combination logic, e.g. reliability block diagrams, fault trees, binary decision diagrams, Markov models
etc. In any case particular care must be taken when independence of items is required. While in the first
phase of the causal analysis functional independence is required, physical independence is sufficient in
the second phase. Assumptions made in the causal analysis must be checked and may lead to safety-
relevant application rules for the implementation.
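The two phases described above, as an added example that is not code from the Technical Report: a small Python model apportions a constructed THR to functionally independent subsystems (alternative causes of the hazard, so their rates add up and must stay within the THR), translates each share into a SIL, and then apportions one subsystem's rate to its elements, which inherit the subsystem SIL unchanged even where an element's own rate would fall into a different band. The SIL table used is the EN 50129 one (THR bands per hour and function) and is an assumption here; the report's own table sits in clauses 5.3 and 9.2, which are not on this page. All hazard, subsystem and element names and rates are constructed sample data.

```python
"""Two-phase apportionment of a Tolerable Hazard Rate (THR).

Added illustration, not code from CLC/TR 50451. The SIL table is the EN 50129 one
(THR per hour and function) and is assumed here; the report's own table (clauses
5.3 and 9.2) is not on this page. All names and rates below are constructed.
"""
import math
from dataclasses import dataclass, field

# Assumed SIL table: THR band [lower, upper) in failures per hour -> SIL.
SIL_TABLE = ((1e-9, 1e-8, 4), (1e-8, 1e-7, 3), (1e-7, 1e-6, 2), (1e-6, 1e-5, 1))


def sil_for_rate(rate: float) -> int:
    """Translate a hazard rate (per hour) into a SIL with the assumed table.

    Rates of 1e-5/h or more carry no SIL requirement (0). Rates below 1e-9/h lie
    outside the table and are rejected: no single function is given more than SIL 4.
    """
    if rate < 1e-9:
        raise ValueError(f"{rate:g}/h is below the lowest SIL band")
    for low, high, sil in SIL_TABLE:
        if low <= rate < high:
            return sil
    return 0


def _within_budget(parts: float, budget: float) -> bool:
    """Apportioned rates may not exceed the budget (tolerant of float rounding)."""
    return parts <= budget or math.isclose(parts, budget, rel_tol=1e-9)


@dataclass
class Element:
    name: str
    failure_rate: float  # per hour (constructed)


@dataclass
class Subsystem:
    name: str
    hazard_rate: float  # share of the THR apportioned to this function, per hour
    functionally_independent: bool = True
    elements: list = field(default_factory=list)
    sil: int = 0  # set by phase 1


@dataclass
class Hazard:
    name: str
    thr: float  # tolerable hazard rate from the risk analysis, per hour
    subsystems: list = field(default_factory=list)


def phase1_functional(hazard: Hazard) -> dict:
    """Phase 1: apportion the THR to functions and translate each share to a SIL.

    Subsystems are modelled as alternative (OR) causes of the hazard, so their rates
    add up and the sum must stay within the THR. Adding them is only valid if they
    are functionally independent (no common-cause failures), so dependence is refused.
    """
    dependent = [s.name for s in hazard.subsystems if not s.functionally_independent]
    if dependent:
        raise ValueError(f"OR-combination not valid, not functionally independent: {dependent}")
    total = sum(s.hazard_rate for s in hazard.subsystems)
    if not _within_budget(total, hazard.thr):
        raise ValueError(f"apportioned rates {total:g}/h exceed THR {hazard.thr:g}/h")
    for s in hazard.subsystems:
        s.sil = sil_for_rate(s.hazard_rate)
    return {s.name: s.sil for s in hazard.subsystems}


def phase2_physical(subsystem: Subsystem) -> list:
    """Phase 2: apportion a subsystem's hazard rate to element failure rates.

    Physical independence of the elements suffices here. The SIL is not re-derived:
    each element inherits the subsystem SIL, whatever band its own rate falls into.
    """
    total = sum(e.failure_rate for e in subsystem.elements)
    if not _within_budget(total, subsystem.hazard_rate):
        raise ValueError(f"element rates {total:g}/h exceed subsystem rate {subsystem.hazard_rate:g}/h")
    return [(e.name, subsystem.sil, e.failure_rate) for e in subsystem.elements]


def sample_hazard() -> Hazard:
    """Constructed example: one hazard with THR 1e-6/h, shared by three functions."""
    return Hazard("H1 (constructed)", 1e-6, [
        Subsystem("Interlocking logic", 4e-8),
        Subsystem("Warning device control", 4e-7, elements=[
            Element("Output relay", 1e-7),
            Element("Controller board", 2e-7),
            Element("Field cabling", 5e-8),  # alone this rate sits in the SIL 3 band; inherits SIL 2
        ]),
        Subsystem("Power supply monitoring", 5e-7),
    ])
```

Running `phase1_functional(sample_hazard())` yields SIL 3 for the interlocking logic and SIL 2 for the other two functions; `phase2_physical` on the warning device control subsystem then assigns SIL 2 to all three of its elements, including the field cabling, whose 5e-8/h would map to SIL 3 if the table were applied again at element level, which is exactly what the text says must not happen.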

Figure 0.3 - Example System Design Analysis process
(figure not reproduced in this extract; recoverable labels: input "From Risk Analysis: list of hazards and THR"; "System architecture"; "Check independence assumptions"; example hazards with rates: "Late or no switch-in", "LC set back to normal position", "Undetected failure of power supply" 1E-7, "Undetected failure of road-side warnings" 1E-7, "Undetected failure of LC controller" 1E-7, "Undetected failure of switch-in function" 1E-7, "Undetected failure of distant signal" 7E-6, "Undetected failure of light signals" 7E-6, "Undetected failure of barriers" 7E-6; steps "Determine THR and SIL for subsystems (SIL table)" and "Apportion hazard rates to elements"; output "SIL and FR for elements")

Both the risk analysis and the system design analysis have to be approved by the Railway Safety
Authority.

However whilst the risk analysis may be carried out once at the railway level, the system design analysis
must be performed for every new architecture. It is prudent to review the risk analysis and system design
analysis when safety related changes are introduced.

Introduction
Historically the interoperability of European railways was not only hindered by incompatible technology
but also by different approaches towards safety. The common European market is the main driving force
behind the harmonisation of the different safety cultures. In a joint pan-European effort comprehensive
safety standards have been established for railway signalling by the European Electrotechnical
Standardisation Committee CENELEC:

• EN 50126-1, Railway applications - The specification and demonstration of Reliability, Availability,
Maintainability and Safety (RAMS) - Part 1: Basic requirements and generic process

• EN 50128, Railway applications - Communications, signalling and processing systems - Software for
railway control and protection systems

• EN 50129, Railway applications - Communication, signalling and processing systems - Safety related
electronic systems for signalling

These CENELEC standards assume that safety relies both on adequate measures to prevent or tolerate
faults (as safeguards against systematic failure) and on adequate measures to control random failures.
Measures against both causes of failure should be balanced in order to achieve the optimum safety
performance of a system. To achieve this the concept of Safety Integrity Levels (SIL) is used. SILs are
used as a means of creating balance between measures to prevent systematic and random failures, as it
is agreed within CENELEC that it is not feasible to quantify systematic integrity.

A shortcoming of the CENELEC standards as of today is (as in other related standards such as
IEC 61508 1) [IEC] or ISA S84.01 [ISA]) that while the guidance on how to fulfil a particular SIL is quite
comprehensive, the process and rules to derive SILs for system elements from system safety targets or
the tolerable system risk are not adequately covered. A general convincing solution to this problem is still
an open research problem, see [LM][ZD][YB2][GAM] for some divergent examples. However in order to
achieve cross-acceptance of safety cases and products for railway signalling applications it is necessary
to fill the gap.

This was recognised by SC 9XA in 1997, and consequently a working group was set up in March
1998 to find a joint harmonised approach, at least for railway signalling applications. This work
resulted in the publication of R009-004:2001, which is presently being converted into CLC/TR 50451.

Although the major driving forces behind this work were novel signalling applications which are required
to be interoperable throughout Europe, the scope and applicability of the approach presented in this
Technical Report should not be limited to signalling or interoperable applications.

1) The IEC 61508 series has been harmonized as the EN 61508 series "Functional safety of electrical/electronic/programmable electronic
safety-related systems".

1 Scope

The scope of this Technical Report is to define a method to determine the required Safety Integrity Level
of railway signalling equipment, taking into consideration
• the operational conditions of the railway, and
• the architecture of the signalling system.

The following picture may be used in order to detail more precisely the scope of this Technical Report:

Figure 1.1 - Scope of WG A10
(figure not reproduced in this extract; recoverable content: "Unified Signalling Safety Target (individual average risk; units D_SIG/(P h))"; "Scope of WGA10 work as agreed by SC9XA"; "Type of operation (example parameters: speed, train density ...)"; "Specific Signalling Safety Target (hazard rate; units H_SIG/(S h) or wsf_SIG/(S h))"; "Signalling system architecture and functionality (normal, fallback ...)"; "Allocation to functions and system elements (apportionment)"; "SILs and failure rates for system elements". Legend: D = Death, S = System, SIG = Signalling, P = Person, h = hour, H = Hazard, wsf = wrong side failure.)

Result:

Element   SIL   FR
E1        x1    λ1
...
En        xn    λn

From a mechanistic point of view the task of this Technical Report is to define a method of calculation,
which determines the integrity requirements (qualitatively and quantitatively) from the inputs stated above.

2 References

The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.

2.1 Normative references

EN 50121-5, Railway applications - Electromagnetic compatibility - Part 5: Emission and
immunity of fixed power supply installations and apparatus
[126] EN 50126-1:1999, Railway applications - The specification and demonstration of Reliability,
Availability, Maintainability and Safety (RAMS) – Part 1: Basic requirements and generic process
[128] EN 50128:2001, Railway applications - Communications, signalling and processing systems -
Software for railway control and protection systems
[129] EN 50129:2003, Railway applications - Communication, signalling and processing systems -
Safety related electronic systems for signalling

2.2 Informative references

[0056] UK Ministry of Defence, Safety Management Requirements for Defence Systems, Def Stan 00-56
[GAM] CASCADE: Generalised Assessment Method <GAM>, Part II: Guidelines, ESPRIT 9032 report,
ref. CAS/IC/MK/D2.3.2/V3, 1996
[HK] Kumamoto, H. and Henley, E.: Probabilistic risk assessment and management for engineers and
scientists, IEEE Press, 1996
[IEC] Functional safety of electrical/electronic/programmable electronic safety-related systems,
IEC 61508 series
[ISA] ISA: Application of Safety Instrumented Systems for the Process Industries, ISA S84.01,
February 1996
[ISO] ISO/IEC: Information technology - System and software integrity levels, ISO/IEC 15026
[Lev95] Leveson, N. G.: Safeware - System safety and computers, Addison-Wesley, 1995
[LM] Lindsay, P. A. and McDermid, J. A.: A systematic approach to software safety integrity levels, in:
Peter Daniel (Ed.): SAFECOMP'97 , Springer Verlag, 1997, 70-82
[R01] Railway applications - Communication, signalling and processing systems - Hazardous failure
rates and Safety Integrity Levels (SIL), R009-001:1997
[RSH] Railway Signalling Hazards, Swedish National Rail Administration, Technical Report 1999:1
[SAH] System Safety Analysis Handbook, 2nd edition, System Safety Society, 1998
[VIL] Villemeur, A.: Reliability, Availability, Maintainability and Safety Assessment, Volume 1: Methods
and Techniques, Wiley, 1992
[YB2] Engineering Safety Management System, Issue 2.0, "Yellow Book", Railtrack, 1997
[ZD] Zerkani, H. and Dumolo, D.: System Safety Lifecycle Based on IEC 61508 and its Use for
Railway Applications, Proc. 16th International System Safety Conference, Sept. 14-19, 1998,
Seattle

3 Definitions

For the purpose of this Technical Report, the following definitions apply. For terms not defined here, the
following references should be consulted in order of priority:
- IEC 60050-191, International Electrotechnical Vocabulary - Chapter 191: Dependability and quality of
service
- ISO 8402, Quality vocabulary
- ISO/IEC 2382, Information technology vocabulary

3.1
accident
an unintended event or series of events that results in death, injury, loss of a system or service, or
environmental damage (EN 50129)

3.2
apportionment
a process whereby the RAMS elements for a system are sub-divided between the various items which
comprise the system to provide individual targets (EN 50126-1)

3.3
can
is possible (EN 50129)

3.4
causal analysis
analysis of the reasons how and why a particular hazard may come into existence

3.5
collective risk
a risk which is related to a group of people

3.6
common cause failure
a failure which is the result of an event(s) which causes a coincidence of failure states of two or more
components leading to a system failing to perform its required function (EN 50126-1)

3.7
common-mode fault
fault common to items which are intended to be independent

3.8
consequence analysis
analysis of events which are likely to happen after a hazard has occurred

3.9
cross-acceptance
the status achieved by a product that has been accepted by one Authority to the relevant European
Standards and is acceptable to other Authorities without the necessity for further assessment (EN 50129)

3.10
dependent failure
the failure of a set of events; the probability of which cannot be expressed as the simple product of the
unconditional probabilities of the individual events (EN 50126-1)

3.11
diversity
a means of achieving all or part of the specified requirements in more than one independent and
dissimilar manner (EN 50129)

3.12
element
a part of a product that has been determined to be a basic unit or building block. An element may be
simple or complex

3.13
environment
the surrounding objects or region or circumstances which may influence the behaviour of the system and
or may be influenced by the system (EN 50121-5)

3.14
equipment
a functional physical item (EN 50129)

3.15
error
a deviation from the intended design which could result in unintended system behaviour or failure
(EN 50129)

3.16
failure
a deviation from the specified performance of a system. A failure is the consequence of a fault or error in
a system (EN 50129)

3.17
failure cause
the circumstances during design, manufacture or use which have led to a failure (EN 50126-1, [IEC])

3.18
failure mode
the predicted or observed results of a failure cause on a stated item in relation to the operating conditions
at the time of the failure (EN 50126-1, [IEC])

3.19
failure rate
the limit, if this exists, of the ratio of the conditional probability that the instant of time, T, of a failure of a
product falls within a given time interval (t, t+Δt) and the length of this interval, Δt, when Δt tends towards
zero, given that the item is in an up state at the start of the time interval (EN 50126-1, [IEC])
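Written as a formula (added here for clarity; not part of the Technical Report's text), with T the failure instant and Δt the interval length used in the definition above:

$$\lambda(t) = \lim_{\Delta t \to 0} \frac{\Pr\left(t < T \le t + \Delta t \;\middle|\; \text{item up at } t\right)}{\Delta t}$$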

3.20
fault
an abnormal condition that could lead to an error in a system. A fault can be random or systematic
(EN 50126-1, [IEC])

3.21
fault detection time
time span which begins at the instant when a fault occurs and ends when the existence of the fault is
detected (EN 50129)

3.22
fault mode
one of the possible states of a faulty product for a given required function (EN 50126-1, [IEC])

3.23
fault tree analysis
an analysis to determine which fault modes of the product, sub-products or external events, or
combinations thereof, may result in a stated fault mode of the product, presented in the form of a fault
tree (EN 50126-1, [IEC])

3.24
FMEA
an acronym meaning Failure Modes and Effects Analysis. A qualitative method of reliability analysis
which involves the study of the fault modes which can exist in every sub-product of the product and the
determination of the effects of each fault mode on other sub-products of the product and on the required
functions of the product (EN 50126-1, [IEC])

3.25
function
a mode of action or activity by which a product fulfils its purpose (EN 50126-1, [IEC])

3.26
hazard
an object, condition or state that could lead to an accident [YB2]. In the context of system safety, a
hazard is an unprotected state of the system which, under certain external conditions, leads to an accident

3.27
hazard identification
the process used to define potential hazards related to a system

3.28
hazard log
the document in which all safety management activities, hazards identified, decisions made and solutions
adopted, are recorded or referenced (EN 50126-1, [IEC])

3.29
human error
a human action (mistake), which can result in unintended system behaviour/failure (EN 50129)

3.30
independence (functional)
two items are functionally independent, if they do not have any common cause failures, neither
systematic nor random

3.31
independence (physical)
two items are physically independent, if they do not have any random common cause failures

3.32
independence (technical)
freedom from any mechanism which can affect the correct operation of more than one item (≠ EN 50129)

3.33
independence (human)
freedom from involvement in the same intellectual, commercial and/or management entity (EN 50129)

3.34
individual risk
a risk which is related to a single individual only (EN 50129)

3.35
item
element under consideration

3.36
loss analysis
analysis of safety, environmental or economical harm or damage

3.37
may
is permissible (EN 50129)

3.38
negation
enforcement of a safe state following detection of a hazardous fault (EN 50129)

3.39
negation time
time span which begins when the existence of a fault is detected and ends when a safe state is enforced
(EN 50129)

3.40
product
a collection of elements, interconnected to form a system, subsystem or item of equipment, in a manner
which meets the specified requirements (EN 50129)

3.41
railway authority
the body with the overall accountability to a Regulator for operating a railway system (EN 50126-1, [IEC])
