BS PD CLC TR 50451-2007 Railway applications — Systematic allocation of safety integrity《轨道交通 安全完整性要求的系统分配》.pdf

《BS PD CLC TR 50451-2007 Railway applications — Systematic allocation of safety integrity《轨道交通 安全完整性要求的系统分配》.pdf》由会员分享，可在线阅读，更多相关《BS PD CLC TR 50451-2007 Railway applications — Systematic allocation of safety integrity《轨道交通 安全完整性要求的系统分配》.pdf（90页珍藏版）》请在麦多课文档分享上搜索。

1、PUBLISHED DOCUMENT PD CLC/TR 50451:2007 Railway applications Systematic allocation of safety integrity requirements ICS 45.020; 93.100 Incorporating corrigendum December 2010PD CLC/TR 50451:2007 This Published Document was published under the authority of the Standards Policy and Strategy Committee

2、on 29 June 2007 BSI 2010 ISBN 978 0 580 7265 9 6 National foreword This Published Document is the UK implementation of CLC/TR 50451:2007. It supersedes PD R009-004:2001 which is withdrawn. The UK participation in its preparation was entrusted by Technical Committee GEL/9, Railway electrotechnical ap

3、plications, to Subcommittee GEL/9/1, Signalling and communications. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct applic

4、ation. Amendments/corrigenda issued since publicationDate Comments Error in pagination corrected 31 December 2010 TECHNICAL REPORT CLC/TR 50451 RAPPORT TECHNIQUE TECHNISCHER BERICHT May 2007 CENELEC European Committee for Electrotechnical Standardization Comit Europen de Normalisation Electrotechniq

5、ue Europisches Komitee fr Elektrotechnische Normung Central Secretariat: rue de Stassart 35, B - 1050 Brussels 2007 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members. Ref. No. CLC/TR 50451:2007 E ICS 45.020;93.100 Supersedes R009-004:2001English

6、 version Railway applications Systematic allocation of safety integrity requirements Applications ferroviaires Allocation systmatique des exigences dintgrit de la scurit Bahnanwendungen Systematische Zuordnung von Sicherheitsintegrittsanforderungen This Technical Report was approved by CENELEC on 20

7、06-02-18. CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Rom

8、ania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom. CLC/TR 50451:2007 - 2 - Foreword This Technical Report was prepared by SC 9XA, Communication, signalling and processing systems, of Technical Committee CENELEC TC 9X, Electrical and electronic applications for railways. The

9、 text of the draft was circulated for vote in accordance with the Internal Regulations, Part 2, Subclause 11.4.3.3 and was approved by CENELEC as CLC/TR 50451 on 2006-02-18. This Technical Report supersedes R009-004:2001. _ PD CLC/TR 5041:2007 - 3 - CLC/TR 50451:2007 Contents Executive summary . 4 I

10、ntroduction . 7 1 Scope 8 2 References 9 2.1 Normative references. 9 2.2 Informative references 9 3 Definitions 10 4 Symbols and abbreviations 17 5 Safety Integrity Levels allocation framework 18 5.1 Prerequisites 18 5.2 Overview of the methodology . 18 5.3 Definition of Safety Integrity Levels. 22

11、5.4 Qualitative vs quantitative methods 23 5.4.1 Qualitative assessment23 5.4.2 Quantitative assessment24 5.5 EN 50126-1 lifecycle context 25 6 System definition 27 7 Hazard identification 28 7.1 General principles 28 7.2 Empirical hazard identification methods 30 7.3 Creative hazard identification

12、methods. 30 7.4 Hazard ranking. 31 7.5 Existing hazard lists 31 8 Risk analysis 31 8.1 Risk tolerability. 31 8.2 Determination of Tolerable Hazard Rate. 32 8.2.1 Qualitative risk analysis . 32 8.2.2 Quantitative risk analysis 34 8.2.3 GAMAB and similar approaches. 40 8.2.4 The MEM approach 41 8.2.5

13、Other approaches. 42 9 System design analysis 42 9.1 Apportionment of safety integrity requirements to functions 43 9.1.1 Physical independence.44 9.1.2 Functional independence.45 9.1.3 Process independence . 46 9.2 Use of SIL tables 46 9.3 Identification and treatment of new hazards arising from de

14、sign. 47 9.4 Determination of function and subsystem SIL. 48 9.5 Determination of safety integrity requirements for system elements . 50 Annex A Single-line signalling system example 52 Annex B Level crossing example 67 Annex C Comparison of demand and continuous mode . 77 Annex D Frequently asked q

15、uestions . 87 PD CLC/TR 5041:2007CLC/TR 50451:2007 - 4 - Executive summary This Technical Report presents a systematic methodology to determine safety integrity requirements for railway signalling equipment, taking into account the operational environment and the architectural design of the signalli

16、ng system. At the heart of this approach is a well defined interface between the operational environment and the signalling system. From the safety point of view this interface is defined by a list of hazards and tolerable hazard rates associated with the system. It should be noted that the purpose

17、of this approach is not to limit co-operation between suppliers and railway authorities but to clarify responsibilities and interfaces. It is the task (summarized by the term Risk Analysis) of the Railway Authority to define the requirements of the railway system (independent of the technical realis

18、ation), to identify the hazards relevant to the system, to derive the tolerable hazard rates, and to ensure that the resulting risk is tolerable (with respect to the appropriate risk tolerability criteria). Figure 0.1 - Global process overview The only requirement is that the tolerable hazard rates

19、must be derived taking into account the risk tolerability criteria. Risk tolerability criteria are not defined by this Technical Report, but depend on national or European legislative requirements. Definition System Design Analysis PD CLC/TR 5041:2007 - 5 - CLC/TR 50451:2007 Among the risk analysis

20、methods two are proposed in order to estimate the individual risk explicitly, one more qualitative, the other more quantitative. Other methods, similar to the GAMAB principle, do not explicitly determine the resulting risks, but derive the tolerable hazard rates from comparison with the performance

21、of existing systems, either by statistical or analytical methods. Alternative qualitative approaches are acceptable, if as a result they define a list of hazards and corresponding THR. The specification of the system requirements comprising performance and safety (THR) terminates the Railway Authori

22、tys task. Figure 0.2 - Example Risk Analysis process The suppliers task (summarized by the term System Design Analysis) comprises definition of the system architecture, analysis of the causes leading to each hazard, determination of the safety integrity requirements (SIL and hazard rates) for the su

23、bsystems, determination of the reliability requirements for the equipment. SYS TEM D e fin itio n Near misses withTarget S yst em DE S IG N ANALYS IS PD CLC/TR 5041:2007CLC/TR 50451:2007 - 6 - Causal analysis constitutes two key stages. In the first phase the tolerable hazard rate for each hazard is

24、 apportioned to a functional level. Safety Integrity Levels (SIL) are defined at this functional level for the subsystems implementing the functionality. The hazard rate for a subsystem is then translated to a SIL using the SIL table. During the second phase the hazard rates for subsystems are furth

25、er apportioned leading to failure rates for the equipment, but at this physical implementation level the SIL remains unchanged. Consequently also the software SIL defined by EN 50128 would be the same as the subsystem SIL but for the exceptions described in EN 50128. The apportionment process may be

26、 performed by any method which allows a suitable representation of the combination logic, e.g. reliability block diagrams, fault trees, binary decision diagrams, Markov models etc. In any case particular care must be taken when independence of items is required. While in the first phase of the causa

27、l analysis functional independence is required, physical independence is sufficient in the second phase. Assumptions made in the causal analysis must be checked and may lead to safety- relevant application rules for the implementation. Figure 0.3 - Example System Design Analysis process Both, the ri

28、sk analysis and the system design analysis, have to be approved by the Railway Safety Authority. However whilst the risk analysis may be carried out once at the railway level, the system design analysis must be performed for every new architecture. It is prudent to review the risk analysis and syste

29、m design analysis when safety related changes are introduced. List of hazards and THR SIL table U nd etecte d failure of pow er s u pp ly L at e or no s w itch -i n U n det etc e d f a ilu re of roa d -side w ar ni ng s U n det ec ted fa i l u re of LC con tro l ler U nd etecte d fa il ure o f lig h

30、 t si gn al s U nd etected fa ilu re o f b ar ri e rs U n dete cted fa ilu re of sw itch -i n fun cti o n U n det e cted fai lute of dis tant sig n al L C set b ac k to n or m al p os i t i on 1E -7 1 E -7 1E -7 1E-7 1E-7 7E-6 7 E -6 Determine THR and SIL System architecture Apportion hazard rates t

31、o elements Check independence assumptions SIL and FR for elements Un det ected failure of power supply U ndetet ced f a i l ure of road-s i de wa r n i ngs Undetect ed failure o f L C c o n tr olle r Und etected failu re of light signals U ndet ected failure of barriers 1E-7 1E-7 1E-7 7E - 6 7E - 6S

32、IL and THR for subsystems From Risk Analysis PD CLC/TR 5041:2007 - 7 - CLC/TR 50451:2007 Introduction Historically the interoperability of European railways was not only hindered by incompatible technology but also by different approaches towards safety. The common European market is the main drivin

33、g force behind the harmonisation of the different safety cultures. In a joint pan-European effort comprehensive safety standards have been established for railway signalling by the European Electrotechnical Standardisation Committee CENELEC: EN 50126-1, Railway applications - The specification and d

34、emonstration of Reliability, Availability, Maintainability and Safety (RAMS) - Part 1: Basic requirements and generic process EN 50128, Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems EN 50129, Railway applications - Comm

35、unication, signalling and processing systems - Safety related electronic systems for signalling These CENELEC standards assume that safety relies both on adequate measures to prevent or tolerate faults (as safeguards against systematic failure) and on adequate measures to control random failures. Me

36、asures against both causes of failure should be balanced in order to achieve the optimum safety performance of a system. To achieve this the concept of Safety Integrity Levels (SIL) is used. SILs are used as a means of creating balance between measures to prevent systematic and random failures, as i

37、t is agreed within CENELEC that it is not feasible to quantify systematic integrity. A shortcoming of the CENELEC standards as of today is (similar as in other related standards like IEC 61508 1)IEC or ISA S84.01 ISA) that while the guidance on how to fulfil a particular SIL is quite comprehensive t

38、he process and rules to derive SILs for system elements from system safety targets or the tolerable system risk are not adequately covered. A general convincing solution to this problem is still an open research problem, see LMZDYB2GAM for some divergent examples. However in order to achieve cross-a

39、cceptance of safety cases and products for railway signalling applications it is necessary to fill the gap. This has been realized by SC 9XA in 1997 and consequently a working group has been set up in March 1998 in order to find a joint harmonized approach at least for railway signalling application

40、s. This work resulted in the publication of R009-004:2001, which is presently being converted into CLC/TR 50451. Although the major driving forces behind this work were novel signalling applications which are required to be interoperable throughout Europe, the scope and applicability of the approach

41、 presented in this Technical Report should not be limited to signalling or interoperable applications. 1)IEC 61508 series has been harmonized as EN 61508 series “Functional safety of electrical/electronic/programmable electronic safety-related systems“ PD CLC/TR 5041:2007CLC/TR 50451:2007 - 8 - 1 Sc

42、ope The scope of this Technical Report is to define a method to determine the required Safety Integrity Level of railway signalling equipment taking in consideration the operational conditions of the railway, and the architecture of the signalling system. The following picture may be used in order t

43、o detail more precisely the scope of this Technical Report: Type of operation Example parameters: speed, train density . Unified Signalling Safety Target (individual average risk: units D SIG /(P h) ) Specific Signalling Safety Target (hazard rate : units H SIG /(S h) or wsf SIG /(S h) ) Signalling

44、system architecture and functionality (normal, fallback .) Allocation to functions and system elements (apportionment) SILs and failure rates for system elements. Result: Element SIL FR E 1 x 1 1 . E n x n n Legend: Death System SIGnalling Person hour Hazard wrong side failure Rate Scope of WGA10 wo

45、rk as agreed by SC9XAFigure 1.1 - Scope of WG A10 From a mechanistic point of view the task of this Technical Report is to define a method of calculation, which determines the integrity requirements (qualitatively and quantitatively) from the inputs stated above. PD CLC/TR 5041:2007 - 9 - CLC/TR 504

46、51:2007 2 References The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. 2.1 Normative references EN

47、50121-5, Railway applications - Electromagnetic compatibility - Part 5: Emission and immunity of fixed power supply installations and apparatus 126 EN 50126-1:1999, Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS) Part 1: Basi

48、c requirements and generic process 128 EN 50128:2001, Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems 129 EN 50129:2003, Railway applications - Communication, signalling and processing systems - Safety related electronic

49、systems for signalling 2.2 Informative references 0056 UK Ministry of Defence, Safety Management Requirements for Defence Systems, Def Stan 00-56 GAM CASCADE: Generalised Assessment Method , Part II: Guidelines, ESPRIT 9032 report, ref. CAS/IC/MK/D2.3.2/V3, 1996 HK Kumamotu, H. and Henley, E.: Probabilistic risk assessment and management for engineers and scientists, IEEE Press, 1996 IEC Functional safety of electrical/electronic/pro