Guidance for Use of CSM Recommendation - ERA - Europa
European Railway Agency
Collection of examples of risk assessments and of some possible tools supporting the CSM Regulation

A.3.1.5. Similarly, according to the CENELEC standards, the integrity of the software of technical systems is not quantifiable. The CENELEC 50 128 standard provides guidance for the development process of safety related software as a function of the requested safety integrity level. That includes the design, verification, validation and quality assurance processes for the software.

A.3.1.6. According to the CENELEC 50 128 standard, for a programmable electronic control system implementing safety functions, the highest possible safety integrity level for the software development process is SIL 4, which corresponds to a quantitative tolerable hazard rate of 10⁻⁹ h⁻¹.

A.3.1.7. Therefore, as the systematic failures/errors cannot be quantified, they need instead to be managed qualitatively by putting in place quality and safety processes that are compatible with the safety integrity level required for the system under assessment:
(a) the purpose of the quality process is "to minimise the incidence of human errors at each stage in the life-cycle, and thus to reduce the risk of systematic faults in the system";
(b) the purpose of the safety process is "to reduce further the incidence of safety related human errors throughout the life-cycle and thus minimise the residual risk of safety related systematic faults."
Guidance for managing the incidence of systematic failures/errors, as well as guidance for possible design measures to protect against Common Cause/Mode Failures (CCF/CMF) and to ensure that the technical system enters a fail-safe state in case of such failures/errors, is provided in the following standards:
(a) the CENELEC 50 126-1 standard {Ref. 8} and its Guide 50 126-2 {Ref. 9} list the CENELEC 50 129 clauses and their applicability for documented evidence to systems other than signalling: see Table 9.1 in Guide 50 126-2 {Ref. 9}. This list provides a reference to the guidance on how to address both the faults coming from the system itself and the effect of the environment on the system under assessment.
For example, techniques/measures for design features are given in "Table E.5: Design features (referred to in 5.4)" of the CENELEC 50 129 standard {Ref. 7}, "for the avoidance and control of faults caused by:"
(1) "any residual design faults";
(2) "environmental conditions";
(3) "misuse or operating mistakes";
(4) "any residual faults in the software";
(5) "human factors".
Appendices D and E of the CENELEC 50 129 standard {Ref. 7} give techniques and measures for the avoidance of systematic faults and the control of random hardware and systematic failures/errors for safety related electronic systems in signalling. Many of them can be extended to systems other than signalling via a reference to these guidelines in Table 9.1 of Guide 50 126-2 {Ref. 9};
(b) the CENELEC 50 128 standard provides guidance for the development process of safety related software as a function of the safety integrity level (SIL 0 to SIL 4) that is requested for the software of the system under assessment.
A.3.1.8. The RAC-TS also represents the highest level of integrity that can be required according to both the CENELEC and IEC standards. For ease of reference, the requirements from IEC 61508-1 and CENELEC 50 129 are quoted:
(a) IEC 61508-1: "This standard sets a lower limit on the target failure measures, in a dangerous mode of failure, that can be claimed. These are specified as the lower

Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 60 of 105
File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc
European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu