Guidance for Use of CSM Recommendation - ERA - Europa
European Railway Agency<br />
Collection of examples of risk assessments and of some possible tools<br />
supporting the CSM Regulation<br />
<br />
limits for safety integrity level 4. It may be possible to achieve designs of safety-related<br />
systems with lower values for the target failure measures for non-complex<br />
systems, but it is considered that the figures in the table represent the limit of what<br />
can be achieved for relatively complex systems (for example programmable electronic<br />
safety-related systems) at the present time."<br />
(b) EN 50129: "A function having quantitative requirements more demanding than 10<sup>-9</sup> h<sup>-1</sup><br />
shall be treated in one of the following ways:<br />
(1) if it is possible to divide the function into functionally independent sub-functions,<br />
the THR can be split between those sub-functions and a SIL assigned to each<br />
sub-function;<br />
(2) if the function cannot be divided, the measures and methods required for SIL 4<br />
shall, at least, be fulfilled and the function shall be used in combination with<br />
other technical or operational measures in order to achieve the necessary THR."<br />
A.3.1.9. All technical systems therefore need to limit their quantitative safety requirement to that figure. If<br />
a higher level of protection is needed, it cannot be achieved with only one system. The<br />
architecture of the system needs to be changed, for example by using two independent<br />
systems in parallel that cross-check each other before generating safe outputs. This,<br />
however, clearly increases the cost of developing the technical system.<br />
Remark: where existing functions, e.g. purely mechanical systems, may have achieved a<br />
higher level of integrity based on operational experience, the safety level may be<br />
described by a particular code of practice, or the safety requirements may be set by<br />
similarity analysis with the existing system. Within the scope of the CSM, the RAC-TS<br />
needs to be applied only if no code of practice and no reference system exist.<br />
A.3.1.10. The following can then be summarised:<br />
(a) according to the CENELEC 50 126, 50 128 and 50 129 standards, the systematic<br />
failures/errors in the development are not quantifiable;<br />
(b) the incidence of systematic failures/errors, as well as their residual risk, needs to be<br />
controlled and managed by the application of appropriate quality and safety processes that<br />
are compatible with the safety integrity level requested for the system under<br />
assessment;<br />
(c) the highest achievable safety integrity level is SIL 4, both for the random hardware<br />
failures and for the systematic failures/errors of technical systems;<br />
(d) this SIL 4 safety integrity level limit implies that the maximum tolerable hazard rate<br />
(THR) (i.e. the maximum failure rate) for technical systems also needs to be limited to<br />
10<sup>-9</sup> h<sup>-1</sup>.<br />
A.3.1.11. A tolerable hazard rate of 10<sup>-9</sup> h<sup>-1</sup> can be achieved by the technical system with either a<br />
"fail-safe architecture" (which by definition meets such a safety performance) or a "redundant<br />
architecture" (e.g. two independent processing channels cross-checking each other).<br />
For a redundant architecture, it can be shown that the overall wrong-side failure rate (Λ<sub>WSF</sub>) of the<br />
technical system is proportional to λ²·T where:<br />
(a) λ² represents the square of the wrong-side failure rate of one channel;<br />
[Figure 13: Redundant Architecture for a Technical System. Channel 1 (λ) and Channel 2 (λ) feed a Cross-Check with detection delay T; overall wrong-side failure rate Λ<sub>WSF</sub> = λ²·T.]<br />
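A numerical check of the λ²·T relation against the 10<sup>-9</sup> h<sup>-1</sup> limit, as an added example in Python that is not part of the ERA guidance; the per-channel rate, detection delay and required THR are constructed values, and the proportionality constant is assumed to be 1.<br />

```python
# Added worked example (not from the ERA guidance): the redundant-architecture
# relation Lambda_WSF ~ lambda^2 * T from A.3.1.11, checked against the
# 10^-9 h^-1 SIL 4 limit of A.3.1.10(d). All numeric inputs are constructed.

SIL4_THR_LIMIT = 1e-9  # h^-1: the lowest THR any one technical system may claim


def claimable_single_channel_rate(lam):
    """Wrong-side failure rate a single channel may claim.

    The guidance sets 10^-9 h^-1 as the floor for one system, so a channel
    whose computed rate is lower is still credited only with the limit.
    """
    return max(lam, SIL4_THR_LIMIT)


def wsf_rate_redundant(lam, detection_delay_h):
    """Wrong-side failure rate of two independent cross-checked channels.

    Implements Lambda_WSF = lambda^2 * T as drawn in Figure 13, taking the
    proportionality constant as 1 (assumption). Reading: the first channel
    fails at rate lambda, and a wrong-side output results only if the second
    channel also fails within the detection delay T, which has probability
    about lambda * T when lambda * T << 1.
    """
    if lam * detection_delay_h >= 0.1:
        raise ValueError("lambda*T too large for the small-probability approximation")
    return lam * lam * detection_delay_h


def architecture_meets_thr(lam, detection_delay_h, required_thr):
    """Return (single_ok, redundant_ok) for a required THR in h^-1."""
    single_ok = claimable_single_channel_rate(lam) <= required_thr
    redundant_ok = wsf_rate_redundant(lam, detection_delay_h) <= required_thr
    return single_ok, redundant_ok


if __name__ == "__main__":
    lam = 1e-6        # constructed per-channel wrong-side failure rate, h^-1
    required = 1e-10  # constructed requirement, more demanding than 10^-9 h^-1
    # T = 1 h: the cross-check reveals a channel failure quickly.
    # T = 1e4 h: the failure is revealed only at a long maintenance interval.
    for T in (1.0, 1e4):
        single_ok, redundant_ok = architecture_meets_thr(lam, T, required)
        print(f"T={T:g} h: single channel ok={single_ok}, redundant ok={redundant_ok}")
```

The run shows that the same two channels meet the requirement with a short detection delay but not with a long one, so the cross-check's detection delay T is as much a safety requirement as the per-channel rate λ.<br />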
<br />
Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 61 of 105<br />
File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc<br />
European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu