Guidance for Use of CSM Recommendation - ERA - Europa

European Railway Agency
Collection of examples of risk assessments and of some possible tools
supporting the CSM Regulation
(b) T represents the time necessary for one channel to detect the wrong side failure(s) of
the other channel. This is usually a multiple of the processing time/cycle of a channel.
Usually T is much less than 1 second.
A.3.1.12. Based on this formula (λ 2 *T), theoretically it can be demonstrated (considering only the
random hardware failures of the technical system – see also point A.3.1.13. in Appendix A)
that a 10 -9 h -1 quantitative requirement for the RAC-TS can be achieved. The systematic
failures/errors must be managed by a process: refer to point A.3.1.6. in Appendix A. For
example:
(a) with an MTBF of 10 000 hours for the reliability figure a channel, and the conservative
assumption that any channel failure is unsafe, the wrong side failure of the channel is
10 -4 h -1 ;
(b) even with a time of 10 minutes (i.e. 2*10 -3 hours) to detect the wrong side failure(s) of
the other channel, which is also a conservative assumption;
The overall wrong side failure Λ WSF 2 * 10 -10 h -1
A.3.1.13. In practice, for such a redundant architecture the evaluation of the quantitative overall wrong
side hardware failures needs to consider the measures that are taken in the design to protect
against the Common Cause/Mode Failures (CCF/CMF) and to ensure that the technical
system enters a fail-safe state in case of a CCF/CMF failure/error. This evaluation of overall
wrong side failure (Λ WSF ) needs thus also to consider:
(a) the components common to all channels, e.g. single or common inputs to all channels,
common power supply, comparators, voters, etc.;
(b) the time required to detect the dormant or latent failures. For complex technical
systems, this time can be higher by several orders of magnitude than 1 second;
(c) the impact of the Common Cause/Mode Failures (CCF/CMF).
Guidance on these topics can be found in standards that are recalled in point A.3.1.7. of
Appendix A of this document.
A.3.2.
A.3.2.1.
Flow chart for the applicability test of the RAC-TS
The way to apply the RAC-TS to hazards that arise from failures of technical systems can be
represented as shown in Figure 14.
A.3.2.2. The application of that flow chart on an example is provided in section C.15. of Appendix C.
A.3.3.
A.3.3.1.
Definition of a Technical System from the CSM
The RAC-TS applies to technical systems only. The following definition is provided for
"technical system" in Article 3(22) of the CSM Regulation:
„technical system‟ means a product or an assembly of products including the design,
implementation, and support documentation. The development of a technical system
starts with its requirements specification and ends with its acceptance. Although the
design of relevant interfaces with human behaviour is considered, human operators and
their actions are not included in a technical system. The maintenance process is described
in the maintenance manuals but is not itself part of the technical system.
Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 62 of 105
File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc
European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu