Guidance for Use of CSM Recommendation - ERA - Europa
European Railway Agency
Collection of examples of risk assessments and of some possible tools supporting the CSM Regulation

C.13.2. In order to derive standard safety requirements for future electronic interlocking systems, Deutsche Bahn had conducted a risk analysis of an already approved electronic system. The latter system had been previously approved according to German codes of practice (Mü 8004).

C.13.3. The risk analysis was done in accordance with the CENELEC standards (EN 50126 and EN 50129), and included the following steps:
(a) system definition;
(b) hazard identification;
(c) hazard analysis and quantification.

C.13.4. For the system definition, care had been taken to define the boundaries of the system, its functions and its interfaces. The main challenge there was to define the system in such a way that it is independent from the internal architecture of an interlocking system while remaining compatible with existing interlocking systems. Particular attention was thus given to defining very clearly the interfaces with outside systems interacting with the interlocking, without detailing the inner functions of the interlocking.

C.13.5. The hazards were then identified only at the interfaces in order to remain generic (i.e. to avoid any dependency on specific architectures). Only hazards arising from technical faults were considered. For each interface, two generic hazards were thus identified:
(a) wrong output from the interlocking transmitted to the interface;
(b) (correct) input is corrupted at the interface.
More specific characteristics were then given to these generic hazards for each interface.

C.13.6. In the following phase, the contributions of the existing system's components to each identified hazard were analysed and assembled in a fault tree. This allowed, based on the estimated failure rates of the components, to calculate a rate of occurrence for each hazard, and to use those rates as Tolerable Hazard Rates (THR) for future generations of electronic interlocking.

C.13.7. The risk analysis was followed up and assessed by the national safety authority (EBA).

C.13.8. As part of the risk analysis, an analysis of the control and display functions in the electronic system was also conducted. Again an existing approved electronic interlocking system was taken as a reference in order to derive safety requirements for the Man-Machine-Interface (MMI) functions, both for controlling random failures and faults and for controlling systematic faults.

C.13.9. As a result the safety integrity levels (SILs) for different functions were determined: for MMI functions in standard operation, for MMI functions in Command-Release operation (degraded mode), and for display functionality.

C.13.10. This risk analysis was also followed up and assessed by the national safety authority (EBA).

C.13.11. Those risk assessment examples illustrate how the second risk acceptance principle (reference system) of the CSM can be used for deriving safety requirements for new systems. Furthermore they were based on the CENELEC standards and thus correspond well with the CSM process. The risk assessment in the examples fulfils the requirements of the CSM related to the phases that are covered. But as no design activity is included, there is neither a reference to hazard record management nor to the demonstration of compliance of the system under assessment with the identified safety requirements.

C.13.12. Further information on these risk analyses can be found in:
(a) Ziegler, P., Kupfer, L., Wunder, H.: "Erfahrungen mit der Risikoanalyse ESTW (DB AG)", Signal+Draht, 10, 2003, 10-15, and;
(b) Bock, H., Braband, J., and Harborth, M.: "Safety Assessment of Vital Control and Display Functions in Electronic Interlockings", in Proc. AAET2005 Automation, Assistance and Embedded Real Time Platforms for Transportation, GZVB, Braunschweig, 2005, 234-253.

Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 94 of 105 File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc
European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu

C.14. Example of an explicit risk acceptance criterion for FFB Radio-based Train Operation in Germany

C.14.1. Remark: this example of risk assessment was not produced as a result of the application of the CSM process; it was carried out before the existence of the CSM. The purpose of the example is:
(a) to identify the similarities between the existing risk assessment methods and the CSM process;
(b) to give traceability between the existing process and the one requested by the CSM;
(c) to provide justification of the added value of performing the additional steps (if any) required by the CSM.
It must be stressed that this example is given for information only. Its purpose is to help the reader understand the CSM process. But the example itself shall not be transposed to or used as a reference system for another significant change. The risk assessment shall be carried out for each significant change in compliance with the CSM Regulation.

C.14.2. A risk analysis in accordance with the CENELEC standards was carried out for a totally new operating procedure that had been envisaged (but never introduced) in Germany for conventional railway lines. The concept consisted in operating trains safely only through radio-based (route and train) control.

C.14.3. As there were no existing codes of practice (acknowledged engineering rules) or reference systems for such a new system, explicit risk estimation was conducted in order to demonstrate the safety of the new procedure. It was necessary to show that the level of risk to a passenger due to the new system would not exceed an acceptable risk value (explicit risk acceptance criterion). This explicit risk acceptance criterion was estimated on the basis of statistics of accidents in Germany that had been attributable to signalling and control systems, and its plausibility was also checked against the MEM criterion. Such a demonstration of safety conforms with the German EBO requirement of having "the same level of safety" in case of deviations from engineering rules. The risk analysis was also followed up and assessed by the national safety authority (EBA).

C.14.4. This risk assessment example shows how a global explicit criterion (for the third risk acceptance principle in the CSM) can be derived for new systems with no applicable codes of practice nor any reference system. The risk analysis that was subsequently carried out for the new system is based on the CENELEC standards and thus corresponds well with the CSM process. The risk assessment in the example fulfils the requirements of the CSM, but there is no reference to hazard record management nor to the demonstration of compliance of the system under assessment with the identified safety requirements.

C.14.5. Further information on this risk analysis can be found in: Braband, J., Günther, J., Lennartz, K., Reuter, D.: "Risikoakzeptanzkriterien für den FunkFahrBetrieb (FFB)", Signal + Draht, Nr. 5, 2001, 10-15.
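The C.13.6 to C.13.9 steps (fault tree of the approved reference system, hazard occurrence rate from component failure rates, that rate adopted as THR, SIL assignment) carried through in code, as an added example that is not part of the ERA guide or of the DB analysis; the component names, failure rates, detection time and tree layout are constructed, and the THR-to-SIL bands are those of EN 50129.

```python
# Added example (not from the ERA guide or the DB analysis): evaluate a small
# fault tree of an approved reference interlocking to get a hazard occurrence
# rate, reuse it as THR for a future design, and map it to an EN 50129 SIL band.
from dataclasses import dataclass

@dataclass
class Gate:
    kind: str      # "OR" or "AND" (AND restricted to two inputs here)
    inputs: list   # nested Gates or basic-event names (str)

def hazard_rate(node, rates, detect_h):
    """Per-hour rate of the event at `node` (rare-event approximations):
    basic event -> its constant failure rate; OR -> sum of input rates;
    AND -> second failure while the first is still undetected, which for a
    common detection/repair time T (hours) is about 2 * l1 * l2 * T."""
    if isinstance(node, str):
        return rates[node]
    r = [hazard_rate(i, rates, detect_h) for i in node.inputs]
    if node.kind == "OR":
        return sum(r)
    if node.kind == "AND" and len(r) == 2:
        return 2.0 * r[0] * r[1] * detect_h
    raise ValueError(f"unsupported gate {node.kind} with {len(r)} inputs")

def sil_band(thr):
    """EN 50129 THR (per hour) to SIL; 0 = no SIL requirement. Rates below
    1e-9/h also land in SIL 4 (to be apportioned over several functions)."""
    for upper, sil in ((1e-8, 4), (1e-7, 3), (1e-6, 2), (1e-5, 1)):
        if thr < upper:
            return sil
    return 0

# Constructed reference-system trees for the two generic interface hazards.
COMPONENT_RATES = {
    "cpu_channel_A": 1e-5, "cpu_channel_B": 1e-5,   # 2oo2 logic, mismatch -> safe side
    "output_driver_stuck": 3e-9,                    # a single driver can force the output
    "input_comparator": 5e-8, "telegram_codec": 2e-8,
}
REFERENCE_TREES = {
    "wrong_output_to_interface": Gate("OR", [
        Gate("AND", ["cpu_channel_A", "cpu_channel_B"]), "output_driver_stuck"]),
    "input_corrupted_at_interface": Gate("OR", ["input_comparator", "telegram_codec"]),
}

def derive_thrs(trees, rates, detect_h):
    """Hazard rates of the approved reference system, adopted as THRs."""
    return {h: hazard_rate(t, rates, detect_h) for h, t in trees.items()}

def meets_thr(estimated_rate, thr):
    """Acceptance check for a future design against the derived THR."""
    return estimated_rate <= thr
```

With a one-hour detection time, `derive_thrs(REFERENCE_TREES, COMPONENT_RATES, 1.0)` gives about 3.2e-9/h (SIL 4) for the wrong-output hazard and 7e-8/h (SIL 3) for the corrupted-input hazard; a future design whose estimated rate exceeds either value fails `meets_thr`.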