Post on 03-Mar-2021
SiT Workshop - Braunschweig, 16/17 November 2015
CENELEC - SC9XA WGA15: Maintenance of EN 50129
Attilio Ciancabilla
WGA15 – maintenance of EN 50129
A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015
Agenda (figure): 50129 - state of the art and maintenance; similarities with 50126; EU Reg. 402; AsBo and ISA; targets and SILs
50129 – state of the art
[Timeline figure, 1997 to 2016: EN 50126:1999, EN 50128:2001, EN 50129:2003, EN 50128:2011, TR 50126-2 (guide), TR 50451 (allocation of SIL), TR 50506-1 (cross-acceptance), TR 50506-2 (safety assurance); groups shown: TC9X, SC9XA, WG14, WG21, and WGA15 for the maintenance of 50129]

WGA15 - schedule
50129 - the current structure

EN 50129:2003:
- Clause 1 Scope
- Clause 2 References
- Clause 3 Definitions
- Clause 4 Overview
- Clause 5 Safety case (5.1 to 5.5)
- Annex A SIL
- Annex B Technical safety report (B.1 to B.6)
- Annex C Hardware failures
- Annex D Fault analysis
- Annex E Techniques and measures
- Bibliography
(the figure marks each part as normative or informative)
50129 - a possible future structure

[Figure: mapping of the current clauses and annex subclauses (5.2, 5.3.3 to 5.3.12, B.1 to B.6 with B.2.1 to B.2.6 and B.3.1 to B.3.6, D.2 to D.5, E.1 to E.10) onto the new structure]

- Clause 1 Scope
- Clause 2 References
- Clause 3 Definitions
- Clause 4 Overview
- Clause 5 Safety management
- Clause 6 Safety case
- Annex A SIL
- Annex B+D Safety design
- Annex C Hardware failures
- Annex E Techniques and measures
- Annex F Programmable components
- Bibliography
(normative / informative as marked in the figure)
New topics
- Handling of SRAC: 1 page
- IT security: 1 page
- Reuse of pre-existing systems: 2 pages
- Safety-related tools: 3 pages
- Programmable components: 14 pages
Relationship with 50126

WGA15 and WG21
[Timeline figure as above, with the schedules of WG21 and WGA15]
- WG21: 50126
- WGA15: 50129
[Pie chart] DE and IT members together compose [share shown in the chart] of all the participants (figure label: 13)
Relationship with EN 50126

Applying EN 50129 out of the context of EN 50126 would be misleading.

[Figure: the structure of EN 61508 set against the CENELEC standards]
EN 61508:
- Part 1: overall requirements, allocation to safety-related systems; installation, operation and maintenance
- Part 2: realisation for E/E/PE systems
- Part 3: realisation for software
EN 50126: overall requirements for all the life-cycle phases from 1 to 12
EN 50129: specific signalling requirements, mainly for phases from 5 to 10
Relationship with EN 50126

Can EN 50129 be used as a stand-alone standard?
NO, if carrying out a complete project:
- life-cycle phases not defined
- risk assessment only partially described
- COP / reference system not addressed
YES, if developing an electronic GP/GA/SA (generic product, generic application, specific application).
BUT basic requirements, role definitions, etc. are still given in 50126 and only partially translated into 50129.
That is why EN 50126 is a normative reference, meaning "indispensable for the application of the document" [CLC IR 3].
The normative context of 402

[Timeline figure]
- 2004: Safety Directive 49
- 2008: Interoperability Directive 57
- 2009: CSM-RA Reg. 352; Guide for 352
- 2011: "DV29", Rec. 217
- 2013: CSM-RA Reg. 402
- 2014: "DV29 bis", Rec. 897; Guide for CSM AsBo
- 2015: CSM-RA Reg. 1136

Relationship between 50129 and 402
CSM-RA

[Figure: the CSM-RA risk management process]
- Preliminary system definition -> Significant change? NO: justify and document decision. YES: risk assessment.
- RISK ASSESSMENT
  - System definition (scope, functions, interfaces, etc.)
  - RISK ANALYSIS
    - Hazard identification and classification: hazard identification (what can happen? when? where? how? etc.), hazard classification (how critical?) -> Broadly acceptable risk? YES: justify and document decision.
    - Selection of risk acceptance principle, one of: application of codes of practice (CODES OF PRACTICE); similarity analysis with reference system(s) (SIMILAR REFERENCE SYSTEM(S)); EXPLICIT RISK ESTIMATION (identification of scenarios and associated safety measures; estimate frequency; estimate severity; estimate risk, quantitative or qualitative; safety criteria?)
  - RISK EVALUATION: comparison with criteria -> Acceptable risk? NO: back to the analysis. YES: safety requirements (i.e. the safety measures to be implemented)
  - System definition review in function of the identified safety requirements
- Demonstration of compliance with the safety requirements
- Across the whole process: HAZARD MANAGEMENT and INDEPENDENT ASSESSMENT

Assessment Body (AsBo); 3 risk acceptance principles: COP, similarity, explicit risk estimation
CSM-RA vs 50126

[Figure: the EN 50126 life-cycle phases set against the CSM-RA process steps]
EN 50126 phases:
1 Concept
2 System definition and operational context
3 Risk analysis and evaluation
4 Specification of system requirements
5 Architecture and apportionment of system requirements *)
6 Design and implementation *)
7 Manufacture
8 Integration
9 System validation
10 System acceptance
11 Operation, maintenance and performance monitoring
12 Decommissioning
*) may contain many subsystems and components

Key: correlated process steps in the European legal framework (figure labels DoCRA, O&D)
- risk assessment
- demonstration of compliance with the safety requirements
- implementation and demonstration of compliance with requirements
- operation and decommissioning
Side notes in the figure: feedback of subsequent hazard identification into risk analysis; consideration of subsequent RAMS requirements in product development
Differences between 50129 and 402
- Different users: CLC and EU/OTIF communities are not the same
- Different level of mandatoriness: CLC 50129 is a voluntary standard
- Different systems under consideration: urban rail, metro not in the scope of Reg. 402
- Different conditions: Reg. 402 is mainly for significant changes
- Different life-cycle phases: Reg. 402 focuses only on the risk assessment process
50126/50129 in support of Reg. 402

Is the proposal actively or probably in support of European regulation / legislation or established public policy? Yes, in relation to EC Regulation 402/2013

50129: Ensure that the revised standard and the ERA Regulation (EU) No 402/2013 fit together. As a result of this action, the working group shall deliver a position paper giving their interpretation on the application and the relationship between the ERA Regulation (EU) No 402/2013 and the 50129.

50126: Additionally a CLC Technical Report separate from the standard should clarify the way the CSM RA and the suite of standards work together and provide evidence for their compatibility. This issue should be addressed by ERA and CLC in close collaboration outside of this working group. In support and in preparation of this action, the working group shall deliver a position paper giving their interpretation on the application and the relationship between CSM-RA and 50126.
AsBo and ISA
AsBo
ASSESSMENT BODY:
the independent and competent external or internal individual, organisation or entity which undertakes investigation to provide a judgement, based on evidence, of the suitability of a system to fulfil its safety requirements.
AsBo
Art. 6: Duplication of work between the following assessments shall be avoided:
a) SMS conformity (Dir. 49)
b) Interoperability conformity (Dir. 57)
c) RA conformity (Reg. 402)
6. Relationship between CSM AsBo and CLC ISA
A fundamental difference:
CENELEC standards 50128 and 50129 do not require the assessor to be accredited or recognised.
Consequently the CSM AsBo will at least include all the activities of a CLC ISA.
AsBo and ISA

[Timeline figure: accredited/recognised ISA, what each standard requires of the assessor]
- EN 50129:2003: shall be approved by the Safety Authority
- EN 50128:2001: shall have acceptance/licence from a recognised Safety Authority
- EN 50128:2011: shall have acceptance/licence from a recognised Safety Authority
- EN 50126:1999: should have acceptance/licence from a recognised Safety Authority
- pr50126 (WG14, WG21) and WGA15: ?
2013 CSM-RA Reg. 402, Annex II: Criteria for accreditation or recognition of AsBo
The Assessment Body shall fulfil ISO/IEC 17020:2012

AsBo types (ISO/IEC 17020:2012 - inspection body), by independence from the design organisation and by limitations:
- Type A: not part of the same legal entity; 3rd party inspection
- Type B: separate and identifiable part; 2nd/1st party inspection services only to its parent organization
- Type C: identifiable but not necessarily a separate part, not the same person; 2nd/1st party inspection services to its parent organization or also to other parties
AsBo types
5. Who can be the AsBo
Permitting also the use of the type C of independence is crucial for the sector:[…] (when number of technical experts is limited) technical competence may be preferred to full independence.
ISA independence

[Figure: role independence for SIL 3 and 4; roles as labelled in the figure: ASSR (assessor), DI, VER (verifier), VAL (validator), PM (project manager)]
SIL 3 and 4, either:
- ASSR | DI, VER | PM, VAL
or:
- ASSR | DI, VER, VAL | PM

[Timeline figure: assessor in the same organisation as the project]
- EN 50129:2003: same organisation only if authorised by the Safety Authority and reporting to the Safety Authority
- EN 50128:2001 / EN 50128:2011: same organisation at the discretion of the Safety Authority
- WGA15: ?
Quantitative targets and SILs

[Figure: frequency of failures per operating hour against SIL]
EN 50129:2003, tolerable hazard rate per operating hour and SIL:
- 10^-9 to 10^-8: SIL 4
- 10^-8 to 10^-7: SIL 3
- 10^-7 to 10^-6: SIL 2
- 10^-6 to 10^-5: SIL 1
Catastrophic: fatalities, multiple severe injuries, major damage to the environment

CSM-RA Reg. 352 (2009) and Reg. 402 (2013): harmonised quantitative design targets
CSM-RA Reg. 1136 (2015):
- Catastrophic (large number of people, multiple fatalities): 10^-9 per operating hour; figure label "SIL4 + other measures"
- Critical (very small number of people, at least one fatality): 10^-7 per operating hour
Figure label "basic integrity": above 10^-5 per operating hour, where no SIL applies

Playing with SILs: misusing target definitions and SIL allocation
- Door control hazard "one or more doors wrongfully open": THR = 10^-9, SIL 4
- Single door hazard: TFFR = 10^-11
- Critical accident (Reg. 1136): TFFR = 10^-7, THR = 10^-5, NO SIL (basic integrity)
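The THR-to-SIL mapping and the door allocation paths of this slide, worked as an added Python example; it is not code from the presentation or from CENELEC. It encodes EN 50129:2003 Table A.1 and the two Reg. 1136 design targets; the door count (100) and the hazard-to-accident reduction factor (100) are assumptions chosen to reproduce the slide's numbers, and the apportionment check is this example's own sanity test, not a requirement of either document.

```python
"""Added example, not from the slides: EN 50129:2003 Table A.1 THR-to-SIL
mapping, equal apportionment of a THR over independent functions, and the
allocation paths the "Playing with SILs" slide contrasts."""
from decimal import Decimal
from typing import Dict, List, Optional, Tuple, Union

Rate = Union[Decimal, str, float, int]


def _d(x: Rate) -> Decimal:
    """Band edges are exact powers of ten; binary floats misplace rates that
    sit on an edge (1e-7 * 100 < 1e-5 as floats), so work in Decimal."""
    return x if isinstance(x, Decimal) else Decimal(str(x))


# EN 50129:2003 Table A.1, tolerable hazard rate per hour and per function:
# (lower bound inclusive, upper bound exclusive, SIL)
SIL_BANDS: List[Tuple[Decimal, Decimal, int]] = [
    (Decimal("1e-9"), Decimal("1e-8"), 4),
    (Decimal("1e-8"), Decimal("1e-7"), 3),
    (Decimal("1e-7"), Decimal("1e-6"), 2),
    (Decimal("1e-6"), Decimal("1e-5"), 1),
]

# Harmonised design targets of Reg. (EU) 2015/1136, per operating hour
DESIGN_TARGET = {
    "catastrophic": Decimal("1e-9"),  # multiple fatalities
    "critical": Decimal("1e-7"),      # at least one fatality
}


def sil_for_thr(thr: Rate) -> Optional[int]:
    """SIL for a tolerable hazard rate, or None outside Table A.1:
    at 1e-5/h and above no SIL applies ("basic integrity" on the slide);
    below 1e-9/h no band exists either, SIL 4 being the highest level."""
    t = _d(thr)
    for lo, hi, sil in SIL_BANDS:
        if lo <= t < hi:
            return sil
    return None


def apportion(system_thr: Rate, n_independent: int) -> Decimal:
    """Equal share of a system-level THR for each of n physically independent
    functions (independent hazard rates add, so each gets 1/n)."""
    if n_independent < 1:
        raise ValueError("need at least one function")
    return _d(system_thr) / n_independent


def check_apportionment(system_thr: Rate, parts: List[Rate]) -> List[str]:
    """Findings for a proposed apportionment; an empty list means it is sound.
    Two things go wrong in practice: the parts add up to more than the
    system target, or a part's rate falls outside the SIL table."""
    findings = []
    total = sum(_d(p) for p in parts)
    if total > _d(system_thr):
        findings.append(f"parts sum to {total} > system THR {_d(system_thr)}")
    for i, p in enumerate(parts):
        if sil_for_thr(p) is None:
            findings.append(f"part {i}: THR {_d(p)} has no SIL in Table A.1")
    return findings


def door_allocation_paths(n_doors: int = 100, credited_reduction: int = 100
                          ) -> Dict[str, Tuple[Decimal, Optional[int]]]:
    """The slide's door example, three ways. n_doors and credited_reduction
    (the hazard-to-accident factor) are assumptions of this example."""
    function_thr = DESIGN_TARGET["catastrophic"]        # 1e-9, SIL 4
    per_door = apportion(function_thr, n_doors)         # 1e-11, below the table
    # Reclassify a single door as a "critical" accident and credit a
    # reduction factor between hazard and accident: the THR climbs to 1e-5.
    reclassified = DESIGN_TARGET["critical"] * credited_reduction
    return {
        "door control function": (function_thr, sil_for_thr(function_thr)),
        "single door, apportioned": (per_door, sil_for_thr(per_door)),
        "single door, reclassified critical": (reclassified, sil_for_thr(reclassified)),
    }


if __name__ == "__main__":
    for name, (thr, sil) in door_allocation_paths().items():
        print(f"{name:36s} THR={thr:.0e}  SIL={sil if sil else 'none (basic integrity)'}")
    # Constructed inputs: a sound split and one that overshoots the system target
    print(check_apportionment("1e-8", ["5e-9", "5e-9"]))
    print(check_apportionment("1e-8", ["5e-9", "3e-9", "3e-9"]))
```

The same door function lands on SIL 4, on no SIL because the per-door rate is below the table, or on no SIL because the reclassified rate is above it, depending only on how the hazard was defined; that is the misuse the slide warns about. Decimal is used because the band edges are exact powers of ten and a float product such as 1e-7 * 100 falls just under 1e-5, which would wrongly place a rate on the edge into SIL 1.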
Design targets, S/Q processes

2.5.7 The risk is acceptable:
(a) compliance with design targets;
(b) the associated systematic failures are controlled in accordance with safety and quality processes, commensurate with the design target and defined in commonly acknowledged relevant standards.

[Figure]
- Design targets -> dangerous (random) failure rate
- Safety and quality processes -> reduction of systematic failures
Targets, processes and fail-safety

[Figure]
- Design targets -> dangerous (random) failure rate: can be apportioned (physical independence)
- Safety and quality processes -> reduction of systematic failures: may be apportioned (process independence)
- Fail-safety: design for safety, fail-safe principles and fault management criteria (integrity, accuracy, consistency): cannot be apportioned!

Conclusion
50129 is a prime number.
Let it be a prime standard too.
SiT Workshop – Braunschweig, 16-17 November 2015
Thank you for your attention
a.ciancabilla@rfi.it