cenelec - sc9xa wga15: maintenance of en...

SiT Workshop - Braunschweig, 16/17 November 2015

CENELEC - SC9XAWGA15:Maintenanceof EN 50129

Attilio Ciancabilla

WGA15 – maintenance of EN 50129

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

EU 402

AsBo and ISA

targets and SILs

50129

similarities

50126

50129 – state of the art


97 98 00 02 04 06 08 10 12 1499 01 03 05 07 09 11 13

50129 :2003

1615

TR 50451 Allocation of SIL

WGA15

TR 50126-2 guide

50126 :1999

50128 :2001 50128 :2011

WG21

SC9XA

TC9X

WG14


Maintenance of 50129

TR50506-1 CrossAcc.

TR 50506-2 Safety assurance

WGA15 - schedule


Annex A SIL

Annex BTECH. SAF. REPORT

Bibliography Annex ETech. & Measures

EN 50129

Clause 1Scope

Clause 2Ref

Clause 4Overview

Clause 5SAFETY CASE

Clause 3Def

Annex DFault analysis

Normative

Informative

Annex CHw failures

B.1 B.2 B.4 B.6B.3 B.5

5.1 5.2 5.3 5.4 5.5

50129 - the current structure


50129 - the current structure


B.3

B.2

B.1

E.10

E.9

E.8

E.7

E.55.4

E.4

E.3

E.2

E.1

5.2

5.3.3

5.3.6

5.3.4

5.3.7

5.3.9

5.3.12

E.6

B.3.1B.3.2

B.3.3B.3.4

B.3.5B.3.6

B.2.1B.2.2

B.2.3B.2.4

B.2.5B.2.6

D.4

D.3

D.2

D.5

5.3

B.4B.5

B.6

E.4

E.6

Bibliography

Annex ETech.& Measures

EN 50129

Clause 1Scope

Clause 2Ref

Clause 4Overview

Clause 5Safety Man.

Clause 3Def

Annex B+DSafety Design

Normative

Informative

Annex CHw failures

Clause 6SAFETY CASE

50129 - a possible future structure

Annex A SIL

Annex F Programmable Components


New topics

Handling of SRAC 1 page

IT security 1 page

Reuse of pre-existing systems 2 pages

Safety-related tools 3 pages

Programmable components 14 pages


Relationship with 50126


WGA15 and WG2197 98 00 02 04 06 08 10 12 1499 01 03 05 07 09 11 13

50129 :2003

1615

TR 50451 Allocation of SIL

WGA15

TR 50126-2 guide

50126 :1999

50128 :2001 50128 :2011

WG21

SC9XA

TC9X

WG14


TR50506-1 CrossAcc.

TR 50506-2 Safety assurance

WGA15 and WG21

WG2150126

WGA1550129

of all the participants


DE and IT memberstogether compose

13

Applying EN 50129 out of the context of EN 50126 would be misleading

Overall requirements, allocation to safety-

related systems

PART 1

Installation, operation and maintenance

PART 1

Realisation for E/E/PE systems

Realisation for software

PART 2 PART 3

Overall requirements,

for all thelife-cycle phases

from 1 to 12

50126

Specific SIG

requirements,mainly for phasesfrom

5 to 10

50129

EN 61508

Relationship with EN 50126


Can EN 50129 be used as a stand-alone standard?NO if carrying out a complete project:

- life-cycle phases not defined- risk assessment only partially described- COP/REF.SYS not addressed

if developing an electronic GP/GA/SAYES

BUT basic requirements, role definitions, etc. are still given in 50126 and only partially translated in 50129

That’s why EN 50126 is a normative reference, meaning ’indispensable for the application of the document’[CLC IR 3]

Relationship with EN 50126


The normative context of 402


2004SafetyDir.49

2008Interop. Dir.57

2009CSM-RAReg.352

2013CSM-RAReg.402

2011"DV29"

Rec. 217

2009Guide for

352

2015CSM-RAReg.1136

2014"DV29 bis "Rec. 897

2014Guide for

CSM AsBo


The normative context of 402

Relationship between

50129 and 402


CSM-RA

Demonstration of Compliance with the Safety Requirements

EXPLICIT RISK ESTIMATION

RISK EVALUATION

HA

ZAR

D M

AN

AG

EMEN

T

Identification of Scenarios & associated Safety Measures

Estimate Frequency

Estimate Severity

Estimate Risk IN

DEP

END

ENT

ASS

ESSM

ENT

Quantitative

Qualitative

Application of Codes of Practice

Similarity Analysis with Reference

System(s)

CODES OF PRACTICE SIMILAR REFERENCE SYSTEM(S)

Safety Criteria?

SYSTEM DEFINITION (Scope, Functions, Interfaces, etc.)

Selection of Risk Acceptance

Principle

RISK ASSESSMENT

YES

HAZARD IDENTIFICATION (What can happen? When?

Where? How? Etc.

HAZARD CLASSIFICATION (How critical?)

PRELIMINARY SYSTEM DEFINITION

Significant Change?

NO

RISK ANALYSIS

Sys

tem

Def

initi

on R

evie

w in

func

tion

of t

he id

entif

ied

Saf

ety

Req

uire

men

ts

Safety Requirements (i.e. the Safety Measures

to be implemented)

HA

ZAR

D ID

ENTI

FIC

ATI

ON

A

ND

CLA

SSIF

ICA

TIO

N

Broadly Acceptable

Risk?

YES

Acceptable Risk?

NO

Comparison with Criteria

YES YES YES



Acceptable Risk?

Acceptable Risk?

NO NO

Justify and document desicion

Justify and document desicion

NO

Assessment Body(AsBo) 3 Risk Acceptance

Principles: COP Similarity Explicit risk

estimation


CSM-RA vs 50126

Ope

ratio

n an

d D

ecom

mis

ssio

ning

Ris

k A

sses

smen

t

Impl

emen

tatio

n an

d D

emon

stra

tion

of C

ompl

ianc

e w

ith

Req

uire

men

ts

System Validation 9

Operation, Maintenance and

Performance Monitoring

11

Integration8

System Acceptance10

Feed

back

of s

ubse

quen

t haz

ard

iden

tific

atio

n in

to ri

sk a

nalys

is

Ope

ratio

n an

d D

ecom

mis

sion

ing

Decommissioning12

Key:

Correlated process steps in European legal framework

DoCRA

O&D

Design and Implementation

6

Manufacture 7

Con

side

ratio

n of

sub

sequ

ent R

AMS

Req

uire

men

ts in

pro

duct

dev

elop

men

t

Concept 1

System Definition and Operational Context2

Architecture & Apportionment

of System Requirements5

*)

*)

*) may contain many subsystems and components

Specification of System Requirements

4

Risk Analysis and Evaluation3

risk assessment

demonstration of compliance with the safety requirements

implementation and demonstration of compliance

with requirementsA. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

Different users CLC and EU/OTIF communities are not the same

Different level of mandatorinessCLC 50129 is a Voluntary Standard

Different systems under considerationUrban rail, metro not in the scope of Reg.402

Different conditions Reg.402 is mainly for significant changes

Different life-cycle phases Reg.402 focuses only on the Risk Assessment process

Differences betw. 50129 and 402


Is the proposal actively or probably in support of European regulation / legislation or established public policy? Yes, in relation to EC Regulation 402/2013

Ensure that the revised standard and the ERA Regulation (EU) No 402/2013 fit together. As a result of this action, theworking group shall deliver aposition paper giving theirinterpretation on the applicationand the relationship between theERA Regulation (EU) No402/2013 and the 50129.

Additionally a CLC Technical Reportseparate from the standard should clarify theway the CSM RA and the suite of standardswork together and provide evidence fortheir compatibility.This issue should be addressed by ERA andCLC in close collaboration outside of thisworking group.In support and in preparation of this action,the working group shall deliver a positionpaper giving their interpretation on theapplication and the relationship betweenCSM-RA and 50126.

50129 50126

50126/50129 in support of Reg.402


AsBo and ISA


2004SafetyDir.49

2008Interop. Dir.57

2009CSM-RAReg.352

2013CSM-RAReg.402

2011"DV29"

Rec. 217

2009Guide for

352

2015CSM-RAReg.1136

2014"DV29 bis "Rec. 897

2014Guide for

CSM AsBo


AsBo

ASSESSMENT BODY:

the independent and competent external or internal individual, organisation or entity which undertakes investigation to provide a judgement, based on evidence, of the suitability of a system to fulfil its safety requirements.

2004SafetyDir.49

2008Interop. Dir.57

2009CSM-RAReg.352

2013CSM-RAReg.402

2011"DV29"

Rec. 217

2009Guide for

352

2015CSM-RAReg.1136

2014"DV29 bis "Rec. 897

2014Guide for

CSM AsBo


AsBo

Art.6Duplication of work between the following assessments shall be avoided:

a) SMS conformity (Dir.49)b) Interoperability conformity (Dir.57)c) RA conformity (Reg.402)

2004SafetyDir.49

2008Interop. Dir.57

2009CSM-RAReg.352

2013CSM-RAReg.402

2011"DV29"

Rec. 217

2009Guide for

352

2015CSM-RAReg.1136

2014"DV29 bis "Rec. 897

2014Guide for

CSM AsBo


6. Relationship between CSM AsBo and CLC ISA

a fundamental difference:

CENELEC standards 50128 and 50129 do not impose the assessor to be accredited or recognised .

Consequently CSM AsBo will at least include all the activities of a CLC ISA.

AsBo and ISA

accredited/recognised ISA

97 98 00 02 04 06 08 10 12 1499 01 03 05 07 09 11 13

EN 50129 :2003

1615

WGA15

shall be approved by the Saf.Aut.

shall have acceptance/licencefrom a recognised Saf.Aut.

shall have acceptance/licence from a recognised Saf.Aut.

?

pr50126 (WG14) WG21

50128 :2001 50128 :2011

50126 :1999

should have acceptance/licence from a recognised Saf.Aut.


2013CSM-RAReg.402

Annex II: Criteria for accreditation or recognition of AsBo

The Assessment Body shall fulfil ISO/IEC 17020:2012

17020:2012 - INSPECTION BODY

Indep. from Design Org. Limitations

Type A

Type B

Type C

not part of the same legal entity

separate and identifiable part

identifiable but not necessarily a separate part; not the same person.

2nd – 1st party inspection services only to its parent organization

2nd – 1st party inspection services to its parent organization or also to other parties

AsBo types

3rd party inspection


2004SafetyDir.49

2008Interop. Dir.57

2009CSM-RAReg.352

2013CSM-RAReg.402

2011"DV29"

Rec. 217

2009Guide for

352

2015CSM-RAReg.1136

2014"DV29 bis "Rec. 897

2014Guide for

CSM AsBo


AsBo types

5. Who can be the AsBo

Permitting also the use of the type C of independence is crucial for the sector:[…] (when number of technical experts is limited) technical competence may be preferred to full independence.

ISA independence

ASSR

DI VER

ASSR

SIL 3 AND 4

OR

PM

DI VER, VAL

PM

VAL


ISA independence

97 98 00 02 04 06 08 10 12 1499 01 03 05 07 09 11 13

50129 :2003

1615

WGA15

same organisation only if authorised by the Saf.Aut.and reporting to the Saf.Aut.

same organisation at the discretion of the Saf.Aut.

?

50128 :2001 50128 :2011


Quantitative targets and SILs


10-5

10-6

10-7

10-8

10-9

Critical:very small n. of people,

at least one fatality

Catastrophic:large n. of people,multiple fatalities

SIL4

SIL3

SIL2

SIL1

Frequence of failures per operating hour

2003EN 50129

Catastrophic:fatalities,

multiple severe injuries,major damage to the env.

Harmonised quantitative design targets

2009, 2013CSM-RA

Reg. 352, 402

2015CSM-RAReg.1136

SIL4 + other meas.

basic integrity


Door control hazard: «one or more doors

wrongfully open»THR = 10-9, SIL4

Single door hazardTFFR = 10-11

Critical accident(Reg.1136)TFFR = 10-7

THR = 10-5

NO SIL (basic integrity)

Playing with SILs

Misusing target definitions and SIL allocation


2004SafetyDir.49

2008Interop. Dir.57

2009CSM-RAReg.352

2013CSM-RAReg.402

2011"DV29"

Rec. 217

2009Guide for

352

2015CSM-RAReg.1136

2014"DV29 bis "Rec. 897

2014Guide for

CSM AsBo


2.5.7The risk is acceptable:

(a) compliance with design targets;(b) the associated systematic failures are

controlled in accordance with safety and quality processes, commensurate with the design target and defined in commonly acknowledged relevant standards

Design Targets, S/Q Processes

Design targets

Safety and quality

processes

Reduction of systematic failures

Dangerous (random) failure rate


IntegrityAccuracyConsistency

Targets, Processes and Fail-Safety

Design for safety

Fail-safe principles and

fault management criteria

Fail-Safety

Can be apportioned(physical

independence)

May be apportioned(process

independence)

cannot beapportioned !

Design targets

Safety and quality

processes

Design for safety

Fail-safe principles and

fault management criteria

Reduction of systematic failures

Dangerous (random) failure rate


Targets, Processes and Fail-Safety

Conclusion



50129 is a prime number.

Let it be a prime standard too.

SiT Workshop – Braunschweig, 16-17 November 2015

Thank you for your attention

[email protected]

cenelec - sc9xa wga15: maintenance of en...

Documents