Sie sind auf Seite 1von 10

ENTWURF

VE/NORM

EN 50126-2
Ausgabe: 2012-12-01

Railway applications
The Specification and Demonstration of Reliability,
Availability, Maintainability and Safety (RAMS)
Part 2: Systems approach to safety

Hinweis:
Aufgrund von Stellungnahmen kann die endgltige Fassung
dieser VE/NORM vom vorliegenden Entwurf abweichen.
Stellungnahmen (schriftlich) bis 2013-01-01 an den OVE.
Medieninhaber und Hersteller:
OVE sterreichischer Verband fr Elektrotechnik
Austrian Standards Institute

AS+ Shop 03.02.2013

Copyright OVE/Austrian Standards Institute 2012.


Alle Rechte vorbehalten! Nachdruck oder
Vervielfltigung, Aufnahme auf oder in sonstige Medien
oder Datentrger nur mit Zustimmung gestattet!
Verkauf von in- und auslndischen Normen und
technischen Regelwerken durch
Austrian Standards Institute
Heinestrae 38, 1020 Wien
E-Mail: sales@as-plus.at
Internet: www.as-plus.at
Webshop: www.as-plus.at/shop
Tel.: +43 1 213 00-444
Fax: +43 1 213 00-818
Alle Regelwerke fr die Elektrotechnik auch erhltlich bei
OVE sterreichischer Verband fr Elektrotechnik
Eschenbachgasse 9, 1010 Wien
E-Mail: verkauf@ove.at
Internet: www.ove.at
Webshop: www.ove.at/webshop
Tel.: +43 1 587 63 73
Fax: +43 1 587 63 73 - 99

ICS

Ident (IDT) mit


zustndig



prEN 50126-2:2012
OVE/Komitee
TK TM
Traktion und Motorik

ENTWURF VE/NORM EN 50126-2:2012

Erluterungen zum Entwurf


Der
von
CENELEC TC 9X
ausgearbeitete
Entwurf
zu
einer
Europischen
Norm
EN 50126-2:2012 wurde den CENELEC-Mitgliedern zur Abstimmung vorgelegt. Im Falle eines positiven
Abstimmungsergebnisses im Sinne der CEN/CENELEC-Regeln wird dieser Entwurf zu einer EN fhren.
Wie alle Mitgliedsorganisationen von CENELEC ist der OVE grundstzlich verpflichtet, Europische Normen
in das nationale Normenwerk zu bernehmen und entgegenstehende Normen zurckzuziehen.
Der OVE legt hiermit diesen Entwurf eines europischen Normungsdokumentes der ffentlichkeit zur
Information und Stellungnahme als VE/NORM-Entwurf vor.
Da eine bersetzung in die deutsche Sprache zu diesem Zeitpunkt noch nicht vorhanden ist, wird um die
von CENELEC vorgegebene Einspruchsfrist einzuhalten die englischsprachige Fassung der
prEN 50126-2:2012 zur Information und Stellungnahme vorgelegt.

AS+ Shop 03.02.2013

Interessenten knnen das gegenstndliche Dokument beim sterreichischen Verband fr Elektrotechnik


beziehen bzw. in den Text Einsicht nehmen.

ENTWURF VE/NORM

EUROPEAN STANDARD

DRAFT
prEN 50126-2

NORME EUROPENNE
EUROPISCHE NORM

October 2012

ICS 45.020

Will supersede EN 50126-1:1999 (partially)

English version

Railway applications The Specification and Demonstration of Reliability, Availability,


Maintainability and Safety (RAMS) Part 2: Systems approach to safety

Applications ferroviaires Spcification et dmonstration de la fiabilit,


de la disponibilit, de la maintenabilit et de la
scurit (FDMS) Partie 2: Approche systmatique pour la
scurit

Bahnanwendungen Spezifikation und Nachweis von


Zuverlssigkeit, Verfgbarkeit,
Instandhaltbarkeit und Sicherheit (RAMS) Teil 2: Systembezogene Sicherheitsmethodik

This draft European Standard is submitted to CENELEC members for CENELEC enquiry.
Deadline for CENELEC: 2013-03-29.
It has been drawn up by CLC/TC 9X.
If this draft becomes a European Standard, CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without
any alteration.
This draft European Standard was established by CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CENELEC member into its own
language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the
Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece,
Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal,
Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they
are aware and to provide supporting documentation.

AS+ Shop 03.02.2013

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change
without notice and shall not be referred to as a European Standard.

CENELEC
European Committee for Electrotechnical Standardization
Comit Europen de Normalisation Electrotechnique
Europisches Komitee fr Elektrotechnische Normung
Management Centre: Avenue Marnix 17, B - 1000 Brussels
2012 CENELEC Project: 21753

All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. prEN 50126-2:2012 E

ENTWURF VE/NORM

prEN 50126-2:2012

4001

Contents

4002

Foreword .................................................................................................................................... 5 

4003

Introduction................................................................................................................................. 6 

4004

1

Scope ................................................................................................................................... 8 

4005

2

Normative references ........................................................................................................... 9 

4006

3

Terms and definitions ........................................................................................................... 9 

4007

4

Abbreviations ....................................................................................................................... 9 

4008

5

Tailoring the life-cycle ........................................................................................................ 10 

4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030

AS+ Shop 03.02.2013

-2-

4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044

Page

The life-cycle Model .................................................................................................. 10 


The Hourglass Model ................................................................................................ 10 
Generic and specific safety acceptance processes .................................................... 14 
5.3.1  Introduction ................................................................................................... 14 
5.3.2  Safety acceptance process ............................................................................ 14 
5.3.3  After safety acceptance ................................................................................. 16 
5.3.4  Dependency between safety cases ................................................................ 16 
5.3.5  Relationship between safety case dependencies and system architecture ..... 17 
Avoidance of systematic failures ......................................................................................... 17 

5.1 
5.2 
5.3 

6

7

General ..................................................................................................................... 17 
Independent safety assessment ................................................................................ 17 
Prevention of systematic failure in the early phases of the life-cycle .......................... 18 
Detection and correction of systematic failure during the design and development
phases of the life-cycle .............................................................................................. 19 
6.5  Detection and correction of systematic failure during integration and following
phases of the life-cycle .............................................................................................. 19 
Guidance on system definition ............................................................................................ 21 

8

7.1 
7.2 
7.3 
7.4 
Risk

System definition in an iterative system approach ..................................................... 21 


Method for defining the structure of a system ............................................................ 21 
Parties/stakeholders/boundaries of systems .............................................................. 22 
Guidance on the content of a system definition.......................................................... 22 
analysis and evaluation .............................................................................................. 23 

8.1 
8.2 

General ..................................................................................................................... 23 
Hazard identification - process and methods ............................................................. 23 
8.2.1  General ......................................................................................................... 23 
8.2.2  Empirical hazard identification methods ......................................................... 23 
8.2.3  Creative hazard identification methods .......................................................... 24 
Hazard classification ................................................................................................. 24 
Consequence analysis............................................................................................... 24 
8.4.1  General ......................................................................................................... 24 
8.4.2  The risk model ............................................................................................... 25 
8.4.3  Techniques for the consequence analysis...................................................... 26 
Risk evaluation and acceptance ................................................................................ 27 
8.5.1  Introduction to the risk acceptance principles ................................................ 27 
8.5.2  Use of code of practice .................................................................................. 28 
8.5.3  Use of a similar system as reference ............................................................. 28 

6.1 
6.2 
6.3 
6.4 

8.3 
8.4 

8.5 

ENTWURF VE/NORM

AS+ Shop 03.02.2013

-3-

prEN 50126-2:2012

4045
4046
4047
4048
4049
4050

8.5.4  Explicit risk estimation ................................................................................... 29 


8.6  Guidelines to the explicit risk estimation .................................................................... 30 
8.6.1  Rationale ....................................................................................................... 30 
8.6.2  Quantitative approach ................................................................................... 30 
8.7  Qualitative approach ................................................................................................. 33 
Specification of system requirements ................................................................................. 33 

9

4051
4052
4053
4054
4055

9.1  General ..................................................................................................................... 33 


9.2  Functional safety requirements .................................................................................. 34 
9.3  Technical safety requirements ................................................................................... 34 
9.4  Operational and maintenance safety requirements .................................................... 35 
10  Apportionment of System Safety Requirements .................................................................. 35 

4056
4057
4058
4059
4060
4061
4062
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073

10.1  Deriving and apportioning system safety requirements .............................................. 35 


10.1.1  How to proceed with functions implemented by E/E/PE architectures ............ 35 
10.1.2  How to proceed with functions implemented by non-E/E/PE architecture ....... 35 
10.2  Functional safety integrity for E/E/PE ........................................................................ 35 
10.2.1  Deriving functional safety requirements for E/E/PE systems from defined
hazards ......................................................................................................... 35
10.2.2  The safety integrity concept and its levels ..................................................... 36 
10.2.3  Random aspects of functional safety integrity ................................................ 37 
10.2.4  Systematic aspect of functional safety integrity .............................................. 37 
10.2.5  Combination of random and systematic aspects ............................................ 37 
10.2.6  The SIL table ................................................................................................. 38 
10.2.7  SIL allocation ................................................................................................ 39 
10.2.8  Apportionment of TFFR ................................................................................. 40 
10.2.9  Demonstration of quantified targets ............................................................... 40 
10.2.10 S IL0 .............................................................................................................. 41 
10.2.11 P revention of misuse of SILs and warnings.................................................... 41 
10.3  Safety Integrity for non-E/E/PE systems Guidance on application of CoP ............... 41 
11  Design and implementation ................................................................................................ 42 

4074
4075
4076
4077
4078
4079
4080
4081

Causal analysis ......................................................................................................... 42 


Identification and treatment of additional hazards arising from design ....................... 42 
Techniques for causal analysis .................................................................................. 43 
Functional Safety principles....................................................................................... 43 
11.4.1  Functional composition .................................................................................. 43 
11.4.2  Independence of functions ............................................................................. 44 
11.4.3  Supporting rules for evaluating technical aspects of independence ................ 44 
Annex A (informative) Measures for the avoidance of systematic failures ................................. 46 

4082
4083
4084
4085
4086
4087
4088

A.1 
A.2 
A.3 
A.4 
A.5 
A.6 
Annex B

4089

Annex C (informative) Using failure and accident statistics to derive a THR ............................. 54 

4090
4091

Annex D (informative) CoP on maintenance activities to preserve the safety integrity of nonE/E/PE systems .................................................................................................................. 55 

4092

Annex E (informative) Apportionment methods......................................................................... 57 

11.1 
11.2 
11.3 
11.4 

General remark ......................................................................................................... 46 


Safety and quality management ................................................................................. 46 
System requirements specification ............................................................................ 46 
System architecture and design ................................................................................. 47 
Integration and testing of the system ......................................................................... 47 
Application, operation and maintenance .................................................................... 47 
(informative) ALARP, GAME, MEM ............................................................................ 48 

ENTWURF VE/NORM

AS+ Shop 03.02.2013

prEN 50126-2:2012

-4-

4093

Annex F (informative) Safety Target Quantification Methods .................................................... 61 

4094

Annex G (informative) Common mistakes in quantification ....................................................... 67 

4095

Annex H (informative) Techniques / methods for safety analysis .............................................. 68 

4096
4097

Figure 1 The Hourglass Model ............................................................................................... 11 

4098

Figure 2 Definition of hazards with respect to the system boundary ....................................... 13 

4099

Figure 3 Generic and specific safety acceptance processes ................................................... 15 

4100

Figure 4 Examples of dependencies between safety cases .................................................... 16 

4101

Figure 5 Organisational structure for early phases ................................................................. 19 

4102

Figure 6 Organisational structure for integration and final phases .......................................... 20 

4103

Figure 7 An example of risk model ......................................................................................... 25 

4104

Figure 8 Tolerable rates in an example of risk model ............................................................. 31 

4105

Figure 9 Safety requirements ................................................................................................. 34 

4106

Figure 10 Apportionment of functional safety requirements .................................................... 36 

4107

Figure 11 Relationship between SILs and techniques ............................................................ 38 

4108

Figure 12 Impact of functional dependence in a fault-tree analysis ......................................... 44 

4109

Figure B.1 Example of simple qualitative risk matrix for use within an ALARP framework ....... 50 

4110

Figure B.2 Example of semi-quantitative risk matrix for use within an ALARP framework ....... 50 

4111

Figure B.3 Differential risk aversion ....................................................................................... 53 

4112

Figure E.1 Functional breakdown ........................................................................................... 57 

4113

Figure E.2 Analysis of the scenario: functional independence ................................................ 58 

4114

Figure E.3 1st step of apportionment: analysis of the system ................................................. 59 

4115

Figure E.4 Example of quantified apportionment .................................................................... 60 

4116

Figure F.1 Interpretation of failure and repair times ................................................................ 61 

4117

Figure F.2 Double channel failure with common cause ........................................................... 63 

4118

Figure G.1 ................................................................................................................................ 67 

4119
4120

Table 1 Typical examples for a functional breakdown............................................................. 22 

4121

Table 2 Examples of hazards ................................................................................................. 26 

4122

Table 3 SIL and SIL-measures ............................................................................................... 38 

4123

Table A.1 Safety planning and quality assurance activities .................................................... 46 

4124

Table A.2 System requirements specification ......................................................................... 46 

4125

Table A.3 System architecture and design ............................................................................. 47 

4126

Table A.4 Integration and testing of the system ...................................................................... 47 

4127

Table A.5 Application, operation and maintenance ................................................................. 47 

4128

Table B.1 .................................................................................................................................. 48 

4129

Table D.1 Measures to achieve the necessary safety integrity of non-E/E/PE systems ........... 56 

4130

Table H.1 Techniques / Methods for safety analysis ............................................................... 68 

4131

ENTWURF VE/NORM

AS+ Shop 03.02.2013

-5-

prEN 50126-2:2012

4132

Foreword

4133
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143
4144
4145
4146
4147
4148
4149

This document [prEN 50126-2:2012] has been prepared by CLC/TC 9X "Electrical and electronic
applications for railways".
This document is currently submitted to the Enquiry.
EN 50126 "Railway applications The specification and demonstration of Reliability, Availability,
Maintainability and Safety (RAMS)" consists of the following parts:
Part 1: Generic RAMS process;
Part 2: Systems approach to safety;
Part 4: Functional safety Electrical/Electronic/Programmable electronic systems;
Part 5: Functional safety Software.
This
new
edition
of
EN 50126
(all
parts)
will
supersede
EN 50126-1:1999,
CLC/TR 50126-2:2007, CLC/TR 50126-3:2008, EN 50128:2011 and EN 50129:2003.
This part of EN 50126 covers the systems approach to safety. It is mainly based on
EN50126-1:1999.
This part of EN 50126 will supersede EN 50126-1:1999 (together with prEN 50126-2:2012).
This document has been prepared under a mandate given to CENELEC by the European
Commission and the European Free Trade Association, and supports essential requirements of
EU Directive(s).

ENTWURF VE/NORM

AS+ Shop 03.02.2013

prEN 50126-2:2012

-6-

4150

Introduction

4151
4152
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178
4179
4180
4181
4182
4183
4184
4185
4186
4187
4188
4189
4190
4191
4192
4193
4194
4195

EN 50126-1:1999 was produced to introduce the application of a systematic RAMS management


process in the railway sector. For safety-related electronic systems for signalling EN 50128 and
EN 50129 were produced. Through the application of these standards and the experiences
gained over the last years, the need for revision and restructuring became apparent with a need
to deliver a systematic and coherent approach to RAMS applicable to all the railway application
fields Signalling, Rolling Stock and Electric power supply for Railways (Fixed Installations).
The revision work improved the coherency and consistency of the standards, the concept of
safety management and the practical usage of EN 50126 and took into consideration the existing
and related Technical Reports as well.
This European Standard provides railway duty holders and the railway suppliers, throughout the
European Union, with a process which will enable the implementation of a consistent approach to
the management of reliability, availability, maintainability and safety, denoted by the acronym
RAMS.
Processes for the specification and demonstration of RAMS requirements are cornerstones of
this standard. This European Standard promotes a common understanding and approach to the
management of RAMS.
EN 50126 is the railways sector specific application of IEC 61508. Meeting the requirements in
this European Standard is sufficient to ensure that additional compliance to IEC 61508 does not
need to be evaluated.
With regard to safety EN 50126-1 provides a Safety Management Process which is supported by
guidance and methods described in EN 50126-2.
EN 50126-1 and EN 50126-2 are independent from the technology used. EN 50126-4 and
EN 50126-5 provide guidance specific to safety-related E/E/PE technology of railway
applications. Their application is determined through the application of the general RAMS
process of EN 50126-1 and through the outcome of the safety-related methods described in
EN 50126-2. As far as safety is concerned, EN 50126 takes the perspective of functional safety.
This does not exclude other aspects of safety. However, these are not the focus.
The aims set for revision of EN 50126 required a better understanding of the systems approach
and improved methods for applying the safety management process described in EN 50126-1.
EN 50126-2 provides this guidance.
The application of this standard should be adapted to the specific requirements of the system
under consideration.
This European Standard can be applied systematically by the railway duty holders and railway
suppliers, throughout all phases of the life-cycle of a railway application, to develop railway
specific RAMS requirements and to achieve compliance with these requirements. The systemslevel approach developed by this European Standard facilitates assessment of the RAMS
interactions between elements of railway applications even if they are of complex nature.
This European Standard promotes co-operation between the stakeholders of Railways in the
achievement of an optimal combination of RAMS and cost for railway applications. Adoption of
this European Standard will support the principles of the European Single Market and facilitate
European railway inter-operability.
The process defined by this European Standard assumes that railway duty holders and railway
suppliers have business-level policies addressing Quality, Performance and Safety. The
approach defined in this standard is consistent with the application of quality management
requirements contained within the ISO 9001.

ENTWURF VE/NORM

-7-

AS+ Shop 03.02.2013

4196
4197
4198
4199
4200
4201
4202

prEN 50126-2:2012

In accordance with CENELEC editing rules 1) , mandatory requirements in this standard are
indicated with the modal verb shall. Where justifiable, the standard permits process tailoring.
Specific guidance on the application of this standard in the case of process tailoring is provided
in 7.3 of EN 50126-1. EN 50126-2 provides various methods for use in the safety management
process. Where a particular method is selected for the system under consideration, the
mandatory requirements of this method are by consequence mandatory for the safety
management of the system under consideration.

1) CENELEC Internal Regulations Part 3: Rules for the structure and drafting of CEN/CENELEC Publications (200908), Annex H.

ENTWURF VE/NORM

AS+ Shop 03.02.2013

prEN 50126-2:2012

4203
4204
4205
4206
4207
4208
4209
4210
4211
4212
4213
4214
4215
4216
4217
4218
4219
4220
4221
4222
4223
4224
4225
4226
4227
4228
4229
4230
4231
4232
4233
4234
4235
4236
4237
4238
4239
4240
4241
4242
4243
4244
4245
4246
4247
4248
4249
4250
4251
4252
4253
4254

-8-

1 Scope
This part of EN 50126

considers the safety-related generic aspects of the RAMS life-cycle. The guidance in this
part is still applicable in the application of specific standards;

defines methods and tools which are independent of the actual technology of the systems
and subsystems, whilst following EN 50126-4 and EN 50126-5 are related to E/E/PE internal
systems/subsystems;

provides:

the user of the standard with the understanding of the system approach to safety which
is a key concept of EN 50126;

methods to derive the safety requirements and their safety integrity requirements for
the system and to apportion it to the subsystems, be it for hardware or software;

provides guidance and methods for the following areas:

system life-cycles as applicable to generic and specific applications, and to the generic
products;

systems safety assurance;

risk assessment process;

risk management process;

application of risk acceptance principles and criteria;

safety integrity concept.

provides the user with the methods to assure safety with respect to the system under
consideration and its interactions. Examples are guidance on safety integrity by the
apportionment amongst the various parts of a system or a method to derive the safetyrelated role of software as a precondition to apply EN 50126-5;

enables the user to define the system under consideration, to identify the interfaces and the
interactions of this system with its subsystems or other systems and to conduct the risk
analysis;

addresses railway specifics;

does not define:

RAMS targets, quantities, requirements or solutions for specific railway applications;

rules or processes pertaining to the certification of railway products against the


requirements of this standard;

an approval process by the safety authority.

does not specify requirements for ensuring system security.


This part 2 of EN 50126 is applicable

to all systems under consideration - as regards safety - within the entire railway system and
the stakeholders involved;

to the specification and demonstration of safety for all railway applications and at all levels
of such an application, as appropriate, from complete railway systems to major systems and
to individual and combined sub-systems and components within these major systems,
including those containing software; in particular:

to new systems;

to new systems integrated into existing systems in operation prior to the creation of this
standard, although it is not generally applicable to other aspects of the existing system;

for modifications of existing systems in operation prior to the creation of this standard,
although it is not generally applicable to other aspects of the existing system;

at all relevant phases of the life-cycle of an application;

for use by railway duty holders and the railway suppliers.


It is not required to apply this standard to existing systems including those systems already
compliant with any version of former EN 50126, EN 50128 or EN 50129, which remain
unmodified. Railway applications mean Command, Control & Signalling, Rolling Stock and
Electric Power Supply for Railways (Fixed Installations).