CENELEC - SC9XA WGA15: Maintenance of EN 50129

1 CENELEC - SC9XA WGA15: Maintenance of EN 50129. Attilio Ciancabilla, SiT Workshop - Braunschweig, 16/17 November 2015

2 Agenda:
- WGA15 maintenance of EN 50129
- EU similarities
- AsBo and ISA
- targets and SILs

3 50129 state of the art

4 Maintenance of :2003 (diagram of the groups and documents involved): WGA15 maintaining the :2003 standard; TR Allocation of SIL; TR Cross-Acceptance; TR Safety assurance; the :1999 standards under WG14 and WG21; SC9XA under TC9X; TR guide

5 WGA15 - schedule

6 the current structure of EN 50129:
- Clause 1 Scope
- Clause 2 References
- Clause 3 Definitions
- Clause 4 Overview
- Clause 5 SAFETY CASE
- Annex A SIL (normative)
- Annex B TECHNICAL SAFETY REPORT, B.1 to B.6 (normative)
- Annex C Hw failures (informative)
- Annex D Fault analysis (informative)
- Annex E Techniques & Measures (informative)
- Bibliography

7 the current structure (diagram mapping clause 5.2 and the sub-clauses of Annexes B, D and E onto each other: B.2.1 to B.2.5, B.3.1 to B.3.6, B.4 to B.6, D.2 to D.5, E.1 to E.10)

8 a possible future structure of EN 50129:
- Clause 1 Scope
- Clause 2 References
- Clause 3 Definitions
- Clause 4 Overview
- Clause 5 Safety Management
- Clause 6 SAFETY CASE
- Annex A SIL
- Annex E Techniques & Measures
- Annex B+D Safety Design
- Annex C Hw failures
- Annex F Programmable Components
- Bibliography
(normative and informative parts as marked on the slide)

9 New topics (with the space they take in the draft):
- Handling of SRAC: 1 page
- IT security: 1 page
- Reuse of pre-existing systems: 2 pages
- Safety-related tools: 3 pages
- Programmable components: 14 pages

10 Relationship with 50126

11 WGA15 and WG21 (diagram of the groups and documents involved): the :2003 standard under WGA15; TR Allocation of SIL; TR Cross-Acceptance; TR Safety assurance; the :1999 standards under WG14 and WG21; SC9XA under TC9X; TR guide

12 WGA15 and WG21: DE and IT members together compose 1/3 of all the participants (membership charts of WGA15 and WG21)

13 Relationship with EN (diagram). Applying EN out of the context of EN would be misleading. Elements shown: EN, realisation for E/E/PE systems; Part 1, overall requirements, allocation to safety-related systems; Part 1, installation, operation and maintenance; realisation for software; Part 2; overall requirements for all the life-cycle phases from 1 to ; specific SIG requirements, mainly for phases from 5 to 10.

14 Relationship with EN. Can EN be used as a stand-alone standard?
- NO, if carrying out a complete project: life-cycle phases not defined; risk assessment only partially described; COP/REF.SYS not addressed.
- YES, if developing an electronic GP/GA/SA, BUT basic requirements, role definitions, etc. are still given in and only partially translated in.
That's why EN is a normative reference, meaning indispensable for the application of the document [CLC IR 3].

15 The normative context of 402

16 The normative context of 402 (timeline): Safety Dir. (2004); Interop. Dir. 57; CSM-RA Reg. 352 (2009); Guide for "DV29" Rec.; CSM-RA Reg. 402; "DV29 bis" Rec.; Guide for CSM AsBo; CSM-RA Reg. 1136 (2015)

17 Relationship between and 402

18 CSM-RA risk assessment process (flowchart):
- PRELIMINARY SYSTEM DEFINITION, then: Significant Change? NO: justify and document decision. YES: RISK ASSESSMENT.
- SYSTEM DEFINITION (scope, functions, interfaces, etc.); the system definition is reviewed in function of the identified safety requirements.
- HAZARD IDENTIFICATION AND CLASSIFICATION: hazard identification (what can happen? when? where? how? etc.) and hazard classification (how critical?). Broadly acceptable risk? YES: justify and document decision.
- RISK ANALYSIS, with selection of one of the 3 Risk Acceptance Principles: CODES OF PRACTICE (application of codes of practice); SIMILAR REFERENCE SYSTEM(S) (similarity analysis with reference system(s)); EXPLICIT RISK ESTIMATION (identification of scenarios and associated safety measures, then either qualitative safety criteria or a quantitative estimate: estimate frequency, estimate severity, estimate risk).
- RISK EVALUATION: for each principle, comparison with criteria. Acceptable Risk? YES: Safety Requirements (i.e. the Safety Measures to be implemented).
- HAZARD MANAGEMENT throughout, and INDEPENDENT ASSESSMENT by the Assessment Body (AsBo).
- Demonstration of Compliance with the Safety Requirements.

19 CSM-RA vs risk assessment: the life-cycle phases (1 Concept; 2 System Definition and Operational Context; 3 Risk Analysis and Evaluation; 4 Specification of System Requirements; 5 Architecture & Apportionment of System Requirements; Design and Implementation; Manufacture; Integration; System Validation; 10 System Acceptance; Operation, Maintenance and Performance Monitoring; 12 Decommissioning) set against the correlated process steps of the European legal framework: Risk Assessment (RA), Implementation and Demonstration of Compliance with Requirements (DoC), and Operation and Decommissioning (O&D). Annotations on the slide: consideration of subsequent RAMS requirements in product development; feedback of subsequent hazard identification into risk analysis; (*) may contain many subsystems and components. Key: RA = risk assessment; DoC = demonstration of compliance with the safety requirements; O&D = operation and decommissioning.

20 Differences between and 402:
- Different users: CLC and EU/OTIF communities are not the same
- Different level of mandatoriness: CLC is a voluntary standard
- Different systems under consideration: urban rail, metro not in the scope of Reg.402
- Different conditions: Reg.402 is mainly for significant changes
- Different life-cycle phases: Reg.402 focuses only on the risk assessment process

21 50126/50129 in support of Reg.402. Is the proposal actively or probably in support of European regulation / legislation or established public policy? Yes, in relation to EC Regulation 402/ : ensure that the revised standard and the ERA Regulation (EU) No 402/2013 fit together. As a result of this action, the working group shall deliver a position paper giving their interpretation on the application and the relationship between the ERA Regulation (EU) No 402/2013 and the . Additionally a CLC Technical Report, separate from the standard, should clarify the way the CSM RA and the suite of standards work together and provide evidence for their compatibility. This issue should be addressed by ERA and CLC in close collaboration outside of this working group. In support and in preparation of this action, the working group shall deliver a position paper giving their interpretation on the application and the relationship between CSM-RA and

22 AsBo and ISA

23 AsBo. ASSESSMENT BODY (CSM-RA): the independent and competent external or internal individual, organisation or entity which undertakes investigation to provide a judgement, based on evidence, of the suitability of a system to fulfil its safety requirements.

24 AsBo. Art. : Duplication of work between the following assessments shall be avoided: a) SMS conformity (Dir.49); b) Interoperability conformity (Dir.57); c) RA conformity (Reg.402).

25 AsBo and ISA. Relationship between CSM AsBo and CLC ISA, a fundamental difference: the CENELEC standards do not impose the assessor to be accredited or recognised. Consequently CSM AsBo will at least include all the activities of a CLC ISA.

26 accredited/recognised ISA: the requirement on the assessor compared across EN :2003, WGA15 (?), :1999, pr50126 (WG14) and WG21 ranges over "shall be approved by the Saf.Aut.", "shall have acceptance/licence from a recognised Saf.Aut." (twice) and "should have acceptance/licence from a recognised Saf.Aut.".

27 AsBo types. Annex II: Criteria for accreditation or recognition of AsBo (CSM-RA Reg.): the Assessment Body shall fulfil ISO/IEC 17020 (INSPECTION BODY). Independence from the design organisation and limitations:
- Type A: not part of the same legal entity; 3rd party inspection.
- Type B: separate and identifiable part; 2nd/1st party inspection, services only to its parent organization.
- Type C: identifiable but not necessarily a separate part, not the same person; 2nd/1st party inspection, services to its parent organization or also to other parties.

28 AsBo types. Who can be the AsBo? Permitting also the use of the type C of independence is crucial for the sector: [...] (when the number of technical experts is limited) technical competence may be preferred to full independence.

29 ISA independence (diagram of role independence between PM, ASSR, DI, VER and VAL; for SIL 3 and 4, VER and VAL are shown either combined or as separate roles)

30 ISA independence:
- current (:2003) edition: same organisation only if authorised by the Saf.Aut. and reporting to the Saf.Aut.
- WGA15: same organisation at the discretion of the Saf.Aut.?
- ( :2011 also shown)

31 Quantitative targets and SILs

32 Harmonised quantitative design targets (frequency of failures per operating hour):
- Catastrophic (fatalities, multiple severe injuries, major damage to the environment): CSM-RA Reg. 352 (2009) and Reg. 402 (2013)
- Critical (very small number of people, at least one fatality) / Catastrophic (large number of people, multiple fatalities): CSM-RA Reg. 1136
- basic integrity, SIL1, SIL2, SIL3, SIL4, SIL4 + other measures: EN 50129

33 Playing with SILs (misusing target definitions and SIL allocation):
- Door control hazard "one or more doors wrongfully open": THR = 10^-9, SIL4
- Single door hazard: THR = 10^-5, NO SIL (basic integrity); TFFR =
- Critical accident (Reg.1136): TFFR = 10^-7

34 Design Targets, S/Q Processes. The risk is acceptable: (a) compliance with design targets; (b) the associated systematic failures are controlled in accordance with safety and quality processes, commensurate with the design target and defined in commonly acknowledged relevant standards.

35 Targets, Processes and Fail-Safety:
- Design targets: dangerous (random) failure rate
- Safety and quality processes: reduction of systematic failures
- Design for safety: fail-safe principles and fault management criteria
Properties shown: Integrity, Accuracy, Consistency, Fail-Safety.

36 Targets, Processes and Fail-Safety (apportionment). Same three columns as slide 35: design targets (dangerous random failure rate), safety and quality processes (reduction of systematic failures), design for safety (fail-safe principles and fault management criteria). Apportionment statements: cannot be apportioned!; can be apportioned (physical independence); may be apportioned (process independence).

37 Conclusion

38 50129 is a prime number. Let it be a prime standard too.

39 Thank you for your attention SiT Workshop Braunschweig, November 2015