Assurance Gap: The Feasibility of Cross Acceptance. James B. Balliet. Battelle Memorial Institute. Rail Safety and Security AREMA 2011


Bridging the European and U.S. Rail Safety Assurance Gap: The Feasibility of Cross Acceptance
James B. Balliet, Battelle Memorial Institute
Rail Safety and Security, AREMA 2011

Abstract

The issuance of the 49 CFR Part 236 Subpart H and Subpart I rail safety regulations has raised the bar with regard to the level of safety assurance evidence required of rail authorities and their suppliers. Together with recent revisions to the AREMA C&S Manual Parts (e.g. Section 17.3), a more structured framework for system safety assurance has been provided for software based vital systems. These performance based safety regulations and recommended practices generally provide an outline of what the structure of a railroad's safety case must be in order to demonstrate an acceptable level of safety assurance. Running somewhat concurrently with the U.S. efforts, a similar evolution in best practices was led by the national railways in Central Europe and resulted in a comprehensive set of standards collectively referred to as the CENELEC Standards. Somewhat different in approach, the CENELEC standards can be summarized as prescriptive safety design standards covering a full RAMS perspective and describing how to proceed in achieving an acceptable level of safety assurance. With the globalization of the rail signaling industry, Central European companies are participating widely in the U.S. rail market, either as new entrants or as new owners of formerly U.S. based signaling suppliers. A natural outcome is the need for supplier products developed per CENELEC to have their safety cases restructured for acceptance under U.S. regulations, which, due to the difference in approach, may not be a straightforward process. Word Count = 5,943

The intent of this paper is to identify those areas of standards and regulations that are aligned, the gaps observed, and to address the overall feasibility of a potential cross acceptance activity that could provide an efficient and acceptable level of safety assurance to meet U.S. regulations.

INTRODUCTION

In the past 15 years there has been a stepped increase in the deployment of signaling systems worldwide as microprocessor based products have been developed by rail suppliers. This has provided rail agencies many benefits over previous generations of equipment but introduced a new paradigm with respect to how safety assurance of the new systems is to be considered. Signaling suppliers in the U.S. and Europe have separately developed advanced technologies to address national railway needs and, in doing so, have driven the need for both new technical and regulatory standards to cover the newer technologies. In the U.S., a host of changes have been made to federal regulations, new standards have been adopted and new considerations have been introduced with regard to best practices where processor based equipment will be used. This involved, in some cases, distinctly separate actions taken by the Federal Railroad Administration (FRA), the Institute of Electrical and Electronics Engineers (IEEE), and the American Railway Engineering and Maintenance of Way Association (AREMA) in capturing the advent of software used in safety critical systems. In Europe, the European Committee for Electrotechnical Standardization, commonly referred to as CENELEC, established a new set of Railway Standards in the 1990s and early 2000s. These standards addressed the emergence of software based signaling in the areas of design considerations with regard to Reliability, Availability, Maintainability and Safety (RAMS), as well as prescriptive processes with which suppliers of railway equipment (rolling stock, communications, signaling, etc.) were intended to comply for certification by European rail authorities. One key aspect of the standards was the life cycle orientation, incorporating the idea of useful equipment life and eventual decommissioning. While these standards were considered voluntary, compliance with them has become a primary qualifier in gaining system safety certification of equipment proposed for use on European railways. Due to the comprehensive coverage of the CENELEC railway standards, they have been widely embraced by rail agencies internationally as acceptable prerequisites required of rail suppliers toward rail system safety certification. Even though many of the countries of Europe have their own national railways, many commonalities of rail infrastructure, operating modes, and best practices, formerly covered by disparate standards, are now consolidated under CENELEC. European rail agencies, in adopting the common CENELEC standards, have the ability to more easily accept and certify for their own use rail equipment deployed in other European countries without requiring an expensive and time consuming certification process. This is the case where European suppliers have developed rail equipment to commonly accepted standards, have been certified for use by one European rail agency and look to have a second agency accept the initial certification. This idea of cross acceptance has greatly facilitated the deployment of new signaling systems for the benefit of both the rail agencies and suppliers. A definition of cross acceptance shown here is a paraphrase of one established by the Swedish Federal Office of Transport: "the process by which approval procedures are simplified, through the mutual recognition of approvals and certificates in several countries. This is implemented through intergovernmental agreements that recognise the approvals issued by other safety authorities."

While this idea of cross acceptance is directly applicable to rail systems deployed across Europe, a next step is to gauge how well these CENELEC certified systems comply with rail agency requirements from other parts of the world. Specifically for use in the U.S., a review is necessary to judge how feasible it may be to attempt product or system certification in the U.S. for those systems not developed to U.S. standards and/or best practices, particularly as it relates to commuter and freight rail authorities looking to use advanced train control systems such as Positive Train Control (PTC) and High Speed Rail (HSR). As the Federal Government of the U.S. is looking to significantly increase the emphasis on high speed rail as a counter to escalating automobile fuel costs and highway congestion, and for an overall increase in transportation safety, it is certainly important to be able to leverage, to the greatest extent possible, the advanced technology available around the world.

A DECADE OF CONVERGENCE

In the past 10 years, U.S. and European rail industry stakeholders have separately encountered many changes: from technology advances driving the design of more advanced systems, to more stringent safety regulations following rail accidents, to business drivers defining a need for a higher degree of interoperability (and interchangeability) between rail authorities' and suppliers' equipment. In several ways, a convergence of these two previously distinct rail market segments can now be observed, both in technical solutions focused on future rail applications and in the evolution of regulations in the U.S., which may be considered a next step toward a more global cross acceptance approach.

Consolidation of Global Signaling Companies

Over the past 20 years, what was once a multitude of rail equipment suppliers has been greatly reduced by company consolidations, both within each rail market (U.S. and Europe) and across continents. Well established U.S. based signaling suppliers such as Union Switch and Signal, General Railway Signal, Safetran, and Westinghouse (some in the rail supply business for over 100 years) have now become part of the European based companies Ansaldo, Alstom, Invensys and Bombardier, respectively. This global consolidation has several implications for how suppliers can now address the U.S. market for advanced HSR and PTC systems. Among these are the expanded portfolio of products and systems and the rail engineering and safety capabilities that the large rail suppliers have at their disposal for application worldwide. In addition, European companies have already established U.S. facilities for the production of rolling stock for use on passenger rail properties (e.g., Heavy Rail Transit, Light Rail Transit and Commuter lines, AMTRAK).

ERTMS for Interoperable High Speed Rail Application

Especially as it pertains to high speed rail, European companies have addressed this technical segment very well, having established an extremely sophisticated high speed rail network and, more recently, defined the European Railway Traffic Management System (ERTMS) specification, assuring a high degree of interoperability across European countries. With this technical solution, involving Automatic Train Protection products designed to the European Train Control System (ETCS) specification and the use of GSM-R radios, comes a more advanced class of railway systems based on processor based technology. Like U.S. based PTC solutions for passenger lines outside of the North East Corridor (between Boston, Mass. and Washington, D.C.), ERTMS has a similar configuration of safety systems with wayside (trackside), trainborne, and central office components. The primary technical driver for implementing an advanced system rests with an established communications network. As a byproduct of rail supplier consolidation, European suppliers now have access to the U.S. market through their U.S. based organizations and can offer a variety of technical solutions.

Establishing New U.S. Regulations for Processor Based Systems

At the same time that Europe was evolving its technology and consolidating suppliers at the turn of the century, the U.S. embarked on new regulations for processor based systems. This stemmed from two catalysts: accidents in the U.S. on rail lines that lacked the ability to positively enforce the stopping of trains when confronted with safety critical failures or human error, and the need to address the new software based technology now being embraced by the global rail industry. It was readily seen that the advanced technologies available from suppliers could offer potential solutions for the freight and commuter rail lines to improve the overall safety of the rail network. In anticipation, the Federal Railroad Administration (FRA) issued new performance based safety regulations in 2005 and again in 2010 pertaining to advanced train control systems, to address the need for rail systems with the higher degree of safety that processor based technology can provide. An excerpt taken from each FRA regulation is included here:

49 CFR Part 236 Subpart H - Standards for Development and Use of Processor Based Signal and Train Control Systems (1): "FRA is issuing a performance standard for the development and use of processor-based signal and train control systems. The rule also covers systems which interact with highway-rail grade crossing warning systems. The rule establishes requirements for notifying FRA prior to installation and for training and recordkeeping. FRA is issuing these standards to promote the safe operation of trains on railroads using processor-based signal and train control equipment."

49 CFR Part 236 Subpart I - Positive Train Control Systems (2): "FRA is issuing regulations implementing a requirement of the Rail Safety Improvement Act of 2008 that defines criteria for certain passenger and freight rail lines requiring the implementation of Positive Train Control (PTC) systems. This final rule includes required functionalities of PTC system technology and the means by which PTC systems will be certified. This final rule also describes the contents of the PTC implementation plans required by the statute and contains the process for submission of those plans for review and approval by FRA. These regulations could also be voluntarily complied with by entities not mandated to install PTC systems."

The regulations' emphasis was on establishing a performance standard for safety systems without being unduly prescriptive in defining how to comply with the requirements. Rail suppliers are free to employ their existing processes, procedures, methods of analysis and documentation in order to demonstrate that safety requirements are met. Lastly, with the exception of having to illustrate the level of safety the processor based system provides, the regulations were written in the context of the safety system's application in the rail environment, not focusing on the methods by which the safety critical design must be instituted. This is one distinct difference between the European and U.S. paths to safety certification that will be highlighted later. While the means to meet the requirements was left open to the rail authorities and supply industry, the specific requirements were unique to rail operations in the U.S. and loosely aligned with previously established best practices. The AREMA Communications and Signals Manual of Recommended Practices (3), with more recent updates in the areas of processor based safety and Positive Train Control, is an established reference known and universally used within the U.S. rail industry and currently cited as an acceptable reference on safety practices in the latest FRA regulations. Other references include IEEE standards and U.S. MIL STDs in the areas of verification and hazard management. As a result, the latest regulations, while open, are somewhat unintentionally biased toward the U.S. rail supply industry. To rail equipment suppliers and rail authorities with pre-existing signaling equipment that already incorporated safety critical software, the new regulations had only marginal impact. For developers of new products to address the needs of PTC and High Speed Rail, the latest regulations represented a considerable hurdle to overcome.

THE RAIL SUPPLIER'S DILEMMA

As mentioned above, the consolidation of the rail equipment supply industry has resulted in foreign ownership of formerly U.S. signaling companies, which have in their product portfolio established products and systems developed to meet the requirements of the U.S. rail market. In addition, the European owners also have within their own portfolio a similar set of products and systems that perform to European standards but in many cases are intended to provide the same signaling functionality as those of their newly purchased U.S. companies. The primary issue is how to effectively rationalize the expanded product portfolio while remaining in a position to address the global marketplace. With the U.S. moving to more advanced systems and high speed rail, the question for suppliers is which products can be used to meet the newly established regulations and provide the advanced features necessary for PTC and HSR. Do they build onto an established product platform that originated in the U.S.? Do they develop new products, with the associated high development and certification costs? Do they attempt to take European product lines, whose technologies are better aligned with the technology required for PTC and HSR, and adapt them to U.S. requirements? In the end, financial considerations drive the roadmap, but the systems used on high speed lines in Europe and now elsewhere in the world are proven concepts and safety certified. In many cases, this final alternative is considered to provide the most beneficial combination of cost, quality and delivery of advanced systems to the U.S. Clearly, then, the next step is to understand the gaps in the existing safety case of systems currently certified by non U.S. agencies as they relate to meeting the requirements of 236 Subparts H and I.

Can the Cross Acceptance Idea Be Applied Pragmatically?

So, a decision is taken by rail equipment suppliers to investigate the possibility of utilizing European rail solutions in the U.S. This would be facilitated by having to undergo only a limited certification process under the recent regulations. This then leads to a requirement for a more technical assessment of the gaps to be considered, from both a system applicability and a safety case perspective. The main exercise is to determine whether the required functionality for U.S. PTC or HSR application exists in a manner that won't require massive changes to the design and therefore to the safety evidence. Does the design need to be adapted, or can it be requalified to meet AREMA guidelines, and is the concept of operations sufficiently aligned with that of the targeted rail use? It is generally considered that it must be demonstrated to rail authorities (Class One Railroads, Commuter Railroads, etc.) that foreign designed products meet AREMA guidelines as a first qualifier for use in the U.S. Without that, rail agencies are not compelled to participate in certification efforts as sponsors for the products or systems. The next effort is to determine whether the safety principles of design and the safety assurance methodology are similar enough to be transferable to the U.S. in meeting FRA requirements, and what weight foreign certifications may carry in minimizing the U.S. certification effort. The primary gap analysis effort, then, is to understand the difference between what has been performed under CENELEC standards based developments and what is required under the new regulations. The goal of the effort may be achievable, allowing a more pragmatic certification process to be executed.

A REVIEW OF RAIL MARKET REGULATIONS, STANDARDS AND BEST PRACTICES

A summary view of the key standards and recommended practices is identified here as a basis for comparing and contrasting rail safety processes and procedures between the U.S. and Europe. In the U.S., FRA regulations for processor based and PTC systems provide the key requirements to be met in order to achieve product or system certification. Figure 1 illustrates the general structure of each of the processor based certification paths.

FIGURE 1 FRA Certification Path

It should be noted that none of the requirements identified under 236 Subpart H or Subpart I define specific design methods, or prescribe authority or supplier processes that need to be demonstrated in order to achieve safety certification of an advanced safety critical control system. Primarily, FRA 236 Subparts H and I identify requirements from the perspective of a system being applied in the rail environment: its suitability to perform the operational aspects of the rail function, its adherence to other regulatory requirements for the rail environment under 236 Subparts A-G, evidence of a sufficient amount of verification and validation, a qualified and quantified level of safety the system provides, the degree to which safety critical hazards have been mitigated, and the human factors and critical considerations associated with the maintenance of a safety system over the system's life cycle. How the individual rail authority or signaling supplier formulates and structures the evidence illustrating compliance with the regulations is left somewhat open.

U.S. Standards and Best Practices Summary

Regarding certification activities with the FRA, AREMA is one of three U.S. based references identified under 49 CFR Part 236 Subpart H and Appendix C of 49 CFR Part 236 Subpart I as acceptable for use in justifying safety arguments under 236 Subparts H and I. Along with AREMA, IEEE standards 1483 (4) and IEEE 1474 (5) and MIL STD 882C (6) are also identified.

TABLE 1 U.S. Safety References (236 Subpart H and Subpart I Appendix C). The transcription preserves the table's entries but not its column layout; the references and titles it lists are:
- AREMA 2011 C&S Manual, Manual Part (number not recoverable): Recommended Safety Assurance Program for Electronic/Software Based Equipment
- AREMA Manual Part (number not recoverable): Recommended Practice for Hardware Analysis for Vital Electronic/Software Based Equipment
- AREMA Manual Part (number not recoverable): Recommended Procedure for Hazard Identification and Management of Vital Electronic/Software Based Equipment
- IEEE (number not recoverable): Verification of Vital Functions in Rail Transit
- IEEE (number not recoverable): Safety Assurance Concepts
- MIL STD 882C
- "Safety of High Speed Ground Transportation Systems", Luedeke 1995
The safety categories named in the table are: Processor Based Verification and Validation; Performance and Functional Requirements; Risk Assessment Processes; Safety Validation.

AREMA, formed in 1997 as a merging of recommended practices from several rail associations, including functions of the Communication and Signals Division of the Association of American Railroads (AAR), has served as the de facto set of standards for railroads and equipment suppliers for 15 years. While focused primarily on the U.S. freight and commuter rail industry, references in project specifications for rail mass transit signaling equipment requiring compliance with AREMA guidelines have become commonplace. The relationship between the FRA regulations, AREMA recommended practices, IEEE and MIL STD 882C represents a capture of the best applicable guidance that can be utilized by rail agencies, private railroads and rail equipment suppliers under a safety assurance umbrella. However, it does not provide a top down, comprehensive framework of standards for rail safety that can easily be adopted in an international context, as is the case with the rail safety standards identified under CENELEC. In some cases, FRA regulations cite a possible need for third party review of the safety evidence produced and compiled by a railroad prior to filing for system certification. The use of Independent Safety Assessors (ISA) is a voluntary choice that can be made by a railroad if it feels compelled to review a new system from an independent perspective. The FRA also may recommend that a railroad provide an ISA in cases where the FRA feels it may be warranted. At no time, however, is an ISA a required role in the U.S., whereas in Europe an ISA is considered a part of the certification process and works with equipment suppliers and rail authorities to ensure safety requirements are appropriate and have been met. In summary, then, at a high level of consideration, the lack of a comprehensive U.S. standard and the differing roles of the participants in the development, operation and certification of rail systems would seemingly make the cross acceptance of European systems in the U.S. difficult.

European Standards Overview

European Standards have evolved from European Norms to fully international standards for Railway Systems. Assembled as a top down and comprehensive set of standards covering all facets of Railway and Safety under CENELEC, the safety standards holistically cover the Organizational, Technical (Software and System), Quality, Reliability, Maintainability and Safety (RAMS) aspects of the safety process to be applied toward certification activities in Europe. The overall intent is to assist rail operators and suppliers of railway equipment with a framework under which to provide the following for railway system certification. The standards describe what information regarding a system safety case is required and how it is to be structured in the illustration of:

1. evidence of quality management, in which the system provider outlines all aspects of the quality organization and processes used;
2. evidence of safety management, which outlines the organization, safety assurance processes, safety integrity attributes, hazard management, etc.;
3. evidence of functional and technical safety, which describes the system or product to be certified and indicates full life cycle considerations including all safety acceptance and approval.

Figure 2 illustrates the hierarchical coverage of the CENELEC standards.

FIGURE 2 CENELEC Safety Hierarchy

Within the CENELEC framework, linkages between key safety discipline standards can be seen (Figure 3). IEC (7), volumes 1-8, identifies safety requirements, definitions and general guidance for Electrical / Electronic / Programmable Safety related systems. Particular to the rail industry, hazard and risk assessment, safety integrity level descriptions, etc. are covered at a high level. Below these international standards, more railway specific standards, which can be considered interpretations of the IEC standard, are identified, including the three key standards related to railway systems:

FIGURE 3 CENELEC Applicable Standards

The primary rail safety standards are identified below in Table 2.

Standard Reference | Title
EN50126 | Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
EN50128 | Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems
EN50129 | Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling
TABLE 2 Primary Rail Safety CENELEC Standards

As indicated previously, the CENELEC Standards facilitate the building of a structured System Safety Case, as illustrated in Figure 4. The EN50129 (8) Standard specifically outlines the nature of the reports, with conclusive evidence of how the system being prepared for a certification request is to be presented, concluding with summary conclusions on the degree to which the system under consideration meets all safety requirements. Generally, all summary evidence is accumulated within the safety case, with associated attachments, to be presented to the rail agency or governmental body for certification consideration.

FIGURE 4 System Safety Case Organization (e.g., EN 50129). Sections shown: System Safety Case; System Definition; Management of Quality; Management of Safety; Technical Safety; Supporting Documentation; Conclusions.

The Role of the Independent Safety Assessor

Unlike the U.S., Europe has a network of Independent Safety Assessors (ISA) who are employed by government rail institutions and rail agencies to assess whether a third party who has developed a safety critical system has met all the safety requirements established for use of that system. The ISA, in the case of railway standards, has demonstrated proficiency of understanding

COMPARE AND CONTRAST U.S. AND EUROPEAN SAFETY

It is clear that the evolution of U.S. and European rail systems has taken very different paths. U.S. rail traffic under FRA governance is primarily freight focused. Many lines are designated mixed traffic lines, with commuter trains sharing the right of way with freight trains. In Europe, rail lines are primarily focused on passenger traffic running at higher average speeds than their U.S. counterparts and having a different operational focus, with minimal freight traffic. As previously mentioned, however, there are many similarities in the types of rolling stock and signaling equipment used within each market even though they are designed to different detailed requirements. When looking at the differences between the safety assurance processes, standards and best practices, again, similarities exist, but the context of a standard may focus on a different aspect of safety. In general, a few observations can be made:

1. CENELEC standards emphasize Quality and Safety Management in a more prescriptive manner and comprehensively cover the full life cycle of a safety system from initial design to decommissioning.
2. CENELEC and U.S. standards both identify the need to establish safety targets for systems. However, CENELEC introduces the formal definition of Safety Integrity Levels (SIL 0-4) as they could be addressed in differing safety applications within a rail system.
3. U.S. standards and regulations (e.g., 236 Subpart I, Appendix C) identify the primary types of safety assurance concepts that can be applied in the development of a rail system. They are:
   a. Design diversity and self checking
   b. Checked redundancy
   c. N-version programming
   d. Numerical assurance
   e. Intrinsic fail safe design
   A few of these classifications of safety concepts are considered somewhat unique to the U.S., while the whole list covers safety concepts utilized in other parts of the world, including Europe.

   This classification of concepts allows any of a variety of safety systems to be provided in the U.S., assuming all requirements of the FRA regulations are met.
4. Hazard classifications and hazard analysis types such as Preliminary Hazard Analysis, Fault Tree Analysis and Failure Modes and Effects Analysis are common to both rail markets. Quantified levels of risk, while the same in intent, do present different target levels depending on the level of safety of the system being assessed. An example is shown in Table 3 concerning the tolerable risk associated with Safety Integrity Levels from EN 50129.

TABLE 3 Tolerable Hazard Rate per Safety Integrity Level (EN 50129). Columns: Tolerable Hazard Rate (THR) per hour and per function; Safety Integrity Level. Of the table's values, only the lowest THR bound, 10^-9, survives the transcription; the remaining THR bands and their SIL assignments are not recoverable.

MIL STD 882C is referenced by both markets, and the definitions used regarding hazard frequency, severity and risk categories are common.

Applicable Safety References Acknowledged by the FRA

Many applicable references are cited within the FRA regulations that can be used during the formation of Product and System Safety Plans by U.S. railroads and suppliers. Most are related to acceptable processes that could be used for demonstrating verification and validation of a proposed system for certification. Figure 5 illustrates the references acknowledged in the regulations regarding acceptable standards to use for verification and validation activities.

FIGURE 5 Applicable V&V References
Note: IEC and are international standards based on EN50126 and EN50128 respectively (the two IEC standard numbers did not survive the transcription).

It is considered here that, despite some contextual differences, the majority of the key aspects of safety assurance processes and procedures identified in regulations, standards and best practices in both the U.S. and Europe are sufficiently in common. Therefore, an attempt to gain certification for a European developed product in the U.S., given that the primary functional specifications are aligned with AREMA, is feasible. A mapping of a European Safety Case to FRA requirements would identify those areas which require significant supplemental documentary evidence and those that may be directly applicable without major amendments.

CROSS REFERENCE MAPPING OF FRA 236 SUBPART H WITH A CENELEC SAFETY CASE

A test case was performed to determine the viability of having a comprehensive System Level Safety Case developed under EN used as acceptable safety evidence in support of a system certification under FRA 236 Subpart H. Taking a product available on the market whose safety documentation was oriented in the form of a CENELEC Safety Report, as indicated in Figure 4, a mapping was performed to the individual requirements defined under 236 Subpart H. Tables 4a and 4b provide a detailed look at the mapping performed. The tables are rebuilt from the flattened transcription; where a section or paragraph number did not survive, the cell reads "(no. not recoverable)".

FRA 236H Reference | PSP Section | PSP Requirement Title | EN50129 Reference | Safety Case Section Description | Supporting Product Document Reference
(a)(1) | 4.1 | High Level Architecture/System Description | Section 2 | Definition of the Product | System Overview
(a)(2) | 4.2 | General Railroad Operations | N/A | Not Applied | N/A
(a)(3) | 4.3 | Concept of Operations (ConOps) | Section 5.2 | Assurance of Correct Functional Operation | System Overview As Generally Applied to RR
(a)(4) | 4.4 | Safety Requirements | Section (no. not recoverable) | Safety Management Report | Project Development Plan, System Requirements, Fault Tree Analysis
(a)(5) | 4.5 | Safety Architecture | Section 4 | Safety Management Report | System Overview and System Documents
(a)(6) | 4.6 | Hazard Log | Section (no. not recoverable) | Safety Management Report | Fault Tree Analysis and System Safety Analysis
(a)(7) | 4.7 | Risk Analysis | Section 5 | Technical Safety Report | Fault Tree Analysis and System Safety Analysis
(a)(8) | 4.8 | Hazard Mitigation Analysis | Section 4 | Safety Management Report | Fault Tree Analysis and System Safety Analysis
(a)(9) | 4.9 | Verification Testing Plans, Procedures and Results | Section 4.9 | Safety Verification and Validation | Product Development V&V Documentation
(a)(10) | 4.10 | Safety Assurance Concepts (SAC) | Section 2 | Definition of the Safety Philosophy | Safety Concept Definition
TABLE 4a FRA 236 Subpart H Mapping to CENELEC Safety Case

FRA 236H Reference | PSP Section | PSP Requirement Title | EN50129 Reference | Safety Case Section Description | Supporting Document Reference
(a)(11) | (no. not recoverable) | Human Factor Analysis | Section 5 | Technical Safety Report | System Overview and Product O&M Documents Series
(a)(12) | 4.12 | Safety Training Plan | Section 3.14, 4.12 | Operation and Maintenance | Training Plan for RR
(a)(13) | 4.13 | Safety Procedures | Section 3.14, 4.12 | Operation and Maintenance | Product Commercial Documents Series
(a)(14) | 4.14 | FRA Part 236 A-G Compliance | Section (no. not recoverable) | Identification of Safety Requirements | Need to Perform Details Check
(a)(15) | 4.15 | System Security | Section (no. not recoverable) | Identification of Safety Requirements | Product Commercial Documents Series
(a)(16) | (no. not recoverable) | Warnings and Warning Labels | Section (no. not recoverable) | Identification of Safety Requirements | Product Commercial Documents Series
(a)(17) | 4.17 | Safety Validation Plan | Section 4 | Safety Management Report | FMEAs and Product Development Documentation
(a)(18) | (no. not recoverable) | Post Installation Safety Requirements and Procedures | Section 3.12 | Installation and Commissioning | Product Commercial Documents Series regarding Test and Maintenance
(a)(19) | 4.19 | Safety Critical Assumptions and Fallback Operations | Section 5 | Technical Safety Report | Redundancy and Hot Standby Configuration Descriptions
(a)(20) | 4.20 | Pre-Defined and Incremental Changes | Section 3.14, 4.12 | Operation and Maintenance | Product Development Plan
TABLE 4b FRA 236 Subpart H Mapping to CENELEC Safety Case

Mapping Summary

The mapping example proved relatively successful. Information identified within the FRA regulation was able to reference sections within the safety case report for a vital system. Key requirements likely needing more substantial documentation were:

- The Operational Concept of the rail agency and the role played by the system: it is normally the rail agency's responsibility to provide this information as part of a Railroad Safety or Product Safety Plan, and
- A confirmation of the system's compliance with 236 Subparts A through G: this is unique to the U.S. and covers a considerable range of requirements.

Human Factors

FRA specifically calls out a Human Factors Analysis as a separate requirement under 236 Subparts H and I. Specific paragraphs within an EN structured safety case are not likely to possess safety considerations solely from a Human Factors perspective. It is possible that the justification can be made by illustrating that human factor related hazards and failures have been accounted for within the risk assessment for the system.

CROSS ACCEPTANCE FEASIBILITY CONCLUSION

It is clear that cross acceptance of safety systems, which may be permitted within Europe given development and certification to the same standards under CENELEC, is not feasible with respect to gaining similarly expedited certification in the U.S. Far too many differences in railway specifications, operating rules, etc., prevent such an occurrence. However, based on performing a gap analysis between an existing European authored safety case and FRA regulations, and taking into account U.S. referenced standards and recommended practices, it is possible to leverage a great deal of safety case documentation. This may facilitate a more straightforward certification process under FRA regulations 236 Subpart H or I, and provide an efficient and cost effective solution to deploying advanced technology available from Europe, especially as it relates to the advanced control systems that currently provide high speed rail service across Europe. The FRA acknowledges that this may be possible within Subpart I, stating, "Foreign regulatory entity verification. Information that has been certified under the auspices of a foreign regulatory entity recognized by the Associate Administrator may, at the Associate Administrator's sole discretion, be accepted as independently Verified and Validated and used to support each railroad's development of the PTCSP." While this doesn't represent all requirements under Subpart I, it does cover many significant sections related to proof of safety and reinforces that a shortened certification cycle may be possible.

ACKNOWLEDGEMENTS

To the best of the author's knowledge, no European product or system intended to be deployed in the U.S. following issuance of the regulations 236 Subpart H in 2005 or Subpart I in 2010 has been certified for use under these regulations. It is understood, however, that at the time of this paper several European products and systems, currently being sponsored by U.S. rail agencies under system projects, are in the process of providing the necessary filing documentation to achieve certification under 236 Subparts H and I. The author is peripherally involved in formulating the safety case documentation to support the certification process for one system being provided on one of these projects. The author wishes to acknowledge the following for their assistance in the writing of this paper:

- Jon Luedeke, Ryan McKinley and Tim Heywood of the Battelle Rail Safety and Security Group, for providing background information and detailed review of the presentation form of this paper
- Laurent Boileau of Alstom Signaling Inc., for providing a comprehensive view of the structure and application of CENELEC standards in the railway signaling industry

REFERENCES

(1) Federal Railroad Administration, 49 CFR Parts 209, 234, and 236, Standards for Development and Use of Processor Based Signal and Train Control Systems: Final Rule, March 2005
(2) Federal Railroad Administration, 49 CFR Parts 229, 234, and 235, et al., Positive Train Control Systems, Final Rule, January 2010
(3) AREMA, Communications and Signals Manual of Recommended Practices, 2011
(4) IEEE, IEEE Standard for Verification of Vital Functions in Processor-Based Systems Used in Rail Transit Control, March 2000
(5) IEEE, IEEE Standard for Communications-Based Train Control (CBTC) Performance and Functional Requirements, 2004
(6) MIL STD 882C, Department of Defense Standard Practice for Safety Systems, January 1993
(7) IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems, 2005
(8) prEN 50129, Railway applications - Communications, signalling and processing systems - Safety related electronic systems for signalling, Final Draft, May 2002

List of Tables

TABLE 1 U.S. Safety References
TABLE 2 Primary Rail Safety CENELEC Standards
TABLE 3 Tolerable Hazard Rate per Safety Integrity Level
TABLE 4a FRA 236 Subpart H Mapping to CENELEC Safety Case
TABLE 4b FRA 236 Subpart H Mapping to CENELEC Safety Case

List of Figures

FIGURE 1 FRA Certification Path
FIGURE 2 CENELEC Safety Hierarchy
FIGURE 3 CENELEC Applicable Standards
FIGURE 4 System Safety Case Organization (e.g., EN 50129)
FIGURE 5 Applicable V & V References

James B. Balliet
Sr. Rail Safety Consultant
Rail Safety and Security
2011 ANNUAL CONFERENCE September 18-21, 2011 Minneapolis, MN

- To Identify Current Rail Supplier Evolution With Regard To European Influence
- To Characterize U.S. And European Safety Methods Under Which Current Available Products Are Developed
- To Establish the Level of Effort Required for European Developed Products To Gain U.S. Acceptance
- Is Cross Acceptance of European Developed Products Feasible?

A Paraphrased Definition From Switzerland FOT

"the process by which approval procedures are simplified, through the mutual recognition of approvals and certificates in several countries. This is implemented through intergovernmental agreements that recognise the approvals issued by other safety authorities"

GLOBALIZATION OF RAIL SIGNALING

- SEVERAL U.S. SIGNALING SUPPLIERS ARE NOW SUBSIDIARIES OF EUROPEAN COMPANIES
- EUROPEAN SUPPLIER PRESENCE IN ROLLING STOCK, SIGNALING
- EUROPEANS POSSESS GLOBAL PRODUCT AND SYSTEMS
- FRA ESTABLISHED NEW REGULATIONS [49 CFR PART 236] PERFORMANCE BASED SAFETY (PROCESSORS) AND PTC, SUBPART H AND I

EVOLVING RAILWAY STANDARDS IN U.S. AND EUROPE WITH EMERGENCE OF PROCESSOR BASED SYSTEMS

- AREMA C&S QUALITY, SAFETY
- IEEE VALIDATION AND VERIFICATION
- MIL STD HAZARD MANAGEMENT
- CENELEC ESTABLISHING EN501XX FOR RAILWAY SYSTEMS AND SAFETY

PRAGMATIC MEANS TO ADDRESS NEW REGULATIONS:

- A GLOBAL PORTFOLIO MIX OF SIMILAR PRODUCTS (U.S. AND EURO)
- DESIGNS SIMILAR BUT IS A COMPREHENSIVE SAFETY CASE COST JUSTIFIABLE?
- MINIMUM (?) EFFORT REQUIRED TO GAIN CERTIFICATION?

CONSIDERATIONS

- DOES SYSTEM FIT THE CONTEXT OF APPLICATION? WHAT LIMITATIONS AND CONSTRAINTS?
- ARE SAFETY CONCEPTS TRANSFERABLE?
- ARE SAFETY METHODOLOGIES TRANSFERABLE?
- DOES EXISTING SAFETY CASE ALIGN WITH PART 236 REQUIREMENTS AND N. AMERICAN STANDARDS?
- DO U.S. REGULATIONS LEAVE AN OPENING?

GENERAL VIEWPOINTS:

- PRESCRIPTIVE (EU) VS PERFORMANCE BASED (US)
- DESIGN SAFETY PERSPECTIVE (EU) VS APPLIED (US)
- U.S. FRA TYPE APPROVAL AND CERTIFICATION: RAIL AUTHORITIES (W/SUPPLIERS) PROVIDE SAFETY CASE INPUT TO FRA; FRA CAN REQUIRE AN INDEPENDENT SAFETY ASSESSOR (ISA)
- EUROPE: RAIL AUTHORITY APPROVED AFTER ISA ASSURES ALL CONDITIONS FOR SAFETY APPROVAL HAVE BEEN SATISFIED

EQUIPMENT IS DESIGNED FOR U.S. TO AREMA

- AREMA MANUAL OF RECOMMENDED PRACTICE: A DE FACTO STANDARD APPLICABLE TO RAILROAD (FREIGHT AND PASSENGER) ENVIRONMENT
- SEVERAL BUT NOT ALL TRANSIT AGENCIES CITE AREMA
- RAIL AUTHORITIES -> VERIFY SUPPLIER ADHERENCE
- IEEE 1483 FOR SAFETY VERIFICATION
- IEEE 1012 FOR SOFTWARE V&V
- MIL STD 882 FOR HAZARD MGMT

RAILROAD SAFETY PLAN / FRA CERTIFICATION (figure; labels recovered from the slide)

- Processor Based: 236 Subpart H
- PTC: 236 Subpart I
- 236 Subpart A-G
- Product Safety Plan (PSP): 236 Subparts A-G
- PTC Safety Plan (PTCSP): 236 Subpart H, 236 Subpart A-G
- FRA DEFINED ACCEPTABLE SAFETY REFERENCES

FRA IDENTIFIED V&V NOTED REFERENCES (from 236 Subpart I) (figure; labels recovered from the slide)

Columns: VITAL HW & SW QUALITY; DATA TRANS; COMM BASED SIGNALING

- U.S. REFERENCES: AREMA Sections 16, 17, 21 and 23; IEEE 1483, 1474 Verification and Comms; MIL STD 882; ATCS 200, 250
- CENELEC REFERENCES: IEC, IEC 62278, EN50126, 128, 129

Hierarchical Standards Coverage Similarly Illustrated in prEN50129:2002 (figure; labels recovered from the slide)

Levels: Total Railway System; Signaling System; Subsystems; Subsystems; Components
Coverage areas: SOFTWARE; SYS SAFETY; RAMS; COMMS

EMPHASIS ON DESIGN FOR SAFETY FACILITATES SAFETY CASE CONSTRUCTION (figure; labels recovered from the slide)

FUNCTIONAL SAFETY; HAZARDS; LIFE CYCLE & RAMS; SAFETY SOFTWARE -> SYSTEM SAFETY CASE

DISSIMILARITY OF RAIL OPERATIONS

- US: MIXED TRAFFIC AND VARIOUS TYPES OF SIGNALING (FREIGHT, PASSENGER, CTC, ABS, ATP)
- CRITICAL SAFETY CASE ELEMENTS RELATIVELY COMMON: QUANTIFIED SAFETY LEVEL, HAZARDS & MITIGATIONS, SAFETY ASSURANCE CONCEPT, SAFETY INTEGRITY LEVELS
- EU: WELL DEFINED CENELEC - HIGHER LEVEL OF EMPHASIS ON QUALITY, SAFETY AND TECHNICAL MANAGEMENT

| FRA 236H Reference | PSP Section | PSP Requirement Title | EN50129 Reference | Safety Case Section Description | Supporting Product Document Reference |
|---|---|---|---|---|---|
| (a)(1) | 4.1 | High Level Architecture/System Description | Section 2 | Definition of the Product | System Overview |
| (a)(2) | 4.2 | General Railroad Operations | N/A | Not Applied | N/A |
| (a)(3) | 4.3 | Concept of Operations (ConOps) | Section 5.2 | Assurance of Correct Functional Operation | System Overview As Generally Applied to RR Describing Operations |
| (a)(4) | 4.4 | Safety Requirements | Section | Safety Management Report | Project Development Plan, System Requirements, Fault Tree Analysis |
| (a)(5) | 4.5 | Safety Architecture | Section | Safety Management Report | System Overview and System Documents |
| (a)(6) | 4.6 | Hazard Log | Section | Safety Management Report | Fault Tree Analysis and System Safety Analysis |
| (a)(7) | 4.7 | Risk Analysis | Section 5 | Technical Safety Report | Fault Tree Analysis and System Safety Analysis |
| (a)(8) | 4.8 | Hazard Mitigation Analysis | Section 4 | Safety Management Report | Fault Tree Analysis and System Safety Analysis |
| (a)(9) | 4.9 | Verification Testing Plans, Procedures and Results | Section 4.9 | Safety Verification and Validation | Product Development V&V Documentation |
| (a)(10) | 4.10 | Safety Assurance Concepts (SAC) | Section | Definition of the Safety Philosophy | Safety Concept Definition |

MEETING U.S. RAIL REGULATIONS

| FRA 236H Reference | PSP Section | PSP Requirement Title | EN50129 Reference | Safety Case Section Description | Supporting Document Reference |
|---|---|---|---|---|---|
| (a)(11) | 4.11 | Human Factor Analysis | Section 5 | Technical Safety Report | System Overview and Product O&M Documents Series |
| (a)(12) | 4.12 | Safety Training Plan | Section 3.14, 4.12, | Operation and Maintenance | Training Plan for RR |
| (a)(13) | 4.13 | Safety Procedures | Section 3.14, 4.12, | Operation and Maintenance | Product Commercial Documents Series |
| (a)(14) | 4.14 | FRA Part 236 A-G Compliance | Section | Identification of Safety Requirements | Need to Perform Details Check |
| (a)(15) | 4.15 | System Security | Section | Identification of Safety Requirements | Product Commercial Documents Series |
| (a)(16) | 4.16 | Warnings and Warning Labels | Section | Identification of Safety Requirements | Product Commercial Documents Series |
| (a)(17) | 4.17 | Safety Validation Plan | Section 4 | Safety Management Report | FMEAs and Product Development Documentation |
| (a)(18) | 4.18 | Post Installation Safety Requirements and Procedures | Section 3.12 | Installation and Commissioning | Product Commercial Documents Series regarding Test and Maintenance |
| (a)(19) | 4.19 | Safety Critical Assumptions and Fallback Operations | Section 5 | Technical Safety Report | Redundancy and Hot Standby Configuration Descriptions |
| (a)(20) | 4.20 | Pre-Defined and Incremental Changes | Section 3.14, 4.12, | Operation and Maintenance | Product Development Plan |

FROM 236 SUBPART I OF REGULATION:

"(i) Foreign regulatory entity verification. Information that has been certified under the auspices of a foreign regulatory entity recognized by the Associate Administrator may, at the Associate Administrator's sole discretion, be accepted as independently Verified and Validated and used to support each railroad's development of the PTCSP."

DIRECT CROSS ACCEPTANCE OF EUROPEAN PRODUCTS IS NOT FEASIBLE GIVEN THE EUROPEAN DEFINITION

HOWEVER, GIVEN A COMPREHENSIVE SAFETY CASE DEVELOPED PER CURRENT CENELEC STANDARDS, CERTIFIED AND SUPPLEMENTED WITH:

- ACCEPTABLE V&V EVIDENCE
- A WELL DEFINED CONCEPT OF OPERATION AS IT RELATES TO SIGNALING ENVIRONMENT

- APPROPRIATE HUMAN FACTORS ANALYSIS
- EVIDENCE OF COMPLIANCE WITH 236 SUBPARTS A-G, AREMA
- A DESIGN SAFETY METHODOLOGY ALIGNED WITH 236 SUBPART I
- A QUANTIFIED LEVEL OF SAFETY

A STRAIGHTFORWARD ACCEPTANCE CYCLE IN PSP OR PTCSP FORM, WITH PROPER REFERENCES, IS FEASIBLE

Thank You!

Visit Battelle on-line at
Contact Jim Balliet at
Rail Safety and Security