CLC/TR 50126-2:2007

Introduction
1 Scope
2 References
3 Definitions and abbreviations
  3.1 Guidance on the interpretation of terms and definitions
      used in EN 50126-1
  3.2 Additional safety terms
  3.3 Abbreviations
4 Guidance on bodies/entities involved and concepts of system
  hierarchy and safety
  4.1 Introduction
  4.2 Bodies/entities involved in a system
  4.3 Concepts of system hierarchy
      4.3.1 Rail transport system environment and system hierarchy
  4.4 Safety concepts
      4.4.1 Hazard perspective
      4.4.2 Risk
      4.4.3 Risk normalising
5 Generic risk model for a typical railway system and check
  list of common functional hazards
  5.1 Introduction
  5.2 Generic risk model
  5.3 Risk assessment process
      5.3.1 Introduction
      5.3.2 Generic process
  5.4 Application of the risk assessment process
      5.4.1 Depth of analysis
      5.4.2 Preliminary hazard analysis
      5.4.3 Qualitative and Quantitative assessment
      5.4.4 Use of historical data
      5.4.5 Sensitivity analysis
      5.4.6 Risk assessment during life cycle phases
  5.5 Check-list of common functional hazards and hazard
      identification
      5.5.1 Introduction
      5.5.2 Hazard grouping structures
      5.5.3 Check-list of 'Hazards'
6 Guidance on application of functional safety, functional
  safety requirements and SI targets, risk apportionment and
  application of SILs
  6.1 Introduction
  6.2 Functional and technical safety
      6.2.1 System characteristics
      6.2.2 Railway system structure and safety requirements
      6.2.3 Safety related functional and technical
            characteristics and overall system safety
  6.3 General considerations for risk apportionment
      6.3.1 Introduction
      6.3.2 Approaches to apportionment of safety targets
      6.3.3 Use of THRs
  6.4 Guidance on the concept of SI and the application of SILs
      6.4.1 Safety integrity
      6.4.2 Using SI concept in the specification of safety
            requirements
      6.4.3 Link between THR and SIL
      6.4.4 Controlling random failures and systematic faults
            to achieve SI
      6.4.5 Use and misuse of SILs
  6.5 Guidance on fail-safe systems
      6.5.1 Fail-safe concept
      6.5.2 Designing fail-safe systems
7 Guidance on methods for combining probabilistic and deterministic
  means for safety demonstration
  7.1 Safety demonstration
      7.1.1 Introduction
      7.1.2 Detailed guidance on safety demonstration approaches
      7.1.3 Safety qualification tests
  7.2 Deterministic methods
  7.3 Probabilistic methods
  7.4 Combining deterministic and probabilistic methods
  7.5 Methods for mechanical and mixed (mechatronic) systems
8 Guidance on the risk acceptance principles
  8.1 Guidance on the application of the risk acceptance principles
      8.1.1 Application of risk acceptance principles
      8.1.2 The ALARP principle
      8.1.3 The GAMAB (GAME) principle
      8.1.4 Minimum Endogenous Mortality (MEM) safety principle
            (EN 50126-1, Clause D.3)
9 Guidance on the essentials for documented evidence or proof
  of safety (Safety case)
  9.1 Introduction
  9.2 Safety case purpose
  9.3 Safety case scope
  9.4 Safety case levels
  9.5 Safety case phases
  9.6 Safety case structure
  9.7 Safety assessment
      9.7.1 The scope of the safety assessor
      9.7.2 The independence of a safety assessor
      9.7.3 Competence of the safety assessor
  9.8 Interfacing with existing systems
      9.8.1 Systems developed according to the EN 50126-1 process
      9.8.2 System proven in use
      9.8.3 Unproven systems
  9.9 Criteria for cross acceptance of systems
      9.9.1 The basic premise
      9.9.2 The framework
Annex A (informative) Steps of risk assessment process
      A.1 System definition
      A.2 Hazard identification
          A.2.1 Empirical hazard identification
          A.2.2 Creative hazard identification
          A.2.3 Foreseeable accident identification
          A.2.4 Hazards
      A.3 Hazard log
      A.4 Consequence analysis
      A.5 Hazard control
      A.6 Risk ranking
          A.6.1 Qualitative ranking
          A.6.2 Semi-quantitative ranking approach
Annex B (informative) Railway system level HAZARDs - Check lists
      B.1 General
      B.2 Example of hazard grouping according to affected persons
          B.2.1 'C-hazards' - Neighbours group
          B.2.2 'C-hazards' - Passengers group
          B.2.3 'C-hazards' - Workers group
      B.3 Example of functional based hazard grouping
Annex C (informative) Approaches for classification of risk
        categories
      C.1 Functional breakdown approach (a)
      C.2 Installation (constituent) based breakdown approach (b)
      C.3 Hazard based breakdown approach (c)
      C.4 Hazard causes based breakdown approach (d)
      C.5 Breakdown by types of accidents (e)
Annex D (informative) An illustrative railway system risk model
        developed for railways in UK
      D.1 Building a risk model
      D.2 Illustrative example of a risk model for UK railways
          D.2.1 Modelling technology
          D.2.2 Usage and constraints
          D.2.3 Model forecasts
Annex E (informative) Techniques & methods
      E.1 General
      E.2 Rapid ranking analysis
      E.3 Structured What-if analysis
      E.4 HAZOP
      E.5 State transition diagrams
      E.6 Message Sequence Diagrams
      E.7 Failure Mode Effects and Criticality Analysis - FMECA
      E.8 Event tree analysis
      E.9 Fault tree analysis
      E.10 Risk graph method
      E.11 Other analysis techniques
           E.11.1 Formal methods analysis
           E.11.2 Markov analysis
           E.11.3 Petri networks
           E.11.4 Cause consequence diagrams
      E.12 Guidance on deterministic and probabilistic methods
           E.12.1 Deterministic methods and approach
           E.12.2 Probabilistic methods and approach
      E.13 Selection of tools & methods
Annex F (informative) Diagramatic illustration of availability
        concept
Annex G (informative) Examples of setting risk acceptance
        criteria
      G.1 Example of ALARP application
      G.2 Copenhagen Metro
Annex H (informative) Examples of safety case outlines
      H.1 Rolling stock
      H.2 Signalling
      H.3 Infrastructure
Bibliography

1.1This Technical Report provides guidance on specific issues, listed under 1.3 below, for applying the safety process requirements in EN 50126 1 to a railway system and for dealing with the safety activities during the different system life cycle phases. The guidance is applicable to all systems covered within the scope of EN 50126-1. It assumes that the users of the report are familiar with safety matters but need guidance on the application of EN 50126-1 for safety issues that are not or could not be addressed in the standard in detail. 1.2EN 50126-1 is the top-level basic RAMS standard. This application guide, CLC/TR 50126 2 forms an informative part of EN 50126-1 dealing explicitly with safety aspects as limited by the scope defined in 1.3 below. 1.3Limitation of scope The scope is limited to providing guidance only for the following issues related to EN 50126 1. i)Production of a top-level generic risk model for the railway system down to its major constituents (e.g., signalling, rolling stock, infrastructure, etc.) with definition of the constituents of the model and their interactions. ii)Development of a checklist of common functional hazards within a conventional railway system (including high speed lines, Light Rail Train’s, metro’s, etc.). iii)Guidance on the application of the risk acceptance principles in EN 50126-1. iv)Guidance on the application of functional safety in railway systems and qualitative assessment of tolerable risk with examples. v)Guidance for specifying relevant functional safety requirements and apportionment of safety targets to the requirements for sub-systems (e.g. for rolling stock: door systems, brake systems, etc.). vi)Guidance on the application of safety integrity level concept, through all the life cycle phases of the system. vii)Guidance on methods for combining probabilistic and deterministic means for safety demonstration. viii)Guidance on the essentials (incl. maintenance, operation, etc.) for documented evidence or proof of safety (safety case) with proposals for a common structure for such documentation.