CENELEC - SC9XA

WGA15:
Maintenance
of EN 50129
Attilio Ciancabilla

SiT Workshop - Braunschweig, 16/17 November 2015

 WGA15 maintenance of EN 50129

EU 402

50129

similarities

50126 AsBo and ISA

targets and SILs

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015
 50129 state of the art

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 Maintenance of 50129
97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16

50129 :2003 WGA15

TR 50451 Allocation of SIL

TR50506-1 CrossAcc.

TR 50506-2 Safety assurance

50128 :2001 50128 :2011

SC9XA
TC9X
50126 :1999 WG14 WG21

TR 50126-2 guide

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 WGA15 - schedule

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 50129 - the current structure
EN50129

Clause1 Clause2 Clause3 Clause4 Clause5

Scope Ref Def Overview SAFETYCASE

5.1 5.2 5.3 5.4 5.5

AnnexA Normative
AnnexB
SIL TECH.SAF.REPORT

B.1 B.2 B.3 B.4 B.5 B.6

AnnexC
Hwfailures

Bibliography AnnexD AnnexE Informative

Faultanalysis Tech.&Measures

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 50129 - the current structure
5.2 E.8

E.1
5.3
B.1
5.3.4
B.2

5.3.6 E.2
B.2.1
B.2.2 E.3
5.3.3
B.2.3
B.2.4
B.2.5 5.3.7 E.7
B.2.6
5.3.9 E.9

5.3.12 E.10
B.3
E.4
D.2 5.4
B.3.1 E.5
D.3 B.3.2
E.6
E.4 B.3.3
D.4 B.3.4
B.3.5
D.5 B.3.6
E.6

B.4
B.5
B.6

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 50129 - a possible future structure
EN50129

Clause1 Clause2 Clause3 Clause4 Clause5 Clause6

Scope Ref Def Overview SafetyMan. SAFETYCASE

Normative

AnnexA AnnexE AnnexB+D AnnexC

SIL Tech.&Measures SafetyDesign Hwfailures

Bibliography AnnexF Informative

Programmable
Components

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 New topics

Handling of SRAC 1 page

IT security 1 page

Reuse of pre-existing systems 2 pages

Safety-related tools 3 pages

Programmable components 14 pages

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 Relationship with 50126

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 WGA15 and WG21
97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16

50129 :2003 WGA15

TR 50451 Allocation of SIL

TR50506-1 CrossAcc.

TR 50506-2 Safety assurance

50128 :2001 50128 :2011

SC9XA
TC9X
50126 :1999 WG14 WG21

TR 50126-2 guide

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 WGA15 and WG21

DEandIT
members
together
compose
1
3
ofallthe
participants
WGA15
50129

WG21
50126
A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015
 Relationship with EN 50126
Applying EN 50129 out of the context of EN 50126
would be misleading
EN 61508
50126
PART 1
Overall requirements, Overall
allocation to safety- 50129
requirements,
related systems
Specific
for all the SIG
Realisation for Realisation for
life-cycle requirements,
E/E/PE systems software
phases mainly for
PART 2 PART 3 phases
from
PART 1 5 to 10
from
Installation,
1 to 12
operation and
maintenance

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 Relationship with EN 50126

Can EN 50129 be used as a stand-alone standard?

NO if carrying out a complete project:
- life-cycle phases not defined
- risk assessment only partially described
- COP/REF.SYS not addressed
YES if developing an electronic GP/GA/SA

BUT basic requirements, role definitions, etc.

are still given in 50126
and only partially translated in 50129

Thats why EN 50126 is a normative reference, meaning

indispensable for the application of the document
[CLC IR 3]

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 The normative context of 402

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 The normative context of 402

2004 2008
Safety Interop.
Dir.49 Dir.57

2009 2013 2015

CSM-RA CSM-RA CSM-RA
Reg.352 Reg.402 Reg.1136

2009 2011 2014

Guide for "DV29" "DV29 bis "
352 Rec. 217 Rec. 897

2014
Guide for
CSM AsBo

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 Relationship
between
50129 and 402

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 CSM-RA
PRELIMINARY SYSTEM NO Justify and
Significant
DEFINITION Change? document desicion

YES
RISK ASSESSMENT
SYSTEM DEFINITION

of the identified Safety Requirements

(Scope, Functions, Interfaces, etc.)

System Definition Review in function

RISK
HAZARD IDENTIFICATION ANALYSIS

HAZARD IDENTIFICATION
(What can happen? When?

AND CLASSIFICATION
Where? How? Etc.

HAZARD CLASSIFICATION
(How critical?)

Broadly YES Justify and

Acceptable document desicion
Risk?
NO

Assessment Body Selection of

Risk Acceptance
Principle

INDEPENDENT ASSESSMENT
(AsBo) 3 Risk Acceptance

HAZARD MANAGEMENT
CODES OF PRACTICE SIMILAR REFERENCE EXPLICIT RISK ESTIMATION
SYSTEM(S)

Principles:
Similarity Analysis Identification of Scenarios &
Application of associated Safety Measures
with Reference
Codes of Practice
System(s)

COP
Qualitative Safety
Criteria?

Quantitative

Estimate
Frequency
Estimate
Severity
Similarity
Estimate
Risk
Explicit risk
RISK EVALUATION estimation
Comparison Comparison Comparison
with Criteria with Criteria with Criteria

NO Acceptable NO Acceptable NO Acceptable

Risk? Risk? Risk?
YES YES YES

Safety Requirements
(i.e. the Safety Measures
to be implemented)

Demonstration of
Compliance with the
Safety Requirements

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 CSM-RA vs 50126
risk assessment
1 Concept

System Definition and

2
Operational Context

Risk Analysis
3
and Evaluation

Assessment
4 Specification of

Risk
System Requirements

Consideration of subsequent RAMS Requirements in product development

Architecture &

Feedback of subsequent hazard identification into risk analysis

5 Apportionment
of System Requirements

6 Design and *)
Implementation

Demonstration of Compliance with

*)

Implementation and
7 Manufacture

Requirements
8 Integration

9 System Validation

10 System Acceptance

Decommisssioning
andand
Operation,

Decommissioning
11
Maintenance and

Operation
Performance

Operation
Monitoring

12 Decommissioning

Key:
RA
DoC
O&D
implementation and
Correlated process steps in
European legal framework *) may contain many subsystems and components

demonstration of compliance
demonstration of compliance with requirements
with the safety requirements
A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015
 Differences betw. 50129 and 402

Different users
CLC and EU/OTIF communities are not the same
Different level of mandatoriness
CLC 50129 is a Voluntary Standard
Different systems under consideration
Urban rail, metro not in the scope of Reg.402
Different conditions
Reg.402 is mainly for significant changes
Different life-cycle phases
Reg.402 focuses only on the Risk Assessment process

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 50126/50129 in support of Reg.402

Is the proposal actively or probably in support of European

regulation / legislation or established public policy?
Yes, in relation to EC Regulation 402/2013
50129 50126

Ensure that the revised standard Additionally a CLC Technical Report

and the ERA Regulation (EU) No
402/2013 fit together.
As a result of this action, the
working group shall deliver a
position paper giving their
interpretation on the application
and the relationship between the
ERA Regulation (EU) No
402/2013 and the 50129.
A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015
separate from the standard should clarify the
way the CSM RA and the suite of standards
work together and provide evidence for
their compatibility.
This issue should be addressed by ERA and
CLC in close collaboration outside of this
working group.
In support and in preparation of this action,
the working group shall deliver a position
paper giving their interpretation on the
application and the relationship between
CSM-RA and 50126.
 AsBo and ISA

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 AsBo

2004 2008
Safety Interop.
Dir.49 Dir.57

ASSESSMENT BODY:
2009 2013 2015
the independent and competent
external or internal
CSM-RA CSM-RA CSM-RA
individual, organisationReg.352
or entity Reg.402 Reg.1136
which undertakes investigation to provide a
judgement, based on evidence, of the suitability of
a system to fulfil its safety requirements.
2009 2011 2014
Guide for "DV29" "DV29 bis "
352 Rec. 217 Rec. 897

2014
Guide for
CSM AsBo

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 AsBo

2004 2008
Safety Interop.
Dir.49 Dir.57

Art.6 2009 2013 2015

Duplication of work between the following
CSM-RA CSM-RA CSM-RA
assessments shall be avoided:
Reg.352 Reg.402 Reg.1136
a) SMS conformity (Dir.49)
b) Interoperability conformity (Dir.57)
c) RA conformity (Reg.402)2009 2011 2014
Guide for "DV29" "DV29 bis "
352 Rec. 217 Rec. 897

2014
Guide for
CSM AsBo

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 AsBo and ISA

2004 2008
Safety Interop.
Dir.49 Dir.57

6. Relationship between
CSM AsBo and CLC ISA
2009 2013 2015
CSM-RA CSM-RA CSM-RA
a fundamental difference:Reg.352 Reg.402 Reg.1136
CENELEC standards 50128 and 50129 do not impose
the assessor to be accredited or recognised .
2009 2011 2014
Consequently CSM AsBo will at least include
Guide for "DV29" "DV29 bis "
all the activities of a CLC ISA.
352 Rec. 217 Rec. 897

2014
Guide for
CSM AsBo

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 accredited/recognised ISA
97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16

EN 50129 :2003 WGA15

?

50128 :2001 50128 :2011

shallbeapproved shallhaveacceptance/licence
bytheSaf.Aut. fromarecognisedSaf.Aut.

50126 :1999 pr50126 (WG14) WG21

shallhaveacceptance/licence
fromarecognisedSaf.Aut.

shouldhaveacceptance/licence
fromarecognisedSaf.Aut.
A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015
 AsBo types
Annex II: Criteria for accreditation or recognition of AsBo 2013
CSM-RA
The Assessment Body shall fulfil ISO/IEC 17020:2012 Reg.402

17020:2012 - INSPECTION BODY

Indep. from Design Org. Limitations

not part of the same 3rd party inspection
Type A
legal entity

separate and identifiable 2nd 1st party inspection services

Type B only to its parent organization
part

identifiable but not 2nd 1st party inspection services

Type C to its parent organization or
necessarily a separate part;
not the same person. also to other parties

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 AsBo types

2004 2008
Safety Interop.
Dir.49 Dir.57

5. Who can be the AsBo

2009 2013 2015
Permitting also the use of the
CSM-RA type C of CSM-RA CSM-RA
independence is crucial for the sector:
Reg.352 Reg.402 Reg.1136
[]
(when number of technical experts is
limited) technical competence may be
preferred to full independence.
2009 2011 2014
Guide for "DV29" "DV29 bis "
352 Rec. 217 Rec. 897

2014
Guide for
CSM AsBo

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 ISA independence

PM
ASSR

DI VER, VAL

SIL 3 OR
AND 4

PM
ASSR

DI VER VAL

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 ISA independence
97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16

50129 :2003 WGA15

sameorganisationonlyif ?
authorisedbytheSaf.Aut. sameorganisation
andreportingtotheSaf.Aut. atthediscretionoftheSaf.Aut.

50128 :2001 50128 :2011

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 Quantitative targets and SILs

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 Harmonised quantitative design targets

Frequence of failures basic

per operating hour integrity
10-5
SIL1
10-6
SIL2
10-7
Critical:
SIL3
10-8 very small n. of people,
at least one fatality
SIL4
10-9 Catastrophic:
Catastrophic:
fatalities, SIL4
large n. of people,
multiple severe injuries, + other
multiple fatalities
major damage to the env. meas.

2009, 2013 2015

2003
CSM-RA CSM-RA
EN 50129
Reg. 352, 402 Reg.1136

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 Playing with SILs

Door control hazard:

one or more doors
NO SIL (basic integrity)
wrongfully open
THR = 10-9, SIL4

THR = 10-5

Single door hazard Critical accident

TFFR = 10-11 (Reg.1136)
TFFR = 10-7
Misusing
target definitions
and SIL allocation

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 Design Targets, S/Q Processes

2004 2008
Safety Interop.
Dir.49
2.5.7 Dir.57
The risk is acceptable:

(a) compliance with design

2009targets; 2013 2015
(b) the associated systematic
CSM-RAfailures are CSM-RA CSM-RA
controlled in accordance
Reg.352with Reg.402 Reg.1136
safety and quality processes,
commensurate with the design target
and
defined in commonly 2009 2011 2014
acknowledged Guide for "DV29" "DV29 bis "
relevant standards
352 Rec. 217 Rec. 897

2014
Guide for
CSM AsBo

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 Targets, Processes and Fail-Safety
Safety and
Design Design for
quality
targets safety
processes

Fail-safe principles
Dangerous (random) Reduction of and
failure rate systematic failures fault management
criteria

Accuracy Fail-Safety
Integrity Consistency

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 Targets, Processes and Fail-Safety
Safety and
Design Design for
quality
targets safety
processes

Fail-safe principles
Dangerous (random) Reduction of and
failure rate systematic failures fault management
criteria

cannot be
apportioned !

Can be May be
apportioned apportioned
(physical (process
independence) independence)

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 Conclusion

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

 50129 is a prime number.

Let it be a prime standard too.

A. CIANCABILLA - SiT - Braunschweig 16-17 NOV. 2015

Thank you for your attention

a.ciancabilla@rfi.it

SiT Workshop Braunschweig, 16-17 November 2015