
Safety Standards

SIGNAL+DRAHT INTERNATIONAL

The Relationship between the CENELEC Railway Signalling Standards and Other Safety Standards
Jens Braband / Yuji Hirao / Jonathan F. Luedeke

Although there are many different international, European, Japanese and US safety standards, they coincide in many general aspects and concepts. There are, however, several differences in detail: for example, while the TFM, THR and MTTHE concepts are very similar with respect to setting safety targets, the verification processes used to assure that the targets are met differ. The most important differences are:
- The SIL concept is not common in the US railway industry.
- Rather than using quantitative analyses and absolute targets, Japan emphasises qualitative analyses, including hazard analysis, for safety evaluation; quantitative analyses play a confirming role.
- The attitude to and application of standards: they are sometimes treated as guidelines and sometimes as mandatory regulations.
- Terminology.
It is the hope of the authors that the future will bring further discussion and harmonisation at an international level.
Dr. Jens Braband, Head of System Development Integrity, Rail Automation Division, Siemens Transportation Systems. Member of IEC TC 56 Dependability, the IEEE Reliability Society and the System Safety Society. Address: Ackerstraße 22, D-38126 Braunschweig, Germany. E-mail: jens.braband@siemens.com

Dr. Yuji Hirao, General Manager, Signalling and Telecommunications Technology Division, Railway Technical Research Institute (RTRI). Address: 2-8-38, Hikari-cho, Kokubunji-city, Tokyo 185-8540, Japan. E-mail: hirao@rtri.or.jp

Jonathan F. Luedeke, Chief Technical Leader, Rail Safety Group, Battelle Memorial Institute. Member of the American Railway Engineering and Maintenance-of-Way Association (AREMA). Address: 505 King Avenue, Columbus, Ohio 43201, USA. E-mail: luedekej@battelle.org

1 Introduction
Since the circulation of early drafts in the mid-1990s, the CENELEC standards for railway signalling, and in particular the subset relating to functional safety [1, 2, 3, 4], have attracted widespread attention. The reasons are manifold, but the most important are:
- Firstly, they represent the only truly international standards in this field, having been drawn up by the now 22 members of CENELEC, each representing a different European country, with the involvement of hundreds of experts.
- Secondly, while the application of standards such as those of the IEC is largely at the discretion of operators and suppliers, the CENELEC standards are made mandatory de facto by Directive 93/38/EEC, which demands that all contracts worth more than EUR 400,000 be tendered on the basis of European specifications (including European standards).
Interest in the CENELEC standards has grown greatly in the last few years for two further reasons:
- They are likely to become worldwide IEC standards in the near future by a fast-track procedure, making them the first worldwide standards in this field.
- The new EU General Product Safety Directive of December 3, 2001 (2001/95/EC) places more emphasis on the role of standards for product safety than the earlier Product Liability Directive of July 25, 1985 (85/374/EEC). According to the new Directive a product shall be presumed safe when it conforms to European standards whose references have been published by the Commission in the Official Journal of the European Communities.
This means that in the long run the CENELEC standards are likely to become the only standards of significance for railway signalling in the global market, because international suppliers cannot afford to keep taking account of the many different local standards, while buyers wish to have as much competition for their tenders as possible. The interests of both parties are best served by the CENELEC standards.
This paper focuses on the relationship between the CENELEC standards and other safety standards, whether national ones or general international standards. The relationship is important because in future applications of the CENELEC standards it will not be possible to assume that equipment has already been certified on the basis of CENELEC standards. Instead it will be necessary to design systems which can be certified according to CENELEC standards from components previously certified on the basis of national or other international standards. Knowledge of the links and relations between the standards is therefore likely to be an advantage when performing this task. Similar work has already been reported by one of the authors before [5], but in connection with preliminary versions of some of the standards. That study, completed in 1995, aimed at identifying best practice for safety verification and validation (V&V) and concluded that the documents with the most significant qualities/attributes, primarily from a safety V&V standpoint, at that time included:
- IEC 65A 122 [6] and 123 [7] (draft versions of IEC 61508 [8]),
- the CENELEC draft standards prEN 50128 and prEN 50129,
- Mü 8004 [9],
- Def Stan 00-55 [10] and Def Stan 00-56 [11] and
- MIL-STD-882C [12].

by Tetzlaff Verlag, Hamburg

2 A genealogy of the CENELEC standards


As with human contacts, where it may be useful to know more about a person's family background in order to understand their behaviour better, this can also be of interest in the case of standards, since standards are not created in isolation but build on ideas from each other. Figure 1 identifies the major roots of the CENELEC standards, insofar as they are known to the authors. Certainly the most significant impact comes from the international safety publication IEC 61508, which lays down the basic definitions and approaches to functional safety across all application sectors. This relationship is discussed further in the sections below. A major contributor, in particular to the safety case regime of EN 50129 [3], was the German Mü 8004. The structuring of the technical safety report, and also much of its contents, was transferred directly from Mü 8004 to EN 50129. In comparison with IEC 61508 this is a major distinguishing feature, because IEC 61508 does not have a concise safety case structure, which is an important condition for cross-acceptance. Another important characteristic of the CENELEC standards is RAMS (reliability, availability, maintainability and safety) management. Major contributors to EN 50126 [1], which covers this issue, were the US MIL-STD-882 (sometimes called the mother of all safety management standards) and the IEC 60300 series [13], which covers dependability management and techniques. Note that in IEC terminology dependability is a collective term for reliability, availability and maintainability, which CENELEC denotes by RAM. In fact it is a drawback of the general IEC standards that safety and dependability issues are dealt with in two different standards, prepared by two different technical committees.

SIGNAL + DRAHT (95) 12/2003

Figure 1: Family tree of the major CENELEC standards

3 Comparison of basic concepts in IEC 61508 and the CENELEC standards

The CENELEC standards are a railway-specific adaptation of IEC 61508. It is nevertheless instructive to see in what respects they coincide and differ.

3.1 Definition of safety and risk analysis
IEC 61508 and EN 50126/EN 50129 use the same risk-based definition of safety and similar processes for hazard and risk analysis. Both give examples of methods but prescribe neither a particular technique nor a risk tolerability criterion. They aim at hazard elimination and, where that is not practicable, at risk reduction. A particular advantage of the CENELEC standards is that, due to EN 50126, RAM and safety activities are handled jointly, also from the point of view of RAMS management [14].

3.2 System definition and safety targets
IEC 61508 sets targets for functions of electrical/electronic/programmable electronic (E/E/PES) control systems. It clearly defines which components are part of such a system: sensors, logic solvers, communication channels and actuators. This definition originates from process automation; for other application sectors it is of limited use, because the systems there are much more complex than in process automation. EN 50126 and EN 50129 set targets generally for hazards, which may occur at any system level. Safety integrity requirements are finally defined by EN 50129 at a functional level, which is similar to the level at which IEC 61508 sets its targets.

3.3 Target measures
In IEC 61508 a target failure measure (TFM) is defined which covers both random and systematic failures. The TFM is quantified and is equivalent to a safety integrity level (SIL). It is accepted, however, that only random integrity can be quantified, while systematic integrity must be covered qualitatively. IEC 61508 distinguishes between low demand and continuous operation modes, for which different TFMs are defined. Tolerable hazard rates (THRs) in EN 50129 are a generalisation of the TFM in IEC 61508, because they may be defined at any system indenture level. For continuous mode functions TFM and THR are identical concepts, and the SIL tables are the same. Figure 2 shows a graphical summary. It is important to note that by definition THRs cover random and systematic failures and are target measures for both. However, it is acknowledged that, based on the current state of the art, only contributions from random failures can be verified quantitatively. For this reason the SIL concept is introduced and SILs are derived from the THRs in order to define sufficient countermeasures against systematic failures. This may be a drawback, but a review of software standards has shown that there is currently no alternative [15]. It is interesting to note that civil aviation uses a similar concept, the Development Assurance Level (DAL); see [16] for a comparison of railway and aviation safety principles and standards. Another observation is that the mean time to hazardous event (MTTHE) could have been used as an alternative to the THR concept without the process being affected in any way.

Figure 2: Similarities between IEC 61508 and EN 50129 with respect to target measures

3.4 Operation modes
Low demand mode is not used by EN 50129, in order to avoid ambiguity. The distinction between the operation modes is artificial:
- The goal of system safety is to eliminate hazards or, where this is not possible, to control them.
- For a PES this normally means a reduction of the frequency of hazardous events.
- Frequency is related to continuous time, so it seemed natural to require the continuous mode.
- A probability of failure on demand (PFD) as a target usually requires the definition of a proof test interval, which is defined by the operator, not by the supplier of the system. For the supplier it is more natural to fulfil targets defined as hazard rates than PFDs.
- It is possible to relate the PFD to frequencies (and vice versa).
It has also been shown by several examples [17] that, depending on which operation mode the analyst chooses, different SILs result from the same quantitative risk analysis. This is an inherent contradiction within IEC 61508. The EN 50129 concept is equivalent to a new approach [18] currently under consideration by the IEC.
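The following is an added worked example, not code from the article or from any standards body. It puts the SIL tables of sections 3.3 and 3.4 into executable form: the continuous-mode THR/TFM bands and the low-demand PFD bands are those of IEC 61508-1 (reused by EN 50129 for THRs); MTTHE = 1/THR for a constant hazard rate; and the PFD calculation assumes a single channel with a constant dangerous failure rate λ, an operator-chosen proof test interval T and the first-order approximation PFDavg ≈ λT/2, which is this example's own simplification. The function sil_by_mode shows the mode dependence that section 3.4 complains about: one failure rate, two different SILs.

```python
"""SIL bands of IEC 61508 / EN 50129 and the effect of the operation mode.

Added worked example; not code from the article or from any standards body.
Band limits follow the IEC 61508-1 tables (reused by EN 50129 for THRs); the
PFD formula is this example's own single-channel simplification.
"""

# Continuous / high-demand mode: dangerous failures per hour (TFM = THR).
# Half-open bands: SIL 4 is 1e-9 <= THR < 1e-8, and so on down to SIL 1.
CONTINUOUS_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

# Low-demand mode: average probability of failure on demand (PFDavg).
LOW_DEMAND_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def _sil_for(value, bands):
    """Return the SIL whose band contains value, or None if the value lies
    outside all bands (worse than SIL 1, or below the SIL 4 band, for which
    neither standard defines a claimable level for a single function)."""
    if value <= 0:
        raise ValueError("rates and probabilities must be positive")
    for sil in (4, 3, 2, 1):
        low, high = bands[sil]
        if low <= value < high:
            return sil
    return None


def sil_from_thr(thr_per_hour):
    """Continuous mode: THR (or TFM) in 1/h -> SIL."""
    return _sil_for(thr_per_hour, CONTINUOUS_BANDS)


def sil_from_pfd(pfd_avg):
    """Low-demand mode: PFDavg -> SIL."""
    return _sil_for(pfd_avg, LOW_DEMAND_BANDS)


def thr_band_for_sil(sil):
    """The reverse step of section 4.2: a SIL assigned by a risk graph is
    turned into the THR = TFM band (1/h) of the continuous-mode table."""
    return CONTINUOUS_BANDS[sil]


def mtthe_hours(thr_per_hour):
    """Mean time to hazardous event for a constant hazard rate: MTTHE = 1/THR,
    which is why section 3.3 says MTTHE could replace the THR unchanged."""
    return 1.0 / thr_per_hour


def pfd_avg_single_channel(dangerous_rate_per_hour, proof_test_interval_hours):
    """PFDavg ~= lambda * T / 2 for one channel tested only at proof tests.
    Assumption of this example (first order, valid only for lambda*T << 1)."""
    lambda_t = dangerous_rate_per_hour * proof_test_interval_hours
    if lambda_t > 0.1:
        raise ValueError("lambda*T too large for the linear approximation")
    return lambda_t / 2.0


def sil_by_mode(dangerous_rate_per_hour, proof_test_interval_hours):
    """The contradiction of section 3.4: the same dangerous failure rate,
    analysed once as a continuous-mode hazard rate and once as a low-demand
    PFD with an operator-chosen proof test interval, can land in different
    SILs. Returns both results so they can be compared."""
    pfd = pfd_avg_single_channel(dangerous_rate_per_hour, proof_test_interval_hours)
    return {
        "continuous": sil_from_thr(dangerous_rate_per_hour),
        "low_demand": sil_from_pfd(pfd),
        "pfd_avg": pfd,
    }


if __name__ == "__main__":
    rate = 1e-7  # constructed dangerous failure rate in 1/h (not from the article)
    print(f"THR {rate:.0e}/h -> SIL {sil_from_thr(rate)}, MTTHE {mtthe_hours(rate):.0e} h")
    for interval in (730.0, 8760.0):  # monthly vs. yearly proof test
        r = sil_by_mode(rate, interval)
        print(f"T = {interval:5.0f} h: continuous SIL {r['continuous']}, "
              f"low demand PFDavg {r['pfd_avg']:.2e} -> SIL {r['low_demand']}")
```

Run as a script, the block prints the comparison for a constructed rate of 10^-7/h: as a continuous-mode THR it is SIL 2, but as a low-demand PFD it becomes SIL 3 with a yearly proof test and SIL 4 with a monthly one. Nothing about the equipment changed; only the analyst's choice of mode and the operator's test interval did, which is exactly why EN 50129 keeps to hazard rates.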

3.5 Safety cases
This important topic is not covered explicitly by IEC 61508. Here CENELEC has all the advantages of a sector-specific standard:
- a clear safety case structure,
- considerations for the cross-acceptance of safety cases by following a structured, standardised life cycle and a harmonised documentation set,
- support for reuse and modularisation by defining different types of approval: generic product, generic application and specific application, and
- concise independence requirements for designer, verifier, validator and assessor.

3.6 Summary
The concepts behind IEC 61508 and EN 50126/EN 50129 are compatible. They coincide in the
- risk-based approach,
- safety life-cycle concept,
- approach to the setting of safety targets and
- definition of the SIL.
They differ with respect to the
- system indenture level (EN 50126/EN 50129 being more general),
- use of operation modes (EN 50126/EN 50129 being more restrictive),
- integration of RAM and safety (IEC 61508 considers only safety),
- level of detail (e.g. guidance for SIL),
- safety case concept (not covered explicitly by IEC 61508) and
- terminology.

4 Relation to German guidelines

4.1 Mü 8004
The traditional German signalling guidelines for main lines, Mü 8004, apply a rule-based approach to safety. For each type of safety application a certain set of design rules has been established and, in a nutshell, if a particular product fulfils these rules, it is considered safe for operation in Germany. This regime is more constructive than the CENELEC approach, but it has drawbacks with respect to the introduction of new technology (for which no rules exist) and with respect to competition, because Mü 8004 implies particular safety architectures and rules out others. Another major difference between Mü 8004 and the CENELEC standards is that the Mü 8004 definition of safety is not risk-based. There was therefore no possibility of establishing Mü 8004 directly as an international standard. The philosophy behind Mü 8004 is basically a bottom-up strategy based on experience: safety systems are built from a collection of safe components. The Mü 8004 approach has many benefits, which were incorporated into the CENELEC standards wherever possible, e.g. the structure and contents of the safety case or qualitative rules for the independence of items.

4.2 VDV 331
Another set of guidelines, for the signalling of regional or metro lines, VDV 331 [19], already uses a risk-based approach to safety, based on the risk graph, a mainly qualitative risk analysis method. The risk graph is explicitly mentioned as an example method in IEC 61508. The risk tolerability criterion is not expressed directly but is incorporated into the risk graph. This was also the major reason why the risk graph, despite some attractive features, could not become the standard method in EN 50129: it is not at all clear how the risk graph relates to other risk tolerability criteria such as GAMAB (globalement au moins aussi bon) or ALARP (as low as reasonably practicable). As VDV 331 complies with IEC 61508, it also complies with CENELEC. Practical compliance is shown in figure 3. In VDV 331 the risk graph is used to assign SILs to functions. Negating these functions leads immediately to hazards, and the corresponding THR = TFM can be derived using the SIL table from IEC 61508 (or EN 50129). It must be stressed, however, that the successful application of a risk graph depends on the concise definition of the qualitative parameters (severity (S), exposure and frequency (A), risk reduction (G) and probability of occurrence (W) in figure 3) and on the expertise and experience of the analyst in the application domain. While VDV 331 gives satisfactory definitions and guidance for regional and metro lines, it has not yet been demonstrated that this approach can be meaningfully transferred to main-line applications.

5 Relation to Japanese safety guidelines

Although safety guidelines for the introduction of microelectronics into railway signalling were built up in Japan in the 1980s, following the commissioning of the first Japanese microcomputerised interlocking, they are intradepartmental documents. To cope with higher system safety requirements and more sophisticated functions, new safety guidelines were compiled in 1996 by a specialists' committee whose secretariat was provided by the Railway Technical Research Institute (RTRI). Up to now, these safety guidelines have been applied entirely or in part to some new signalling systems, including system modifications. Their basic characteristics are as follows:
- The guidelines compile, on the basis of IEC 61508, the necessary technical conditions which have been cultivated over the years in railway signalling in Japan.
- The guidelines compile necessary conditions for safety management and technical activities throughout the life cycle and are not intended as regulations.
The guidelines consist of seven chapters. The scope and definitions are described in the first two chapters. Safety principles on the basis of fail-safety and concepts of safety management and its activities
throughout the life cycle are described in chapters 3 and 4. The safety life cycle is defined, and technical requirements for each life-cycle process are given, in chapter 5. Safety assessment and documentation are described in the following two chapters. A more detailed discussion is given in [20].

IEC 61508 concepts were applied to the Japanese safety guidelines, and the EN standards are also, in principle, based on IEC 61508, but there are some differences between them. The major difference is that whereas the EN standards are intended for legal regulation, the Japanese safety guidelines are advice to be adopted. The other notable difference is that the guidelines consist of three layers, namely the main text, an explanation and information, integrating software, transmission and systems. The main text describes the fundamentals of the guidelines; detailed and concrete ideas and concepts are given in the explanatory layer, and the information layer supplements the explanation.

In addition to the above, quantitative analyses, which are prescribed mainly in EN 50129, are a subject yet to be discussed. In Annex A of EN 50129, which discusses the safety integrity level concept, there is a table which defines safety integrity levels by quantitative values, e.g. a THR of the order of 10^-9/h for SIL 4. In Japan there is a feeling that quantitative analysis should only be applied for the purpose of identifying the most critical parts and confirming the results of the subsequent safety approach. By allocating numerical values to each hazard it indeed becomes possible to identify the more dangerous points and to take the necessary measures against them. For this purpose, however, absolute values are not necessarily important; relative values are quite adequate. Absolute values should not be regarded as the target by which the subsequent safety process is decided. Values should rather be used at a comparatively late phase to confirm, as a result, that each step of the safety process has been appropriate.

Hazard analysis, which identifies failure causes, should be emphasised more than quantitative risk analysis, because of the insufficiency of data and also because of the fail-safe principle. Another point to be considered is organisational and legal matters. EN 50129 is for safety acceptance and approval, and this is deeply related to the legal organisations or systems of each country. Although this standard has been thoroughly considered and some adjustments have been made, it remains to be seen whether there is any inconvenience in applying it in other countries, especially outside Europe.

Figure 3: Procedure for defining safety targets using a risk graph

6 Relation to US standards
There is currently no single US safety assurance standard or regulation, or set of such standards or regulations, for processor-based systems comparable to the European EN 50126, EN 50128 [2] and EN 50129 documents. Rather, it has been common practice in the US for suppliers to base their own, often unique, safety assurance process on a number of different standards developed by different organisations. The primary reason has been that the existing standards have addressed the key aspects of safety assurance for safety-critical rail products/systems only partly, not at all, or not with the same rigour. Given the lack of regulation in this area, suppliers have based their processes on standards such as the AREMA (American Railway Engineering and Maintenance-of-Way Association) Communications and Signals Manual of Recommended Practices [21], MIL-STD-882C for safety programs and hazard analyses, a fairly recent IEEE (Institute of Electrical and Electronics Engineers) standard, IEEE 1483-2000 [22], for safety verification, IEEE 1012-1998 [23] for software V&V, and portions of other standards from other industries.

To address this safety concern in the light of technological advances and the use of processor-based systems in safety-critical rail applications, the Federal Railroad Administration (FRA) initiated efforts a few years ago to revise existing regulations. These efforts led to the establishment of a Railroad Safety Advisory Committee (RSAC) and the subsequent development and recent publication of a Notice of Proposed Rulemaking (NPRM) [24] for the Code of Federal Regulations (CFR). While this publication, or some revision thereof, is not expected to become a valid regulation until later in 2003, it does define a relatively comprehensive set of requirements for the safety assurance of processor-based systems. In the light of the above, the discussions
below focus on the various standards that have been utilised most extensively in the US.

6.1 MIL-STD-882
MIL-STD-882, System Safety Program Requirements, although a US Department of Defense standard, is the current standard in the rail industry for the development of system safety program plans (SSPPs). The SSPP, which is prepared by the supplier for a specific product or application, describes the system safety assurance process being employed: all the technical and management activities to be performed to ensure and demonstrate the safety of the product/system. Typical activities detailed in an SSPP include:
- safety management, addressing organisational and other aspects of ensuring compliance with the safety program,
- hazard analyses and associated risk assessment, to identify and assess hazards and their relative risks, and
- safety V&V, to demonstrate the level of safety.
SSPPs are normally prepared on the basis of a supplier's internal safety process and customer requirements. That is, a supplier typically has a documented internal safety process (with procedures) describing the technical and management-related safety activities to be performed on all vital products, and tailors that process into an SSPP for a specific product or application for a given customer. MIL-STD-882 applies to a system life cycle, as do EN 50126/EN 50129, but addresses only safety, as opposed to reliability, maintainability or quality. MIL-STD-882 does not describe a definitive safety program, fixed set of activities, fixed safety case or set of associated documentation, but is tailored to the needs of a specific development program. In addition to being the primary basis for safety programs, MIL-STD-882 is also the current industry standard for the execution of hazard analyses such as preliminary hazard analyses, subsystem hazard analyses and operating and support hazard analyses. As such, the standard is very similar to EN 50129 with respect to the safety management aspects addressed.

MIL-STD-882 is risk-based, as are EN 50126/EN 50129, but, unlike them, is not based on SILs. MIL-STD-882 does define software control categories to help address probability aspects of software-related hazards, but these categories do not have the same purpose as the SILs in the CENELEC standards. In fact, apart from some software integrity levels in IEEE documentation (addressed later in this paper), SILs have not been used in the US rail industry. The hazard severity and hazard probability definitions in MIL-STD-882 are very similar to those in EN 50126, but with some slight differences. For example, MIL-STD-882 describes five categories for hazard probability, whereas CENELEC has six, and the "occasional" category in EN 50126 does not correspond to the "occasional" category in MIL-STD-882. Also, the definition of the "critical" severity category differs: in EN 50126 it includes a single fatality, whereas in MIL-STD-882 it does not. MIL-STD-882 is much more descriptive than EN 50126/EN 50129 with respect to the types and content of hazard analyses, but considerably less descriptive than EN 50129 with regard to safety V&V. Two basic versions of MIL-STD-882 are in use: C and D. MIL-STD-882C (January 19, 1993) is much more descriptive than MIL-STD-882D (February 10, 2000) and is therefore used more extensively than version D.
6.2 IEEE 1483 Safety Verification Standard
The IEEE recently approved IEEE 1483-2000, Standard for the Verification of Safety of Vital Functions in Processor-Based Systems Used in Rail Transit Control. This document stems from an industry-consensus process and is not a regulation, but it is currently used extensively in the rail industry for the safety verification of computer-based systems and products. The standard defines a process structured around three levels of verification by analytical means:
- a concept level, which describes the safety assurance concepts (sometimes referred to as design principles), the factors on which these concepts depend and the methods needed to analyse the concepts,
- a functional level, which comprehensively identifies vital functions, and
- an implementation level, which verifies that the vital functions are implemented with the necessary level of safety, including qualitative analysis and possibly quantitative analysis as well, in terms of an MTTHE value.
The process in IEEE 1483 defines a number of analytical activities, such as fault tree analyses, that can be used for verification, but essentially leaves the specific types of analyses to be performed at the three levels up to the organisation carrying out (or specifying) the verification. The standard describes the verification activities as highly dependent on the system architecture involved. As a whole, the standard describes the types of activities and supporting documentation needed to demonstrate that safety goals/requirements have been met. It is thus very similar in nature to the section of EN 50129 on Evidence of Functional and Technical Safety. For example, IEEE 1483 requires a description of safety assurance concepts, which is similar in intent to the description of the technical principles that ensure the safety of the design, as described in EN 50129. Also, EN 50126/EN 50129 describe a systematic approach to selecting a suitable system architecture, while IEEE 1483 provides information that assists in the definition of suitable/recognised system architectures. One slight difference here is that IEEE 1483 recognises a single-channel architecture based on diagnostics and self-testing, while CENELEC does not. Another similarity between IEEE 1483 and EN 50129 is that both, to a large extent, leave the selection of the particular techniques to be used up to the organisation concerned. As with EN 50129, the development and V&V of software are addressed by other documents: EN 50128 for CENELEC, and IEEE 1012 and other IEEE standards in the US.

Both EN 50129 and IEEE 1483 describe the need for the authority or organisation setting the goals to define quantitative safety targets/goals and to demonstrate that these have been met. In EN 50129 the quantitative safety target covers random and systematic faults (the requirements relating to systematic faults being verified not quantitatively but by means of the SIL), while in IEEE 1483 the quantitative goal is defined in terms of the MTTHE. The parts of the system which are to contribute to this goal (i.e. hardware and/or software) are not defined in IEEE 1483, although the standard acknowledges that the probability or frequency of the factors involved may need to be determined qualitatively. In EN 50129 the qualitative safety target is defined in terms of a SIL, whereas in IEEE 1483 the qualitative target is based on demonstrating the vitality of functions defined as vital.

There are several major differences between IEEE 1483 and EN 50129. IEEE 1483 is not based on SILs, as EN 50129 is; it is based on the definition of functions that are vital and on the verification of these functions primarily by analytical means. As noted earlier, SILs have not been used in the US railway industry, although similar concepts exist in civil aviation. Also, IEEE 1483 focuses on safety verification and does not include validation aspects: the section on Evidence of Functional and Technical Safety in EN 50129 includes a requirement for safety qualification testing which, along with other validation aspects, is not addressed by IEEE 1483. Nor does IEEE 1483 specify the need for an independent safety assessor, as EN 50129 does.

6.3 AREMA C&S Manual
Section 17.3 of the AREMA Communications and Signals (C&S) Manual, Recommended Safety Assurance Program for Electronic/Software Based Products Used in Vital Signal Applications, covers processor-based system safety. This portion of the manual, partial or complete adherence to which is sometimes required by North American railways, describes the activities and aspects of an overall safety assurance program for processor-based systems/equipment. Section 17 covers product design considerations, safety organisational and management aspects including an SSPP, hazard analyses, safety requirement identification and allocation, safety V&V, and quantitative assessments. The intention of the standard is to address all aspects of safety assurance, not merely a subset as in MIL-STD-882 (program plans and hazard analyses) and IEEE 1483 (safety verification). This document is also not a regulation, but a set of recommended practices for railways incorporating processor-based systems/products in safety-critical applications. Section 17.3 of the AREMA manual specifies the need to address safety management, quality management and safety V&V.

Safety V&V in the AREMA manual is similar in intent to the section on Evidence of Functional and Technical Safety in EN 50129; this section is thus similar to EN 50129 in terms of the need to address each of these aspects in the safety case. The similarity also extends to the conditions under which safety is demonstrated (normal operation, faults, external influences, etc.). The activities of the safety process described in the AREMA manual (Section 17.3) are similar in intent to a combination of MIL-STD-882, some aspects of IEEE 1483 and some aspects of IEEE 1012 for the verification of software. They are also similar in intent, in many respects, to EN 50126, EN 50128 and EN 50129. However, the AREMA manual is not based on SILs like the CENELEC standards, nor is it as descriptive or detailed as the latter, particularly for demonstrating the safety of software. The software aspects in the AREMA manual address software V&V only, and do not address the broader software development issue as EN 50128 does. The AREMA manual states that safety requirements should include qualitative and quantitative aspects, in common with EN 50129. Section 17 of the AREMA manual provides recommended practices and minimum requirements for safety, reliability, maintainability and quality assurance. As such, Section 17 comes closest in the US to EN 50126 in terms of defining an integrated approach to safety, reliability, maintainability and quality. The AREMA manual does not address availability as directly as EN 50126, but does discuss maintainability to some extent in terms of the reliability and maintainability aspects. EN 50126 treats reliability, availability, maintainability and safety (RAMS) as a whole; neither this combination nor dependability in the IEC sense is discussed in this manner in the AREMA manual or elsewhere in the US. In the AREMA manual the quality system can be based on an IEEE standard (IEEE 730.1-1995) [25] or on the ISO series of standards. CENELEC likewise specifies conformance to ISO 9001 [26] for quality.

6.4 RSAC safety standards
An RSAC was established by the FRA in 1996 to, among other things, prepare possible revisions to the regulations (49 CFR Parts 209, 234 and 236) addressing new software-based train control systems. A Standards Task Force was established within RSAC in the 1990s to create regulations for positive train control (PTC) systems. PTC systems were described as achieving three basic functions:
- preventing train-to-train collisions,
- enforcing speed restrictions and
- providing protection for roadway workers and their equipment.
Four stakeholder groups, composed of representatives from the Federal Government, railway management, railway labour, and railway signal and train control suppliers, were formed to develop a consensus on the resulting regulation revisions. Several draft NPRM documents from the PTC Standards Task Force have been issued and reviewed over the last few years. On August 10, 2001, the FRA published its Proposed Rule, Standards for the Development and Use of Processor Based Signal and Train Control Systems, in the Federal Register. This Proposed Rule is not a regulation for US railways at this time, but it, or some revision thereof, is likely to become one in 2003. Two key topics within Subpart H of the NPRM relate to the establishment of a Railroad Safety Program Plan (RSPP) and a Product Safety Plan (PSP). The RSPP is a formal document to be prepared by the railways, which is to serve as the principal safety document for all safety-critical products used by the railways. The purpose of the RSPP is to describe the railway's strategy for addressing safety hazards associated with the operation of products under the jurisdiction of Subpart H of CFR 236, together with the minimum requirements that will govern the development and implementation of these products. Each railway must submit a petition for approval of the RSPP to the FRA. The other key item addressed by the NPRM is the PSP. The PSP is to be a formal document that describes in detail all safety aspects of a product, including procedures for its development, installation, implementation, operation, maintenance, repair, inspection, testing and modification, and the analyses supporting its safety claims. It is anticipated that railways will look to the product supplier to provide most of the information for the PSP. The PSP will also need approval from the FRA.

Subpart H defines the following 20 items that will likely need to be included in the PSP:
- product description,
- description of the railway operation or categories of operation on which the product will be used,
- operational concepts document: functionality and information flows,
- safety requirements document: description of all safety functions,
- description of how the product architecture satisfies the safety requirements,
- hazard log describing all safety-related hazards,
- risk assessment: calculation of a quantitative level of safety of the new system and of the system it is replacing,
- hazard mitigation analyses,
- description of the safety assessment and safety V&V processes used and their results,
- description of hazard analyses,
- human factors analysis (if applicable),
- description of the training that is needed for inspection, test and maintenance,
- description of specific procedures and test equipment for installation, operation, maintenance, etc.,
- description of necessary security measures,
- description of safety warnings for operation and maintenance manuals,
- description of procedures for safe installation,
- description of measures to ensure safe operation over the life cycle, and record keeping, and
- description of backup methods and safety-critical assumptions affecting availability, configurable applications of the product and planned version changes.
Section 234 of the NPRM addresses the applicability of the requirements of Subpart H to road-rail level crossing warning systems.

In short, level crossing systems that contain new or novel technology not previously recognised for use as of the effective date of this rule or that provide safety-critical data to a railway signal system must comply with Subpart H of Part 236. The NPRM defines a performance-based, non-prescriptive, technology-neutral standard for the development and use of processor-based systems under the jurisdiction of the FRA. The 20 items in the PSP define the safety case for the product/system under consideration. The safety case includes hazard analyses and tracking, safety V&V, risk assessment, and numerous other items defined above pertaining to designing in and demonstrating safety. The PSP addresses safety management and technical/functional safety aspects, making it similar to the Safety Management and Evidence of Functional and Technical Safety sections in EN 50129. Quality assurance aspects are not addressed in the PSP as they are in EN 50129. The PSP also resembles EN 50129 in that it specifies a systematic approach to hazard identification, hazard mitigation assessment and risk assessment. The NPRM lists a number of standards that can be used to address V&V and other requirements of, especially, the PSP. Of note is that this list includes the EN 50126, EN 50128 and EN 50129 standards as well as IEC 61508, MIL-STD-882C, IEEE 1483 and AREMA. The important point when using one or more of these standards to address various aspects required by the NPRM (PSP) is that the method applied must meet the specific requirement as defined in the NPRM. For V&V, the NPRM requires a demonstration of safety under various conditions such as normal operation, random faults, systematic faults and external influences, similar to those specified in EN 50129. The key aspect of the PSP, and one that relates to the performance-based nature of the standard, is the need for a risk assessment. 
This risk assessment is intended to demonstrate with a high degree of confidence that the system of interest will not result in a risk that exceeds that of the previous condition. Thus, two assessments are necessary: one for the original (base) system (if applicable) and one for the new system that replaces it. The risk assessment is based on relative, rather than absolute, risk. Although the NPRM prefers a quantitative risk assessment in terms of an MTTHE or equivalent, it also permits assessments to be quantitative, qualitative or a combination of the two. No specific absolute quantitative safety target is defined in the NPRM. This approach is slightly different from that specified in EN 50126/50129, where first a quantitative safety target is established and then qualitative targets are set based on SILs. The NPRM specifies that quantitative assessments are to include the contribution of human factor issues (when applicable) and other systematic faults such as software coding errors. This is different from EN 50126/50129, according to which the quantitative safety calculation does not include such factors, but is based solely on random (hardware) faults. One other similarity between the NPRM and CENELEC is that both require third-party assessments, and final approval is based in part on the results of these assessments. To date, such third-party assessments have been mandatory in Europe, but have not been required in the US, although they are now being conducted there with increasing regularity.

6.5 IEEE 1012
IEEE 1012-1998, Standard for Software Verification and Validation, is the standard used most often in the US for the V&V of software. It describes a logical and structured approach to the execution of various analyses and tests in the different phases of software development. The use of a process such as this is almost always required in the rail industry because of the complexity of the software. The IEEE 1012 standard is not a safety standard per se, but its application does help eliminate potentially hazardous software errors that might otherwise not have been uncovered. In the safety process, this software V&V technique is typically used in conjunction with the hazard analyses and other safety analyses being performed. IEEE 1012 defines V&V activities, techniques and documentation for four software integrity levels and for the different software development phases. The integrity levels in IEEE 1012 are based on the criticality of the software, which can include safety, security, software complexity, performance, reliability and other factors. These levels are somewhat similar to the five software integrity levels defined in EN 50128. However, the first four software integrity levels in EN 50128 relate to safety-critical software, which the levels in IEEE 1012 do not. Thus, EN 50128 is more specifically focused on software safety.

Safety is, however, one factor that can lead to the highest software integrity level in IEEE 1012. For example, the highest software integrity level in IEEE 1012 relates to software having the potential to cause catastrophic consequences with various likelihoods of occurrence. There are many similarities in the activities, techniques and documentation cited for the various phases in IEEE 1012 and EN 50128. IEEE 1012 identifies requirements for a software V&V plan, as does EN 50128. However, the biggest difference is that EN 50128 is designed to serve a broader purpose, addressing the development of software including V&V, while IEEE 1012 focuses exclusively on software V&V. There are numerous other IEEE standards that address various other aspects of software development.

References
[1] CENELEC, EN 50126: Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS). 1998. To be published as IEC 62278.
[2] CENELEC, EN 50128: Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems. 2000. To be published as IEC 62279.
[3] CENELEC, EN 50129: Railway applications - Safety-related electronic systems for signalling. 2002. To be published as IEC 6228x.
[4] CENELEC, EN 50159-1/-2: Railway applications - Communication, signalling and processing systems - Safety-related communication in open/closed communication systems. 2001. To be published as IEC 62280.
[5] Luedeke, J.: Safety of High-Speed Ground Transportation Systems, Analytical Methodology for Safety Validation of Computer Controlled Subsystems; Volume I: State-of-the-Art and Assessment of Safety Verification/Validation Methodologies, DOT-VNTSC-FRA-95-8.I; Volume II: Development of a Safety Validation Methodology, DOT-VNTSC-FRA-95-8.II, 1995.
[6] IEC 65A(Sec)122: Software for computers in the application of industrial safety-related systems. 1992.
[7] IEC 65A(Sec)123: Functional safety of electrical/electronic/programmable electronic safety-related systems; generic aspects; part 1: general requirements. 1993.
[8] IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems. 2000.
[9] Federal German Railways Office (EBA), M 8004: Anweisung zu den technischen Anforderungen für die Zulassung von Sicherungsanlagen (Principles of Technical Approval for Signalling and Communications Technology; in German).
[10] Ministry of Defence (UK), Def Stan 00-55: Requirements for Safety Related Software in Defence Equipment. 1997.
[11] Ministry of Defence (UK), Def Stan 00-56: Safety Management Requirements for Defence Systems. 1996.
[12] Department of Defense (US), MIL-STD-882: System Safety Program Requirements. 1993 (version C), 2000 (version D).
[13] IEC 60300: Dependability Management. 1997.
[14] Braband, J.: RAMS-Management nach CENELEC (RAMS management according to CENELEC; in German). SIGNAL+DRAHT, 1998, issue 11.
[15] Herrmann, D.: Software Safety and Reliability - Techniques, Approaches and Standards of Key Industrial Sectors. IEEE Press, 1999.
[16] Braband, J.; Reder, H.-J.: Sicherheitstechnische Vorgehensweise in der Eisenbahnsignaltechnik und Luftfahrt (Safety Procedures in Railway Signalling and Civil Aviation; in German). SIGNAL+DRAHT, 2003, issue 1+2.
[17] Sundvall, K.-E.: Establishing Safety Integrity Level (SIL) from frequency of failure. Report SP 80085, 1998 (part of CENELEC report R009-004:2001).
[18] Kato, E.; Sato, Y.: Safety Integrity Level Models for IEC 61508 - Examination of modes of operation. IEEE Trans. Fundamentals, vol. E83-A, 2000, 863-865.
[19] VDV: Anforderungsklassen für Signal- und Zugsicherungsanlagen gemäß BOStrab (Requirement categories for signalling and automatic train protection systems according to the Tram Construction and Operation Ordinance; in German). VDV 331, 1994.
[20] Hirao, Y.: New European Norms from a Japanese Viewpoint. SIGNAL+DRAHT, 2001, issue 11.
[21] American Railway Engineering and Maintenance-of-Way Association (AREMA): Communications and Signals Manual of Recommended Practices. 2000.
[22] IEEE 1483-2000: Standard for the Verification of Vital Functions in Processor-Based Systems Used in Rail Transit Control. March 30, 2000.
[23] IEEE 1012-1998: Standard for Software Verification and Validation. IEEE Computer Society, July 20, 1998.
[24] Standards for the Development and Use of Processor-Based Signal and Train Control Systems; Proposed Rule. Federal Register, August 10, 2001.
[25] IEEE 730.1: Guide for software quality assurance planning. January 1, 1995.
[26] ISO 9001: Quality management systems - Requirements. 2000.

SUMMARY
The Relationship between the CENELEC Standards and Other Safety Standards
Although there are many different international, European, Japanese and US safety standards, these standards coincide in many general aspects and concepts. There are, however, some differences in detail. For example, there are great similarities in failure limit values, tolerable hazard rate and mean time to hazardous event with respect to setting safety targets, but the verification process intended to ensure that the safety targets are met differs between the standards. The most important differences are:
- The concept of a safety integrity level is not common in the US railway industry.
- Instead of quantitative analyses and absolute targets, the emphasis in Japan is on qualitative analyses including risk analysis, with quantitative analyses serving as confirmation.
- The attitude towards and the application of standards. Sometimes they are regarded as guidelines and sometimes as binding regulations.
- Terminology.
The authors hope that the future will bring further discussion and harmonisation at an international level.