Standardisation in practice – the maintenance of EN 50129

www.thalesgroup.com

14.11.2016, Dr. M. Notter

Thales Transportation Systems GmbH / Template: 87204467-DOC-GRP-EN-002

Overview

▌ General information on the update

▌ Changes in detail

▌ Closing remarks


General information on the update


Development of EN 50129

[Figure: lineage of the standard. ENV 50129:1999 and Mü8004 lead to EN 50129:2003 (alongside EN 50126:1999), which leads to Draft EN 50129:2016 (alongside prEN 50126-1 to 5: prEN 50126-1/2, prEN 50126-3, prEN 50126-4, prEN 50126-5). Embedded risk-analysis flow with hazard (H) / THR hand-over points: System Definition, Hazard Identification, Consequence Analysis, Risk Estimation, THR Allocation (Railway Authority's responsibility); Causal Analysis, Common Cause Analysis, SIL Allocation, Hazard Control (Supplier's responsibility); feedback path for potential new hazards. Full title: Railway applications – Communication, signalling and processing systems – Safety related electronic systems for signalling.]


Timeline

[Figure: New Work Item Proposal -> Draft for Enquiry -> Draft for Vote]


Framework conditions

▌ EN 50129 – the 2003 edition is still largely current today, but:

▌ Better alignment with CENELEC rules

▌ Improvements to the content

▌ New EN 50126-1/2 (WG A21)

▌ Consistency with other existing standards (EN 50128)

▌ Technical and normative developments since 2000

▌ Informative -> normative (where proven in practice)

▌ Cosmetic corrections

[Figure: the optimum as a balance between conversion effort, beautification and improvement of the content]


▌ Convenor: A. Ciancabilla, RFI

▌ Secretary: C. Hilgers, DB AG

[Figure: WG A15 Members; only the per-group counts survived extraction: 1, 1, 1, 2, 1, 2, 2, 4, 3, 5, 4]


Challenges

▌ Volume of material

▌ Discussions

▌ Number of participants

▌ Languages

▌ Habits

Standardisation: drilling through thick planks!


Changes in detail


Structural changes

▌ Principle: as little as possible, as much as necessary

▌ Unfortunately: some mixing of topics within clauses

Clause/annex mapping (2003 -> draft):

  5 -> 5 – Q&S Management
       6 – Requirements for special elements like tools
       7 – Safety Case Structure and Content
       8 – System safety acceptance
  A -> A – Safety Integrity Levels
  B -> B – Management of faults
  C -> C – HW component failure modes
  D -> D – empty
  E -> E – Techniques and measures
       F – Programmable components

▌ !! Reference table of the changes in Annex ZY !!


Improvements to figures

▌ EN 50129:2003

[Figure, old decision flow: START -> "At least 2 independent items?" -> "2 out of 2?", "3 out of 3?", "4 out of 4" -> "A single fault is non-hazardous", "A second / third / fourth fault could be hazardous", "A single fault could be hazardous" -> conditions in annex D.4 (1-6), D.4 (7-10), D.5(1) and D.5(3), D.5(2) and D.5(3) need to be fulfilled -> "Are these conditions fulfilled?" -> Accept / Reject -> END. Side branch "reactive fail safety?" -> conditions in annex C.4 need to be fulfilled.]

▌ Maintenance

[Figure, new decision flow: START -> "No hazardous failure mode plausible?" YES -> Inherent Fail-Safe, requirements provided in Annex C.4 (inherent fail-safety). NO -> "M-out-of-N redundancy (M≥2)?" NO -> "Without further mitigation a single fault could produce a hazardous output" -> Mitigation by test and fast reaction -> Reactive Fail-Safe, requirements in B.3.5.2. YES -> "No hazardous output by single fault": "A 2nd fault could be hazardous" -> Composite Fail-Safe, requirements and recommendations in B.3.3.1 and B.3.3.2; "A 2nd fault is not hazardous" (e.g. 3ooN, M-out-of-N with M≥3) -> requirements and recommendations in B.3.3.1 and B.3.3.3 -> END.]


Safety Management

▌ Largely unchanged

▌ Organisation: "back to the roots" -> VER/VAL

▌ New: section "Handling of SRAC" (definition, process, resolution)

[Figure: organisational independence of the roles DES, VER, VAL, PM and ISA, one panel for "SIL 1, SIL 2 and Basic Integrity" (DES, VAL, VER within the project team under the PM) and one for "SIL 3 and SIL 4" with two alternative structures ("VER, VAL | DES" under the PM, OR "DES | VER, VAL"), ISA in every case. Legend: "Can be the same person", "Can report to PM", "Shall not report to the PM".]


New: Clause 6 "Requirements for elements external to lifecycle"

▌ Pre-existing items

  Permissible forms of evidence:

  - "Hazardous failure modes incredible" or "re-qualification" or "external negation"

▌ Tools

  No T1/T2/T3 classification as in EN 50128

  Requirements on tools that can directly influence safety

  Evidence:

  - Hazard analysis

  - "Verification of tool output" or "Proven in use" or "Analysis and testing" or "Diversity"

▌ Physical security and IT security

  No specific requirements -> IT security standards

  Risk analysis, where not trivial

  Measures -> safety case

  Confidentiality for safety-related documents, including design documentation


Further clauses of the main body

▌ Modified: Clause 7 "The Safety Case: structure and content"

  Safety case and TSR structure unchanged!

  New section with requirements on the specific application safety case

  - More concrete and closer to practice

▌ Modified: Clause 8 "System safety acceptance and subsequent phases"

  Generic Product Safety Process only up to phase 7 (Manufacture)

  From phase 8 "Integration" onwards only for the Generic/Specific Application Safety Process


Annex A: example Fig. A.6 (new)

[Figure: fault tree for the hazard "Signalling System Failure", THR ≤ 6x10^-9/h. Top OR gate over "Part A Failure" and "Part B Failure"; below them "Subsystem X/Y/Z Failure", "Function A/B/C Failure", "Equipment Y1/Z1/Z2/Z3 Failure" and "Other" branches joined by OR gates; one AND gate annotated "Independency with respect to random faults", one annotated "Independency with respect to systematic and random faults" with "Fail-safe comparison and common functionalities" (Equipment Z1, Z2). Rates as they appear on the figure: 10^-10/h, 5x10^-10/h, 3x10^-9/h, 2x10^-9/h, 10^-9/h, 2x10^-10/h, 5x10^-11/h, 10^-7/h, 10^-6/h, "10^-10/h each, x10". SIL annotations: "SIL4 allocated and inherited (unless independency with respect to systematic and random faults demonstrated)", "SIL1 allocated", "SIL2 allocated".]

TFFR per hour and per function -> Safety Integrity Level:

  10^-9 ≤ TFFR < 10^-8   SIL 4
  10^-8 ≤ TFFR < 10^-7   SIL 3
  10^-7 ≤ TFFR < 10^-6   SIL 2
  10^-6 ≤ TFFR < 10^-5   SIL 1

New: Basic integrity


Modified: Annex A "Safety Integrity Levels"

▌ Aligned with EN 50126-2

▌ Process for allocating safety targets revised

  Requirements on the use of AND gates

  SIL allocation: when -> at system level and, where independence is fulfilled, further down as well

  New term: Total Functional (unsafe) Failure Rate, TFFR

▌ New: Basic integrity and non-safety-related (SIL 0 dropped)

  Basic integrity: safety-related, but THR ≥ 10^-5/h

  - Quality management requirements

  - Safety case, but no Technical Safety Report

  Non-safety-related: outside EN 50129
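As an added worked example (not from the slides and not the draft standard's own algorithm) of the allocation process sketched above, the following C program evaluates a small fault tree and allocates SILs from the TFFR table: OR gates add the input rates, an AND gate of two items uses the rare-event approximation λ1·λ2·(T1+T2), where T is an item's safe-down time (SDT, including negation) when its faults are detected and the installed lifetime when they are not, and the SIL allocated to the top function is inherited downward except below an AND gate whose inputs are demonstrably independent. The tree, its rates, the 1 h SDT, the 20-year lifetime and the treatment of the bands outside the printed table (TFFR below 10^-9/h kept at SIL 4, TFFR ≥ 10^-5/h as basic integrity) are assumptions of the example, not values taken from Fig. A.6.

```c
#include <stdio.h>

/* Constructed fault-tree model for the example; rates in 1/h, times in h.
   Not Fig. A.6 of the draft and not the standard's own algorithm. */
#define MAX_IN 4

typedef enum { LEAF, OR_GATE, AND_GATE } kind_t;

typedef struct node {
    const char *name;
    kind_t kind;
    double rate;        /* LEAF: failure rate lambda (1/h) */
    double exposure;    /* time a fault of this item can persist: SDT incl. negation if it
                           is detected, the installed lifetime if it is not (assumption) */
    int independent;    /* AND_GATE: independence of the inputs w.r.t. systematic and
                           random faults has been demonstrated */
    struct node *in[MAX_IN];
    int n_in;
    int sil;            /* filled by allocate_sil(); 0 stands for "basic integrity" */
} node_t;

/* Hazard rate of a node. OR: rare-event sum of the inputs. AND (two inputs): both items
   failed within each other's exposure window, lambda1*lambda2*(T1+T2) (assumption:
   the usual rare-event approximation). */
static double hazard_rate(const node_t *n) {
    double r = 0.0;
    int i;
    switch (n->kind) {
    case LEAF:
        return n->rate;
    case OR_GATE:
        for (i = 0; i < n->n_in; i++) r += hazard_rate(n->in[i]);
        return r;
    case AND_GATE:
        return hazard_rate(n->in[0]) * hazard_rate(n->in[1])
             * (n->in[0]->exposure + n->in[1]->exposure);
    }
    return 0.0;
}

/* TFFR band -> SIL, as in the table on the slide. Bands outside the printed table are
   assumptions: >= 1e-5/h is basic integrity (returned as 0, which the draft no longer
   calls SIL 0), < 1e-9/h is kept at SIL 4. */
static int sil_from_tffr(double tffr) {
    if (tffr >= 1e-5) return 0;
    if (tffr >= 1e-6) return 1;
    if (tffr >= 1e-7) return 2;
    if (tffr >= 1e-8) return 3;
    return 4;
}

/* The SIL is allocated to the system-level function and inherited downward. Only below
   an AND gate whose inputs are demonstrably independent may each input carry the SIL
   that follows from its own rate. */
static void allocate_sil(node_t *n, int inherited) {
    int i;
    n->sil = inherited;
    for (i = 0; i < n->n_in; i++) {
        int child = inherited;
        if (n->kind == AND_GATE && n->independent)
            child = sil_from_tffr(hazard_rate(n->in[i]));
        allocate_sil(n->in[i], child);
    }
}

/* Builds the example tree, returns the top hazard rate and the SILs that end up on the
   two inputs of the AND gate. detection: faults in Z1/Z2 are detected within a 1 h SDT,
   otherwise they persist for an assumed 20-year installed lifetime. */
double example(int detection, int independent, int *sil_z1, int *sil_z2) {
    double window = detection ? 1.0 : 20.0 * 8760.0;
    node_t x  = { "Subsystem X failure",  LEAF, 2e-9,  0.0,    0, {0}, 0, 0 };
    node_t y1 = { "Equipment Y1 failure", LEAF, 1e-9,  0.0,    0, {0}, 0, 0 };
    node_t yo = { "Subsystem Y other",    LEAF, 5e-10, 0.0,    0, {0}, 0, 0 };
    node_t z1 = { "Equipment Z1 failure", LEAF, 1e-7,  window, 0, {0}, 0, 0 };
    node_t z2 = { "Equipment Z2 failure", LEAF, 1e-6,  window, 0, {0}, 0, 0 };
    node_t y  = { "Subsystem Y failure",  OR_GATE,  0.0, 0.0, 0,           { &y1, &yo }, 2, 0 };
    node_t z  = { "Subsystem Z failure",  AND_GATE, 0.0, 0.0, independent, { &z1, &z2 }, 2, 0 };
    node_t top = { "Signalling system failure (hazard)", OR_GATE, 0.0, 0.0, 0, { &x, &y, &z }, 3, 0 };
    double thr = hazard_rate(&top);
    allocate_sil(&top, sil_from_tffr(thr));
    *sil_z1 = z1.sil;
    *sil_z2 = z2.sil;
    return thr;
}

int main(void) {
    const double budget = 6e-9;   /* THR target of the hazard, as on the slide's Fig. A.6 */
    int s1, s2, det, ind;
    for (det = 1; det >= 0; det--)
        for (ind = 1; ind >= 0; ind--) {
            double thr = example(det, ind, &s1, &s2);
            printf("detection=%d independence=%d: THR=%.3e/h (%s budget), top SIL %d, Z1 SIL %d, Z2 SIL %d\n",
                   det, ind, thr, thr <= budget ? "within" : "exceeds", sil_from_tffr(thr), s1, s2);
        }
    return 0;
}
```

With detection the AND gate contributes about 2x10^-13/h and the top function stays within the 6x10^-9/h budget at SIL 4, with Z1 and Z2 carrying SIL 2 and SIL 1 only if their independence is demonstrated (otherwise both inherit SIL 4). Without detection the same two items contribute about 3.5x10^-8/h and the budget is lost, which is the point of the 2003 requirement A.4.2.2.1 quoted on the Annex B slide.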


Significantly modified: Annex B "Management of faults..."

▌ Reduced to technical requirements

▌ Fundamental requirements unchanged

▌ Many detailed requirements from Annex D (informative) integrated

  Mü8004 formulas (k/1000) still present.

Excerpt (requirements from Annex A, material from Annex D "Supplementary technical information"; now normative, but softened with "should"):

B.3.3.2 Recommendations for SIL3/SIL4 composite fail-safety functions

The following requirements apply to single-fault detection in composite (2-out-of-n) fail-safety.

(=> 2003, A.4.2.2.1) In order to use AND combinations properly, each item shall have an independent failure detection and shut-down mechanism. If an item does not have such a mechanism, then accordingly the installed lifetime of the item has to be taken into account as seen above (see: "two independent items without detection").

1) Periodic tests for faults in all items should be implemented. The tests should be representative for all credible faults affecting the safe operation, and should be finished within a time < SDT. This time has to include the negation time (see next item 5) following detection of the single fault.

Detection of faults in integrated circuits should be compliant with Table D.1.


Table D.1 (old) -> B.1 (new)

▌ Table D.1 (informative)

  COMPONENT: 1 CPU, 1.1 Register

  MALFUNCTION: Any, for example dependency on combinations of data bits (pattern-sensitive fault)

  MEASURES: Using all registers (except initialisation registers) in all possible patterns (combinations of data bits). After initialising an initialisation register (e.g. interrupt control register), the correct initialised function needs to be tested. Registers greater than 8 bits may be tested by using all following combinations of data bits: 5555…H, 0AAAA…H, 3333…H, 9999…H, 0CCCC…H, 6666…H, etc.

▌ Table B.1 (normative – "should")

  COMPONENT: CPU – Register, Internal RAM

  FAILURE MODES: DC fault model for data and addresses; dynamic cross-over for memory cells; change of information (including those caused by soft-errors); no, wrong or multiple addressing

  MEASURES: One of the following diagnostic measures should be implemented depending on the architecture:

  - Comparator (HW): The signals of independent processing units are compared cyclically by a hardware comparator and enable the detection of a first fault. The comparator may itself be externally tested or inherently fail-safe.

  - Reciprocal comparison by software: Two processing units exchange data (including results, intermediate results and test data) reciprocally. A comparison of the data is carried out using software …

  etc.
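To make the measures of the Table D.1/B.1 excerpt concrete, here is an added C example (constructed for this page, not code from the standard or from Thales): a simulated 16-bit register with injectable stuck-at and coupling faults, a register test that applies all 2^n values to registers of up to 8 bits and the listed pattern set to wider ones, and a reciprocal software comparison in which two channels exchange their self-test verdict, an intermediate value and their intended result, and withhold the output on any mismatch. The register model, the fault types, the toy route-permission function and the exchange format are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated register with injectable faults; a stand-in for a real CPU register or
   internal RAM word (assumption of this example). */
typedef struct {
    uint16_t value;
    uint16_t stuck_mask;    /* bits stuck at the corresponding bit of stuck_value */
    uint16_t stuck_value;
    int couple_from;        /* pattern-sensitive (coupling) fault: a 1 in bit couple_from */
    int couple_to;          /* forces a 1 in bit couple_to; -1 = no coupling fault */
} sim_reg_t;

static void reg_write(sim_reg_t *r, uint16_t v) { r->value = v; }

static uint16_t reg_read(const sim_reg_t *r) {
    uint16_t v = (uint16_t)((r->value & ~r->stuck_mask) | (r->stuck_value & r->stuck_mask));
    if (r->couple_from >= 0 && ((v >> r->couple_from) & 1u))
        v |= (uint16_t)(1u << r->couple_to);
    return v;
}

/* Pattern set of Table D.1/B.1 for registers wider than 8 bit, written out for 16 bit.
   Across the six patterns every pair of adjacent bits sees all four 0/1 combinations. */
static const uint16_t PATTERNS[] = { 0x5555, 0xAAAA, 0x3333, 0x9999, 0xCCCC, 0x6666 };
#define N_PATTERNS (sizeof PATTERNS / sizeof PATTERNS[0])

/* Register test: all 2^width values for width <= 8, the pattern set otherwise.
   Returns -1 if every value reads back, else the first value that did not. */
int test_register(sim_reg_t *r, int width) {
    uint16_t saved = reg_read(r);
    int failed = -1;
    if (width <= 8) {
        unsigned p;
        for (p = 0; p < (1u << width) && failed < 0; p++) {
            reg_write(r, (uint16_t)p);
            if (reg_read(r) != p) failed = (int)p;
        }
    } else {
        size_t i;
        for (i = 0; i < N_PATTERNS && failed < 0; i++) {
            reg_write(r, PATTERNS[i]);
            if (reg_read(r) != PATTERNS[i]) failed = PATTERNS[i];
        }
    }
    reg_write(r, saved);   /* put the operational content back */
    return failed;
}

/* Data one channel hands to its partner: self-test verdict, an intermediate result and
   the output it intends to produce (the exchange format is an assumption of the example). */
typedef struct { int reg_test; uint16_t intermediate; int result; } exchange_t;

/* One processing cycle: register self-test, then a toy route-permission function
   (route permitted only if no section of the route is occupied). */
exchange_t channel_cycle(sim_reg_t *r, uint8_t occupancy, uint8_t route) {
    exchange_t x;
    x.reg_test = test_register(r, 16);
    x.intermediate = (uint16_t)(occupancy & route);
    x.result = (x.intermediate == 0);
    return x;
}

/* Reciprocal comparison by software (Table B.1): each channel checks the partner's data
   against its own; a failed self-test or any mismatch withholds the output (safe state). */
int reciprocal_compare(const exchange_t *mine, const exchange_t *partner) {
    if (mine->reg_test != -1 || partner->reg_test != -1) return 0;
    if (mine->intermediate != partner->intermediate) return 0;
    return mine->result == partner->result;
}

int main(void) {
    sim_reg_t chan_a = { 0, 0, 0, -1, -1 };   /* healthy channel */
    sim_reg_t chan_b = { 0, 0, 0, 0, 1 };     /* bit 0 -> bit 1 coupling fault */
    exchange_t xa = channel_cycle(&chan_a, 0x12, 0xC0);
    exchange_t xb = channel_cycle(&chan_b, 0x12, 0xC0);
    printf("channel A register test: %d (-1 = pass)\n", xa.reg_test);
    printf("channel B register test: pattern 0x%04X failed\n", (unsigned)xb.reg_test);
    printf("output permitted after reciprocal comparison: %d\n", reciprocal_compare(&xa, &xb));
    return 0;
}
```

The coupling fault is invisible to a plain read-back of whatever the register happens to hold; it only shows once pattern 0x5555 puts a 1 next to a 0, which is what the alternating pattern set is for. The comparison uses the self-test verdict as part of the exchanged data, so a channel that fails its own test is taken out of the 2oo2 decision even when its computed result happens to agree.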


Annex C and D

▌ Annex C "... HW component failure modes"

  Largely unchanged

  Editorial revision of tables and individual sections

  "Integrated circuits" revised more substantially

  - Differentiation by SIL

  Some new failure modes (e.g. colour change in multi-colour LEDs)

▌ Annex D (previously "Supplementary technical information")

  Empty - integrated into other parts -


Annex E – tables on "Techniques and Measures...", SIL-dependent

▌ Now normative!

  Structural alignment with EN 50128 (normative Annex A there)

▌ Individual tables integrated into the main body, e.g. Table 1: Safety Planning

▌ Heavily revised

  New: "Approved combinations" introduced

  New: explanations of the methods where useful (e.g. "structured specification")

  Changes, example proven in use:

  - "High confidence" -> "statistical confidence"

  - Quantitative requirements tightened: "For field experience to apply, the following requirements should be fulfilled: 1 – unchanged specification; 2 – at least 10 systems in different applications; 3 – at least 10^5 operating hours and at least one year of service history. 4"


New: Annex F (informative) – "Guidance on Programmable Components"

[Figure: Programmable Component (PC) = PC hardware + PC logic]

▌ -> FPGA, EPLD... (VHDL...)

▌ EN 50128 applicable only with heavy modification

▌ Distinction between simple and complex applications

▌ Complex: process with tables similar to EN 50128 (incl. descriptions)

Table F.4 – Design (including all activities pre-synthesis), excerpt:

  Technique/Measure | SIL1 | SIL2 | SIL3 | SIL4 | Typical V-cycle phase allocation
  1 Structured description | HR | HR | HR | HR | Requirements, Architecture and Design
  2 Design description in HDL | HR | HR | HR | HR | Component Coding
  3 Schematic entry | - | - | NR | NR | Component Design
  4a For circuit descriptions that use boolean equations: manual inspection in designs with limited (low) complexity | HR | HR | HR | HR | Component Testing

[Figure: Logic Component Lifecycle (PC life-cycle) next to the HW life-cycle. Phases and deliverables:
  Planning: DP Development Plan, VerP Verification Plan, ValP Validation Plan, QAP Quality Assurance Plan, CMP Configuration Management Plan
  PC Requirements Phase: DES PC Requirements Specification
  PC Architecture and Design Phase: DES PC Architecture & Design Specification; TST PC Requirement & Integration Test Specification; VER PC Requirements, Architecture & Design Verification Report
  Logic Component Design Phase: DES Logic Component Design Description; TST Logic Component Test Specification; VER Logic Component Verification Report
  Logic Component Coding Phase: DES Source Code and supporting documentation; VER Logic Source Code Verification Report
  Logic Component Testing Phase: TST Logic Component Test Report
  PC Physical Implementation Phase: DES PC Placement & Routing, Synthesis and Programming files; VER Physical Implementation Verification Report
  PC Integration Phase: VER PC Requirements & Integration Test Report
  PC Validation Phase: VAL PC Validation Report
  Interfaces to the HW life-cycle: Hardware Requirements & Architecture Phase; HW or SW/HW Integration Phase.
  Legend: VAL Validator; VER Verifier; TST Tester (incl. Integrator); DES Designer (incl. Implementer)]



Closing remarks

[Figure: the optimum as a balance between conversion effort, beautification and improvement of the content, repeated from the "Framework conditions" slide]

▌ Enquiry!