Normung konkret (standardisation in practice): the maintenance of EN... (transcript of the slides)
14.11.2016, Dr. M. Notter, Thales Transportation Systems GmbH (template 87204467-DOC-GRP-EN-002)
Overview
▌ General information on the update
▌ Changes in detail
▌ Closing remarks
Development of EN 50129
[Figure: lineage of the standard. ENV 50129:1999, Mü8004 and EN 50126:1999 lead to EN 50129:2003; the Draft EN 50129:2016 is shown next to prEN 50126-4 of the prEN 50126-1 to -5 series (prEN 50126-1/2, prEN 50126-3, prEN 50126-4, prEN 50126-5). The figure also shows the hazard/THR chain from EN 50126: System Definition, Hazard Identification, Consequence Analysis, Risk Estimation and THR Allocation (Risk Analysis, Railway Authority's responsibility), then Causal Analysis, Common Cause Analysis, SIL Allocation and Hazard Control (Supplier's responsibility), with potential new hazards fed back; "H" and "THR" mark the hazards and their tolerable hazard rates handed over between the two.]
Full title: Railway applications – Communication, signalling and processing systems – Safety related electronic systems for signalling
Schedule
[Figure: timeline of the milestones New Work Item Proposal, Draft for Enquiry, Draft for Vote; dates not recoverable from the transcript]
Framework conditions
▌ Better alignment with CENELEC rules
▌ Improvements in content
▌ New EN 50126-1/2 (WG A21)
▌ Consistency with other existing standards (EN 50128)
▌ Technical and normative developments since 2000
▌ Informative -> normative (where proven in practice)
▌ Cosmetic corrections
[Figure: trade-off triangle between migration effort, cosmetic improvement and improvement in content, with the optimum somewhere in between]
▌ EN 50129, 2003 edition: still largely up to date today,
but
WG A15 Members
▌ Convenor: A. Ciancabilla, RFI
▌ Secretary: C. Hilgers, DB AG
[Figure: map with the number of members per country (values between 1 and 5 shown; the assignment to countries is not recoverable from the transcript)]
Challenges
▌ Volume of material
▌ Discussions
▌ Number of participants
▌ Languages
▌ Habits
Standardisation means drilling through thick boards (slow, hard work)!
Changes in detail
Structural changes
▌ Principle: as little as possible, as much as necessary
▌ Unfortunately: some mixing of topics within sections
New structure (old clause/annex number -> new, where shown on the slide):
5 -> 5 – Q&S (quality and safety) management
6 – Requirements for special elements such as tools
7 – Safety Case structure and content
8 – System safety acceptance
A -> A – Safety integrity levels
B -> B – Management of faults
C -> C – HW component failure modes
D -> D – empty
E -> E – Techniques and measures
F – Programmable components
▌ !! Reference table of the changes in Annex ZY !!
Improvements to figures
▌ EN 50129:2003
[Figure: decision flowchart of the 2003 edition. START: "At least 2 independent items?" NO: a single fault could be hazardous; "reactive fail safety?" YES: conditions in annex D.4 (7-10) need to be fulfilled; NO: conditions in annex C.4 need to be fulfilled. YES: a single fault is non-hazardous; "2 out of 2?": a second fault could be hazardous, conditions in annex D.4 (1-6) need to be fulfilled; "3 out of 3?": a third fault could be hazardous, conditions in annex D.5(1) and D.5(3) need to be fulfilled; 4 out of 4: a fourth fault could be hazardous, conditions in annex D.5(2) and D.5(3) need to be fulfilled. Every branch ends in "Are these conditions fulfilled?" YES: Accept, END; NO: Reject, END.]
▌ Maintenance
[Figure: redrawn flowchart of the draft. START: "No hazardous failure mode plausible?" YES: Inherent Fail-Safe, requirements provided in Annex C.4 (inherent fail-safety). NO: "M-out-of-N redundancy (M≥2)?" NO: without further mitigation a single fault could produce a hazardous output; mitigation by test and fast reaction: Reactive Fail-Safe, requirements in B.3.5.2. YES: no hazardous output by a single fault; "A 2nd fault could be hazardous?" YES: Composite Fail-Safe, requirements and recommendations in B.3.3.1 and B.3.3.2; NO (a 2nd fault is not hazardous, e.g. 3ooN, i.e. M-out-of-N redundancy with M≥3): requirements and recommendations in B.3.3.1 and B.3.3.3. END.]
Safety Management
▌ Largely unchanged
▌ Organisation:
"back to the roots" -> VER/VAL
▌ New: section "Handling of SRAC" (safety-related application conditions)
Definition, process, resolution
[Figure: organisational independence by SIL. SIL 1, SIL 2 and Basic Integrity: DES, VER and VAL can be the same person and can report to the PM. SIL 3 and SIL 4: DES is part of the project team and reports to the PM; VER and VAL shall not report to the PM (two alternative organisations shown, "OR"); an ISA is shown in each variant.]
New: Clause 6 "Requirements for elements external to lifecycle"
▌ Pre-existing items
Admissible ways of demonstrating safety:
- "hazardous failure modes incredible" or "re-qualification" or "external negation"
▌ Tools
No T1/T2/T3 classification as in EN 50128
Requirements for tools that can directly influence safety
Demonstration:
- hazard analysis
- "verification of tool output" or "proven in use" or "analysis and testing" or "diversity"
▌ Physical security and IT security
No specific requirements in EN 50129 itself -> refer to the IT-security standards
Risk analysis, unless trivial
Measures -> into the safety case
Confidentiality of safety-related documents, including the design documentation
Further clauses of the main body
▌ Modified: Clause 7 "The Safety Case: structure and content"
Structure of the safety case and of the Technical Safety Report (TSR) unchanged!
New section with requirements for the specific safety case
- more concrete and closer to practice
▌ Modified: Clause 8 "System safety acceptance and subsequent phases"
Generic Product Safety Process only up to Phase 7 (Manufacture)
From Phase 8 "Integration" onwards only for the Generic/Specific Application Safety Process
Annex A: example Fig. A.6 (new)
[Figure: fault tree for the hazard "Signalling System Failure" with THR ≤ 6x10^-9/h. OR gates combine Part A Failure and Part B Failure, the failures of Function A, Function B and Function C, and the failures of Subsystems X, Y and Z down to equipment level (Equipment Y1, Z1, Z2, Z3 and "Other"). Rates shown in the tree: 10^-10/h, 5x10^-10/h, 3x10^-9/h, 2x10^-9/h, 10^-9/h, 10^-6/h, 2x10^-10/h, 10^-7/h, 5x10^-11/h, and 10 equipments of Subsystem X at 10^-10/h each (x10). An AND gate over the Equipment Z1 and Z2 failures (10^-7/h and 10^-6/h shown beside them) is annotated "Independency with respect to random faults"; a second AND gate is annotated "Independency with respect to systematic and random faults"; Equipment Z3 is labelled "Fail-safe comparison and common functionalities" next to 5x10^-11/h. SIL annotations: "SIL 4 allocated and inherited (unless independency with respect to systematic and random faults demonstrated)", "SIL 1 allocated", "SIL 2 allocated".]
TFFR per hour and per function | Safety Integrity Level
10^-9 ≤ TFFR < 10^-8 | 4
10^-8 ≤ TFFR < 10^-7 | 3
10^-7 ≤ TFFR < 10^-6 | 2
10^-6 ≤ TFFR < 10^-5 | 1
New: Basic integrity
Modified: Annex A "Safety Integrity Levels"
▌ Aligned with EN 50126-2
▌ Process for allocating safety targets revised
Requirements for the use of AND gates
SIL allocation: when -> at system level and, if applicable, further down where independence is fulfilled
New term: Total Functional (unsafe) Failure Rate, TFFR
▌ New: Basic integrity and non-safety-related (SIL 0 is dropped)
Basic integrity: safety-related, but THR ≥ 10^-5/h
- requirements for quality management
- safety case, but no Technical Safety Report
Non-safety-related: outside the scope of EN 50129
Significantly modified: Annex B "Management of faults..."
▌ Reduced to technical requirements
▌ Fundamental requirements unchanged
▌ Many detailed requirements from Annex D (informative) integrated
Mü8004 formulae (k/1000) still present.
Excerpt from the draft, as shown on the slide:
B.3.3.2 Recommendations for SIL3/SIL4 composite fail-safety functions
The following requirements apply to single-fault detection in composite (2-out-of-n) fail-safety.
[from the 2003 edition, A.4.2.2.1:] In order to use AND combinations properly each item shall have an independent failure detection and shut-down mechanism. If an item does not have such a mechanism, then accordingly the installed lifetime of the item has to be taken into account as seen above (see: "two independent items without detection").
1) Periodic tests for faults in all items should be implemented. The tests should be representative for all credible faults affecting the safe operation, and should be finished within a time < SDT (safe down time). This time has to include the negation time (see next item 5) following detection of the single fault.
Detection of faults in integrated circuits should be compliant with Table D.1.
Annotations on the slide: now normative, but softened with "should"; taken from Annex D ("Supplementary technical information"); requirements from Annex A.
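The two slides above (the Annex A fault tree with its TFFR/SIL table, and the Annex B passage on single-fault detection within the SDT versus the installed lifetime) describe a calculation without carrying it out. The following Python script is an added example, not code from the slides, from Thales or from EN 50129: it quantifies a small constructed fault tree bottom-up (OR gate: sum of the input rates; AND gate: coincidence of two independent faults, rate ≈ λA·λB·(TA+TB), where TA and TB are the windows in which a first fault in that channel stays undetected and un-negated), maps the result onto the SIL bands of the table, and contrasts a 2oo2 pair whose single faults are detected within an SDT with the same pair without detection. The AND-gate formula is the usual rare-event approximation from reliability theory, not a formula copied from the standard; the basic-integrity threshold of 10^-5/h is taken from the Annex A slide; all names, rates and windows are assumptions.

```python
"""Fault-tree quantification and SIL allocation (added example).

Not taken from the slides or from EN 50129.  OR gate: sum of input rates
(rare-event approximation).  AND gate: coincidence of two independent
faults, rate ~ la*lb*(Ta+Tb); Ta/Tb is the time a first fault in that
channel remains undetected and un-negated.  This is the usual
reliability-theory approximation, not the standard's text.  All names,
rates and windows below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Union

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Event:
    """Basic event: hazardous failure rate of one item, per hour."""
    name: str
    rate: float


@dataclass(frozen=True)
class Gate:
    """kind is "OR" or "AND".  For AND gates, exposure[i] is the window
    (hours) in which a first fault in input i stays undetected, and
    independent records that independence w.r.t. random faults has been
    demonstrated (the slide's precondition for using an AND gate)."""
    kind: str
    inputs: List["Node"]
    exposure: Optional[List[float]] = None
    independent: bool = False


Node = Union[Event, Gate]


def hazard_rate(node: Node) -> float:
    """Hazardous failure rate (per hour) of a node, computed bottom-up."""
    if isinstance(node, Event):
        return node.rate
    if node.kind == "OR":
        return sum(hazard_rate(i) for i in node.inputs)
    if node.kind != "AND":
        raise ValueError(f"unknown gate kind {node.kind!r}")
    if not node.independent:
        raise ValueError("AND gate without demonstrated independence")
    if len(node.inputs) != 2 or node.exposure is None or len(node.exposure) != 2:
        raise ValueError("this example models two-input AND gates only")
    la, lb = (hazard_rate(i) for i in node.inputs)
    ta, tb = node.exposure
    # First fault in A and second in B within Ta, or first in B and second in A within Tb.
    return la * lb * (ta + tb)


def sil_band(tffr: float) -> str:
    """Band of the Annex A table for a per-function TFFR (per hour).
    THR >= 1e-5/h is 'basic integrity' (slide on Annex A); below 1e-9/h
    the table assigns no band."""
    if tffr >= 1e-5:
        return "basic integrity"
    for lo, hi, sil in ((1e-9, 1e-8, "SIL 4"), (1e-8, 1e-7, "SIL 3"),
                        (1e-7, 1e-6, "SIL 2"), (1e-6, 1e-5, "SIL 1")):
        if lo <= tffr < hi:
            return sil
    return "below 1e-9/h (no band in the table)"


def composite_pair(item_rate: float, exposure_h: float) -> float:
    """2oo2 composite fail-safe pair: each channel fails dangerously at
    item_rate; a single fault is detected and negated within exposure_h
    (the SDT when detection exists, the installed lifetime when it does not)."""
    pair = Gate("AND", [Event("channel A", item_rate), Event("channel B", item_rate)],
                exposure=[exposure_h, exposure_h], independent=True)
    return hazard_rate(pair)


def example_tree() -> Gate:
    """Constructed tree in the style of Fig. A.6: the hazard is the OR of
    three function failures; Function C is a detected 2oo2 pair."""
    function_a = Gate("OR", [Event(f"X{i}", 1e-10) for i in range(10)])  # 1e-9/h
    function_b = Event("Y1", 2e-9)
    function_c = Gate("AND", [Event("Z1", 1e-6), Event("Z2", 1e-7)],
                      exposure=[1.0, 1.0], independent=True)           # 2e-13/h
    return Gate("OR", [function_a, function_b, function_c])


if __name__ == "__main__":
    thr = hazard_rate(example_tree())
    print(f"top event: {thr:.4e}/h -> {sil_band(thr)}")
    for label, window in (("detected within SDT = 0.1 h", 0.1),
                          ("undetected over a 20-year lifetime", 20 * HOURS_PER_YEAR)):
        r = composite_pair(1e-4, window)
        print(f"2oo2 pair, {label}: {r:.3e}/h -> {sil_band(r)}")
```

Run as a script it prints the top-event rate of the constructed tree (3.0002x10^-9/h, SIL 4 band) and then the point of the Annex B passage: with each channel failing dangerously at 10^-4/h, a pair whose single faults are negated within 0.1 h lands at 2x10^-9/h, while the same pair without detection, exposed over a 20-year installed lifetime, lands at about 3.5x10^-3/h, far outside every SIL band.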
Table D.1 (old) → B.1 (new)
▌ Table D.1 (informative)
COMPONENT | MALFUNCTION | MEASURES
1 CPU | |
1.1 Register | Any, for example dependency on combinations of data bits (pattern-sensitive fault) | Using all registers (except initialisation registers) in all possible patterns (combinations of data bits). After initialising an initialisation register (e.g. interrupt control register), the correct initialised function needs to be tested. Registers greater than 8 bits may be tested by using all following combinations of data bits: 5555...H, AAAA...H, 3333...H, 9999...H, CCCC...H, 6666...H, etc.
▌ Table B.1 (normative – "should")
COMPONENT | FAILURE MODES | MEASURES
CPU: Register, Internal RAM | DC fault model for data and addresses; dynamic cross-over for memory cells; change of information (including those caused by soft errors); no, wrong or multiple addressing | One of the following diagnostic measures should be implemented depending on the architecture: - Comparator (HW): the signals of independent processing units are compared cyclically by a hardware comparator and enable the detection of a first fault. The comparator may itself be externally tested or inherently fail-safe. - Reciprocal comparison by software: two processing units exchange data (including results, intermediate results and test data) reciprocally. A comparison of the data is carried out using software ... etc.
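Table D.1 lists the register test patterns without saying what they do and do not catch. The following Python script is an added example, not code from the slides, from Thales or from the standard: it models a 16-bit register into which a stuck-at fault or a bit-coupling (pattern-sensitive) fault can be injected, runs the write/read-back pattern test with the six patterns from the table, and adds a coverage check that lists the bit pairs a pattern set can never tell apart. The six table patterns repeat every four bits, so a coupling between bit 0 and bit 4 is invisible to them; EXTRA_PATTERNS (0F0F/F0F0, 00FF/FF00) is an assumed extension of the table's "etc." that closes that gap for 16-bit registers. The register model and the injected faults are constructed for the demonstration.

```python
"""Register pattern test (added example, not from EN 50129).

A 16-bit register with injectable stuck-at and bit-coupling faults, the
pattern test from Table D.1/B.1 run against it, and a coverage check
that tells which bit pairs a pattern set can never separate.  The six
patterns are the ones listed in the table; EXTRA_PATTERNS is an assumed
extension; all faults are constructed for the demonstration.
"""
from typing import Dict, List, Sequence, Tuple

WIDTH = 16
MASK = (1 << WIDTH) - 1
TABLE_PATTERNS = [0x5555, 0xAAAA, 0x3333, 0x9999, 0xCCCC, 0x6666]
EXTRA_PATTERNS = [0x0F0F, 0xF0F0, 0x00FF, 0xFF00]   # assumption, not in the table


class Register:
    """16-bit register.  stuck_at maps bit -> forced value; coupled lists
    (aggressor, victim) pairs where writing the aggressor bit overwrites
    the victim bit (a pattern-sensitive fault)."""

    def __init__(self, stuck_at: Dict[int, int] = None,
                 coupled: Sequence[Tuple[int, int]] = ()):
        self.value = 0
        self.stuck_at = dict(stuck_at or {})
        self.coupled = list(coupled)

    def write(self, v: int) -> None:
        v &= MASK
        for agg, vic in self.coupled:          # victim follows the aggressor bit
            v = (v & ~(1 << vic)) | (((v >> agg) & 1) << vic)
        for bit, forced in self.stuck_at.items():
            v = (v & ~(1 << bit)) | (forced << bit)
        self.value = v & MASK

    def read(self) -> int:
        return self.value


def pattern_test(reg: Register,
                 patterns: Sequence[int] = TABLE_PATTERNS) -> List[Tuple[int, int]]:
    """Write each pattern and read it back; returns the (written, read)
    pairs that mismatched.  An empty list means the register passed."""
    failures = []
    for p in patterns:
        reg.write(p)
        got = reg.read()
        if got != p:
            failures.append((p, got))
    return failures


def untoggled_bits(patterns: Sequence[int], width: int = WIDTH) -> List[int]:
    """Bits that never take both 0 and 1 across the patterns: a stuck-at
    fault there cannot be seen by the test."""
    return [b for b in range(width) if len({(p >> b) & 1 for p in patterns}) < 2]


def uncovered_pairs(patterns: Sequence[int], width: int = WIDTH) -> List[Tuple[int, int]]:
    """Bit pairs that hold the same value in every pattern: a coupling
    fault between them cannot be seen by the test."""
    pairs = []
    for i in range(width):
        for j in range(i + 1, width):
            if all(((p >> i) & 1) == ((p >> j) & 1) for p in patterns):
                pairs.append((i, j))
    return pairs


if __name__ == "__main__":
    print("healthy register:", pattern_test(Register()))
    print("bit 3 stuck at 0:", pattern_test(Register(stuck_at={3: 0})))
    print("bit 4 coupled to bit 0, table patterns:",
          pattern_test(Register(coupled=[(0, 4)])))
    print("same fault, table + extra patterns:",
          pattern_test(Register(coupled=[(0, 4)]), TABLE_PATTERNS + EXTRA_PATTERNS))
    print("pairs the table patterns cannot separate:", uncovered_pairs(TABLE_PATTERNS))
    print("with the extra patterns:", uncovered_pairs(TABLE_PATTERNS + EXTRA_PATTERNS))
```

The stuck-at fault is caught by every pattern that drives the affected bit to the opposite value (three of the six table patterns for bit 3), while the bit-0/bit-4 coupling passes all six table patterns and only fails once a pattern in which bits 0 and 4 differ is added; uncovered_pairs makes that blind spot visible before a fault ever occurs, which is the check a reviewer would run on any pattern set claimed to satisfy the table.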
Annex C and D
▌ Annex C "... HW component failure modes"
Largely unchanged
Editorial revision of tables and individual sections
"Integrated circuits" revised more thoroughly
- differentiation by SIL
Individual new failure modes (e.g. colour change of a multi-colour LED)
▌ Annex D (previously "Supplementary technical information")
Empty - integrated into other parts
Annex E – tables on "Techniques and Measures...", SIL-dependent
▌ Now normative!
Structural alignment with EN 50128 (normative Annex A there)
▌ Individual tables integrated into the main body, e.g. Table 1: Safety Planning
▌ Heavily revised
New: "approved combinations" introduced
New: explanations of the methods where useful (e.g. "structured specification")
Changes, example proven in use:
- "high confidence" -> "statistical confidence"
- quantitative requirements tightened:
"For field experience to apply, the following requirements should be fulfilled: 1 – unchanged specification; 2 – at least 10 systems in different applications; 3 – at least 10^5 operating hours and at least one year of service history. 4 [cut off on the slide]"
New: Annex F (informative) – "Guidance on Programmable Components"
[Figure: a Programmable Component (PC) consists of PC logic and PC hardware]
▌ -> FPGA, EPLD ... (VHDL ...)
▌ EN 50128 applicable only with heavy modification
▌ Distinction between simple and complex applications
▌ Complex: process with tables similar to EN 50128 (including descriptions)
Table F.4 – Design (including all activities pre-synthesis), excerpt:
Technique/Measure | SIL1 | SIL2 | SIL3 | SIL4 | Typical V-cycle phase allocation
1 Structured description | HR | HR | HR | HR | Requirements, Architecture and Design
2 Design description in HDL | HR | HR | HR | HR | Component Coding
3 Schematic entry | - | - | NR | NR | Component Design
4a For circuit descriptions that use boolean equations: manual inspection in designs with limited (low) complexity | HR | HR | HR | HR | Component Testing
[Figure: Logic Component Lifecycle. The PC life-cycle is embedded in the HW life-cycle between the Hardware Requirements & Architecture Phase and the HW or SW/HW Integration Phase. Phases and deliverables: Planning (DP: Development Plan; VerP: Verification Plan; ValP: Validation Plan; QAP: Quality Assurance Plan; CMP: Configuration Management Plan); PC Requirements Phase (DES: PC Requirements Specification); PC Architecture and Design Phase (DES: PC Architecture & Design Specification; TST: PC Requirement & Integration Test Specification; VER: PC Requirements, Architecture & Design Verification Report); Logic Component Design Phase (DES: Logic Component Design Description; TST: Logic Component Test Specification; VER: Logic Component Verification Report); Logic Component Coding Phase (DES: Source Code and supporting documentation; VER: Logic Source Code Verification Report); Logic Component Testing Phase (TST: Logic Component Test Report); PC Physical Implementation Phase (DES: PC Placement & Routing, Synthesis and Programming files; VER: Physical Implementation Verification Report); PC Integration Phase (VER: PC Requirements & Integration Test Report); PC Validation Phase (VAL: PC Validation Report). Legend: VAL: Validator; VER: Verifier; TST: Tester (incl. Integrator); DES: Designer (incl. Implementer).]
Closing remarks
[Figure: the trade-off triangle from the "framework conditions" slide once more: migration effort, cosmetic improvement, improvement in content, with the optimum in between]