
GB/T 21562.2-2015 PDF in English



GB/T 21562.2-2015
GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 45.060
S 04

Railway applications - Specification and demonstration of reliability, availability, maintainability and safety (RAMS) - Part 2: Guide to the application for safety

ISSUED ON: DECEMBER 31, 2015
IMPLEMENTED ON: JULY 01, 2016
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of the People's Republic of China.

Table of Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
  3.1 Explanation of terms and definitions used in GB/T 21562-2008
  3.2 Other safety terms
  3.3 Abbreviations
4 Guidelines for the concept of related organizations/entities and systems hierarchy and safety
  4.1 Overview
  4.2 Related organizations/entities in the system
  4.3 Concepts of system level
  4.4 Safety concept
5 General risk models and common functional hazard checklists for typical railway application systems
  5.1 Overview
  5.2 General risk model
  5.3 Risk assessment process
  5.4 Application of risk assessment process
  5.5 General function hazard checklist
6 Application guidelines for functional safety, functional safety requirements, SI objectives, risk apportionment, and SIL
  6.1 Overview
  6.2 Functional safety and technical safety
  6.3 General considerations for risk apportionment
  6.4 SI concept and SIL application
  6.5 Fault-safety system guideline
7 Safety proof guide combined with probabilistic and deterministic methods
  7.1 Overview
  7.2 Safety argument
  7.3 Deterministic methods
  7.4 Probabilistic methods
  7.5 Combining deterministic and probabilistic methods
  7.6 Methods for mechanical and hybrid (mechatronic) systems
8 Guidelines for risk acceptance principle
  8.1 Overview
  8.2 Application of risk acceptance principle
  8.3 ALARP principle
  8.4 GAMAB (GAME) principle
  8.5 MEM (minimum endogenous mortality) safety principle (see D.3 in GB/T 21562-2008)
9 Basic element guide related to safety proof documents (safety arguments)
  9.1 Overview
  9.2 Use of safety arguments
  9.3 Scope of safety arguments
  9.4 Levels of safety argument
  9.5 Stages of safety argument
  9.6 Safety argument structure
  9.7 Safety assessment
  9.8 Interface with existing systems
  9.9 System mutual recognition criteria
Appendix A (Informative) Steps of risk assessment process
  A.1 System definition
  A.2 Hazard identification
  A.3 Hazard records
  A.4 Consequence analysis
  A.5 Hazard control
  A.6 Risk rating
Appendix B (Informative) Hazard checklist at the railway application system level
  B.1 Overview
  B.2 Examples of hazard classification based on affected people
  B.3 Example of function-based hazard classification
Appendix C (Informative) Risk category classification method
  C.1 Functional subdivision method (a)
  C.2 System (constitution) decomposition method (b)
  C.3 Hazard breakdown method (c)
  C.4 Subdivision methods based on hazard cause (d)
  C.5 Subdivision methods based on accident types (e)
Appendix D (Informative) British railway system risk model diagram
  D.1 Building a risk model
  D.2 Illustrative examples of the UK railway risk model
Appendix E (Informative) Technology and methods
  E.1 Overview
  E.2 Fast rating analysis
  E.3 Structured assumption analysis
  E.4 HAZOP
  E.5 Status transition diagram
  E.6 Message sequence diagram
  E.7 Failure mode effect and criticality analysis - FMECA
  E.8 Event tree analysis
  E.9 Fault tree analysis
  E.10 Risk map method
  E.11 Other analysis techniques
  E.12 Guide for deterministic method and probabilistic method
  E.13 Selection of tools and methods
Appendix F (Informative) Graphical representation of availability concepts
Appendix G (Informative) Example of establishing risk acceptance criteria
  G.1 Example of ALARP application
  G.2 Copenhagen subway
Appendix H (Informative) Example of safety argument overview
  H.1 Locomotive and rolling stock
  H.2 Signal
  H.3 Infrastructure
References

1 Scope

1.1 This part of GB/T 21562 gives guidance on the safety process requirements for railway application systems specified in GB/T 21562-2008, and on the specific issues involved in the safety activities at the various stages of the system life cycle (see 1.3). This part applies to all systems covered by the scope of GB/T 21562-2008. This part assumes that users are familiar with safety issues, but that GB/T 21562-2008 lacks detailed guidance on certain of them.

1.2 GB/T 21562-2008 is the basic top-level RAMS standard for the system. This part supplements GB/T 21562-2008 and applies only to the safety issues stated in 1.3.

1.3 This part only gives guidance on the following issues within the scope of GB/T 21562-2008:
a) The establishment of top-level generic risk models for the overall railway application system down to its major components (such as signalling, rolling stock and infrastructure), and the definition of the model components and their interactions;
b) The establishment of general function hazard checklists for railway application systems (including high-speed lines, light rail and subways);
c) The application of the risk acceptance principles in GB/T 21562-2008;
d) Application and examples of qualitative assessment of functional safety and tolerable risk in railway application systems;
e) The functional safety requirements and the definitions for assigning safety objectives to the subsystems (e.g. railway vehicles, door systems, braking systems);
f) The application of safety integrity levels at all stages of the system's life cycle;

......

Failures due to errors in any safety life cycle activity, within any phase, which cause it to fail under some particular combination of inputs or under some particular environmental condition.
[GB/T 21562-2008, Definition 3.42]

GB/T 20438.4-2006 gives a different definition of this term, but there is no substantial difference between the two. It is defined there as: a failure related deterministically to a certain cause, which can only be eliminated by modifying the design or manufacturing process, operating procedures, documentation or other related factors.
Note 1: Corrective maintenance without modification usually cannot eliminate the cause of the failure.
Note 2: A systematic failure can be reproduced by simulating its cause.
Note 3: Examples of systematic failures include human errors in:
- Safety requirements specifications;
- Hardware design, manufacture, installation and operation;
- Software design and implementation.
Note 4: The failures of safety-related systems are classified into two types: random failures and systematic failures.
3.1.12 Tolerable risk
The maximum level of risk of a product that is acceptable to the railway authority.
[GB/T 21562-2008, Definition 3.43]

The railway authority (RA) is responsible for negotiating the risk acceptance criteria and the risk acceptance level with the safety regulatory authority (SRA) and providing them to the railway support industry (RSI) (see 5.3.2). The risk acceptance level is usually defined by the SRA or negotiated between the RA and the SRA, and depends on national laws or regulations.

3.2 Other safety terms
This clause lists the safety terms not defined in GB/T 21562-2008 but used in

......

Although each has a different meaning, these terms are closely related to each other. To avoid misunderstandings, the following differences between these terms shall be considered:
- Failure is the termination of an item's ability to perform a required function;
Note 1: After a failure occurs, the item has a fault.
Note 2: "Failure" is an event, as distinct from "fault", which is a state.
- A fault is the state of an item characterized by its inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources;
Note 3: A fault is usually the cause of the item's own failure, but it can also exist without causing any failure.
- An error is the discrepancy between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition;
Note 4: Errors may be caused by a faulty item, such as a computation error caused by faulty computer equipment.
- A human error or mistake is a human action that produces an unintended result.

A fault may be an incorrect signal value or an incorrect decision in the system. If a fault occurs, its resulting errors (such as incorrect information or an incorrect system state) may affect the system.
If the functional unit is no longer able to perform the required function, a failure occurs; that is, the failure is the result of internal errors or faults and is observable at the system boundary. Errors or faults do not necessarily lead to failures; for example, internal error checking can correct errors. Failure is therefore purely a functional concept: it relates to the effect and has nothing to do with the physical integrity of the item.

3.2.8 Functional safety
The part of safety that depends on the system functioning correctly in response to external stimuli, under normal operating conditions and in fault modes (see 6.2).

3.2.9 SRA: Safety Regulatory Authority (as defined in 3.1.7)
THR: Tolerable Hazard Rate, also known as the hazard occurrence rate at which the risk caused by the hazard is at an acceptable level (usually judged acceptable by the recognized organizations, e.g. by negotiation between RA, RSI and SRA, or by the SRA itself).

4 Guidelines for the concept of related organizations/entities and systems hierarchy and safety

4.1 Overview
Considering the interaction of the system and its environment, GB/T 21562-2008 defines safety as "freedom from unacceptable risk of harm". This definition covers all aspects of safety, including functional and technical safety, health and safety issues, and human factors. Clause 4 describes the relevant organizations/entities in the railway application system. It further explains some basic concepts (such as risk, hazard, harm and safety) in terms of system level, safety and risk assessment. It supplements the railway application RAMS analysis and the influencing factors given in 4.3 and 4.4 of GB/T 21562-2008.

4.2 Related organizations/entities in the system
Depending on the social/policy environment and the organizational/management structure associated with the railway application system, several organizations/entities may perform different functions in each phase of the system life cycle.
For the purpose of guidance, the organizations/entities are divided into three major categories (as defined in GB/T 21562-2008), as shown below (see also 3.1.7):
- RA (infrastructure manager and/or railway operator);
- SRA (safety regulatory authority);
- RSI (system vendor/installer/manufacturer).

The roles and responsibilities of these organizations may change, or may be outsourced to other participants or subcontractors, depending on:
- Social, policy or legal considerations;
- Size and complexity of the relevant system or subsystem;

......

System functions are the activities performed by the system as a whole. Function and structure are internal views that reflect the characteristics of the system and are related to the organization/entity responsible for system design. The environment consists of any object that affects or is affected by the system:
- Any object that is mechanically or electrically connected to the system, or connected by other means, such as electromagnetic interference and heat sources;
- People and procedures that affect the system or are affected by the system during system operation.

A correct understanding of the boundary between the system under consideration and its environment, and of its interaction with the interconnected subsystems, is a prerequisite for understanding how the system causes accidents and system hazards (see 6.2.2).

4.3.2 Railway application system environment and system level
Railway application systems usually operate in a socio-economic/policy environment. The economics of designing, constructing, implementing and using the system also depend on that environment. Therefore, system safety shall be considered in terms of the current safety level of the system economy, the current safety level of the social environment, and the safety levels permitted by society/policy. No matter how safe a system is, a system that users cannot afford will reduce the safety of the social environment in which it is located.

Within the socio-economic/policy system, the relevant competent authorities for the railway application system are responsible for the balanced consideration of economy and safety, and formulate the safety requirements and targets for the overall system safety risk level. This target may not be suitable at the early stage of a project; the organization/entity responsible for the system (e.g. for design/configuration) can modify the target and submit it to the relevant authority for approval.

In accordance with the hierarchical structure of the system, the organization/entity responsible for the railway application system (e.g. the RA) shall establish the subsystem safety requirements and targets that correspond to the levels of risk allowed for the subsystems. Typically, the organizations/entities responsible for each level of system design/configuration define the safety requirements and targets for their subsystems; in some cases, the RA establishes safety requirements and targets for lower-level subsystems or for specific risks.

......

identified and that their management responsibilities and measures are clearly defined and properly understood by the relevant organizations/entities. Introducing the concept of "interface hazards" is very important, because these hazards are difficult to find in a single system but arise when different systems interact.

4.4.1.5 Hazards at the system boundary
Figure 2 describes the relationship between system boundaries, hazards, causes of hazards and accidents (see Figure A.4 in ISO/IEC 14408:2012). It shows that, when viewed from the subsystem boundary (outside the subsystem), a failure or fault of the subsystem (i.e. a subsystem-level hazard) is a cause of a system-level hazard (inside the system).
By using this concept, structured hierarchical methods can be used for hazard analysis and hazard tracking in a nested system, and for hazard identification and cause analysis at multiple system levels. This method is particularly suitable for the system development stage.

The hazards at the system boundary are only relevant to the function of the system under consideration. The description of hazards should consider all interactions with other related systems, since these factors may reduce the hazards. Two examples are given below:
a) If a subsystem-related hazard is monitored by other subsystems, the safety requirements for the hazard should consider the mitigation measures implemented by the monitoring equipment and the subsequent risk time;
b) At the subsystem level, seizure of an axle-box on a high-speed train can be regarded as a hazard. If the vehicle runs on a line with monitoring equipment (e.g. a hot axle-box detector), the safety requirements for the hazard should consider the presence of the monitoring equipment and the subsequent risk time.

Therefore, allocating safety requirements within the system is a detailed process that may require repeated iterations to ensure that the relevant responsible parties (such as the team responsible for the development of a subsystem) correctly understand the safety requirements.

......

control risk), so these factors shall be considered comprehensively to establish the risk tolerance criteria. For the railway application system, the relevant authorities can classify the people exposed to risk in different ways; for example, they can be divided into three groups: passengers, railway workers (i.e. personnel employed or contracted by the RA or RSI, or authorized by the RA to perform railway-specific tasks), and the general public.

The risk acceptance criteria for the three groups may differ, because of their different levels of association with the system and the differences in capability that result in different risks. At the beginning of a project, it is advisable to consult the relevant competent authorities to determine the specific criteria.

The level of risk faced by each group may also be affected by many factors. These factors include:
- Personnel exposure, such as the duration and frequency of personnel contact with the hazard, and the probability that the exposed personnel recognize the hazard, respond in time and actively take measures to avoid an accident;
- The duration of the hazard, and the probability of a person being exposed to it;
- Risk-triggering events and/or conditions that may cause accidents, and their overall possibility and probability of occurrence;
- A sequence of triggering events/conditions, or follow-on triggering events, that may cause an accident; the resulting accidents are less likely to occur as a whole, but their consequences are serious.

Figure 3 shows an example of the above factors causing an accident to escalate. It shall be noted that safety barrier (protection) measures can be placed at the hazard level, the triggering-event level or the accident level to reduce the risk. A triggering event and the failure of a safety barrier are both necessary conditions for the accident.

......

consistent with the basic measurement method, to facilitate risk communication and comparison. For example, the rate of occurrence of harm depends on the number of people affected (such as the number of employees involved in maintenance and the number of working hours), traffic density, train mileage, passenger mileage, train or passenger hours, number of trips, number of train operations and terrain features (such as the number of tunnels, bridges and crossings).
The following subclauses outline the basic concepts of normalization.

4.4.3.2 Event rate (reference base for probability of occurrence)
The RA and the relevant SRA shall, through negotiation or on the basis of generally acknowledged principles, determine the harm/death rate for the different groups affected by the railway application. This rate is used only as a reference for event processing and comparison. For example, the unit risk rate for passengers and the public can be based either on the yearly cumulative injuries of each group or converted into individual risk.

4.4.3.3 Equivalent death (injury reference basis)
See the definition in 3.2.6. The RA and SRA shall negotiate to determine the relationship between the number of injuries and the number of deaths. This rate is used only as a reference for event processing and comparison. For example, the conversion formula can be:
1 equivalent death = 1 death = 10 major injuries = 100 minor injuries.

5 General risk models and common functional hazard checklists for typical railway application systems

5.1 Overview
This clause introduces the concept of a general risk model, gives guidance on the risk assessment process and its application, and gives a hazard checklist.

The railway application system presents many characteristics in the course of providing transport services; among these, safety is more demanding than forecasting, management and delivery, and directly affects the railway application system and the related companies. The social legal/regulatory system imposes further restrictions on the performance of the railway application system, to control the harm to people or the environment caused by the product or system.

Historically, improvements in safety have been achieved through the lessons of tragic accidents. Today, the approach systematically focuses on the root causes of safety issues, expands the scope of consideration, understands safety issues in depth and solves problems more proactively. The method of drawing lessons from accidents can still be retained, but it is not an ideal safety method. A systematic approach to safety requires an understanding of the risk assessment process, together with an understanding of the structure of the railway application system and its interaction with the environment. Clause 5.3 describes the risk assessment process, and clause 6.2.2 describes the structural principles of the railway application system and other relevant factors. Clause 5.4 gives guidance on the depth and type of risk assessment necessary.

5.2 General risk model
Modeling is primarily a simplification and generalization of reality, in order to understand causality and highlight the important factors. Modeling is an effective tool for estimating and forecasting the future. Risk models can be created for specific tasks (e.g. hazard occurrences, hazard combinations, operations, subsystems) in accordance with the risk assessment process, for specific applications or for the entire railway application system.

Establishing risk prediction/description models for products, processes or systems is a major step in systematically understanding risk and in early safety management. The model is essentially an abstract view of the system; irrespective of its qualitative or quantitative character, it should satisfy the following requirements in order to facilitate the implementation of the safety process:
- A systematic description negotiated and agreed by all stakeholders;
- Explicit system elements, boundaries and key external and internal interfaces, preferably using graphical representations;
- Support for the construction of a safety-related decision-making environment, while providing a comprehensive record over the system's life cycle.

Most risk assessments consider only the risks to passengers. Because safety risks are directed at people, it is important to identify all affected groups and determine their tolerable risks.
Establish a safety risk assessment for all groups that come into contact with the railway application system, and assess the risk of each group on a consistent baseline (such as per year or per trip/train mile).

Establishing a risk model for the entire railway application system involves a large amount of work. Because of the diversity of the environment, operations and interfaces with other systems of railway application systems, the variation in and quality of the available data, the complexity of the models, the overall availability of integrated modeling tools, and the difficulty of validating large and complex models, it is not appropriate to give a general risk model for the overall railway application system. The remainder of this clause only presents the general risk assessment process and its application, and gives a hazard checklist. Depending on the purpose of the analysis, risk models evaluated by quantitative, qualitative or combined methods are used at different system levels, to perform basic function assessment for the higher-level functions and to assess the technical solutions for the lower-level functions. Appendix D lists the basic steps for establishing a risk model and gives a graphical example of a railway application system risk prediction model.

5.3 Risk assessment process

5.3.1 Overview
Risk assessment mainly includes hazard identification, risk estimation and risk tolerability judgment. Risk management includes identifying and implementing economical and practical risk control measures, and ensuring that resources are continuously applied to control and maintain risks at an acceptable level. Risk analysis is an important part of the whole-system life cycle shown in Figure 8 of GB/T 21562-2008 and shall be carried out at the different stages of the life cycle. Clause 6.4 of GB/T 21562-2008 gives a summary description of the basic risk concept and of risk analysis, assessment and acceptance.

The "risk assessment" above includes the "risk analysis" and "risk assessment and acceptance" of 4.6.2 and 4.6.3 of GB/T 21562-2008. The "risk analysis" in the system life cycle shown in Figure 8 of GB/T 21562-2008 shall be regarded as "risk assessment" in the strict sense; clause 5.3.2 gives a further description of the general risk assessment process, and clause 5.4 gives guidance on the application of the process and on the depth and breadth of analysis.

Risk assessment using qualitative, quantitative or combined methods is a systematic and structured approach, which is used to:
a) Identify incidents that can directly or indirectly cause casualties related to the operation and maintenance of the system; in the railway operating environment, these people may be passengers, workers or members of the public;
b) Identify hazards that can lead to an accident, i.e. component/subsystem or system failures, physical effects, human errors or operating conditions;
c) Formulate measures to deal with or limit all types of hazards that cannot be eliminated;
d) Estimate the frequency of hazards and accidents (if feasible);
e) Estimate the consequences of the accident in the form of casualties. If the risk needs to be reduced, take measures to control or limit:
- The various types of hazards that cannot be eliminated, by identifying their causes and the accident-triggering conditions;
- The consequences of the related accidents;
f) Estimate the overall risk associated with a major accident;
g) Estimate the individual risk associated with each exposed group (if feasible);
h) Determine the additional measures necessary to reduce the risk to a level acceptable to the SRA (e.g. meeting the established risk acceptance criteria);
i) Produce documents that fully demonstrate the risk assessment...... ......
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.