GB/T 21562.2-2015 PDF in English
Railway applications -- Specification and demonstration of reliability, availability, maintainability and safety (RAMS) -- Part 2: Guide to the application for safety
PDF Preview
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 45.060
S 04
Railway applications - Specification and demonstration of
reliability, availability, maintainability and safety (RAMS) -
Part 2: Guide to the application for safety
ISSUED ON: DECEMBER 31, 2015
IMPLEMENTED ON: JULY 01, 2016
Issued by: General Administration of Quality Supervision, Inspection and
Quarantine;
Standardization Administration of the People's Republic of
China.
Table of Contents
Foreword ... 5
Introduction ... 6
1 Scope ... 7
2 Normative references ... 9
3 Terms, definitions and abbreviations ... 9
3.1 Explanation of terms and definitions used in GB/T 21562-2008 ... 10
3.2 Other safety terms ... 15
3.3 Abbreviations ... 19
4 Guidelines for the concept of related organizations/entities and systems hierarchy and safety ... 20
4.1 Overview ... 20
4.2 Related organizations/entities in the system ... 20
4.3 Concepts of system level ... 21
4.4 Safety concept ... 23
5 General risk models and common functional hazard checklists for typical railway application systems ... 28
5.1 Overview ... 28
5.2 General risk model ... 29
5.3 Risk assessment process ... 30
5.4 Application of risk assessment process ... 37
5.5 General function hazard checklist ... 45
6 Application guidelines for functional safety, functional safety requirements, SI objectives, risk apportionment, and SIL ... 49
6.1 Overview ... 49
6.2 Functional safety and technical safety ... 49
6.3 General considerations for risk apportionment ... 53
6.4 SI concept and SIL application ... 56
6.5 Fault-safety system guideline ... 69
7 Safety proof guide combined with probabilistic and deterministic methods ... 73
7.1 Overview ... 74
7.2 Safety argument ... 74
7.3 Deterministic methods ... 85
7.4 Probabilistic methods ... 86
7.5 Combining deterministic and probabilistic methods ... 86
7.6 Methods for mechanical and hybrid (mechatronic) systems ... 87
8 Guidelines for risk acceptance principle ... 88
8.1 Overview ... 88
8.2 Application of risk acceptance principle ... 88
8.3 ALARP principle ... 90
8.4 GAMAB (GAME) principle ... 91
8.5 MEM (minimum endogenous mortality) safety principle (see D.3 in GB/T 21562-2008) ... 94
9 Basic element guide related to safety proof documents (safety arguments) ... 95
9.1 Overview ... 95
9.2 Use of safety arguments ... 96
9.3 Scope of safety arguments ... 96
9.4 Levels of safety argument ... 97
9.5 Stages of safety argument ... 99
9.6 Safety argument structure ... 100
9.7 Safety assessment ... 106
9.8 Interface with existing systems ... 107
9.9 System mutual recognition criteria ... 108
Appendix A (Informative) Steps of risk assessment process ... 112
A.1 System definition ... 112
A.2 Hazard identification ... 113
A.3 Hazard records ... 118
A.4 Consequence analysis ... 119
A.5 Hazard control ... 121
A.6 Risk rating ... 122
Appendix B (Informative) Hazard checklist at the railway application system level ... 127
B.1 Overview ... 127
B.2 Examples of hazard classification based on affected people ... 128
B.3 Example of function-based hazard classification ... 133
Appendix C (Informative) Risk category classification method ... 137
C.1 Functional subdivision method (a) ... 137
C.2 System (constitution) decomposition method (b) ... 138
C.3 Hazard breakdown method (c) ... 139
C.4 Subdivision methods based on hazard cause (d) ... 140
C.5 Subdivision methods based on accident types (e) ... 141
Appendix D (Informative) British railway system risk model diagram ... 142
D.1 Building a risk model ... 142
D.2 Illustrative examples of the UK railway risk model ... 143
Appendix E (Informative) Technology and methods ... 148
E.1 Overview ... 148
E.2 Fast rating analysis ... 149
E.3 Structured assumption analysis ... 150
E.4 HAZOP ... 151
E.5 Status transition diagram ... 152
E.6 Message sequence diagram ... 152
E.7 Failure mode effect and criticality analysis - FMECA ... 153
E.8 Event tree analysis ... 154
E.9 Fault tree analysis ... 156
E.10 Risk map method ... 157
E.11 Other analysis techniques ... 158
E.12 Guide for deterministic method and probabilistic method ... 159
E.13 Selection of tools and methods ... 162
Appendix F (Informative) Graphical representation of availability concepts ... 164
Appendix G (Informative) Example of establishing risk acceptance criteria ... 166
G.1 Example of ALARP application ... 166
G.2 Copenhagen subway ... 170
Appendix H (Informative) Example of safety argument overview ... 172
H.1 Locomotive and rolling stock ... 172
H.2 Signal ... 175
H.3 Infrastructure ... 178
References ... 181
Railway applications - Specification and demonstration of
reliability, availability, maintainability and safety (RAMS) -
Part 2: Guide to the application for safety
1 Scope
1.1 This part of GB/T 21562 gives guidance on the safety process requirements
of railway application systems specified in GB/T 21562-2008 and on the specific
issues involved in the safety activities at the various stages of the system life
cycle (see 1.3). This part applies to all systems within the scope of GB/T
21562-2008. It assumes that users are familiar with safety issues; it addresses
those safety issues on which GB/T 21562-2008 lacks detailed guidance.
1.2 GB/T 21562-2008 is the basic RAMS standard for the top level of the system.
This part is a supplement to GB/T 21562-2008 and applies only to the safety
issues stated in 1.3.
1.3 This part only gives guidance on the following issues within the scope of
GB/T 21562-2008:
a) The establishment of top-level generic risk models for the overall system
of railway application to its major components (such as signals, rolling
stock, and infrastructure, etc.), the definition of model components and
their interactions;
b) The establishment of general function hazard checklists for railway
application systems (including high-speed lines, light rail and subways,
etc.);
c) The application of risk acceptance principle in GB/T 21562-2008;
d) Application and examples of qualitative assessment of functional safety
and tolerable risks in railway application systems;
e) The functional safety requirements and the definitions of assigning the
safety objectives to the subsystems (e.g. railway application vehicles,
door systems, braking systems, etc.);
f) The application of safety integrity levels at all stages of the system's life
cycle;
Failures due to errors in any safety life cycle activity, within any phase, which
cause it to fail under some particular combination of inputs or under some
particular environmental condition.
[GB/T 21562-2008, Definition 3.42]
GB/T 20438.4-2006 words this term differently, but without substantial
difference in meaning: a failure related in a deterministic way to a certain
cause, which can only be eliminated by modifying the design or the manufacturing
process, the operating procedures, the documentation or other related factors.
Note 1: Corrective maintenance without such a modification usually cannot
eliminate the cause of the failure.
Note 2: A systematic failure can be reproduced by simulating its cause.
Note 3: Causes of systematic failure include human errors in:
- Safety requirements specifications;
- Hardware design, manufacture, installation and operation;
- Software design and implementation.
Note 4: The failures of safety-related systems are classified into two types:
random failures and systematic failures.
3.1.12
Tolerable risk
The maximum level of risk of a product that is acceptable to the railway
authority.
[GB/T 21562-2008, Definition 3.43]
The railway authority (RA) is responsible for negotiating the risk acceptance
criteria and the risk acceptance level with the safety regulatory authority
(SRA) and for communicating them to the railway support industry (RSI) (see
5.3.2). The risk acceptance level is usually defined by the SRA or negotiated
between the RA and the SRA, and depends on national laws or regulations.
3.2 Other safety terms
This clause lists the safety terms not defined in GB/T 21562-2008 but used in
Although each has a different meaning, these terms are closely related to
each other. To avoid misunderstandings, the following differences in these
terms shall be considered.
- Failure is the termination of the ability of an item to perform a required
function;
Note 1: After a failure occurs, the item has a fault.
Note 2: “Failure” is an event, as distinct from “fault”, which is a state.
- A fault is the state of an item characterized by its inability to perform a
required function, excluding the inability during preventive maintenance or
other planned actions, or due to lack of external resources;
Note 3: A fault is usually the cause of the item's own failure, but it may also
exist without causing any failure.
- An error is the discrepancy between a computed, observed or measured value or
state and the true (specified) or theoretically correct value or state;
Note 4: Errors may be caused by a faulty item, for example a calculation error
caused by faulty computer equipment.
- Human errors or mistakes are human actions that produce an unintended result.
A fault may be an incorrect signal value or an incorrect decision within the
system. If a fault occurs, the errors it produces (such as incorrect information
or an incorrect system state) may affect the system.
If a functional unit is no longer able to perform its required function, a
failure occurs; that is, the failure is the consequence of internal errors or
faults and is observable at the system boundary. Errors or faults do not
necessarily lead to failures; for example, internal error checking can correct
errors. Failure is therefore purely a functional matter: it concerns the effect
and has nothing to do with the physical integrity of the item.
3.2.8
Functional safety
The part of safety that depends on the correct functioning of the system in
response to external stimuli, under normal operating conditions and in fault
modes (see 6.2).
3.2.9
SRA: Safety Regulatory Authority (as defined in 3.1.7)
THR: Tolerable Hazard Rate; also known as the “hazard occurrence rate”, it is
the rate of occurrence of a hazard at which the risk caused by that hazard is
at an acceptable level (usually as judged acceptable by the organizations
concerned, e.g. by negotiation among RA, RSI and SRA, or by the SRA itself).
4 Guidelines for the concept of related organizations/entities and systems hierarchy and safety
4.1 Overview
Considering the interaction of the system and its environment, GB/T 21562-
2008 defines safety as “avoiding unacceptable risk of harm”. This definition
covers all aspects of safety, including functional and technical safety, health and
safety issues, and human factors.
Clause 4 gives a description of the relevant organizations/entities in the railway
application system. It further explains some basic concepts (such as risk,
hazard, harm, and safety) in system level, safety, and risk assessment. It
supplements the railway application RAMS analysis as well as the impact
factors as given in 4.3 and 4.4 of GB/T 21562-2008.
4.2 Related organizations/entities in the system
Depending on the social/policy environment and the organizational/management
structure associated with the railway application system, several
organizations/entities may perform different functions in each phase of the
system life cycle. For the purpose of guidance, the organizations/entities are
divided into three major categories (as defined in GB/T 21562-2008), as shown
below (see also 3.1.7):
- RA (infrastructure manager and/or railway application operator);
- SRA (safety regulatory authority);
- RSI (system vendor/installer/manufacturer).
The roles and responsibilities of these organizations may change, or may be
outsourced to other participants or subcontractors, depending on:
- Social, policy or legal considerations;
- Size and complexity of the relevant system or subsystem;
System functions are the activities performed by the system as a whole.
Function and structure are internal views that reflect the characteristics of the
system and are related to the organization/entity responsible for system design.
The environment consists of any object that affects or is affected by the
system:
- Any object that is mechanically, electrically or otherwise connected to the
system, including sources of electromagnetic interference and heat;
- People and procedures that affect the system or are affected by it during
system operation.
Correct understanding of the boundary between the system under
consideration and the environment as well as its interaction with the
interconnected subsystems is a prerequisite for understanding how the system
causes accidents and system hazards (see 6.2.2).
4.3.2 Railway application system environment and system level
Railway application systems usually operate in a socio-economic/policy
environment. The economics of designing, constructing, implementing and using
the system also depend on that environment. System safety shall therefore be
considered in relation to the current safety level of the system economy, the
current safety level of the social environment, and the safety levels permitted
by society/policy. However safe a system is, a system that users cannot afford
will reduce the safety of the social environment in which it is located.
Within the socio-economic/policy system, the relevant competent authorities for
the railway application system are responsible for balancing economy and
safety, and formulate the safety requirements and targets for the overall
system safety risk level. This target may not be suitable in the early period
of a project; the organization/entity responsible for the system (e.g. for
design/configuration) can then modify the target and submit it to the relevant
authority for approval.
In accordance with the hierarchical structure of the system, the
organization/entity responsible for the railway application system (e.g., RA)
shall establish the subsystem safety requirements and goals that correspond to
the levels of risk allowed by the subsystems. Typically, the responsible
organizations/entities for each level of system design/configuration define the
safety requirements and goals for their subsystems; in some cases, the RA
establishes safety requirements and goals for lower-level subsystems or
specific risks.
identified and that their management responsibilities and measures are clearly
defined and properly understood by the relevant organizations/entities.
Introducing the concept of “interface hazards” is very important, because these
hazards are difficult to find in a single system, but they occur when different
systems interact.
4.4.1.5 Hazards at system boundary
Figure 2 describes the relationship between system boundaries, hazards,
causes of hazards, and accidents (see Figure A.4 in ISO/IEC 14408.2012). This
figure shows that when considering from the subsystem boundary (outside the
subsystem), the failure or fault of the subsystem (i.e., the subsystem level
hazard) is the cause of the system level hazard (inside the system). By using
this concept, the structured hierarchical methods can be used for hazard
analysis and hazard tracking in a nesting system, and for hazard identification
and cause analysis at multiple system levels. This method is particularly
suitable for the system development stage.
The hazards at the system boundary relate only to the function of the system
under consideration. The description of a hazard should take into account all
interactions with other related systems, since these may reduce the hazard.
Two examples are given below:
a) If a subsystem-related hazard is monitored by other subsystems, the safety
requirements for the hazard should consider the mitigation measures
implemented by the monitoring equipment and the subsequent risk time;
b) At the subsystem level, the seizure of an axle-box on a high-speed train
can be regarded as a hazard. If the vehicle runs on a line equipped with
monitoring equipment (e.g. an axle temperature detector), the safety
requirements for the hazard should consider the presence of the monitoring
equipment and the subsequent risk time.
Therefore, allocating safety requirements within the system is a detailed
process that may require repeated iterations to ensure that the relevant
responsible parties (such as the team responsible for the development of
subsystems) correctly understand the safety requirements.
control risk), so these factors shall be considered comprehensively to establish
risk tolerance criteria.
For the railway application system, the relevant authorities can classify the
people exposed to risk in different ways; for example, they can be divided into
three groups: passengers, railway application workers (i.e. personnel employed
or contracted by the RA or RSI, or authorized by the RA to perform specific
railway application tasks), and the general public. The risk acceptance
criteria for the three groups may differ, because their degree of association
with the system and their capabilities differ and so result in different risks.
At the beginning of a project, it is advisable to consult the relevant
competent authorities to determine the specific criteria.
The level of risk faced by each group may also be affected by many factors.
These factors include:
- Personnel exposure, such as the duration and frequency of contact with the
hazard, and the probability that exposed personnel identify the hazard,
respond in time and actively take measures to avoid an accident;
- The duration of the hazard and the probability that a person is exposed to it
during that time;
- The risk-triggering events and/or conditions that may cause an accident, and
their overall likelihood and probability of occurrence;
- The sequence of events/conditions that follow a triggering event and may
cause an accident; the resulting accidents are less likely overall, but their
consequences are serious.
Figure 3 shows an example of how the above factors can escalate into an
accident. It shall be noted that safety barrier (protection) measures can be
placed at the hazard level, the triggering event level or the accident level to
reduce the risk. A triggering event and failure of the safety barrier are both
necessary conditions for the accident.
consistent with the basic measurement method, to facilitate risk communication
and comparison. For example, the harm occurrence rate depends on the number of
people affected (such as the number of employees involved in maintenance and
their working hours), traffic density, train mileage, passenger mileage, train
or passenger hours, number of trips, number of train operations and terrain
features (such as the number of tunnels, bridges and crossings). The following
subclauses outline the basic concepts of normalization.
4.4.3.2 Event rate (reference base for probability of occurrence)
The RA and the relevant SRA shall, through negotiation or on the basis of
generally acknowledged principles, determine the harm/death rate for the
different groups affected by the railway application. This rate is used only as
a reference for event processing and comparison. For example, the unit rate of
risk for passengers and the public can be based either on the yearly cumulative
injuries of each group or converted into individual risk.
4.4.3.3 Equivalent death (injury reference basis)
See the definition in 3.2.6. The RA and the SRA shall negotiate to determine the
relationship between the number of injuries and the number of deaths. This rate
is used only as a reference for event processing and comparison. For example,
the conversion formula can be: 1 equivalent death = 1 death = 10 major
injuries = 100 minor injuries.
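The chain of 4.4.2 (hazard, triggering event, safety-barrier failure, accident) and the normalisation of 4.4.3 (equivalent fatalities, reference base per exposed group, tolerable risk) worked through as an added Python example; this is not code from the standard or its translators, and every hazard name, rate, exposure value and criterion in it is constructed for illustration. The back-calculation in `required_hazard_rate` is this example's own way of deriving a THR-style target from a group's risk budget.

```python
"""Added example, not from GB/T 21562.2-2015 or its translation: a small
quantified risk model for the chain in 4.4.2 (hazard -> triggering event ->
safety-barrier failure -> accident; trigger AND barrier failure are both
necessary) and the normalisation in 4.4.3 (consequences weighted as equivalent
fatalities, 1 death = 10 major = 100 minor injuries; harm rate normalised to a
reference base per exposed group and compared with that group's tolerable risk).
All names, rates, exposures and criteria are constructed, not taken from the standard."""
from dataclasses import dataclass

EQUIVALENT_FATALITY_WEIGHT = {"fatality": 1.0, "major": 0.1, "minor": 0.01}  # 4.4.3.3

@dataclass(frozen=True)
class Consequence:
    """Expected casualties per accident for one exposed group, by severity."""
    fatality: float = 0.0
    major: float = 0.0
    minor: float = 0.0

    def equivalent_fatalities(self) -> float:
        return sum(getattr(self, k) * w for k, w in EQUIVALENT_FATALITY_WEIGHT.items())

@dataclass(frozen=True)
class HazardScenario:
    """One hazard and one accident path through the Figure 3 chain."""
    hazard: str
    hazard_rate: float        # hazard occurrences per operating hour
    p_trigger: float          # P(triggering event/condition is present)
    p_barrier_failure: float  # P(the safety barrier fails to stop the accident)
    harm: dict                # exposed group -> Consequence per accident

    def accident_rate(self) -> float:
        # Accidents per operating hour: trigger and barrier failure are both needed.
        return self.hazard_rate * self.p_trigger * self.p_barrier_failure

def group_harm_rate(scenarios, operating_hours_per_year):
    """Equivalent fatalities per year per exposed group, summed over all scenarios."""
    rate = {}
    for s in scenarios:
        accidents_per_year = s.accident_rate() * operating_hours_per_year
        for group, cons in s.harm.items():
            rate[group] = rate.get(group, 0.0) + accidents_per_year * cons.equivalent_fatalities()
    return rate

def normalised_risk(harm_rate, exposure):
    """Harm per unit of the reference base agreed for each group (4.4.3.2)."""
    return {g: harm_rate.get(g, 0.0) / exposure[g] for g in exposure}

def evaluate(risk, tolerable):
    """True for every group whose normalised risk meets its tolerable level."""
    return {g: risk[g] <= tolerable[g] for g in tolerable}

def required_hazard_rate(scenario, group, tolerable, exposure, operating_hours_per_year):
    """Largest hazard rate (per hour) at which this scenario alone keeps the group
    within its tolerable risk: the THR-style target for the subsystem owning the hazard."""
    budget_per_year = tolerable[group] * exposure[group]  # allowed equivalent fatalities/year
    per_hazard = (scenario.p_trigger * scenario.p_barrier_failure *
                  operating_hours_per_year * scenario.harm[group].equivalent_fatalities())
    return budget_per_year / per_hazard

# Constructed sample: one line run 8 000 train-hours per year, two hazards.
OPERATING_HOURS = 8_000.0
SCENARIOS = [
    HazardScenario("axle-box overheating", 1e-5, 0.5, 0.1,     # barrier: hot axle-box detector
                   {"passengers": Consequence(fatality=2, major=10, minor=50),
                    "workers": Consequence(fatality=0.2, major=1)}),
    HazardScenario("door open while moving", 2e-6, 0.05, 0.2,  # barrier: door interlock
                   {"passengers": Consequence(major=1, minor=2)}),
]
EXPOSURE = {"passengers": 2.0, "workers": 0.5}      # 1e9 passenger-km, 1e6 worker-hours
TOLERABLE = {"passengers": 0.05, "workers": 0.001}  # equivalent fatalities per unit of base

def assess(scenarios=SCENARIOS, exposure=EXPOSURE, tolerable=TOLERABLE, hours=OPERATING_HOURS):
    """Normalised risk per group and whether each meets its tolerable level."""
    risk = normalised_risk(group_harm_rate(scenarios, hours), exposure)
    return risk, evaluate(risk, tolerable)

if __name__ == "__main__":
    risk, ok = assess()
    for g in risk:
        print(f"{g:10s} risk={risk[g]:.2e} tolerable={TOLERABLE[g]:.0e} {'OK' if ok[g] else 'REDUCE'}")
    thr = required_hazard_rate(SCENARIOS[0], "workers", TOLERABLE, EXPOSURE, OPERATING_HOURS)
    print(f"max axle-box hazard rate to meet the workers' criterion: {thr:.2e}/h")
```

With the constructed figures the passenger group meets its criterion while the worker group does not, and the back-calculation shows how far the axle-box hazard rate would have to fall for that one scenario to fit the workers' budget.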
5 General risk models and common functional hazard checklists for typical railway application systems
5.1 Overview
This clause introduces the concept of a general risk model, gives guidance on
the risk assessment process and application, and gives a hazard checklist.
The railway application system exhibits many characteristics in the course of
providing transportation services; among them, safety is the most demanding to
predict, manage and deliver, and it directly affects the railway application
system and related companies. The social law/regulatory system imposes further
restrictions on the performance of the railway application system, in order to
control the harm to people or the environment caused by the product or system.
Historically, safety improvements have been achieved by learning from tragic
accidents. Today, the approach is systematic: it focuses on the root causes of
safety issues, broadens the scope of consideration, understands safety issues
in depth and solves problems more proactively. Learning lessons from accidents
may still be retained, but it is not an ideal safety method.
A systematic approach to safety requires an understanding of the risk
assessment process, while understanding the structure of the railway
application system and its interaction with the environment. Clause 5.3 gives a
description of the risk assessment process, and clause 6.2.2 describes the
structural principles of the railway application system and other relevant factors.
Clause 5.4 gives some guidance on the depth and type of necessary risk
assessment.
5.2 General risk model
Modeling is primarily a simplification and generalization of reality, in order to
understand causality and highlight important factors. Modeling is an effective
tool for estimating and forecasting the future.
Risk models can be created for specific tasks (e.g. hazard occurrences, hazard
combinations, operations, subsystems, etc.) in accordance with the risk
assessment process, for specific applications or for the entire railway
application system.
Establishing risk prediction/description models for products, processes or
systems is a major step in systematically understanding risk and in early
safety management. The model is essentially an abstract view of the system;
whatever its qualitative or quantitative characteristics, it should satisfy the
following requirements in order to facilitate the implementation of the safety
process:
- A system description negotiated and agreed by all stakeholders;
- Explicit system elements, boundaries and key external and internal
interfaces, preferably in graphical form;
- Support for building a safety-related decision-making environment, while
providing a comprehensive record over the system's life cycle.
Most risk assessments consider only the risks to passengers. Because safety
risks concern people, it is important to identify all affected groups and
determine their tolerable risks. Establish a safety risk assessment for every
group that comes into contact with the railway application system, and assess
the risk of each group on a consistent baseline (such as per year or per
trip/train mileage).
Establishing a risk model for the entire railway application system involves a
large amount of work. Because of the diversity of environments, operations and
interfaces with other systems, the variability and quality of the available
data, the complexity of the models, the limited availability of integrated
modelling tools, and the difficulty of checking large and complex models, it is
not appropriate to give a general risk model for the overall railway
application system here. The remainder of this clause therefore presents only
the general risk assessment process and its application, and gives a hazard
checklist.
Depending on the purpose of the analysis, risk models evaluated by
quantitative, qualitative or combined methods are used at different system
levels, to perform basic function assessment for the higher-level functions
and to assess the technical solutions of the lower-level functions.
Appendix D lists the basic steps for establishing a risk model and a graphical
example of a railway application system risk prediction model.
5.3 Risk assessment process
5.3.1 Overview
Risk assessment mainly comprises hazard identification, risk analysis and
judgment of risk tolerability. Risk management comprises identifying and
implementing economical and practical risk control measures, and ensuring that
resources are used continuously to control and keep risks at an acceptable
level.
Risk analysis is an important part of the whole system life cycle shown in
Figure 8 of GB/T 21562-2008 and shall be carried out at different stages of the
life cycle. Clause 6.4 of GB/T 21562-2008 gives a summary description of the
basic risk concept and of risk analysis, assessment and acceptance. The “risk
assessment” referred to above includes the “risk analysis” and the “risk
assessment and acceptance” of 4.6.2 and 4.6.3 of GB/T 21562-2008, so the “risk
analysis” in the system life cycle shown in Figure 8 of GB/T 21562-2008 shall be
regarded as a “risk assessment” in the strict sense. Clause 5.3.2 gives a
further description of the general risk assessment process, and clause 5.4
gives guidance on the application of the process and on the depth and breadth
of analysis.
Risk assessment using qualitative, quantitative or combined methods is a
systematic and structured approach, which is used to:
a) Identify incidents that can directly or indirectly cause casualties related
to the operation and maintenance of the system; in the railway application
operating environment, these persons may be passengers, workers or members of
the public;
b) Identify the hazards that can lead to an accident, i.e. component/subsystem
or system failures, physical effects, human errors or operating conditions;
c) Formulate measures to deal with or limit all types of hazards that cannot be
eliminated;
d) Estimate the frequency of hazards and accidents (where feasible);
e) Estimate the consequences of accidents in the form of casualties. If the
risk needs to be reduced, take measures to control or limit:
- The various types of hazards that cannot be eliminated, by identifying their
causes and the accident triggering conditions;
- The consequences of the related accidents;
f) Estimate the overall risk associated with major accidents;
g) Estimate the individual risk associated with each exposed group (where
feasible);
h) Determine the additional measures necessary to reduce the risk to a level
acceptable to the SRA (e.g. one that meets the established risk acceptance
criteria);
i) Produce documents that fully demonstrate the risk assessment......
Source: the above contents are excerpted from the PDF, translated/reviewed by www.chinesestandard.net / Wayne Zheng et al.