Application of CENELEC EN 50129 standard in safety systems for railway signalling
The CENELEC EN 50129 standard is part of the normative package on RAMS (reliability, availability, maintainability and safety) for the railway industry. More specifically, EN 50129 applies to safety-related electronic systems for railway signalling applications.
As this article will show, EN 50129 applies to all phases of the life cycle of a safety-related electronic signalling system: specification, design, construction, installation, acceptance, operation, maintenance and modification. This holds both for generic products or systems and for specific products or systems.
EN 50129 aims to define the conditions that must be met so that a product, system or electronic installation can be ACCEPTED as safe (or safe enough). Its safety assurance strategy therefore rests on three basic pillars:
- Evidence of correct quality management in the processes of the product life cycle.
- Evidence of correct safety management in the processes of the product life cycle.
- Evidence of the technical and functional safety of the product, system or installation.
As is common in RAMS engineering, this evidence ultimately takes the form of documentary evidence showing that the three points have been considered, and that they are controlled and justified. This body of documentary evidence is called a safety study or safety case. The safety study must follow the structure defined in EN 50129, whose six sections are the following:
- Definition of the System under analysis.
- Quality Management Report.
- Safety Management Report.
- Technical Safety Report.
- References to Safety Reports.
- Conclusion.
There are three categories of safety study. The first covers generic products, which are characterised by being independent of the final application: they can be used and reused in different, independent applications. The second covers generic applications, which are characterised by being reusable across classes or types of applications that share common functions. The third covers specific applications, which are used only for one particular installation.
It is essential that, for each specific application, the environmental conditions and the context of use are compatible with the application conditions of the generic product or generic application on which it relies.
Section 1 - Definition of the System
In the Definition of the System under analysis (Section 1), the system, equipment or subsystem covered by the safety case must be specified precisely: its application boundaries, that is, how far it extends, and therefore the interfaces with the other systems it coexists with. It is also especially important in a safety study to define the versions (and editions) of the equipment and subsystems that make up the system and to which this safety case applies.
Section 2 - Quality Management
The Quality Management Report (Section 2) is considered the first condition that a project, as executed by a company, must meet. Evidence shall be given that quality is controlled by an appropriate quality management system. Typically, this report combines compliance with ISO 9001 at the generic quality level with compliance with EN 50126 in terms of the RAMS life cycle. This means following the phases of the product life cycle, which EN 50126 defines clearly and robustly: concept, system definition and application conditions, risk analysis, system requirements, apportionment of system requirements, design and implementation, manufacturing, installation, system validation, system acceptance, operation and maintenance, and decommissioning and disposal.
Section 3 - Safety Management
The Safety Management Report (Section 3) provides evidence that safety is controlled by an appropriate safety management system, consistent with the RAMS management process described in EN 50126. Very briefly, this report will provide evidence regarding:
- A V-model product development life cycle followed in accordance with EN 50126.
- An organisation with an adequate level of independence (between management, design and verification/validation) and an appropriate level of competence, in terms of knowledge, of the personnel involved in the project. In addition, a Safety Plan drawn up at the beginning of the life cycle.
- A hazard record, called the Hazard Log.
- Specification of safety requirements.
- System design in which every relevant discipline has been documented: mechanical, electronic, chemical, optical, software, communications, etc.
- Verification and validation of the safety targets, and the resulting safety justification.
Section 4 - Technical Safety Report
The Technical Safety Report (Section 4) must contain the technical principles that ensure the safety of the design, including the detailed technical specification, design calculations, results of type tests, etc. In short:
- Guarantee of proper operation.
- Damaging effects.
- Operation under external influences.
- Application conditions (relations with safety).
- Test results.
Section 5 - References to Safety Reports
In References to Safety Reports (Section 5), other Safety Reports on which the Safety Report under analysis depends must be referenced. This documentation is needed for complex safety cases that involve, for some reason, a dependency on another product, system or sub-system which has been already previously
Section 6 - Conclusion
Finally, the Conclusion (Section 6) summarises the evidence presented in the previous sections, arguing that the "system is sufficiently safe according to the specified application conditions".
Independent Evaluation of System Safety
All documentation generated in the safety study should be evaluated by an Independent Safety Assessor. The assessor produces a report explaining the assessment activities carried out to confirm that the system's safety requirements are indeed met. As explained in EN 50126, the scope of the safety assessment and the degree of independence with which it is carried out are based on the results of the risk classification.