How do we apply the Railway RAMS (EN50126) in non-electronic systems?
Regulations, tools and reliability, availability, maintainability and safety (RAMS) studies are usually closely tied to, or tailor-made for, electrical and electronic systems. At the same time, the scope that railway administrations and operators give to railway RAMS engineering keeps growing, so it now reaches all systems, not only electrical and electronic ones.
Thus, when a manufacturer of mechanical, pneumatic or hydraulic systems or subsystems must apply the CENELEC standard EN 50126 "Specification and demonstration of reliability, availability, maintainability and safety (RAMS)" in a railway application, it finds that both this standard and the related ones (such as EN 50129) have a strong orientation towards electrical or electronic systems. Such systems are made up of components and subsystems with an associated statistical failure rate as a function of time, expressed for example through the MTBF (Mean Time Between Failures). These failures are called random failures.
The concept of random failure, as discussed, makes sense in electrical or electronic applications, but it makes little sense for mechanical, pneumatic, hydraulic or similar systems. For example, if we ask how often a train window fails, both the question and the answer seem to make little sense. A window can wear out or degrade: it may be attached to the train by a chemical bonding agent, or it may lose its filtering properties under solar radiation. Failures like these, associated with degradation or fatigue, cannot sensibly be modelled as an approximation of a statistical failure rate. Nor does it make sense to attempt absurd approaches such as modelling the vandalism that may break a train window and force its replacement: the random failure rate models equipment failures with a statistical method, and vandalism, to continue with the same example, cannot sensibly be modelled statistically.
Therefore, we can find equipment, products, systems or subsystems for which compliance with the railway RAMS standard CENELEC EN 50126 is requested, but to which it makes no sense to apply one of the most important concepts of that standard: the quantitative study of random failures.
A train door or window, a bellows, a conductor cable, a compressor, a pneumatic valve, etc. are items of equipment that may have associated safety requirements and be required to comply with CENELEC EN 50126, yet in no case do they have an associated random failure.
Why is the study of random failures so important for EN 50126?
In summary, the objectives of RAMS engineering are the management of systematic failures through robust and proven processes, the management of random failures through adequate design and through the analysis of those failures and their consequences, and the management of the risks, both endogenous and exogenous, to which the system is exposed.
As we can see, the more quantitative part of a RAMS study consists of a set of analyses and calculations based on random failures, while the remaining activities are associated with processes of a more qualitative nature. Since SIL levels are quantitative targets for safety functions and are therefore closely linked to the calculation of random equipment failures, companies making non-electronic systems find no way to advance in meeting the RAMS requirements requested by their customers on the one hand and compliance with EN 50126 on the other, which creates a situation in which it is not clear how to proceed or how to manage this discrepancy. Often the SIL level is the way a safety requirement associated with the RAMS of EN 50126 is materialised. Let us take a very simple example: the safety functions of a train door must have a safety integrity level (SIL level) of SIL-4 according to CENELEC EN 50126.
A SIL-4 level effectively indicates that the probability of failure of the safety functions should be between 1x10^-8 and 1x10^-9. Here we run into the difficulty: if we do not have an associated failure probability, how do I guarantee to my client that the failure is within the required ranges? The simplification of associating a SIL-4 level only with meeting a failure rate is deliberate: in reality, a SIL-4 level has many other implications, such as the type of organisation the company must have and the team that executes the project, the processes and activities that must be carried out throughout the project life cycle, etc.
The first thing we always point out to our clients is the importance of correctly defining the safety requirements, since CENELEC EN 50126 explicitly states, in line with the above, that the standard does NOT allow safety integrity levels to be assigned to non-electronic functions. That is, SIL levels are only defined for functions that depend partially or totally on electronic systems.
The strategy for facing compliance with EN 50126 for a non-electronic system
For non-electronic systems, EN 50126 allows the application of two additional methods to assess risk and properly demonstrate compliance of a safety-related function, beyond the commonly known EXPLICIT RISK ESTIMATION: the code of practice and the reference system.
A CODE OF PRACTICE, used correctly, can therefore control one or more specific hazards, the mitigation of the associated risk being accepted by applying that CODE, with no further analysis required. A CODE OF PRACTICE is to be understood as one or more recognised and accepted standards in the railway field that are applicable to ensuring a design or other process associated with the hazard in the system under consideration.
In practice, in our hazard log we will mitigate hazards through compliance with the CODE OF PRACTICE, making that compliance a system safety requirement. In addition, the relationship between the safety functions and the CODE OF PRACTICE used must be indicated and justified in the system architecture. Finally, during the integration of the subsystems and components of the system, there must be evidence that the implementation complies with the CODE OF PRACTICE used.
On the other hand, the application of a REFERENCE SYSTEM must meet at least the following requirements: it has proven in practice an acceptable level of safety and therefore remains authorised in the Member State where the change is to be introduced; it has functions and interfaces similar to those of the system under evaluation; it is used in operating conditions similar to those of the system under evaluation; and it is used in environmental conditions similar to those of the system under evaluation. In principle this method can be very useful, but in many cases reproducing the operating and environmental conditions can become very complicated and tedious.
CENELEC EN 50126 thus enables three strategies or risk acceptance principles: use of codes of practice, use of a similar reference system, and explicit risk estimation.
Regarding non-electronic systems, CENELEC EN 50126 explicitly indicates that special attention must be paid to the causes of failure of systems and functions arising from inherent physical properties that affect the useful life of the equipment, including wear, degradation or fatigue, and to mechanical or environmental influences such as temperature, solar radiation, exposure to polluting chemical agents, etc.
Therefore, the prevention of systematic and random failures for non-electronic products is addressed through the following approaches:
- Random safety integrity is achieved through product design applying codes of practice.
- Systematic safety integrity is achieved mainly through process-based methods, including quality management throughout the life cycle, safety management and organisational measures.
We continue with the example: a train door
Train doors undoubtedly have safety functions. The easiest to understand is keeping the doors closed unless a safe command indicates otherwise. Safety here is guaranteed by a mechanical lock and by an electronic system that controls the door. As we have seen, the mechanical part will be built according to a CODE OF PRACTICE. The electronic control subsystem, on the other hand, can be approached with the "classical" EN 50126 approach based on the study of random failures, so that a SIL level can be assigned to the functions performed by that subsystem.
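To make the three risk acceptance principles, the SIL-4 failure band and the train-door example concrete, here is an added Python example; it is not code from this article or from Leedeo Engineering. It models a small hazard log for the door: the mechanical lock is closed out by a code of practice (checked against the three conditions listed above: a recognised standard, justification in the architecture, integration evidence), the electronic door control is assessed by explicit risk estimation against a SIL-4 target, and a non-electronic window entry requesting a SIL is rejected because SIL levels can only be assigned to functions that are at least partly electronic. Everything numeric is an assumption made for the example: the band 1x10^-9 to 1x10^-8 from the text is treated as a hazard rate per hour with the other SIL bands filled in one decade apart, the electronic channel uses a constant-failure-rate series model (lambda = 1/MTBF, summed), and the MTBF values and the standard name are constructed placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Tolerable hazard rate bands per hour, lower bound inclusive, upper bound exclusive.
# The article quotes SIL-4 as 1e-9 .. 1e-8; the other rows are the same decade-per-level
# convention and are an assumption of this example.
SIL_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def sil_for_rate(rate_per_hour: float) -> int:
    """Highest SIL whose band the hazard rate satisfies; 0 means no SIL is met."""
    if rate_per_hour < SIL_BANDS[4][0]:
        return 4
    for sil in (4, 3, 2, 1):
        low, high = SIL_BANDS[sil]
        if low <= rate_per_hour < high:
            return sil
    return 0


def series_failure_rate(mtbf_hours: List[float]) -> float:
    """Constant failure rate model: lambda = 1/MTBF, summed over a series of components."""
    return sum(1.0 / m for m in mtbf_hours)


class Principle(Enum):
    CODE_OF_PRACTICE = "code of practice"
    REFERENCE_SYSTEM = "reference system"
    EXPLICIT_RISK_ESTIMATION = "explicit risk estimation"


@dataclass
class Hazard:
    ident: str
    function: str
    electronic: bool                 # is the function at least partly electronic?
    principle: Principle
    target_sil: Optional[int] = None
    # Code of practice evidence: the three items the article requires
    cop_standards: List[str] = field(default_factory=list)
    cop_in_architecture: bool = False
    cop_integration_evidence: bool = False
    # Reference system: the four similarity conditions the article lists
    ref_proven_and_authorised: bool = False
    ref_similar_functions: bool = False
    ref_similar_operating_conditions: bool = False
    ref_similar_environment: bool = False
    # Explicit risk estimation: MTBF (hours) of each component in the function's path
    component_mtbf_hours: List[float] = field(default_factory=list)


def assess(h: Hazard) -> Tuple[bool, str]:
    """Return (accepted, reason) for one hazard log entry."""
    if h.principle is Principle.CODE_OF_PRACTICE:
        if not h.cop_standards:
            return False, "no recognised standard cited as code of practice"
        if not h.cop_in_architecture:
            return False, "link between function and code of practice not justified in architecture"
        if not h.cop_integration_evidence:
            return False, "no integration evidence of compliance with the code of practice"
        return True, "hazard controlled by " + ", ".join(h.cop_standards)
    if h.principle is Principle.REFERENCE_SYSTEM:
        conditions = {
            "proven in service and still authorised": h.ref_proven_and_authorised,
            "similar functions and interfaces": h.ref_similar_functions,
            "similar operating conditions": h.ref_similar_operating_conditions,
            "similar environmental conditions": h.ref_similar_environment,
        }
        missing = [name for name, ok in conditions.items() if not ok]
        if missing:
            return False, "reference system not comparable: " + "; ".join(missing)
        return True, "hazard accepted by similarity with the reference system"
    # Explicit risk estimation: only meaningful for (partly) electronic functions
    if h.target_sil is None:
        return False, "explicit risk estimation needs a SIL target"
    if not h.electronic:
        return False, "SIL can only be assigned to functions that are at least partly electronic"
    if not h.component_mtbf_hours:
        return False, "no failure rate data available for explicit risk estimation"
    rate = series_failure_rate(h.component_mtbf_hours)
    achieved = sil_for_rate(rate)
    return achieved >= h.target_sil, f"hazard rate {rate:.2e}/h achieves SIL-{achieved}, target SIL-{h.target_sil}"


# Constructed hazard log for the train door example; all values are illustrative only.
DOOR_HAZARD_LOG = [
    Hazard("H1", "door held closed by mechanical lock", electronic=False,
           principle=Principle.CODE_OF_PRACTICE,
           cop_standards=["<applicable door code of practice, placeholder>"],
           cop_in_architecture=True, cop_integration_evidence=True),
    Hazard("H2", "door control refuses opening without a safe command", electronic=True,
           principle=Principle.EXPLICIT_RISK_ESTIMATION, target_sil=4,
           component_mtbf_hours=[5e8, 4e8]),          # constructed MTBFs
    Hazard("H3", "window retains its glazing", electronic=False,
           principle=Principle.EXPLICIT_RISK_ESTIMATION, target_sil=4,
           component_mtbf_hours=[1e9]),
]


def assess_log(log: List[Hazard]) -> Dict[str, Tuple[bool, str]]:
    return {h.ident: assess(h) for h in log}


if __name__ == "__main__":
    for ident, (ok, why) in assess_log(DOOR_HAZARD_LOG).items():
        print(ident, "ACCEPTED" if ok else "OPEN", "-", why)
```

Running it leaves H1 and H2 accepted and H3 open: the window cannot be given a SIL target at all, so its entry has to be rewritten against a code of practice or a reference system, which is exactly the requirement-definition step the article says to settle first.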
At Leedeo Engineering , we are specialists in the development of RAMS projects, supporting RAM and Safety tasks at any level required, and both at the infrastructure or on-board equipment level.