Infrastructure Business: Canada and International
The Safety Case as a Living Document to Manage the System Safety Program
Copyright © 2012 Delcan Corporation. All rights reserved.
Outline of Presentation
1. Types of faults in rail signalling systems
2. Weaknesses in MIL-STD-882 System Safety as applied to systems in rail transit programs
3. Adaptations from EN 50126/50129
4. Using the System Safety Case as a management tool
Types of Faults
Faults affecting a safety-significant function fall into four groups; each has a characteristic origin and a characteristic means of control.

Fault type          | Origin                                              | Controlled through
--------------------|-----------------------------------------------------|---------------------------------------------
Systematic faults   | Inherent in the system                              | Quality & safety management, organization
Random failures     | Result of deterioration                             | Reliability prediction, maintenance
Human interactions  | Action causing a failure or unintended behaviour    | O&SHA, FMECA, manuals
External influences | EMI, temperature, vibration                         | Systematic, random or human error
A Comparison of Standards

        | MIL-STD-882                                                        | EN 50126/50129
--------|--------------------------------------------------------------------|-----------------------------------------------------------------------------
Purpose | Consistent evaluation of identified risks for systems, facilities  | Acceptance and approval of safety-related electronic systems in railway
        | and equipment                                                      | signalling
Method  | Tracking hazard resolution to acceptable risk levels; primarily    | RAMS management and engineering; management of RAMS using a consistent
        | addresses hazards originating from system design and hazardous    | approach and format
        | materials                                                          |
A Comparison of Standards (Method)

MIL-STD-882                                            | EN 50126/50129
-------------------------------------------------------|----------------------------------------------------------------------
5-step life cycle, cradle/grave                        | 14-step life cycle, cradle/grave
Safety organization, roles                             | same
Hazard identification & risk assessment                | Risk criteria differ
Risk reduction order of precedence                     | same
Analysis of select subsystems and system hazard rate   | Full analysis required, or proof that there is no safety-related function
Tracking hazard resolution to acceptable risk levels   | Reviewed at design completion (generic safety case)
Task-oriented                                          | Integrated systematic process for RAMS, safety management, quality management
Structure of a CENELEC Safety Case
System Requirements Specification → Safety Requirements Specification → Safety Case → Safety Assessment Report

The Safety Case itself is organized into six parts:
• Part 1: Definition of System
• Part 2: Quality Management Report
• Part 3: Safety Management Report
• Part 4: Technical Safety Report
• Part 5: Related Safety Cases
• Part 6: Conclusion
(Slide annotations: "Systematic / Human" and "Random / Human", marking which fault types the reports address.)
Structure of a Technical Safety Report
Section 1: Introduction
• Describes the safety design and technical safety principles
Section 2: Assurance of correct functional operation
• Under fault-free normal conditions
Section 3: Effects of faults
• In the event of random hardware faults or systematic faults
Section 4: Operation with external influences
Section 5: Safety-related application conditions
Section 6: Safety qualification tests
Cross-Acceptance of Generic Safety Cases
Safety cases are layered so that lower-level cases can be reused:
• Generic Products: Equipment a, Equipment b, Equipment c
• Generic Applications: Subsystem 1, Subsystem 2, Subsystem 3, Subsystem 4 (built from the generic products)
• Specific Applications: System A, System B (built from the generic applications)
Each higher-level safety case must address the safety-related application conditions of the cases it relies on.
Conclusions: Weaknesses of MIL-STD-882
• Little attention to control of systematic errors. The standard offers some support for safety management, but these tasks are not described in detail and in practice are seldom documented.
• Does not discuss quality management.
• The only significant element considered for safety acceptance is hazard resolution. Addresses hazards originating from system design, O&M manuals and hazardous materials.
• Does not emphasize integration of RAM with system safety. Accurate failure rate predictions are necessary to establish the system hazard rate.
Conclusions: Adaptations from EN 50126/50129
• Structured and comprehensive safety case
  - Integrates quality management, safety management and RAMS
  - Documents activities addressing systematic faults
  - Standard format facilitates development and review
  - Presents internal and independent safety assessments
• Incremental delivery of the safety case
  - Reduces risk to the system safety program before manufacture & installation
  - Verifies application conditions to ensure correct usage
• Cross-acceptance of generic safety cases
  - Complements system engineering and product development
  - Greatly reduces the effort to re-certify subsystems & products
Conclusions: The Safety Case as a Management Tool
• Populate the safety case in real time with project progress
  - Safety case writes itself; highly accurate
  - Checklist to monitor quality management, safety management and RAMS
  - Documents management and engineering activities
  - Note issues (with time-stamp) and resolutions
• Increased visibility for safety management & project management
  - Risks to the system safety program are clearly identified and assessed
  - Project decisions consider the impact on the system safety program
  - Helps align expectations across the program
• Positive impact on team dynamics
  - System safety is recognized as a contributing discipline, rather than "brakes"
  - Complements system engineering and product development
THANK YOU
www.delcan.com
Sue Cox, B.A.Sc., B.Math, System Safety Manager
Office: 905.917.3224 (Canada) [email protected]