Skip to product information
1 of 12

PayPal, credit cards. Download editable-PDF and invoice in 1 second!

GB/T 21562.2-2015 English PDF (GBT21562.2-2015)

GB/T 21562.2-2015 English PDF (GBT21562.2-2015)

Regular price $495.00 USD
Regular price Sale price $495.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: In 1-minute, 24-hr self-service. Click here GB/T 21562.2-2015 to get it for Purchase Approval, Bank TT...

GB/T 21562.2-2015: Railway applications -- Specification and demonstration of reliability, availability, maintainability and safety (RAMS) -- Part 2: Guide to the application for safety

This part of GB/T 21562 gives guidance on the safety process requirements of railway application systems specified in GB/T 21562-2008 and on the specific issues involved in the safety activities at various stages of the system life cycle (see 1.3). This part applies to all systems covered by the scope of GB/T 21562-2008. This part assumes that users are familiar with safety issues, but GB/T 21562-2008 lacks detailed guidance on certain safety issues.
GB/T 21562.2-2015
ICS 45.060
S 04
Railway applications - Specification and demonstration of
reliability, availability, maintainability and safety (RAMS) -
Part 2. Guide to the application for safety
Issued by. General Administration of Quality Supervision, Inspection and Quarantine;
Standardization Administration of the People's Republic of
Table of Contents
Foreword ... 5
Introduction ... 6
1 Scope ... 7
2 Normative references ... 9
3 Terms, definitions and abbreviations ... 9
3.1 Explanation of terms and definitions used in GB/T 21562-2008 ... 10 3.2 Other safety terms ... 15
3.3 Abbreviations ... 19
4 Guidelines for the concept of related organizations/entities and systems hierarchy and safety ... 20
4.1 Overview ... 20
4.2 Related organizations/entities in the system ... 20
4.3 Concepts of system level ... 21
4.4 Safety concept ... 23
5 General risk models and common functional hazard checklists for typical railway application systems ... 28
5.1 Overview ... 28
5.2 General risk model... 29
5.3 Risk assessment process ... 30
5.4 Application of risk assessment process ... 37
5.5 General function hazard checklist ... 45
6 Application guidelines for functional safety, functional safety requirements, SI objectives, risk apportionment, and SIL ... 49
6.1 Overview ... 49
6.2 Functional safety and technical safety ... 49
6.3 General considerations for risk apportionment ... 53
6.4 SI concept and SIL application ... 56
6.5 Fault-safety system guideline ... 69
7 Safety proof guide combined with probabilistic and deterministic methods ... 73
7.1 Overview ... 74
7.2 Safety argument ... 74
7.3 Deterministic methods ... 85
7.4 Probabilistic methods... 86
7.5 Combining deterministic and probabilistic methods ... 86
7.6 Methods for mechanical and hybrid (mechatronic) systems ... 87
8 Guidelines for risk acceptance principle ... 88
8.1 Overview ... 88
8.2 Application of risk acceptance principle ... 88
8.3 ALARP principle ... 90
8.4 GAMAB (GAME) principle ... 91
8.5 MEM (minimum endogenous mortality) safety principle (see D.3 in GB/T 21562-2008) ... 94
9 Basic element guide related to safety proof documents (safety arguments) ... 95
9.1 Overview ... 95
9.2 Use of safety arguments ... 96
9.3 Scope of safety arguments ... 96
9.4 Levels of safety argument... 97
9.5 Stages of safety argument ... 99
9.6 Safety argument structure ... 100
9.7 Safety assessment ... 106
9.8 Interface with existing systems ... 107
9.9 System mutual recognition criteria ... 108
Appendix A (Informative) Steps of risk assessment process ... 112
A.1 System definition ... 112
A.2 Hazard identification ... 113
A.3 Hazard records ... 118
A.4 Consequence analysis ... 119
A.5 Hazard control ... 121
A.6 Risk rating ... 122
Appendix B (Informative) Hazard checklist at the railway application system level ... 127
B.1 Overview ... 127
B.2 Examples of hazard classification based on affected people ... 128
B.3 Example of function-based hazard classification ... 133
Appendix C (Informative) Risk category classification method ... 137
C.1 Functional subdivision method (a) ... 137
C.2 System (constitution) decomposition method (b) ... 138
C.3 Hazard breakdown method (c) ... 139
C.4 Subdivision methods based on hazard cause (d) ... 140
C.5 Subdivision methods based on accident types (e) ... 141
Appendix D (Informative) British railway system risk model diagram ... 142 D.1 Building a risk model ... 142
D.2 Illustrative examples of the UK railway risk model ... 143
Appendix E (Informative) Technology and methods ... 148
E.1 Overview ... 148
E.2 Fast rating analysis ... 149
E.3 Structured assumption analysis ... 150
E.4 HAZOP ... 151
E.5 Status transition diagram ... 152
E.6 Message sequence diagram ... 152
E.7 Failure mode effect and criticality analysis - FMECA ... 153
E.8 Event tree analysis ... 154
E.9 Fault tree analysis ... 156
E.10 Risk map method ... 157
E.11 Other analysis techniques ... 158
E.12 Guide for deterministic method and probabilistic method ... 159
E.13 Selection of tools and methods ... 162
Appendix F (Informative) Graphical representation of availability concepts . 164 Appendix G (Informative) Example of establishing risk acceptance criteria . 166 G.1 Example of ALARP application ... 166
G.2 Copenhagen subway ... 170
Appendix H (Informative) Example of safety argument overview ... 172
H.1 Locomotive and rolling stock ... 172
H.2 Signal ... 175
H.3 Infrastructure ... 178
References ... 181
Railway applications - Specification and demonstration of
reliability, availability, maintainability and safety (RAMS) -
Part 2. Guide to the application for safety
1 Scope
1.1 This part of GB/T 21562 gives guidance on the safety process requirements of railway application systems specified in GB/T 21562-2008 and on the specific issues involved in the safety activities at various stages of the system life cycle (see 1.3). This part applies to all systems covered by the scope of GB/T 21562- 2008. This part assumes that users are familiar with safety issues, but GB/T 21562-2008 lacks detailed guidance on certain safety issues.
1.2 GB/T 21562-2008 is the basic RAMS standard for the top level of the system. This part is a supplement to GB/T 21562-2008 and applies only to the safety issues stated in 1.3.
1.3 This part only gives guidance on the following issues within the scope of GB/T 21562-2008.
a) The establishment of top-level generic risk models for the overall system of railway application to its major components (such as signals, rolling stock, and infrastructure, etc.), the definition of model components and their interactions;
b) The establishment of general function hazard checklists for railway
application systems (including high-speed lines, light rail and subways, etc.);
c) The application of risk acceptance principle in GB/T 21562-2008;
d) Application and examples of qualitative assessment of functional safety and tolerable risks in railway application systems;
e) The functional safety requirements and the definitions of assigning the safety objectives to the subsystems (e.g. railway application vehicles, door systems, braking systems, etc.);
f) The application of safety integrity levels at all stages of the system's life cycle;
Failures due to errors in any safety life cycle activity, within any phase, which cause it to fail under some particular combination of inputs or under some particular environmental condition.
[GB/T 21562-2008, Definition 3.42]
GB/T 20438.4-2006 gives a different definition of this term, but there is no substantial difference between the two, it is specifically defined as. failure to determine the cause, only the design or manufacturing process, operating procedures, documents or other related factors are modified, it is possible to eliminate this failure.
Note 1. Repair maintenance without change usually cannot eliminate the
cause of failure.
Note 2. Systematic failure can be caused by simulating the cause of failure. Note 3. Examples of systematic failures including human errors.
- Safety requirements specifications;
- Hardware design, manufacture, installation and operation;
- Software design and implementation.
Note 4. The failures of safety-related systems are classified into two types. random failure and system failure.
Tolerable risk
The maximum level of risk of a product that is acceptable to the railway authority.
[GB/T 21562-2008, Definition 3.43]
The railway authority (RA) is responsible for negotiating risk acceptance criteria and risk acceptance level with the safety regulatory authority (SRA) and providing it to the railway support industry (RSI) (see 5.3.2). The risk acceptance level is usually defined by the SRA or negotiated between the RA and the SRA. The risk acceptance level depends on national laws or
3.2 Other safety terms
This clause lists the safety terms not defined in GB/T 21562-2008 but used in Although each has a different meaning, these terms are closely related to each other. To avoid misunderstandings, the following differences in these terms shall be considered.
- Failure is the termination of the individual's ability to perform the required functions;
Note 1. After a failure occurs, the individual has a fault.
Note 2. ?€?Failure?€? is an event that is different from ?€?fault?€? as a state. - A fault is an individual condition manifested in the inability to perform the required function, but it is not included in the period of preventative maintenance, other planned actions, or loss of ability due to lack of external resources;
Note 3. Fault is usually the cause of the individual's own failure, but it can also exist without causing any failure.
- Errors are differences between calculated, observed, measured values or status and the actually determined or theoretically correct values or states; Note 4. Errors may be due to fault individuals, such as calculation errors caused by fault computer equipment.
- Human errors or mistakes are human activities that produce unexpected results.
The fault may be an incorrect signal value or an incorrect decision in the system. If a fault occurs, its resulting errors (such as incorrect information or system status) may affect the system.
If the functional unit is no longer able to perform the required function, a failure occurs, i.e. the failure is the result due to internal errors or failures and is observable at the system boundary. Errors or fault do not necessarily lead to failures. For example, internal error checking can correct errors. Therefore, failure is only a functional problem. It is related to the effect and has nothing to do with the physical integrity of the individual.
Functional safety
In the normal operating conditions and fault modes that respond to external stimulus, the safety depending on the system function, as shown in 6.2. 3.2.9
SRA. Safety Regulatory Authority (as defined in 3.1.7)
THR. Tolerate Hazard Rate, also known as the ?€?hazard occurrence rate?€?, the risk caused by this hazard is at an acceptable level (usually judged by accepted organizations as acceptable, such as RA, RSI and SRA negotiation, or SRA itself).
4 Guidelines for the concept of related organizations
/ entities and systems hierarchy and safety
4.1 Overview
Considering the interaction of the system and its environment, GB/T 21562- 2008 defines safety as ?€?avoiding unacceptable risk of harm?€?. This definition covers all aspects of safety, including functional and technical safety, health and safety issues, and human factors.
Clause 4 gives a description of the relevant organizations/entities in the railway application system. It further explains some basic concepts (such as risk, hazard, harm, and safety) in system level, safety, and risk assessment. It supplements the railway application RAMS analysis as well as the impact factors as given in 4.3 and 4.4 of GB/T 21562-2008.
4.2 Related organizations/entities in the system
Depending on the social/policy environment and organizational/management structure associated with the railway application system, there may be several organizations/entities performing different functions in each phase of the system life cycle. For the purpose of guidance, the organizations/entities are divided into three major categories (as defined in GB/T 21562-2008), as shown below (including 3.1.7).
- RA (Infrastructure management and/or railway application operator);
- SRA (Safety regulatory authority);
- RSI (System vendor/installer/manufacturer).
The roles and responsibilities of these organizations may change, or may be outsourced to some other participants or subcontractors, depending on.
- Social, policy or legal considerations;
- Size and complexity of the relevant system or subsystem;
System functions are the activities performed by the system as a whole. Function and structure are internal views that reflect the characteristics of the system and are related to the organization/entity responsible for system design. The environment consists of any object that affects or is affected by the system. - Any objects that is mechanically or electrically connected or otherwise connected by other methods of the system, such as electromagnetic
interference and heat sources;
- People and procedures that affect the system or are affected by the system during system operation.
Correct understanding of the boundary between the system under
consideration and the environment as well as its interaction with the
interconnected subsystems is a prerequisite for understanding how the system causes accidents and system hazards (see 6.2.2).
4.3.2 Railway application system environment and system level
Railway application systems usually operate in a socio-economic/policy
environment. The economics of designing, constructing, implementing, and using the system also depend on the socio-economic/policy environment.
Therefore, the system safety shall be considered from the current safety level of the system economy, the current safety level of the social environment, and the social/policy-allowed safety levels. No matter how safe the system is, systems that users cannot afford will reduce the safety in the social environment in which they are located.
Within the socio-economic/policy system, the relevant competent authorities of the railway application system are responsible for the balanced consideration of economy and safety, and formulate safety requirements and targets for the overall system safety risk level. Usually this target may not be suitable at the earlier period of the project, the organization/entity responsible for the system (such as design/configuration) can modify the target and submit it to the relevant authority for approval.
In accordance with the hierarchical structure of the system, the
organization/entity responsible for the railway application system (e.g., RA) shall establish the subsystem safety requirements and goals that correspond to the levels of risk allowed by the subsystems. Typically, the responsible organizations/entities for each level of system design/configuration define the safety requirements and goals for their subsystems; in some cases, the RA establishes safety requirements and goals for lower-level subsystems or specific risks.
identified and that their management responsibilities and measures are clearly defined and properly understood by the relevant organizations/entities. Introducing the concept of ?€?interface hazards?€? is very important, because these hazards are difficult to find in a single system, but they occur when different systems interact. Hazards at system boundary
Figure 2 describes the relationship between system boundaries, hazards, causes of hazards, and accidents (see Figure A.4 in ISO/IEC 14408.2012). This figure shows that when considering from the subsystem boundary (outside the subsystem), the failure or fault of the subsystem (i.e., the subsystem level hazard) is the cause of the system level hazard (inside the system). By using this concept, the structured hierarchical methods can be used for hazard analysis and hazard tracking in a nesting system, and for hazard identification and cause analysis at multiple system levels. This method is particularly suitable for the system development stage.
The hazards at the system boundary are only relevant to the function of the system under consideration. The description of hazards should consider all interactions with other related systems, these factors may reduce the hazards. Two examples are given below.
a) If a subsystem-related hazard is monitored by other subsystems, the
safety requirements for the hazard should consider the mitigation
measures implemented by the monitoring equipment and the subsequent
risk time;
b) At the subsystem level, the occlusion of axle-boxes on high-speed trains can be regarded as a hazard. If the vehicle is running on a line with
equipment monitoring (e.g., a shaft temperature detector), the safety
requirements for the hazard should consider the presence of the
monitoring equipment and the subsequent risk time.
Therefore, allocating safety requirements within the system is a detailed process that may require repeated iterations to ensure that the relevant responsible parties (such as the team responsible for the development of subsystems) correctly understand the safety requirements.
control risk), so these factors shall be considered comprehensively to establish risk tolerance criteria.
For the railway application system, the relevant authorities can classify people exposed risks in different ways, for example, they can be divided into three groups. passengers, railway application workers (i.e., personnel hired or contracted by RA or RSI, or authorized by RA to perform railway application specific tasks), and the general public. In these groups, the risk acceptance criteria for the three groups may be different due to the different levels of association with the system and the differences in capabilities that result in different risks. At the beginning of the project, it is advisable to consult with the relevant competent authorities to determine the specific criteria.
The level of risk faced by each group may also be affected by many factors. These factors include.
- Personnel exposure, such as the duration and frequency of contact hazards of personnel, as well as the probability of the personnel exposed to hazards to identify hazards, make timely response and actively take measures to avoid accidents;
- The duration of the hazard, such as the duration of the hazard, and the probability of the person being exposed to the hazard;
- Risk-triggering events and/or conditions that may cause accidents, as well as the overall possibility and probability of occurrence;
- A series of events/conditions of the triggering events or follow-up triggering events that may cause accident, and the accidents that result from it are less likely to occur as a whole but the consequences of the accident are serious.
Figure 3 shows an example of the above factors causing the accident to expand. It shall be noted that safety barrier (protection) measures can be set at the hazard level, triggering event level or accident level to reduce the risk. Triggering event and failure of safety barrier are necessary conditions for the accident.
consistent with the basic measurement method, to facilitate risk communication and comparison. For example, the damage occurrence rate depends on the
number of people affected (such as the number of employees involved in
maintenance and the number of working hours, etc.), traffic density, train mileage, passenger mileage, train or passenger hours, number of trips, number of train operations and landforms (such as number of tunnels, bridges, and crossings). The following subclauses outline the basic concepts of
normalization. Event rate (reference base for probability of occurrence)
The RA and the re...

View full details