www.ChineseStandard.us -- Field Test Asia Pte. Ltd.
GB/T 21562.2-2015 English PDF (GB/T21562.2-2015)
GB/T 21562.2-2015: Railway applications - Specification and demonstration of reliability, availability, maintainability and safety (RAMS) - Part 2: Guide to the application for safety
GB/T 21562.2-2015
GB
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 45.060
S 04
Railway applications - Specification and demonstration of reliability, availability, maintainability and safety (RAMS) - Part 2: Guide to the application for safety
ISSUED ON: DECEMBER 31, 2015
IMPLEMENTED ON: JULY 01, 2016
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
3.1 Explanation of terms and definitions used in GB/T 21562-2008
3.2 Other safety terms
3.3 Abbreviations
4 Guidelines for the concept of related organizations/entities and systems hierarchy and safety
4.1 Overview
4.2 Related organizations/entities in the system
4.3 Concepts of system level
4.4 Safety concept
5 General risk models and common functional hazard checklists for typical railway application systems
5.1 Overview
5.2 General risk model
5.3 Risk assessment process
5.4 Application of risk assessment process
5.5 General function hazard checklist
6 Application guidelines for functional safety, functional safety requirements, SI objectives, risk apportionment, and SIL
6.1 Overview
6.2 Functional safety and technical safety
6.3 General considerations for risk apportionment
6.4 SI concept and SIL application
6.5 Fail-safe system guideline
7 Safety proof guide combined with probabilistic and deterministic methods
7.1 Overview
7.2 Safety argument
7.3 Deterministic methods
7.4 Probabilistic methods
7.5 Combining deterministic and probabilistic methods
7.6 Methods for mechanical and hybrid (mechatronic) systems
8 Guidelines for risk acceptance principle
8.1 Overview
8.2 Application of risk acceptance principle
8.3 ALARP principle
8.4 GAMAB (GAME) principle
8.5 MEM (minimum endogenous mortality) safety principle (see D.3 in GB/T 21562-2008)
9 Basic element guide related to safety proof documents (safety arguments)
9.1 Overview
9.2 Use of safety arguments
9.3 Scope of safety arguments
9.4 Levels of safety argument
9.5 Stages of safety argument
9.6 Safety argument structure
9.7 Safety assessment
9.8 Interface with existing systems
9.9 System mutual recognition criteria
Appendix A (Informative) Steps of risk assessment process
A.1 System definition
A.2 Hazard identification
A.3 Hazard records
A.4 Consequence analysis
A.5 Hazard control
A.6 Risk rating
Appendix B (Informative) Hazard checklist at the railway application system level
B.1 Overview
B.2 Examples of hazard classification based on affected people
B.3 Example of function-based hazard classification
Appendix C (Informative) Risk category classification method
C.1 Functional subdivision method (a)
C.2 System (constitution) decomposition method (b)
C.3 Hazard breakdown method (c)
C.4 Subdivision methods based on hazard cause (d)
C.5 Subdivision methods based on accident types (e)
Appendix D (Informative) British railway system risk model diagram
D.1 Building a risk model
D.2 Illustrative examples of the UK railway risk model
Appendix E (Informative) Technology and methods
E.1 Overview
E.2 Fast rating analysis
E.3 Structured assumption analysis
E.4 HAZOP
E.5 State transition diagram
E.6 Message sequence diagram
E.7 Failure mode effect and criticality analysis - FMECA
E.8 Event tree analysis
E.9 Fault tree analysis
E.10 Risk map method
E.11 Other analysis techniques
E.12 Guide for deterministic method and probabilistic method
E.13 Selection of tools and methods
Appendix F (Informative) Graphical representation of availability concepts
Appendix G (Informative) Example of establishing risk acceptance criteria
G.1 Example of ALARP application
G.2 Copenhagen subway
Appendix H (Informative) Example of safety argument overview
H.1 Locomotive and rolling stock
H.2 Signal
H.3 Infrastructure
References
Railway applications - Specification and demonstration of reliability, availability, maintainability and safety (RAMS) - Part 2: Guide to the application for safety
1 Scope
1.1 This part of GB/T 21562 gives guidance on the safety process requirements for railway application systems specified in GB/T 21562-2008, and on the specific issues involved in the safety activities of the various phases of the system life cycle (see 1.3). This part applies to all systems within the scope of GB/T 21562-2008. It assumes that users are familiar with safety issues; it addresses those safety issues on which GB/T 21562-2008 gives no detailed guidance.
1.2 GB/T 21562-2008 is the basic, top-level RAMS standard for the system. This part supplements GB/T 21562-2008 and applies only to the safety issues listed in 1.3.
1.3 This part gives guidance only on the following issues within the scope of GB/T 21562-2008:
a) The establishment of top-level generic risk models for the overall railway application system and its major components (such as signalling, rolling stock and infrastructure), and the definition of the model components and their interactions;
b) The establishment of generic functional hazard checklists for railway application systems (including high-speed lines, light rail and metros);
c) The application of the risk acceptance principles of GB/T 21562-2008;
d) Application and examples of qualitative assessment of functional safety and tolerable risk in railway application systems;
e) Functional safety requirements and the apportionment of safety objectives to subsystems (e.g. railway vehicles, door systems, braking systems);
f) The application of safety integrity levels at all phases of the system life cycle;
Failures due to errors in any safety life cycle activity, within any phase, which cause the item to fail under some particular combination of inputs or under some particular environmental condition.
[GB/T 21562-2008, Definition 3.42]
GB/T 20438.4-2006 words this definition differently, but there is no substantive difference between the two. It defines a systematic failure as a failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors.
Note 1: Corrective maintenance without modification will usually not eliminate the failure cause.
Note 2: A systematic failure can be induced by simulating the failure cause.
Note 3: Examples of causes of systematic failures include human error in:
- the safety requirements specification;
- the design, manufacture, installation and operation of the hardware;
- the design and implementation of the software.
Note 4: The failures of a safety-related system are classified as either random failures or systematic failures.
3.1.12
Tolerable risk
The maximum level of risk of a product that is acceptable to the railway authority.
[GB/T 21562-2008, Definition 3.43]
The railway authority (RA) is responsible for negotiating the risk acceptance criteria and the risk acceptance level with the safety regulatory authority (SRA) and for communicating them to the railway support industry (RSI) (see 5.3.2). The risk acceptance level is usually set by the SRA or negotiated between the RA and the SRA, and depends on national law or regulation.
3.2 Other safety terms
This clause lists the safety terms not defined in GB/T 21562-2008 but used in
Although each has a distinct meaning, the terms failure, fault, error and human error are closely related. To avoid misunderstanding, the following distinctions between them shall be observed:
- Failure is the termination of the ability of an item to perform a required function;
Note 1: After a failure has occurred, the item has a fault.
Note 2: "Failure" is an event, as distinguished from "fault", which is a state.
- A fault is the state of an item characterized by its inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources;
Note 3: A fault is often the result of a failure of the item itself, but it may also exist without any prior failure.
- An error is a discrepancy between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition;
Note 4: An error can be caused by a faulty item, for example a computing error made by faulty computer equipment.
- Human error, or mistake, is a human action that produces an unintended result.
A fault may manifest itself as an incorrect signal value or an incorrect decision within the system. Once a fault exists, the errors it produces (such as incorrect information or an incorrect system state) may propagate through the system.
If a functional unit is no longer able to perform its required function, a failure has occurred: the failure is the consequence of internal errors or faults and is observable at the system boundary. Errors or faults do not necessarily lead to failures; for example, internal error checking may detect and correct an error before it reaches the boundary. Failure is therefore purely a functional notion: it concerns the effect, and is independent of the physical integrity of the item.
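The following Python model is an added illustration of the two passages above (the random/systematic distinction in the systematic-failure definition, and the fault, error, failure chain); it is not text or code from the standard. It simulates a 2-out-of-3 voted unit whose only boundary output is the voter's decision. The channel names, the invented fault modes "stuck_at_zero" and "off_by_one", and the required function y = 2x are all assumptions made for the demonstration. A single faulty channel produces an error that voting corrects, so there is a fault and an error but no failure at the boundary; two independent faults leave no majority and the unit fails safe; and the same systematic fault in two channels outvotes the healthy one, so the wrong value crosses the boundary while the voter believes it has masked an error, which is why redundancy alone does not protect against a design error repeated in every channel.

```python
"""Fault / error / failure in a 2-out-of-3 voted unit (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def required_function(x: int) -> int:
    """The required function every channel must deliver (assumed: y = 2x)."""
    return 2 * x


@dataclass
class Channel:
    """One redundant computing channel (an 'item').

    `fault` is a *state* of the channel (None = no fault). The fault names and
    their behaviours are invented for this demonstration.
    """
    name: str
    fault: Optional[str] = None

    def compute(self, x: int) -> int:
        if self.fault == "stuck_at_zero":      # e.g. a random hardware fault
            return 0                           # the wrong value is the *error*
        if self.fault == "off_by_one":         # e.g. a systematic design fault
            return required_function(x) + 1
        return required_function(x)


@dataclass
class Voter2oo3:
    """Majority voter: the only place the unit's output crosses the boundary."""
    channels: List[Channel]
    log: List[str] = field(default_factory=list)

    def output(self, x: int) -> Tuple[Optional[int], str]:
        """Return (value, status).

        "ok":        all channels agree.
        "masked":    a minority disagreed; its error was corrected by voting,
                     so no failure is visible at the boundary.
        "safe_fail": no majority; the output is inhibited. The required
                     function is not delivered (a failure), but safely.
        The voter cannot see required_function(); it only sees agreement.
        """
        votes = [c.compute(x) for c in self.channels]
        for v in votes:
            if votes.count(v) >= 2:
                outvoted = [c.name for c, r in zip(self.channels, votes) if r != v]
                if outvoted:
                    self.log.append(f"x={x}: error in {outvoted} masked by majority")
                    return v, "masked"
                return v, "ok"
        self.log.append(f"x={x}: no majority, output inhibited")
        return None, "safe_fail"


def run_scenarios(x: int = 5) -> Dict[str, Tuple[Optional[int], str]]:
    """Four constructed scenarios; compare each value with required_function(x)."""
    scenarios = {
        # no fault anywhere
        "healthy": [Channel("A"), Channel("B"), Channel("C")],
        # one random fault: fault + error, but no failure at the boundary
        "single_random_fault": [Channel("A", "stuck_at_zero"), Channel("B"), Channel("C")],
        # two independent faults: no majority, safe failure
        "two_independent_faults": [Channel("A", "stuck_at_zero"), Channel("B", "off_by_one"), Channel("C")],
        # the same systematic fault in two channels (common cause): the wrong
        # value wins the vote and leaves the boundary as a hazardous failure
        # that the voter reports as a masked error
        "common_cause_fault": [Channel("A", "off_by_one"), Channel("B", "off_by_one"), Channel("C")],
    }
    return {name: Voter2oo3(chs).output(x) for name, chs in scenarios.items()}


if __name__ == "__main__":
    for name, (value, status) in run_scenarios().items():
        verdict = "correct" if value == required_function(5) else "WRONG or inhibited"
        print(f"{name:24s} -> value={value!s:5s} status={status:9s} ({verdict})")
```

The last scenario is the practical point of Note 4 above: a random fault in one channel is tolerated by the architecture, whereas a systematic fault shared by the channels can only be removed by changing the design, and the voter's own log would record it as a successfully masked error.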
3.2.8
Functional safety
That part of safety which depends on the system performing its functions correctly in response to its inputs, both under normal operating conditions and in fault modes (see 6.2).
3.2.9
SRA: Safety Regulatory Authority (as defined in 3.1.7)
THR: Tolerable Hazard Rate, i.e. the rate of occurrence of a hazard at which the risk arising from that hazard is at a tolerable level (usually as judged tolerable by the accepting organizations, e.g. agreed among RA, RSI and SRA, or set by the SRA itself).
4 Guidelines for the concept of related organizations/entities and systems hierarchy and safety
4.1 Overview
Taking into account the interaction of a system with its environment, GB/T 21562-2008 defines safety as "freedom from unacceptable risk of harm". This definition covers all aspects of safety, including functional and technical safety, health and safety issues, and human factors.
Clause 4 describes the organizations/entities involved in a railway application system. It then explains some basic concepts (such as risk, hazard, harm and safety) in terms of system level, safety and risk assessment, supplementing the railway RAMS analysis and the influencing factors given in 4.3 and 4.4 of GB/T 21562-2008.
4.2 Related organizations/entities in the system
Depending on the social/policy environment and the organizational/management structure surrounding a railway application system, several organizations/entities may perform different functions in each phase of the system life cycle. For the purpose of this guidance they are grouped into the three categories defined in GB/T 21562-2008 (see also 3.1.7):
- RA (infrastructure manager and/or railway operator);
- SRA (safety regulatory authority);
- RSI (system vendor/installer/manufacturer).
The roles and responsibilities of these organizations may vary, or may be outsourced to other participants or subcontractors, depending on:
- social, policy or legal considerations;
- the size and complexity of the system or subsystem concerned;
System functions are the activities performed by the system as a whole. Function and structure are internal views that reflect the characteristics of the system and concern the organization/entity responsible for system design.
The environment consists of everything that affects or is affected by the system:
- any object that is mechanically, electrically or otherwise connected to the system, including sources of electromagnetic interference and heat;
- people and procedures that affect, or are affected by, the system during its operation.
A correct understanding of the boundary between the system under consideration and its environment, and of the system's interactions with interconnected subsystems, is a prerequisite for understanding how the system can cause accidents and system hazards (see 6.2.2).
4.3.2 Railway application system environment and system level
Railway application systems operate within a socio-economic/policy environment. The economics of designing, constructing, implementing and using the system also depend on that environment. System safety shall therefore be considered against the safety level that the system's economics currently permit, the current safety level of the social environment, and the safety level that society/policy allows. However safe a system is in itself, a system that users cannot afford lowers the safety of the social environment in which it is placed.
Within the socio-economic/policy system, the competent authorities for the railway application system are responsible for balancing economy against safety, and for formulating safety requirements and targets for the overall system safety risk level. Such a target may not be appropriate in the early period of a project; the organization/entity responsible for the s...