/CENELEC Phase 4/EIR/HL/Qualitative/Generic Safety Plan Template
Project Qualitative
Template for safety plan for railway signalling projects
Version: 7.0
Printed by: Holter
Printed on: 22 May 2003
Generated from DOORS V5.2 Copyright (c) 2003 UIC / Euro-Interlocking
Contents
1 Introduction, p. 1
1.1 Aims and objectives, p. 1
1.2 Scope (6.2.3.4 b), p. 1
1.3 Structure, p. 1
1.4 Terminology and definitions, p. 1
1.5 Maintaining the safety plan, p. 2
2 Background and requirements, p. 2
2.1 Summary of system (6.2.3.4 c,m), p. 2
2.2 Project description (6.2.3.4 a), p. 3
2.3 Safety requirements (6.2.3.4 f), p. 3
2.4 Risk assessment criteria (6.2.3.4 f), p. 3
2.5 Assumptions and constraints (6.2.3.4 n), p. 4
3 Safety management activities, p. 4
3.1 Safety roles and responsibilities phase 1-4 (6.2.3.4 d,f), p. 4
3.2 Safety life cycle and safety tasks (6.2.3.4 e), p. 7
3.2.1 Overview of the system life cycle as defined in CENELEC, p. 7
3.2.1.1 Phase 1: Concept (6.1), p. 7
3.2.1.2 Phase 2: System definition and application condition (6.2), p. 8
3.2.1.3 Phase 3: Risk analysis (6.3), p. 8
3.2.1.4 Phase 4: System requirements (6.4), p. 8
3.2.1.5 Phase 5: Apportionment of system requirements (6.5), p. 9
3.2.1.6 Phase 6: Design and implementation (6.6), p. 9
3.2.1.7 Phase 7: Manufacturing (6.7), p. 10
3.2.1.8 Phase 8: Installation (6.8), p. 10
3.2.1.9 Phase 9: System validation (6.9), p. 10
3.2.1.10 Phase 10: System acceptance (6.10), p. 10
3.2.1.11 Phase 11: Operation and maintenance (6.11), p. 11
3.2.1.12 Phase 12: Performance monitoring (6.12), p. 11
3.2.1.13 Phase 13: Modification and retrofit (6.13), p. 11
3.2.1.14 Phase 14: Decommissioning and disposal (6.14), p. 12
3.3 Safety analysis (6.2.3.4 f), p. 12
3.4 Safety deliverables (6.2.3.4 g), p. 13
3.5 Safety standards, p. 13
3.6 Safety assessment (6.2.3.4 f,p), p. 13
3.7 Safety audits (6.2.3.4 f,p), p. 14
3.8 Safety case and certification (6.2.3.4 h,i), p. 15
3.9 Contractor management (6.2.3.4 o), p. 15
3.10 Configuration management, p. 16
3.11 Safety training, p. 16
3.12 System operation, modification and maintenance (6.2.3.4 j,k), p. 16
4 Safety controls (6.2.3.4 p), p. 16
5 Safety documentation (6.2.3.4 f,l), p. 17
6 Safety engineering (6.2.3.4 f), p. 18
7 Validation and verification of external items (6.2.3.4 f), p. 19
8 References, p. 20
Generic Safety Plan Template Copyright (c) 2003 UIC / Euro-Interlocking Page 1 of 20
[GSP1-Com] 1 Introduction
[GSP2-Com] This chapter presents the aim, purpose, scope and structure of the safety plan.
[GSP3-Com] 1.1 Aims and objectives
[GSP4-Com] The aim of this generic safety plan is to present requirements and a structure that can be applied to a specific safety plan.
[GSP5-Com] The purpose of this document is to be a template for a specific safety plan. The intent is to issue this generic safety plan template, which is based on the EI requirements, to future suppliers as a guideline for their own safety plan.
[GSP6-Com] For the application of this template at a specific railway or supplier, the contents of the chapters will depend on the specific system’s safety integrity level (SIL).
[GSP7-Com] 1.2 Scope (6.2.3.4 b)
[GSP8-Req] The safety plan shall include a section describing its scope.
[GSP9-Com] The safety plan should state the life cycle phases the specific safety plan addresses, ref. 3.2.
[GSP10-Com] If the specific safety plan covers only some of the life cycle phases, only the relevant life cycle phases in this document should be applied, ref. 3.2.
[GSP11-Com] A specific safety plan for a supplier typically covers the middle life cycle phases 5-9, and a specific safety plan for railway authorities covers the initial phases 1-4 for requirement development and phases 10-14 for acceptance, operation and maintenance.
[GSP12-Com] 1.3 Structure
[GSP13-Com] The safety plan is set up according to the guidelines in Engineering Safety Management, issue 3, Yellow Book 3, January 2000 [2]. The numbers mentioned in the headings and in the text of this document refer to the numbering in EN 50126 [1].
[GSP14-Com] 1.4 Terminology and definitions
[GSP15-Com] The safety plan should include definitions of all relevant terms and abbreviations and a list of references to other documents.
[GSP16-Com] In this document the Railway Authority is defined as the body which is legally responsible for the railway infrastructure.
[GSP17-Com] 1.5 Maintaining the safety plan
[GSP18-Req] The safety plan shall be agreed on by the railway authority and the railway support industry for the system under consideration.
[GSP19-Req] The safety plan shall be implemented, reviewed and maintained throughout the life cycle of the system.
[GSP20-Com] 2 Background and requirements
[GSP21-Com] This section shall:
[GSP22-Com] a) Justify the approach taken, with reference to engineering safety management guidance such as the Yellow Book [2] and safety policies;
[GSP23-Com] b) Describe or refer to a description of any safety principles underpinning the approach to safety;
[GSP24-Com] c) Describe to the railway authority the aims, extent and context of the change to be made and provide or refer to a summary of the system or equipment, including interfaces to other systems or projects;
[GSP25-Com] d) State, or give a reference to, the safety requirement specifications;
[GSP26-Com] e) Briefly describe the risk assessment criteria that will be used to derive targets for risk tolerability;
[GSP27-Com] f) Describe or refer to the process for assigning safety functions to system elements;
[GSP28-Com] g) List assumptions or constraints of the project or system.
[GSP29-Com] Items c) and d) may be omitted from early issues, but shall be included when the appropriate activities have been carried out.
[GSP30-Com] 2.1 Summary of system (6.2.3.4 c,m)
[GSP31-Req] The safety plan shall include a description of the system.
[GSP32-Req] The safety plan shall include interfaces to other related programmes and plans.
[GSP33-Com] This section should include, or refer to, a description of the system, including interfaces to other related programmes.
Status of objects GSP1 to GSP33: Approved. Applicable to: All.
[GSP34-Com] 2.2 Project description (6.2.3.4 a)
[GSP35-Req] The safety plan shall include the policy and strategy for achieving safety.
[GSP36-Com] This section should briefly describe the conduct of the project, including a statement of compliance with the organisation’s safety policy, or a justification of an alternative approach.
[GSP37-Com] 2.3 Safety requirements (6.2.3.4 f)
[GSP38-Req] The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for:
[GSP39-Req] - Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of the system;
[GSP40-Req] - Hazard identification and analysis;
[GSP41-Req] - Risk assessment and on-going risk management;
[GSP42-Req] - Risk tolerability criteria;
[GSP43-Req] - The establishment and on-going review of the adequacy of the safety requirements;
[GSP44-Req] - System design;
[GSP45-Req] - Verification and validation;
[GSP46-Req] - Safety assessment, to achieve compliance between system requirements and realisation;
[GSP47-Req] - Safety audits, to achieve compliance of the management process with the safety plan;
[GSP48-Req] - Safety assessment, to achieve compliance between sub-system and system safety analysis.
[GSP49-Req] (Parts of the requirement relevant to this section are written in italic)
[GSP50-Com] This section should summarise the safety requirements or refer to them, and describe the process by which the safety requirements were established and maintained; where none are available, the safety plan should indicate how and when the safety requirements are to be determined.
[GSP51-Com] 2.4 Risk assessment criteria (6.2.3.4 f)
[GSP52-Req] The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for:
[GSP53-Req] - Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of the system;
[GSP54-Req] - Hazard identification and analysis;
[GSP55-Req] - Risk assessment and on-going risk management;
[GSP56-Req] - Risk tolerability criteria;
[GSP57-Req] - The establishment and on-going review of the adequacy of the safety requirements;
[GSP58-Req] - System design;
[GSP59-Req] - Verification and validation;
[GSP60-Req] - Safety assessment, to achieve compliance between system requirements and realisation;
[GSP61-Req] - Safety audits, to achieve compliance of the management process with the safety plan;
[GSP62-Req] - Safety assessment, to achieve compliance between sub-system and system safety analysis.
[GSP63-Req] (Parts of the requirement relevant to this section are written in italic)
[GSP64-Com] This section should include a brief description of the criteria used to derive risk tolerability targets for the system.
[GSP65-Com] 2.5 Assumptions and constraints (6.2.3.4 n)
[GSP66-Req] The safety plan shall include constraints and assumptions made in the plan.
[GSP67-Com] This section should include a list of any assumptions or constraints of the system or of the project.
[GSP68-Com] 3 Safety management activities
[GSP69-Com] 3.1 Safety roles and responsibilities phase 1-4 (6.2.3.4 d,f)
[GSP70-Req] The safety plan shall include details of roles, responsibilities, competencies and relationships of bodies undertaking tasks within the life cycle.
[GSP71-Req] The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for:
[GSP72-Req] - Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of the system;
[GSP73-Req] - Hazard identification and analysis;
[GSP74-Req] - Risk assessment and on-going risk management;
[GSP75-Req] - Risk tolerability criteria;
[GSP76-Req] - The establishment and on-going review of the adequacy of the safety requirements;
[GSP77-Req] - System design;
[GSP78-Req] - Verification and validation;
[GSP79-Req] - Safety assessment, to achieve compliance between system requirements and realisation;
[GSP80-Req] - Safety audits, to achieve compliance of the management process with the safety plan;
[GSP81-Req] - Safety assessment, to achieve compliance between sub-system and system safety analysis.
[GSP82-Req] (Parts of the requirement relevant to this section are written in italic)
[GSP83-Com] This section should identify the key safety personnel of the project, their roles, responsibilities, qualifications and experience, and the reporting lines between them.
[GSP84-Com] Note: the Project Manager retains overall accountability for safety even if he or she delegates responsibilities for engineering safety management activities.
[GSP85-Com] In particular, this section should identify the personnel allocated to manage and perform the following safety activities:
[GSP86-Com] - Defining safety requirements;
[GSP87-Com] - Leading the design, implementation or validation activities;
[GSP88-Com] - Performing safety analysis;
[GSP89-Com] - Liaising with regulatory bodies.
[GSP90-Com] The project manager should be responsible for:
[GSP91-Com] - Producing a safety plan;
[GSP92-Com] - Submitting the safety plan to the relevant safety authorities;
[GSP93-Com] - Where necessary, attending the safety endorsement meetings;
[GSP94-Com] - Ensuring safety documentation is produced as planned;
[GSP95-Com] - Commissioning safety audits and assessments as planned;
[GSP96-Com] - Initiating engineering safety management activities as planned;
[GSP97-Com] - Ensuring that all project staff have read and understood the safety plan;
[GSP98-Com] - Obtaining and allocating sufficient resources to implement the safety plan;
[GSP99-Com] - Ensuring competence of key staff;
[GSP100-Com] - Co-ordinating safety activities with other parts of the organisation, and with the client.
[GSP101-Com] If there is a project safety manager, he or she will typically be delegated responsibility for:
[GSP102-Com] - Producing a safety plan;
[GSP103-Com] - Submitting the safety plan to the relevant safety authorities;
[GSP104-Com] - Where necessary, attending endorsement meetings;
[GSP105-Com] - Ensuring safety documentation is produced as planned;
[GSP106-Com] - Commissioning safety audits and assessments as planned; and
[GSP107-Com] - Initiating engineering safety activities as planned.
[GSP108-Com] This section should define the specific safety responsibilities of the safety auditor and safety assessor.
[GSP109-Com] The safety auditor should audit the project to check for adequacy of the safety plan and compliance with the safety plan and any referenced standards and procedures.
[GSP110-Com] The safety assessor should assess the project to check for adequacy of the safety requirements and that the safety requirements are being met.
Status of objects GSP34 to GSP110: Approved. Applicable to: All.
[GSP111-Com] 3.2 Safety life cycle and safety tasks (6.2.3.4 e)
[GSP112-Req] The safety plan shall include a description of the system life cycle and the safety tasks to be undertaken within the life cycle, along with any dependencies.
[GSP113-Com] This section should define a project life cycle that describes the major phases of the project, and a safety life cycle that specifies the order in which the safety tasks are to be carried out. The system life cycle as described in the CENELEC standard EN 50126 should be used as a guideline.
[GSP114-Com] 3.2.1 Overview of the system life cycle as defined in CENELEC
[GSP396-Com] In the following sections, the main safety tasks for each phase in the life cycle are described.
[GSP115-Com] (Figure: the system life cycle phases arranged as a “V”. The boxes read: 1. Concept; 2. System definition & application conditions; 3. Risk analysis; 4. System requirements; 5. Apportionment of system requirements; 6. Design and implementation; 7. Manufacture; 8. Installation; 9. System validation including safety acceptance and commissioning; 10. System acceptance; 11. Operation and maintenance; 14. De-commissioning and disposal.)
[GSP118-Com] Figure 1 System life cycle – “V” Representation
[GSP119-Com] 3.2.1.1 Phase 1: Concept (6.1)
[GSP120-Com] Main safety tasks:
[GSP121-Com] - Identify sources of hazards that could affect the safety performance of the system (6.1.3.3).
[GSP122-Com] - Obtain information about previous safety requirements and past safety performance of similar and/or related systems (6.1.3.4 a).
[GSP123-Com] - Obtain information about identified sources of hazards to safety performance (6.1.3.4 b).
[GSP124-Com] - Obtain information about safety legislation and current railway authority safety policy and targets (6.1.3.4 c).
[GSP125-Com] - Perform assessment tasks related to this phase (6.1.5).
[GSP126-Com] 3.2.1.2 Phase 2: System definition and application condition (6.2)
[GSP127-Com] Main safety tasks:
[GSP128-Com] - Define the system mission profile, including safety targets (6.2.3.1 a).
[GSP129-Com] - Define the scope of the hazard analysis (6.2.3.1 d).
[GSP130-Com] - Perform preliminary hazard identification (6.2.3.2 b).
[GSP131-Com] - Establish a safety policy for the system, including requirements for a safety concept and the railway authority’s policy for resolving any conflicts arising between “availability” and “safety” (6.2.3.3).
[GSP132-Com] - Establish the safety plan (6.2.3.4).
[GSP133-Com] - Perform assessment tasks related to this phase (6.2.5).
[GSP134-Com] 3.2.1.3 Phase 3: Risk analysis (6.3)
[GSP135-Com] Main safety tasks:
[GSP136-Com] - Perform preliminary hazard analysis (6.3.3.1).
[GSP137-Com] - Determine and classify the acceptability of the risk associated with each identified hazard (6.3.3.2).
[GSP138-Com] - Establish the hazard log (6.3.3.3).
[GSP139-Com] - Perform verification and assessment tasks related to this phase (6.3.5).
[GSP140-Com] 3.2.1.4 Phase 4: System requirements (6.4)
[GSP141-Com] Main safety tasks:
[GSP142-Com] - Specify the overall safety requirements for the system (6.4.3.1).
[GSP143-Com] - Define acceptance criteria for the safety requirements (6.4.3.2).
[GSP144-Com] - Establish the verification and validation plan (6.4.3.2).
[GSP145-Com] - Amend the safety plan to ensure that the future tasks are consistent with the system’s emergent safety requirements (6.4.3.4).
[GSP146-Com] - Perform verification and assessment tasks related to this phase (6.4.5).
[GSP147-Com] 3.2.1.5 Phase 5: Apportionment of system requirements (6.5)
[GSP148-Com] Main safety tasks:
[GSP149-Com] - Allocate functional and safety requirements to sub-systems and components (6.5.3.1).
[GSP150-Com] - Review and update the safety plan and the verification and validation plan to ensure their continued applicability (6.5.3.3).
[GSP151-Com] - Perform verification and assessment tasks related to this phase (6.5.5).
[GSP152-Com] 3.2.1.6 Phase 6: Design and implementation (6.6)
[GSP153-Com] Main safety tasks:
[GSP154-Com] - Design the sub-systems and components to meet the safety requirements (6.6.3.1).
[GSP155-Com] - Realise the sub-systems and components to meet the safety requirements (6.6.3.2).
[GSP156-Com] - Establish plans for future life cycle tasks, including installation, commissioning, operation and maintenance, including definition of operation and maintenance procedures (6.6.3.3).
[GSP157-Com] - Define, verify and establish a manufacturing process capable of producing safety-validated sub-systems and components (6.6.3.4).
[GSP158-Com] - Prepare a generic product safety case (6.6.3.5 a).
[GSP159-Com] - Prepare a generic application safety case, if appropriate (6.6.3.5 b).
[GSP160-Com] - Perform the verification and assessment tasks related to this phase (6.6.5).
Status of objects GSP111 to GSP160 and GSP396: Approved. Applicable to: All.
Identifier
GSP161-Com
GSP162-Com
GSP163-Com
GSP164-Com
GSP165-Com
GSP166-Com
GSP167-Com
GSP168-Com
GSP169-Com
GSP170-Com
GSP171-Com
GSP172-Com
GSP173-Com
GSP174-Com
GSP175-Com
GSP176-Com
GSP177-Com
GSP178-Com
GSP179-Com
GSP180-Com
GSP181-Com
Template for safety plan for railway signalling projects
3.2.1.7 Phase 7: Manufacturing (6.7)
Main safety tasks:
- Verify and implement the manufacturing process (6.7.3.1).
- Preparation, verification and validation of operation and maintenance procedures (6.7.3.2).
- Perform verification and assessment tasks related to this phase (6.7.5).
3.2.1.8 Phase 8: Installation (6.8)
Main safety tasks:
- Document the installation process including the actions taken to resolve failures and incompatibilities (6.8.3.2).
- Review and update the safety plan to ensure that any changes to either the system or the procedures are recordedand effectively managed (6.8.3.3)
- Perform the verification and assessment tasks related to this phase (6.8.5).
3.2.1.9 Phase 9: System validation (6.9)
Main safety tasks:
- Validate the system according to the verification and validation plan (6.9.3.1)
- Commission the total system according to the commissioning plan (6.9.3.2).
- Prepare a specific application safety case (6.9.3.3)
- Establish and implement a process for the acquisition and assessment of operational data (6.9.3.3).
- Perform the verification and assessment tasks related to this phase (6.9.5)
3.2.1.10 Phase 10: System acceptance (6.10)
Main safety tasks:
- Assess all verification and validation tasks, especially of the specific application safety case (6.10.3.1).
- Formally accept the system for entry into service, if appropriate (6.10.3.2).
Status
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Applicable to
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
Printed 22 May 2003
Generic Safety Plan Template Copyright (c) 2003 UIC / Euro-Interlocking Page 11 of 20
Identifier
GSP182-Com
GSP183-Com
GSP184-Com
GSP185-Com
GSP186-Com
GSP187-Com
GSP188-Com
GSP189-Com
GSP190-Com
GSP191-Com
GSP192-Com
GSP193-Com
GSP194-Com
GSP195-Com
GSP196-Com
GSP197-Com
GSP198-Com
GSP199-Com
GSP200-Com
GSP201-Com
Template for safety plan for railway signalling projects
- Review and update the hazard log to record any residual hazards identified during system validation or acceptance(6.10.3.3).
- Perform verification and assessment tasks related to this phase (6.10.5).
3.2.1.11 Phase 11: Operation and maintenance (6.11)
Main safety tasks:
- Monitor the implementation of the system and its operation and maintenance procedures (6.11.3.1).
- Regular review and update of the operation and maintenance procedures (6.11.3.2 a).
- Regular review of the system training documentation (6.11.3.2 b).
- Regular review and update of the hazard log and safety case (6.11.3.2 c).
- Perform the verification and assessment tasks related to this phase (6.11.5).
3.2.1.12 Phase 12: Performance monitoring (6.12)
Main safety tasks:
- Establish, implement and regularly review a process for collecting operational performance and safety statistics(6.12.3.1).
- Establish, implement and regularly review a process for the acquisition, analysis and evaluation of performance andsafety data (6.12.3.1).
- Regularly checking that the assumptions made in the safety case remain valid (6.12.3.1).
- Analyse the performance and safety data to influence new operating and maintenance procedures (6.12.3.2).
- Perform the verification and assessment tasks related to this phase (6.12.5).
3.2.1.13 Phase 13: Modification and retrofit (6.13)
Main safety tasks:
- Establish a safety plan for the modification task (6.13.3.1).
- Establish, implement and regularly review a process to control the system modification and the retrofit (6.13.3.2).
Status
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Applicable to
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
Printed 22 May 2003
Generic Safety Plan Template Copyright (c) 2003 UIC / Euro-Interlocking Page 12 of 20
Identifier
GSP202-Com
GSP203-Com
GSP204-Com
GSP205-Com
GSP206-Com
GSP207-Com
GSP208-Req
GSP209-Req
GSP210-Req
GSP211-Req
GSP212-Req
GSP213-Req
GSP214-Req
GSP215-Req
GSP216-Req
GSP217-Req
GSP218-Req
GSP219-Req
GSP220-Com
Template for safety plan for railway signalling projects
- Perform the verification and assessment tasks related to this phase (6.13.5).
3.2.1.14 Phase 14: Decommissioning and disposal (6.14)
Main safety tasks:
- Establish the safety impact of decommissioning and disposal on any system or external facility associated with thesystem to be de-commissioned (6.14.3.1).
- Provide an analysis of safety life cycle performance to be used as an input for future systems (6.14.3.2).
3.3 Safety analysis (6.2.3.4 f)
The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the lifecycle, including processes for:
- Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of thesystem;
- Hazard identification and analysis;
- Risk assessment and on-going risk management;
- Risk tolerability criteria;
- The establishment and on-going review of the adequacy of the safety requirements;
- System design;
- Verification and validation
- Safety assessment, to achieve compliance between system requirements and realisation;
- Safety audits, to achieve compliance of the management process with the safety plan;
- Safety assessment to achieve compliance between sub-system and system safety analysis
(Parts of the requirement relevant to this section are written in italic)
This section defines the process of safety analysis to be used to determine the safety requirements for the project.The process should be tailored to each individual project
Status
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Applicable to
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
Printed 22 May 2003
Generic Safety Plan Template Copyright (c) 2003 UIC / Euro-Interlocking Page 13 of 20
Identifier
GSP221-Com
GSP222-Com
GSP223-Req
GSP224-Req
GSP225-Req
GSP226-Req
GSP227-Com
GSP228-Com
GSP229-Com
GSP230-Com
GSP231-Com
GSP232-Req
GSP233-Req
GSP234-Req
GSP235-Req
GSP236-Req
GSP237-Req
Template for safety plan for railway signalling projects
For each safety analysis activity, this section should provide details of responsibilities, documentation and timing ofdeliverables. This section should also state the criteria used to establish the tolerability for the identified risks.
3.4 Safety deliverables (6.2.3.4 g)
The safety plan shall include details of all safety-related deliverables from the life cycle, including:
- Documentation;
- Hardware;
- Software.
This section should detail the safety-related items (other than safety documentation) that are to be delivered duringthe project. They should include safety-related hardware and software, but may also include other items such asmaintenance procedures.
3.5 Safety standards
Any safety-related work shall be performed within a defined quality management system, which is compliant with anISO-9000 series standard.
This section shall state the procedures and standards to be followed by the project. Procedures may includereferences to project quality and technical plans and industry, national or international standards. The plan shouldstate the order of precedence of these procedures and standards, in case they are in conflict.
3.6 Safety assessment (6.2.3.4 f,p)
The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the lifecycle, including processes for:
- Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of thesystem;
- Hazard identification and analysis;
- Risk assessment and on-going risk management;
- Risk tolerability criteria;
- The establishment and on-going review of the adequacy of the safety requirements;
Status
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Applicable to
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
Printed 22 May 2003
Generic Safety Plan Template Copyright (c) 2003 UIC / Euro-Interlocking Page 14 of 20
Identifier
GSP238-Req
GSP239-Req
GSP240-Req
GSP241-Req
GSP242-Req
GSP243-Req
GSP244-Com
GSP245-Com
GSP246-Com
GSP247-Com
GSP248-Req
GSP249-Req
GSP250-Req
GSP251-Req
GSP252-Req
GSP253-Req
GSP254-Req
GSP255-Req
Template for safety plan for railway signalling projects
- System design;
- Verification and validation
- Safety assessment, to achieve compliance between system requirements and realisation;
- Safety audits, to achieve compliance of the management process with the safety plan;
- Safety assessment to achieve compliance between sub-system and system safety analysis.
(Parts of the requirement relevant to this section are written in italic)
The safety plan shall include requirements for periodic safety audits, safety assessment and safety review, throughoutthe life cycle and appropriate to the safety relevance of the system under consideration, including any personnelindependence requirements.
This section shall schedule a series of Safety Assessments to provide an authoritative, independent opinion onwhether or not a project will meet its safety requirements. The safety assessor should be independent of thedevelopment team.
This section shall address the safety assessment of suppliers, where suppliers are involved in safety-related work forthe project.
3.7 Safety audits (6.2.3.4 f,p)
The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the lifecycle, including processes for:
-- Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of thesystem;
- Hazard identification and analysis;
- Risk assessment and on-going risk management;
- Risk tolerability criteria;
- The establishment and on-going review of the adequacy of the safety requirements;
- System design;
- Verification and validation
Status
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Approved
Applicable to
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
Printed 22 May 2003
Generic Safety Plan Template Copyright (c) 2003 UIC / Euro-Interlocking Page 15 of 20
GSP256-Req  - Safety assessment, to achieve compliance between system requirements and realisation;
GSP257-Req  - Safety audits, to achieve compliance of the management process with the safety plan;
GSP258-Req  - Safety assessment to achieve compliance between sub-system and system safety analysis.
GSP259-Req  (Parts of the requirement relevant to this section are written in italic)
GSP260-Com  The safety plan shall include requirements for periodic safety audits, safety assessment and safety review, throughout the life cycle and appropriate to the safety relevance of the system under consideration, including any personnel independence requirements.
GSP261-Com  This section should schedule a series of safety audits to check compliance of the safety process with the safety plan. The safety auditor should be independent of the development team. This section should also address the safety audit of suppliers, where suppliers are involved in safety-related work for the project.
GSP262-Com  3.8 Safety case and certification (6.2.3.4 h,i)
GSP263-Req  The safety plan shall include a process to prepare system safety cases.
GSP264-Req  The safety case shall include a process for the safety approval of the system.
GSP265-Com  This section should provide or reference the completion criteria for the safety-related aspects of the project. This should include the procedures and approvals mechanisms to be adopted.
GSP266-Com  This section should make provision for the safety approval of the system. An endorsed safety case is required for safety approval and this section should state who will write the safety case, when it should be written, and which safety authorities will need to endorse it.
GSP267-Com  The project may agree to deliver evidence of safety in some form other than a safety case. For example, it is possible that a third-party safety certificate and a safety assessment report may be sufficient. Any such agreement should be recorded here.
GSP268-Com  3.9 Contractor management (6.2.3.4 o)
GSP269-Req  The safety plan shall include subcontractor management arrangements.
GSP270-Com  This section ensures that the work of suppliers is managed in such a manner that the parts of the system for which they are responsible meet the overall requirements. Suppliers should certify their products as compliant with the appropriate specifications. Their test plans should adequately demonstrate safety features. Where appropriate, references to test plan documentation should be made from the certification documentation.
Status: Approved; Applicable to: All (rows GSP256-Req to GSP270-Com)
GSP271-Com  Contracted items should be subject to the same safety analyses as those built in-house. Analyses and assessments conducted by suppliers should be used as an input to system level analyses. Safety targets for contracted work should be set by the project manager and agreed on by the supplier. The project manager should require the supplier to produce a safety plan compliant with the guidance, which the project manager should endorse.
GSP272-Com  This section should schedule safety audits and safety assessments of suppliers. It should include activities for assessing suppliers' engineering safety management and quality management systems where work is being carried out under the suppliers' systems, to ensure that they are of an acceptable standard.
GSP273-Com  3.10 Configuration management
GSP274-Com  This section should specify how configuration of system deliverables will be managed, normally referring to a separate configuration management plan for detail. This section should specify how systems, components and other equipment will be labelled to ensure that safety is not compromised by the use of faulty or untested equipment.
GSP275-Com  3.11 Safety training
GSP276-Com  This section should define any training requirements for personnel scheduled to perform safety-related activities and provide a plan or programme of training that meets those requirements.
GSP277-Com  3.12 System operation, modification and maintenance (6.2.3.4 j,k)
GSP278-Req  The safety plan shall include a process for safety approval of system modifications.
GSP279-Req  The safety plan shall include a process for analysing operation and maintenance performance to ensure realised safety is compliant with requirements.
GSP280-Com  This section outlines how operation and maintenance performance will be analysed to ensure compliance with requirements. It also describes the process and approval mechanisms for system modification and maintenance.
GSP281-Com  4 Safety controls (6.2.3.4 p)
GSP282-Req  The safety plan shall include requirements for periodic safety audits, safety assessment and safety reviews, throughout the life cycle and appropriate to the safety relevance of the system under consideration, including any personnel independence requirements.
GSP283-Com  This section specifies all aspects of quality controls that contribute to safety and normally refers to a separate quality plan for detail. It identifies any requirements for the use of equipment in restricted areas or restrictions to be imposed on the use of equipment in open areas. These requirements may cover training, security clearance or the use of specific safety-related procedures or controls.
Status: Approved; Applicable to: All (rows GSP271-Com to GSP283-Com)
GSP284-Com  This section should also record the signatories for each safety deliverable produced by the project. The signatories should include:
GSP285-Com  - The originator of the deliverable;
GSP286-Com  - The approver (i.e. the person who professionally accepts the technical work in the deliverable); and
GSP287-Com  - The authoriser (i.e. the person who is managerially responsible, normally the project manager).
GSP288-Com  5 Safety documentation (6.2.3.4 f,l)
GSP289-Req  The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for:
GSP290-Req  - Ensuring an appropriate degree of personnel independence in tasks, commensurate with the risk of the system;
GSP291-Req  - Hazard identification and analysis;
GSP292-Req  - Risk assessment and on-going risk management;
GSP293-Req  - Risk tolerability criteria;
GSP294-Req  - The establishment and on-going review of the adequacy of the safety requirements;
GSP295-Req  - System design;
GSP296-Req  - Verification and validation;
GSP297-Req  - Safety assessment, to achieve compliance between system requirements and realisation;
GSP298-Req  - Safety audits, to achieve compliance of the management process with the safety plan;
GSP299-Req  - Safety assessment to achieve compliance between sub-system and system safety analysis.
GSP300-Req  (Parts of the requirement relevant to this section are written in italic)
GSP301-Req  The safety plan shall include a process for the maintenance of safety-related documentation, including a hazard log.
Status: Approved; Applicable to: All (rows GSP284-Com to GSP301-Req)
GSP302-Com  This section should specify whether an incremental or non-incremental safety case is to be used and list the safety documentation to be produced. It should also specify when it is to be produced and the personnel to be responsible for producing it. This section should provide or reference a specification of the form, content, distribution and required endorsement for each document.
GSP303-Com  6 Safety engineering (6.2.3.4 f)
GSP304-Req  The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for:
GSP305-Req  - Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of the system;
GSP306-Req  - Hazard identification and analysis;
GSP307-Req  - Risk assessment and on-going risk management;
GSP308-Req  - Risk tolerability criteria;
GSP309-Req  - The establishment and on-going review of the adequacy of the safety requirements;
GSP310-Req  - System design;
GSP311-Req  - Verification and validation;
GSP312-Req  - Safety assessment, to achieve compliance between system requirements and realisation;
GSP313-Req  - Safety audits, to achieve compliance of the management process with the safety plan;
GSP314-Req  - Safety assessment to achieve compliance between sub-system and system safety analysis.
GSP315-Req  (Parts of the requirement relevant to this section are written in italic)
GSP316-Com  This section should specify mainstream engineering steps that are being taken to reduce risk (such as redundancy, protection systems, fail-safe design principles). The engineering activities specified should be appropriate to the safety integrity level of the system.
GSP317-Com  For each phase of the project, this section should identify the methods to be used, describe how traceability, verification and validation will be addressed and identify the documents to be produced. Each phase should be concluded with a planned verification activity (for example a programme of testing, a review or an inspection).
GSP318-Com  If the details above are specified in a separate quality plan, then this section should just refer to that plan.
Status: Approved; Applicable to: All (rows GSP302-Com to GSP318-Com)
GSP319-Com  The provision of specific engineering guidance is beyond the scope of this guidance. The project manager should draw on his engineering experience and competence to determine the appropriate engineering tasks for a particular project, and on best practice engineering as defined in the relevant standards.
GSP320-Com  This section should describe how a data reporting, analysis and corrective action system (DRACAS) will be implemented. This is a system for reporting, collecting, recording, analysing, investigating and taking timely corrective action on all incidents. It should be applied from the point at which a version of the system approximating to the final, operational version is available until the system is decommissioned.
GSP321-Com  7 Validation and verification of external items (6.2.3.4 f)
GSP322-Req  The Safety Plan shall include the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for:
GSP323-Req  - Ensuring an appropriate degree of personnel independence in tasks, commensurate with the risk of the system;
GSP324-Req  - Hazard identification and analysis;
GSP325-Req  - Risk assessment and on-going risk management;
GSP326-Req  - Risk tolerability criteria;
GSP327-Req  - The establishment and on-going review of the adequacy of the safety requirements;
GSP328-Req  - System design;
GSP329-Req  - Verification and validation;
GSP330-Req  - Safety assessment, to achieve compliance between system requirements and realisation;
GSP331-Req  - Safety audits, to achieve compliance of the management process with the safety plan;
GSP332-Req  - Safety assessment to achieve compliance between sub-system and system safety analysis.
GSP333-Req  (Parts of the requirement relevant to this section are written in italic)
GSP334-Com  This section should specify adequate controls to ensure that the risk arising from safety-related external items (such as tools, equipment and components that have been previously developed or purchased) has been reduced to an acceptable level.
GSP335-Com  This section should specify an approval procedure for the use of external items. The procedure should include the following steps:
Status: Approved; Applicable to: All (rows GSP319-Com to GSP335-Com)
GSP336-Com  1) Determine the extent to which the item in question will be used in a safety-related manner;
GSP337-Com  2) Obtain all documentation relevant to the item;
GSP338-Com  3) Assess the documentation;
GSP339-Com  4) Identify the item’s capabilities and limitations with respect to the project’s requirements;
GSP340-Com  5) Test the item’s safety-related features both with, and independently of, the new system;
GSP341-Com  6) Perform a risk assessment of the use of the item;
GSP342-Com  7) Perform a Safety Assessment of the supplier of the item.
GSP343-Com  The use of external items not subject to such an approval procedure should be justified in the Safety Plan. Non-approval may be justified in the following cases:
GSP344-Com  - Non-safety-related items justified as such by reference to the Hazard Log;
GSP345-Com  - Items for which there is extensive operational experience under the same conditions as the current system or equipment; or
GSP346-Com  - Items for which the relevant railway authority has granted safety approval in the application in question.
GSP347-Com  A similar procedure should apply to approving the upgrade or modification of previously approved external items already in use on the project.
GSP348-Com  8 References
GSP349-Com  [1] EN 50126, English version, September 1999
GSP350-Com  [2] Engineering Safety Management, issue 3, Yellow Book 3, January 2000. Volumes 1 and 2, Fundamentals and Guidance
Status: Approved; Applicable to: All (rows GSP336-Com to GSP350-Com)