
/CENELEC Phase 4/EIR/HL/Qualitative/Generic Safety Plan Template

Project Qualitative

Template for safety plan for railway signalling projects

Version: 7.0

Printed by: Holter

Printed on: 22 May 2003

Generated from DOORS V5.2 Copyright (c) 2003 UIC / Euro-Interlocking


Contents

| Section | Title | Page |
|---|---|---|
| 1 | Introduction | 1 |
| 1.1 | Aims and objectives | 1 |
| 1.2 | Scope (6.2.3.4 b) | 1 |
| 1.3 | Structure | 1 |
| 1.4 | Terminology and definitions | 1 |
| 1.5 | Maintaining the safety plan | 2 |
| 2 | Background and requirements | 2 |
| 2.1 | Summary of system (6.2.3.4 c,m) | 2 |
| 2.2 | Project description (6.2.3.4 a) | 3 |
| 2.3 | Safety requirements (6.2.3.4 f) | 3 |
| 2.4 | Risk assessment criteria (6.2.3.4 f) | 3 |
| 2.5 | Assumptions and constraints (6.2.3.4 n) | 4 |
| 3 | Safety management activities | 4 |
| 3.1 | Safety roles and responsibilities phase 1-4 (6.2.3.4 d,f) | 4 |
| 3.2 | Safety life cycle and safety tasks (6.2.3.4 e) | 7 |
| 3.2.1 | Overview of the system life cycle as defined in CENELEC | 7 |
| 3.2.1.1 | Phase 1: Concept (6.1) | 7 |
| 3.2.1.2 | Phase 2: System definition and application condition (6.2) | 8 |
| 3.2.1.3 | Phase 3: Risk analysis (6.3) | 8 |
| 3.2.1.4 | Phase 4: System requirements (6.4) | 8 |
| 3.2.1.5 | Phase 5: Apportionment of system requirements (6.5) | 9 |
| 3.2.1.6 | Phase 6: Design and implementation (6.6) | 9 |
| 3.2.1.7 | Phase 7: Manufacturing (6.7) | 10 |
| 3.2.1.8 | Phase 8: Installation (6.8) | 10 |
| 3.2.1.9 | Phase 9: System validation (6.9) | 10 |
| 3.2.1.10 | Phase 10: System acceptance (6.10) | 10 |
| 3.2.1.11 | Phase 11: Operation and maintenance (6.11) | 11 |
| 3.2.1.12 | Phase 12: Performance monitoring (6.12) | 11 |
| 3.2.1.13 | Phase 13: Modification and retrofit (6.13) | 11 |
| 3.2.1.14 | Phase 14: Decommissioning and disposal (6.14) | 12 |
| 3.3 | Safety analysis (6.2.3.4 f) | 12 |
| 3.4 | Safety deliverables (6.2.3.4 g) | 13 |
| 3.5 | Safety standards | 13 |
| 3.6 | Safety assessment (6.2.3.4 f,p) | 13 |
| 3.7 | Safety audits (6.2.3.4 f,p) | 14 |
| 3.8 | Safety case and certification (6.2.3.4 h,i) | 15 |
| 3.9 | Contractor management (6.2.3.4 o) | 15 |
| 3.10 | Configuration management | 16 |
| 3.11 | Safety training | 16 |
| 3.12 | System operation, modification and maintenance (6.2.3.4 j,k) | 16 |
| 4 | Safety controls (6.2.3.4 p) | 16 |
| 5 | Safety documentation (6.2.3.4 f,l) | 17 |
| 6 | Safety engineering (6.2.3.4 f) | 18 |
| 7 | Validation and verification of external items (6.2.3.4 f) | 19 |
| 8 | References | 20 |


Printed 22 May 2003

Generic Safety Plan Template Copyright (c) 2003 UIC / Euro-Interlocking Page 1 of 20

| Identifier | Template for safety plan for railway signalling projects | Status | Applicable to |
|---|---|---|---|
| GSP1-Com | **1 Introduction** | Approved | All |
| GSP2-Com | This chapter presents the aim, purpose, scope and structure of the safety plan. | Approved | All |
| GSP3-Com | **1.1 Aims and objectives** | Approved | All |
| GSP4-Com | The aim of this generic safety plan is to present requirements and a structure that can be applied to a specific safety plan. | Approved | All |
| GSP5-Com | The purpose of this document is to be a template for a specific safety plan. The intent is to issue this generic safety plan template, which is based on the EI requirements, to future suppliers as a guideline for their own safety plan. | Approved | All |
| GSP6-Com | For the application of this template at a specific railway or supplier, the contents of the chapters will depend on the specific system’s safety integrity level (SIL). | Approved | All |
| GSP7-Com | **1.2 Scope (6.2.3.4 b)** | Approved | All |
| GSP8-Req | The safety plan shall include a section describing its scope. | Approved | All |
| GSP9-Com | The safety plan should include the lifecycle phases the specific safety plan addresses, ref. 3.2. | Approved | All |
| GSP10-Com | If the specific safety plan covers only parts of the lifecycle phases, only the relevant lifecycle phases in this document should be applied, ref. 3.2. | Approved | All |
| GSP11-Com | A specific safety plan for a supplier typically covers the middle lifecycle phases 5-9, and a specific safety plan for railway authorities covers the initial phases 1-4 for requirement development and phases 10-14 for acceptance, operation and maintenance. | Approved | All |
| GSP12-Com | **1.3 Structure** | Approved | All |
| GSP13-Com | The safety plan is set up according to the guidelines in Engineering Safety Management, issue 3, Yellow Book 3, January 2000 [2]. The numbers mentioned in the headings and in the text of this document refer to the numbering in EN 50126 [1]. | Approved | All |
| GSP14-Com | **1.4 Terminology and definitions** | Approved | All |
| GSP15-Com | The safety plan should include definitions of all relevant terms and abbreviations and a list of references to other documents. | Approved | All |


| Identifier | Template for safety plan for railway signalling projects | Status | Applicable to |
|---|---|---|---|
| GSP16-Com | In this document the Railway Authority is defined as the body which is legally responsible for the railway infrastructure. | Approved | All |
| GSP17-Com | **1.5 Maintaining the safety plan** | Approved | All |
| GSP18-Req | The safety plan shall be agreed on by the railway authority and the railway support industry for the system under consideration. | Approved | All |
| GSP19-Req | The safety plan shall be implemented, reviewed and maintained throughout the life cycle of the system. | Approved | All |
| GSP20-Com | **2 Background and requirements** | Approved | All |
| GSP21-Com | This section shall: | Approved | All |
| GSP22-Com | a) Justify the approach taken, with reference to engineering safety management guidance such as the Yellow Book [2] and safety policies; | Approved | All |
| GSP23-Com | b) Describe or refer to a description of any safety principles underpinning the approach to safety; | Approved | All |
| GSP24-Com | c) Describe to the railway authority the aims, extent and context of the change to be made and provide or refer to a summary of the system or equipment, including interfaces to other systems or projects; | Approved | All |
| GSP25-Com | d) State or refer to a reference to the safety requirement specifications; | Approved | All |
| GSP26-Com | e) Briefly describe the risk assessment criteria that will be used to derive targets for risk tolerability; | Approved | All |
| GSP27-Com | f) Describe or refer to the process for assigning safety functions to system elements; | Approved | All |
| GSP28-Com | g) List assumptions or constraints of the project or system. | Approved | All |
| GSP29-Com | Items c) and d) may be omitted from early issues, but shall be included when the appropriate activities have been carried out. | Approved | All |
| GSP30-Com | **2.1 Summary of system (6.2.3.4 c,m)** | Approved | All |
| GSP31-Req | The safety plan shall include a description of the system. | Approved | All |
| GSP32-Req | The safety plan shall include interfaces to other related programmes and plans. | Approved | All |
| GSP33-Com | This section should include, or refer to, a description of the system, including interfaces to other related programmes. | Approved | All |


| Identifier | Template for safety plan for railway signalling projects | Status | Applicable to |
|---|---|---|---|
| GSP34-Com | **2.2 Project description (6.2.3.4 a)** | Approved | All |
| GSP35-Req | The safety plan shall include the policy and strategy for achieving safety. | Approved | All |
| GSP36-Com | This section should briefly describe the conduct of the project, including a statement of compliance with the organisation’s safety policy, or a justification of an alternative approach. | Approved | All |
| GSP37-Com | **2.3 Safety requirements (6.2.3.4 f)** | Approved | All |
| GSP38-Req | The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for: | Approved | All |
| GSP39-Req | - Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of the system; | Approved | All |
| GSP40-Req | - Hazard identification and analysis; | Approved | All |
| GSP41-Req | - Risk assessment and on-going risk management; | Approved | All |
| GSP42-Req | - Risk tolerability criteria; | Approved | All |
| GSP43-Req | - The establishment and on-going review of the adequacy of the safety requirements; | Approved | All |
| GSP44-Req | - System design; | Approved | All |
| GSP45-Req | - Verification and validation; | Approved | All |
| GSP46-Req | - Safety assessment to achieve compliance between system requirements and realisation; | Approved | All |
| GSP47-Req | - Safety audits to achieve compliance of the management process with the safety plan; | Approved | All |
| GSP48-Req | - Safety assessment to achieve compliance between sub-system and system safety analysis. | Approved | All |
| GSP49-Req | (Parts of the requirement relevant to this section are written in italic) | Approved | All |
| GSP50-Com | This section should summarise the safety requirements or refer to them and describe the process by which the safety requirements were established and maintained; where none are available, the safety plan should indicate how and when the safety requirements are to be determined. | Approved | All |
| GSP51-Com | **2.4 Risk assessment criteria (6.2.3.4 f)** | Approved | All |


| Identifier | Template for safety plan for railway signalling projects | Status | Applicable to |
|---|---|---|---|
| GSP52-Req | The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for: | Approved | All |
| GSP53-Req | - Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of the system; | Approved | All |
| GSP54-Req | - Hazard identification and analysis; | Approved | All |
| GSP55-Req | - Risk assessment and on-going risk management; | Approved | All |
| GSP56-Req | - Risk tolerability criteria; | Approved | All |
| GSP57-Req | - The establishment and on-going review of the adequacy of the safety requirements; | Approved | All |
| GSP58-Req | - System design; | Approved | All |
| GSP59-Req | - Verification and validation; | Approved | All |
| GSP60-Req | - Safety assessment to achieve compliance between system requirements and realisation; | Approved | All |
| GSP61-Req | - Safety audits to achieve compliance of the management process with the safety plan; | Approved | All |
| GSP62-Req | - Safety assessment to achieve compliance between sub-system and system safety analysis. | Approved | All |
| GSP63-Req | (Parts of the requirement relevant to this section are written in italic) | Approved | All |
| GSP64-Com | This section should include a brief description of the criteria used to derive risk tolerability targets for the system. | Approved | All |
| GSP65-Com | **2.5 Assumptions and constraints (6.2.3.4 n)** | Approved | All |
| GSP66-Req | The safety plan shall include constraints and assumptions made in the plan. | Approved | All |
| GSP67-Com | This section should include a list of any assumptions or constraints of the system or of the project. | Approved | All |
| GSP68-Com | **3 Safety management activities** | Approved | All |
| GSP69-Com | **3.1 Safety roles and responsibilities phase 1-4 (6.2.3.4 d,f)** | Approved | All |
| GSP70-Req | The safety plan shall include details of roles, responsibilities, competencies and relationships of bodies undertaking tasks within the life cycle. | Approved | All |


| Identifier | Template for safety plan for railway signalling projects | Status | Applicable to |
|---|---|---|---|
| GSP71-Req | The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for: | Approved | All |
| GSP72-Req | - Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of the system; | Approved | All |
| GSP73-Req | - Hazard identification and analysis; | Approved | All |
| GSP74-Req | - Risk assessment and on-going risk management; | Approved | All |
| GSP75-Req | - Risk tolerability criteria; | Approved | All |
| GSP76-Req | - The establishment and on-going review of the adequacy of the safety requirements; | Approved | All |
| GSP77-Req | - System design; | Approved | All |
| GSP78-Req | - Verification and validation; | Approved | All |
| GSP79-Req | - Safety assessment, to achieve compliance between system requirements and realisation; | Approved | All |
| GSP80-Req | - Safety audits, to achieve compliance of the management process with the safety plan; | Approved | All |
| GSP81-Req | - Safety assessment to achieve compliance between sub-system and system safety analysis. | Approved | All |
| GSP82-Req | (Parts of the requirement relevant to this section are written in italic) | Approved | All |
| GSP83-Com | This section should identify the key safety personnel of the project, their roles, responsibilities, qualifications and experience, and the reporting lines between them. | Approved | All |
| GSP84-Com | Note: the Project Manager retains overall accountability for safety even if he or she delegates responsibilities for engineering safety management activities. | Approved | All |
| GSP85-Com | In particular, this section should identify the personnel allocated to manage and perform the following safety activities: | Approved | All |
| GSP86-Com | - Defining safety requirements; | Approved | All |
| GSP87-Com | - Leading the design, implementation or validation activities; | Approved | All |
| GSP88-Com | - Performing safety analysis; | Approved | All |
| GSP89-Com | - Liaising with regulatory bodies. | Approved | All |


| Identifier | Template for safety plan for railway signalling projects | Status | Applicable to |
|---|---|---|---|
| GSP90-Com | The project manager should be responsible for: | Approved | All |
| GSP91-Com | - Producing a safety plan; | Approved | All |
| GSP92-Com | - Submitting the safety plan to the relevant safety authorities; | Approved | All |
| GSP93-Com | - Where necessary, attending the safety endorsement meetings; | Approved | All |
| GSP94-Com | - Ensuring safety documentation is produced as planned; | Approved | All |
| GSP95-Com | - Commissioning safety audits and assessments as planned; | Approved | All |
| GSP96-Com | - Initiating engineering safety management activities as planned; | Approved | All |
| GSP97-Com | - Ensuring that all project staff have read and understood the safety plan; | Approved | All |
| GSP98-Com | - Obtaining and allocating sufficient resources to implement the safety plan; | Approved | All |
| GSP99-Com | - Ensuring competence of key staff; | Approved | All |
| GSP100-Com | - Co-ordinating safety activities with other parts of the organisation, and with the client. | Approved | All |
| GSP101-Com | If there is a project safety manager, he or she will typically be delegated responsibility for: | Approved | All |
| GSP102-Com | - Producing a safety plan; | Approved | All |
| GSP103-Com | - Submitting the safety plan to the relevant safety authorities; | Approved | All |
| GSP104-Com | - Where necessary, attending endorsement meetings; | Approved | All |
| GSP105-Com | - Ensuring safety documentation is produced as planned; | Approved | All |
| GSP106-Com | - Commissioning safety audits and assessments as planned; and | Approved | All |
| GSP107-Com | - Initiating engineering safety activities as planned. | Approved | All |
| GSP108-Com | This section should define the specific safety responsibilities of the safety auditor and safety assessor. | Approved | All |
| GSP109-Com | The safety auditor should audit the project to check for adequacy of the safety plan and compliance with the safety plan and any referenced standards and procedures. | Approved | All |
| GSP110-Com | The safety assessor should assess the project to check for adequacy of the safety requirements and that the safety requirements are being met. | Approved | All |


| Identifier | Template for safety plan for railway signalling projects | Status | Applicable to |
|---|---|---|---|
| GSP111-Com | **3.2 Safety life cycle and safety tasks (6.2.3.4 e)** | Approved | All |
| GSP112-Req | The safety plan shall include a description of the system life cycle and the safety tasks to be undertaken within the life cycle, along with any dependencies. | Approved | All |
| GSP113-Com | This section should define a project life cycle that describes the major phases of the project, and a safety life cycle that specifies the order in which the safety tasks are to be carried out. The system life cycle as described in the CENELEC standard 50126 should be used as a guideline. | Approved | All |
| GSP114-Com | **3.2.1 Overview of the system life cycle as defined in CENELEC** | Approved | All |
| GSP396-Com | In the following sections, the main safety tasks for each phase in the life cycle are described. | Approved | All |
| GSP115-Com | [Figure 1: “V” representation of the system life cycle. Phase boxes recovered from the figure: 1. Concept; 2. System definition & application conditions; 3. Risk analysis; 4. System requirements; 5. Apportionment of system requirements; 6. Design and implementation; 7. Manufacture; 8. Installation; 9. System validation including safety acceptance and commissioning; 10. System acceptance; 11. Operation and maintenance; 14. De-commissioning and disposal.] | Approved | All |
| GSP118-Com | Figure 1 System life cycle – “V” Representation | Approved | All |
| GSP119-Com | **3.2.1.1 Phase 1: Concept (6.1)** | Approved | All |


| Identifier | Template for safety plan for railway signalling projects | Status | Applicable to |
|---|---|---|---|
| GSP120-Com | Main safety tasks: | Approved | All |
| GSP121-Com | - Identify sources of hazards that could affect safety performance of the system (6.1.3.3). | Approved | All |
| GSP122-Com | - Obtain information about previous safety requirements and past safety performance of similar and/or related systems (6.1.3.4 a). | Approved | All |
| GSP123-Com | - Obtain information about identified sources of hazards to safety performance (6.1.3.4 b). | Approved | All |
| GSP124-Com | - Obtain information about safety legislation and current railway authority safety policy and targets (6.1.3.4 c). | Approved | All |
| GSP125-Com | - Perform assessment tasks related to this phase (6.1.5). | Approved | All |
| GSP126-Com | **3.2.1.2 Phase 2: System definition and application condition (6.2)** | Approved | All |
| GSP127-Com | Main safety tasks: | Approved | All |
| GSP128-Com | - Define the system mission profile, including safety targets (6.2.3.1 a). | Approved | All |
| GSP129-Com | - Define the scope of the hazard analysis (6.2.3.1 d). | Approved | All |
| GSP130-Com | - Perform preliminary hazard identification (6.2.3.2 b). | Approved | All |
| GSP131-Com | - Establish a safety policy for the system, including requirements for a safety concept and the railway authority’s policy for resolving any conflicts arising between “availability” and “safety” (6.2.3.3). | Approved | All |
| GSP132-Com | - Establish safety plan (6.2.3.4). | Approved | All |
| GSP133-Com | - Perform assessment tasks related to this phase (6.2.5). | Approved | All |
| GSP134-Com | **3.2.1.3 Phase 3: Risk analysis (6.3)** | Approved | All |
| GSP135-Com | Main safety tasks: | Approved | All |
| GSP136-Com | - Perform preliminary hazard analysis (6.3.3.1). | Approved | All |
| GSP137-Com | - Determine and classify the acceptability of the risk associated with each identified hazard (6.3.3.2). | Approved | All |
| GSP138-Com | - Establish hazard log (6.3.3.3). | Approved | All |
| GSP139-Com | - Perform verification and assessment tasks related to this phase (6.3.5). | Approved | All |
| GSP140-Com | **3.2.1.4 Phase 4: System requirements (6.4)** | Approved | All |


| Identifier | Template for safety plan for railway signalling projects | Status | Applicable to |
|---|---|---|---|
| GSP141-Com | Main safety tasks: | Approved | All |
| GSP142-Com | - Specify the overall safety requirements for the system (6.4.3.1). | Approved | All |
| GSP143-Com | - Define acceptance criteria for the safety requirements (6.4.3.2). | Approved | All |
| GSP144-Com | - Establish verification and validation plan (6.4.3.2). | Approved | All |
| GSP145-Com | - Amend the safety plan to ensure that the future tasks are consistent with the system’s emergent safety requirements (6.4.3.4). | Approved | All |
| GSP146-Com | - Perform verification and assessment tasks related to this phase (6.4.5). | Approved | All |
| GSP147-Com | **3.2.1.5 Phase 5: Apportionment of system requirements (6.5)** | Approved | All |
| GSP148-Com | Main safety tasks: | Approved | All |
| GSP149-Com | - Allocate functional and safety requirements to sub-systems and components (6.5.3.1). | Approved | All |
| GSP150-Com | - Review and update the safety plan and the verification and validation plan to ensure their continued applicability (6.5.3.3). | Approved | All |
| GSP151-Com | - Perform verification and assessment tasks related to this phase (6.5.5). | Approved | All |
| GSP152-Com | **3.2.1.6 Phase 6: Design and implementation (6.6)** | Approved | All |
| GSP153-Com | Main safety tasks: | Approved | All |
| GSP154-Com | - Design the sub-systems and components to meet the safety requirements (6.6.3.1). | Approved | All |
| GSP155-Com | - Realise the sub-systems and components to meet the safety requirements (6.6.3.2). | Approved | All |
| GSP156-Com | - Establish plans for future life cycle tasks, including installation, commissioning, operation and maintenance, including definition of operation and maintenance procedures (6.6.3.3). | Approved | All |
| GSP157-Com | - Define, verify and establish a manufacturing process capable of producing safety validated sub-systems and components (6.6.3.4). | Approved | All |
| GSP158-Com | - Prepare a generic product safety case (6.6.3.5 a). | Approved | All |
| GSP159-Com | - Prepare a generic application safety case if appropriate (6.6.3.5 b). | Approved | All |
| GSP160-Com | - Perform the verification and assessment tasks related to this phase (6.6.5). | Approved | All |


| Identifier | Template for safety plan for railway signalling projects | Status | Applicable to |
|---|---|---|---|
| GSP161-Com | **3.2.1.7 Phase 7: Manufacturing (6.7)** | Approved | All |
| GSP162-Com | Main safety tasks: | Approved | All |
| GSP163-Com | - Verify and implement the manufacturing process (6.7.3.1). | Approved | All |
| GSP164-Com | - Prepare, verify and validate the operation and maintenance procedures (6.7.3.2). | Approved | All |
| GSP165-Com | - Perform verification and assessment tasks related to this phase (6.7.5). | Approved | All |
| GSP166-Com | **3.2.1.8 Phase 8: Installation (6.8)** | Approved | All |
| GSP167-Com | Main safety tasks: | Approved | All |
| GSP168-Com | - Document the installation process, including the actions taken to resolve failures and incompatibilities (6.8.3.2). | Approved | All |
| GSP169-Com | - Review and update the safety plan to ensure that any changes to either the system or the procedures are recorded and effectively managed (6.8.3.3). | Approved | All |
| GSP170-Com | - Perform the verification and assessment tasks related to this phase (6.8.5). | Approved | All |
| GSP171-Com | **3.2.1.9 Phase 9: System validation (6.9)** | Approved | All |
| GSP172-Com | Main safety tasks: | Approved | All |
| GSP173-Com | - Validate the system according to the verification and validation plan (6.9.3.1). | Approved | All |
| GSP174-Com | - Commission the total system according to the commissioning plan (6.9.3.2). | Approved | All |
| GSP175-Com | - Prepare a specific application safety case (6.9.3.3). | Approved | All |
| GSP176-Com | - Establish and implement a process for the acquisition and assessment of operational data (6.9.3.3). | Approved | All |
| GSP177-Com | - Perform the verification and assessment tasks related to this phase (6.9.5). | Approved | All |
| GSP178-Com | **3.2.1.10 Phase 10: System acceptance (6.10)** | Approved | All |
| GSP179-Com | Main safety tasks: | Approved | All |
| GSP180-Com | - Assess all verification and validation tasks, especially of the specific application safety case (6.10.3.1). | Approved | All |
| GSP181-Com | - Formally accept the system for entry into service, if appropriate (6.10.3.2). | Approved | All |


| Identifier | Template for safety plan for railway signalling projects | Status | Applicable to |
|---|---|---|---|
| GSP182-Com | - Review and update the hazard log to record any residual hazards identified during system validation or acceptance (6.10.3.3). | Approved | All |
| GSP183-Com | - Perform verification and assessment tasks related to this phase (6.10.5). | Approved | All |
| GSP184-Com | **3.2.1.11 Phase 11: Operation and maintenance (6.11)** | Approved | All |
| GSP185-Com | Main safety tasks: | Approved | All |
| GSP186-Com | - Monitor the implementation of the system and its operation and maintenance procedures (6.11.3.1). | Approved | All |
| GSP187-Com | - Regularly review and update the operation and maintenance procedures (6.11.3.2 a). | Approved | All |
| GSP188-Com | - Regularly review the system training documentation (6.11.3.2 b). | Approved | All |
| GSP189-Com | - Regularly review and update the hazard log and safety case (6.11.3.2 c). | Approved | All |
| GSP190-Com | - Perform the verification and assessment tasks related to this phase (6.11.5). | Approved | All |
| GSP191-Com | **3.2.1.12 Phase 12: Performance monitoring (6.12)** | Approved | All |
| GSP192-Com | Main safety tasks: | Approved | All |
| GSP193-Com | - Establish, implement and regularly review a process for collecting operational performance and safety statistics (6.12.3.1). | Approved | All |
| GSP194-Com | - Establish, implement and regularly review a process for the acquisition, analysis and evaluation of performance and safety data (6.12.3.1). | Approved | All |
| GSP195-Com | - Regularly check that the assumptions made in the safety case remain valid (6.12.3.1). | Approved | All |
| GSP196-Com | - Analyse the performance and safety data to influence new operating and maintenance procedures (6.12.3.2). | Approved | All |
| GSP197-Com | - Perform the verification and assessment tasks related to this phase (6.12.5). | Approved | All |
| GSP198-Com | **3.2.1.13 Phase 13: Modification and retrofit (6.13)** | Approved | All |
| GSP199-Com | Main safety tasks: | Approved | All |
| GSP200-Com | - Establish a safety plan for the modification task (6.13.3.1). | Approved | All |
| GSP201-Com | - Establish, implement and regularly review a process to control the system modification and the retrofit (6.13.3.2). | Approved | All |
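The hazard log is the one artefact that the phase tasks above keep returning to: it is established in phase 3 (6.3.3.3) with the acceptability of each hazard's risk classified (6.3.3.2), updated at acceptance to record residual hazards (6.10.3.3), and regularly reviewed together with the safety case in operation (6.11.3.2 c). The Python sketch below is an added illustration and is not part of this template, of EN 50126 or of the Euro-Interlocking project. Its frequency and severity scales, the tolerability matrix, the `ACCEPTABLE` classes, the hazard entries and the phase sequence in `demo()` are all constructed for the example; a specific safety plan states its own risk assessment criteria under section 2.4 and would substitute them.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum

class Frequency(IntEnum):  # constructed qualitative scale, illustration only
    IMPROBABLE = 0
    REMOTE = 1
    OCCASIONAL = 2
    FREQUENT = 3

class Severity(IntEnum):  # constructed qualitative scale, illustration only
    INSIGNIFICANT = 0
    MARGINAL = 1
    CRITICAL = 2
    CATASTROPHIC = 3

# Constructed tolerability matrix, TOLERABILITY[frequency][severity]. A specific
# safety plan must replace it with the criteria it states under section 2.4.
TOLERABILITY = (
    ("negligible", "negligible", "tolerable", "tolerable"),
    ("negligible", "tolerable", "undesirable", "undesirable"),
    ("tolerable", "undesirable", "undesirable", "intolerable"),
    ("tolerable", "undesirable", "intolerable", "intolerable"),
)
ACCEPTABLE = frozenset({"negligible", "tolerable"})  # constructed: no further reduction needed

@dataclass
class Hazard:
    hazard_id: str
    description: str
    frequency: Frequency
    severity: Severity
    status: str = "open"                         # "open" or "closed"
    mitigations: list = field(default_factory=list)
    history: list = field(default_factory=list)  # (phase, note) audit trail

    def risk_class(self) -> str:
        return TOLERABILITY[self.frequency][self.severity]

class HazardLog:
    """Hazard log established in phase 3 (6.3.3.3) and kept through later phases."""

    def __init__(self) -> None:
        self._hazards: dict[str, Hazard] = {}

    def record(self, hazard: Hazard, phase: int) -> str:
        if hazard.hazard_id in self._hazards:
            raise ValueError(f"duplicate hazard id {hazard.hazard_id}")
        hazard.history.append((phase, f"recorded as {hazard.risk_class()}"))
        self._hazards[hazard.hazard_id] = hazard
        return hazard.risk_class()

    def mitigate(self, hazard_id: str, measure: str, phase: int,
                 frequency: Frequency | None = None, severity: Severity | None = None) -> str:
        # Attach a risk reduction measure and re-classify with the reduced scale values.
        h = self._hazards[hazard_id]
        h.mitigations.append(measure)
        if frequency is not None:
            h.frequency = frequency
        if severity is not None:
            h.severity = severity
        h.history.append((phase, f"{measure}; now {h.risk_class()}"))
        return h.risk_class()

    def closable(self, hazard_id: str) -> bool:
        # A hazard may be closed only once its classified risk is in an acceptable class.
        return self._hazards[hazard_id].risk_class() in ACCEPTABLE

    def close(self, hazard_id: str, justification: str, phase: int) -> None:
        h = self._hazards[hazard_id]
        if not self.closable(hazard_id):
            raise ValueError(f"{hazard_id} is still {h.risk_class()}; cannot close")
        h.status = "closed"
        h.history.append((phase, f"closed: {justification}"))

    def residual(self) -> list[str]:  # open hazards, i.e. what 6.10.3.3 records at acceptance
        return sorted(i for i, h in self._hazards.items() if h.status == "open")

    def blocking(self) -> list[str]:  # open hazards whose class is not acceptable
        return sorted(i for i in self.residual() if not self.closable(i))

    def review(self, phase: int) -> dict[str, str]:  # periodic review, 6.11.3.2 c
        for h in self._hazards.values():
            h.history.append((phase, f"reviewed; {h.risk_class()}"))
        return {i: h.risk_class() for i, h in self._hazards.items()}

def demo() -> HazardLog:
    """Constructed walk-through over phases 3, 6, 9 and 11 (sample hazards, not real data)."""
    log = HazardLog()
    log.record(Hazard("H-001", "proceed aspect shown while route is unset",
                      Frequency.OCCASIONAL, Severity.CATASTROPHIC), phase=3)
    log.record(Hazard("H-002", "stale point indication after power cycle",
                      Frequency.REMOTE, Severity.CRITICAL), phase=3)
    log.record(Hazard("H-003", "glare on maintenance terminal screen",
                      Frequency.FREQUENT, Severity.INSIGNIFICANT), phase=3)
    log.mitigate("H-001", "route-locking check before aspect change",
                 phase=6, frequency=Frequency.IMPROBABLE)
    log.close("H-001", "confirmed in interlocking validation tests", phase=9)
    log.review(phase=11)
    return log
```

Two design points carry the template's intent: `close()` refuses a hazard whose class is still outside the acceptable set, so `residual()` at acceptance cannot quietly hide an unmitigated hazard, and every change appends a `(phase, note)` entry to `history`, which is the trail the safety assessor (section 3.1) checks when confirming that the safety requirements are being met.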


| Identifier | Template for safety plan for railway signalling projects | Status | Applicable to |
|---|---|---|---|
| GSP202-Com | - Perform the verification and assessment tasks related to this phase (6.13.5). | Approved | All |
| GSP203-Com | **3.2.1.14 Phase 14: Decommissioning and disposal (6.14)** | Approved | All |
| GSP204-Com | Main safety tasks: | Approved | All |
| GSP205-Com | - Establish the safety impact of decommissioning and disposal on any system or external facility associated with the system to be decommissioned (6.14.3.1). | Approved | All |
| GSP206-Com | - Provide an analysis of safety life cycle performance to be used as an input for future systems (6.14.3.2). | Approved | All |
| GSP207-Com | **3.3 Safety analysis (6.2.3.4 f)** | Approved | All |
| GSP208-Req | The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for: | Approved | All |
| GSP209-Req | - Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of the system; | Approved | All |
| GSP210-Req | - Hazard identification and analysis; | Approved | All |
| GSP211-Req | - Risk assessment and on-going risk management; | Approved | All |
| GSP212-Req | - Risk tolerability criteria; | Approved | All |
| GSP213-Req | - The establishment and on-going review of the adequacy of the safety requirements; | Approved | All |
| GSP214-Req | - System design; | Approved | All |
| GSP215-Req | - Verification and validation; | Approved | All |
| GSP216-Req | - Safety assessment, to achieve compliance between system requirements and realisation; | Approved | All |
| GSP217-Req | - Safety audits, to achieve compliance of the management process with the safety plan; | Approved | All |
| GSP218-Req | - Safety assessment to achieve compliance between sub-system and system safety analysis. | Approved | All |
| GSP219-Req | (Parts of the requirement relevant to this section are written in italic) | Approved | All |
| GSP220-Com | This section defines the process of safety analysis to be used to determine the safety requirements for the project. The process should be tailored to each individual project. | Approved | All |


Identifier

GSP221-Com

GSP222-Com

GSP223-Req

GSP224-Req

GSP225-Req

GSP226-Req

GSP227-Com

GSP228-Com

GSP229-Com

GSP230-Com

GSP231-Com

GSP232-Req

GSP233-Req

GSP234-Req

GSP235-Req

GSP236-Req

GSP237-Req

Template for safety plan for railway signalling projects

For each safety analysis activity, this section should provide details of responsibilities, documentation and timing of deliverables. This section should also state the criteria used to establish the tolerability of the identified risks.

3.4 Safety deliverables (6.2.3.4 g)

The safety plan shall include details of all safety-related deliverables from the life cycle, including:

- Documentation;

- Hardware;

- Software.

This section should detail the safety-related items (other than safety documentation) that are to be delivered during the project. They should include safety-related hardware and software, but may also include other items such as maintenance procedures.

3.5 Safety standards

Any safety-related work shall be performed within a defined quality management system, which is compliant with an ISO 9000 series standard.

This section shall state the procedures and standards to be followed by the project. Procedures may include references to project quality and technical plans and to industry, national or international standards. The plan should state the order of precedence of these procedures and standards, in case they are in conflict.

3.6 Safety assessment (6.2.3.4 f,p)

The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the lifecycle, including processes for:

- Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of the system;

- Hazard identification and analysis;

- Risk assessment and on-going risk management;

- Risk tolerability criteria;

- The establishment and on-going review of the adequacy of the safety requirements;

(DOORS objects GSP238-Req to GSP255-Req; Status: Approved; Applicable to: All)

- System design;

- Verification and validation;

- Safety assessment, to achieve compliance between system requirements and realisation;

- Safety audits, to achieve compliance of the management process with the safety plan;

- Safety assessment to achieve compliance between sub-system and system safety analysis.

(Parts of the requirement relevant to this section are written in italic)

The safety plan shall include requirements for periodic safety audits, safety assessment and safety review, throughout the life cycle and appropriate to the safety relevance of the system under consideration, including any personnel independence requirements.

This section shall schedule a series of safety assessments to provide an authoritative, independent opinion on whether or not the project will meet its safety requirements. The safety assessor should be independent of the development team.

This section shall address the safety assessment of suppliers, where suppliers are involved in safety-related work for the project.

3.7 Safety audits (6.2.3.4 f,p)

The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the lifecycle, including processes for:

- Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of the system;

- Hazard identification and analysis;

- Risk assessment and on-going risk management;

- Risk tolerability criteria;

- The establishment and on-going review of the adequacy of the safety requirements;

- System design;

- Verification and validation;

(DOORS objects GSP256-Req to GSP270-Com; Status: Approved; Applicable to: All)

- Safety assessment, to achieve compliance between system requirements and realisation;

- Safety audits, to achieve compliance of the management process with the safety plan;

- Safety assessment to achieve compliance between sub-system and system safety analysis.

(Parts of the requirement relevant to this section are written in italic)

The safety plan shall include requirements for periodic safety audits, safety assessment and safety review, throughout the life cycle and appropriate to the safety relevance of the system under consideration, including any personnel independence requirements.

This section should schedule a series of safety audits to check compliance of the safety process with the safety plan. The safety auditor should be independent of the development team. This section should also address the safety audit of suppliers, where suppliers are involved in safety-related work for the project.

3.8 Safety case and certification (6.2.3.4 h,i)

The safety plan shall include a process to prepare system safety cases.

The safety plan shall include a process for the safety approval of the system.

This section should provide or reference the completion criteria for the safety-related aspects of the project. This should include the procedures and approval mechanisms to be adopted.

This section should make provision for the safety approval of the system. An endorsed safety case is required for safety approval, and this section should state who will write the safety case, when it should be written, and which safety authorities will need to endorse it.

The project may agree to deliver evidence of safety in some form other than a safety case. For example, it is possible that a third-party safety certificate and a safety assessment report may be sufficient. Any such agreement should be recorded here.

3.9 Contractor management (6.2.3.4 o)

The safety plan shall include subcontractor management arrangements.

This section should ensure that the work of suppliers is managed in such a manner that the parts of the system for which they are responsible meet the overall requirements. Suppliers should certify their products as compliant with the appropriate specifications. Their test plans should adequately demonstrate the safety features. Where appropriate, the certification documentation should reference the test plan documentation.

(DOORS objects GSP271-Com to GSP283-Com; Status: Approved; Applicable to: All)

Contracted items should be subject to the same safety analyses as those built in-house. Analyses and assessments conducted by suppliers should be used as an input to system-level analyses. Safety targets for contracted work should be set by the project manager and agreed by the supplier. The project manager should require the supplier to produce a safety plan compliant with this guidance, which the project manager should endorse.

This section should schedule safety audits and safety assessments of suppliers. Where work is being carried out under a supplier's own systems, it should include activities for assessing the supplier's engineering safety management and quality management systems, to ensure that they are of an acceptable standard.

3.10 Configuration management

This section should specify how the configuration of system deliverables will be managed, normally referring to a separate configuration management plan for detail. This section should specify how the system, components and other equipment will be labelled to ensure that safety is not compromised by the use of faulty or untested equipment.

3.11 Safety training

This section should define any training requirements for personnel scheduled to perform safety-related activities and provide a plan or programme of training that meets those requirements.

3.12 System operation, modification and maintenance (6.2.3.4 j,k)

The safety plan shall include a process for safety approval of system modifications.

The safety plan shall include a process for analysing operation and maintenance performance to ensure that realised safety is compliant with the requirements.

This section outlines how operation and maintenance performance will be analysed to ensure that realised safety complies with the requirements. It also describes the process and approval mechanisms for system modification and maintenance.

4 Safety controls (6.2.3.4 p)

The safety plan shall include requirements for periodic safety audits, safety assessment and safety reviews, throughout the life cycle and appropriate to the safety relevance of the system under consideration, including any personnel independence requirements.

This section specifies all aspects of quality control that contribute to safety and normally refers to a separate quality plan for detail. It identifies any requirements for the use of equipment in restricted areas, or restrictions to be imposed on the use of equipment in open areas. These requirements may cover training, security clearance or the use of specific safety-related procedures or controls.

(DOORS objects GSP284-Com to GSP301-Req; Status: Approved; Applicable to: All)

This section should also record the signatories for each safety deliverable produced by the project. The signatories should include:

- The originator of the deliverable;

- The approver (i.e. the person who professionally accepts the technical work in the deliverable); and

- The authoriser (i.e. the person who is managerially responsible, normally the project manager).

5 Safety documentation (6.2.3.4 f,l)

The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for:

- Ensuring an appropriate degree of personnel independence in tasks, commensurate with the risk of the system;

- Hazard identification and analysis;

- Risk assessment and on-going risk management;

- Risk tolerability criteria;

- The establishment and on-going review of the adequacy of the safety requirements;

- System design;

- Verification and validation;

- Safety assessment, to achieve compliance between system requirements and realisation;

- Safety audits, to achieve compliance of the management process with the safety plan;

- Safety assessment to achieve compliance between sub-system and system safety analysis.

(Parts of the requirement relevant to this section are written in italic)

The safety plan shall include a process for the maintenance of safety-related documentation, including a hazard log.

(DOORS objects GSP302-Com to GSP318-Com; Status: Approved; Applicable to: All)

This section should specify whether an incremental or non-incremental safety case is to be used and list the safety documentation to be produced. It should also specify when each document is to be produced and the personnel responsible for producing it. This section should provide or reference a specification of the form, content, distribution and required endorsement of each document.

6 Safety engineering (6.2.3.4 f)

The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for:

- Ensuring an appropriate degree of personnel independence in performing tasks, commensurate with the risk of the system;

- Hazard identification and analysis;

- Risk assessment and on-going risk management;

- Risk tolerability criteria;

- The establishment and on-going review of the adequacy of the safety requirements;

- System design;

- Verification and validation;

- Safety assessment, to achieve compliance between system requirements and realisation;

- Safety audits, to achieve compliance of the management process with the safety plan;

- Safety assessment to achieve compliance between sub-system and system safety analysis.

(Parts of the requirement relevant to this section are written in italic)

This section should specify the mainstream engineering steps that are being taken to reduce risk (such as redundancy, protection systems and fail-safe design principles). The engineering activities specified should be appropriate to the safety integrity level of the system.

For each phase of the project, this section should identify the methods to be used, describe how traceability, verification and validation will be addressed, and identify the documents to be produced. Each phase should be concluded with a planned verification activity (for example a programme of testing, a review or an inspection).

If the details above are specified in a separate quality plan, then this section should just refer to that plan.

(DOORS objects GSP319-Com to GSP335-Com; Status: Approved; Applicable to: All)

The provision of specific engineering guidance is beyond the scope of this document. The project manager should draw on their engineering experience and competence to determine the appropriate engineering tasks for a particular project, and on best-practice engineering as defined in the relevant standards.

This section should describe how a data reporting, analysis and corrective action system (DRACAS) will be implemented. This is a system for reporting, collecting, recording, analysing, investigating and taking timely corrective action on all incidents. It should be applied from the point at which a version of the system approximating to the final, operational version is available until the system is decommissioned.

7 Validation and verification of external items (6.2.3.4 f)

The safety plan shall include the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for:

- Ensuring an appropriate degree of personnel independence in tasks, commensurate with the risk of the system;

- Hazard identification and analysis;

- Risk assessment and on-going risk management;

- Risk tolerability criteria;

- The establishment and on-going review of the adequacy of the safety requirements;

- System design;

- Verification and validation;

- Safety assessment, to achieve compliance between system requirements and realisation;

- Safety audits, to achieve compliance of the management process with the safety plan;

- Safety assessment to achieve compliance between sub-system and system safety analysis.

(Parts of the requirement relevant to this section are written in italic)

This section should specify adequate controls to ensure that the risk arising from safety-related external items (such as tools, equipment and components that have been previously developed or purchased) has been reduced to an acceptable level.

This section should specify an approval procedure for the use of external items. The procedure should include the following steps:

(DOORS objects GSP336-Com to GSP350-Com; Status: Approved; Applicable to: All)

1) Determine the extent to which the item in question will be used in a safety-related manner;

2) Obtain all documentation relevant to the item;

3) Assess the documentation;

4) Identify the item’s capabilities and limitations with respect to the project’s requirements;

5) Test the item’s safety-related features both with, and independent to, the new system;

6) Perform a risk assessment of the use of the item;

7) Perform a Safety Assessment of the supplier of the item.

The use of external items not subject to such an approval procedure should be justified in the safety plan. Omitting the approval procedure may be justified in the following cases:

- Non-safety-related items, justified as such by reference to the hazard log;

- Items for which there is extensive operational experience under the same conditions as the current system or equipment; or

- Items for which the relevant railway authority has granted safety approval in the application in question.

A similar procedure should apply to approving the upgrade or modification of previously approved external items already in use on the project.

8 References

[1] EN 50126, English version, September 1999.

[2] Engineering Safety Management (Yellow Book 3), Issue 3, January 2000, Volumes 1 and 2: Fundamentals and Guidance.
