
European Commission Seventh Framework Programme

MODSafe Modular Urban Transport Safety and Security Analysis

Comparison of current safety lifecycle approaches

Deliverable No. D6.2


Doc Name: DEL_D6.2_TRIT_WP6_110104_V1.0.doc Date: 110104 ID: DEL_D6.2_TRIT_WP6_110104_V1.0 Revision: V1.0 Page 2/61

Contract No.: 218606
Document type: DEL
Version: V1.0
Status: Final
Date: 110104
WP: WP 6
Lead Author: Peter Wigger (TRIT), Mike Schick (TRIT)
Contributors (ModSafe): BME, INRETS, LU, Rail & Bus, RATP, UITP, UTC
Other Contributors: -
Description: Deliverable D6.2 V1.0
Document ID: DEL_D6.2_TRIT_WP6_110104_V1.0
Dissemination level: PU
Distribution: WP6/7/10

Document History:

Version | Date | Author | Modification [very short description]
V0.1 | 30-03-2010 | Mike Schick | Preparation of the structure
V0.2 | 28-05-2010 | Mike Schick | Preparation of the methodology (preparation for WP6 meeting)
V0.3 | 23-07-2010 | Peter Wigger, Mike Schick | Updated according to comments on V0.2
V0.4 | 11-08-2010 | Peter Wigger, Mike Schick | Update for WP6 review
V0.5 | 20-09-2010 | Peter Wigger, Mike Schick | Updated according to comments on V0.4 and WP6 meeting 2010-09-10
V0.6 | 12-10-2010 | Peter Wigger, Mike Schick | Updated according to comments on V0.5 and WP6 meeting 2010-10-06
V0.7 | 31-10-2010 | Peter Wigger, Mike Schick | Updated according to comments on V0.6
V0.8 | 08-12-2010 | Peter Wigger, Mike Schick | Updated according to comments of WP10 meeting 2010-11-04 and WP10 consensus building 25-11-2010
V0.9 | 20-12-2010 | Peter Wigger, Mike Schick | Updated according to comments of WP10 consensus building 17-12-2010
V1.0 | 04-01-2011 | Peter Wigger | Final version for delivery to EC (no change against V0.9)

Approval:

Authority | Name/Partner | Date
WP responsible | WP6 approval of V0.7 – TRIT | 31-10-2010
WP10 consensus | WP10 approval of V0.9 – RATP | 04-01-2011


Table of Contents

1. Introduction
  1.1 References
  1.2 Terms and Definitions
  1.3 Abbreviations
2. Objectives of the Work Package
3. Basis of the comparison
  3.1 Questionnaire
  3.2 Consistency Analysis
  3.3 Quantitative result matrix
  3.4 Quantitative overview of the results
  3.5 Consideration for the further comparison
4. Methodology
5. Comparison
  5.1 Activity comparison
    5.1.1 Grouping of questions
    5.1.2 Categorisation of explanations
    5.1.3 Group 1: Safety Regulatory Activities & Approval Process
    5.1.4 Group 2: Safety Management
    5.1.5 Group 3: Verification & Validation
    5.1.6 Group 4: Installation & Operation
  5.2 Coverage of regulation comparison
    5.2.1 Ranking of coverage of regulation
    5.2.2 Network overview
    5.2.3 National facts
    5.2.4 Discussion of results
  5.3 Aspect comparison
    5.3.1 Grade of Automation
    5.3.2 Cross-acceptance of products and sub-systems
    5.3.3 ISA tasks
    5.3.4 Distinction of the systems
    5.3.5 Handling of sub-systems
  5.4 Compliance to CENELEC Life Cycle comparison
    5.4.1 Grouping of Lifecycle steps and questions
    5.4.2 Compliance check
    5.4.3 Discussion of results
  5.5 Summarising comparison
6. Conclusion
7. Outlook to D6.3


Index of Tables

Table 1: Template of the questionnaire used for the survey in [MODSafe D6.1]
Table 2: Quantitative result matrix according to [MODSafe D6.1]
Table 3: Quantitative overview of the results from [MODSafe D6.1]
Table 4: The EU-countries considered, after the consistency analysis
Table 5: Grouping of the questions (overview)
Table 6: Caption for categorisation of results
Table 7: Categorisation of explanations
Table 8: Results related to group 1
Table 9: Results concerning group 2 - 4
Table 10: Ranking of regulation coverage – Level definitions
Table 11: Ranking of the regulation coverage
Table 12: Network overview opposed to level of regulation coverage
Table 13: National facts opposed to the level of regulation coverage
Table 14: Grades of Automation (refer to [MODUrban D80], Table 1)
Table 15: Safety Lifecycle steps matched to questions
Table 16: Abbreviations for categorisation of explanations
Table 17: Compliance to CENELEC LC
Table 18: Summarised results of the compliance check

Index of Figures

Figure 1: Relations and activities of D6.2
Figure 2: Overview of interdependencies and the workflow of the comparisons
Figure 3: Legislation pyramid
Figure 4: Results of the ranking mapped to the European mainland
Figure 5: Safety Lifecycle e.g. for a system (EN 50126, Figure 8)


1. Introduction

In Europe, Light Rail, Metros, Trams are characterized by a diversified landscape of safety requirements, safety models, roles and responsibilities, schemes for safety approval, acceptance and certification; however, there are convergences between some architectures and systems, [MODUrban D93].

There are currently no standardised procedures at the European level for bringing Urban Guided Transport into service. There are no common standard procedures in Europe for safety evaluation (each country applies its own safety conformity assessment). Recent applications have been increasingly assessed by taking into account the European standards EN 50126/50128/50129, [CENELEC].

Most Urban Guided Transport stakeholders believe that the development of European (and even worldwide) standards should be encouraged, in order to facilitate the voluntary reference to such standards by relevant national authorities and the various stakeholders, [MODUrban D93]. The European Commission is favouring this approach, notably through its support of major European research projects such as the MODSafe project.

This work package focuses on Metros, Light Rail Systems, and Trams, covering the whole transportation system including all sub-systems, e.g. signalling system or rolling stock. Heavy rail and urban commuter trains like “S-Bahn” in Germany or SNCF “RER” in France are not within the focus.

The main objective of this deliverable D6.2 is the comparison of the results of the survey gained in [MODSafe D6.1]. The objective of finding differences and / or similarities in the processes of the different EU countries shall reveal the regulation background and analyse the main phases of the safety lifecycles. The results will be used to propose a uniformly generic safety lifecycle for urban guided transport systems, as it is the task of D6.3.


1.1 References

Reference-ID Document title, identifier and version

[Case Study UK] Case Study UK /MODSafe D6.1/, Sub-clause 3.1
[Case Study FR] Case Study France /MODSafe D6.1/, Sub-clause 3.3
[Case Study HU] Case Study Hungary /MODSafe D6.1/, Sub-clause 3.2
[Case Study GER] Case Study Germany /MODSafe D6.1/, Sub-clause 3.5
[Case Study DK] Case Study Denmark /MODSafe D6.1/, Sub-clause 3.4
[CENELEC] EN 50126 "Railway applications – The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS)"; EN 50128 "Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems"; EN 50129 "Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling"
[GLOSSARY.en] MODSAFE Glossary - Deliverable No. D10.5
[MODSafe D1.1] WP 1 - MODSafe Deliverable - D1.1, First draft - State of the art on safety responsibilities and certification
[MODSafe D6.1] WP 6 - MODSafe Deliverable - D6.1, Survey of current lifecycle approaches
[MODSafe D7.1] WP 7 - MODSafe Deliverable D7.1, Survey of current AAC-procedures
[MODSafe DOW] MODSafe Annex 1 - Description of Work
[MODUrban D80] MODUrban Deliverable Report – WP21 – D80, Comprehensive operational, functional and performance requirements
[MODUrban D93] MODUrban Deliverable Report – WP23 – D93, Conformity Assessment, Guidelines for Functional and Technical Specifications
[TR 50506-1] PD CLC/TR 50506-1:2007 "Railway applications - Communication, signalling and processing systems" - Application guide for EN 50129 – Part 1: Cross-acceptance


1.2 Terms and Definitions

Term
Description

Gross Domestic Product
The Gross domestic product (GDP) is a measure for the economic activity. It is defined as the value of all goods and services produced less the value of any goods or services used in their creation. (http://epp.eurostat.ec.europa.eu/cache/ITY_SDDS/DE/tsieb010_esms.htm)

Light Rail
Light Rail Transit (LRT) is an electric rail-borne form of transport which can be developed in stages from a tram to a metro-like system operated partially on its own right-of-way. The general term ‘light transit’ covers those systems whose role and performance lie between a conventional bus service running on the highway at one extreme and an urban heavy rail or underground metropolitan railway at the other. Light rail systems are thus flexible and expandable. Source: http://www.uitp.org/public-transport/light-rail/index.cfm

Metros
Metropolitan railways are urban, electric transport systems with high capacity and a high frequency of service. Metros are totally independent from other traffic, road or pedestrians. They are consequently designed in tunnel, viaducts or on surface level but with physical separation. Metropolitan railways are the optimal public transport mode for a high capacity line or network service. Some systems run on rubber-tyres but are based on the same control-command principles as steel-wheel systems. In different parts of the world metro systems are also known as the underground, subway or tube. Source: http://www.uitp.org/Public-Transport/metro/index.cfm

Purchasing Power Standards
The volume index of GDP per capita in Purchasing Power Standards (PPS) is expressed in relation to the European Union (EU-27) average set to equal 100. If the index of a country is higher than 100, this country's level of GDP per head is higher than the EU average and vice versa. (http://epp.eurostat.ec.europa.eu/cache/ITY_SDDS/DE/tsieb010_esms.htm)

Tram
A tram is an urban electric rail-borne system sharing the track right-of-way with the general road traffic. It is a special kind of “Light Rail”.

Refer also to [GLOSSARY.en].


1.3 Abbreviations

Abbreviation | Description
ALARP | As Low As Reasonably Practicable (UK safety principle)
ATC | Automatic Train Control
BME | Budapest University of Technology and Economics
BOStrab | Verordnung über den Bau und Betrieb der Straßenbahnen (German Federal Regulations on the construction and operation of light rail transit systems)
CENELEC | Comité Européen de Normalisation Electrotechnique (European Committee for Electrotechnical Standardisation)
DOW | Description Of Work (refer to Sub-clause 1.1)
EC | European Commission
EN | European Norm
EU | European Union
GAME | Globalement Au Moins Equivalent (French safety principle)
GOA | Grade of Operation
GDP | Gross Domestic Product (refer to Sub-clause 1.2)
GER | Germany
ISA | Independent Safety Assessor
JvSFS | Järnvägsstyrelsens författningssamling (Swedish Railway Laws)
LC | LifeCycle
LRT | Light Rail Transit
LU | London Underground
MODSafe | Modular Urban Transport Safety and Security Analysis
MODUrban | Modular Urban Guided Rail System project
n/a | Not applicable
NoBo | Notified Body
PPS | Purchasing Power Standards (refer to Sub-clause 1.2)
ROGS | Railways and Other Guided Transport Systems (Safety) Regulations 2006
SLC | Safety LifeCycle
StrabVO | Verordnung über den Bau und den Betrieb von Straßenbahnen (Austrian Federal Regulations on the construction and operation of light rail transit systems)


TR | Technical Report
UITP | Union Internationale des Transports Publics (International Association of Public Transport)
UK | United Kingdom
VAL | Villeneuve-d’Ascq-Lille (Siemens Matra System)
V&V | Verification and Validation (according to [CENELEC])
WP | Work Package

Refer also to [GLOSSARY.en].


2. Objectives of the Work Package

This Chapter briefly describes the objectives of Work Package 6 (WP6) in general and the task of this deliverable in particular.

“The objective of WP6 is to identify common practices and/or similarities for the safety approval of guided urban transport systems, in particular ATC-Systems by safety authorities and other involved parties, throughout the different countries of the European Union. On this basis a potential common procedure for building, assessing and approving the different safety files will be developed and proposed bearing in mind the different responsibilities along the safety lifecycle and the roles and authorizations of the different actors.”, ([MODSafe DOW], Sub-clause B.1.3.5).

WP 6 comprises the following deliverables:

• Deliverable D6.1 - Survey on current safety lifecycle approaches

• Deliverable D6.2 - Comparison of current lifecycle approaches (this report)

This deliverable focuses on the comparison of the results of the survey carried out for [MODSafe D6.1]. The objective of finding similarities and/or differences in the processes of the different EU countries shall reveal the regulation background and analyse the main phases of the safety lifecycles. The results will be used to propose a uniformly generic safety lifecycle for guided urban transport systems.

• Deliverable D6.3 - Proposal of a common safety lifecycle approach

Relation to other Work Packages

Results of [MODSafe D1.1] have been used as input for starting the survey of the previous deliverable D6.1, as described in the [MODSafe DOW]. This input mainly refers to the case studies. Additionally, synergy effects have been used by sharing the results of the survey with WP7 ([MODSafe D7.1]), since Work Packages 6 and 7 have a common base. The relation to other WPs, deliverables and activities is depicted in Figure 1.


Figure 1: Relations and activities of D6.2


3. Basis of the comparison

The bases of the comparison and their interdependencies can be traced in Figure 1. All this information was considered either directly or indirectly. The following bases have a direct influence on this deliverable and are therefore briefly described here in terms of their origin, quality and usage for the upcoming comparisons. Taking these bases into account, first conclusions are drawn to filter the gathered information for relevance.

The related conclusions or additional information are presented in the corresponding Sub-clauses of this Chapter, in the form of tables or matrices.

Questionnaires

Within D6.1 Survey of current safety lifecycle approaches, the current European practices were investigated with the help of questionnaires. Detailed information on the process of gaining information, including the use of the questionnaires is given in [MODSafe D6.1], Chapter 2. A sample questionnaire is given within the following Sub-clause 3.1 of this report. The fields of this table are filled in with explanations (in italic), in order to clarify their intentions. Please note that the metro, light rail or tram systems listed in the header of the tables served as examples; these lists are not exhaustive but indicative.

Consistency Analysis

The answers and explanations delivered in the questionnaire replies have been analysed in terms of consistency. Sub-clause 3.2 provides additional clarification of ambiguous answers or explanations.

Quantitative overview of the results

The outcome of the survey has been discussed in Chapter 6 of the previous deliverable [MODSafe D6.1]. After the consistency analysis, the results of the questionnaires are displayed in a matrix format (see Table 2, Sub-clause 3.3). This matrix is a quantitative collection of the answers (yes/no) and therefore does not add information on the exact processes.

A summary of the answers is given in Table 3, Sub-clause 3.4, which provides an overview for evaluating the information given for each country. The intention of this table is therefore to give a high-level overview of the questionnaires’ outcome. This table is an input to the consideration for the further comparison.


Qualitative overview of the results

Qualitative answers on the processes, wherever explanations were given in the questionnaire replies, also serve as a basis for this deliverable, e.g. for the activity comparison in Sub-clause 5.1. The source of these explanations is Sub-clause 2.1 of [MODSafe D6.1].

Consideration for the further comparison

Due to the lack of systems (metros, light rails or trams) or insufficient information, some EU-countries are no longer considered (refer to Table 3 for results). Table 4 in Sub-clause 3.5 lists the EU-countries which are in the focus of WP6. The countries:

• Cyprus,

• Lithuania,

• Luxembourg,

• Malta and

• Slovenia

were not considered for the survey in D6.1, due to the fact that there are no urban rail systems in these countries.

Additionally:

• Bulgaria,

• Estonia,

• Finland,

• Latvia and

• Romania

are not considered (or just partly), due to a lack of information or predominantly “no” answers. Therefore it appears unreasonable to give exhaustive or adequate feedback on these countries’ processes. According to the [MODSafe DOW], a selection of a representative sub-set of the 27 member states is wanted.

Case studies

The case studies carried out for [MODSafe D6.1], Chapter 3, or respectively in [MODSafe D1.1], will be used to compare the complete lifecycle of chosen systems where the questionnaires do not cover all aspects, due to lack of answers / explanations and different goals. The collection of case studies was chosen for their different processes and treatments, in order to deliver a general view. Case studies were delivered for the following countries: Denmark, France, Germany, Hungary and United Kingdom.


3.1 Questionnaire

The table below shows the template; the sentences marked in italics are explanations that stand in for the missing contents of the table.

Name of the country addressed | Flag and Map (of the country addressed)
Metros | Names of cities (not exhaustive)
Trams / Light Rails | Names of cities (not exhaustive)

ITEM | Answer | Explanation
1. Are there Safety Regulatory Authorities appointed for metro, light rail or tram systems? | yes / no |
2. Is there any legal basis for the Safety Regulatory Authorities’ activities? | yes / no |
3. Are there any national rules or regulations by the Safety Regulatory Authorities for obtaining system approval? | yes / no |
4. Are there any national functional, technical or operational requirements to be fulfilled for obtaining system approval? | yes / no |
5. Is the involvement of Independent Safety Assessors regulated? | yes / no |
6. Is liability for safe and orderly operation clearly assigned? | yes / no |
7. Are metro, light rail or tram systems treated differently in terms of methods or requirements for obtaining system approval? | yes / no |
8. Are there mandatory risk acceptance criteria (e.g. ALARP, GAME) or codes of practice in use to obtain system approval? | yes / no |
9. Are there any requirements for safety management for entities involved (operators, maintainers, infrastructure owners, etc)? | yes / no |
10. Are there any regulations or guidelines describing generic safety targets for specified applications? If the answer is yes please explain how they are specified. | yes / no |
11. If the Safety Regulatory Authority is active, do they delve down into the sub-systems? If yes, explain who is in charge for these activities. | yes / no |


12. If the Safety Regulatory Authority is active, do they get involved in the maintenance and operation? If yes, explain who is in charge for proper operation and maintenance and supervision of these various activities. | yes / no |
13. Does the Safety Regulatory Authority monitor, promote and develop the safety regulatory framework? | yes / no |
14. Is determination of safety requirements and conducting risk analysis regulated? If yes, explain who is in charge for setting requirements / conducting risk analysis and who is in charge for acceptance of correctly determined safety requirements. | yes / no |
15. Is the initiation of a new specific application (e.g. building new line, renovation of signalling system, purchase of rolling stock, setting the requirements) regulated? If yes, explain who is in charge for initiation of the project and who allows the start of this project based on approved requirements. | yes / no |
16. Are verification and validation of installed equipment or delivered rolling stock prior to operation regulated; who is in charge for these activities and which kinds of documentation is necessary (e.g. safety case)? | yes / no |
17. Are there methods in use (e.g. EN50126) which are able to ensure system safety performance during the whole system lifecycle? | yes / no |
18. Is modification and retrofit of installed equipment or delivered rolling stock after start of operation regulated? If yes, explain who is in charge asking for acceptance for modification / retrofit and who is in charge to supervise these activities. | yes / no |
19. Is monitoring safety performance of installed equipment or delivered rolling stock after set in operation regulated? If yes, explain who is in charge for monitoring safety performance and who is in charge to supervise these activities. | yes / no |

Table 1: Template of the questionnaire used for the survey in [MODSafe D6.1]


3.2 Consistency Analysis

The answers and explanations collected with the questionnaires were provided by different sources. The questions Q1 – Q19 partly leave room for interpretation, which means the answers and explanations differ in terms of quality, quantity and focus. This consistency analysis gives additional guidance on how to understand or interpret the given answers in relation to the explanations.

The answers and explanations were discussed, for example, with regard to the following aspects of consistency:

• Linkage of the questions and answers for Q1 and Q2

• Explanations given in comparison to the answers (yes/no)

• Unambiguousness of the questions

Linkage of the questions and answers for Q1 and Q2

Safety Regulatory Authorities usually have a legal basis for their activities. A linkage of the answers of Q1 and Q2 is not necessarily given, but likely. It is discussed here in which way and for what reason the countries Belgium, Greece and Italy don’t have a linkage of appointed safety regulatory activities and a legal basis.

• Belgium: In the Belgian case the regional government is responsible, but there is no authority solely appointed for metro, light rail or tram systems. This is the reason for answering Q1 for Belgium with “no”.

• Greece: For Greece, the Ministry of transport appointed responsibility to Attiko Metro and further expert opinions from accredited bodies are used for metro, light rail and tram systems. This appointment is not based on a legal basis.

• Italy: The legislation about safety of transportation systems is in Italy a priori in process of development. This however has driven Q2 for Italy to “yes”.


Explanations given in comparison to the answers (yes/no)

Some of the answers clearly show grey zones; a potential “inconsistency” might arise from the explanation given for the particular question or for other questions on a related topic. In general all questions were meant to be answered unambiguously with “yes” or “no”; nevertheless this allocation might not fit for every question and country. Some answers could be both “yes” and “no”. As an example: methods are in use, but not frequently or regulated. In this case the answer given could be “yes” or “no”, depending on the focus. For the comparison of the results, an unambiguous allocation is necessary, even though there are multiple tendencies. The methods or procedures in use are considered in any case, because even “no” answers are categorised in the activity comparison of Sub-clause 5.1.

Unambiguousness of the questions

Some questions prompt for one or two more detailed explanations when the answer given is “yes”. Example: “…If yes, explain who is in charge…of these activities.” Nevertheless additional explanations were given in both cases, whether the answer was “yes” or not. These additional explanations help to understand the procedures or methods in use, even though there might not be a corresponding regulation. The related questions are Q10, Q11, Q12, Q14, Q15, Q18 and Q19.

The answers and explanations collected for [MODSafe D6.1] were not amended as a result of this consistency analysis; the results concluded in the related Appendix A are therefore valid as input for this deliverable. Table 2 lists these results, which are the basis for the comparisons.


3.3 Quantitative result matrix

Table 2: Quantitative result matrix according to [MODSafe D6.1]


3.4 Quantitative overview of the results

Table 3: Quantitative overview of the results from [MODSafe D6.1]


3.5 Consideration for the further comparison

Table 4: The EU-countries considered, after the consistency analysis.


4. Methodology

This Chapter briefly describes the methodology to achieve task 6.2 Identification of similarities within current safety lifecycle approaches in order to enable a reasonable comparison and get unambiguous results. Figure 2 gives an overview on the relations and the workflow, which shall help to understand the intentions behind the activities / outcomes and the line of argument.

On a general level quantitative and qualitative approaches shall enable an easy classification and indication for further comparisons. A qualitative comparison is performed in first place, and secondly, a quantitative comparison is performed - where it adds value.

Qualitative approaches (low level)

Questions answered with “yes” and “no” partly provide additional context through the explanations given. It has to be noted that the sources, and therefore the information, are diverse in terms of detail, focus and quality. Hence a direct comparison does not always seem possible or reasonable, which limits the answers that can be easily compared and matched.

Quantitative approaches (high level)

Quantitative approaches only consider the answers “yes” or “no” and therefore do not add any value regarding the specific context given with the explanations. This comparison shall provide an overview of the results gained with the qualitative approaches. Additionally these approaches shall help to determine which countries are to be examined in more detail.

Comparisons

The following activities have been performed for the purpose of comparison. While the upcoming paragraphs give a short introduction to each activity, a detailed description is given in the related Sub-clauses.

As a first step, the activity comparison (Sub-clause 5.1) adds value as it categorises the answers to each single question. This qualitative comparison takes the explanations into account and therefore enables a direct comparison of the answers / explanations. The questions are grouped according to their lifecycle relation; in this way a quick overview of similarities and differences is provided.

Secondly, the countries are ranked in a quantitative comparison. The coverage of regulation comparison (Sub-clause 5.2) therefore lists the countries in a ranking of coverage regulation, according to their “level of regulation”. The results of this comparison will be opposed to the activity comparison, network overview and national facts, in order to find interdependencies.

In accordance to the previous comparisons, an aspect comparison (Sub-clause 5.3) related to the safety lifecycle is discussed. The main aspects are the impact of grade of automation (GOA), the handling of cross-acceptance of products and sub-systems, the ISA tasks, the distinction of the systems on the process as well as the handling of sub-systems.

As the last comparison, the compliance to the CENELEC lifecycle (Sub-clause 5.4) is checked. The questions used are matched to each CENELEC lifecycle group. It is checked, in which way each single country already contributes to the well established railway standards EN5012x (refer to [CENELEC]), which are mentioned in the [MODSafe DOW] as a matter of focus.

All collected information and the resulting comparisons will be used to create a summarising comparison (Sub-clause 5.5) which identifies different / similar safety lifecycle approaches or strategies. This last activity grants a complete and detailed overview of current safety lifecycle approaches, compared and matched to each other.

Structure

The structure of each comparison is similar; after an introduction explaining the nature of each comparison and the methodology employed, the results are briefly given in terms of tables, matrices or continuous text. The Sub-clause might be closed with a comprehensive discussion of results, describing the outcomes and possible impacts.

Conclusion and outlook

All the listed activities help to compare the safety lifecycles and enable a final conclusion. The order of the activities of Chapter 5 partly depends on the conclusions of the previous ones. Whereas the summarising comparison (Sub-clause 5.5) merges all necessary information together, the Chapters 6 and 7 focus on summarising as well as interpreting the results and the impact on Deliverable 6.3.

Figure 2: Overview of interdependencies and the workflow of the comparisons


5. Comparison

Additional task descriptions for the following comparisons are given in the stated sub-clauses:

5.1 Activity comparison
5.1.1 Grouping of questions
5.1.2 Categorisation of explanations
5.1.3 Group 1: Safety Regulatory Activities & Approval Process
5.1.4 Group 2: Safety Management
5.1.5 Group 3: Verification & Validation
5.1.6 Group 4: Installation & Operation
5.2 Coverage of regulation comparison
5.2.1 Ranking of coverage of regulation
5.2.2 Network overview
5.2.3 National facts
5.3 Aspect comparison
5.3.1 Grade of automation
5.3.2 Cross-acceptance of products and sub-systems
5.3.3 ISA tasks
5.3.4 Distinction of the systems
5.3.5 Handling of sub-systems
5.4 Compliance to CENELEC LC comparison
5.4.1 Grouping of Lifecycle steps and questions
5.4.2 Compliance check
5.5 Summarising comparison

5.1 Activity comparison

Introduction

In a first step the questions are grouped according to their aim and lifecycle relation. In a second step each group is reviewed, involving the answers and explanations given. The explanations are categorised, in order to easily compare the current status. This procedure aims at identifying differences and similarities at a glance.

The following activities are performed:

• Grouping of questions (see Table 5),

• Categorisation of explanations given to “yes” and “no” answers (where possible)

• Evaluation of results

5.1.1 Grouping of questions

The following table lists the questions and matches them to the related groups:

Table 5: Grouping of the questions (overview)


5.1.2 Categorisation of explanations

Abbreviations categorise the answers according to Table 7. These categories conclude all given explanations on a high level and enable later on an easy comparison of the resulting patterns. More than one abbreviation can be matched to a country, especially when the questions prompt for more than one explanation, or the activities are diverse.

In general the categories are divided in 5 steps, starting with the highest:

• Legislation / Regulation (Act / Decree, Regulation)

• Authority (National / Regional)

• Standards / Procedures (e.g. CENELEC / National Standards / Procedures)

• Parties involved (e.g. Operator / ISA / Third Party)

• Others / Various

Table 8 and Table 9 display the results. All abbreviations and field information in use are listed in the following Table 6. It has to be noted that these abbreviations are no indicator of quality in terms of best practice, but countries with the same abbreviations can be presumed to follow similar (not necessarily the same) strategies. Conversely, countries with different abbreviations follow different strategies. In some cases explanations have been provided to “no” answers as well. They are categorised, but the colour for these fields stays orange, according to the “no” answer. This situation might appear in cases of:

• planned activities, but not yet in use

• methods in use, but not yet regulated

| Field information | Possible answer | Explanation / Description |
|---|---|---|
| Field colour | yes / no / n/a (not applicable) | The colour gives information on the quantitative answer related to the questions. A green field symbolises the answer “yes”, an orange field is an indicator for the answer “no”, whereas a grey field means “n/a” or that no answer or information was given. This information is adopted from Table 2. |
| Act | yes / no | Act, Law, Royal decision |
| Dec | yes / no | Decree, Regulation |
| NAu | yes / no | National Authority / Government / Safety Regulatory Authority |
| RAu / Cit | yes / no | Regional Authority / Government / Safety Regulatory Authority / City |
| CEN / NSt | yes / no | CENELEC / National Standards |
| Rul | yes / no | Rules, Code of practices, Procedures |
| Ope / IPr / RPe | yes / no | Operator / Infrastructure Provider / Responsible Person |
| ISA | yes / no | Independent Safety Assessor |
| TPa | yes / no | Third Party, Independent Expert |
| Oth | yes / no | Others / Various |

Table 6: Caption for categorisation of results


Table 7: Categorisation of explanations


Table 8: Results related to group 1

All abbreviations in use are listed in Table 6.

Table 9: Results concerning group 2 - 4

All abbreviations in use are listed in Table 6.

5.1.3 Group 1: Safety Regulatory Activities & Approval Process

Legislation

The following questions are taken into account, according to Table 5:

Q1: Are there Safety Regulatory Authorities appointed for metro, light rail or tram systems?

Q2: Is there any legal basis for the Safety Regulatory Authorities’ activities?

Considering Table 8, Safety Regulatory Authorities are appointed to metro, light rail and tram systems on a legal basis. The majority of the countries have responsible authorities either on national or regional level. Belgium, Greece and Italy are discussed in Sub-clause 3.2.

Countries with federal structures such as Austria, Belgium, Germany or Spain often have appointed Safety Regulatory Authorities on regional level for each federal state. In Spain the activities of the different autonomous regions considering these activities vary a lot. Unambiguous answers covering the whole nation are not possible.

The legal basis is generally given with acts, royal decisions (Belgium), decrees or regulations. The highest level of legislation is given by laws / acts in multiple countries. On the next lower level decrees and regulations have been established, specifying roles & responsibilities, processes & procedures, defining targets & requirements and partly referring to standards, such as CENELEC. Austria, Denmark and Germany share the BOStrab / Strab VO as a common basis. Other countries’ decrees / regulations are exclusively in use on national level.

Finally, standards and technical rules apply, first and foremost the European CENELEC standards. In addition or exclusively, national standards / rules & guidelines may apply, both for overall metro / light rail / tram systems and for sub-systems such as Rolling Stock and Signalling.

The following “legislation pyramid” depicts the hierarchy of legislation with the related acts, decrees / regulations and standards in use. This figure is not exhaustive, but indicative.


Figure 3: Legislation pyramid

Safety Regulatory Activities

The following questions are taken into account, according to Table 5:

Q11: If the Safety Regulatory Authority is active, do they delve down into the sub-systems? If yes, explain who is in charge for these activities.

Q12: If the Safety Regulatory Authority is active, do they get involved in the maintenance and operation? If yes, explain who is in charge for proper operation and maintenance and supervision of these various activities.

Q13: Does the Safety Regulatory Authority monitor, promote and develop the safety regulatory framework? (Remark: Q13 is corresponding with Q1)

Considering Table 8, most of the countries having appointed Safety Regulatory Authorities have also distinctive activities in safety regulation. Delving down into subsystems is standard for 2/3 of the authorities, whereas the involvement in maintenance and operation, or the monitoring, promotion and development of the regulatory framework is done in half of the member states.

Depending on the particular legislation background, authorities are responsible for delving down into subsystems. Maintenance and operation might be supervised by the authority, but is often the responsibility of the operator or respectively responsible person.

In multiple countries the Safety Regulatory Authority is at least monitoring or promoting the safety regulatory framework.


Approval Process

The following questions are taken into account, according to Table 5:

Q3: Are there any national rules or regulations by the Safety Regulatory Authorities for obtaining system approval?

Q4: Are there any national functional, technical or operational requirements to be fulfilled for obtaining system approval?

Q5: Is the involvement of Independent Safety Assessors regulated?

Q7: Are metro, light rail or tram systems treated differently in terms of methods or requirements for obtaining system approval?

Q8: Are there mandatory risk acceptance criteria (e.g. ALARP, GAME) or codes of practice in use to obtain system approval?

Considering Table 8, nearly every country follows rules and regulations for system approval; differences exist in how this goal is achieved. Most often acts and decrees / regulations give guidance, sometimes in combination with European and / or national standards. The approval is sometimes regulated by standards only or by special rules and practices.

Countries having appointed Safety Regulatory Activities mostly rely on decrees / regulations, coherent with European and national standards. In some cases guidance is given with specific rules or procedures which are also commonly in use and widen the national activities, especially when the appointed authority is not related to the government, e.g. operator.

The involvement of an Independent Safety Assessor is only regulated in a few countries, despite the fact that ISAs are commonly in use. The integration of an independent third party in the safety related processes is covered in diverse ways by authorities, decrees / regulations, CENELEC or rules. From case to case the authority, the operator or the supplier involve an Independent Safety Assessor for system approval on a voluntary basis. This applies for example to France, Germany, Italy and the United Kingdom.

For a comprehensive evaluation of Q7 concerning the different system treatment on approval procedure, refer to Sub-clause 5.3.4.

Risk criteria for obtaining system approval are mandatory in most member states. The criteria are diverse and there is no common procedure in Europe. Criteria can be regulated as in Germany or the United Kingdom, but more often rules, codes of practice or procedures are in use. The risk acceptance criteria asked about, ALARP and GAME, are quite often in use.

For a comprehensive evaluation of the acceptance, approval and certification processes in Europe refer to [MODSafe D7.1], Chapter 4.


5.1.4 Group 2: Safety Management

Liability

The following question is taken into account, according to Table 5:

Q6: Is liability for safe and orderly operation clearly assigned?

Considering Table 9, liability is most often regulated by acts or decrees / regulations. The responsibility is usually in the hands of the operator / responsible person or infrastructure provider.

Procedures & Processes

The following questions are taken into account, according to Table 5:

Q9: Are there any requirements for safety management for entities involved (operators, maintainers, infrastructure owners, etc)?

Q10: Are there any regulations or guidelines describing generic safety targets for specified applications? If the answer is yes please explain how they are specified.

Q14: Is determination of safety requirements and conducting risk analysis regulated? If yes, explain who is in charge for setting requirements / conducting risk analysis and who is in charge for acceptance of correctly determined safety requirements.

Q17: Are there methods in use (e.g. EN 50126) which are able to ensure system safety performance during the whole system lifecycle?

Considering Table 9, requirements in safety management are often regulated by acts or decrees and regulations. These requirements are assigned to the operator / responsible person and infrastructure provider.

Generic safety targets are commonly in use in most of the European member countries. Differing from country to country, the definition of targets can be found in acts, decrees / regulations, authority guidelines or standards (often CENELEC).

In comparison to generic safety targets, the determination of safety requirements and conduction of risk analyses is less regulated and therefore variegated in procedures. The same can be stated for regulations on describing generic safety targets.

System safety performance during the whole lifecycle is a matter of importance for most countries. The CENELEC standards, especially EN 50126, are commonly in use. Where this standard is not in use, national rules are applied instead.


5.1.5 Group 3: Verification & Validation

The following question is taken into account, according to Table 5:

Q16: Are verification and validation of installed equipment or delivered rolling stock prior to operation regulated; who is in charge for these activities and which kinds of documentation is necessary (e.g. safety case)?

Considering Table 9, the verification & validation of installed equipment or delivered rolling stock prior to operation is only legislatively regulated by a few countries. In case CENELEC is applied, verification & validation activities are required to be performed by the supplier. In multiple cases the Safety Authority, the operator or the ISA require / supervise / assess the supplier’s verification & validation.

5.1.6 Group 4: Installation & Operation

The following questions are taken into account, according to Table 5:

Q15: Is the initiation of a new specific application (e.g. building new line, renovation of signalling system, purchase of rolling stock, setting the requirements) regulated? If yes, explain who is in charge for initiation of the project and who allows the start of this project based on approved requirements.

Q18: Is modification and retrofit of installed equipment or delivered rolling stock after start of operation regulated? If yes, explain who is in charge asking for acceptance for modification / retrofit and who is in charge to supervise these activities.

Q19: Is monitoring safety performance of installed equipment or delivered rolling stock after set in operation regulated? If yes, explain who is in charge for monitoring safety performance and who is in charge to supervise these activities.

Considering Table 9, the regulation of initiation for a new specific application is partly applied. Some countries have respective legislations with decrees / regulations. In general the responsible authority (national or regional) in combination with the operator is in charge of these activities. Modifications and retrofit, as well as monitoring of safety performance of installed equipment or delivered rolling stock, are handled in the same way.

5.2 Coverage of regulation comparison

5.2.1 Ranking of coverage of regulation

This first approach ranks the EU countries according to their complexity of regulation. The results given in Table 3 are summarized and therefore enable a quick quantitative overview. The following Table 11 ranks the countries according to the number of questions answered “yes” in the [MODSafe D6.1] survey. All 19 questions raised are considered for this ranking and equally counted (a few questions are linked pairwise).

The results are ranked in 4 levels (the level borders have been chosen considering that no country has 8 respectively 14 “yes” in the survey questionnaire):

| Regulation | Level | Answer "Yes" |
|---|---|---|
| High | High level of coverage | 19 – 15 |
| Medium | Medium level of coverage | 14 – 9 |
| Low | Low level of coverage | 8 – 1 |
| | No coverage / Not considered | - |

Table 10: Ranking of regulation coverage – Level definitions

This list implies that every question answered with “yes”, reflects an effort for / in the regulation process and therefore can be seen as an indicator for the complexity or level of regulation. It is important to notice, that this list is not representative for the quality or efficiency of a regulation process!

A highly regulated process indicates e.g. a comparably high:

• Complexity

• Respect of safety issues

• Demand on safety issues

• Level of administrative work

• Level of experience

• Investment / costs

Other reasons for a high regulation could be:

• History of accidents → public pressure

• First system, therefore knowledge transfer and need for new procedures

The premise of this listing is that the more effort is put into the regulation (questions answered with “yes”), the safer is the output. On a general level this holds true and is partly reversible, but it is no guarantee. This comparison does not compare the achieved level of safety with the level / amount of regulation.

Concerning these factors the demand on safety is the issue of consideration. The reasons for the different treatments of the EU countries on the Safety Lifecycle are varied and are not topic of this discussion. Nevertheless there is an effort to find reasons for these different approaches in the Sub-clauses 5.2.2 and 5.2.3.

Table 11: Ranking of the regulation coverage


The following Figure 4 shows the ranking mapped to the European mainland.

Figure 4: Results of the ranking mapped to the European mainland


5.2.2 Network overview

The level of regulation has been compared with data related to the network overview. The following data is compared:

• No. of tram / light rail and metro networks

• No. of lines

• Network extent (km)

• GOA (Grade of Automation)

A country with a lot of experience in passenger service (trams, light rails and metros) and highly advanced systems (GOA) might have a higher complexity of regulation. Therefore the level of regulation complexity is compared with this data.

Table 12: Network overview opposed to level of regulation coverage

Source: UITP 2010

*Total length of network (in km) resulting from the addition of every section on which only one line is operated and of every section (if any) on which several lines are operated.

5.2.3 National facts

The results of the ranking will be also matched to some national facts. The short overview of Table 13 gives an impression, whether and how the complexity of regulation could be influ-enced by national economics or other factors. It has to be noticed, that this list is just an in-dicative collection of data, nevertheless this table can provide information on a possible con-nection of level of complexity to:

• GDP (Gross Domestic Product) • Population • Total area

The idea is that countries with a high GDP might have a more complex hierarchy or spend more effort on a highly complex / regulated process. On the same hand the size of the coun-tries (population or total area) might influence this process as well, due to higher / lower revenue service.

Table 13: National facts opposed to the level of regulation coverage

* Provisional value

# rounded off with exact numbers

1 http://epp.eurostat.ec.europa.eu (GDP per capita in Purchasing Power Standards (PPS), based on 2010 (relative to the European average EU-27 = 100)).

2, 3 http://europa.eu/abc/european_countries/eu_members/index_en.htm

5.2.4 Discussion of results

Regulation coverage

According to the results of Table 11, the EU countries with the highest effort on safety regulation are the Czech Republic, followed by the Netherlands, Sweden, France and Germany.

The results mapped in Figure 4 give no unambiguous indication of a pattern. On a superficial level, the states in northern and middle Europe have a comparably high coverage of regulation (regulation “high” and “medium”), compared to the states in eastern or southern Europe (regulation “medium” and “lower”).

It is important to note that Table 11 does not necessarily reflect the effective level of safety or the sophistication of a procedure.

Experience

Countries with “high” regulation have, compared with “medium” and “low”, more experience in terms of number of systems, mileage and automation. Spain, with a lot of experience in revenue service, is an exception, ranked as “low”.

It seems plausible that the experience gained in the revenue service and the high complexity of the systems (in number and / or size) leads to a higher coverage of regulation.

National facts

Taking the “GDP”, “population” and “total area” into account, mapped to the complexity of regulation, the following can be noted:

• GDP: For all countries ranked on level “A”, the GDP is clearly over 100 (Czech Republic as exception), whereas the GDPs of countries ranked on the levels “B”, “C” or “D” are incommensurable. From this point of view there is not necessarily coherence between the GDP and the regulation coverage.

• Population: No relation between the size of the population and the ranking seems to exist. Throughout all levels of regulation complexity, the population size varies and no coherence could be revealed.

• Total area: No relation between the size of a country and the regulation seems to exist. Throughout all levels of regulation coverage the sizes vary.

5.3 Aspect comparison

5.3.1 Grade of Automation

One distinction of metro / light rail / tram systems is the Grade of Automation (GOA) as defined in [MODUrban D80] and shown in the following table.

Table 14: Grades of Automation (refer to [MODUrban D80], Table 1)

Historically, VAL (the acronym stands for Villeneuve-d’Ascq-Lille) was the first project of automated urban guided transport system in the world. Lille’s first underground metro line is based on the VAL (Automated Light Vehicle) system. The project started in 1971 and was conceived by the University of Lille, further designed and developed by Matra Transport (now Siemens Transportation System) and inaugurated in Lille in 1983.

The VAL was adopted in other cities: it is already in operation in Toulouse, Rennes, Paris-Orly, Paris-Charles de Gaulle Airport, Turin and other applications outside of Europe.

Today, unattended / driverless underground metro systems are known for example from Germany (Nürnberg), Denmark (Copenhagen), France (Paris, Lille, Rennes, Toulouse, Roissy, Orly, Lyon), Italy (Turin) or Spain (Barcelona). As shown before, these countries do not necessarily have comparably complex life cycle approval systems, as a simple comparison of Germany and Denmark shows.

It goes without saying that an unattended / driverless underground metro system has more safety scenarios to be considered than a tram with a driver – both in quantity and complexity.

Consequently, it could be assumed that the higher the Grade of Automation, the higher the life cycle regulation / the life cycle effort required for approval.

This, however, does not necessarily mean that the legal basis and the life cycle approval process as such are different. In fact, the number and complexity of safety scenarios to be considered can differ while still being based on the same legal basis and following, in principle, the same life cycle approval process.

For a list of unattended / driverless systems refer to Table 12.

5.3.2 Cross-acceptance of products and sub-systems

Driven by the industry’s attempt to effectively re-use products and sub-systems already used elsewhere and also driven by the employer’s attempt to buy safe and reliable products and systems, the application of cross-acceptance is more and more in the focus.

Cross-acceptance means to accept a product or a sub-system already used and certified / approved elsewhere without a complete re-evaluation / re-assessment / re-certification / re-approval thereof. Cross-acceptance is consequently to be considered at first on the Approval Authority’s side in terms of defining the criteria to be applied and secondly on the supplier’s side in terms of demonstrating appropriateness.

It goes without saying that cross-acceptance of course does not apply to entire Urban Guided Transport systems since each system has its own characteristics and no system is totally equal to another one. Cross-acceptance therefore naturally applies on product and sub-system level.

[TR 50506-1], the application guide for EN 50129 for cross-acceptance, provides criteria and lists aspects to be considered for cross-acceptance. “A structured and risk based framework for cross-acceptance of product, system or process is developed in this guidance comprising seven core principles. The principles are universal and are particularly pertinent to safety critical systems where no systematic and efficient framework for their adoption and application in new applications or environments exists.” (Refer to Sub-clause 4.4 of the application guide)

The core principles for cross-acceptance as per [TR 50506-1]:

• Establish a credible case for the native (baseline) application

• Specify the target environment and application

• Identify the key differences between the target and native cases

• Specify the technical, operational and procedural adaptations required to cater for the differences

• Assess the risks arising from the differences

• Produce a credible case for the adaptations adequately controlling the risks arising from the differences

• Develop a generic or specific cross-acceptance case

In addition, Approval Authorities may introduce their own (additional) criteria, for example for the qualification of Independent Safety Assessors who shall assess the cross-acceptance appropriateness.

Before cross-acceptance is applied, the pre-certifying body’s competence and accreditation shall be checked (criteria derived from guidelines and recommendations).

Furthermore, the following criteria (guide) apply for the cross-acceptance of the pre-certifying body’s safety report (on the safety case of the product to be cross-accepted):

• the product subject to the assessment is well defined (description, documents, software configuration, …);

• the standards or other normative documents used to establish the results of safety assessment are well defined and appropriate;

• the methodology (review of documents, audit, testing, modelling, simulations, combinations of methods, …) used by safety assessors is well defined and appropriate;

• the limits of validity of the safety assessment result are well defined;

• the standards, methods, conditions, limitations and restrictions are also applicable for the particular situation for which cross-acceptance is desired.

If the Approval Authority is not satisfied due to any lack of evidence and / or lack of documentation and / or any criteria non-compliance, the supplier shall introduce a plan on how to close the delta. Furthermore, an Independent Safety Assessor can support by providing the respective delta services for achieving the necessary generic product / generic application approval as the basis for cross-acceptance.

Cross-acceptance application is known from Germany, France, Denmark, Italy, and Greece and to some extent also from other countries. On a case-by-case basis, the decision on the application of cross-acceptance has been made due to supplier-provided evidence from previous projects elsewhere or because the Approval Authority and / or a tender has asked for it.

The following examples were taken from individual MODSafe working group members’ in-house knowledge; they do not claim completeness throughout Europe.

Examples are:

• Germany: Cross-acceptance is usually practiced in all fields of Urban Guided Transport. The basis for cross-acceptance is the approval of a specified generic product (e.g. a point machine, a type of track circuit, a core computer for a train control and protection system) as well as of generic applications (e.g. interlocking with identical software for a cluster of specified applications) by an assessment report of an acknowledged assessor. It is the responsibility of the supervisory body or the assessor in charge of approval of a specific application to check that the implemented generic products or applications accord with the granted approvals. Only new and additional functionality as well as the site specific implementation is subject to the approval of a specific application (the terms generic product, generic application, specific application are used in accordance with TR SIG ZA based on EN 50129).

o Example 1: Siemens has used their acknowledged company-own “Prüfleitstelle” for the base assessment of their new product TrainguardMT. This has been cross-accepted for specific applications, where the assessor concentrated on the assessment of the appropriate implementation of the safety related application conditions. Such granted approvals are recognized as valid not only inside Germany.

o Example 2: The generic interlocking application SICAS as well as SICAS S7 is reused throughout Europe and in the rest of the world based on generic approval certificates.

o Example 3: The generic interlocking application platform CIXL from Alstom has been assessed by praxis. This has been cross-accepted for specific applications, where the assessor concentrated on the assessment of the appropriate implementation of the safety related application conditions.

• Greece: In the Thessaloniki Metro case - a project currently still in the construction phase - the supplier and partly the equipment under installation are the same as known from the Copenhagen Metro. The Greek Authority (here Attiko Metro) agreed to trust Independent Safety Assessor reports, which confirm that selected products / equipment foreseen for the Thessaloniki Metro are exactly the same as used in the Copenhagen Metro and that the generic application conditions are the same. Of course, the specific Thessaloniki application conditions are subject to safety assessment, but the underlying generic application product / equipment assessment results / certification / Authority approval can be re-used in Thessaloniki and is cross-accepted by Attiko Metro.

• France, Italy and outside Europe: The VAL was adopted from the first Lille application to other cities such as Toulouse, Rennes, Paris-Orly, Paris-Charles de Gaulle Airport, Torino and further applications outside of Europe. The same technologies of the vehicle and other sub-systems were used and cross-acceptance was applied to some extent.

• Italy: Automatic Train Control systems are currently being installed in Brescia, Roma and Milan by the same supplier as known from the Copenhagen Metro, also the Independent Safety Assessor is the same. The local authorities – the respective commissione di sicurezza – agreed to cross-accept Assessor Reports and related product / equipment approval from the Copenhagen Metro case. Cross-acceptance may also apply between Brescia, Roma and Milan – depending on the sequence of local acceptance and approval. This applies on the generic application; in any case the specific application is / will be subject to Independent Safety Assessment and Authority Approval. This cross-acceptance process avoids a repetition of work already done to the benefit of all parties involved.

• Sweden: The Swedish Railway Authority (the rail division within Trafikstyrelsen) introduces in their approval procedure JvSFS 2006:1 and the related guide a simplified approval for vehicles, where the applicant can make a “Reference to a previously announced approval that the applicant wishes to invoke.” This comes along with a request for a risk analysis which describes in particular any technical differences compared with solutions previously approved.

• United Kingdom: LU has adopted the “Application Guide for EN50129 – Part 1” (refer to [TR 50506-1]) which details cross-acceptance processes for equipment. London Underground have recently cross-accepted a track circuit system from the main-line railway for their metro system using the cross-acceptance process as per the above guide adoption.

5.3.3 ISA tasks

Historically, individuals being recognized as safety experts, and organisations being recognized as competent bodies, were used to review / to argue on specific safety issues – based on local / national specific rules and regulations and standards, if any.

Independent Safety Assessors in the sense of third party organisations with respective accreditations in place and with a specified scope of work were more and more required after the CENELEC railway application standards were introduced in the late 1990’s.

The ISA’s scope of work mainly depends on project specifics and / or the Authority’s requirements and / or the employer’s requirements.

As a general rule it can be stated that whenever an ISA was required, the ISA’s scope covered at least the signalling system / the ATP system. System level aspects, Rolling Stock or other technical sub-systems were not necessarily in the scope of work, but were decided per project.

5.3.4 Distinction of the systems

In general terms, a distinction in the treatment of the systems is applied. Considering Q7, differences are applied in half of the countries, depending upon the nature of the system and in particular between tram and metro. Countries such as Hungary, the Netherlands, Poland or the United Kingdom additionally have different processes or underlying rules.

In case of distinction, the safety requirements on metros are usually higher or the processes are more extensive, due to higher:

• Speed,

• Passenger load or

• Grade of Automation (GOA)

A legal basis exists for metros in most countries, whereas the situation for light rail / trams is not that regulated. The reasons for these different treatments are diverse and vary from country to country. In Greece, where the operator is in charge, each operator follows different strategies. The same underlying law but different regulations distinguish the systems in the Netherlands; in the United Kingdom, the ROGS regulations only partly apply to light rails / trams. Hungary assigns trams / light rails as street vehicles, whereas metros are considered to be railway systems.

5.3.5 Handling of sub-systems

In general, the Automatic Train Control (respectively the safety related part thereof, the Automatic Train Protection system) and Rolling Stock are considered the most safety related sub-systems of a metro / light rail / tram. This can be concluded when analysing the number and complexity of available rules, regulations and standards applied throughout Europe.

Automatic Train Control

Multiple European Member states either apply historically driven rules and regulations for Automatic Train Control Systems or apply the CENELEC railway application standards EN 50128 / EN 50129 or even a mixture of both. Examples are:

• The French approval process is based on the GAME principle, requires the involvement of independent third parties (EOQA), the demonstration of safety cases (DDS) etc., thereby following the basic life cycle elements of the CENELEC standards. This process is applied for ATC systems, even if not explicitly specified for ATC systems as such. For further details refer to [Case Study FR].

• The German TR SIG ZA, which stands for approval of Signalling and Train Control and Protection Systems according to BOStrab, was developed in order to implement the use of the standards EN 50128 / EN 50129, with reference to the German legislation (e.g. regarding the risk acceptance criteria and responsibilities of involved parties). For the description of how the system approval and acceptance procedure shall be conducted, TR SIG ZA strictly follows the life cycle concept mentioned in EN 50126. For further details refer to [Case Study GER].

• The UK LU Standard 1-538 Assurance defines a risk based assurance, four assurance gates aligned with EN 50126 and respective verification activities, also applying to LU and its suppliers and infrastructure maintenance companies. This approval process has been applied for the Jubilee Line re-signalling project, where a Transmission Based Train Control system was introduced. For further details refer to [Case Study UK].

• The Hungarian approval process is a staged process covering safety requirements, safety cases, independent experts / ISA’s etc. following basic life cycle elements of the CENELEC standards. This process is applied for ATC systems, even if not explicitly specified for ATC systems and not fully regulated. For further details refer to [Case Study HU].

• In Denmark, the CENELEC standards are applied, above all for ATC systems, since this concept was applied from the very beginning for the first metro installed. The approval process for ATC systems accompanies the CENELEC life cycle step by step.

In conclusion it can be stated that the CENELEC standards EN 50126 / EN 50128 / EN 50129 (at least their basic elements) already are, or tend to become, the backbone for approval of Automatic Train Control systems in multiple European Member states. These standards are an integral part of the (different) national approval processes.

Rolling Stock

For Rolling Stock, the situation is slightly different. This is mainly driven by the fact that the CENELEC standards EN 50128 and EN 50129 were originally considered for safety related train protection systems / functions and not for Rolling Stock, while EN 50126 covers the entire railway system life cycle (and thereby to some extent includes Rolling Stock).

Historically driven, national rules and regulations cover requirements for Rolling Stock, for example the German BOStrab, introducing multiple design requirements, functional and operational requirements (e.g. on dimensions, brakes, running gear, traction, doors, etc.). Germany furthermore has multiple VDV papers recognized as proven rules of technology, also introducing requirements on Rolling Stock.

Common to all these rules and regulations is that they mainly introduce design requirements, functional or operational. Process requirements in terms of life cycle requirements are usually not part thereof.

In conclusion it can be stated that the various rules and regulations can be considered as a source for requirements, consequently feeding the life cycle phase “Requirements Specification” when considering the EN 50126 life cycle.

In the meantime, the safety case concept has also been increasingly used for Rolling Stock. The argument that the safety case shall only apply to signalling systems due to the title of EN 50129 has been overcome by the benefits of using the safety case documentation structure as an appropriate safety evidence documentation structure. This also fits into overall light rail / metro / tram system safety evidence concepts when using the Rolling Stock safety case as a related safety case towards the system level.

This has also led to more and more application of the hazard and risk processes for Rolling Stock, since functionality becomes more and more complex due to the increasing number of software driven systems and interfaces within the vehicle.

Finally it can be concluded that the Rolling Stock functional hazard and risk analysis, requirements specification and safety evidence using the principle safety case structure fit well into the life cycle concept of EN 50126, still using the proven rules and regulations as a source of (further) requirements.

5.4 Compliance to CENELEC Life Cycle comparison

Introduction

All questions of the survey are related to the safety of a system. The compliance to the lifecycle, as it is promoted in [CENELEC], e.g. EN 50126, is checked. “This standard acknowledges the balance between the RAMS performance of a system and the costs of development and ownership of the system, known as lifecycle costs” (EN 50126).

The 14 steps of the Life Cycle (LC) (see figure below) are grouped and the questions are matched accordingly. The 19 questions refer to the CENELEC LC either directly or indirectly.

Figure 5: Safety Lifecycle e.g. for a system (EN 50126, Figure 8)

The activity comparison in Sub-clause 5.1 delivers, due to its categorisation, detailed information on the safety related procedures of the countries. The coverage of regulation as discussed in Sub-clause 5.2 gives an overview of the coverage of safety activities (concerning the chosen questions). With this information, the differences and similarities in the compliance of the member states to the CENELEC LC groups can be checked and compared easily with Table 17. In this way it can be found out whether and in which way the member countries (already) apply that existing cycle. The questions 9 and 17 refer to the LC directly, either in terms of requirements for safety management or safety performance during the whole Life Cycle.

5.4.1 Grouping of Lifecycle steps and questions

The table below gives an overview of the safety LC groups and their related 14 steps, as well as the questions. Based on this table, the answers and explanations are matched to the related groups and therefore the compliance is comprehensible, not only in a quantitative but also in a qualitative manner.

Table 15: Safety Lifecycle steps matched to questions

The following abbreviations are in use for Table 17: Compliance to CENELEC LC.

Abbreviation | Definition
Act | Act, Law
Dec | Decree, Regulation
NAu | National Authority / Government / Safety Regulatory Authority
RAu / Cit | Regional Authority / Government / Safety Regulatory Authority
CEN / NSt | CENELEC / National Standards
Rul | Rules, Code of practices, Procedures
Ope / IPr / RPe | Operator / Infrastructure Provider / Responsible Person
ISA | Independent Safety Assessor
TPa | Third Party, Independent Expert
Oth | Others / Various

Table 16: Abbreviations for categorisation of explanations

5.4.2 Compliance check

Table 17: Compliance to CENELEC LC

The following Table 18 summarises the results of the compliance check of Table 17 above. The results are summarised according to the established coverage of regulation “high”, “medium” and “low”. Every possible answer is counted. The number on the left side is the actual number of positive / negative answers, whereas the number on the right displays the total number of answers, related to the regulation and group. It has to be noted that procedures which are in place but not regulated are not considered here.

Table 18: Summarised results of the compliance check

5.4.3 Discussion of results

The matching of the questions to the LC groups gives a trend on the compliance and helps to identify differences and similarities in the general procedure. Considering the results of Table 17 and Table 18, the following can be stated:

The compliance to the three groups “System Conception & Specification”, “Installation & Manufacturing” and “Maintenance & Operation” is nearly equal and alternates between 62% and 66%. The compliance to the group “Design & Manufacturing” is relatively high, at 80%. Through all levels of regulation the processes related to “Design & Manufacturing” seem to be regarded as highly relevant.

System Conception & Specification

More than half of the member states have processes ongoing which are compliant with the above stated CENELEC LC group, as defined in Table 15. It is eye-catching that Q7, the “treatment in terms of methods or requirements for obtaining system approval”, is handled almost evenly in two ways. A distinction in approval processes for light rails or metros is not made in countries with comprehensive network infrastructure, such as France, Germany, Italy or Spain.

Design & Manufacturing

In the second LC group, the compliance of all levels of regulation is comparably high. 80% of all questions were answered positively, which indicates a high coverage of actions and processes related to the single phases in “Design & Manufacturing”, throughout all countries.

Installation & Commissioning

In the third LC group, the compliance is at around 66%. “Low” regulated countries barely comply with the single phases of “Installation & Commissioning”. The eye-catching answers to Q13 reveal that monitoring, promotion and development of the safety regulatory framework is limited to countries with a high coverage of regulation.

Maintenance & Operation

The group “Maintenance & Operation” reflects the same compliance as groups one and three. It is important to note that liability is assigned in nearly every country.

5.5 Summarising comparison

This Sub-clause summarises, by way of example and on a superior level, the results of the comparisons as per Sub-clauses 5.1 to 5.4 of the countries under consideration (refer to Sub-clause 3.5).

The approaches and measures taken to put these procedures into practice might deviate. The intention of these procedures is nevertheless the same.

The following aspects are a matter of focus:

• Safety Regulatory Activities & Approval Process

o Legislation

o Safety Regulatory Activities

o Approval Process

• Safety Management

o Liability

o Procedures & Processes

• Verification & Validation

• Installation & Operation

• Network overview

• National facts

• Grade of Automation

• Cross-acceptance of products and sub-systems

• ISA tasks

• Distinction of the systems

• Handling of sub-systems

These aspects have been chosen due to their lifecycle relation or relatively low or high compliance, compared to other aspects under inspection. The following summary aims to distinguish between the differences and similarities per aspect; the conclusions are drawn in Chapter 6.

Safety Regulatory Activities & Approval Process

Safety Regulatory Authorities are in most cases duly appointed on national or regional level. Where no respective authority is in charge, the regional government is in control. A legal basis is mainly given with respective acts and / or decrees; in a few cases the legal basis deviates from that.

The activities of the appointed Safety Regulatory Authority are not uniform. Activities such as delving down into the sub-systems, getting involved in maintenance & operation, and monitoring, promoting and developing the framework are taken into consideration.

• Safety Regulatory Authorities of countries ranked as “high” have applicable procedures in place, deviating in range.

• Countries ranked as “medium” have fewer applicable procedures; the monitoring, promoting and developing of the safety regulatory framework is not applied in a wide range of countries.

Acts and decrees or regulations on national level set functional, technical or operational requirements such as risk acceptance criteria, in order to obtain system approval. In some countries the authorities are involved in setting these requirements. The criteria for risk acceptance are diverse, but mandatory for all countries except a very few. A uniform handling of the differential treatment of the systems (metro or light rail) concerning methods and requirements, as well as of the involvement of the ISA, is not given. The involvement of the ISA regarding the approval processes is partly regulated but handled differently. Despite this regulation the involvement is commonly practised, sometimes on behalf of the appointed authority.

Safety Management

The liability for safe and orderly operation is clearly assigned to the operator, a responsible person or infrastructure provider. The bases of this liability are often acts and decrees; in a very few cases liability is not regulated.

Regarding the safety management procedures, the following trends are given:

• The safety management of the entities involved follows requirements and regulations based on legal decisions or CENELEC.

• Regulations and guidelines for risk acceptance criteria as well as risk analyses are applied and evident, but diverse in countries ranked as “high” and partly in countries ranked as “medium”, while regulations for describing generic safety targets, as well as for conducting risk analyses, are not applicable in the remaining countries.


• Methods for assuring safety performance during the whole system lifecycle are in use and equally distributed, mainly applying the CENELEC standards in countries ranked as “high” and partly in countries ranked as “medium”, while overall coverage on processes & procedures is lower in the remaining countries.

Verification & Validation

Verification & Validation of installed equipment or delivered rolling stock prior to operation is regulated mainly with decrees or CENELEC. In a few cases a regulation is not given, but procedures involving the operator or ISA are in use.

Installation & Operation

Regarding the procedures on installation & operation, the following trends are given:

• Countries ranked as “high” and partly “medium” have respective procedures for Installation & Operation in use. The focus of the other countries is diverse and the procedures vary. In general it can be stated that the operator is very much involved in the respective approaches.

• In multiple countries, regulations concerning the initiation of new specific applications, modification or retrofit of installed equipment or rolling stock, as well as the monitoring of such, are applied. The appointed Safety Regulatory Authority or a decree involves the operator in these activities. The focus differs from country to country; in various cases no uniform approach is evident.

• In a few cases, regulation of procedures for Installation & Operation is not given, but diverse procedures are in use.

Network Overview and National Facts

Comprehensive networks and a long history of light rail or metro service are two factors for growing and complex rules and regulations concerning safety lifecycle approaches. Countries fitting this profile are mainly capable of running automated lines. Examples of such cases are France, Germany or the United Kingdom.

Countries building new systems, without a history of experience, rely on the latest standards and approaches. They are capable of using the latest technology without retrofit or other disturbing factors. The combination of up-to-date processes and technology enables a high GOA. An example of such a system is the metro in Denmark.


Grade of Automation

Automation is generally applied in the following countries: Denmark, France, Germany, Italy and the United Kingdom. More countries, such as Finland, Greece and Hungary, plan automated lines; the process of automation is therefore steadily growing. Regarding the spread of automated lines through Europe, the majority is located in countries ranked as “high” and with comprehensive networks, with Denmark as the exception. France has the highest rate of automated lines in Europe and the most experience in automated services.

Cross-acceptance of products and sub-systems

Cross-acceptance is widely accepted in countries such as Germany, France, Denmark, Greece, Italy, Sweden or the United Kingdom. Examples of successfully transferred products or systems are evident. This trend is steadily increasing and mostly based on the CENELEC standards and their application guide.

ISA tasks

The scope of work of the ISA differs, depending on project specifics or Safety Authority requirements. The minimum coverage applies to signalling systems / ATP systems, whereas additional aspects such as Rolling Stock or other technical sub-systems, or even the entire system (as done in Denmark), can be covered, depending on the project.

Distinction of the systems

A distinction in the treatment of the systems concerning methods or requirements for safety approval is applied in half of the countries. A distinction in approval processes for light rail or metros is not made in countries with comprehensive network infrastructure and a long history of service, such as France, Germany, Italy or Spain. Where the distinction is made, the safety requirements on metros are usually higher, due to higher speed, passenger load or GOA.

Handling of sub-systems

Automated Train Control and Rolling Stock are considered the most safety-related sub-systems. Concerning ATC, the CENELEC Standards seem to be becoming an integral part of the national (different) approval processes. For Rolling Stock, the CENELEC Standards are gaining more influence by introducing the safety case concept as well as the system lifecycle according to EN 50126.


6. Conclusion

The comparison of current safety life cycle approaches of the EU member states was carried out according to MODSafe task 6.2. The conclusion on the differences and similarities in the diverse approaches is mainly based on the comparisons of this report. For details refer to the respective Sub-clauses of Chapter 5.

Most of the EU member states have processes and criteria in place which are applicable to cover lifecycle requirements of the CENELEC standards on a general level.

Analysing these processes shows that heterogeneous approaches exist on more detailed levels. These approaches are diverse in depth and focus, and therefore strengths and weaknesses differ from country to country, depending on multiple factors.

The following bullet points aim to conclude the findings, in order to cover the countries’ approaches on a general level.

Differences

• The involvement of the Safety Regulatory Authority differs in range and depth.

• Risk criteria for obtaining system approval are mandatory, but there is no common or regulated approach, although CENELEC gives guidance.

• Procedures on installation & operation are not uniformly regulated but in practice commonly in use with a different level of operator involvement.

• Light rail, tram or metro systems are not uniformly treated in terms of approval process and requirements.


Similarities

• A legal basis for the Safety Regulatory Authorities is mostly given with acts or decrees / regulations.

• Safety Regulatory Authorities appointed to urban guided transport are commonly in use.

• Liability for safe & orderly operation is mostly dedicated to the operator / responsible person / infrastructure provider.

• The involvement of an Independent Safety Assessor is not uniformly regulated but in practice commonly in use.

• Verification & Validation activities prior to operation are not uniformly regulated but in practice commonly in use; the performance along the lifecycle differs in scope and depth.

• Examples of cross-acceptance at European level are evident. The CENELEC standards and their guidelines contribute to this increasing harmonisation.

• CENELEC Standards are commonly used as guidelines for obtaining system approval.

7. Outlook to D6.3

Most of the EU countries apply processes which are at least tentatively compliant with the CENELEC Lifecycle, deviating in range and depth. Some countries follow CENELEC to ensure system safety performance during the whole lifecycle. An application of the CENELEC procedures is evident and steadily growing.

On the basis of the results of this report (refer to Chapter 5 and Chapter 6), a uniform generic safety lifecycle for urban guided transport systems will be proposed.