Legal information

Copyright DB Netz AG, licensed under CC-BY SA 3.0 DE (see full text in CC-BY-SA-3.0-DE)

ARCH.069 Add system level risk measures

Ticket SM-2811: Populate Confluence page for activity definition: ARCH.069 Add system level risk measure (status: IN PEER REVIEW)

Goal

Add system functionality to lower the probability of a related operational level deviation occurrence.

Requirements met by this process step

EN 50126-1 6.4.3.1, 6.4.3.2

ISO 15288 6.4.3.3 d)

Inputs

AMOD-004 Fault tree (per operational deviation)

AMOD-059 Initial system functional chain description

AMOD-115 External interface behaviour

AMOD-056 System functions and exchanges (single system capability)

Outputs

AMOD-056 System functions and exchanges (single system capability) (updated)

AMOD-004 Fault tree (per operational deviation) (updated)

Methodology


The following prerequisite activities have been completed in ARCH.066 and ARCH.067:

  • The fault tree has been populated to show the system level deviation probabilities and the resulting operational deviation probability.
  • System level deviations of external incoming functional exchanges have been assessed and are reflected in the fault tree.


After the assessment of the system level deviations of incoming functional exchanges has been reflected in the fault tree, and the result is that the related operational deviation probability is exceeded, this activity is carried out to add additional safety measures, i.e. to add system functions and functional exchanges that compensate where incoming functional exchanges are of lower safety integrity than needed:

  • Define new system functions and functional exchanges in relation to the functional exchanges of insufficient safety integrity, e.g. error checking, verification, backup functionality as redundancy or arbiter functionality that allows validation of incoming functional exchanges.

Example: If the functionality for visual object recognition in a train unit is of insufficient safety integrity, the functionality for visual object recognition in another train unit can be used to produce a validated object recognition result of higher safety integrity.

  • Assess the possible deviations of the new functional exchange (Control action deviation category, probability)
  • Update the fault tree by adding the newly defined system level deviations and by defining their logical combination with the other system level deviations that cause the same operational deviation.
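The fault tree update in the last step, as an added worked example that is not part of this activity definition: a small fault-tree evaluator (assumed independent basic events; all event names, gate structure and probabilities are constructed for illustration and not taken from AMOD-004) showing how the arbiter measure from the object recognition example turns the single insufficient exchange under an OR gate into an AND of two recognitions, and whether the resulting operational deviation probability meets its target.

```python
from dataclasses import dataclass, field
from functools import reduce

@dataclass
class BasicEvent:
    """System level deviation with its occurrence probability (assumed independent)."""
    name: str
    probability: float

@dataclass
class Gate:
    """Logical combination of inputs: 'or' = any input causes the output,
    'and' = all inputs must occur (e.g. a redundancy or arbiter measure)."""
    kind: str
    inputs: list = field(default_factory=list)

def probability(node) -> float:
    """Top-event probability of a fault tree, assuming independent basic events."""
    if isinstance(node, BasicEvent):
        return node.probability
    ps = [probability(n) for n in node.inputs]
    if node.kind == "and":
        return reduce(lambda a, b: a * b, ps, 1.0)
    if node.kind == "or":
        return 1.0 - reduce(lambda a, b: a * (1.0 - b), ps, 1.0)
    raise ValueError(f"unknown gate kind: {node.kind}")

def meets_target(tree, target: float) -> bool:
    """Completion check: operational deviation probability within the allowed value."""
    return probability(tree) <= target

# Constructed scenario (values are illustrative, not from AMOD-004): the operational
# deviation "obstacle not detected" occurs if the brake command fails OR the incoming
# object recognition result from the own train unit is wrong.
TARGET = 1e-7
brake_cmd_fail = BasicEvent("brake command not issued", 1e-8)
recog_unit_a = BasicEvent("wrong object recognition, own train unit", 1e-5)
before = Gate("or", [brake_cmd_fail, recog_unit_a])

# Risk measure: an arbiter function forwards a recognition result only when the other
# train unit's recognition confirms it, so both results must be wrong (AND gate).
recog_unit_b = BasicEvent("wrong object recognition, other train unit", 1e-5)
validated = Gate("and", [recog_unit_a, recog_unit_b])
after = Gate("or", [brake_cmd_fail, validated])

if __name__ == "__main__":
    for label, tree in (("before measure", before), ("after measure", after)):
        print(f"{label}: {probability(tree):.3e}  meets target {TARGET:.0e}: {meets_target(tree, TARGET)}")
```

The AND reduction only holds if the two recognitions fail independently; a shared sensor type or environmental condition (common cause) has to be modelled as its own basic event under the OR gate, otherwise the fault tree overstates the effect of the measure.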


Tools and non-human resources

Team for Capella

(tbd: possibly a further tool or plugin for modelling fault trees; ticketed as SET-183)

Cardinality

Once, with allowed revisions after changes in the operational level risk model or the system function definitions

Completion criteria

All needs for additional safety measures (as per ARCH.068) have been addressed, their deviations have been assessed and documented in the fault tree, and these measures can be proven effective via means like the fault tree.

Design review

ARCH.R.3 System capability review

ARCH.R.4 System review - consolidated

Step done by (Responsible)

System architect

Provides input to/assists (Contributes)

RAMS architect

Security architect

Uses outputs (Informed)

None identified.