Appendix B to Part 236 - Risk Assessment Criteria
49:4.1.1.1.30.11.125.1.65 : Appendix B
Appendix B to Part 236 - Risk Assessment Criteria
The safety-critical performance of each product for which risk
assessment is required under this part must be assessed in
accordance with the following minimum criteria or other criteria if
demonstrated to the Associate Administrator for Safety to be
equally suitable:
(a) How are risk metrics to be expressed? The risk metric
for the proposed product must describe with a high degree of
confidence the accumulated risk of a train control system that
operates over the designated life-cycle of the product. Each risk
metric for the proposed product must be expressed with an upper
bound, as estimated with a sensitivity analysis, and the risk value
selected must be demonstrated to have a high degree of
confidence.
(b) How does the risk assessment handle interaction risks for
interconnected subsystems/components? The risk assessment of
each safety-critical system (product) must account not only for the
risks associated with each subsystem or component, but also for the
risks associated with interactions (interfaces) between such
subsystems.
(c) What is the main principle in computing risk for the
previous and current conditions? The risk for the previous
condition must be computed using the same metrics as for the new
system being proposed. A full risk assessment must consider the
entire railroad environment where the product is being applied, and
show all aspects of the previous condition that are affected by the
installation of the product, considering all faults, operating
errors, exposure scenarios, and consequences that are related as
described in this part. For the full risk assessment, the total
societal cost of the potential numbers of accidents assessed for
both previous and new system conditions must be computed for
comparison. An abbreviated risk assessment must, as a minimum,
clearly compute the MTTHE for all of the hazardous events
identified for both previous and current conditions. The comparison
between MTTHE for both conditions is to determine whether the
product implementation meets the safety criteria as required by
subpart H or subpart I of this part as applicable.
(d) What major system characteristics must be included when
relevant to risk assessment? Each risk calculation must
consider the total signaling and train control system and method of
operation, as subjected to a list of hazards to be mitigated by the
signaling and train control system. The methodology requirements
must include the following major characteristics, when they are
relevant to the product being considered:
(1) Track plan infrastructure, switches, rail crossings at grade
and highway-rail grade crossings as applicable;
(2) Train movement density for freight, work, and passenger
trains where applicable and computed over a time span of not less
than 12 months;
(3) Train movement operational rules, as enforced by the
dispatcher, roadway worker/Employee in Charge, and train crew
behaviors;
(4) Wayside subsystems and components;
(5) Onboard subsystems and components;
(6) Consist contents such as hazardous material, oversize loads;
and
(7) Operating speeds if the provisions of part 236 cite
additional requirements for certain type of train control systems
to be used at such speeds for freight and passenger trains.
(e) What other relevant parameters must be determined for the
subsystems and components? In order to derive the frequency of
hazardous events (or MTTHE) applicable for a product, subsystem or
component included in the risk assessment, the railroad may use
various techniques, such as reliability and availability
calculations for subsystems and components, Fault Tree Analysis
(FTA) of the subsystems, and results of the application of safety
design principles as noted in Appendix C to this part. The MTTHE is
to be derived for both fail-safe and non-fail-safe subsystems or
components. The lower bounds of the MTTF or MTBF determined from
the system sensitivity analysis, which account for all necessary
and well justified assumptions, may be used to represent the
estimate of MTTHE for the associated non-fail-safe subsystem or
component in the risk assessment.
(f) How are processor-based subsystems/components
assessed? (1) An MTTHE value must be calculated for each
processor-based subsystem or component, or both, indicating the
safety-critical behavior of the integrated hardware/software
subsystem or component, or both. The human factor impact must be
included in the assessment, whenever applicable, to provide the
integrated MTTHE value. The MTTHE calculation must consider the
rates of failures caused by permanent, transient, and intermittent
faults accounting for the fault coverage of the integrated
hardware/software subsystem or component, phased-interval
maintenance, and restoration of the detected failures.
(2) Software fault/failure analysis must be based on the
assessment of the design and implementation of all safety-related
software including the application code, its operating/executive
program, COTS software, and associated device drivers, as well as
historical performance data, analytical methods and experimental
safety-critical performance testing performed on the subsystem or
component. The software assessment process must demonstrate through
repeatable predictive results that all software defects have been
identified and corrected by process with a high degree of
confidence.
(g) How are non-processor-based subsystems/components
assessed? (1) The safety-critical behavior of all
non-processor-based components, which are part of a processor-based
system or subsystem, must be quantified with an MTTHE metric. The
MTTHE assessment methodology must consider failures caused by
permanent, transient, and intermittent faults, phase-interval
maintenance and restoration of operation after failures and the
effect of fault coverage of each non-processor-based subsystem or
component.
(2) MTTHE compliance verification and validation must be based
on the assessment of the design for adequacy by a documented
verification and validation process, historical performance data,
analytical methods and experimental safety-critical performance
testing performed on the subsystem or component. The
non-processor-based quantification compliance must be demonstrated
to have a high degree of confidence.
(h) What assumptions must be documented for risk
assessment? (1) The railroad shall document any assumptions
regarding the derivation of risk metrics used. For example, for the
full risk assessment, all assumptions made about each value of the
parameters used in the calculation of total cost of accidents
should be documented. For abbreviated risk assessment, all
assumptions made for MTHHE derivation using existing reliability
and availability data on the current system components should be
documented. The railroad shall document these assumptions in such a
form as to permit later comparisons with in-service experience.
(2) The railroad shall document any assumptions regarding human
performance. The documentation shall be in such a form as to
facilitate later comparisons with in-service experience.
(3) The railroad shall document any assumptions regarding
software defects. These assumptions shall be in a form that permit
the railroad to project the likelihood of detecting an in-service
software defect. These assumptions shall be documented in such a
form as to permit later comparisons with in-service experience.
(4) The railroad shall document all of the identified
safety-critical fault paths to a mishap as predicted by the safety
analysis methodology. The documentation shall be in such a form as
to facilitate later comparisons with in-service faults.
[75 FR 2717, Jan. 15, 2010]