about the infrastructure (e.g. section length, number of trains per hour).
For the duration of the hazard, assumptions have to be made by the user.
All parameters are presented in diagrams that allow for easy reading. The
diagrams make it obvious how a change in a parameter value in either
direction along the axis might influence the result. This helps to assess the
stability of the results of the risk assessment, given that the input values
are usually estimates and some variation is possible.
Parameter classes: The factor between the parameter classes was chosen
to be $\sqrt{10}$. A first choice would have been a factor of 10, because this factor
lies between the safety requirement hazard rates given in e.g. IEC 61508.
However, upon closer inspection it became obvious that a factor of 10 leads to
classes that are too wide for some of the parameters. Therefore, a factor of $\sqrt{10}$
was chosen. As explained earlier, the same factor that lies between the parameter
classes can also be found between the resulting maximum hazard rates.
Calibration: The final risk graph was calibrated using the RAC-TS criteria
given in 352/2009 [9]:
For technical systems where a functional failure has credible direct potential
for a catastrophic consequence, the associated risk does not have to be
reduced further if the rate of that failure is less than or equal to
$10^{-9}$ per operating hour.
Taking into account the guidance given in [10], the given benchmark risk
is valid on the analysis level.
When calibrating, it was decided that the benchmark scenario given with
the EU regulation did not need to be modeled with the most stringent parameter
classes. It is supposed that the scenario given with RAC-TS is best described
by the parameters F5 (catastrophic, most stringent class), C4 (direct
potential, most stringent class), and DE2 (no information given by RAC-TS,
chosen based on typical operational conditions). Therefore, the maximum
safety requirement which can be obtained with the risk graph is not
$10^{-9}$ failures per operating hour, but $10^{-10}$ failures per operating hour¹.
Starting with the benchmark combination, by using factor 10 all other
hazard rates can be calculated. The final risk graph can be seen in figure
3. The risk graph shows the parameter classes of all three parameters and
for each possible combination the resulting hazard rate. Examples for the
application of the risk graph can be found in [4].
5 Conclusion
The presented paper shows the main ideas for a lifecycle-based construction
process of a semi-quantitative risk assessment method. An example of a newly
constructed risk graph, with the reasoning behind its construction process, was
given.
1 It is assumed that failure rate as used in [8] corresponds to hazard rate as used
in the guidelines.