EN 50126-2: Europe’s Cornerstone for Railway Safety
Ensure railway safety with EN 50126-2. This standard details a systematic lifecycle for hazard analysis, risk assessment, and creating the essential Safety Case for compliant railway systems.

Understanding EN 50126-2: A Systems Approach to Railway Safety
EN 50126-2 is a European standard that specifies the safety-related aspects of the RAMS (Reliability, Availability, Maintainability, and Safety) lifecycle for railway applications. While its companion standard, EN 50126-1, provides the overall framework for RAMS management, EN 50126-2 focuses exclusively on the systematic process for managing and demonstrating safety, ensuring that railway systems are free from unacceptable risk throughout their entire lifecycle.
This standard provides a rigorous, evidence-based methodology for specifying safety requirements, identifying hazards, assessing risks, and implementing control measures. It is fundamental for any organization involved in the design, development, installation, operation, and maintenance of safety-critical railway systems, from signalling and control to rolling stock and infrastructure.
Core Principles of EN 50126-2
The standard is built upon several core principles that guide the safety engineering process. These principles ensure a structured, traceable, and verifiable approach to achieving safety.
The Safety Lifecycle
EN 50126-2 defines a comprehensive Safety Lifecycle, which is a sequence of phases and activities that spans from the initial concept of a system to its final decommissioning. This lifecycle model ensures that safety is considered at every stage and is not merely an afterthought. The key phases include concept definition, risk analysis, requirements apportionment, design, implementation, verification, validation, and operation.
Top-Down Systems Approach
The standard mandates a top-down approach, often visualized using the V-model. This process begins at the highest system level with the definition of safety functions and requirements. These requirements are then progressively broken down and allocated to subsystems and components. The right side of the V-model represents the integration and validation process, where components are tested and integrated back into the complete system, verifying that the safety requirements defined on the left side have been met at each level.
Hazard Analysis and Risk Assessment
A central activity within the EN 50126-2 framework is the continuous process of Hazard Analysis and Risk Assessment. This involves:
- Hazard Identification: Systematically identifying potential sources of harm (hazards) under all foreseeable operating conditions and failure modes.
- Risk Analysis: Determining the frequency and severity of potential accidents arising from the identified hazards.
- Risk Evaluation: Comparing the assessed risk against predefined risk acceptance criteria to determine if the risk is tolerable.
Common techniques used include HAZOP (Hazard and Operability Study), FMEA (Failure Modes and Effects Analysis), and FTA (Fault Tree Analysis).
The Safety Case
A critical output of the EN 50126-2 process is the Safety Case. The Safety Case is a structured, comprehensive, and defensible argument, supported by evidence, that a system is acceptably safe for its intended application. It serves as the primary document to demonstrate compliance with safety requirements to railway authorities, operators, and other stakeholders.
The EN 50126-2 Safety Lifecycle in Detail
The standard outlines a detailed lifecycle with specific objectives and deliverables for each phase.
Phase 1: Concept and System Definition
This initial phase involves defining the system’s mission, functions, boundaries, and its operational environment. The fundamental safety goals and the overall System Safety Plan are established here.
Phase 2: Hazard Analysis and Risk Assessment
This iterative phase runs parallel to the system development. A preliminary hazard analysis is conducted early on, and it is continuously updated as the system design evolves. Risks are identified and assessed, leading to the creation and maintenance of a Hazard Log, which tracks all identified hazards, their associated risks, and the status of mitigation measures.
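As an added illustration of the risk evaluation step described under Hazard Analysis and Risk Assessment and of the Hazard Log described in this phase (example code written for this page, not material from EN 50126-2 or any project), the following Python models a frequency/severity risk matrix and a log that tracks each hazard's mitigation status. The category names, the matrix cells, the acceptance rules and the sample hazards are all constructed assumptions for the example; the standard's own tables and criteria must be taken from the standard itself.

```python
"""Constructed illustration of risk evaluation and a Hazard Log.
Category names, matrix cells and acceptance rules are assumptions for
this example, not the tables of EN 50126-2."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Frequency(IntEnum):      # assumed ordinal scale, most to least likely
    FREQUENT = 5
    PROBABLE = 4
    OCCASIONAL = 3
    REMOTE = 2
    IMPROBABLE = 1


class Severity(IntEnum):       # assumed ordinal scale, least to most severe
    INSIGNIFICANT = 1
    MARGINAL = 2
    CRITICAL = 3
    CATASTROPHIC = 4


# Constructed risk acceptance matrix: row = frequency, columns in ascending
# Severity order (INSIGNIFICANT, MARGINAL, CRITICAL, CATASTROPHIC).
RISK_MATRIX = {
    Frequency.FREQUENT:   ["UNDESIRABLE", "INTOLERABLE", "INTOLERABLE", "INTOLERABLE"],
    Frequency.PROBABLE:   ["TOLERABLE",   "UNDESIRABLE", "INTOLERABLE", "INTOLERABLE"],
    Frequency.OCCASIONAL: ["TOLERABLE",   "UNDESIRABLE", "UNDESIRABLE", "INTOLERABLE"],
    Frequency.REMOTE:     ["NEGLIGIBLE",  "TOLERABLE",   "UNDESIRABLE", "UNDESIRABLE"],
    Frequency.IMPROBABLE: ["NEGLIGIBLE",  "NEGLIGIBLE",  "TOLERABLE",   "TOLERABLE"],
}


def evaluate_risk(frequency: Frequency, severity: Severity) -> str:
    """Risk evaluation: compare the assessed (frequency, severity) pair
    against the acceptance matrix and return the resulting risk class."""
    return RISK_MATRIX[frequency][severity - 1]


@dataclass
class Hazard:
    hazard_id: str
    description: str
    frequency: Frequency                  # assessed before any mitigation
    severity: Severity
    mitigation: Optional[str] = None
    mitigation_status: str = "open"       # open -> implemented -> verified
    residual_frequency: Optional[Frequency] = None
    residual_severity: Optional[Severity] = None
    accepted_by: Optional[str] = None     # sign-off for UNDESIRABLE residual risk

    def effective_risk(self) -> str:
        # Credit for a mitigation is taken only once it has been verified;
        # an implemented-but-unverified measure leaves the initial risk in force.
        if self.mitigation_status == "verified" and self.residual_frequency is not None:
            return evaluate_risk(self.residual_frequency,
                                 self.residual_severity or self.severity)
        return evaluate_risk(self.frequency, self.severity)


class HazardLog:
    def __init__(self) -> None:
        self.hazards: List[Hazard] = []

    def add(self, hazard: Hazard) -> None:
        # Hazard identifiers must stay unique so traceability is unambiguous.
        if any(h.hazard_id == hazard.hazard_id for h in self.hazards):
            raise ValueError(f"duplicate hazard id {hazard.hazard_id}")
        self.hazards.append(hazard)

    def acceptance_blockers(self) -> List[str]:
        """Assumed acceptance rule: INTOLERABLE effective risk always blocks;
        UNDESIRABLE blocks unless someone has explicitly accepted it."""
        blockers = []
        for h in self.hazards:
            risk = h.effective_risk()
            if risk == "INTOLERABLE" or (risk == "UNDESIRABLE" and h.accepted_by is None):
                blockers.append(h.hazard_id)
        return blockers


def build_sample_log() -> HazardLog:
    """Constructed sample entries, not taken from any real project."""
    log = HazardLog()
    log.add(Hazard("H-001", "Proceed aspect shown while track section occupied",
                   Frequency.OCCASIONAL, Severity.CATASTROPHIC,
                   mitigation="Interlocking checks track occupancy before clearing signal",
                   mitigation_status="verified",
                   residual_frequency=Frequency.IMPROBABLE))
    log.add(Hazard("H-002", "Passenger door opens while train is moving",
                   Frequency.PROBABLE, Severity.CRITICAL,
                   mitigation="Door release interlocked with zero-speed detection",
                   mitigation_status="implemented"))    # not yet verified: no credit
    log.add(Hazard("H-003", "Platform indicator shows stale departure time",
                   Frequency.PROBABLE, Severity.INSIGNIFICANT))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for h in log.hazards:
        print(h.hazard_id, h.effective_risk(), h.mitigation_status)
    print("acceptance blockers:", log.acceptance_blockers())
```

The design choice worth noting is in `effective_risk`: the log gives no credit for a mitigation until its status is `verified`, so H-002 still reports its initial, unmitigated risk class even though a measure has been implemented. That mirrors the point made under Verification and Validation that a control counts only once evidence shows it works, and it is what keeps the Hazard Log honest as the input to the Safety Case.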
Phase 3: Safety Requirements Specification
Based on the risk assessment, specific Safety Requirements are derived. These requirements define the necessary safety functions and the required level of performance to control the identified risks. This is where Safety Integrity Levels (SILs) are often assigned to safety functions, quantifying the necessary risk reduction.
Phase 4 & 5: Apportionment and Design/Implementation
The overall system safety requirements are allocated (apportioned) to subsystems (e.g., hardware, software, human operators). The design and implementation phase then creates the system according to these allocated requirements, incorporating safety principles like fail-safety, redundancy, and diversity.
Phase 6 & 7: Verification and Validation
Verification ensures that the system was built correctly (i.e., it meets the specified safety requirements). Validation ensures that the correct system was built (i.e., it is safe for its intended operational environment). This involves extensive testing, analysis, and reviews at every level of integration.
Phase 8: System Acceptance and Operation
Before entering service, a formal safety acceptance process is conducted, primarily based on the evidence presented in the Safety Case. Once in operation, safety performance is monitored, and any incidents or changes are managed through a defined process to ensure safety is maintained throughout the operational life of the system.
Comparison: EN 50126-1 vs. EN 50126-2
While intricately linked, the two parts of the standard have distinct focuses. Part 1 establishes the “what” and “why” for RAMS as a whole, while Part 2 details the “how” specifically for safety.
| Aspect | EN 50126-1: RAMS Management | EN 50126-2: Systems Approach to Safety |
|---|---|---|
| Primary Focus | Provides the overall management framework for Reliability, Availability, Maintainability, and Safety (RAMS). | Provides a detailed, prescriptive process specifically for demonstrating and managing Safety. |
| Scope | Holistic, covering all four elements of RAMS and their interplay throughout the lifecycle. | Deep-dive into the “S” (Safety) element, detailing the required activities, techniques, and deliverables. |
| Key Output | RAMS Plan, system requirements, and an overall management structure. | System Safety Plan, Hazard Log, Safety Requirements Specification, and the culminating Safety Case. |
| Level of Detail | High-level process definition and management requirements. | Detailed, technical guidance on implementing the safety lifecycle, including hazard analysis and risk assessment methods. |
| Analogy | The strategic blueprint for building a safe and reliable system. | The detailed engineering and construction manual specifically for the safety-critical structures. |
The Importance of the Safety Case
The Safety Case is more than just a document; it is the cornerstone of the assurance process under EN 50126-2. It demonstrates that:
- A systematic safety management process has been followed.
- All credible hazards have been identified and analyzed.
- Risks have been controlled to an acceptable level (e.g., ALARP – As Low As Reasonably Practicable).
- The system is demonstrably safe to operate under the defined conditions.
Without a robust and complete Safety Case, a system cannot be certified for use in a safety-critical railway environment, making it the ultimate deliverable of the EN 50126-2 process.