
CERTIFER REFERENCE DOCUMENT RF 0015

Page 1 / 14

INDEX UPDATED:

2

REFERENCE DOCUMENT FOR CERTIFICATION OF THE SAFETY INTEGRITY LEVEL OF PRODUCTS AND SYSTEMS LIKELY TO BE USED IN GUIDED TRANSPORTS SYSTEMS, ACCORDING TO EN50126, EN50128 AND EN50129 STANDARDS

DATE 09/12/14

This document is the property of CERTIFER. It may not be used, reproduced or disclosed without prior agreement. Agence de Certification Ferroviaire - SIREN 411 047 285 - Code APE 9499Z

CERTIFER 1, Place de Boussu, BP70141, F-59416 ANZIN Cedex, France. Tel: +33 3 27 28 35 00 - Fax: +33 3 27 28 35 09

RF 0015

REFERENCE DOCUMENT FOR THE CERTIFICATION OF THE SAFETY INTEGRITY LEVEL OF PRODUCTS OR SYSTEMS LIKELY TO BE USED IN GUIDED TRANSPORT SYSTEMS ACCORDING TO EN50126, EN50128 AND EN50129 STANDARDS


MEMBERS OF THE WORKING GROUP ESTABLISHING THE REFERENCE DOCUMENT

• Philippe BERNAGE, CERTIFER

• Sergio FURLAN, CERTIFER

• Patrick OZELLO, CERTIFER

MEMBERS OF THE COMMITTEE APPROVING THE REFERENCE DOCUMENT:

College A: users of certified products:

• Jean-Marc CEREZ, SNCF

• Sylvie REROLLE, SNCF

College B: suppliers of certified products:

• Paul BENOIT, SIEMENS

• Robert CAPEL, ALSTOM

College C: independents:

• François BARANOWSKI, IFSTTAR

APPROVAL OF THE REFERENCE DOCUMENT

Following a favourable opinion returned by the Approval Committee (in compliance with CERTIFER procedure 7407), this reference document was signed by:

The Chairman and Managing Director of CERTIFER, Jacques COUVERT


TABLE OF CONTENTS

1. OBJECT AND AREA OF APPLICATION ............ Page 4

2. REFERENCE DOCUMENTS ............ Page 4

3. DEFINITIONS AND ABBREVIATIONS ............ Page 5

4. PROCEDURE AND REQUIREMENTS ............ Page 6

4.1. DETAILED DEFINITION OF THE PRODUCT OR SYSTEM TO BE CERTIFIED ............ Page 6

4.2. CREATION OF THE ASSESSMENT PLAN ............ Page 6

4.3. AGREEMENT OF THE REQUESTING PARTY ON THE PROPOSED CERTIFICATION ............ Page 7

4.4. TASKING OF PARTIES INVOLVED ............ Page 7

4.5. PERFORMANCE OF THE ASSESSMENT ............ Page 8

4.6. ASSESSMENT REPORT ............ Page 12

4.7. CERTIFICATION DECISION ............ Page 14

4.8. CERTIFICATE ............ Page 14

4.9. APPEALS ............ Page 14

4.10. USE OF THE CERTIFICATION BODY'S MARK ............ Page 14

4.11. OPERATIONS AFTER CERTIFICATION ............ Page 14

Appendix 1: RFU-2-000-16: “Cross acceptance of Safety Case Assessments” of 01/04/2006.

Appendix 2: “Validity of test results” (CERTIFER origin) of 28/10/2014.

Appendix 3: Depth of documentary reviews.


1. OBJECT AND AREA OF APPLICATION

This reference document establishes the requirements and the procedure for the certification of the safety integrity level of products (1) likely to be used in guided transport systems. The certification described in this reference document is a type certification by design examination, as specified in COFRAC document CPS-Ref-09. Consequently, it does not fall under the scope of application of the French Consumer Code. In this document, the text “EN 45011 / ISO 17065” refers to the requirements of the EN 45011 standard, which must be replaced by those of the ISO/CEI 17065 standard by 15 September 2015 at the latest.

2. REFERENCE DOCUMENTS

For undated references, the last published version applies.

• NF EN 45011 Standard (1998) “General requirements for bodies operating product certification systems”, supplemented by application guide EA-6/01,

• ISO/CEI 17065: 2012 Standard “Conformity assessment – Requirements for bodies certifying products, processes and services”

• COFRAC document n°CPS-Ref-09 (ver 00 2010) – “Type certification by design examination”,

• EN 50126 (1999) standard: Railway applications – The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS)

• EN 50128 (2001, 2011) standard: Railway applications – Communications, signalling and processing systems – Software for railway control and protection systems.

• EN 50129 (2003) standard: Railway applications – Communication, signalling and processing systems – Safety related electronic systems for signalling.

(1) In this reference document, the term “product” refers to both hardware and software products.


These may be supplemented, when required, by other standards (the last published version applies):

• EN 50121: Railway applications - Electromagnetic compatibility (various parts)

• EN 50125: Railway applications - Environmental conditions for equipment

• EN 50155: Railway applications - Electronic equipment used on rolling stock

• EN 50159: Railway applications - Communication, signalling and processing systems. Safety-related communication in transmission systems.

• EN 61508: Functional safety of electrical/electronic/ programmable electronic safety-related systems (various parts).

3. DEFINITIONS AND ABBREVIATIONS

The definitions of the reference documents listed above are applicable.

COFRAC: COmité FRançais d’ACcréditation.

SIL: the safety integrity level of products and software is designated by the English acronym SIL (except under the EN50128:2001 Standard for software, “Software safety integrity level”: English acronym SSIL).

ISA: Independent Safety Assessor.

Manufacturer: entity responsible for demonstrating to the ISA that the product or system being assessed meets the required safety integrity level. The manufacturer is responsible for organising the audits required by the ISA and providing the ISA with all necessary documents relating to the design, manufacturing, installation, verification, testing, safety studies and use of the product or system.

THR: Tolerable Hazard Rate: the maximum permissible hazard rate.


4. PROCEDURES AND REQUIREMENTS

The following paragraphs describe the chronological stages and associated requirements. All operations associated with the certification service, including those not mentioned in this reference document but appearing in the procedures of the ISA’s quality system, must be executed in compliance with all requirements of the NF EN 45011 / ISO 17065 standard, the IAF and EA guides and COFRAC documents applicable to type certification. In particular, the certification body must possess and maintain a complete system of procedures, instructions and forms conforming to EN 45011 / ISO 17065.

4.1. Detailed definition of the product or system to be certified

The certification body must accurately define, in conjunction with the requesting party, the limits of the product or system to be certified, explaining:

- the physical architecture, the components and the internal and external functional and technical interfaces,

- the functions of the product or system,

- the list of software and hardware, as well as the safety integrity level (SIL and SSIL) and the safety targets (THR, undesired events) for each one.

It is possible that the certification of the product or system also includes processes to be assessed (e.g. processes such as parameterisation or downloading). These must be stipulated.

4.2. Creation of the assessment plan

The certification body will establish an assessment plan detailing at least the following aspects:

• The list of successive versions and modifications made

• The names of the writers (and verifiers, if any)

• The identity of the requesting party

• The context of the mission (a short description of the project which will use the product or system, the assessment stages when there are more than one, the history of assessments when previous versions have already been subject to an assessment)

• The identity and limits of the product to be assessed (see §4.1 of this document), as well as the processes to be assessed, if any

• Identification of the standards which will be used in the assessment (EN 50126, EN 50128, EN50129, see §4.5 below). When assessing existing products which have been modified, the applicable requirements of the standards must be specified (in particular, see §1.9 of EN50128:2011)


• The stages included in the assessment (Risk analysis, Specifications, Allocation of requirements, Design, manufacturing, Installation, unit testing, integration testing, laboratory tests, on-site tests, safety file, operation and maintenance)

• If the assessment concerns a generic product, a generic application or a specific application (such as those defined in the EN 50129 standard)

• The identification of the persons involved, if known

• The assessment method (number of audits, documentary reviews, visits and, if possible, the depth of documentary reviews). Also state whether the assessment is a gap assessment when a previous version of the product or system has already been subject to an assessment

• The cross-acceptance activities (list of assessment reports to be sent to the ISA)

• The list of assessment tasks

• The deliverables (audit reports, assessment reports, certificate)

And, if required:

• A list of attachments and appendixes

• The special provisions (language, sampling, confidentiality, staff safety, distribution of tasks to partners, sub-contractors or contractors, …)

• Assumptions

• A schedule

The assessment plan may be updated as many times as necessary during performance of the service.

4.3. Agreement of the requesting party on the proposed certification

The requesting party must approve the assessment plan and undertake to comply with the obligations of the requesting party and custodian stipulated in the NF EN 45011 / ISO 17065 Standard.

4.4. Tasking of parties involved

The parties (individuals and/or organisations) responsible for assessing the conformity of the products will be selected based on their competence and their independence. They undertake to keep all information gathered during their mission confidential.


4.5. Performance of the assessment

The parties tasked by the certification body perform the conformity examination with regard to the standards specified in the assessment plan. They then act in the capacity of the “assessor” within the meaning of the following standards. The standards used are:

• EN 50128 for software

• EN 50129 for signalling, telecommunications and processing products and systems. Electronic safety systems for signalling.

• EN 50126 for systems and assemblies

• EN 50121 for EMC requirements

• EN50125 and EN50155 for requirements relating to physical environmental conditions

• EN50159 for requirements relating to safety communications

It is strongly recommended to commence and conduct the assessment in parallel with the development cycle of the product or system.

The Independent safety assessment must include:

- An assessment of the quality and safety management system of the entity (manufacturer) in charge of the design, manufacturing, installation, verification, testing, safety study and use of the product or system.

- An assessment of the quality and safety management system applied during the project.

- An examination of the design of the product or system.

When an assessment only covers modifications to the product or system and, in order to make the modifications, the manufacturer resubmits the organisation and processes audited and accepted by the ISA during the previous stage, the ISA may decide that a new audit of the quality and safety management system is not required.


a) The quality and safety management system

The ISA must ensure that the requirements of §5.3.4 and 5.3.5 of the EN50126 standard are complied with.

The ISA must ensure that the EN50126, EN50128, and EN50129 standards are implemented within the framework of the policies applied by the company, based on a Quality Management System which conforms to the provisions of the ISO9001-2008 standard.

When the manufacturer operates a quality management system certified by an accredited certification body for the design and manufacturing of the product or system in question, the ISA shall take this into account in the assessment.

The team of auditors must have experience in quality and safety management systems and have at least one member experienced as an assessor in the product or system and the technology concerned, as well as knowledge of the EN50126, EN50128, EN50129 standards.

The audit will include an assessment visit to the manufacturer’s premises. The team of auditors will examine documentation describing the processes, methods and tools, as well as all technical documents produced during the development of the product or system under assessment, in order to verify the ability of the manufacturer to implement these processes, methods and tools and to ensure conformity with the requirements of the EN50126, EN50128 and EN50129 standards.

The auditing team formalises their conclusions in an audit report.

b) Surveillance of the quality and safety management system

The purpose of surveillance is to make sure that the manufacturer duly fulfils the obligations arising out of the approved quality management system.

The assessment will cover all phases, including design, manufacturing, installation, verification, testing and safety studies.

The ISA will periodically perform audits to ensure that the manufacturer maintains and applies the quality and safety management system. These audits will take place every two years at least.

The auditing team will formalise their conclusions in an audit report.


c) Examination of the design

The manufacturer must provide the ISA with all documentation regarding the product or system to enable them to understand the design, manufacturing, installation, verifications and testing, as well as the safety studies and user manuals, in order to evaluate their compliance with the requirements of the EN50126, EN50128 and EN50129 standards.

The ISA must assess the documentation for all software, hardware, assemblies and parameterisation processes. The ISA’s assessment will also cover the software development cycle, the hardware development cycle and the software and hardware integration. During the documentary assessment, the ISA will make sure that:

- the safety requirements are traceable over the entire life cycle

- the techniques and methods specified in the quality and safety management system are implemented

- the safety verification and validation processes have been implemented

- the functional and technical safety requirements (correct operation under failure-free conditions, the impacts of failures and external influences) are verified.

in compliance with the requirements of the EN50126, EN50128, EN50129 standards.

The ISA may perform sample verifications of the documentation, but may also perform a more in-depth assessment depending on the criticality of the information contained in the documentation. The depth of the assessment must always be at least equivalent to the “process audit + design examination” stipulated in Appendix 3.

The documentary assessment must be conducted by assessors who are competent in the techniques and methods implemented by the manufacturer.

The ISA must conduct visits during tests in order to gauge the relevance of the tools and methods used and to ensure compliance with the quality and safety management system during testing. The ISA may require additional tests to be performed.

When a part of the product or system has already been assessed by an independent organisation, the ISA may take this into account to avoid repeating the assessment. He will then examine:

• the recognition of the organisation performing the assessment

• the assessment method applied

• the assessment report provided

The assessment criteria used will be those defined in document RFU-2-000-16 drafted by NBRAIL. (See Appendix 1).

The ISA may, if required, request additional information necessary to the proper understanding of the results of the assessment report (safety case, description of the conditions of use of the product…).


In terms of input data, the ISA will accept test reports (EMC, environment…) produced by laboratories, after making sure that all necessary tests have been performed based on the intended use of the product or system. The ISA will make sure that the test results are admissible (see Appendix 2).

The ISA will assess the safety case of the product or system. He will make sure that all risks identified in the Hazard Log are covered, and that safety constraints relating to usage (integration, operation or maintenance) are clearly defined.


4.6. Assessment reports

The assessment report(s) will cover at least the following aspects:

• A review of the context of the service

• The identity of the product undergoing conformity assessment

• The identification of the standards used

• The identification of the assessment plan

• The identification of the industrial designer or manufacturer of the product, when it is not the client

• The names and roles of the persons involved (including sub-contractors) in the conformity assessment

• The names of the writers, checkers and approvers of the report

• The scope of the assessment described in the report

The report must clearly detail the phases and/or parts of the product and/or the sites subject to the conformity assessment referred to in the report (an extract of the assessment plan is permissible). It must be stated whether the assessment concerns a generic product, a generic application or a specific application (such as those defined in the EN 50129 standard). It must also be stated whether processes were subject to assessment (e.g. parameterisation processes).

• The constraints and assumptions used in the conformity assessment, if any

When the results of the conformity assessment are only valid when requirements are assumed to be complied with (functional, environmental, operational…), these requirements, postulates and expectations must be clearly defined. Assumptions made about non-assessed parties must also be mentioned.

• Description of the conformity assessment work completed and problems encountered, as well as provisions made to resolve them

All discrepancies between the assessment plan and the actual work done must be indicated and justified. The visits and audits conducted during the project must be listed.

• Conformity assessment methods

The depth of assessments must be indicated, e.g. listing the documents assessed using a sampling process.

• Identification of assessed documents

• Results

The assessment report must contain the following elements:

- Justifications regarding cross-acceptance activities


- When the assessment uses results obtained from other assessment missions, the assessment report will include a summary of the assessment results for each of these reports

- The conclusions of audits of safety and quality management systems, as well as any discrepancies found during the audits and their statuses (corrective actions in progress, closed reservations…)

- The list of hardware and software components assessed, their versions, and the SIL (or SSIL) achieved (specification of the “THR” is also recommended), as well as the conclusions of the assessment for each of the components;

- The conclusions of the assessment of the product or system, its version, the SIL achieved (specification of the “THR” is also recommended)

- The list of exported safety constraints, or a reference to the safety case when listed therein.

Note: The assessment report must mention all discrepancies detected and other open points, or refer to observation and question sheets and non-conformity sheets, if any.

• Conclusions.

- On the progress of the service (tasks performed, in progress, pending).

- On the conformity (or lack of conformity) of the product or system. When non-conformities remain, the report must specify the extent of additional assessments required.

Special case for software

The EN50128 standard does not require that a software safety case be produced. Consequently, the ISA will not always have a safety case for the assessment of the exported use and safety constraints. Furthermore, the behaviour of a piece of software will largely depend on the hardware on which it is executed. The ISA must therefore make sure that:

- all phases of the life-cycle of the software are covered by the assessment, including software/hardware integration and validation

- the safety constraints exported to the user of the software are defined by the manufacturer.

The ISA must include the following in their report or refer to a document:

- the list of exported safety constraints

- the hardware which can be used to execute the software


4.7. Certification decision

The decision to award certification or not is taken by a committee comprising (in application of the certification body’s procedures) members who have not participated in the conformity assessment. The committee will base its decision on:

- the contents of the assessment report

- the presentation made by the lead assessor

- the answers provided by the lead assessor to the committee’s questions.

4.8. Certificates

The text of the certificate stipulates that it in no way presumes the mass production of the “type” certified, and that it only applies to the design of the product (referred to) and the resulting descriptive dossier. The term of validity of the certificate and the certificate surveillance procedure are specified in the procedures used by the certification body.

4.9. Appeals

The certification body will make its appeals procedures available to the requesting party. In particular, the notification of rejection of a certificate must describe the appeal procedures against this decision.

4.10. Use of the certification body’s mark

Type certification does not allow for the marking of products, packaging, notices or guarantee certificates, or the inclusion of CERTIFER’s logo on any medium. However, the holder may refer to the certificate in conformity and suitability-for-use declarations, as well as in letters, technical files, commercial tenders etc. They must then communicate:

- either the entirety of the information appearing on the certificate (including the list of its appendixes)

- or the entirety of the information appearing on the certificate and its appendixes

so as to avoid any confusion about the scope of certification.

In order to refer to certification on advertising literature specific to the product (brochures, leaflets, advertising materials, audiovisual media, websites etc.), the holder must have been previously authorised to use a logo created by the certification body. The latter will send the logo and its conditions of use to the applicant.

4.11. Operations after certification

The certification body applies the procedures for surveillance, maintenance and renewal established in compliance with EN 45011 / ISO 17065.

RECOMMENDATION FOR USE

CO-ORDINATION BETWEEN NOTIFIED BODIES, DIRECTIVES 96/48/EC AND 2001/16/EC ON THE INTEROPERABILITY OF THE TRANS-EUROPEAN HIGH-SPEED AND CONVENTIONAL RAILWAY SYSTEMS

RFU 2-000-16 Issue: 02 Date: 01-04-2006 Page 1 of 3

TITLE: CROSS ACCEPTANCE OF SAFETY CASE ASSESSMENTS

ORIGINATORS: CERTIFER / KEMA RAIL TRANSPORT CERTIFICATION NOTIFIED BODY

SUBJECT RELATED TO: CCS SUBSYSTEM CERTIFICATION

DESCRIPTION AND BACKGROUND EXPLANATION

Scope

The scope of this proposal is limited to the conformity assessment procedure in the framework of Directive 96/48 and of the TSI Control, Command and Signalling. It is not applicable to other TSIs or Directives.

Abbreviations

IC: Interoperability Constituent
ISA: Independent Safety Assessor
NoBo: Notified Body
TSI EC96/48: Technical Specification for Interoperability of Control, Command and Signalling of September 2002 (Directive 96/48)

Introduction

An ISA can be involved during IC or subsystem conformity assessment. According to the TSI:

- TSI § 6.1.1, conformity and suitability for use assessment procedure, and
- TSI § 6.2.1, control command subsystem: "The independent assessment in the safety acceptance and approval process as described in Annex A, index 1 may be accepted by the notified body, without it being repeated".

Hence safety, which is an essential requirement, may be assessed by an ISA which is not necessarily a Notified Body. Note that the scope of an ISA assessment can be an IC, a subsystem, or a part of an IC or a subsystem such as an electronic board, software, or a sensor. Therefore, it is important that an ISA involved in a Directive 96/48 conformity assessment procedure meets minimum criteria, to give confidence both to the NoBo accepting the ISA results and to those accepting the ISA results in a cross acceptance situation.

RFU PROPOSAL

Criteria for ISA acceptance

The minimum criteria of independence, competence and quality for the acceptance of the ISA results consist of the following three elements, which are further explained below and which shall be verified by the NoBo:

a. Acceptance of the ISA competency
b. Acceptance of the ISA entity
c. Acceptance of the safety assessment results

(a) Acceptance of the ISA competency

The NoBo shall verify that the ISA meets the following criterion:

1) The scope of competence of the ISA is appropriate. The competence of the ISA is relative to the product or subsystem assessed, and also to the standards and methods used in the assessment.

(b) Acceptance of the ISA entity

The NoBo shall verify that the ISA meets one of the following criteria:

1) The ISA is a Notified Body; or
2) The ISA has a legal notification by a member state to perform safety assessments; or
3) The ISA has already performed an earlier safety assessment of the same product, which has been authorised by a member state to be put in service; or
4) The ISA performs the safety assessment of a modified product, and has already performed the safety assessment of the original product, which has been authorised by a member state to be put in service; or
5) The ISA is accredited to EN 45011 (certification bodies); or
6) In all other cases, there can be no cross acceptance of the proof that the ISA meets the requirements of independence, competence and quality, and the NoBo has to verify this itself. Therefore the ISA shall submit for acceptance to the NoBo:

- the curriculum vitae of each assessor;
- a written statement from each assessor indicating his impartiality and the absence of any conflict of interests;
- the safety assessment plan written by the ISA team to assess the product. This safety plan shall indicate the level of quality and the methods used to achieve this level, shall enable the scope of the assessment to be understood and shall precisely describe the working methods applied in the assessment.

Given the difficulties in establishing an exhaustive list of criteria, the list above is a guide.

These requirements do not exclude that the ISA is also an inspection body with EN 45004 accreditation or a testing laboratory with ISO 17025 accreditation; however, the above requirements must be fulfilled.

(c) Acceptance of the safety assessment results

Before accepting the conclusion of the ISA assessment, the case for cross acceptance shall demonstrate the following points, which shall be verified by the NoBo:

1) the product (or subsystem) subject to the assessment is well defined (description, documents, software configuration, ...); and
2) the standards or other normative documents used to establish the results of the safety assessment are well defined and appropriate; and
3) the methodology (review of documents, audit, testing, modelling, simulations, combinations of methods, ...) used by the safety assessors is well defined and appropriate; and
4) the environment of the product (physical, EMC, technical, functional, ...) is well defined; and
5) the limits of validity of the safety assessment result are well defined; and
6) the standards, methods, conditions, limitations and restrictions are also applicable to the particular situation for which cross acceptance is desired.

DATE OF AGREEMENT AT NB RAIL PLENARY MEETING 16th February 2006 (PM 16)

28/10/2014 page 1 of 3

Acceptance criteria for test results

This memorandum summarises the CERTIFER requirements for guaranteeing that test results are obtained under conditions guaranteeing their validity. These requirements are derived from legislation, European standards and the NB Rail RFU:

- SAM X 001 / SAM X 009
- ISO 17020
- ISO 17025
- RFU-STR22

CERTIFER must ensure that the criteria listed below are complied with when:

- test results are supplied by the client;
- tests are performed on behalf of CERTIFER and under its responsibility;
- tests are performed by CERTIFER.

Three criteria are used in the acceptance of test results:

- Criterion 1: the quality management system
- Criterion 2: minimum content of test reports
- Criterion 3: calibration

If conformity with the requirements listed below is, in the opinion of CERTIFER, insufficiently demonstrated in the documents provided by the client, "open points" must be created in the questions and remarks follow-up sheet, in the form of questions and/or requests for additional information. Depending on the answers and new proofs provided by the client, the reservation can be closed or converted into a discrepancy in the final report.

For tests in the fire/smoke domain, EN ISO/IEC 17025 accreditation for the fire/smoke fields is mandatory, as well as successful participation in the CERTIFER inter-laboratory campaigns.

CERTIFER may perform tests, provided that they fall within the normal activities of CERTIFER given its area of certification.


1 Acceptance criteria for test results

1.1 Criterion 1: the quality management system of the test body

a) EN ISO/IEC 17025 accredited test laboratory or body, with the accreditation covering the tests under consideration: the quality management system is acceptable. The test report must meet criterion 2 (section 1.2).

b) EN ISO/IEC 17025 accredited test laboratory or body, with the accreditation not covering the tests under consideration: acceptance of the report presenting the test results is subordinate to the results of an audit of the execution of the test, focused on the specific application, the particular techniques and the implementation conditions of the test. The reference document for the audit is the EN ISO/IEC 17025 standard (see SAM X 009).

c) ISO 9001 certified test bodies or laboratories

c1) Tests intended to measure the physical characteristics of a product or system: acceptance of the report presenting the test results is subordinate to the results of an audit of the execution of the test, with regard to its compliance with the additional requirements of the EN ISO/IEC 17025 standard compared with those of ISO 9001:

- effective implementation of the quality management system in the test domain in question;
- verification of the additional requirements of the EN ISO/IEC 17025 standard compared with the requirements of ISO 9001 (this can be based on the SAM X 009 audit outline);
- the particular techniques, methods, the competence of technical staff and the implementation conditions for the test requested.

c2) Tests intended to validate compliance with the functional requirements of a product or system: acceptance of the report presenting the test results is subordinate to:

- the opinion of CERTIFER on the test plan (in particular presenting the test strategy and test tools);
- an opinion on the functional test specifications.

CERTIFER may require additional tests and/or attendance at certain tests.

d) Non ISO 9001 certified test bodies or laboratories

d1) Tests intended to measure the physical characteristics of a product or system: acceptance of the report presenting the test results is subordinate to the results of an audit of the execution of the test, with regard to its compliance with the requirements of EN ISO/IEC 17025.

d2) Tests intended to validate compliance with the functional requirements of a product or system: acceptance of the report presenting the test results is subordinate to:

- an audit of the execution of the test with regard to its compliance with the requirements of the ISO 9001 standard;
- the opinion of CERTIFER on the test plan (in particular presenting the test strategy and test tools);
- an opinion on the functional test specifications.

CERTIFER may require additional tests and/or attendance at certain tests.

1.2 Criterion 2: minimum content of the test report (or other admissible document)

To be admissible, the test report must include at least the following elements (each requirement is followed by the objective it serves):

1. A unique identification and, on each page, an indication that the page is recognised as being part of the document, as well as a clear indication of the end of the document.
   Objective: make sure that nothing has been removed or added.

2. The name and address of the entity performing the tests.
   Objective: make sure that the person responsible for the test results is identified.

3. Description of (or reference to) the method.
   Objective: make sure that the method is relevant.

4. The unambiguous description and identification of the object submitted to the test.
   Objective: make sure that the sample tested is representative of the product being assessed.

5. Accurate identification of the equipment, software and simulators used.
   Objective: make sure that the tests are reproducible and, where applicable, that the calibration proofs match the devices used (or can be found).

6. The results of the test, with measurement units where required.
   Objective: make sure that the results demonstrate the product's compliance with the requirements.

7. Information relating to the specific conditions of the test, such as the ambient conditions, when they are likely to influence the result.
   Objective: make sure that no test condition is likely to invalidate the results.

a) Tests intended to measure the physical characteristics of a product or system

8. A declaration relating to the measurement uncertainty (if it is important for the validity of the results, or when it affects conformity at the limits of a specification).
   Objective: make sure that the measurement error range does not exceed the admissible tolerances for the value of the product.

b) Tests intended to validate compliance with the functional requirements of a product or system

8. Accurate identification of the functional specifications and of the functional test specifications.
   Objective: make sure that the expected functional behaviour of the product is clearly identified.

9. Any other information required by the EN50126, EN50129 and EN50128 standards (test coverage report, list of known discrepancies and the impact these discrepancies may have on usage, ...).
   Objective: make sure of compliance with the requirements of the EN50126, EN50129 and EN50128 standards.

1.3 Criterion 3: calibration

When the measured values are traceable to national or international standards, the certificates demonstrating the validity of calibration of all the equipment used for measurements and tests having a significant influence on the results of our assessment must be provided to CERTIFER by post, or presented on site.

Page 1 of 3

Appendix 3 of CERTIFER reference document RF0015 version 2

Level of depth required in a documentary examination

Examples

Abbreviations used:

FR: fast reading
CR: critical reading
SR: sample reading
NE: not examined
X: the method is used whatever the safety integrity level of the product
X1: the method is used when the safety integrity level is SIL1
X2: the method is used when the safety integrity level is SIL2
X3: the method is used when the safety integrity level is SIL3
X4: the method is used when the safety integrity level is SIL4

Each document is listed below with its marks in the order in which they appear across the NE / FR / SR / CR columns of the original table; where two marks are shown for one document, they fall in two different columns.

1) Example: audit of the process

Document to be examined (NE / FR / SR / CR):

- Quality Manual: X (if ISO9001); X (if not ISO9001)
- Process and instruction sheets: X (if ISO9001); X (if not ISO9001)
- Management Plan: X
- Quality plan: X
- Safety plan: X
- Quality registration documents (minutes of reviews, anomaly sheets, modification sheets, ...): X
- System risk analysis: X
- System functional specifications: X
- System architecture and safety principle: X
- System integration and installation test specifications: X
- System integration and installation test results: X
- System validation test specifications: X
- System validation test results: X
- System safety case: X
- Hardware risk analysis: X
- Hardware functional specifications: X
- Hardware architecture and safety principle: X
- Hardware integration test specifications: X
- Hardware integration test results: X
- Hardware validation test specifications: X
- Hardware validation test results: X
- Software risk analysis: X
- Software functional specifications: X
- Software architecture: X
- Software detailed design: X
- Source code: X
- Software integration test specifications: X
- Software integration test results: X
- Software validation test specifications: X
- Software validation case: X

2) Example: process audit + design examination

Document to be examined (NE / FR / SR / CR):

- Quality Manual: X (if ISO9001); X (if not ISO9001)
- Process and instruction sheets: X (if ISO9001); X (if not ISO9001)
- Management Plan: X
- Quality plan: X
- Safety plan: X
- Quality registration documents (minutes of reviews, anomaly sheets, modification sheets, ...): X
- System risk analysis: X
- System functional specifications: X
- System architecture: X1, X2; X3, X4
- System safety principles: X1, X2; X3, X4
- System integration and installation test specifications: X1, X2; X3, X4
- System integration and installation test results: X1, X2; X3, X4
- System validation test specifications: X; X3, X4
- System validation test results: X; X3, X4
- System safety case: X; X3, X4
- Hardware risk analysis: X1, X2; X3, X4
- Hardware functional specifications: X1, X2; X3, X4
- Hardware architecture and safety principle: X1, X2; X3, X4
- Hardware integration test specifications: X1, X2; X3, X4
- Hardware integration test results: X1, X2; X3, X4
- Hardware validation test specifications: X1, X2; X3, X4
- Hardware validation test results: X1, X2; X3, X4
- Test results in working environment (EMC, vibration, temperature, ...): X
- Software risk analysis: X1, X2; X3, X4
- Software functional specifications: X1, X2; X3, X4
- Software architecture: X1, X2; X3, X4
- Detailed design of the software: X1, X2; X3, X4
- Source code: X
- Test tool documentation: X
- Software integration test specifications: X1, X2; X3, X4
- Software integration test results: X1, X2; X3, X4
- Software validation test specifications: X1, X2; X3, X4
- Software validation case: X1, X2; X3, X4