ARTICLE IN PRESS

Reliability Engineering and System Safety 92 (2007) 1686–1700

www.elsevier.com/locate/ress

A SIL quantification approach based on an operating situation model

for safety evaluation in complex guided transportation systems
J. Beugin, D. Renaux, L. Cauffriez
LAMIH (Laboratory for Automation Mechanical Engineering, Information Sciences and Human-Machine Systems), Department of Human-Machine
Systems, University of Valenciennes-Le Mont Houy, UMR CNRS 8530, F-59313 Valenciennes Cedex 9, France
Accepted 22 September 2006
Available online 22 November 2006

Abstract

Safety analysis in guided transportation systems is essential to avoid rare but potentially catastrophic accidents. This article presents a
quantitative probabilistic model that integrates Safety Integrity Levels (SIL) for evaluating the safety of such systems. The standardized
SIL indicator allows the safety requirements of each safety subsystem, function and/or piece of equipment to be specified, making SILs
pivotal parameters in safety evaluation. However, different interpretations of SIL exist, and faced with the complexity of guided
transportation systems, the current SIL allocation methods are inadequate for the task of safety assessment. To remedy these problems,
the model developed in this paper seeks to verify, during the design phase of guided transportation system, whether or not the safety
specifications established by the transport authorities allow the overall safety target to be attained (i.e., if the SIL allocated to the
different safety functions are sufficient to ensure the required level of safety). To meet this objective, the model is based both on the
operating situation concept and on Monte Carlo simulation. The former allows safety systems to be formalized and their dynamics to be
analyzed in order to show the evolution of the system in time and space, and the latter make it possible to perform probabilistic
calculations based on the scenario structure obtained.
r 2006 Elsevier Ltd. All rights reserved.

Keywords: Guided transportation systems; Global risk assessment; Safety Integrity Levels; Operating situation; Monte Carlo simulation

1. Introduction means are barriers that act prior to an incident either to

The objective of a guided transportation system is to
ensure the safe transfer of passengers from one location to
another within a given time frame, while simultaneously
guaranteeing the safety of system operations. In order to
fulfil this dual objective, the level of safety must be
assessed, which implies evaluating the safety of the overall
system (both onboard train and trackside infrastructures)
either to prove that safety conditions are sufficient, or, if
they are not, to recommend measures that will reduce the
various risks detected. Safety assessment is, then, a process
of risk analysis that determines whether or not the planned
means of prevention and protection are adequate. These
Corresponding author. Tel.: +33 3 27 51 13 49; fax: +33 3 27 51 13 16.
E-mail addresses: Julie.Beugin@univ-valenciennes.fr (J. Beugin),
Dominique.Renaux@univ-valenciennes.fr (D. Renaux),
Laurent.Cauffriez@univ-valenciennes.fr (L. Cauffriez).
eliminate hazards (e.g., system failures) that could poten-
tially cause accidents (e.g., collisions) or to reduce the
occurrence of the undesirable accidental events, or they are
barriers that come into play after an incident to mitigate
the consequences of accidents that could not be prevented.
Such barriers are mainly implemented through safety-
related systems. The residual risk remaining with these
barriers is evaluated through a process of probabilistic risk
assessment (PRA). The type of PRA presented in this
article is adapted to the field of guided transportation.
Functional safety, as its name implies, concerns the
correct functioning of the sub-systems that insure the
overall safety of a system. IEC 61508, the generic safety
standard for E/E/PE (Electrical/Electronic/Programmable
Electronic) safety-related systems [1], dictates the func-
tional safety requirements of guided transportation sys-
tems. These requirements are expressed in terms of SILs
(Safety Integrity Levels) [2–4]. SILs are set to ensure that

0951-8320/$ - see front matter r 2006 Elsevier Ltd. All rights reserved.
doi:10.1016/j.ress.2006.09.022
 ARTICLE IN PRESS
J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700
specific risk limits are not exceeded. In Section 2, the SIL
concept is described and some of the current SIL allocation
methods are presented.
Because of the diverse interpretations and applications
that exist for the SIL definition given in the IEC 61508
standard, the SIL concept can be unclear and difficult to
understand. Section 3 provides an overview of the different
interpretations in order to explain how SILs are used in this
study, particularly the quantitative part of this indicator.
Current allocation methods are discussed in terms of the
complexity of guided transportation systems, highlighting
the inadequacy of these methods for evaluating the overall
safety of such systems and showing the necessity of
combining the safety functions, thus, a fortiori, combining
the SIL of these safety functions.
In Section 4, a quantitative probabilistic model integrat-
ing the various aspects of SIL is proposed for evaluating
the overall safety of a guided transportation system. The
model is based on a novel conception of the ‘‘operating
situation’’, which is a new pattern for characterizing the
different elements of a particular operational context. This
model incorporates a risk-scenario approach that is
appropriate to the complexity of transportation safety
systems. Section 5 describes a Monte Carlo simulation
approach based on the scenario structure provided by the
model; this MCS approach allows the probabilistic
calculation to be performed. Section 6 presents our
conclusions and our thoughts for future research.
2. Evaluating system safety in guided transportation systems
2.1. An introduction to risk management
Risk management examines the different phases of a
system’s life cycle to assess, evaluate, implement, document
and control safety conditions. It deploys techniques to
prevent accidents or reduce their consequences to an
acceptable level. In the design phase, it works to identify
critical risk profiles that are used to assess safety. In other
life cycle phases, the risk management process establishes
Fig. 1. PRA in the field of guided transportation.
1687
procedures (e.g., use of standards, instructions, controls)
and evaluates the diverse system activities (e.g., operation
and maintenance) to make sure that they follow these
procedures. The safety assessment methods in the design
phase are fundamental; in fact, they are the very founda-
tion of risk management. These methods are all part of
PRA. Based on causal scenarios derived from hazardous
events, use of safety goals and risk uncertainty calculations
[5], PRA provides the framework for evaluating safety in
guided transportation systems.
2.2. The probabilistic risk assessment framework
PRA in the field of guided transportation is the
responsibility of the two entities that administrate this
PRA process: the operator who will exploit the system and
the supplier who designed and constructed the system
[2,4,6] (see Fig. 1). This shared responsibility allows a
separation of tasks and liabilities.
The operator establishes the system specifications, inde-
pendent of system construction, by studying the functional
aspect of the system, in particular the safety functions. This
operator determines the different possible undesirable events
that could occur in the system and their associated potential
outcomes. It analyzes the hazards that could lead to these
undesirable events, given both internal operational system
failures and external events, and establishes the safety levels
for the various safety functions that might be implemented to
prevent/palliate the different hazards. Depending on a safety
goal allocation approach, these levels are specified in the form
of SIL (defined below) or in the form of numerical indicators
that can be translated into SIL. The allocation, which is
dependent on risk acceptance principles, is carried out using
the quantitative and/or qualitative methods explained in the
following sections. These methods attribute the minimum SIL
needed by the safety functions. This level is generally
maintained because it costs more to construct a function
with a higher SIL.
The supplier defines, designs and constructs a system
architecture that meets the requirements spelled out in the
 ARTICLE IN PRESS
1688 J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700
specifications. Dependability methods are used to allocate
safety requirements to each function and from each
function to the various subsystems and equipment. A
causal analysis of operational sub-system failures and
safety sub-system failures (e.g., detected failures, unde-
tected failures, common causes of the various component
failures) is done in order to highlight the dangerous failures
(hazards) that can lead to undesirable events, and to verify
that each safety function attains it specified safety level.
This operator/supplier paradigm is not always strictly
respected. For example, the Urban Guided Transport
Management System (UGTMS) project has adopted a
conceptual safety approach [7] that groups the functional
SIL allocation with risk analysis and does not assign SIL to
subsystems or equipment.
2.3. The principles of risk acceptance
Derived from national law, three risk acceptance
principles for the field of guided transportation have been
set down in the EN 50126 standard [2]:
 The first is the English ALARP (As Low As Reasonably
Practicable) principle depicted in Fig. 2(a). This
principle is identical to the ALARA (As Low As
Reasonably Attainable/Achievable) principle used in
the nuclear field [8]. The ALARP principle defines an
acceptable risk zone, an unacceptable risk zone, and a
middle zone, called the ALARP zone, in which the
global safety objectives are set according to the ratio of
risk improvement over invested costs. This middle zone
can be delimited by frequency values (indicative values
in Fig. 2(a)). If the risk falls in this zone, the means to be
deployed to attain the desired safety level must be
evaluated in terms of the risk run compared to the
benefit accrued. Clearly, it is foolish to expend vast
resources (e.g., financial, human, material) for a slight
improvement.
 The second is the German MEM (Minimum Endogenous
Mortality) principle depicted in Fig. 2(b). This principle
sets the global safety objectives with reference to the
endogenous mortality of an individual (i.e., the ambient
risk RMEM for a person from 5 to 15 years old, fixed at
Unacceptable
zone
Risk reduction
ALARP in terms of the
Risk
cost-benefit
zone
analysis
Acceptable
zone
(a) Frequency in h-1
Fig. 2. Risk acceptance criteria for ALARP and MEM [2].
2  104/year). The risks related to the technical systems
are judged to contribute 5% to the individual risk; thus,
the limit of tolerated risk is set at 0.05  RMEM. The
degree of tolerated risk becomes more rigid as the size of
the population that could be affected increases.
 The last is the French GAME (Globalement Au Moins
Équivalent: globally at least equivalent) principle, which
requires that new systems fulfil the same safety require-
ments as those attained by an equivalent existing system.
This principle necessitates knowledge of the safety
objectives and of the safety behavior of the reference
system.
2.4. The Safety Integrity Level concept
SIL serve as safety targets in the field of guided
transportation [2–4]. SILs are discrete indicators on a
four-level scale. On this scale, SIL 1 is the weakest safety
requirement and SIL 4 is the most restrictive. SILs are used
to specify the safety integrity requirements for the safety
functions performed by E/E/PE safety systems [1]. Using
SILs allows the rare but possible safety system failures to
be taken into consideration, in addition to those existing in
the operational system. The potential operational system
failures correspond to the hazards detected during the PRA
process. The most dangerous failures—those safety system
failures that can provoke accidents—can be either
systematic or random in nature.
Systematic failures are latent system failures that only
become visible under certain operating conditions. Soft-
ware flaws and design errors are included in this category,
as are certain material failures caused by environmental
perturbations (e.g., high temperature, electric or vibratory
disturbances). Systematic failures can only be eliminated by
modifying the system design or manufacturing process, by
applying operational procedures, or by providing addi-
tional documentation. Because they are deterministic in
nature and are largely unpredictable, systematic failures
cannot be quantified. Limiting or eliminating them requires
making the quality assurance part of the risk management
process a primary concern. Though quality assurance is
difficult when the required SIL is high, it is this activity that
can prevent systematic failures from occurring.
10-3
Minimum Endogenous Mortality
Frequency* (per year)
10-4
10-6 10-5 Tolerated
-6
mortality
10 frequency
10-7
10-8
10-9
10-9
1 10 102 103 104 105 106
Number of victims*
(b) *Logarithmic scale
 ARTICLE IN PRESS
J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700
Random failures always result from material component
failures (i.e., they are hardware failures). Due to their
probabilistic nature, these hardware failures can be
quantified. The IEC 61508 standard [1] thus defines
quantitative safety requirements for each SIL. Table 1
summarizes the quantitative requirements of the standard.
In this table, the safety systems’ operational demand modes
are differentiated by using two different dependability
parameters: PFDavg (average Probability of Failure on
Demand) and PFH (Probability of dangerous Failure per
Hour). The table expresses quantitative SIL requirements
with a minimal and maximal boundary for each parameter.
The operational mode, which corresponds to the
operational system’s expected demand frequency on the
safety system, can be further divided into low-demand
mode and high-demand mode:
 The low-demand mode of operation implies irregular
solicitations of the safety system, as is the case with a
train’s emergency braking system. To be considered low-
demand, the operational demand frequency can be no
greater than once a year and no greater than twice the
proof-test frequency [1]. This mode mainly concerns
protection systems, or in other words, those systems
activated once an undesirable event (accident) has
occurred. The PFDavg is evaluated based on the safety
system’s architecture. (See Section 3 for the details
concerning the controversy surrounding the use of this
parameter.)
 The high-demand mode of operation implies regular, even
continual, solicitations of the safety system, as is the
case with a train’s continuous speed controls. To be
considered high-demand, the operational demand fre-
quency must be more than once a year or more than
twice the proof-test frequency [1]. This mode mainly
concerns systems that prevent the propagation of
hazardous events or that stop such events from
becoming accidents. The PFH is evaluated based on
the safety system’s architecture. (See Section 3 for the
details concerning the controversy surrounding the use
of this parameter.)
The capacity of a safety system to comply with SIL
requirements must be validated during each phase of the
Table 1
Quantitative SIL requirements
Safety Integrity Low-demand mode of High-demand mode of
Level operation operation
Average Probability of Probability of
Failure on Demand dangerous Failure per
(PFDavg)/activation Hour (PFH)/h
SIL 4 105pPFDavgo104 109pPFHo108
SIL 3 104pPFDavgo103 108pPFHo107
SIL 2 103pPFDavgo102 107pPFHo106
SIL 1 102pPFDavgo101 106pPFHo105
1689
design process and, once the system has gone operational,
prior to each design modification. System exploitation and
maintenance procedures must also comply with SIL
requirements. The SIL allocation methods are described
in the section below.
2.5. Determining SIL using functional allocation methods
The methods for allocating SILs to a system or to a
function come mainly from the process industry sector
[9–12] and the machine safety sector [13,14]. The standards
used in these two sectors, the IEC 61511 standard [15] and
the IEC 62061 standard [16], refer to a single safety system
within the overall system, called SRECS (Safety-Related
Electrical Control System) in the process industry sector
and SIS (Safety Instrumented System) in the machine
safety sector. In the sector of guided transportation,
because several safety devices, fulfilling multiple safety
functions, coexist in the overall system, referring to
functions rather than with a single safety system is
preferable. The quantitative or qualitative functional SIL
allocation methods described below analyze the various
hazards stemming from an operational system without
safety systems. To reduce the risk associated with a given
hazard, the output of the methods designates the safety
function SIL that should be implemented to act on the
consequences of this particular hazard.
2.5.1. Quantitative methodology using the risk matrix
method
The risk matrix method is a two-dimensional risk matrix
that is usually employed in the field of guided transporta-
tion [17,18]. By specifying an acceptable risk zone in a
criticality table (see Table 2), this matrix allows a
hazardous event to be analyzed in terms of occurrence
frequency and consequence severity. The scale of the
frequency parameter can be adapted to the risk acceptance
criterion given by the transport authority. For example, in
the UGTMS project [7], the individual risk acceptance rate
specified in the MEM principle was adopted for determin-
ing the threshold frequency that separates the tolerable
area from the intolerable area.
The risk Rnp, where np stands for ‘‘not protected’’, is
related to a failure (the hazardous event) of an operational
system without a safety system. Using the criticality table,
Rnp is evaluated in terms of a combination of the hazardous
event’s severity level C, as evaluated by expert judgment,
and the Fnp frequency related to the safety function
demand that prevents dangerous situations (i.e., the failure
frequency of the operational system). The risk of each
identified hazardous event is thus classified as ‘‘tolerable’’
(negligible and acceptable in the example in Table 2) or as
‘‘intolerable’’ (undesirable and unacceptable in the example
in Table 2). (Please note that, according to the ALARP
principle, the undesirable area can be considered as
acceptable under certain conditions.) In order to prevent
 ARTICLE IN PRESS
1690 J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700
a hazardous event classified as intolerable, a safety function
must be created.
Determining this function’s SIL depends on how much
the risk needs to be reduced in order to reach the tolerable
risk zone. In risk prevention, the safety function acts on the
hazard frequency in order to reduce risk. In this case, the
safety function must reduce the frequency of Fnp to at least
Ft (tolerable risk frequency). Though this situation is
generally preferred in risk analysis, sometimes, when the
hazardous event does end up provoking an undesirable
event, a safety function is needed to reduce the event’s
severity.
Using the Fnp and Ft frequencies, the IEC 61508
standard explains how this method can be used to
determine the SIL of a function operating in the low-
demand mode. The PFDavg is determined according to the
Table 2
An example of a risk matrix (i.e., a criticality table)
Fig. 3. Risk reduction achieved by a safety function in low-demand mode.
Fig. 4. Risk reduction achieved by a safety function in high-demand mode.
process shown in Fig. 3. Using the information given in
Table 1, the SIL function can be determined.
The subject of functions operating in the high-demand
mode is not dealt with clearly in the literature. In Refs.
[17,18], where the high-demand mode is used, in situations
in which the system environment is not taken into account,
the safety function failure frequency Fsf is examined rather
than Fnp. In fact, an operational system failure (the
hazardous event) appearing at frequency Fnp is already
taken into account in the safety function failure frequency,
as Fig. 4 shows: either the event has no serious
consequences because the safety function keeps the
operational system (called Equipment Under Control, or
EUC, in the standards) in a safe state during normal
operations; or on the contrary, serious consequences occur
because the safety function fails. In the latter case, the risk
incurred must be analyzed. Fsf must be returned to the
tolerable risk frequency for the dangerous event in
question, which allows the SIL to be determined directly
based on the information in the right-hand column of
Table 1. Please note that, in the field of guided transporta-
tion, the operational system and the safety system cannot
really be separated since they are implemented on the same
equipment. Fnp in this case, does not apply; only FSF can be
considered.
The methodology shown in Figs. 3 and 4 is not only used
with the risk graph method. It can also be applied as part
of other methods, such as LOPA (Layer Of Protection
Analysis) [19,20], which seeks to determine the PFDavg of a
safety instrumented function, integrated in a succession of
protective layers of a technology other than E/E/PE. The
methodology can be used with no supporting method.
 ARTICLE IN PRESS
J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700
Because the frequency parameters are quite difficult to
calculate, alternative qualitative methods based on expert
judgment are often used. In these methods, risk reduction
is implicit.
2.5.2. The main qualitative methods
2.5.2.1. The risk graph. The risk graph method analyzes
four hazard-related risk factors that are divided into
categories according to their importance: the severity of
the consequences, the time exposed to danger, the
possibility of avoiding the danger, and the probability of
undesirable occurrences without a safety function. The
output of the method indicates the minimum risk reduction
that the safety function must achieve. The risk graph
structure depends on the specific field of activity, hence the
use of various graphs in the directives or standards. An
example extracted from Ref. [13] is presented in Fig. 5,
where the consequences result in death, with either one
victim or several. Considering material and environmental
damage requires the use of additional graphs.
2.5.2.2. The hazardous event severity matrix. Unlike the
risk graph method, which considers only one safety
function, the hazardous event severity matrix integrates
several independent safety functions. The matrix has three
dimensions: severity of the hazardous event, the likelihood
of an undesirable event, and the number of independent
safety devices that must be integrated in order to act
against the hazard. Only one safety system based on the E/
E/PE technology can be taken into account; other systems
must be based on other technologies (e.g., mechanics or
pneumatics) and must have a safety requirement criterion
equivalent to the requested SIL. As in the risk graph
method, the structure depends on the specific field of
activity. An example extracted from Ref. [1] is presented in
Fig. 6.
Fig. 5. An example of a risk graph.
1691
This section has presented functional safety in terms of a
standardized concept of a SIL. The following section will
examine the various interpretations of the quantitative SIL
definition that make the concept ambiguous and difficult to
apply. Specifically, it will focus on the methods for using
and allocating SIL in the domain of guided transportation,
as compared to the general SIL allocation methods
presented above.
3. Some thoughts about a SIL definition and SIL allocation
methods for evaluating the overall safety of guided
transportation systems
3.1. Various interpretations of the probabilistic aspect of
SIL for the low-demand and high-demand modes of
operation
Determining the probabilistic aspects of SIL for safety
functions is performed differently, depending on the
standard and the author, and depending on which on the
two entities introduced in Section 2.1 is performing the
procedure. The operator that exploits the overall system
specifies the SILs according to the tolerable risk criteria set
by legislative authorities. The supplier designing the
system, including the safety system, verifies these specifica-
tions, using the dependability parameters of the compo-
nents integrated in the system.
To determine the PFDavg value related to a SIL (see
Table 1), diverse indicators, including dependability para-
meters, are used (see Table 3). When specifying the SILs,
this probability can be evaluated in terms of the required
risk reduction, which is often expressed using the risk
reduction factor (RRF). The safety system designed to
comply with the specifications must then be analyzed in
order to verify that its properties are consistent with the
safety specifications. During this design analysis phase,
the PFDavg is obtained by calculating PFDðtÞ. Several
 ARTICLE IN PRESS
1692 J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700

Fig. 6. An example of a hazardous event severity matrix.

Table 3
Quantitative indicators for the low-demand mode of operation

Low-demand mode of operation

Different indicators Related equations References

PFD(t) Probability of failure Calculation made PFDðtÞ ¼ 1  RðtÞ  PFSðtÞ [13]

on demand during system design (1  RðtÞ ¼ PFDðtÞ þ PFSðtÞ, RðtÞ: reliability, PFS: probability of
analysis failing safely)
PFDðtÞ ¼ 1  AðtÞ (AðtÞ: availability) [12]

Calculation made 1 Tolerable risk frequency [9]

PFDavg ¼ RRF ¼ Process demand frequency
while setting the 1 Tolerable risk frequency
PFDavg ¼ RRF ¼ Inherent risk frequency
specifications
(RRF: risk reduction factor) [13]
R
1 T
PFDavg Average probability Calculation made PFDavg ¼ T 0 PFDðtÞ dt
of failure on demand during system design
analysis (to verify the (T time interval between two safety system proof tests) [23–25]
R T1 R Tn
SIL requirement) PFDavg ¼ Qn1 [21]
0 ::: 0 PFDsys ðtÞ dt
Ti
i¼1
(T i time interval between two proof tests, which can be different
depending on the sub-system i; sys: system)

calculation examples have already been developed using
reliability block diagrams, fault trees or Markov analysis
methods [12,21,22]. Because the PFDðtÞ parameter is not
constant in time, it is translated into an average probability
over the mission time. When proof tests are carried out
periodically, the mission time is considered to be equal to
the time interval between two consecutive proof tests, with
the post-test system being taken for a new system. When no
proof tests are carried out, the mission time is assimilated
into the system’s lifetime.
Various indicators (see Table 4) are also used to determine
the PFH value related to a SIL (see Table 1). These indicators
come into play during the design phase and are all forms of a
hazardous event frequency whose unit is often expressed in
hours (h1). During the specification definition phase, SIL
probabilistic values are directly related to the tolerable risk
criteria, which are generally expressed as a table of the
different tolerable risk frequencies for an individual for the
different accident categories. Smith and Simpson [12] have
already published such a table.
3.2. A probabilistic SIL indicator that is consistent with
guided transportation systems
In guided transportation systems, safety is mainly
ensured by the continuous control of the moving trains.
This control works to guarantee that:
 no train exceeds its own speed limit nor the different
speed limits assigned to the various track sections;
 ARTICLE IN PRESS
J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700
Table 4
Quantitative indicators for the high-demand mode of operation
High-demand mode of operation
Different indicators Related equations
PFH Probability of dangerous Sum of the dangerous failure rates for all the subsystems serving a safety [1, part 6]
failure per hour function
PFH ¼ PFDðTTi
iÞ
(T i time interval between two proof tests, identical for the different sub-
systems)
THR Tolerable hazard rate THR ¼ lDD þ lDU
(Hazard rate for functions and sub-systems, D: Dangerous hazard, DD:
detected dangerous hazard, DU: undetected dangerous hazard)
 each train proceeds in the correct direction and remains
within a limited authorized zone, called the movement
authority;
 each train is assigned a zone and each zone contains one
and only one train;
 each train’s movement authority is correctly established,
meaning (i) that sufficient protections have been set to
forbid the entrance of other trains into a zone that has
been assigned to a specific train, and (ii) that the points
of the different switches are blocked in the correct
position so that the train moves along its planned
itinerary (with signalling and interlocking equipment);
 for non-urban guided transportation systems that
interact with road traffic, each level-crossing train
barrier is in the correct position to protect persons and
vehicles during the passage of the train; and
 no object or person is on the track in front of the train.
The continuous control of all these aspects keeps the overall
operational system in a safe state during normal operations.
This continuous aspect corresponds to the high-demand mode
of operations for safety functions. However, do all the
functions really operate in high-demand mode? Functions that
occur at the end of a sequence of events, just before a potential
accident, such as the emergency braking function, correspond
mainly to a low-demand operational mode because these
functions are performed intermittently, on demand, in order to
move the operational system into a specified safe state.
Hypothetically, though not far from reality, this kind of
function may actually serve more than once a year, so that they
can also be considered to operate in the high-demand mode
(see the definition of the high-demand mode of operation).
Different indicators exist for the high-demand mode due
to the different interpretations of the IEC 61508 standard
(see Table 4). The CENELEC railway standard [4] clearly
states that the tolerable hazard rate (THR) is employed in
the risk process, as do the safety system analyses conducted
by Braband, Schäbe and Wigger [6,17,18,26]. Based on
these examples in the railway domain, we chose THR as
the probabilistic indicator for SIL.
1693
References
[1,21, parts 1 and 6]
[4,6,17,18,26,27]
3.3. The inadequacies of the classic SIL allocation methods
Guided transportation systems should be considered as
complex systems, given the functional, behavioral, struc-
tural and technological complexities underlined in Refs.
[28,29]:
 Functionally complex—Guided transportation systems
are functionally complex due to their numerous
recurring functionalities. For example, many identical
systems are repeated from one track section to another
or one train to another;
 Behaviorally complex—The complexity inherent in the
aggregation of many entities whose various states evolve
stochastically over time makes such systems behavio-
rally complex. Using onboard and trackside equipment,
the evolution of the trains as they move along the tracks
can result in a variety of normal or risky situations;
 Structurally complex—The various heterogeneous sys-
tem elements (hardware, software or human) that are
distributed throughout the system interact continually,
and these system elements also interact with their
environment (i.e., the global guided transportation
system’s operating domain);
 Technologically complex—Issues related to the compat-
ibility, interoperability and interchangeability of the
existing material components, commonly named COTS
(Components-Off-The-Shelf), underline the complexity
of the various interacting technologies.
However, classic SIL allocation methods do not take
these complexity concerns into account, principally be-
cause these methods come from process industry sector,
where, a single system within a system is charged with
insuring overall system safety. For this reason, the
complexity issues in the two sectors are not the same. To
work around this problem, hypotheses are made during the
SIL allocation process. Thus, rather than imagining a
realistic complex scenario using the interdependence of the
safety functions, a hazard scenario integrating a safety
 ARTICLE IN PRESS
1694 J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700
function is reduced to a direct link between the hazardous
event, the safety function that will prevent it from
becoming an accident, and the worst possible consequence
of the event. The THR of one safety function is obtained
directly from the tolerable risk rate generated by the risk
principles described earlier in this article, which simplifies
the SIL allocation process by ignoring the system’s
structural complexity.
In addition, the current SIL allocation methods are not
totally objective. Clearly, the use of qualitative risk factors,
insufficient experience feedback, and/or simplified scenar-
ios introduces a certain subjectivity into the analysis of
specific safety functions, independent of the analysis of the
aggregated safety functions of the system.
In reality, a safety function failure can immediately
generate hazardous events for other safety functions. Thus,
an event triggering a particular scenario can result in
several consequence alternatives, which means that the
worst case is not the only possible final outcome. The event
tree represented in Fig. 7 depicts a safety function sequence
that may, or may not, lead to serious consequences. These
event chains connect strings of conditional events related to
the events preceding them and suggest a possible combina-
tion of the safety functions’ SIL.
3.4. SIL combination
Combining safety functions that have different SIL,
called for simplicity ‘‘SIL combination’’, is succinctly
examined in the generic safety standard [1]. From the
information given in part 2 of this standard and
summarized in Refs. [23,26], general rules for combining
several allocated SIL can be deduced to produce what can
be considered as the ‘‘global safety evaluation’’. The rules
for series functions (AND operator) or parallel functions
(OR operator) are presented in Eqs. (1)–(3), where the SIL
for function i is SILxi.
8xi ; xj ji; j 2 f1; ng; xi 2 f1; 4g:
ANDðSILxi Þ ) SIL minðxi Þ,
i
ORðSILxi ; SILxj jxi ¼ xj Þ ) minðxi þ 1; 4Þ,
i;j
Fig. 7. Safety function sequences showing various consequence alter-
natives.
ORðSILxi ; SILxj jxi axj Þ ) SIL maxðxi Þ. (3)
i;j
These rules are a starting point for safety assessment
using safety targets. They are, however, restrictive since
certain tolerable hazard rate (THR) combinations, and
thus certain SIL combinations, have been proved by
Beugin [30] to produce broader results than the rules
would suggest.
To summarize, all these restrictions in the SIL allocation
process make the use of the previously presented methods
and combination rules unsuitable for the complex systems
found in the field of guided transportation. Two inter-
dependent questions must be answered to allow the
evaluation of the overall safety of guided transportation
systems when the probabilistic aspects of SIL are taken
into account: ‘‘Which SIL must be allocated to each safety
function in order to comply with the risk criteria?’’ (a top-
down problem); and ‘‘How is it possible to verify that these
allocated SIL, when combined, will lead to tolerable risk?’’
(a bottom-up problem). In this article, the focus is on the
second problem, whose resolution involves the use of a
priori SIL values, which are combined to evaluate global
safety. The values are not at first optimal, but sensitivity
analyses can indicate the critical SIL that must be modified
in order to attain safety objectives.
According to our analysis, a procedure for evaluating the
overall safety of a system that integrates SIL requirements
and SIL combinations is needed. In response to this need,
we propose a new probabilistic systemic approach. Our
approach is based on the operating situation concept in
order to allow the dependencies between the safety
functions (i.e. the system’s overall structure) to be taken
into account and to allow the dynamics of the system’s
evolution to be identified (e.g., the failure and repair events
in the system and the variation of the physical variables
due to the system’s operation in a particular environment).
4. An appropriate approach for integrating SIL
requirements into the safety evaluations of complex guided
transportation systems
ð1Þ
4.1. An approach based on risk scenarios
(2)
Safety functions act on random hazardous events—
which can be internal (sub-system failures) or external
(environmental influence)—in order to reduce risk over the
transportation system’s mission time. The actions triggered
by the safety functions correspond to a set of scenarios that
may, or may not, lead to serious consequences. As already
mentioned in Section 2.5.1, the operational system and the
safety system in guided transportation systems cannot
really be separated since they are implemented on the same
equipment. For instance, the system that establishes the
movement authority for the different trains performs both
an operational function and a safety function. For this
reason, a single representation of the scenario set, with a
cause-consequence diagram, can be employed, where the
 ARTICLE IN PRESS
J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700
internal events—sub-system failures—are related to the
failures of the safety system. An example of such a
representation is given in Fig. 8.
This cause-consequence method involves visualizing the
possible alternative sequences composed of function fail-
ures and their causes, and allows the undesirable event
probabilities to be calculated from the basic event
probabilities. However, several system aspects are missing
from this calculation, notably the system’s structural and
behavioral complexity. First, the system recursiveness that
contributes to the structural complexity of guided trans-
portation system is not used profitably. Given the extent of
the operating domain and the set of moving transporters,
certain safety functions obviously recur throughout the
system. This recursive aspect could be taken into account
by dividing the operating domain into several parts,
considering the functions are not recurrent in one part,
allowing thus a more comprehensive and workable
diagram to be constructed. One diagram could be
constructed for each part, with the diagram input, which
is an external initiating event, being either an environ-
mental event outside the system (e.g., an obstacle on the
track), or the consequence of an internal sub-system failure
in one of the other parts (e.g., a train moving in the wrong
direction). Second, the behavioral complexity of the system
is ignored. In fact, the evolution of the system during its
operational phase is not taken into account at all: both the
discrete dynamics of the situation (i.e., the stochastic
evolution of events, such as failure and/or repair events,
over time) and the continuous dynamics (i.e., the physical
evolution of the moving train) are not taken into
consideration.
To deal with the problems outlined above, we propose a
model based on a risk-scenario approach and linked to a
Fig. 8. A risk-scenario approach based on cause-consequence diagrams, an example.
1695
new conception of the operating situation, as described in
Section 4.2.
4.2. The notion of ‘‘operating situation’’, the basis of a new
risk-scenario approach
The notion of ‘‘operating situation’’, which is derived from
Hasan and Bernard’s ‘‘working situation’’ [31] in the
machinery domain, allows the scenarios that occur during
the operations of the complex guided transportation system
to be formalized. An operating situation represents a static
model that is composed of a collection of elements related to
the transportation system, such as classes, class attributes, the
relationships between the classes, and the cardinality of the
relationships (see the class diagram in Fig. 9). A class is an
abstract model for several concrete objects that have common
properties and behavior. For example, both ‘‘train’’ and
‘‘beacon’’ are objects in the ‘‘sub-system’’ class. Such objects
are called ‘‘class instances’’.
A particular operating situation Oi is considered in a
time span during which the states of the system functions
are known and unchanged. In one Oi , the different classes
can be instantiated in several objects, since the different
elements are static. Please note that though the parameters
are static in an operating situation, the system evolves in its
environment. For instance, the speed parameter of a train
is fixed, but the train moves. Given this knowledge,
analyzing the scenarios appears more plausible. However,
at this phase, all recurrent functions in the entire
transportation system must still be taken into considera-
tion. The operating domain has not yet been divided into
several parts, whose functions are not recurrent. This
division, described in Section 4.1, leads to the creation of
sub-operating situations comprised of minimal scenarios.
 ARTICLE IN PRESS
1696 J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700
Fig. 10 illustrates the risk-scenario approach based on
the notion of operating situation. In this figure, i is the ith
sampling interval of the mission time, whose length must
be sufficiently small to cover all the possible state changes
in the mission. The evolution of the system during one Oi is
viewed as discrete events eij , where j represents the number
of events that arise during Oi , conditional to the states of
all the safety functions. Knowing both the operational
context and the states of the different functions for a
specific operating situation allows sequences of the possible
critical safety outcomes to be constructed. This piecewise
construction of scenarios allows dynamic state changes
both in the system’s functions from Oi to Oiþ1 and in the
operating context during one operating situation Oi . As
explained, several adjacent scenarios are possible in an
operating situation, depending on the evolution of the
system in a large domain requiring recurrent functions.
These adjacent scenarios yield a set of sub-operating
situations that overlaps the scenario set SðOi Þ; each sub-
operating situation has its own scenario S m and its own
initiating event m. A function that is not recurrent can
intervene in several scenarios. So the scenario overlap can
be written using Eq. (4), where the functions are denoted
Fk, F being the function set and k being a the kth function.
For S m ðF kðk2KÞ Þðm2MÞ  SðOiði2IÞ Þ,
[ \
8k 2 K; SðOi Þ ¼ sm ðF k Þ and S n ðF k Þa+.
m2M n2M
(4)
The following section explains how to apply the
topological elements described above within the safety
method proposed in this paper.
Fig. 9. The new operating situation model.
4.3. A scenario structure, combining the SIL, obtained from
operating situations
In an operating situation scenario, the failure of a safety
function is a stochastic event in a temporal sequence, which
appears at a specific point in time due to some causal failure
in the system architecture. Thus, in our method, scenarios
consist of temporal sequences in an operating context, rather
than of sequences of successive hypothetical outcomes, as is
the case in the cause-consequence method. Only final
outcomes are important for safety assessment. In particular,
it is important to obtain the occurrence frequency that will
allow final outcomes to be compared to the risk targets
generated from acceptable risk principles.
The topology of the scenarios in an operating situation
creates dependencies between the functions, in addition to
those necessarily existing in a complex system. The
structural function employed to encode these scenarios,
SF(Fk,t), comprises the dependencies and the different
possible combinations of the system functions. Rather than
a single function, the SF ðF k ; tÞ function appears to be a
vector whose every coordinate represents a logical combi-
nation of safety functions that perform one safety-related
action. For a time interval Dt of one Oi , the vector
SF ðF k ; DtÞ is evaluated according to the logical combina-
tions of the current functional states at the time t. The
operating situation parameters allow then the final risk of
the unsafe scenario given by SF ðF k ; DtÞ to be determined.
This generation of safe actions in a particular operational
context can be carried out as a numerical process using the
constructed discretization process. In our method, the
operating situation model that integrates the safety data
(safety functions and their a priori SIL values) is simulated
with MCS, as explained in the next section.
 ARTICLE IN PRESS
J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700
Fig. 10. A risk-scenario approach based on the notion of operating situation.
5. A Monte Carlo approach to the quantitative aspect of the
operating situation model
5.1. A preliminary Monte Carlo approach that considers
only the evolution of the system states
As explained in Section 3.2, the quantitative aspect of
SIL is related to frequency intervals or THR, which are
allocated to safety functions in order to obtain acceptable
risk levels. SILs can be viewed as uncertain parameters
because they do not concern a single frequency but rather a
range of frequencies or a distribution over possible
frequencies. For each specific scenario constructed from
the attributes of the operating situation, the probability of
a specific event in a scenario depends on the frequency
range assigned to the safety function.
MCS is a numerical process that is able to generate
probable sequences composed of dependent functions
whose failure frequencies are subject to uncertainty. In
other words, MCS can be used to perform uncertainty
analysis. It is employed in dynamic dependability analysis
in complex system to generate stochastic and time-
dependant events in a system by randomly sampling the
system elements’ various probability distributions. Several
possible evolutions in the life of the system (i.e., the
dynamic transitions of the system in a failure or repair
state) can be obtained with a MCS. A single evolution
corresponds to one history. Several histories allow mean
data to be generated over a system mission duration, using
the statistical analysis of these histories.
We have designed an adapted MCS based on the system
structure approach used by Dubi [32]. In this MCS, each
parameter subject to uncertainty is taken into account
when deriving the uncertainty of the final system failure
probability, here the probability of a final undesirable
event resulting from a scenario. In this first Monte Carlo
1697
process, we suppose that the system states evolve, while the
operating context remains the same. This supposition
allows the same structure to be maintained in all the
possible scenarios, since this structure depends only on the
system states. A sample structure is presented in Fig. 11;
the attributes of an operating situation, at a given time and
with no recurrent functions, are given in Table 5. (The
attributes that depend on context have been left out, since
the environment is not considered here.)
Time-dependant reliability functions are used in the
obtained functional structure SF ðF k ; tÞ, and a second
sampling of the SIL interval, sometimes called double
randomization [33] or second-order Monte Carlo [34], is
also performed. At this point, given that SIL have very low
failure frequencies, a problem arises: the sampled events
are so rare that they do not provide enough information
for statistical analysis. This problem is solvable by biasing
the failure frequency in order to increase the quality and
the performance of the results. The developed algorithm
then propagates probability intervals from the different
frequency parameters over a mission time to provide an
interval of time-dependant probabilities for the final event.
These can then be compared to tolerable risk criteria in
order to validate, or invalidate, the global safety require-
ments of the system.
5.2. A global simulation process expanding the preliminary
Monte Carlo approach
The Monte Carlo process presented above focuses
mainly on the probabilistic occurrence of scenarios that
are detrimental to safety. We call such scenarios ‘‘accident
situations’’ and represent them with the set fAdðiÞ g  fOi g.
In addition to providing accident occurrence statistics, the
operating situation model can provide information about
the magnitude variability of the accident consequences.
 ARTICLE IN PRESS
1698 J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700

Fig. 11. Example of the structure for the possible scenarios.

Table 5 In fact, the model was built with this idea in mind.
An example of operating situation parameters with no recurrent functions Magnitude variability information, which depends on the
environment in which the system evolves (e.g., the degree
Classes Instances Attributes
of human interaction, the location of the infrastructure, the
Risk R1 Undesirable event name ¼ accident time of the daily rush hour) is not provided by MCS.
Nature of the risk ¼ collective However, such information can be determined using
Severity ¼ catastrophic
discrete event simulation. A discrete event simulation
Hazardous H1 Name ¼ failure of F41 model re-creates the context in which the system evolves,
events Type ¼ external based on the system’s continuous environment-dependent
H2 Name ¼ initiating event 2
variables. In guided transportation systems, these variables
Type ¼ external
include speed and numbers of passengers, for example.
Safety SF1 Name ¼ F1 The stochastic failure events determined through MCS
functions Integrity level ¼ SIL 1
can then be injected into the model in the form of discrete
State ¼ in operation
SF2 Name ¼ F2 events. Under these circumstances, uncertainty analysis is
Integrity level ¼ SIL difficult to incorporate, and so, at this level, we prefer to
State ¼ in operation use a single value from an uncertainty interval (e.g.,
SF3 Name ¼ F3 the mean value) rather a distributed interval. During the
Integrity level ¼ SIL 1
run, the discrete event simulation model discretizes the
State ¼ in operation
SF4 Name ¼ F4 continuous variables and must react to the injected
Integrity level ¼ SIL 4 stochastic failure events. Each MCS history must be
State ¼ failed processed separately. From each history (i.e., one sequence
Scenario S1 Structure ¼ Initiating event 1 and F1 succeeds of dynamic safety-related events) a succession of operating
and F2 succeeds situations can thus be generated. During a complete
Order ¼ 3 scenario, the system can remain in a safe state or fall
S2 Structure ¼ Initiating event 1 and F1 fails into an unsafe state. The latter could cause an accident,
Order ¼ 2
whose possible consequences can be analyzed in
S3 Structure ¼ initiating event 1 and F1 succeeds
and F2 fails and F3 succeeds and F4 succeeds terms of the context at that point in time, and can
Order ¼ 5 be situated on a scale of consequences or severity. Beugin
S4 Structure ¼ initiating event 1 and F1 succeeds [35] attempted this global simulation process using an
and F2 fails and F3 succeeds and F4 fails example.
Order ¼ 5
S5 Structure ¼ initiating event 1 and F1 succeeds
and F2 fails and F3 fails
Order ¼ 4 6. Conclusion
S6 Structure ¼ initiating event 2 and F3 succeeds
and F4 fails
Order ¼ 3 In order to validate the safety of a system that may be a
S7 Structure ¼ initiating event 2 and F3 succeeds source of risk, a demonstration assessing the existing risks
and F4 succeeds is needed. This demonstration must, on the one hand,
Order ¼ 3 estimate the occurrence probability of potential accidents,
S8 Structure ¼ initiating event 2 and F3 fails
and on the other hand, evaluate the damage such accidents
Order ¼ 2
could provoke (i.e., the severity of the accident). Risks can
 ARTICLE IN PRESS
J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700
thus be prevented or managed to minimize the critical
consequences. Given the complexity of systems like guided
transportation systems and the variable environment in
which these systems evolve, such a demonstration is hard
to achieve. This study concentrates on global safety
assessment, which is the principal concern of guided
transportation system designers. Safety is indeed an
important element in the recent European standards,
which seek to create a truly European rail network by
harmonizing the different partner systems. These standards
impose specific safety requirements expressed in terms of
the SILs (Safety Integrity Levels) found in the generic IEC
61508 safety standard.
This article described the SIL concept in the context of
risk analysis in the field of guided transportation and
highlighted the conflicting information available on SIL
use, especially as concerns the quantitative aspect of this
safety indicator. It explained why the existing methods,
which allocate SILs qualitatively and/or quantitatively to
subsystems, functions or equipment, remain restrictive with
regard to the global safety assessment of guided transpor-
tation systems.
The focus was on the probabilistic aspects of the SIL
concept and on the inadequacies of the existing allocation
methods for complex systems. Given these inadequacies, a
relevant approach to risk evaluation in complex guided
transportation systems was proposed using the probabil-
istic SIL requirement. Our approach employs a scenario
representation based on an analysis of the operating
situations. The proposed operating situation concept was
developed to deal with the structural and behavioral
complexity of guided transportation systems. System
dynamics are represented by a succession of operating
situations that integrate safety function failures, thus
establishing a suitable foundation for a numerical im-
plementation.
An adapted Monte Carlo simulation was then designed,
allowing stochastic failures of the safety functions to be
generated. This MCS is able to take the uncertainty
induced by SIL into account to produce accident occur-
rence statistics. To avoid overestimating the risk, as can
happen with a scenario approach that considers the only
worst possible consequences, we proposed to examine the
severity of the accident consequences by associating
discrete event simulation with the Monte Carlo simulation
approach.
Future research will concentrate on developing a large-
scale application into which the human factor could be
integrated, since human actions have an important impact
on safety.
Acknowledgments
The authors would like to thank Lisa Ellen Spencer
Services for the correction of the English version of this
paper.
1699
This research was conducted as part of the MODular
Urban Guided Rail System project (MODUrban) sup-
ported by the European Commission. MODUrban is an
integrated research project that is part of the European 6th
Framework Programme.
References
[1] IEC 61508. Functional safety of electrical/electronic/programmable
electronic safety-related systems (IEC 61508-1 to 7). Geneva: IEC
(International Electrotechnical Commission); 2000.
[2] CENELEC NF EN 50126. Railway Applications: the specification
and demonstration of reliability, availability, maintainability and
safety (RAMS). CENELEC European standard (European Commit-
tee for Electrotechnical Standardization). Fontenay-aux-Roses: UTE
(Union Technique de l’Electricité et de la communication); 2000.
[3] CENELEC prEN 50128. Railway Applications: Software for railway
control and protection systems. CENELEC European standard
(European Committee for Electrotechnical Standardization). Fonte-
nay-aux-Roses: UTE (Union Technique de l’Electricité et de la
communication); 1998.
[4] CENELEC prEN 50129. Railway Applications: Safety related
electronic systems for signalling. CENELEC European standard
(European Committee for Electrotechnical Standardization). Fonte-
nay-aux-Roses: UTE (Union Technique de l’Electricité et de la
communication); 1999.
[5] Kumamoto H, Henley EJ. Probabilistic risk assessment and manage-
ment for engineers and scientists. New York: IEEE Press; 1996.
[6] Braband J. Allocation of safety integrity requirements for railway
signalling applications. In: Proceedings of ESREL ‘99—European
safety and reliability conference, Munich-Garching, Germany, vol. 2,
1999. p. 1237–42.
[7] UGTMS D6, Cassir C, Schütte J, Cauffriez L, Beugin J, Renaux D,
Millot P, et al. A Safety conceptual approach and guidelines.
Deliverable D6 of Urban Guided Transport Management system
project, fifth framework programme; 2003.
[8] Melchers RE. On the ALARP approach to risk management. Reliab
Eng Syst Safety 2001;71(2):201–8.
[9] Summers AE. Techniques for assigning a target safety integrity level.
ISA Trans 1998;37(2):95–104.
[10] Stavrianidis P, Bhimavarapu K. Performance-based standards: safety
instrumented functions and safety integrity levels. J Hazardous Mater
2000;71(1–3):449–65.
[11] Rouvroye JL. Enhanced Markov Analysis as a method to assess
safety in the process industry. Doctoral thesis, Beta Research School
for Operations Management and Logistics, Technische Universiteit
Eindhoven; 2001.
[12] Smith DJ, Simpson KGL. Functional safety: a straightforward guide
to IEC 61508 and related standards. Boston: Elsevier; 2004.
[13] Goble WM. Control systems safety evaluation and reliability. 2nd ed.
Research Triangle Park (NC): ISA (The Instrumentation, Systems,
and Automation Society); 1998.
[14] Charpentier P. Architecture d’automatisme en sécurité des machines:
études des conditions de conception liées aux défaillances de mode
commun. Doctoral thesis, INRS (Institut National de Recherche et
de Sécurité), Institut National Polytechnique de Lorraine; 2002.
[15] IEC 61511. Functional safety—Safety instrumented systems for the
process industry sector. Geneva: IEC (International Electrotechnical
Commission); 2003.
[16] IEC 62061/Ed.1. Safety of machinery—Functional safety of elec-
trical, electronic and programmable control systems for machinery
(Project). Geneva: IEC (International Electrotechnical Commission);
2005.
[17] Schäbe H, Wigger P. Experience with SIL allocation in Railway
Applications. In: Proceedings of the fourth international symposium
 ARTICLE IN PRESS
1700 J. Beugin et al. / Reliability Engineering and System Safety 92 (2007) 1686–1700
programmable electronic systems in safety related applications, Köln,
Germany, 2000.
[18] Schäbe H. Different approaches for determination of tolerable
hazard rates. In: Proceedings of ESREL 2001—European safety
and reliability conference, Torino, Italy, 2001. p. 435–442.
[19] Dowell AM. Layer of protection analysis for determining safety
integrity level. ISA Trans 1998;37(3):155–65.
[20] Summers AE. Introduction to layers of protection analysis.
J Hazardous Mater 2003;104(1–3):163–8.
[21] Lamy P. Probabilité de défaillance dangereuse d’un système: explications
et exemple de calcul. INRS (Institut National de Recherche et de
Sécurité), Note scientifique et Technique no. 225; 2002.
[22] Zhang T, Long W, Sato Y. Availability of systems with self-
diagnostic components—applying Markov model to IEC 61508-6.
Reliab Eng Syst Safety 2003;80(2):133–41.
[23] Kosmowski KT, Sliwinski M. Methodology for functional safety
assessment. In: Proceedings of ESREL 2005—European safety and
reliability conference, Gdansk, Poland, 2005. p. 1173–1180.
[24] Rausand M, Høyland A. System reliability theory: models, statistical
methods and applications. 2nd ed. Hoboken, USA: Wiley; 2004.
[25] Bukowski JV, Rouvroye JL, Goble WM. What is PFDavg?
Sellersville, USA: Exida library; 2002.
[26] Schäbe H. Apportionment of safety integrity levels in complex
electronically controlled systems. In: Proceedings of ESREL 2003—
European safety and reliability conference, Maastricht, The Nether-
lands, 2003. p. 1395–1400.
[27] Renpenning F, Braband J. Risk assessment of a novel railway
signalling concept. In: Proceedings of Lambda-Mu—ESREL 2002—
European safety and reliability conference, Lyon, France, 2002.
p. 251–257.
[28] Blaise JC, Lhoste P, Ciccotelli J. Formalisation of normative
knowledge for safe design. Safety Sci 2003;41(2–3):241–61.
[29] Cauffriez L, Benard V, Renaux D. A new formalism for designing
and specifying RAMS parameters for safe complex distributed
control systems: the Safe-SADT formalism. IEEE Trans Reliab,
2006.
[30] Beugin J, Renaux D, Cauffriez L. A SIL quantification approach to
complex systems for guided transportation. In: Proceedings of
ESREL 2005—European safety and reliability conference, Gdansk,
Poland, vol. 1, 2005. p. 197–204.
[31] Hasan R, Bernard A, Ciccotelli J, Martin P. Integrating safety into
the design process: elements and concepts relative to the working
situation. Safety Science 2003;41(2–3):155–79.
[32] Dubi A. Monte Carlo applications in systems engineering. New
York: Wiley; 2000.
[33] Labeau PE. Monte Carlo simulation for dynamic reliability problems
with distributed safety border. In: Proceedings of ESREL 2001,
Torino, Italy, 2001. p. 1395–1402.
[34] Ferson S, Ginzburg LR. Different methods are needed to propagate
ignorance and variability. Reliab Eng Syst Safety 1996;54(2–3):
133–44.
[35] Beugin J, Renaux D, Cauffriez L. A safety assessment method for
guided transportation systems: a dynamic approach using Monte
Carlo and discrete event simulation. In: Proceedings of 17th IMACS
world congress-scientific computation, applied mathematics and
simulation, Paris, France; 2005.