
RF 0015 - CERTIFER REFERENCE DOCUMENT - Page 1 / 14
REFERENCE DOCUMENT FOR CERTIFICATION OF THE SAFETY INTEGRITY LEVEL OF PRODUCTS AND SYSTEMS LIKELY TO BE USED IN GUIDED TRANSPORT SYSTEMS, ACCORDING TO EN50126, EN50128 AND EN50129 STANDARDS
Index: 2 - Date updated: 09/12/14

RF 0015

REFERENCE DOCUMENT FOR THE CERTIFICATION OF THE SAFETY INTEGRITY LEVEL OF PRODUCTS OR SYSTEMS LIKELY TO BE USED IN GUIDED TRANSPORT SYSTEMS

ACCORDING TO EN50126, EN50128 AND EN50129 STANDARDS

This document is the property of CERTIFER. It may not be used, reproduced or disclosed without prior agreement.
Agence de Certification Ferroviaire - SIREN 411 047 285 - Code APE 9499Z
CERTIFER 1, Place de Boussu, BP70141, F-59416 ANZIN Cedex, France. Tel: +33 3 27 28 35 00 - Fax: +33 3 27 28 35 09
RF 0015
CERTIFER REFERENCE DOCUMENT Page 2 / 14
INDEX REFERENCE DOCUMENT FOR CERTIFICATION OF THE SAFETY INTEGRITY LEVEL
DATE
UPDATED: OF PRODUCTS AND SYSTEMS LIKELY TO BE USED IN GUIDED TRANSPORTS
SYSTEMS, ACCORDING TO EN50126, EN50128 AND EN50129 STANDARDS 09/12/14
2

MEMBERS OF THE WORKING GROUP ESTABLISHING THE REFERENCE DOCUMENT:
• Philippe BERNAGE, CERTIFER
• Sergio FURLAN, CERTIFER
• Patrick OZELLO, CERTIFER

MEMBERS OF THE COMMITTEE APPROVING THE REFERENCE DOCUMENT:

College A: users of certified products:
• Jean-Marc CEREZ, SNCF
• Sylvie REROLLE, SNCF

College B: suppliers of certified products:
• Paul BENOIT, SIEMENS
• Robert CAPEL, ALSTOM

College C: independents:
• François BARANOWSKI, IFSTTAR

APPROVAL OF THE REFERENCE DOCUMENT

Following a favourable opinion returned by the Approval Committee (in compliance with CERTIFER procedure 7407), this reference document was signed by:

The Chairman and Managing Director of CERTIFER, Jacques COUVERT


TABLE OF CONTENTS

1. Object and area of application ........ 4
2. Reference documents ........ 4
3. Definitions and abbreviations ........ 5
4. Procedures and requirements ........ 6
4.1. Detailed definition of the product or system to be certified ........ 6
4.2. Creation of the assessment plan ........ 6
4.3. Agreement of the requesting party on the proposed certification ........ 7
4.4. Tasking of parties involved ........ 7
4.5. Performance of the assessment ........ 8
4.6. Assessment reports ........ 12
4.7. Certification decision ........ 14
4.8. Certificates ........ 14
4.9. Appeals ........ 14
4.10. Use of the certification body's mark ........ 14
4.11. Operations after certification ........ 14

Appendix 1: RFU-2-000-16: “Cross acceptance of Safety Case Assessments” of 01/04/2006.
Appendix 2: “Validity of test results” (CERTIFER origin) of 28/10/2014.
Appendix 3: Depth of documentary reviews.


1. OBJECT AND AREA OF APPLICATION


This reference document establishes the requirements and the procedure for the certification of the safety integrity level of products (1) likely to be used in guided transport systems.
The certification described in this reference document is a type-certification by design examination, as specified in COFRAC document CPS-Ref-09. Consequently, it does not fall under the scope of application of the French Consumer Code.

In this document, the text “EN 45011 / ISO 17065” refers to the requirements of the EN 45011 standard, which must be replaced by those of the ISO/CEI 17065 standard by 15 September 2015 at the latest.

2. REFERENCE DOCUMENTS
For undated references, the last published version applies.
• NF EN 45011 Standard (1998) “General requirements for bodies operating product certification systems”, supplemented by application guide EA-6/01
• ISO/CEI 17065: 2012 Standard “Conformity assessment – Requirements for bodies certifying products, processes and services”
• COFRAC document n°CPS-Ref-09 (ver 00 2010) – “Type certification by design examination”
• EN 50126 (1999) standard: Railway applications – The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
• EN 50128 (2001, 2011) standard: Railway applications – Communications, signalling and processing systems – Software for railway control and protection systems
• EN 50129 (2003) standard: Railway applications – Communication, signalling and processing systems – Safety related electronic systems for signalling

(1) In this reference document, the term “product” refers to both hardware and software products.


These may be supplemented, when required, by other standards (the last published version applies):
• EN 50121: Railway applications - Electromagnetic compatibility (various parts)
• EN 50125: Railway applications - Environmental conditions for equipment
• EN 50155: Railway applications - Electronic equipment used on rolling stock
• EN 50159: Railway applications - Communication, signalling and processing systems - Safety-related communication in transmission systems
• EN 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems (various parts)

3. DEFINITIONS AND ABBREVIATIONS


The definitions given in the reference documents listed above are applicable. The following terms and abbreviations are also used:

COFRAC: COmité FRançais d’ACcréditation

SIL: the safety integrity level of products and software is designated by the acronym SIL (except for software under the EN50128:2001 standard, where the “Software safety integrity level” is designated by the acronym SSIL).

ISA: Independent Safety Assessor.

Manufacturer: the entity responsible for demonstrating to the ISA that the product or system being assessed meets the required safety integrity level. The manufacturer is responsible for organising the audits required by the ISA and for providing the ISA with all necessary documents relating to the design, manufacturing, installation, verification, testing, safety studies and use of the product or system.

THR: Tolerable Hazard Rate: the maximum permissible hazard rate.


4. PROCEDURES AND REQUIREMENTS


The following paragraphs describe the chronological stages and associated requirements.
All operations associated with the certification service, including those not mentioned in this
reference document, but appearing in the procedures of the ISA’s quality system, must be
executed in compliance with all requirements of the NF EN 45011 / ISO 17065 standard, the IAF
and EA guides and COFRAC documents applicable to the type certification.
In particular, the certification body must possess and maintain a complete system of procedures,
instructions and forms conforming to EN 45011 / ISO 17065.

4.1. Detailed definition of the product or system to be certified


The certification body must accurately define, in conjunction with the requesting party, the limits of the product or system to be certified, specifying:
- the physical architecture, the components and the internal and external functional and technical interfaces,
- the functions of the product or system,
- the list of software and hardware, as well as the safety integrity level (SIL and SSIL) and the safety targets (THR, undesired events) for each one.

The certification of the product or system may also include processes to be assessed (e.g. parameterisation or downloading processes). These must be stipulated.

4.2. Creation of the assessment plan


The certification body will establish an assessment plan detailing at least the following aspects:
• The list of successive versions and modifications made
• The names of the writers (and verifiers, if any)
• The identity of the requesting party
• The context of the mission (a short description of the project which will use the product or system, the assessment stages when there is more than one, the history of assessments when previous versions have already been subject to an assessment)
• The identity and limits of the product to be assessed (see §4.1 of this document), as well as the processes to be assessed, if any
• Identification of the standards which will be used in the assessment (EN 50126, EN 50128, EN 50129, see §4.5 below…). When assessing existing products which have been modified, the applicable requirements of the standards must be specified (in particular, see §1.9 of EN50128:2011)


• The stages included in the assessment (risk analysis, specifications, allocation of requirements, design, manufacturing, installation, unit testing, integration testing, laboratory tests, on-site tests, safety file, operation and maintenance)
• Whether the assessment concerns a generic product, a generic application or a specific application (such as those defined in the EN 50129 standard)
• The identification of the persons involved, if known
• The assessment method (number of audits, documentary reviews, visits and, if possible, the depth of documentary reviews). Also state whether the assessment is a gap assessment when a previous version of the product or system has already been subject to an assessment
• The cross-acceptance activities (list of assessment reports to be sent to the ISA)
• The list of assessment tasks
• The deliverables (audit reports, assessment reports, certificate)

And, if required:
• A list of attachments and appendixes
• The special provisions (language, sampling, confidentiality, staff safety, distribution of tasks to partners, sub-contractors or contractors, …)
• Assumptions
• A schedule

The assessment plan may be updated as many times as necessary during performance of the service.

4.3. Agreement of the requesting party on the proposed certification


The requesting party must approve the assessment plan and undertake to comply with the obligations of the requesting party and certificate holder stipulated in the NF EN 45011 / ISO 17065 standard.

4.4. Tasking of parties involved


The parties (individuals and/or organisations) responsible for assessing the conformity of the
products will be selected based on their competence and their independence. They undertake
to maintain all information gathered during their mission confidential.


4.5. Performance of the assessment


The parties tasked by the certification body perform the conformity examination with regard to the standards specified in the assessment plan. They then act in the capacity of the “assessment assessor” with regard to the following standards.
The standards used are:
• EN 50128 for software
• EN 50129 for signalling, telecommunications and processing products and systems (safety-related electronic systems for signalling)
• EN 50126 for systems and assemblies
• EN 50121 for EMC requirements
• EN50125 and EN50155 for requirements relating to physical environmental conditions
• EN50159 for requirements relating to safety communications

It is strongly recommended to commence and conduct the assessment in parallel with the
development cycle of the product or system.
The Independent safety assessment must include:
- An assessment of the quality and safety management system of the entity
(manufacturer) in charge of the design, manufacturing, installation, verification,
testing, safety study and use of the product or system.
- An assessment of the quality and safety management system applied during the
project.
- An examination of the design of the product or system.
When an assessment only covers modifications to the product or system and, in order to make the
modifications, the manufacturer resubmits the organisation and processes audited and accepted
by the ISA during the previous stage, the ISA may decide that a new audit of the quality and safety
management system is not required.


a) The quality and safety management system


The ISA must ensure that the requirements of §5.3.4 and §5.3.5 of the EN50126 standard are complied with.
The ISA must ensure that the EN50126, EN50128 and EN50129 standards are implemented within the framework of the policies applied by the company, based on a Quality Management System which conforms to the provisions of the ISO9001:2008 standard.
When the manufacturer operates a quality management system certified by an accredited certification body for the design and manufacturing of the product or system in question, the ISA shall take this into account in the assessment.
The team of auditors must have experience in quality and safety management systems and have at least one member experienced as an assessor in the product or system and the technology concerned, as well as knowledge of the EN50126, EN50128 and EN50129 standards.
The audit will include an assessment visit to the manufacturer’s premises. The team of auditors will examine documentation describing the processes, methods and tools, as well as all technical documents produced during the development of the product or system under assessment, in order to verify the ability of the manufacturer to implement these processes, methods and tools and to ensure conformity with the requirements of the EN50126, EN50128 and EN50129 standards.
The auditing team formalises their conclusions in an audit report.

b) Surveillance of the quality and safety management system


The purpose of surveillance is to make sure that the manufacturer duly fulfils the obligations
arising out of the approved quality management system.
The assessment will affect all phases, including design, manufacturing, installation, verification,
testing and safety studies.
The ISA will periodically perform audits to ensure that the manufacturer maintains and applies the
quality and safety management system. These audits will take place every two years at least.
The auditing team will formalise their conclusions in an audit report.


c) Examination of the design


The manufacturer must provide the ISA with all documentation regarding the product or system to enable them to understand the design, manufacturing, installation, verifications and testing, as well as the safety studies and user manuals, in order to evaluate their compliance with the requirements of the EN50126, EN50128 and EN50129 standards.
The ISA must assess the documentation for all software, hardware, assemblies and parameterisation processes. The ISA’s assessment will also cover the software development cycle, the hardware development cycle and the software and hardware integration. During the documentary assessment, the ISA will make sure that, in compliance with the requirements of the EN50126, EN50128 and EN50129 standards:
- the safety requirements are traceable over the entire life cycle,
- the techniques and methods specified in the quality and safety management system are implemented,
- the safety verification and validation processes have been implemented,
- the functional and technical safety requirements (correct operation under failure-free conditions, the impacts of failures and external influences) are verified.
The ISA may perform sample verifications of the documentation, but may also perform a more in-depth assessment depending on the criticality of the information contained in the documentation. The depth of the assessment must always be at least equivalent to the “process audit + design examination” stipulated in Appendix 3.
The documentary assessment must be conducted by assessors who are competent in the techniques and methods implemented by the manufacturer.
The ISA must conduct visits during tests in order to gauge the relevance of the tools and methods used and to ensure compliance with the quality and safety management system during testing. The ISA may require additional tests to be performed.
When a part of the product or system has already been assessed by an independent organisation, the ISA may take this into account to avoid repeating the assessment. The ISA will then examine:
• the recognition of the organisation performing the assessment
• the assessment method applied
• the assessment report provided
The assessment criteria used will be those defined in document RFU-2-000-16 drafted by NBRAIL (see Appendix 1).
The ISA may, if required, request additional information necessary to the proper understanding of the results of the assessment report (safety case, description of the conditions of use of the product…).


In terms of input data, the ISA will accept test reports (EMC, environment…) produced by laboratories, after making sure that all necessary tests have been performed based on the intended use of the product or system. The ISA will make sure that the tests are properly admissible (see Appendix 2).
The ISA will assess the safety case of the product or system, making sure that all risks identified in the Hazard Log are covered and that safety constraints relating to usage (integration, operation or maintenance) are clearly defined.


4.6. Assessment reports


The assessment report(s) will cover at least the following aspects:
• A review of the context of the service
• The identity of the product undergoing conformity assessment
• The identification of the standards used
• The identification of the assessment plan
• The identification of the industrial designer or manufacturer of the product, when it is not the client
• The names and roles of the persons involved (including sub-contractors) in the conformity assessment
• The names of the writers, checkers and approvers of the report
• The scope of the assessment described in the report
  The report must clearly detail the phases and/or parts of the product and/or the sites subject to the conformity assessment referred to in the report (an extract of the assessment plan is permissible).
  It must be stated whether the assessment concerns a generic product, a generic application or a specific application (such as those defined in the EN 50129 standard).
  It must also be stated whether processes were subject to assessment (e.g. parameterisation processes).
• The constraints and assumptions used in the conformity assessment, if any
  When the results of the conformity assessment are only valid when certain requirements are assumed to be complied with (functional, environmental, operational…), these requirements, postulates and expectations must be clearly defined. Assumptions made about non-assessed parties must also be mentioned.
• Description of the conformity assessment work completed, and problems encountered, as well as provisions made to resolve them
  All discrepancies between the assessment plan and the actual work done must be indicated and justified.
  The visits and audits conducted during the project must be listed.
• Conformity assessment methods
  The depth of assessments must be indicated, e.g. listing the documents assessed using a sampling process.
• Identification of assessed documents
• Results
  The assessment report must contain the following elements:
  - Justifications regarding cross-acceptance activities


  - When the assessment uses results obtained from other assessment missions, the assessment report will include a summary of the assessment results for each of these reports
  - The conclusions of audits of safety and quality management systems, as well as any discrepancies found during the audits and their statuses (corrective actions in progress, closed reservations…)
  - The list of hardware and software components assessed, their versions, and the SIL (or SSIL) achieved (specification of the “THR” is also recommended), as well as the conclusions of the assessment for each of the components
  - The conclusions of the assessment of the product or system, its version, the SIL achieved (specification of the “THR” is also recommended)
  - The list of exported safety constraints, or a reference to the safety case when listed therein
  Note: The assessment report must mention all discrepancies detected and other open points, or refer to observation and question sheets and non-conformity sheets, if any.

• Conclusions
  - On the progress of the service (tasks performed, in progress, pending).
  - On the conformity (or lack of conformity) of the product or system. When non-conformities remain, the report must specify the extent of additional assessments required.

Special case for software

The EN50128 standard does not require that a software safety case be produced. Consequently, the ISA will not always have a safety case for the assessment of the exported use and safety constraints. Furthermore, the behaviour of a piece of software will largely depend on the hardware on which it is executed.

The ISA must therefore make sure that:
- all phases of the life cycle of the software are covered by the assessment, including software/hardware integration and validation,
- the safety constraints exported to the user of the software are defined by the manufacturer.

The ISA must include the following in their report or refer to a document containing them:
- the list of exported safety constraints
- the hardware which can be used to execute the software


4.7. Certification decision


The decision to award certification or not is taken by a committee comprising (in application of the certification body’s procedures) members who have not participated in the conformity assessment. The committee will base its decision on:
- the contents of the assessment report
- the presentation made by the lead assessor
- the answers provided by the lead assessor to the committee’s questions.

4.8. Certificates
The text of the certificate stipulates that it in no way presumes the mass production of the “type” certified, and that it only applies to the design of the product (referred to) and the resulting descriptive dossier.
The term of validity of the certificate and the certificate surveillance procedure are specified in the procedures used by the certification body.

4.9. Appeals
The certification body will make its appeals procedures available to the requesting party.
In particular, the notification of rejection of a certificate must describe the appeal procedures against this decision.

4.10. Use of the certification body’s mark
Type certification does not allow for the marking of products, packaging, notices or guarantee certificates, or the inclusion of CERTIFER’s logo on any medium.
However, the holder may refer to the certificate in conformity and suitability for use declarations, as well as in letters, technical files, commercial tenders etc. They must then communicate:
- either the entirety of the information appearing on the certificate (including the list of its appendixes),
- or the entirety of the information appearing on the certificate and its appendixes,
so as to avoid any confusion about the scope of certification.
In order to refer to certification on advertising literature specific to the product (brochures, leaflets, advertising materials, audiovisual media, websites etc.), the holder must have been previously authorised to use a logo created by the certification body. The latter will send the logo and its conditions of use to the applicant.

4.11. Operations after certification
The certification body will apply the procedures for surveillance, maintenance and renewal established in compliance with EN 45011 / ISO 17065.

RECOMMENDATION FOR USE RFU 2-000-16
CO-ORDINATION BETWEEN NOTIFIED BODIES - DIRECTIVES 96/48/EC AND 2001/16/EC ON THE INTEROPERABILITY OF THE TRANS-EUROPEAN HIGH-SPEED AND CONVENTIONAL RAILWAY SYSTEMS
Issue: 02 - Date: 01-04-2006 - Page 1 of 3

TITLE: CROSS ACCEPTANCE OF SAFETY CASE ASSESSMENTS
ORIGINATORS: CERTIFER / KEMA RAIL TRANSPORT CERTIFICATION
SUBJECT RELATED TO: CCS SUBSYSTEM CERTIFICATION, NOTIFIED BODY

DESCRIPTION AND BACKGROUND EXPLANATION
Scope
The scope of this proposal is limited to the conformity assessment procedure in the
framework of Directive 96/48 and of the TSI Control, Command and Signalling. It is
not applicable to other TSIs or Directives.

Abbreviation
IC : Interoperability Constituent
ISA : Independent Safety Assessor
NoBo : Notified Body
TSI EC96/48: Technical Specification for Interoperability of Control, Command and
Signalling of September 2002 (Directive 96/48).

Introduction
An ISA can be involved in IC or subsystem conformity assessment.
According to the TSI:
- TSI § 6.1.1 conformity and suitability for use assessment procedure and
- TSI § 6.2.1 control command subsystem:
“The independent assessment in the safety acceptance and approval process as
described in Annex A, index 1 may be accepted by the notified body, without it being
repeated”.
Hence safety, which is an essential requirement, may be assessed by an ISA which is
not necessarily a Notified Body.
Note that the scope of an ISA assessment can be an IC, a subsystem, or a part of an IC
or a subsystem such as an electronic board, software, or a sensor.
Therefore, it is important that an ISA involved in a Directive 96/48 conformity
assessment procedure meets minimum criteria, to give confidence to the NoBo
accepting the ISA results and to those accepting the ISA results in a cross acceptance
situation.
RFU PROPOSAL
Criteria for ISA Acceptance
The minimum criteria of independence, competence and quality for the acceptance of
the ISA results consist of the following three elements, which are further explained below
and which shall be verified by the NoBo:

a. Acceptance of the ISA competency
b. Acceptance of the ISA entity
c. Acceptance of the safety assessment results

(a) Acceptance of the ISA competency


The NoBo shall verify that the ISA meets the following criterion:
1) The scope of competence of the ISA is appropriate. The competence of the
ISA is relative to the product or subsystem assessed, and also to the
standards and methods used in the assessment.

(b) Acceptance of the ISA entity


The NoBo shall verify that the ISA meets one of the following criteria:
1) The ISA is a Notified Body;
or
2) The ISA has a legal notification by a member state to perform safety
assessments;
or
3) The ISA has already performed an earlier safety assessment of the same
product that has been authorised by a member state to be put in service;
or
4) The ISA performs safety assessment of a modified product, and ISA has
already performed earlier the safety assessment of the original product that has
been authorised by a member state to be put in service;
or
5) The ISA is accredited to EN45011 (certification bodies);
or
6) In all other cases, there cannot be cross acceptance of the proof that
the ISA meets the requirements of independence, competence and quality. The
NoBo will have to verify this itself. Therefore the ISA shall submit for
acceptance to the NoBo:
- the curriculum vitae of each assessor;
- a written statement from each assessor indicating his impartiality and the
absence of any conflict of interests;
- the safety assessment plan written by the ISA team to assess the product.
This safety plan shall indicate the level of quality and the methods used to
achieve this level, shall enable the scope of the assessment to be
understood and shall precisely describe the working methods that are
applied in the assessment.


These requirements do not exclude an ISA that is also an inspection body accredited to
EN 45004 or a testing laboratory accredited to ISO 17025; the above requirements must
nevertheless be fulfilled.

(c) Acceptance of the safety assessment results


Given the difficulty of establishing an exhaustive list of criteria, the following is a
guide.
Before accepting the conclusion of the ISA assessment, the case for cross acceptance
shall demonstrate the following points which shall be verified by the NoBo:
1) the product (or subsystem) subject to the assessment is well defined
(description, documents, software configuration, …);
and
2) the standards or other normative documents used to establish the results
of safety assessment are well defined and appropriate;
and
3) the methodology (review of documents, audit, testing, modelling,
simulations, combinations of methods, …) used by safety assessors is well
defined and appropriate;
and
4) the environment of the product (physical, EMC, technical, functional, …) is
well defined;
and
5) the limits of validity of the safety assessment result are well defined;
and
6) the standards, methods, conditions, limitations and restrictions are also
applicable for the particular situation for which cross acceptance is desired.
DATE OF AGREEMENT AT NB RAIL PLENARY MEETING
16th February 2006 (PM 16)

Acceptance criteria for test results

This memorandum summarises the CERTIFER requirements for guaranteeing that test results are obtained
under conditions that guarantee their validity.
These requirements are derived from legislation, European standards and the NB Rail RFUs:
- SAM X 001 / SAM X 009
- ISO 17020
- ISO 17025
- RFU-STR22

CERTIFER must ensure that the criteria listed below are complied with when:
- test results are supplied by the client;
- tests are performed on behalf of CERTIFER and under its responsibility;
- tests are performed by CERTIFER.

Three criteria are used in the acceptance of test results:
- Criterion 1: the quality management system
- Criterion 2: minimum content of test reports
- Criterion 3: calibration

If conformity with the requirements listed below is, in the opinion of CERTIFER, insufficiently demonstrated in
the documents provided by the client, “open points” must be created in the questions and remarks follow-up
sheet, in the form of questions and/or requests for additional information.
Depending on the answers and new evidence provided by the client, the open point can be closed or converted
to a discrepancy in the final report.

For tests in the fire/smoke domain, EN ISO/IEC 17025 accreditation covering the fire/smoke fields is mandatory, as
well as successful participation in the CERTIFER inter-laboratory campaigns.

CERTIFER may perform tests, provided that they fall within the normal activities of CERTIFER given its area of
certification.

28/10/2014 page 1 of 3
1 Acceptance criteria for test results
1.1 Criterion 1: the quality management system of the test body

a) EN ISO/IEC 17025 accredited test laboratory or body whose accreditation covers the tests under consideration:
The quality management system is acceptable. The test report must meet Criterion 2 below.

b) EN ISO/IEC 17025 accredited test laboratory or body whose accreditation does not cover the tests under consideration:
Acceptance of the report presenting the test results is conditional on the results of an audit of the
execution of the test, focused on the specific application, the particular techniques and the
implementation conditions of the test. The reference document for the audit is the EN ISO/IEC 17025
standard (see SAM X 009).

c) ISO 9001 certified test bodies or laboratories

c1) case of tests intended to measure the physical characteristics of a product or system
Acceptance of the report presenting the test results is conditional on the results of an audit of the
execution of the test with regard to its compliance with the requirements of EN ISO/IEC 17025 that
go beyond those of ISO 9001:
- effective implementation of the quality management system in the test domain in question;
- verification of the additional requirements of EN ISO/IEC 17025 compared to the
requirements of ISO 9001 (this can be based on the SAM X 009 audit outline);
- the particular techniques, methods, competence of technical staff and implementation
conditions for the test requested.

c2) case of tests intended to validate compliance with the functional requirements of a product or
system
Acceptance of the report presenting the test results is conditional on:
- the opinion of CERTIFER on the test plan (in particular the test strategy and test tools);
- an opinion on the functional test specifications.

CERTIFER may require additional tests and/or attendance at certain tests.

d) Test bodies or laboratories not certified to ISO 9001

d1) case of tests intended to measure the physical characteristics of a product or system
Acceptance of the report presenting the test results is conditional on the results of an audit of the
execution of the test with regard to its compliance with the requirements of EN ISO/IEC 17025.

d2) case of tests intended to validate compliance with the functional requirements of a product or
system
Acceptance of the report presenting the test results is conditional on:
- an audit of the execution of the test with regard to its compliance with the requirements of the
ISO 9001 standard;
- the opinion of CERTIFER on the test plan (in particular the test strategy and test tools);
- an opinion on the functional test specifications.

CERTIFER may require additional tests and/or attendance at certain tests.

1.2 Criterion 2: Minimum content of the test report (or other admissible document)
To be admissible, the test report must include at least the following elements:

Requirement / Objective
1. A unique identification and, on each page, an indication that the page is recognised as
   being part of the document, as well as a clear indication of the end of the document.
   Objective: make sure that nothing has been removed or added.
2. The name and address of the entity performing the tests.
   Objective: make sure that the person responsible for the test results is identified.
3. A description of (or reference to) the method.
   Objective: make sure that the method is relevant.
4. The unambiguous description and identification of the object submitted to the test.
   Objective: make sure that the sample tested is representative of the product being assessed.
5. Accurate identification of the equipment, software and simulators used.
   Objective: make sure that the tests are reproducible and, where applicable, that the
   calibration proofs match the devices used (or can be found).
6. The results of the test, with the measurement units if required.
   Objective: make sure that the results demonstrate the product's compliance with the requirements.
7. Information relating to the specific conditions of the test, such as the ambient conditions,
   when they are likely to influence the result.
   Objective: make sure that no test condition is likely to invalidate the results.

a) case of tests intended to measure the physical characteristics of a product or system

Requirement / Objective
8. A declaration relating to the measurement uncertainty (if it is important for the validity of the
   results or when it affects conformity at the limits of a specification).
   Objective: make sure that the measurement error range does not exceed the admissible tolerances
   for the value of the product.

b) case of tests intended to validate compliance with the functional requirements of a product or
system

Requirement / Objective
8. Accurate identification of the functional specifications and of the functional test specifications.
   Objective: make sure that the expected functional behaviour of the product is clearly identified.
9. Any other information required by the EN 50126, EN 50129 and EN 50128 standards (test coverage
   report, list of known discrepancies and the impact these discrepancies may have on usage, ...).
   Objective: make sure of compliance with the requirements of the EN 50126, EN 50129 and
   EN 50128 standards.

1.3 Criterion 3: Calibration

When the measured values are traceable to national or international standards, the certificates
demonstrating the validity of the calibration of all the measuring and test equipment having a
significant influence on the results of the assessment must be provided to CERTIFER by post or
presented on site.

Appendix 3 of CERTIFER reference document RF0015 version 2

Level of depth required in a documentary examination

Examples

Abbreviations used:
FR: fast reading
CR: critical reading
SR: sample reading
NE: not examined
X: the method is used whatever the safety integrity level of the product;
X1: the method is used when the safety integrity level is SIL1;
X2: the method is used when the safety integrity level is SIL2;
X3: the method is used when the safety integrity level is SIL3;
X4: the method is used when the safety integrity level is SIL4;

1) Example: Audit of the process

Document to be examined NE FR SR CR
Quality Manual X (if ISO9001) X (if not ISO9001)
Process and instruction sheets X (if ISO9001) X (if not ISO9001)
Management Plan X
Quality plan X
Safety plan X
Quality registration documents (review minutes, anomaly sheets, modification sheets...) X

System Risk analysis X
System Functional specifications X
System Architecture and safety principle X
System integration and installation tests specifications X
System integration and installation tests results X
System validation tests specifications X
System validation tests results X
System Safety case X

Hardware Risk analysis X
Hardware Functional specifications X
Hardware Architecture and safety principle X
Hardware integration tests specifications X
Hardware integration tests results X
Hardware validation tests specifications X
Hardware validation tests results X

Software Risk analysis X
Software Functional specifications X
Software architecture X
Software Detailed design X
Source code X
Software integration tests specifications X
Software integration tests results X
Software validation tests specifications X
Software validation case X

2) Example: process audit + design examination

Document to be examined NE FR SR CR
Quality Manual X (if ISO9001) X (if not ISO9001)
Process and instruction sheets X (if ISO9001) X (if not ISO9001)
Management Plan X
Quality plan X
Safety plan X
Quality registration documents (review minutes, anomaly sheets, modification sheets...) X

System risk analysis X
System Functional specifications X
System Architecture X1,X2 X3,X4
System Safety principles X1,X2 X3,X4
System integration and installation tests specifications X1,X2 X3,X4
System integration and installation tests results X1,X2 X3,X4
System validation tests specifications X X3,X4
System validation tests results X X3,X4
System Safety Case X X3,X4

Hardware Risk analysis X1,X2 X3,X4
Hardware Functional specifications X1,X2 X3,X4
Hardware Architecture and safety principle X1,X2 X3,X4
Hardware integration tests specifications X1,X2 X3,X4
Hardware integration tests results X1,X2 X3,X4
Hardware validation tests specifications X1,X2 X3,X4
Hardware validation tests results X1,X2 X3,X4
Tests results in working environment (EMC, vibration, temperature…) X

Software risk analysis X1,X2 X3,X4
Software functional specifications X1,X2 X3,X4
Software architecture X1,X2 X3,X4
Detailed design of the software X1,X2 X3,X4
Source code X
Test tool documentation X
Software integration tests specifications X1,X2 X3,X4
Software integration tests results X1,X2 X3,X4
Software validation tests specifications X1,X2 X3,X4
Software validation case X1,X2 X3,X4
