Slide n° 1 Safety Conference of Danish Transport and
Construction Agency - Copenhagen, 28th October 2015
CSM for risk assessment: Proactive decision making instrument
Consequences and benefits of latest changes
Dragan JOVICIC, European Railway Agency
Slide n° 2
Content
EU railway market opening and restructuring (historical background context of railways)
Place of the CSM for risk assessment within the risk based approach
Overview of harmonised methods for safety management and safety supervision
Overall presentation of the CSM for risk assessment and of its successive changes
Latest amendments of the CSM for risk assessment: CSM Design Targets (CSM DT)
Discussions – Questions & Answers
Slide n° 3
EU railway market opening and restructuring
Change of Roles & Responsibilities for management and supervision of railway safety
Slide n° 4
Reminder
Historically, every country used different technical solutions, operational rules, standards, safety cultures and approaches in terms of safety acceptance and safety management
One state railway company where all functions were integrated:
Vehicle owner/keeper
Management of infrastructure
Operation of railway transport (passengers and freight)
Planning, management and performance of maintenance activities
etc.
Railway company self-regulated, i.e. responsible for Regulation, Management and Supervision of a “safe operation” of railway transport
International traffic: no legal obligations - Made possible thanks to (voluntary) international or multilateral agreements
Slide n° 5
EU railway transport policy and railway legislation
Remove historical barriers to free circulation of trains and make railways business oriented and competitive
Technical Harmonisation (TSIs) & Common approaches for safety management
Open railway market to competition for rail transport services and railway supply industry
Prevent sector from using safety as a barrier to market access or an excuse to resist change
Slide n° 6
Common safety instruments for opening railway market
EU railway legislation sets up a common approach for:
safety regulation
safety management
safety supervision
in line with the "new Commission approach" for the creation of a single European railway market
As many new railway players and interfaces are created, it is necessary to:
1) maintain at least the existing level of safety in the EU railways, and increase it when reasonably practicable
2) create a basis for mutual trust
Slide n° 7
Common approach to safety within an open railway market
EU railway legislation
Safety Management
Safety Supervision
Safety Regulation
EU legislation defines “Roles & Responsibilities“
[RUs, IMs, Vehicle Keepers, ECMs, NSAs, Notified Bodies, Designated Bodies, Manufacturers and others]
Responsibility for safety of railway system put on those who OPERATE and MAINTAIN railways:
RUs, IMs must manage and monitor safely their activities through a Safety Management System
ECMs must manage and monitor maintenance activities through a “System of Maintenance”
WHO shall do WHAT?
NSAs & other bodies (e.g. ECM Certification Body, NoBo, DeBo, etc.) guarantee RUs, IMs and ECMs comply with their obligations
Slide n° 8
Existing national railway systems usually based on use of rules and retrospective review of «bad experiences» from past
Directive 2004/49 requires setting up an SMS which shall «predict» what can happen and «prevent» it from happening instead of «reacting to and fixing» unwanted events
SMS introduces concept of RISK MANAGEMENT which requires to LOOK both FORWARD and RETROSPECTIVELY
→ only new element in SMS compared with existing national railway systems: develop a «predict and prevent» way of thinking
Harmonised thinking in terms of «risk» & «risk based approach»
Transition from different national practice towards an SMS approach
In a “risk based approach” the key question is thus:
«What are the likely risks and the risk control measures I should put in place to manage safely my activities (my business)?»
Slide n° 9
Comparison of Proactive vs. Reactive approaches
Reactive approach (React & Fix):
Accidents are used to prevent same accidents
Costly with high impact on the system and society
Unable to control unknown risks
Proactive approach (Predict & Prevent):
Competence and knowledge are used to control risks and then to prevent accidents
No impact on the system and society
Can effectively prevent the occurrence of events
Slide n° 10
Place of the CSM for risk assessment within the risk based approach
Slide n° 11
Risk Management: links between CSM and SMS
Risk Management is a key process of the safety management system (SMS):
“The SMS … shall ensure the control of all risks associated with the activity of the IM or RU, including the supply of maintenance and material and the use of contractors…” (Directive 2004/49, Article 9(2))
The SMS organises the assessment and the management of risks
“procedures and methods for carrying out risk evaluation and implementing risk control measures whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations;” (Directive 2004/49, Annex III – art.2 Basic elements (d))
The implementation of a Safety Management System requires the application of the CSM for Risk Assessment
Slide n° 12
[Figure: SMS diagram with labels Risks, Rules, Processes, Procedures]
Why should I have a measure/procedure?
How can I avoid or decrease the risk?
What do I already have in place for that?
Building an SMS is a systematic review of "likely risks" linked to my operations and identification of "risk control measures"
Role of rules in SMS:
EU regulatory framework is not a conflict between Risk based and Rule based approaches but a combination of both
It is necessary to identify & understand how rules fit into the whole management system
RU/IM SMS must consider not only National Rules but all rules necessary to deliver safely the operation
Slide n° 13
SMS provides a structured framework to ensure that:
1) PLAN: the company is designed (i.e. organised) to deliver safely the operation
2) DO: the company actually deploys the operational and support processes
3) CHECK: the company measures the effectiveness of the processes
4) ACT/ADJUST: the company takes preventive or corrective measures on detection of non-compliances
SMS is not an alternative to the existing set of safety related technical and operational rules. It is a structured way to apply them taking into account the risks related to the specific activities of the RU or IM
Objective of SMS: keep "set rules" up to date
[Figure: SMS cycle PLAN, DO, CHECK, ACT]
Slide n° 14
What is an SMS?
[Figure: SMS diagram with labels Risk management, Rules, Processes, Procedures]
A documented and structured framework for safe management of all company activities
Ensures appropriate processes, procedures and rules exist for controlling all company risks
Enables identification of hazards and continuous management of risks related to the company activities, with the aim of preventing accidents
Uses scientific "risk management" tools to support company managers in consciously taking decisions for their business
Slide n° 15
Overview of harmonised methods for safety management and safety supervision
Slide n° 16
Safe Operation & Safe Maintenance
European Railway Legislation Safety Regulatory Framework
Railway Safety Directive 2004/49/EC
CSM for Risk Assessment Regulation 402/2013
CSM for Monitoring Regulation 1078/2012
CSM for Conformity Assessment - Regulations 1158/2010 & 1169/2010
ECM Regulation 445/2011
CSM for Supervision Regulation 1077/2012
ECM Regulation 445/2011 (Annex III)
[Figure: SMS/MMS Plan, Do, Check, Act cycle with the labels Assessment, Monitoring/Supervision/Surveillance and Freight wagons]
Slide n° 17
Overall presentation of the CSM for risk assessment and of its successive changes
Slide n° 18
Versions of CSM for risk assessment
Regulation 402/2013
Regulation 2015/1136 R&R CSM AB
More categories of RAC-TS
19/07/2010 Technical changes 01/07/2012 TOO changes
21st May 2015 (Repealing Reg. 352/2009)
2012 to 2014
CSM DT [10^-9 & 10^-7 h^-1]
2010 to 2012
3rd August 2015 (Amending Reg. 402/2013)
2005 to 2007
Regulation 352/2009
RAC-TS [10^-9 h^-1]
Slide n° 19
Overview of the CSM for risk assessment Process in Annex I
Iterative Risk Management Process “triggered” by a Significant Change
Defines a common process for risk assessment
(a) System definition
(b) Hazard identification & classification
(c) Identification of safety measures
(d) Risk analysis based on use of existing Risk Acceptance Principles (RAP):
1) Codes of practice
2) Reference Systems
3) Explicit risk estimation
There is no mandatory order of priority in use of these three RAP
(d) Risk evaluation for checking acceptance of risk(s)
(e) Definition of safety requirements from identified safety measures
[Figure: risk management flowchart. Preliminary System Definition; Significant Change? (justify and document decision); System Definition; Hazard Identification and Classification; Risk Analysis via Codes of Practice, Similar Reference Systems or Explicit Risk Estimation; Risk Evaluation (vs. Risk Acceptance Criteria); Safety Requirements (i.e. safety measures to be implemented); Demonstration of Compliance with Safety Requirements. Side bars: Independent Assessment, Hazard Management. Enclosing box: Risk Assessment.]
352/2009
Slide n° 20
Overview of the CSM for risk assessment Process in Annex I
Iterative Risk Management Process “triggered” by a Significant Change
[Figure: CSM risk management flowchart (preliminary system definition, significant change decision, system definition, hazard identification and classification, risk analysis, risk evaluation, safety requirements, demonstration of compliance), with independent assessment and hazard management side bars]
CSM for risk assessment also requires:
Update system definition with identified safety requirements;
Demonstrate compliance with system definition, and thus with safety requirements from risk assessment;
To support mutual recognition:
(a) Risk assessment and risk management must be documented in hazard record;
(b) Independent assessment by a CSM Assessment Body of correct application of the CSM Process and of appropriateness of results
352/2009
Slide n° 21
Independent CSM Assessment Body Check correct application of CSM for risk assessment
When change significant, a CSM Assessment Body must be appointed
CSM assessment body shall carry out an independent assessment of:
correct application of risk management process in Annex I, and;
suitability of results from risk assessment process (Reg. 402/2013)
Criteria & requirements to be fulfilled Who, What, How, When, etc.?
Article 6 of Regulation 352/2009
[Figure: CSM risk management flowchart (preliminary system definition, significant change decision, system definition, hazard identification and classification, risk analysis, risk evaluation, safety requirements, demonstration of compliance), with independent assessment and hazard management side bars]
352/2009
Slide n° 22
Compliance with existing standards General overview of risk management in ISO 31000
352/2009
Regardless of type of business, activity or function of company, Risk Management is a 7-step process:
Defining context (System Definition)
Risk Assessment:
Hazard/Risk Identification
Risk Analysis
Risk Evaluation
Risk Control
Risk Monitoring and Review
Communicate with and consult staff on company risks and the risks of their activities
[Figure: basic process steps, part of SMS. System Definition; Risk Assessment (Hazard/Risk Identification, Risk Analysis, Risk Evaluation); Risk Control; Risk Monitoring and Review; Communicate and Consult on risks]
‘Risk’ is dynamic and subject to constant change,
so Risk Management process includes continuous
Slide n° 23
Traceability between CSM and CENELEC
352/2009
[Figure: CSM risk management flowchart (Preliminary System Definition; Significant Change?; System Definition; Hazard Identification and Classification; Risk Analysis via Codes of Practice, Similar Reference Systems or Explicit Risk Estimation; Risk Evaluation vs. Risk Acceptance Criteria; Safety Requirements; Demonstration of Compliance with Safety Requirements; Independent Assessment; Hazard Management [Ax III (2)(g) of SD]) mapped through BOX 1 to BOX 4 onto the CENELEC lifecycle phases numbered 1 to 14: Concept; System Definition & Application Conditions; Risk Analysis; System Requirements; Apportionment of System Requirements; Design and Implementation; Manufacture; Installation; System Validation (including Safety Acceptance and Commissioning); System Acceptance; Operation and Maintenance; Performance Monitoring; De-commissioning and Disposal; Modification and Retrofit. Mapping labels: CSM's for RISK ASSESSMENT; Preliminary System Definition in CSM's; Safety Requirements; Demonstration of Compliance with the Safety Requirements; Re-application of the CSM.]
Slide n° 24
Required when change is significant - Appointed by Proposer, if there is no contrary national legal obligation
Necessary for mutual recognition of results from risk assessments: reduction of risk assessment costs and of requests for unjustified additional demonstrations
Check correct application of CSM process and appropriateness of results
Deliver a safety assessment report to support Proposer in its decisions
WHEN? not explicitly required in CSM - Should be involved early in project and finishes with delivery of independent assessment report to Proposer
WHO? whoever fulfils general requirements in Annex II of Reg. 352/2009:
independence from design, manufacturing, construction, marketing, operation or maintenance of system under assessment
professional integrity and competence (skills, training, knowledge and experience) to perform independent safety assessment
civil liability insurance & commercial confidentiality
Independent CSM Assessment Body General Legal framework in Regulation 352/2009
352/2009
Slide n° 25
To establish sufficient trust and enable mutual recognition of independent assessment work of CSM AB, following questions needed an answer:
WHAT shall be assessed?
HOW assessments are to be performed?
WHAT is content of safety assessment report?
What is the interaction with other assessments (e.g. Safety certification & authorisation process for placing in service structural sub-systems)?
What specific criteria and requirements need to be fulfilled?
What areas of competence are necessary?
WHICH scheme could ensure similar quality of independent assessment? or HOW to become a CSM Assessment Body?
Independent CSM Assessment Body Novelty in Regulation 402/2013
402/2013
Slide n° 32
Correct application of CSM: check of compliance with CSM process
Suitability of results of risk assessment: check that system under assessment fulfils safely intended objectives of the change
Assessment includes all steps of CSM process:
system definition
hazard identification and risk analysis
risk evaluation and risk acceptance
demonstration of compliance with safety requirements
Evaluation of significance of change need not be checked
Independent CSM Assessment Body WHAT shall be assessed?
402/2013
Slide n° 33
Independent CSM Assessment Body HOW is the independent assessment performed?
Independent assessment in Regulation 402/2013 different from NOBO work:
NOBO checks formal conformity of a structural sub-system vs. ALL requirements defined in relevant TSIs
whereas CSM assessment body makes JUDGEMENTS
To make its judgement, a complete, thorough review and follow up of all activities of “Proposer and its subcontractors” for design and implementation of change is not cost effective and is also not necessary
Rather, a 3-step approach shall be undertaken based on:
thorough understanding of the change and of its specification
assessment of safety and quality processes put in place for the change
assessment of application of these processes for design and implementation of change based on e.g. auditing and sampling techniques [or vertical slice assessment of key risks] till delivery of safety assessment report
402/2013
Slide n° 34
Safety assessment report delivered to Proposer, contains at least:
(a) identification of CSM assessment body;
(b) independent safety assessment plan;
(c) definition of scope and limitations of independent safety assessment;
(d) results of independent safety assessment including in particular:
(1) detailed information on independent safety assessment activities for checking compliance with provisions of CSM;
(2) any identified cases of non-compliances with provisions of CSM and assessment body’s recommendations;
(e) conclusions on compliance of risk assessment and risk management with CSM requirements and appropriateness to fulfil safely intended objectives
Safety assessment report supports Proposer in decision to accept change
It provides evidence to NSA, in particular within APIS structural sub-systems, that Proposer correctly applied CSM process
It is useful for supervision activities of the proposer’s Management System
Independent CSM Assessment Body WHAT is the result of the independent assessment?
402/2013
Slide n° 35
European (Railway) Legislation related to Market Opening Assurance of compliance with EU legislation - Mutual trust/recognition
To avoid new assessments and new safety demonstrations for a same system, EU legislation introduces concepts of:
Certification
(Independent) Conformity Assessment Body (CAB)
Mutual Recognition or Acceptance (XA)
System or safety demonstration accepted in one MS or by one CAB must be cross accepted in another MS or by another CAB if used under the same functional, operational and environmental conditions
Duplication of conformity assessments by different CABs involved in a project shall be avoided unless CAB demonstrates existence of a substantial safety risk
Conformity assessment bodies: NSAs, NoBos, DeBos, ECM Certification Bodies, CSM Assessment Bodies, National Accreditation Bodies & Recognition Bodies
Monitoring of experience is expected to build trust between MS & between CABs
Slide n° 36
Independent CSM Assessment Body WHAT is the interaction with other Conformity Assessment Bodies?
All risks identified with CSM for risk assessment
TSI's (NoBo): Check of conformity with TSI requirements applicable to the structural sub-system
National Rules (DeBo): Check of conformity with national rules applicable to the structural sub-system
Other measures (CSM AB): Check of correct application of CSM and of suitability of results from risk assessment
Safety demonstration by proposer/applicant + NSA authorisation based on evidence of:
Safe integration [AB]
Check of technical compatibility
Compliance with TSI's [NoBo] & National Rules (law) [DeBo]
Duplication of independent assessment work between different Conformity Assessment Bodies involved in a project shall be avoided
402/2013
Slide n° 37
Roles and responsibilities of CSM Assessment Body for placing in service Authorisation of Vehicles - Safe Integrations
Conformity with TSI: Check by NOBO
Conformity with NNR: Check by DEBO
RA according to CSM: Check by CSM Assessment Body
Technical compatibility and safe integration within the vehicle (Use of CSM for RA)
Technical File containing all Operational & Maintenance Requirements linked to the design
Responsibilities of Applicant
Design, construct, install, test & demonstrate Safe Integration within the vehicle
NSA Authorisation for placing in service
Responsibilities of Railway Undertaking
Check technical compatibility and demonstrate safe integration within the Route
Conformity with infrastructure register (RINF): Check by RU
Conformity with NNR: Check by RU
SMS update according to CSM for RA: Check by CSM Assessment Body
Technical compatibility and safe integration within the Route (Use of CSM for RA)
RU decision of placing in service
Operation according to RU SMS
Maintenance according to ECM System of Maintenance
Responsibilities of RU & ECM
Operation & Maintenance according to Technical File
Supervision by NSA
Surveillance by ECM Cert Body
Supervision by NSA [Art 16(2)(f)]
Update of SMS
Return of experience
STEP 1 STEP 2 STEP 3
Slide n° 38
Independent CSM Assessment Body WHAT specific criteria and requirements shall CSM Assessment Body fulfill?
Full compliance with ISO/IEC 17020:2012 standard which contains general criteria for "independence, competence, integrity and impartiality"
Following specific competence:
(a) competence in risk management, including knowledge and experience of standard safety analysis techniques and of relevant risk assessment and risk management standards;
(b) all relevant technical competence for assessing the change under assessment and its safe integration into the railway system;
(c) competence in checking the correct application of safety and quality management systems or in auditing management systems.
This is crucial since CSM AB is not required to check all activities and details of risk assessment and risk management done by proposer
402/2013
Slide n° 39
Independent CSM Assessment Body WHAT can be the areas of competence of the CSM Assessment Body?
By analogy to Article 28 of Directive 2008/57/EC concerning NoBo’s, CSM Assessment Body may be competent in different areas of railway system, or parts of it for which an essential safety requirement exists, including competence in operation and maintenance. Possible examples of classifications could be:
(a) infrastructure;
(b) energy;
(c) control command and signalling;
(d) rolling stock;
(e) braking components;
(f) operation, maintenance and traffic management;
(g) overall consistency and system approach (system level);
(h) specific engineering disciplines such as embedded real-time systems, telecommunications, hardware, software, human factor, …
(i) etc.
402/2013
Slide n° 40
Independent CSM Assessment Body WHAT can be the areas of competence of the CSM Assessment Body?
A particular competence is needed to assess overall consistency of risk management and safe integration of system under assessment into railway system as a whole. This specific competence includes ability of CSM AB to check:
(j) the organisation or arrangements put in place by the proposer to ensure a coordinated approach to achieving system safety through a uniform understanding and application of risk control measures for its composing sub systems;
(k) the methodology for the evaluation of the methods and resources deployed by various stakeholders to support safety at both the sub-system and system levels; and
(l) the technical aspects necessary for assessing the relevance and completeness of risk assessments and the level of safety for the system as a whole.
The CSM assessment body may be accredited or recognised for one, several or all of the areas of competence
402/2013
Slide n° 41
Article 12 - “Where the risk assessment for a significant change is not to be mutually recognised, the proposer shall appoint an assessment body meeting at least the competency, independency and impartiality requirements of Annex II. The other requirements of paragraph 1 in Annex II may be relaxed in agreement with the national safety authority in a non-discriminatory way.”
Accreditation or recognition enable mutual recognition.
Article 12 is an exception to those rules and principles. Foreseen for national purposes only, when mutual recognition is not needed and where an accredited or recognised CSM AB is not acceptable from an economic point of view.
Example: changes affecting only domestic market, where international trains would never operate
Article 12 to be used with caution and in duly justified cases.
Independent CSM Assessment Body Relaxed criteria where mutual recognition not necessary
402/2013
Slide n° 42
Article 12 does not list criteria and requirements that could be relaxed.
It prescribes neither the process to be used nor the actor who should check fulfilment of relaxed criteria. There are no requirements for surveillance
Independent safety assessment report of an assessment body accepted under Article 12 cannot benefit from mutual recognition granted to accredited or recognised CSM AB
Article 12 not intended to be used as normal and standard way of acknowledging independence, integrity, impartiality and competence of CSM AB
Article 12 does not support opening of European railway market. Article 12 should be used exceptionally and in duly justified cases
Whenever Article 12 is used, for transparency reasons, independent safety assessment report of CSM AB should clearly list criteria and requirements of Annex II of CSM for risk assessment that are relaxed.
Independent CSM Assessment Body Relaxed criteria where mutual recognition not necessary
402/2013
Slide n° 43
CSM for risk assessment Roles & Responsibilities of the Proposer and of the CSM Assessment Body
Proposer is responsible for application of CSM for risk assessment and to document/justify its decisions and results of risk assessment
When change is significant, Proposer shall appoint an Assessment Body
CSM Assessment Body provides proposer with a Safety Assessment Report
Proposer is responsible for determining if and how to take into account the conclusions of safety assessment report for safety acceptance of change
Proposer shall justify and document any part(s) of safety assessment report where it disagrees with Assessment Body
Article 16: Declaration by Proposer
Based on results of application of CSM and on safety assessment report provided by assessment body, Proposer shall produce a written declaration that all identified hazards and associated risks are controlled to an acceptable level
402/2013
Slide n° 44
When the change is significant, in scope of authorisation for placing in service of structural sub-systems, NSA shall accept Proposer’s Declaration … NSA may not request additional checks or risk analyses unless it is able to demonstrate the existence of a substantial safety risk
When a TSI requires application of CSM for risk assessment, if Proposer has contracted an Assessment Body to check compliance with CSM, NoBo shall accept Proposer’s Declaration … unless it justifies and documents its doubts concerning the assumptions made or the appropriateness of the results
CSM for risk assessment Mutual recognition by the NSA/NOBO of the Safety Assessment Report
402/2013
Slide n° 45
To enable ERA to keep updated Data Bases
Member States (MS) shall inform ERA which is their national accreditation body and/or recognition body or recognition bodies, as well as of assessment bodies they recognised directly in conformity with Article 9(1)(a)
National Accreditation Body shall inform ERA of assessment bodies accredited, as well as of area of competence from Annex II for which those assessment bodies are accredited
Recognition Body shall inform ERA of the assessment bodies recognised, as well as of the area of competence from Annex II for which those assessment bodies are recognised
MS, NAB, Recognition Bodies shall also notify any changes within one month so that ERA can make this information publicly available.
Independent CSM Assessment Body Provision of information to ERA – Roles of ERA
402/2013
Slide n° 46
1. Concept of mutual recognition in scope of CSM
2. Concepts and requirements contained in Regulation 352/2009 and OTIF UTP GEN-G of 1.5.2012:
3. General criteria in Annex II
4. Role of CSM assessment body
5. Who can be CSM assessment body?
6. Relationship between CSM assessment body and CENELEC ISA
7. When is a CSM assessment body required?
8. Who appoints the CSM assessment body?
9. Specific criteria and requirements to be fulfilled
10. Areas of competence
11. Use of external sub-contractors by CSM assessment body
12. Justification of use of ISO/IEC 17020:2012 standard
Additional information on CSM Assessment Body ERA/OTIF paper on CSM Assessment Body coming soon on ERA web page
Slide n° 47
13. Basis for trust in work of CSM Assessment Body: accreditation and recognition
14. Benefits of allowing use of recognition
15. Work of CSM assessment bodies EU wide and in OTIF Contracting States
16. Relaxed criteria and requirements of Article 12
17. Freedom for a MS to have or not a CSM assessment body in the country
18. Where to find the list of accredited and recognised CSM assessment bodies?
19. When should the CSM assessment body start its work?
20. When does CSM assessment body finish its work?
21. How is independent assessment to be done by CSM assessment body?
22. What is content of safety assessment report?
23. Are judgments and conclusions of CSM assessment body binding for proposer?
24. What are the interactions between the CSM assessment body and the other conformity assessment bodies [NoBo, DeBo, NSA]?
Additional information on CSM Assessment Body: ERA/OTIF paper on CSM Assessment Body coming soon on ERA web page
Slide n° 48
Latest amendments of CSM for risk assessment
CSM Design Targets (CSM DT) (Regulation 2015/1136)
Slide n° 49
Scope of RAC-TS – CSM for risk assessment: Needed in explicit risk estimation
[Figure: EXPLICIT RISK ESTIMATION and RISK EVALUATION within RISK ASSESSMENT. Risk analysis boxes: Identification of Scenarios & associated Safety Measures; Estimate Frequency; Estimate Severity; Estimate Risk (Quantitative / Qualitative). Risk evaluation boxes: Safety Criteria?; Comparison with Criteria (explicit quantitative or qualitative RAC required); Acceptable Risk? (YES / NO); Safety Requirements (i.e. the Safety Measures to be implemented); Demonstration of Compliance with Safety Requirements.]
[Figure: CSM risk management process. Boxes: Preliminary System Definition; Significant Change?; Justify and document decision; SYSTEM DEFINITION; HAZARD IDENTIFICATION AND CLASSIFICATION; Codes of Practice; Similar Reference Systems; Explicit Risk Estimation; RISK ANALYSIS; RISK EVALUATION (vs. Risk Acceptance Criteria); RISK ASSESSMENT; Safety Requirements (i.e. safety measures to be implemented); INDEPENDENT ASSESSMENT; HAZARD MANAGEMENT.]
Harmonized safety requirements for design of E/E/PE Technical Systems (TS)
Used in 3rd risk acceptance principle (Explicit risk estimation) to permit Mutual Recognition of Risk Assessments of TS
To avoid confusion with other RAC, RAC-TS renamed into CSM-DT
2015/1136
Slide n° 50
Objectives of setting up CSM-DT for technical systems: Development costs proportionate to risks arising from failures of TS
For the sustainability of EU railways and to permit safe competition of railways vs. other modes of transport, it is important that development costs of TS are proportionate to the risk associated with their failure
TS shall be safe enough but shall not be safer than actually needed because they would then be more expensive
It is thus important to be able to distinguish for technical systems:
failures having the possibility to result in big consequence accidents, not limited to an area of the train, i.e. catastrophic ones affecting many people, and [examples: train collisions & derailments + failure of all train doors]
failures having the possibility to result in less severe accidents, limited to an area of the train, i.e. accidents affecting a reasonably small number of people [example: unintended opening of an individual train door]
2015/1136
Slide n° 51
2.5.5. Where hazards arise as a result of failures of functions of a technical system, … the following harmonised design targets shall apply to those failures:
(a) where a failure has a credible potential to lead directly to a catastrophic accident, the associated risk does not have to be reduced further if the frequency of the failure of the function has been demonstrated to be highly improbable
(b) where a failure has a credible potential to lead directly to a critical accident, the associated risk does not have to be reduced further if the frequency of the failure of the function has been demonstrated to be improbable
The choice between these definitions shall result from the most credible unsafe consequence of the failure.
CSM DT for technical systems in Regulation 2015/1136 amending Regulation 402/2013
2015/1136
Slide n° 52
New definitions in Article 3 of Regulation 402/2013
(23) ‘catastrophic accident’ means an accident typically affecting a large number of people and resulting in multiple fatalities;
(35) ‘critical accident’ means an accident typically affecting a very small number of people and resulting in at least one fatality;
(37) ‘highly improbable’ means an occurrence of a failure at a frequency less than or equal to 10⁻⁹ per operating hour;
(38) ‘improbable’ means an occurrence of a failure at a frequency less than or equal to 10⁻⁷ per operating hour;
Definitions associated to CSM-DT
Considering only one fatality would impose more severe requirements on railways
Aviation uses: “Serious or fatal injury to a relatively small number of the occupants other than the flight crew”
2015/1136
Slide n° 53
CSM-DT are based on existing standards, national legislation and national rules
Directive 2004/49 recognises that safety levels in Community rail system are generally high and those existing safety levels shall be maintained
[Figure: how CSM-DT were set up. Boxes: Existing Technical Systems (requirements currently defined in existing standards, national legislation or national rules; safety levels currently achieved judged to be generally high); Use of statistics from accidents involving technical systems; Return of experience; Set-up CSM-DT; Design of future Technical Systems, F(x), x = CSM-DT.]
2015/1136
Slide n° 54
Compared to requirements currently defined in existing standards, national legislation or national rules for design of existing railway TS, proposed CSM-DT:
usable for electrical, electronic and programmable electronic TS design
neither decrease safety performance nor increase development costs
representative bodies and the majority of workshop participants estimate that CSM-DT correspond to present reality, experience and practice in railways: CSM-DT fit railway needs (although 2 NSAs ask for more validation)
no evidence validating possibility to quantify failures of purely mechanical and purely pneumatic technical systems
harmonised CSM-DT for light injury category is not needed
Proposed CSM-DT similar to aviation ones: similar requirements for similar consequences of TS failures [10⁻⁹ & 10⁻⁷ per flight hour/per operating hour]; [all occupants] or [a relatively small number of occupants] CAN BE affected
2015/1136 CSM-DT are based on existing standards, national legislation and national rules
Slide n° 55
AVIATION
Catastrophic FC resulting in multiple fatalities usually with loss of plane (thus impacting all occupants): ≤ 10⁻⁹ per flight hour [Extremely improbable FC]
Hazardous FC reducing capability of airplane, large reduction in safety margins, physical distress or excessive workload on crew and impacting a relatively small number of occupants: ≤ 10⁻⁷ per flight hour [Extremely remote FC]
Major FC: ≤ 10⁻⁵ per flight hour [remote]
Minor FC: ≤ 10⁻³ per flight hour [probable]
Use of Design Targets in Aviation (Ref. AC/AMJ N°25.1309): Similarities with Railways and CSM-DT
RAILWAYS
Failures of functions having possibility to affect whole train (i.e. all occupants) and resulting in fatalities: ≤ 10⁻⁹ per operating hour [≈catastrophic consequences]
Failures of functions having possibility to affect a limited area of train (thus a relatively small number of occupants) and resulting in at least one fatality: ≤ 10⁻⁷ per operating hour [≈critical consequences]
Light injuries: ≤ 10⁻⁵ per operating hour [≈major consequences], not included in amendment of 402/2013
They also use EQUIVALENT PROCESSES for Safety Assessments, HW&SW Development, Verification & Validation & Management of Systematic Failures
2015/1136
Slide n° 56
Many thanks for your attention!