Slide n° 1
Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment
Dissemination of Commission Regulation on CSM on Risk Assessment
Slide n° 2
European Railway Agency
Presentation of the team involved in the dissemination
ERA Team involved in dissemination of CSM on risk assessment:
Karen DAVIES (Safety Certification Sector in SU of ERA)
E-mail: [email protected]
Dragan JOVICIC (Safety Assessment Sector in SU of ERA)
E-mail: [email protected]
Thierry BREYNE (Head of Safety Assessment Sector in SU of ERA)
E-mail: [email protected]
Maria ANTOVA (Safety Assessment Sector in SU of ERA)
E-mail: [email protected]
Nathalie DUQUENNE (Safety Assessment Sector in SU of ERA)
E-mail: [email protected]
Christophe CASSIR (Safety Assessment Sector in SU of ERA)
E-mail: [email protected]
Slide n° 3
Objectives & Organisation of the CSM Dissemination Workshop
Slide n° 4
Purpose and Organisation of the workshop
Purpose of the workshop:
Explain to concerned actors of the railway sector the risk assessment and risk management process defined in the Commission Regulation (EC) N°352/2009
3 Steps for the present workshop:
1st Step: transmit a pre-workshop questionnaire to all participants
2nd Step: collect answers to that pre-workshop questionnaire to orientate the workshop to specific needs of the visited Member States
3rd Step: visit to Member States and presentation of CSM process
Presentation of CSM process split into an “INTRODUCTION” + “6 Modules” (see next slides)
Slide n° 5
For presentation purposes, CSM Process split into 7 topics (see questionnaire)
(1) Introduction
(2) What is a significant change?
(3) Hazard Identification phase;
(4) Risk analysis and evaluation
(5) Hazard Management and Hazard Records;
(6) Demonstration of system compliance with the safety requirements
(7) Independent assessment of correct application of CSM Process by an Assessment Body
[Diagram: Modular Presentation. The CSM process flow chart with topics (2) to (7) mapped onto its steps; side bands labelled INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Annex III (2)(g) of SD]]
Slide n° 6
Time sharing of the two days of the workshop
Presentation by the Agency of each module
Explanation of the requirements in the CSM Regulation (theory)
Presentation of the application of those CSM requirements to practical examples (concrete cases of risk assessment)
Relevant “QUESTIONS” from the participants on the presented module & “ANSWERS” by the Agency
At the “end of 1st day” and at the “end of module presentation on 2nd day”, all actors of the same Member State are asked to meet for “internal discussions among representatives of the MS” (Brainstorming), followed by a session of Questions/Answers (Debriefing)
Slide n° 8
Overall outputs of the CSM dissemination exercise
1st step: via both the “pre-workshop questionnaire” and the “8 CSM dissemination workshops” collect railway sector experience and feedback on risk assessment, their ideas and suggestions for improving CSM Regulation and/or associated guides
2nd step: continue CSM dissemination exercise by a review of and feedback based on real case examples of changes to the railway system where the CSM process is applied (coordination with NSA)
2011: use results from “dissemination workshops” + from “review of real case examples” (i.e. 2nd step of CSM dissemination) for writing a report on experience with application of “CSM on Risk Assessment”. This report is to be submitted to the Commission by end of 2011. It is intended to serve as a basis for improving the CSM Regulation and/or the associated guides for application of CSM
Slide n° 9
Number of workshops

When                 Group   Group composition (Member State)   Location
June 2009            1       DK FI NO SE                         Stockholm
September 2009       2       AT CH DE SL                         Maribor
October 2009         3       CZ HU PL SK                         Prague
November 2009        4       BE FR LU                            Amiens
February 2010        5       BG EL RO                            Sofia
March 2010           6       NL IE UK                            Utrecht
April 2010           7       IT PT ES                            Madrid
May 2010             8       EE LV LT                            Riga
Concluding Seminar   N/A     All EU Member States                Agency
Slide n° 10
Time schedule for CSM dissemination workshop
Slide n° 11
Time schedule for CSM dissemination workshop: 1st day of workshop
1st day: 10:00 to 18:00
09:00 – 10:00: Welcome
10:00 – 10:45: Opening of Workshop & Introductory Presentations
10:45 – 11:00: Coffee Break
11:00 – 12:30: Significant Changes
12:30 – 13:30: Lunch Break
13:30 – 14:30: Hazard Identification
14:30 – 15:45: Risk Analysis and Evaluation
15:45 – 16:00: Coffee Break
16:00 – 16:30: Hazard Record
16:30 – 17:15: Internal discussions among representatives of each MS
17:15 – 18:00: Questions/discussion and feedback from those discussions
Slide n° 12
Time schedule for CSM dissemination workshop: 2nd day of workshop
2nd day: 9:00 to 16:00
09:00 – 10:15: Demonstration of system compliance with safety requirements
10:15 – 11:00: Assessment Bodies
11:00 – 11:15: Coffee Break
11:15 – 12:15: internal discussions among representatives of each MS
12:15 – 13:15: Lunch Break
13:15 – 14:00: Questions/discussion and feedback from those discussions
14:00 – 14:15: Coffee Break
14:15 – 15:00: Conclusions and close out of the workshop
Slide n° 13
(1) Introduction
Slide n° 14
1 - Introduction: Content of presentation
A. Role of the European Railway Agency
B. Overview of the Commission Regulation on CSM on Risk Assessment
C. Guides for the application of the CSM Regulation
D. 6 Detailed Presentations for different steps in CSM Process
E. First Example for CSM Application: operational change
F. Second Example for CSM Application: organisational change
G. Third example for CSM Application: change of a technical system
Slide n° 15
A. Role of the European Railway Agency
Slide n° 16
The objectives of the European Union are...
... to open the railway market to competition for the rail transport services and the railway supply industry!
... to make railways business oriented and competitive! → need for technical harmonisation (interoperability)
... to prevent the sector from using safety as a barrier to market access or an excuse to resist change!
Some cornerstones in EC law for achieving those goals:
Separation of former vertically integrated railway companies into IMs and RUs
Moving the railways from self-regulation to regulation by public authorities
Introducing a framework for entry into the market for railway undertakings (licensing and safety certification)
Maintaining at least, and increasing when reasonably practicable, the existing level of safety and creating a basis for mutual trust through the development of common approaches to safety, taking into account the competitiveness of railways
Transparency of safety data and CSI, definition of CST and CSM
Slide n° 17
Need for support at Community Level → establishment of the European Railway Agency
The technical harmonisation (interoperability) and the development of CSTs, CSMs and CSIs, as well as the need to facilitate progress towards a common approach to railway safety, require technical support at Community level
The European Railway Agency (ERA) was therefore set up with the aim of helping to create this integrated railway area by establishing a European approach to railway safety (Safety Directive 2004/49/EC) and interoperability (Interoperability Directive 2008/57/EC)
Slide n° 19
A – Role of the European Railway Agency: Legal basis for the Agency’s work
The Agency’s tasks and, hence, its organisational structure are based on mainly three components:
European Directives (Railway Safety Directive, Interoperability Directives, …)
Work Programme (annually adopted by the Administrative Board)
Regulation (EC) N° 881/2004 (Agency Regulation)
[Diagram: ERA at the centre, with the three components feeding into it]
Slide n° 20
A – Role of the European Railway Agency: Organisation Chart of the Agency
Slide n° 22
A – Role of the European Railway Agency: Agency Tasks (2/3)
Safety Regulation
Validation and registration of the notifications of national safety rules, including an analysis of their mode of publication
Technical advice on new national safety rules and on safety-related aspects
Safety Reporting
Elaboration of common safety indicators as well as monitoring and analysis of the development of safety on Europe’s railways, including dissemination of information
Common methods and approaches to accident investigation
Safety Certification
Common Safety Method for Conformity Assessment
Development of a migration strategy towards a single Community certificate
Certification Scheme for the Entity in Charge of Maintenance
Slide n° 23
A – Role of the European Railway Agency: Agency Tasks (3/3)
Safety Assessment
CSM for risk assessment
CSM on monitoring
Methodology for calculating and assessing the achievement of safety targets for EU Member States
Definition, for each Member State, of their respective safety targets including their assessment
Horizontal Activities
Support to the national safety authorities and investigating bodies to facilitate their exchange of information and harmonisation of decision making criteria by setting up networks and task forces
Public databases of safety related documents such as safety certificates, licences, national safety rules, investigation reports and indicators
Slide n° 25
A – Role of the European Railway Agency: Involvement of the Railway Sector
Article 3 of Agency Regulation (EC) N° 881/2004 obliges the Agency to set up working groups according to tasks given in the regulation and by the Agency Work Programme.
Sector Associations are asked to send experts to participate and contribute.
[Diagram: the Agency’s Working Parties, the Network of National Safety Authorities and the Network of National Investigation Bodies, …, drawing on Railway Sector Experts from sector organisations acting at European level* (UNIFE, CER, EIM, UITP, UIP, UIRR, ERFA, ETF, ALE) and on National Safety Authorities’ experts]
* List established by Article 21 Committee on 22 February 2005
Slide n° 26
A – Role of the European Railway Agency: Decision Process (Comitology)
European Railway Agency
No decision power for the Agency. The Agency gives recommendations to the Commission and technical opinions upon specific request!
[Diagram: Working Party (CER, EIM, UNIFE, NSA, ...), NSA Network … and Internal reconcilement … feed the Agency Recommendation; Commission / RISC, with Social Partners and Passengers/Customers; Parliament Scrutiny; Adoption]
Slide n° 27
B. Overview of the Commission Regulation on CSM on Risk Assessment
Slide n° 28
B – Overview of Commission Regulation on CSM on Risk Assessment: Status
Sept 05: Kick off meeting of the CSM WG (15 NSA, 5 CER, 2 EIM, 3 UNIFE, 1 UITP) – Work program of the WG
2006: Survey and inputs from CSM WG members
2007:
o CSM recommendation drafted by the Agency with support of a dedicated TF – Reviews by the WG.
o Consultation of the social partners
o Dec 07: ERA recommendation to the EC
Slide n° 29
B – Overview of Commission Regulation on CSM on Risk Assessment: Status
2008:
o Discussion within the RISC and dedicated workshop organised by the EC (technical support from the Agency)
o Positive opinion of the RISC in November 08
2009:
o Scrutiny of the EU parliament
o Publication of the EC regulation (n°352/2009) in the OJ (L108) of 24 April 09
o Dissemination by the Agency (continued in 2010)
Slide n° 30
Terminology: Terms in CSM Regulation – Terms in CENELEC

Terms in CSM Regulation (Safety Directive 2004/49)        Terms in CENELEC (EN 50126-1)
Infrastructure Manager (IM) / Railway Undertaking (RU)    Railway Authority
National Safety Authority (NSA)                           Safety Regulatory Authority
Supplier/Manufacturing Industry                           Railway Support Industry
Slide n° 31
Terminology: Terms in CSM Regulation – National Terms

Terms                             Estonian                           Lithuanian                               Latvian
Proposer                          taotleja                           pasiūlymo teikėjas                       priekšlikuma iesniedzējs
Infrastructure Manager (IM)       raudteeinfrastruktuuri-ettevõtja   geležinkelių infrastruktūros valdytojas  infrastruktūras pārvaldītājs
Railway Undertaking (RU)          raudtee-ettevõtja                  geležinkelio įmonė                       dzelzceļa pārvadājumu uzņēmums
National Safety Authority (NSA)   riiklik ohutusasutus               nacionalinė saugos institucija           valsts drošības iestāde
Slide n° 32
B – Overview of Commission Regulation on CSM on Risk Assessment: Link of CSM to RU/IM SMS in Article 9 of Safety Directive 2004/49/EC
Article 9 requires that "IM and RU shall establish their SMS..."
Basic elements of SMS in Annex III of Safety Directive 2004/49/EC
One of the SMS processes in Annex III, Annex III(2)(d): "Procedures and methods for carrying out risk evaluation and implementing risk control measures whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations"
The obligation for RUs/IMs to have a risk assessment process in place is a basic element of the SMS in Annex III of Directive 2004/49/EC
RU and IM SMS will thus achieve compliance with the procedures and methods required by the associated "conformity assessment criteria" [developed by the ERA Safety Certification Sector] by referring to the CSM on Risk Assessment
Slide n° 33
B – Overview of Commission Regulation on CSM on Risk Assessment: Link of CSM to Article 15 in Interoperability Directive 2008/57/EC
Article 15 requires among others that before authorising "the placing into service of those structural subsystems constituting the rail system which are located or operated in its territory", "in particular" the Member State "shall check":
"the technical compatibility of these subsystems with the system into which they are being integrated",
"the safe integration of these subsystems in accordance with Article 4(3) and Article 6(3) of Directive 2004/49/EC".
Article 6(3)(a) of Directive 2004/49/EC: "The CSMs shall describe how the safety level, and the achievement of safety targets and compliance with other safety requirements, are assessed by elaborating and defining risk evaluation and assessment methods"
Article 4(3) of Directive 2004/49/EC:
"Member States shall ensure that the responsibility for the safe operation of the railway system and the control of risks associated with it is laid upon the infrastructure managers and railway undertakings,..."
"Without prejudice to civil liability in accordance with the legal requirements of the Member States, each infrastructure manager and railway undertaking shall be made responsible for its part of the system and its safe operation,"
Article 6(3)(a) of SD referred to also in Articles 23(5) and 25(4) of ID
Slide n° 34
B – Overview of Commission Regulation on CSM on Risk Assessment: Strategy for developing CSM based on existing methods in EU
Two main considerations taken into account for developing CSM on RA
Harmonise a common approach for safety assessments based on existing safety assessment methods in EU. Therefore:
As the Railway Sector already has a strong safety culture, freedom is left to each organisation to use its already approved Risk Assessment Methods/Tools/Techniques
CSM provides Common Principles but does not fix the Tools (e.g. FTA, FMECA)
CSM privileges the use of standards and reference systems
Advice on Risk Assessment “tools” is given in a guideline developed alongside the CSM
Railways being organised into RUs & IMs, all activities at the interfaces between the different actors must be managed carefully
Clear identification of the different actors’ responsibilities
Facilitate mutual recognition of results from risk assessments. This requires harmonisation of:
risk management process;
exchange of safety related information between actors for managing the safety across the different interfaces;
evidence resulting from application of risk management process
Slide n° 35
B – Overview of Commission Regulation on CSM on Risk Assessment: WHO shall apply the CSMs? Proposer
The risk management process described in the CSM shall be applied by the person in charge of implementing the change under assessment. This person is referred to in CSM Regulation as the "proposer".
The proposer can be one of the following actors:
(a) the Railway Undertakings and Infrastructure Managers in the framework of the risk control measures they have to implement in accordance with Article 4 of the Safety Directive 2004/49/EC;
(b) the contracting entities or the manufacturers when they invite a notified body to apply the "EC" verification procedure in accordance with Article 18(1) of the Interoperability Directive 2008/57/EC or the applicant of an authorisation for placing in service of vehicles;
Where necessary, the proposer shall ensure, through contractual arrangements, that suppliers and service providers, including their subcontractors, participate in the risk management process described in the CSM.
Slide n° 36
B – Overview of Commission Regulation on CSM on Risk Assessment: Risk Management Process and Independent Assessment
Basically CSM is an iterative process made of 3 steps:
(a) Identification of hazards, associated safety measures and resulting safety requirements
(b) Risk analysis and risk evaluation based on existing risk acceptance principles
(c) Demonstration of the system compliance with the identified safety requirements
Additional requirements for mutual recognition:
(a) Hazard Management
(b) Independent Assessment (Assessment Body)
[Diagram: Iterative Risk Management Process “triggered” by a Significant Change. Preliminary System Definition → Significant Change? → RISK ASSESSMENT: SYSTEM DEFINITION, HAZARD IDENTIFICATION AND CLASSIFICATION, RISK ANALYSIS, RISK EVALUATION (vs. Risk Acceptance Criteria) using Codes of Practice, Similar Reference Systems or Explicit Risk Estimation, leading to Safety Requirements (i.e. safety measures to be implemented) → Demonstration of Compliance with Safety Requirements. Side bands: INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Ax III (2)(g) of SD]]
Slide n° 37
B – Overview of Commission Regulation on CSM on Risk Assessment: Entry into force
CSM Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union;
CSM Regulation shall apply in two steps:
(a) from 19 July 2010
(1) to all significant changes affecting vehicles, as defined in Article 2(c) of Directive 2008/57/EC;
(2) to all significant changes concerning structural sub-systems, where required by Article 15(1) of Directive 2008/57/EC or by a TSI;
(b) from 1 July 2012 to the whole scope as referred to in Article 5(1) of CSM Regulation, i.e. to other technical systems, operational and organisational changes considered to be significant by application of paragraph 2 in Article 4 of CSM Regulation;
In order to gain experience and enable the Agency to get feedback for reviewing the CSM at the latest at the end of 2011, the actors of the railway sector should apply the CSM Regulation on a voluntary basis to other changes (technical, operational and organisational) from 1 July 2010;
CSM Regulation shall not apply to systems and changes that are at an advanced stage of development, as defined in Directive 2008/57/EC, at the date of entry into force of the Regulation [Article 2(4) in CSM Regulation].
Slide n° 38
C. Guides for the application of the CSM Regulation
Slide n° 39
C - Guides for the application of the CSM Regulation: How was it elaborated?
During the elaboration of the CSM Recommendation, ERA worked in parallel on a "Guidance for Use" for supporting the CSM Recommendation;
Inputs for the "CSM Guidance for Use" [purely informative and not legally binding] were collected during CSM WG and CSM TF meetings, where members asked to describe further in the "Guidance for Use" requirements that could not be detailed at length in a legal text;
According to those requests, as well as to questions raised within internal ERA meetings, ERA elaborated an initial "Guidance for Use" and updated it against the different versions of the Agency CSM recommendation and Commission Regulation;
ERA regularly reported the progress on the guidance for use to the CSM WG during the plenary meetings;
Based on the content of the "Guidance for Use", CSM WG and ERA then agreed to split the "Guidance for Use" into two new separate documents:
1st document: "Guide for the Application of the Commission Regulation on CSM on Risk Assessment"
2nd document: "Collection of Examples of Risk Assessments and some possible Tools supporting the CSM"
Slide n° 40
C - Guides for the application of the CSM Regulation: Complementarities between Guide and Collection of RA examples
Structure of both documents mapped on the regulation;
[GUIDE]
Provides general comments and explanations that could not be put in the legal text. ERA has taken care not to introduce any new requirement via the document that is not already identified in the CSM Regulation;
[Guide] is more static and would not be modified unless the CSM process needs to be updated;
[COLLECTION OF EXAMPLES]
Provides additional information (e.g. reference to standards or possible ways to address the requirements of the CSM) and examples of risk assessments performed in the railway sector before the existence of the CSM;
Document offers the possibility to be updated with first implementations of the CSM process and any useful tools and techniques, or examples of RA, that could help other actors to apply the CSM;
Slide n° 41
C - Guides for the application of the CSM Regulation: Complementarities between Guide and Standards
[Diagram: Current Situation and Future Situation, each showing the EC Regulation and the Guide, with the Collection of Examples alongside]
Slide n° 42
D. 6 Detailed Presentations for different steps in CSM Process
Slide n° 43
D. Detailed Presentation of CSM Process: Go through different steps of CSM Process
For presentation purposes, CSM Process split into 7 topics (see questionnaire)
(1) Introduction
(2) What is a significant change?
(3) Hazard Identification phase;
(4) Risk analysis and evaluation
(5) Hazard Management and Hazard Records;
(6) Demonstration of system compliance with the safety requirements
(7) Independent assessment of correct application of CSM Process by an Assessment Body
[Diagram: the CSM process flow chart with topics (2) to (7) mapped onto its steps; side bands labelled INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Annex III (2)(g) of SD]]
Slide n° 44
F. 2nd example for CSM Application - Operational Change: Driver only operated train
1st example: operational change - System Definition
RU has decided to operate trains with Driver alone (Driver Only Operated train – DOO) on a route where previously there was an onboard guard to assist the driver with the train dispatching
Description of existing system: “explain clearly which tasks were performed by driver and which other ones were carried out by onboard staff (or guard) to assist the driver”
Description of change of driver's responsibilities due to removal of onboard assisting staff, “e.g. door closing before train departure”
Definition of additional technical requirements for system to cover needed changes in Driver Only Operation
Describe existing interfaces between onboard assisting staff, train driver and trackside staff of infrastructure manager
Slide n° 45
G. 3rd example for CSM Application - Organisational Change: Outsourcing of a maintenance branch of an IM
2nd example: organisational change - System Definition
A branch of an IM organisation, which until the change was performing some maintenance activities (other than signalling and telematics), had to be put in competition with other companies working in the same field. Direct impact: need for downsizing and redistribution of staff and tasks within the detached branch of the IM organisation put in competition
description of tasks performed by the existing organisation (i.e. by the IM organisation before making the change)
description of changes planned in the IM organisation to cope with subcontractors’ management
the interfaces of the "branch to be detached" with other surrounding organisations or with the physical environment were only briefly described. The boundaries were not 100 % clearly presented
Slide n° 46
G. 3rd example for CSM Application - Organisational Change: Outsourcing of a maintenance branch of an IM
2nd example: organisational change – Concerns for IM
IM staff affected by the change was in charge of emergency maintenance and repairs required by sudden errors on the infrastructure. Staff was also performing some planned or project based maintenance activities such as track packing, ballast cleaning, vegetation control
IM considered these tasks critical for safety and punctuality of operation; they must be analysed in order to find the right measures which ensure that the situation does not deteriorate, as many of the staff in charge of safety matters were leaving the IM organisation for the outsourced company
Same level of safety and train punctuality needed to be maintained during and after the change of the IM organisation
Slide n° 47
E. First example for CSM Application - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
3rd example: Change to a Technical System - System Definition
[Diagram: Existing technical system: Trackside Encoder → Trackside Loop; Release the signal (1); Movement Authority (MA); Extension of Movement Authority (MA) (2). Intended Change: Trackside Encoder → Radio In-fill Controller/Modem → GSM; Release the signal (1); Movement Authority (MA); Extension of Movement Authority (MA) (2)]
Slide n° 48
E. 1st example for CSM Application - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
3rd example - System Definition:
description of existing system: “loop+trackside encoder whose function in CCS is to release signal RG on approach of a train when section behind the signal is released by preceding train”
description of change planned by the proposer and the manufacturer: “replace trackside loop by Radio-Infill + Radio Controller + GSM to achieve same function”
Slide n° 49
General remarks on pre-workshop questionnaire
ERA asked the NSA to send to the participants, with the invitation, a preparatory pre-workshop questionnaire
ERA did not receive a lot of answers. Hence there are no replies reported in the presentation
Consequently this will leave more time for an open discussion (Questions/Answers) with the participants.
ILLUSTRATIVE EXAMPLES: in the questionnaire ERA invited participants to come with examples that they wanted to share and discuss with ERA and the other participants. As not many replies were received, no examples were proposed to illustrate some of the steps of the CSM process on risk assessment
Slide n° 50
(2) Significant Change
Slide n° 51
2 – Significant Change: First Step in CSM Process
For presentation purposes, CSM Process split into 7 topics (see questionnaire)
(1) Introduction
(2) What is a significant change?
(3) Hazard Identification phase;
(4) Risk analysis and evaluation
(5) Hazard Management and Hazard Records;
(6) Demonstration of system compliance with the safety requirements
(7) Independent assessment of correct application of CSM Process by an Assessment Body
[Diagram: the CSM process flow chart with topics (2) to (7) mapped onto its steps; side bands labelled INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Annex III (2)(g) of SD]]
Slide n° 52
2 – Significant Change: WHEN shall the CSMs be applied [Article 2]?
Applies to any change of the railway system in a Member State, as referred to in point (2)(d) of Annex III to Safety Directive 2004/49/EC, which is CONSIDERED TO BE SIGNIFICANT
Annex III(2)(d): requires that RU/IM SMS has "procedures and methods for carrying out risk evaluation ... whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations"
Such changes may be of technical, operational or organisational nature.
CSM shall be applied only to assess "predictively" the safety of significant changes of the railway system in a MS
CSM process need not be applied for non significant changes
[Diagram: Preliminary System Definition → Significant Change? (i.e. must CSM be applied or not?) → RISK ASSESSMENT → Demonstration of Compliance with Safety Requirements, with INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT alongside; stages labelled (I), (II), (III)]
Slide n° 53
2 – Significant Change: WHAT is a significant change? NR (if any) or expert judgement based on criteria
Article 4 of CSM Regulation
When notified national rules do not define what is a significant change, the proposer evaluates the significance of the change based on expert's judgement and the criteria in the CSM
1st check: is the change safety related?
1) NOT safety-related → not significant → no CSM, but record the decision;
2) YES safety-related → use the other criteria to evaluate whether the change is significant
Proposer should analyse all criteria and decide on their importance, but could take the decision based on only one or some of them
[Flow chart: Change → Safety Relevance: Is it safety related? No → C: Not significant (Record the decision). Yes → Other criteria (when no notified national rules, expert's judgement based on criteria): 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? → either B: Not significant (Record and justify the decision) (PRA) or A: Significant Change, Triggers CSM application. ! Evaluate Σ of previous non significant changes]
Slide n° 54
2 – Significant Change: RU/IM SMS – "Daily life" safety management
The process of deciding on a change will be set out in the SMS
For non significant safety related changes, though, the decisions still need to be recorded (could be an SMS process)
This helps the NSA in their supervisory role [e.g. preliminary risk analyses, risk analyses, justifications, arguments proportionate to the risk need to be documented]
CSM Regulation does not require the assessment body to check the evaluation of significance
Dissemination of Commission Regulation
on CSM on Risk AssessmentSlide n° 55
2 – Significant Change – Discussions/Questions: Use of criteria in CSM Regulation on some examples of changes
The Agency and a taskforce of experts from the railway sector analysed typical examples of borderline cases.
The analysis has shown that:
it is not possible to identify harmonised thresholds or rules;
it is not possible to provide an exhaustive list of significant changes;
decisions are unlikely to be the same for all proposers.
The responsibility for the decision lies with the proposer, who is responsible [in accordance with Article 4(3) of Railway Safety Directive 2004/49/EC] for the safe operation and control of the risks associated with their part of the system.
Feedback from the application of the CSM will help the Agency to decide whether a revision of the criteria and process is needed.
Slide n° 56
Application to practical examples
Slide n° 59
2 – Significant Change – Operational Change: Driver Only Operated Train (DOO)
● Change description: operate trains by the driver alone (DOO) on a route where previously there was an onboard guard to assist the driver with train dispatching.
● Significant change? (need to cover all questions):
Safety relevant? YES: completely different way of managing train service operation.
Low novelty? NO: driver's responsibility extended, requiring new tasks.
Low complexity? NO: driver's errors could lead to catastrophic consequences.
● Consequence: apply CSM Process.
[Figure: decision flowchart for the change "Driver Only Operation": Safety relevance (is it safety related? Yes/No) → Other criteria (1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)?) → Significant change: apply CSM Process.]
Slide n° 60
2 – Significant Change – Organisational Change: Outsourcing of a maintenance branch of an IM
● Change description: outsource the maintenance branch of an IM and put it in competition with other companies working in the same field.
● Significant change? (need to cover all questions):
Safety relevant? YES: downsizing, redistribution of staff and tasks, same work with less staff.
Low novelty? NO: contractual relation and follow-up.
Low complexity? NO: new functions in the remaining IM organisation to follow up the subcontractor.
Easy monitoring? NO: not easy to check subcontractor efficiency.
● Consequence: apply CSM Process.
[Figure: decision flowchart for the change "outsourcing of a maintenance branch of IM": Safety relevance (is it safety related? Yes/No) → Other criteria (1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)?) → Significant change: apply CSM Process.]
Slide n° 61
2 – Significant Change – Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
● Change description: replace a trackside loop located before a signal by a "radio infill + GSM" sub-system.
● Significant change? (need to cover all questions):
Safety relevant? YES: the signal in front of the train could be released whereas the preceding train still occupies the section.
Low novelty? NO: new principles and technology for the manufacturer.
Low complexity? NO: change complex to carry out.
● Consequence: apply CSM Process.
[Figure: decision flowchart for the change "Loop Radio-In-fill": Safety relevance (is it safety related? Yes/No) → Other criteria (1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)?) → Significant change: apply CSM Process.]
Slide n° 62
Discussions/Questions
+
Replies to pre-workshop questionnaire
Slide n° 63
2 – Significant Change – Answers received to questionnaire
Question: Do you have (1) national rules, (2) criteria, (3) examples of significant/non significant change? (1/3)
The Railway Act obliges IMs and RUs to inform the Estonian Technical Surveillance Authority (ETSA = NSA) regarding changes in the data of the safety certificate.
Primarily influence on the SMS as a whole – division of the enterprise, merger, changes in national legislation, technical reorganisation. There are no National Safety Rules in Estonia to judge whether a change is significant or not, but certainly failure consequence and novelty are considered.
Otherwise, there are no other criteria. In some cases the quality management system is taken into account.
Example: one of the major developments is the introduction of a one-person crew in EMUs.
When the safety related change is not significant, the assessment is documented through amendment of internal regulations.
Slide n° 64
(3) Hazard Identification
Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment
Slide n° 65
3 – Hazard Identification – (2) Step in CSM Process
For presentation purposes, CSM Process split into 7 topics (see questionnaire)
(1) Introduction
(2) What is a significant change?
(3) Hazard Identification phase;
(4) Risk analysis and evaluation
(5) Hazard Management and Hazard Records;
(6) Demonstration of system compliance with the safety requirements
(7) Independent assessment of correct application of CSM Process by an Assessment Body
[Figure: CSM process diagram with steps (2) to (7); INDEPENDENT ASSESSMENT; HAZARD MANAGEMENT [Annex III (2)(g) of SD].]
Slide n° 66
3 – Hazard Identification – Why is it important?
• What is the “Hazard Identification” and why is it important:
The hazard identification is the first step in the risk analysis process.
The process needs to be re-iterated and completed until all reasonably foreseeable hazards have been identified correctly.
It is important because, if hazards are not identified, they will not be assessed and covered by the risk management process.
Slide n° 67
3 – Hazard Identification – What are the first steps?
• What are the first steps of the “Hazard Identification”:
The system definition is important because it specifies the functions and the interfaces of the system. Based on it, the hazards can be identified properly.
It is necessary to look at the hazards from all relevant contributors.
THEN: systematically identify the hazards and the level of detail, taking into account: modes of operation; different types of the system; human factors; environment; failure modes; safety relevant factors.
Slide n° 68
3 – Hazard Identification – What level of detail is required?
• What is the required level of detail:
The level of the hazard identification should correspond to the scope of the significant change under study and to the requirements for proving acceptable risk.
If a code of practice or a reference system is used, then the level of detail at which the hazards are defined needs only to correspond to the level defined by the code of practice or reference system.
It may involve several iterations in order to obtain the necessary level of detail to ensure that the correct decision is made on the necessary control measures.
Slide n° 69
3 – Hazard Identification – Levels and iterations
• Talking about levels and iterations:
[Figure: hazard tree. Top level Hazard X; 2nd level (causes): Sub-hazard Y, controlled by requirements from a CoP (e.g. a standard), owned by actor A (e.g. manufacturer); Sub-hazard Z, controlled by requirements from explicit risk analysis, owned by actor B (e.g. RU).]
Slide n° 70
3 – Hazard Identification – What is broadly acceptable?
• What is “broadly acceptable”:
• A part of the “Hazard Identification” process is the decision whether the hazards are broadly acceptable or not broadly acceptable.
• This means: considering and reviewing all the reasonably foreseeable hazards and classifying them according to the estimated risk arising from them.
• This process ensures that the correct priority is assigned to each of the hazards, enabling the right selection of the risk control measures.
• The decision is based on expert judgement.
[Figure: Broadly acceptable risks → nothing further required, registered in the Hazard Record; Not broadly acceptable → follow the risk management process.]
Slide n° 71
3 – Hazard Identification – What is expert judgement?
• What is “expert judgement”:
An expert is competent to make decisions that are suitable and sufficient for the situation in which the expert is acting.
The decision to label a hazard as “broadly acceptable” without further analysis is logged in the hazard record and will be reviewed by the Independent Safety Assessor.
[Figure: Competence = Skills + Knowledge + Experience.]
Slide n° 72
Application to practical examples
Slide n° 73
3 – Hazard Identification – Operational Change: Driver Only Operated Train (DOO)
[Figure: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT process diagram.]
System Description:
description of the existing system: which tasks were performed by the train driver and which other ones by onboard staff (or guard) to assist the driver;
existing interfaces between onboard assisting staff, driver and trackside staff of the Infrastructure Manager;
change of the driver's responsibilities due to removal of onboard assisting staff;
the technical requirements for the overall system to cover changes in operation.
Hazard Identification: [HAZOP – Hazard and Operability Studies]
Brainstorming by a group of multidisciplinary experts with different backgrounds:
Safety experts from the RU;
Train drivers' and staff's representatives for their operational experience (onboard accompanying staff);
IM representatives, as the infrastructure could also be affected by the change, implying e.g. changes to stations (e.g. installation of mirrors/closed circuit television [CCTV] at platforms) to help the driver;
Trackside staff of the IM.
Slide n° 80
3 – Hazard Identification – Operational Change – 1st example: Driver Only Operated Train (DOO)
• Question answered during the HAZOP brainstorming session:
“What could be key operational hazards at stations and on existing routes where the driver is currently assisted by onboard or trackside staff (door opening, closure check, etc.)?”
• Each of the identified hazards was assigned a level of severity of risk and consequences (high, medium, low). The impact of the proposed change was reviewed against them (increased, unchanged, decreased risk).
• Examples of hazards identified during the performed HAZOP (one way of proceeding) were:
Train departure without closing doors → passengers could fall down onto the track
Door opening on the wrong side → passengers could fall down onto the track
Door closing while passengers are still getting onboard → passengers could be caught between the doors
Slide n° 81
3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM
[Figure: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT process diagram.]
• System Description:
Change: detachment of a new branch office from the mother company, in order to put it in a competitive situation with other similar companies.
Description of the tasks performed by the existing IM organisation;
Description of the changes that are planned in this organisation;
Description of the interfaces of the "branch to be detached" with other surrounding organisations or with the physical environment.
• Hazard Identification: [HAZOP – Hazard and Operability Studies]
Brainstorming by a group of experts to find all hazards associated with the intended change:
Safety experts from the IM;
System engineers/experts;
Train drivers;
IM staff's representatives from the maintenance department;
Etc.
Slide n° 82
3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM
• During the HAZOP brainstorming session:
The hazards were identified and listed;
The causes for each hazard were listed;
The expected frequency (rough estimates) was documented;
The related consequences were documented in terms of:
o Severity → high, medium, low risk;
o Impact of the change compared to the initial situation → increased, unchanged, decreased risk;
The related actions that need to be taken in order to mitigate the respective risks were described;
Interdependencies and interfaces between the detached branch and the rest of the IM organisation were examined very carefully.
Slide n° 83
3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis
(Table columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for implementing the measure | Safety Measures)
Unwanted event (Hazard) 1: Reduced motivation among employees remaining in Company.
Cause: staff continuing to leave without stop; demotivated / worn out managers; missing colleagues, missing certain tasks; lack of loyalty knowing that the workplace is not going to stay; heavy workload; uncertainty.
Consequence: tasks not performed; emergency maintenance instead of planned maintenance; collective worker actions (calling in sick etc.); lack of trust in Company for the managers at IM level.
Type of loss: Safety
Risk: Higher
Responsible for implementing the measure: (not filled in on the slide)
Safety Measures: new round of motivational work for the staff, to be performed in smaller groups; reallocation of funds so that Company gets meaningful tasks to perform; more frequent inspections by the track manager; allocate funds to make sure that key staff stays throughout the process; give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks; etc.
Slide n° 84
3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis
(Table columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for implementing the safety measure | Safety Measures)
Unwanted event (Hazard) 10: Lack of competency in the performance of tasks.
Cause: subcontractors of the IM lacking skill, competency and quality control.
Consequence: violation of safety rules; increased accident frequency.
Type of loss: Safety
Risk: Higher
Responsible for implementing the safety measure: (not filled in on the slide)
Safety Measures: increased demand for documented competence; systematic control of performed tasks.
Unwanted event (Hazard) 11: Uncertainty of roles and responsibilities in the interface between Company and IM.
Cause: different understandings of roles and responsibilities; track manager responsible for accessible tracks, but not for the downsizing, and can therefore not take this into account when planning/prioritizing work tasks; track manager lacks overview of the competencies available in Company; coordination problems for the delivery when coordination responsibilities are transferred to the track manager.
Consequence: tasks not being performed or being performed twice; lack of coordination of resources.
Type of loss: Safety
Risk: Higher
Responsible for implementing the safety measure: (not filled in on the slide)
Safety Measures: define roles and responsibilities; map all interfaces and define who is responsible for the interfaces.
Slide n° 85
3 – Hazard Identification – Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
[Figure: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT process diagram.]
System Description:
Existing system: "loop + encoder" and their functions in the CCS: "release the signal on approach of a train when the section behind the signal (i.e. in front of the approaching train) becomes unoccupied";
Change planned by the proposer and the manufacturer;
Description of the functional and physical interfaces of the loop with the rest of the system.
• Hazard Identification: [HAZOP – Hazard and Operability Studies]
Brainstorming by a group of experts to find all hazards associated with the intended change:
Safety experts from the manufacturer;
Safety experts from the RU;
Safety experts from the IM;
Train drivers;
Designers of the trackside encoder and of the loop;
Experts in communication systems;
Etc.
Slide n° 86
3 – Hazard Identification – Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
• Examples of hazards identified during the HAZOP (one way of proceeding):
“Loop” and “Radio infill” shall achieve the same function, i.e. “release the signal RG on approach of a train when the section behind the signal is released by the preceding train”.
Same top level hazard: “provide a too permissive movement authority (MA) to the approaching train, whereas the preceding train still occupies the section in front of the signal”.
Sub-hazards of the top hazard (“provide too permissive MA…”):
“transmission by hackers of unsafe information in the air gap”, since the "radio infill + GSM" is an open transmission sub-system;
“delayed transmission or transmission of memorised data packets in the air gap” (i.e. possibly unsafe);
systematic software errors in the additional equipment (gateway or Radio Controller) which has interfaces with the unchanged “Trackside encoder”;
Etc.
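As an added example (not part of the ERA slides and not any project's code), the following Python sketch shows how the trackside receiver can detect the two air-gap sub-hazards listed above, injected unsafe data and delayed or replayed (memorised) telegrams, with the defences EN 50159 prescribes for open transmission systems: a keyed safety code, a sequence number and a time stamp. The telegram layout, the key and all names are assumptions; every failed check leaves the signal in its restrictive state.

```python
"""Added example, not taken from the ERA slides: receiver-side checks for the two
air-gap sub-hazards of the "radio infill + GSM" sub-system (injected unsafe data,
delayed or replayed telegrams), using the EN 50159 defences for open transmission
systems: keyed safety code, sequence number and time stamp.
The telegram layout, the key and all names are assumptions for this example."""
import hashlib
import hmac
import struct

# Assumed telegram layout: seq (u32) | timestamp_ms (u64) | payload | 32-byte HMAC-SHA256
HEADER = struct.Struct("!IQ")
TAG_LEN = 32


def build_telegram(key: bytes, seq: int, ts_ms: int, payload: bytes) -> bytes:
    """Sender side (radio infill unit): append the keyed safety code to seq|ts|payload."""
    body = HEADER.pack(seq, ts_ms) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class InfillReceiver:
    """Trackside side: a telegram is acted upon only if it is authentic, newer than the
    last accepted one, and not older than max_age_ms. Anything else is rejected and the
    signal stays in its restrictive state (no release), which is the safe side."""

    def __init__(self, key: bytes, max_age_ms: int = 500):
        self.key = key
        self.max_age_ms = max_age_ms
        self.last_seq = -1
        self.rejections = []  # (reason, seq) entries: evidence for the hazard record

    def accept(self, telegram: bytes, now_ms: int):
        """Return (payload, "ok") or (None, reason)."""
        if len(telegram) < HEADER.size + TAG_LEN:
            return self._reject("malformed", None)
        body, tag = telegram[:-TAG_LEN], telegram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # Sub-hazard 1: unsafe information inserted or corrupted in the air gap.
            return self._reject("bad safety code", None)
        seq, ts_ms = HEADER.unpack_from(body)
        if seq <= self.last_seq:
            # Sub-hazard 2a: a memorised telegram is repeated (replay / re-sequencing).
            return self._reject("replay", seq)
        if now_ms - ts_ms > self.max_age_ms:
            # Sub-hazard 2b: authentic but delayed; section occupation may have changed.
            return self._reject("stale", seq)
        self.last_seq = seq
        return body[HEADER.size:], "ok"

    def _reject(self, reason: str, seq):
        self.rejections.append((reason, seq))
        return None, reason


def run_scenario():
    """Constructed traffic: one good telegram, a replay of it, one built without the
    shared key, a delayed one and a fresh one. Returns the list of verdicts in order."""
    key = b"constructed-demo-key"  # constructed; a real key comes from key management
    rx = InfillReceiver(key, max_age_ms=500)
    good = build_telegram(key, 1, 1000, b"SECTION_FREE")
    unkeyed = build_telegram(b"wrong-key", 2, 1200, b"SECTION_FREE")  # injected
    delayed = build_telegram(key, 2, 1200, b"SECTION_FREE")
    fresh = build_telegram(key, 3, 2100, b"SECTION_OCCUPIED")
    return [
        rx.accept(good, 1100)[1],     # ok
        rx.accept(good, 1300)[1],     # replay: seq 1 already consumed
        rx.accept(unkeyed, 1300)[1],  # bad safety code
        rx.accept(delayed, 2000)[1],  # stale: 800 ms old, window is 500 ms
        rx.accept(fresh, 2200)[1],    # ok
    ]
```

The `rejections` list is what the hazard record would point to as evidence that the safety requirement derived from these sub-hazards is actually enforced.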
Slide n° 87
Discussions/Questions
+
Replies to pre-workshop questionnaire
Slide n° 88
3 – Hazard Identification – SUMMARY of the answers to questionnaire
2.4(a) Do you have a process to define and identify hazards? If so, can you describe it?
Different approaches are used – for the assessment of railway safety hazards the standard EVS-EN 50126-1-2005 and the methodology deriving from the Emergency Act, for assessing hazards concerning the working environment the Working Environment Act is taken into account. Internal risks of the enterprise are assessed in accordance with the methodology of SMS risk assessment. Specific guides are absent.
2.4(b) Do you assess all hazards or do you just assess certain types? What are your criteria?
The primary focus is on risks that lead to the results described in § 40 of the Railway Act – accident, incident, precursors to incidents.
2.4(c) How do you ensure that all the necessary hazards are identified?
Assurance will come from using specialists from different specific subject fields for internal audits, operational audits and accident statistics.
Slide n° 89
3 – Hazard Identification – SUMMARY of the answers to questionnaire
2.4(d) What issues do you consider when assessing hazards? How do you prioritise?
The primary focus is on risks that lead to the results described in § 40 of the Railway Act (accident, incident, precursors to incidents). We distinguish different levels of difficulty of railway accidents and incidents: I and II category railway accidents, collisions, incidents and impacts.
2.4(e) How do you define what is "broadly acceptable"?
The result is unlikely or does not lead to the results described in § 40 of the Railway Act.
2.4(f) Do you have a process for transferring hazards to the different players involved in a project? If so, describe the process. (1/2)
Primarily through internal office routines, in some cases taking into account the management system.
Slide n° 90
3 – Hazard Identification – SUMMARY of the answers to questionnaire
2.4(g) Is there a link between the level of detail in the hazard identification and the risk acceptance principles used for controlling the hazards? What rules do you apply for that?
Results described in § 40 of the Railway Act, using the documents (methodologies) named in 3.5 (a).
Slide n° 91
(4) Risk Analysis and Evaluation
Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment
Slide n° 92
4 – Risk Analysis and Evaluation – (3) Step in CSM Process
For presentation purposes, CSM Process split into 7 topics (see questionnaire)
(1) Introduction
(2) What is a significant change?
(3) Hazard Identification phase;
(4) Risk analysis and evaluation
(5) Hazard Management and Hazard Records;
(6) Demonstration of system compliance with the safety requirements
(7) Independent assessment of correct application of CSM Process by an Assessment Body
[Figure: CSM process diagram with steps (2) to (7); INDEPENDENT ASSESSMENT; HAZARD MANAGEMENT [Annex III (2)(g) of SD].]
Slide n° 94
4 – Risk Analysis and Evaluation – Principles? Hazard Control based on 3 Risk Acceptance Principles
• The risk acceptability of non broadly acceptable hazards is evaluated by one or more of the 3 Risk Acceptance Principles (RAP):
1. application of codes of practice
2. comparison with similar Reference Systems
3. explicit risk estimation & Risk Acceptance Criteria
• The proposer is responsible to:
1. demonstrate that the selected RAP is adequately applied
2. check that the selected RAP is used consistently
• Output: set of safety requirements and measures to implement + demonstration of their achievement
The CSM does not impose any order of priority between the 3 RAP.
[Figure: Iterative Risk Management Process. SYSTEM DEFINITION (Preliminary System Definition) → Significant Change? → RISK ASSESSMENT: RISK ANALYSIS (HAZARD IDENTIFICATION AND CLASSIFICATION; Codes of Practice / Similar Reference Systems / Explicit Risk Estimation) → RISK EVALUATION (vs. Risk Acceptance Criteria) → Safety Requirements (i.e. safety measures to be implemented) → Demonstration of Compliance with Safety Requirements; INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Annex III (2)(g) of SD] alongside.]
Slide n° 95
4 – Risk Analysis and Evaluation – WHO? Proposer decides on the RAP to use
[Figure: RISK ASSESSMENT flowchart. Hazards associated with Significant Risks → Selection of Risk Acceptance Principle → (I) CODES OF PRACTICE: Application of Codes of Practice → Comparison with Criteria → Acceptable Risk? YES/NO; (II) SIMILAR REFERENCE SYSTEM(S): Similarity Analysis with Reference System(s) → Comparison with Criteria → Acceptable Risk? YES/NO; (III) EXPLICIT RISK ESTIMATION: Identification of Scenarios & associated Safety Measures → Estimate Frequency, Estimate Severity, Estimate Risk (Quantitative / Qualitative) → Safety Criteria? → Comparison with Criteria → Acceptable Risk? YES/NO → RISK EVALUATION → Safety Requirements (i.e. the Safety Measures to be implemented) → Demonstration of Compliance with the Safety Requirements; HAZARD MANAGEMENT and INDEPENDENT ASSESSMENT alongside.]
• If there are no notified National Rules, the proposer is free to decide which RAP to use for controlling hazards [flexibility]
• The Assessment Body shall refrain from imposing the RAP to be used by the proposer [challenge the proposer]
Whatever RAP is used, it must be adequately applied + the link RAP–hazard recorded
Types of Risk Acceptance Principles:
(I) CoP, e.g. TSI, EN standards, NNR, etc. (compatible with rule based approaches)
(II) Similar Reference Systems, e.g. GAME
(III) Explicit Risk Estimation (could be quantitative or qualitative)
Slide n° 96
4 – Risk Analysis and Evaluation – Use of codes of practice (CoP) and risk evaluation (1/3)
• The Codes of Practice (CoP) shall at least satisfy the following requirements:
(a) be widely acknowledged in the railway domain. If that is not the case, the CoP has to be justified and be acceptable to the assessment body;
(b) be suitable for the control of the considered hazards;
(c) be publicly available for all actors who want to use them.
• Examples of CoP:
TSIs and other mandatory European standards;
Notified National Safety and Technical Rules (technical standards or statutory documents) and, if relevant, non mandatory European standards;
If the conditions for the usage of CoP are fulfilled, then internal rules or standards issued by an actor of the railway sector might be used as CoP too.
CoP from other industries (e.g. nuclear power, military and aviation) can also be applied for certain technical applications in railway systems, if it is demonstrated that the CoP is effective for controlling the considered railway hazards.
Slide n° 97
4 – Risk Analysis and Evaluation – Use of codes of practice (CoP) and risk evaluation (2/3)
• If the conditions for the usage of CoP are fulfilled, then for the hazards which are controlled in this way:
The risks need not be analysed further and are considered as acceptable;
The risk management process may be limited to:
hazard identification;
registration in the Hazard Record of the use of the CoP as a safety requirement for these hazards.
Therefore, in this case, the application of the complete CSM Process includes:
the correct application of the requirements from the CoP;
the documentation of the evidence;
the independent assessment of the application of the CoP.
Slide n° 98
4 – Risk Analysis and Evaluation – Use of codes of practice (CoP) and risk evaluation (3/3)
What to do when there are deviations from the CoP and the identified hazards cannot be controlled (completely) by a CoP?
• If one or more conditions from the CoP are not fulfilled by the system under assessment, then the related CoP can still be used for controlling the hazards, provided that the proposer demonstrates that at least the same level of safety is achieved.
• If for a hazard the risk cannot be made acceptable by the application of a CoP, or if a CoP does not sufficiently cover the identified hazards (e.g. the CoP is not applicable to the full range of hazards), additional safety measures shall be identified for controlling those hazard(s) by using either other CoP or one of the other 2 RAP (Reference System or Explicit Risk Estimation).
Slide n° 99
4 – Risk Analysis and Evaluation – Use of Reference Systems (RefSyst) and risk evaluation (1/2)
• The Reference System (RefSyst) shall at least satisfy the following requirements:
it has already been proven in use to have an acceptable safety level and would still qualify for approval (i.e. would be accepted) in the Member State where the change is to be introduced;
“would still be accepted in the Member State”? E.g. it can happen that the safety performance of the considered RefSyst is not appropriate for the system under assessment, because it is based on a too old technology;
it has similar functions and interfaces as the system under assessment;
it is used under similar operational conditions as the system under assessment;
it is used under similar environmental conditions as the system under assessment.
• If the conditions for the usage of the RefSyst are fulfilled, then for the hazards controlled in this way:
the risks are considered as acceptable (no further risk analysis required);
the safety requirements for the hazards covered by the RefSyst may be derived from the safety analysis, or from an evaluation of the safety records of the RefSyst;
these safety requirements shall be registered in the Hazard Record as safety requirements for the assessed hazard.
Slide n° 100
4 – Risk Analysis and Evaluation – Use of Reference Systems (RefSyst) and risk evaluation (2/2)
What to do when there are deviations from the RefSyst and the identified hazards cannot be controlled completely by a RefSyst?
• The risk evaluation shall demonstrate that the system under assessment achieves at least the same safety level as the RefSyst. Therefore, on deviations:
an explicit risk estimation may be necessary in order to show this correspondence (that the level of risk is at least as good as that of the RefSyst);
• If the same safety level as the one of the reference system cannot be demonstrated (or if the conditions are not fulfilled), then additional safety measures shall be identified for the deviations, applying one of the 2 other RAP (CoP or Explicit Risk Estimation).
Slide n° 101
4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation
When hazards cannot be covered by a CoP or a RefSyst, the demonstration of risk acceptability is to be performed by explicit risk estimation and evaluation.
• Risks shall be estimated either quantitatively or qualitatively, taking into account the existing safety measures within the system.
• For example, the need for the use of an explicit risk estimation could typically arise:
when the system under assessment is entirely new, or
where there are deviations from a CoP or a RefSyst, or
when the chosen design strategy does not allow the usage of a CoP or a similar RefSyst, e.g. because of a wish to produce a more cost effective design that has not been tried before.
• As soon as the risk(s) which are controlled by an explicit risk estimation are considered acceptable, the identified safety measures are registered in the Hazard Record.
Slide n° 102
4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation
• The explicit risk estimation is not necessarily always quantitative. It can be:
quantitative, if sufficient quantitative information is available in terms of frequency of occurrence and severity;
semi-quantitative, e.g. if such quantitative information is not sufficiently available, or
even qualitative, when quantification is not possible.
• If the estimated risk is not acceptable in spite of the available safety measures, then, in order to reduce the risk to an acceptable level, additional safety measures shall be identified and implemented.
[Figure: RISK ASSESSMENT flowchart with the three RAP branches (Codes of Practice; Similar Reference System(s); Explicit Risk Estimation: Identification of Scenarios & associated Safety Measures → Estimate Frequency, Estimate Severity, Estimate Risk, Quantitative / Qualitative → Safety Criteria? → Comparison with Criteria → Acceptable Risk?) leading to RISK EVALUATION, the Safety Requirements (i.e. the Safety Measures to be implemented) and the Demonstration of Compliance with the Safety Requirements; same diagram as on slide n° 95.]
Slide n° 103
• In order to evaluate whether risks are acceptable or not, Risk Acceptance Criteria (RAC) are necessary. They can be either “implicit” or “explicit”: risks controlled by the application of a CoP or by a
comparison with a RefS yst are considered acceptable without a need to apply an additional “explicit” risk estimation
whereas the acceptability of risk(s) controlled by the application of an “explicit risk estimation” requires “explicit RAC” to be defined
• The level of the RAC needs to match with the complexity of the assessed significant change: e.g. when modifying the type of an axle in the RS, it is not
necessary to evaluate the overall railway system risk . The definition of the RAC can focus on the safety level of the RS.
respectively, large changes or additions to an existing systemshould not be evaluated only based on the safety performance of individual functions or changes. The acceptability of the change should be evaluated also at the level of the railway system as a whole
4 – Risk Analysis and EvaluationUse of explicit risk estimation and evaluation - RAC
[Figure: the same CSM risk assessment flow, annotated with where the two kinds of RAC apply: "Implicit RAC" on the codes of practice and similar reference system(s) branches, "Harmonised explicit RAC" on the explicit risk estimation branch (quantitative or qualitative: identification of scenarios and associated safety measures, estimate frequency, estimate severity, estimate risk). Each branch is followed by risk evaluation (comparison with criteria, "Acceptable risk?"), then by the safety requirements and the demonstration of compliance with them. Hazard management and independent assessment run alongside.]
Slide n° 104
4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation – RAC-TS
One RAC for technical systems (RAC-TS) has already been harmonised in the CSM Regulation:
• "Where hazards arise from failures of technical systems not covered by codes of practice or the use of a reference system, the following risk acceptance criterion shall apply for the design of the technical system: for technical systems where a functional failure has a credible direct potential for a catastrophic consequence, the associated risk does not have to be reduced further if the rate of that failure is less than or equal to 10^-9 per operating hour."
Nevertheless, if the proposer can demonstrate that the national safety level can be maintained with a less demanding criterion than 10^-9, that criterion can be used by the proposer after agreement with the assessment body.
• "If a technical system is developed by applying the 10^-9 criterion defined in paragraph 4, mutual recognition shall be applied according to section 5.3."
• "Without prejudice to the procedure specified in Article 8 of Directive 2004/49/EC, a more demanding criterion may be requested, through a national rule, in order to maintain a national safety level. However, in the case of additional authorisations for placing in service of vehicles, the procedures of Articles 23 and 25 of Directive 2008/57/EC shall apply."
Note that the criterion is a rate per operating hour of the dangerous failure of the function, applied at the design level of the technical system; it is not a bound on the overall railway system risk, and it applies only to hazards not already controlled by a CoP or a reference system.
Slide n° 106
4 – Risk Analysis and Evaluation – Mutual Recognition
• In general: the CSM Regulation requires mutual recognition of the results of the risk assessment (independently of the type of RAP used).
• The mutual recognition shall be based on the evidence of fulfilment of the harmonised requirements along the steps of the CSM process.
• For this reason, for mutual recognition, the full CSM risk assessment process must be applied by the Proposer:
- identification of the safety measures and Safety Reqs associated with each particular hazard;
- registration and management of the hazards and the safety measures in the Hazard Record;
- demonstration of the system's compliance with the safety requirements.
• The documentation of all the evidence showing the correct application of the CSM process should be accessible to the Assessment Body. It shall at least include:
- the description of the organisation and experts put in place to carry out the risk assessment;
- the results from the different steps of the CSM process, including a list of the SR to be implemented to control the risks to an acceptable level.
• Independent assessment by an AB; its conclusions form an Assessment Report.
• Change accepted by the Proposer based on the Independent Assessment Report.
Slide n° 107
4 – Risk Analysis and Evaluation – Mutual Recognition – Independent Assessment by AB on Deviations
• The Assessment Bodies in other MS must apply mutual recognition to a system evaluated, assessed and accepted according to the CSM process (previous slide).
• The system can be used in another MS if the Proposer demonstrates that:
- the system will be used under the same functional, operational and environmental conditions that were initially approved in the related MS;
- an equivalent RAP (one that is acceptable in the other MS) has been applied for controlling the identified hazards; hence the importance of recording in the Hazard Record which RAP was used for each hazard (the [RAP–Hazard] link).
• If one of these conditions is not fulfilled, mutual recognition is still possible but not automatic:
- the Assessment Body should apply the principle of mutual recognition to the part of the system which fulfils the conditions;
- the proposer will have to identify the deviations from the already accepted system and apply the CSM risk management and assessment process to the identified deviations;
- the AB assesses independently the correct application of the CSM process to the deviations.
Slide n° 108
Application to practical examples
Slide n° 109
4 – Risk Analysis and Evaluation – Operational Change – 1st example: Driver Only Operated Train (DOO)
• Use of Codes of Practice and Reference Systems: both a CoP (i.e. a set of standards for Driver Only Operation) and similar Ref Systems were used to define the safety requirements for the identified hazards, such as:
- revised operational procedures for the driver, required to operate the trains safely without onboard assistance (in compliance with the requirements of the applicable CoP and the relevant Ref Syst);
- a requirement for additional equipment onboard or on the track to ensure safe and reliable means of train dispatch;
- a checklist for ensuring that the driver's cab is suitable, taking into account the interface between the railway system (both onboard and trackside) and the driver.
Slide n° 110
4 – Risk Analysis and Evaluation – Organisational Change – 2nd example: Outsourcing of a maintenance branch of an IM
• "Use of Ref System and Risk Evaluation" + "Explicit risk estimation and evaluation":
- The system before the change was judged to have an acceptable level of safety. It was thus used to derive the Risk Acceptance Criteria for the system under assessment, i.e. the aim was to "maintain at least the same level of safety and punctuality throughout the change process and after the change".
- The HAZOP analysis used a checklist method describing a list of hazards (unwanted events), their causes, the related consequences and frequencies (rough estimates), and the related actions that need to be taken to mitigate these risks. Interdependencies and interfaces between the detached branch and the rest of the IM organisation were particularly examined.
- Each hazard with increased risk was counterbalanced by appropriate identified risk-reducing measures. The residual risk was compared against the risk acceptance criteria to check whether additional measures needed to be identified.
Slide n° 111
4 – Risk Analysis and Evaluation – Organisational Change – 2nd example: Outsourcing of a maintenance branch of an IM
• This "Hazard and Risk Analysis" was documented in a table describing the identified hazards, evaluating the severity and suggesting risk mitigation / control measures (see next slides).
• The Risk Analysis table was mirrored within the Hazard Record/Log (see the dedicated module of the presentation). The Hazard Record includes additional information: who is responsible for implementing the measure, the deadline for the implementation, and who is in charge of verifying both the implementation and the efficiency of the identified measure(s).
• Indeed, for such organisational changes, the efficiency of the identified actions and decisions had to be monitored to verify whether they fully control the considered risk.
• This is natural, as it may be difficult to foresee and measure the exact result of a safety measure related to an organisational issue (such as training, motivation of staff, etc.), and the effects have to be followed up closely in a longer process where the analysis is continuously updated.
Slide n° 112
4 – Risk Analysis and Evaluation – Organisational Change – 2nd example: Outsourcing of a maintenance branch of an IM
• Therefore, the risk analysis and the hazard record/log were living documents. The efficiency of the decided actions was monitored at regular intervals to check whether the conditions had changed and whether the risk analysis and risk evaluation needed to be updated. They were updated when actions were performed and hazards "closed". A status field was updated to describe what actions had been taken or were under way.
• If any circumstances changed compared to the initial context of the risk analysis, the risk analysis and hazard record/log had to be updated to ensure that hazard and risk remained under control.
• The hazards that could not be closed (as not all the measures could be implemented or verified rapidly) were followed up. Their status was monitored and rechecked on several occasions (with further dated status columns added to the hazard record/log table) to verify that all the hazards would finally be closed.
Slide n° 113
4 – Risk Analysis and Evaluation – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis
(Table columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for implementing safety measure | Safety Measures)
Hazard 1: Reduced motivation among employees remaining in Company. Staff continuing to leave without stop. Demotivated / worn-out managers.
- Cause: missing colleagues, missing certain tasks; lack of loyalty, knowing that the workplace is not going to stay; heavy workload; uncertainty.
- Consequence: tasks not performed, increased build-up of unperformed work; emergency maintenance instead of planned maintenance; collective worker actions (calling in sick, etc.); lack of trust in Company for the managers at IM level.
- Type of loss: Safety. Risk: Higher. Responsible for implementation: not filled in on the slide.
- Safety measures: new round of motivational work for the staff, to be performed in smaller groups; reallocation of funds so that Company gets meaningful tasks to perform; more frequent inspections by the track manager; allocate funds to make sure that key staff stay throughout the process; give special attention to making sure that information and knowledge is transferred between leaving employees and those who take over the tasks; etc.
Slide n° 114
4 – Risk Analysis and Evaluation – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis
(Table columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for implementing safety measure | Safety Measures)
Hazard 10: Lack of competency in the performance of tasks.
- Cause: subcontractors of the IM lacking skill, competency and quality control.
- Consequence: violation of safety rules; increased accident frequency.
- Type of loss: Safety. Risk: Higher. Responsible for implementation: not filled in on the slide.
- Safety measures: increased demand for documented competence; systematic control of performed tasks.
Hazard 11: Uncertainty of roles and responsibilities in the interface between Company and IM.
- Cause: different understandings of roles and responsibilities; the Track Manager is responsible for accessible tracks but not for the downsizing, and can therefore not take it into account when planning / prioritising work tasks; the Track Manager lacks an overview of the competencies available in Company; coordination problems for the delivery when coordination responsibilities are transferred to the Track Manager.
- Consequence: tasks not being performed, or being performed twice; lack of coordination of resources.
- Type of loss: Safety. Risk: Higher. Responsible for implementation: not filled in on the slide.
- Safety measures: define roles and responsibilities; map all interfaces and define who is responsible for the interfaces.
Slide n° 115
4 – Risk Analysis and Evaluation – Change to a Technical System – 3rd example: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
• Use of a Ref System and Risk Evaluation: the system before the change (the loop) was judged to have an acceptable level of safety for the function of releasing the signal. It is used as a Ref Syst to derive the safety requirements for the radio in-fill sub-system.
• Explicit Risk Estimation and Evaluation:
- The HAZID identified the following new hazards: delayed transmission, or transmission of memorised data packets, in the radio in-fill chain;
- The new system is an open transmission sub-system, so there is a risk that an attacker ("hacker") injects unsafe information over the air gap;
- Explicit risk estimation and the RAC-TS were used for designing the Radio Infill Controller part.
• Use of CoP and Risk Evaluation:
- EN 50159-2, for safety-related communication in open transmission systems (the part later merged into EN 50159:2010), provides the safety requirements for controlling the new hazards to an acceptable level, e.g. "data encrypting and protection" + "message sequencing and time stamping";
- EN 50128 was used as the standard for the development of the Radio Infill Controller software.
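The two new hazards on this slide (delayed or memorised packets in the radio in-fill chain, and injection of unsafe information over the open air gap) are exactly what the EN 50159 defences named above are for: message sequencing, time stamping, and a cryptographic safety code. The Python receiver below is an added illustration, not code from the ERA slides or from any radio in-fill product; the key, the 2-second freshness window, the message layout and the sample messages are constructed assumptions. Every message carries a source identifier, a sequence number, a time stamp and a truncated HMAC over all of them; the receiver verifies the HMAC before trusting any field, then rejects messages from the wrong source, repeated or reordered sequence numbers (memorised packets) and time stamps outside the freshness window (delayed packets).

```python
import hashlib
import hmac
import struct

# Constructed assumptions for the example (not values from the slides or any product)
KEY = b"example-link-key-replace-per-deployment"
MAX_AGE_S = 2.0      # freshness window: anything older is treated as a delayed message
MAC_LEN = 16         # truncated HMAC-SHA256 tag appended to every message
HEADER = struct.Struct("!IId")   # source id, sequence number, time stamp (seconds)


def build_message(source_id: int, seq: int, timestamp: float, payload: bytes,
                  key: bytes = KEY) -> bytes:
    """Sender side: header (source, sequence, time) + payload, then a MAC over all of it."""
    body = HEADER.pack(source_id, seq, timestamp) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


class SafeReceiver:
    """Receiver-side checks in the spirit of EN 50159 for an open transmission system."""

    def __init__(self, expected_source: int, key: bytes = KEY, max_age_s: float = MAX_AGE_S):
        self.expected_source = expected_source
        self.key = key
        self.max_age_s = max_age_s
        self.last_seq = -1     # highest sequence number accepted so far

    def accept(self, message: bytes, now: float):
        """Return (accepted, reason, payload). Only accepted messages advance last_seq."""
        if len(message) < HEADER.size + MAC_LEN:
            return False, "truncated", None
        body, tag = message[:-MAC_LEN], message[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        # 1. Safety code first: corrupted, forged or tampered frames are dropped before
        #    any field is trusted (constant-time compare avoids a timing oracle).
        if not hmac.compare_digest(tag, expected):
            return False, "bad_mac", None
        source, seq, ts = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        # 2. Source identifier: defence against masquerade / insertion by another sender
        if source != self.expected_source:
            return False, "wrong_source", None
        # 3. Sequence number: a repeated or older number is a memorised / replayed packet
        if seq <= self.last_seq:
            return False, "replay_or_reorder", None
        # 4. Time stamp: a message outside the freshness window is a delayed packet
        if ts > now + self.max_age_s or now - ts > self.max_age_s:
            return False, "stale", None
        self.last_seq = seq
        return True, "ok", payload


def demo() -> list:
    """Constructed exchange: genuine, replayed, delayed, tampered, forged, fresh, wrong source."""
    rx = SafeReceiver(expected_source=7)
    t0 = 1000.0
    m1 = build_message(7, 1, t0, b"MA:extend")
    m2 = build_message(7, 2, t0 + 0.5, b"MA:extend")
    tampered = bytearray(m2)
    tampered[HEADER.size] ^= 0x01                       # flip one payload bit in the air gap
    forged = build_message(7, 3, t0 + 1.0, b"MA:extend", key=b"attacker-guess")
    m3 = build_message(7, 3, t0 + 1.0, b"MA:extend")
    other = build_message(8, 4, t0 + 1.2, b"MA:extend")  # valid key, but not our trackside source
    steps = [(m1, t0 + 0.1), (m1, t0 + 0.2), (m2, t0 + 5.0), (bytes(tampered), t0 + 0.6),
             (forged, t0 + 1.1), (m3, t0 + 1.1), (other, t0 + 1.3)]
    return [rx.accept(msg, now)[1] for msg, now in steps]


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. "Data encrypting" on its own would not stop an attacker replaying or forging frames; it is the keyed integrity check, covering the sequence and time fields, that closes the hazard, which is why the MAC is verified first. The receiver tolerates gaps in the sequence (a lost message), so a deleted message is not detected here; a real implementation adds a time-out or feedback message for that threat.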
Slide n° 118
Current Status of harmonisation of Risk Acceptance Criteria (RAC)
Slide n° 119
4 – Risk Analysis and Evaluation – Current Status of harmonisation of Risk Acceptance Criteria (RAC)
• Main points in the current development:
- Work on a short note explaining the scope of the RAC development: used when performing an explicit risk estimation (and not when using a Code of Practice or a Reference System); not aimed at improving safety as such; aiming, among other things, to support cross-acceptance and the opening of the railway market.
- Different possible types of RAC depending on the types of identified risks. 3 main types of changes discussed: technical (the focus of the current development); operational; organisational; combined? On-going work with CER and UIC.
Slide n° 120
4 – Risk Analysis and Evaluation – Current Status of harmonisation of Risk Acceptance Criteria (RAC)
• Main characteristics of the Risk Acceptance Criteria (work in progress):
- defined at the level which the actors can control;
- attention should be paid to the need for integration;
- sufficient but not necessary (meeting the RAC is enough to accept the risk, but it is not the only way to do so);
- currently: for technical systems, and thus mainly for manufacturers.
• Next steps in the RAC development:
- concerning the RAC for technical systems: definition of the types of severities which can be identified during predictive studies; definition of the types of frequencies which can be identified during predictive studies; verification of the defined RAC; continuing to develop the principles allowing safety barriers to be taken into account;
- concerning the RAC for risks arising from operational and organisational changes: continue the development together with CER and UIC.
Slide n° 121
Discussions/Questions
+
Replies to pre-workshop questionnaire
Slide n° 122
4 – Risk Analysis and Evaluation – Summary of the answers to questionnaire
4.6(a) Do you have any risk acceptance criteria such as national rules notified under Article 8 of the Safety Directive? If so can you provide them?
The criteria vary between enterprises; no criteria are set at national level.
4.6(b) Do you have any published Codes of Practice or any available alternative methods? If so can you explain which ones?
The Codes of Practice exist within enterprises and they are public but not published.
4.6(c) Do you have any examples of comparisons with reference systems? If so can you describe them?
In addition to the SMS, the documentation for environmental management, quality management and working environment management certification is used.
Slide n° 123
4 – Risk Analysis and Evaluation – Summary of the answers to questionnaire
4.6(d) Do you have criteria for explicit risk estimation which help to ensure that the risks are adequately controlled? If yes, can you provide further information on this?
The results described in the Railway Act are taken as a basis; the risks leading to the results are determined through internal audits. We don't have certain criteria for explicit risk estimation for different railway enterprises.
4.6(e) How do you control the deviations of the system under assessment from the codes of practice or reference systems? Do you preferably use explicit risk estimation for that?
Case conclusions and internal audits are taken into account.
4.6(f) Do you have examples that you would like to discuss during the workshop? If so can you send them to the Agency?
No.
Slide n° 124
4 – Risk Analysis and Evaluation – Summary of the answers to questionnaire
4.6(g) How do you ensure that the identified hazards are clearly linked and closed out by the codes of practice or reference systems?
Assurance will come mostly from taking the SMS as reference.
Slide n° 125
(5) Hazard Records
Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment
Slide n° 126
5 – Hazard Record – Managing the hazards
[Overview figure: the 7 topics of the CSM process as listed in the introduction, from (1) Introduction to (7) Independent assessment of correct application of the CSM process by an Assessment Body, with topic (5) Hazard Management and Hazard Records highlighted; side bars "Independent Assessment" and "Hazard Management [Annex III(2)(g) of SD]".]
Slide n° 127
5 – Hazard Record – WHY are they needed?
Hazard Records need to be created and updated by the proposer (Annex I, section 4 of the CSM Regulation).
They are an important part of the hazard management process.
They track the progress of the process: identification of the hazard, the potential risk, and how the risk needs to be controlled through the selected risk acceptance principle:
• Codes of practice
• Reference systems
• Risk estimation
[Figure: Hazard → Risk → Control, repeated for each hazard.]
Slide n° 128
5 – Hazard Record – WHO is responsible?
If there are a number of actors involved in the project, each may have responsibility for their part of the system under assessment. They will keep a record of the hazards for their part of the project.
There should be one overall actor (the proposer) who has responsibility for the main record, which covers all the necessary elements of the system under assessment.
It does not have to contain all the information from the actors involved, only the links and key safety related
Exchange of information will be important if the hazard cannot be controlled by one actor alone.
[Figure: Actors A, B, C and D each keep a record for their part and exchange information; together they feed the Hazard Record for the system under assessment.]
Slide n° 129
5 – Hazard Record – What information should they contain?
• All the hazards that the actor is responsible for, the associated safety measures, and the resulting safety requirements issued from the risk assessment process.
• All the assumptions taken into account within the definition of the system under assessment. These assumptions determine the limits and the validity of the risk assessment.
• All the hazards and the associated safety measures received from other actors in the project. These include all the assumptions and restrictions of use, and the generic product safety cases produced by the manufacturers.
• The status of the hazards (i.e. controlled or open) and of the associated safety measures (i.e. validated or open).
Note: the level of detail required is related to the level of risk.
Slide n° 130
5 – Hazard Record – When should they be updated?
Whenever:
• a new hazard is discovered or a new safety measure is identified;
• a new hazard is identified during the operation and maintenance of the system after its commissioning, so that the hazard can be assessed in compliance with the CSM as to whether it represents a significant change (this will be part of the SMS – Annex III(2)(g));
• it is necessary to take into account accident and incident data;
• there are changes to the safety requirements or to the assumptions about the system.
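Two earlier passages lend themselves to one worked model: the RAC-TS criterion quoted in module 4 (failure rate less than or equal to 10^-9 per operating hour for a technical-system function with a credible catastrophic consequence, optionally tightened by a national rule) and the hazard record rules on the preceding slides (every hazard linked to its safety measures and to the RAP used, a hazard "controlled" only once its measures are validated, and a hazard exported to another actor appearing in that actor's own record). The Python below is an added example, not a tool from ERA or from the slides; the data classes, the field names, the "controlled"/"open" status values, the matching of exported hazards by origin and number, and the sample entries (modelled loosely on the Vmax and radio in-fill rows shown later in this module) are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Harmonised RAC-TS from the CSM Regulation: a technical-system function whose failure
# has a credible direct potential for a catastrophic consequence needs no further risk
# reduction if its failure rate is <= 1e-9 per operating hour.
RAC_TS_RATE_PER_HOUR = 1e-9
VALID_RAPS = {"code_of_practice", "reference_system", "explicit"}  # the three RAPs


@dataclass
class SafetyMeasure:
    text: str
    responsible: str
    validated: bool = False          # slides: measure status "validated" or "open"


@dataclass
class Hazard:
    number: int
    origin: str                      # e.g. "HAZOP report RX"
    description: str
    actor_in_charge: str
    rap: str                         # risk acceptance principle used for this hazard
    measures: List[SafetyMeasure] = field(default_factory=list)
    exported_to: Optional[str] = None
    status: str = "open"             # slides: hazard status "controlled" or "open"
    # Assumed extra fields, filled only for explicit estimation of a technical system
    catastrophic: bool = False
    failure_rate_per_hour: Optional[float] = None


def rac_ts_met(rate_per_hour: float, national_rate: Optional[float] = None) -> bool:
    """RAC-TS check. A national rule may request a more demanding (lower) threshold;
    this helper never lets it relax the harmonised 1e-9."""
    threshold = RAC_TS_RATE_PER_HOUR
    if national_rate is not None:
        threshold = min(threshold, national_rate)
    return rate_per_hour <= threshold


def check_hazard(h: Hazard, national_rate: Optional[float] = None) -> List[str]:
    """Consistency findings for one hazard record entry; an empty list means consistent."""
    findings = []
    if h.rap not in VALID_RAPS:
        findings.append(f"#{h.number}: unknown risk acceptance principle {h.rap!r}")
    if not h.measures:
        findings.append(f"#{h.number}: no safety measure linked to the hazard")
    if h.rap == "explicit" and h.catastrophic:
        if h.failure_rate_per_hour is None:
            findings.append(f"#{h.number}: explicit estimation but no failure rate recorded")
        elif not rac_ts_met(h.failure_rate_per_hour, national_rate):
            findings.append(f"#{h.number}: RAC-TS not met ({h.failure_rate_per_hour:.1e}/h)")
    if h.status == "controlled" and not all(m.validated for m in h.measures):
        findings.append(f"#{h.number}: marked controlled while a safety measure is still open")
    return findings


def check_exports(records: Dict[str, List[Hazard]]) -> List[str]:
    """Cross-actor check: a hazard exported to another actor must also appear in that
    actor's record (matched here by origin and number), otherwise nobody tracks it."""
    findings = []
    for actor, hazards in records.items():
        for h in hazards:
            if h.exported_to is None:
                continue
            receiver = records.get(h.exported_to, [])
            if not any(r.origin == h.origin and r.number == h.number for r in receiver):
                findings.append(f"{actor} exported #{h.number} to {h.exported_to}, "
                                f"but it is missing from {h.exported_to}'s record")
    return findings


def demo() -> List[str]:
    """Constructed sample loosely modelled on the slides' partial hazard records."""
    vmax = Hazard(1, "HAZOP report RX", "Maximum speed of train set too high (Vmax)",
                  "manufacturer", rap="explicit", exported_to="RU", status="controlled",
                  catastrophic=True, failure_rate_per_hour=5e-9,
                  measures=[SafetyMeasure("approval procedure for onboard configuration data", "RU", True),
                            SafetyMeasure("operational procedure for driver data entry", "RU", False)])
    stale = Hazard(2, "HAZOP report RX", "Transmission of old and unsafe messages",
                   "manufacturer", rap="explicit", status="controlled",
                   catastrophic=True, failure_rate_per_hour=1e-9,
                   measures=[SafetyMeasure("RAC-TS applied to radio in-fill controller design",
                                           "radio in-fill subcontractor", True)])
    hacker = Hazard(3, "HAZOP report RX", "Open transmission medium: injected messages",
                    "manufacturer", rap="code_of_practice", status="controlled",
                    measures=[SafetyMeasure("EN 50159-2 safety-related communication",
                                            "radio in-fill subcontractor", True)])
    records = {"manufacturer": [vmax, stale, hacker], "RU": []}   # RU has not registered #1 yet
    findings = []
    for h in records["manufacturer"]:
        findings += check_hazard(h)
    return findings + check_exports(records)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run as a script, the sample flags three things an assessment body would also ask about: the Vmax hazard is estimated at 5e-9/h, above the harmonised RAC-TS; it is marked controlled although one of its measures is not yet validated; and it was exported to the RU without the RU's record carrying it. The radio in-fill hazards pass because their measures are validated and the explicit one sits exactly on the 1e-9 threshold.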
Slide n° 131
5 – Hazard Record – What are the links to the SMS?
RUs and IMs can use their procedures under their SMS:
• Annex III(2)(g) of the RSD requires the SMS to contain procedures and formats for how safety information is to be documented, and the designation of a procedure for configuration control of vital safety information.
• The hazard record can therefore be part of the SMS for recording and managing risks that occur throughout the lifecycle of the equipment.
• It does not have to be a separate process.
For other actors:
• No legal requirement.
• But it is likely that they have a hazard management process.
• Existing processes can be adapted.
Slide n° 132
5 – Hazard Record – What are the benefits to the project?
• Help map out and record the decision-making process: transparency and consistency.
• Allow corrective actions to be taken promptly (link to SMS).
• Exchange of information: allow a number of players to contribute.
• Evidence of continuing compliance: accountability.
• Do not have to be complicated: targeted on the key issues.
Slide n° 133
Discussions/Questions
+
Replies to pre-workshop questionnaire
Slide n° 134
5 – Hazard Record – Answers received to questionnaire
Question: Do you have (1) a system of recording hazards and managing interfaces, (2) an example of a hazard record?
• Internal listings and analyses in accordance with the SMS are used.
• For the information to keep in the hazard record, the practices vary between enterprises; information crucial to the safety of operations is primarily seen as paramount.
• There is no specific layout or tool for management recommended; enterprises use internal methods and/or tools.
• Interfaces between a number of players: the main responsibility (national level) is described in the Railway Act or in other acts. Management is process-based, in accordance with the areas of responsibility stated in the process description (enterprise level).
• Hazard record monitoring: responsible departments and persons are appointed in the enterprises. Those are mostly internal auditing units and employees responsible for safety.
Slide n° 135
5 – Hazard Record – example (1) Answers received to questionnaire in other Workshops
Slide n° 136
5 – Hazard Record – example (2) Answers received to questionnaire in other Workshops
Slide n° 137
5 – Hazard Record – Partial Example of a Hazard Record/Log Table
(Table columns: N° HZD | Origin | Hazard description | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status)
1 | HAZOP report RX | Maximum speed of train set too high (Vmax) | Wrong specific configuration of the onboard sub-system (maintenance staff); wrong data entry onboard (driver) | RU | Define a procedure for the approval of the onboard sub-system configuration data; define an operational procedure for the data entry process by the driver | Explicit Risk Estimation | Yes | Controlled (exported to RU). Refer also to section C.16.4.2 in Appendix C.
2 | HAZOP report RX | Braking curves (i.e. Movement Authority) in onboard sub-system configuration data too permissive | The procedure for the specific configuration of the onboard sub-system depends on: the safety margins taken for the train braking system; the reaction delay of the train braking system (directly dependent on the train length, especially for freight trains) | RU | Specify the system requirements correctly in the System Definition; take sufficient safety margins for the braking system of the specific train | Explicit Risk Estimation | Yes | Controlled (exported to RU). Refer also to section C.16.4.2 in Appendix C.
Slide n° 138
5 – Hazard Record – Operational Change – Driver Only Operated Train (DOO)
• For the railway undertakings, the hazard management process was part of their safety management system for recording and managing risks.
• The identified hazards were registered in a hazard record (similar template as below) with the safety requirements controlling the associated risk, i.e. references to the additional onboard and trackside equipment as well as to the revised operational procedures.
• The revised procedures were monitored, and reviewed when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system.
(Table columns: N° HZD | Origin | Hazard description | Cause | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status)
1 | HAZOP report RX | Opening of doors – risk of passenger fatality | Driver | Driver error through lack of competence or seating position | RU | Training; cab design | Code of Practice | Partly | Partly closed
2 | HAZOP report RX | Failure of the CCTV – driver cannot see the platform | CCTV | Vandalism; incorrect/insufficient maintenance | IM | Protection of the equipment; regular checks | Code of Practice | No | Closed, measures in place
Slide n° 139
5 – Hazard Record – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample of Hazard Record
(Table columns: Description | Safety Measures | Priority Safety/Punctuality | Implementation | Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Date | Status xx.xx.xx)
Description: Reduced motivation among employees remaining in Company. Staff continuing to leave without stop. Demotivated / worn-out managers.
- Safety measures: new round of motivational work for the staff, to be performed in smaller groups; reallocation of funds so that Company gets meaningful tasks to perform; more frequent inspections by the track manager; allocate funds to make sure that key staff stay throughout the process; give special attention to making sure that information and knowledge is transferred between leaving employees and those who take over the tasks; etc.
- Priority (Safety/Punctuality): High/High.
- Implementation: coordinated by IOP. Regions must look at measures to increase control of tracks, overlap of employees and follow-up by line managers. Increased inspections need to be included in the contracts. Etc.
- Responsibility: Company Manager.
- Status (xx.xx.xx): change of circumstances has reduced this risk significantly; work environment analysis performed and some training of staff.
- Deadline, performed date, responsibility for verification, way of verification and date: not filled in on the slide.
Slide n° 140
5 – Hazard Record – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample of Hazard Record
(Table columns as on the previous slide: Description | Safety Measures | Priority Safety/Punctuality | Implementation | Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Date | Status xx.xx.xx)
Hazard 10 – Description: Subcontractors of the entrepreneurs lacking skill, competency and quality control.
- Safety measures: increased demand for documented competence; systematic control of performed tasks.
- Priority (Safety/Punctuality): High/Medium.
- Implementation: IM must coordinate. Regions must implement measures for requiring competence and controlling the work.
- Notes: implemented by contract follow-up. Input to revision planning.
- Responsibility: Safety manager.
- Status (xx.xx.xx): increased focus on routines for control (2 operative controls per month and operative area).
Hazard 11 – Description: Uncertainty of roles and responsibilities in the interface between Company and IM (Track manager).
- Safety measures: define roles and responsibilities; map all interfaces and define who is responsible for the interfaces.
- Priority (Safety/Punctuality): Medium/Medium.
- Implementation: in each region separately.
- Notes: implemented by the maintenance contract and the strategy plan for the reorganisation.
- Responsibility: Regional directors. Responsibility for verification: Safety Manager.
- Status (xx.xx.xx): regions have presented their strategy.
(The remaining cells are empty on the slide.)
Slide n° 141
5 – Hazard Record – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample of Hazard Record
• The Hazard and Risk Analysis was a table describing the identified hazards, evaluating the severity and suggesting risk mitigation / control measures.
• This information from the Risk Analysis table was mirrored within the Hazard Record/Log, which also includes additional information on who is responsible for implementing the measure, the deadline for the implementation, and who is in charge of verifying both the implementation and the efficiency of the identified measure(s).
• Indeed, for such organisational changes, the efficiency of the identified actions and decisions had to be monitored to verify whether they fully control the considered risk.
• This is natural, as it may be difficult to foresee and measure the exact result of a safety measure related to an organisational issue (such as training, motivation of staff, etc.), and the effects have to be followed up closely in a longer process where the analysis is continuously updated.
Slide n° 142
5 – Hazard Record – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample of Hazard Record
• Therefore, the risk analysis and the hazard record/log were living documents. The efficiency of the decided actions was monitored at regular intervals to check whether the conditions had changed and whether the risk analysis and risk evaluation needed to be updated. They were updated when actions were performed and hazards "closed". A status field was updated to describe what actions had been taken or were under way.
• If any circumstances changed compared to the initial context of the risk analysis, the risk analysis and hazard record/log had to be updated to ensure that hazard and risk remained under control.
• The hazards that could not be closed (as not all the measures could be implemented or verified rapidly) were followed up. Their status was monitored and rechecked on several occasions (with further dated status columns added to the hazard record/log table) to verify that all the hazards would finally be closed.
Slide n° 143
5 – Hazard Record – Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
The identified hazards, the safety measures and the resulting safety requirements issued from the risk assessment and the application of the three risk acceptance principles were registered and managed in a hazard record using a form similar to the table below.
(Table columns: N° HZD | Origin | Hazard description | Cause | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status)
1 | HAZOP report RX | Transmission of old and unsafe messages | Radio in-fill controller hardware | – | Manufacturer | RAC-TS for Radio In-fill design | Explicit risk estimation | Radio In-fill sub-contractor | Closed
1 | HAZOP report RX | Transmission of old and unsafe messages | Radio in-fill controller software; GSM | – | Manufacturer | CENELEC EN 50128, EN 50159-2 | Code of Practice | Radio In-fill sub-contractor | Closed
2 | HAZOP report RX | Open-transmission medium (radio in-fill controller) | Hacker | Dedicated standards available | Manufacturer | CENELEC EN 50159-2 | Code of Practice | Radio In-fill sub-contractor | Closed
Slide n° 144
Time schedule for CSM dissemination workshop – 2nd day of workshop
2nd day: 9:00 to 16:00
09:00 – 10:15: Demonstration of system compliance with safety requirements
10:15 – 11:00: Assessment Bodies
11:00 – 11:15: Coffee Break
11:15 – 12:15: internal discussions among representatives of each MS
12:15 – 13:15: Lunch Break
13:15 – 14:00: Questions/discussion and feedback from those discussions
14:00 – 14:15: Coffee Break
14:15 – 15:00: Conclusions and close out of the workshop
Slide n° 145
(6) Demonstration of system compliance with the safety requirements
Slide n° 146
6 – Demonstration of system compliance with safety requirements
For presentation purposes, the CSM process is split into 7 topics (see questionnaire):
(1) Introduction
(2) What is a significant change?
(3) Hazard Identification phase;
(4) Risk analysis and evaluation
(5) Hazard Management and Hazard Records;
(6) Demonstration of system compliance with the safety requirements
(7) Independent assessment of correct application of CSM Process by an Assessment Body
[Figure: CSM process overview with topics (2) to (7) placed on the process flow; Independent Assessment and Hazard Management (Annex III (2)(g) of the Safety Directive) run alongside every step.]
Slide n° 147
6 – Demonstration of system compliance with safety requirements: Requirements in CSM Regulation [Chapter 3]
Prior to safety acceptance of the change, fulfilment of the safety requirements must be demonstrated (see next slide).
The demonstration is under the supervision of the proposer.
But each actor is responsible for the demonstration of the safety requirements for its part of the system.
The approach chosen for the demonstration of compliance, and the demonstration itself, must be independently assessed by the Assessment Body.
Inadequacies of safety measures or new hazards discovered during the demonstration must be reassessed against the CSM.
[Figure: CSM risk management process. Preliminary System Definition → Significant Change? → System Definition → Hazard Identification and Classification → Risk Analysis → Risk Evaluation (vs. Risk Acceptance Criteria), using Codes of Practice, Similar Reference Systems or Explicit Risk Estimation → Safety Requirements (i.e. safety measures to be implemented) → Demonstration of Compliance with Safety Requirements. Independent Assessment and Hazard Management (Annex III (2)(g) of the Safety Directive) run alongside the whole process.]
Slide n° 148
6 – Demonstration of system compliance with safety requirements: Correspondence between CSM and CENELEC
[Figure: the CENELEC V-cycle phases with the CSM process boxes overlaid on them.]
CENELEC V-cycle phases:
1 Concept
2 System Definition & Application Conditions
3 Risk Analysis
4 System Requirements
5 Apportionment of System Requirements
6 Design and Implementation
7 Manufacture
8 Installation
9 System Validation (including Safety Acceptance and Commissioning)
10 System Acceptance
11 Operation and Maintenance
12 Performance Monitoring
13 Modification and Retrofit
14 De-commissioning and Disposal
CSM boxes overlaid on the V-cycle:
BOX 1: Preliminary System Definition in CSM
BOX 2: CSM for Risk Assessment (System Definition, Hazard Identification and Classification, Risk Analysis, Risk Evaluation vs. Risk Acceptance Criteria, using Codes of Practice, Similar Reference Systems or Explicit Risk Estimation)
BOX 3: Safety Requirements (i.e. safety measures to be implemented)
BOX 4: Demonstration of Compliance with the Safety Requirements
Re-application of the CSM (shown against the later lifecycle phases)
Independent Assessment and Hazard Management (Annex III (2)(g) of the Safety Directive) run alongside the whole process.
Slide n° 149
6 – Demonstration of system compliance with safety requirements: Purpose of demonstration
The CSM process produces the safety requirements expected to control the identified hazards.
The system must then be developed against those safety requirements, e.g.:
for operational changes: definition, writing and validation of the operational procedures against the requirements;
for technical systems: design, validation and acceptance.
Prior to the acceptance of the change it must be demonstrated that:
the 3 risk acceptance principles (RAP) were correctly applied and actually control the hazards to an acceptable level;
the system actually complies with the specified safety requirements.
[Figure: CSM risk management process diagram, as on Slide n° 147.]
Slide n° 150
6 – Demonstration of system compliance with safety requirements: Proposer's Responsibility – Other Actors' Responsibility
The Proposer has overall responsibility for coordinating and managing the demonstration of compliance.
But each actor, including the proposer where relevant, must demonstrate compliance of the sub-system it is responsible for with:
the SR allocated to the sub-system by the proposer;
the SR transferred to the relevant actor by other actors via interfaces;
additional and internal SR from safety assessments and safety analyses done at sub-system level.
[Figure: at system level, all identified safety requirements (SR) are allocated by the Proposer to Sub-System 1 … Sub-System N. The safety requirements for a sub-system come from the Proposer, from the sub-system's internal risk analyses, and from other actors via interfaces; in turn the sub-system exports requirements to other sub-systems through its interfaces and returns system requirements to the Proposer. All of them are registered in the sub-system Hazard Records.]
Slide n° 151
6 – Demonstration of system compliance with safety requirements: Interface Management – Cooperation for Shared Risks (1/2)
The separation of activities/functions between the actors involved in the development and operation of railway systems (RUs, IMs, contractors, etc.) can result in risks at the interfaces.
It is thus important that the actors affected by a given interface cooperate in managing the hazards at that interface (shared risks), so as to have a common understanding and agreement on what is to be done.
The management of shared risks shall be coordinated by the Proposer (system view), since the Proposer is the one that allocates the responsibilities to the actors concerned by the relevant interfaces.
Using the Hazard Records, the safety measures at the interfaces must then be transferred to the right actors, i.e. those affected by the interface considered.
The Proposer (with his assessment body) is responsible for the application of the CSM as well as for the integration of the system under assessment (INTERFACE) into the railway system as a whole.
Slide n° 152
6 – Demonstration of system compliance with safety requirements: Interface Management – Notifications to Proposer (2/2)
The CSM regulation requires that the Proposer be notified of:
the safety measures related to interfaces that are transferred between the actors involved in the significant change, and;
the detected non-compliance(s) of safety measures in effectively controlling the identified hazards and the associated risk(s).
The Proposer in turn informs the actor responsible for the implementation of the relevant safety measure.
As a general requirement, any actor who discovers a non-compliance or a previously unidentified hazard, and thus a hazard/risk that is not controlled, shall inform all actors that might be affected (either in the system under assessment or, as far as he is aware, in existing systems that could use it as a Reference System).
Slide n° 153
6 – Demonstration of system compliance with safety requirements: Sub-System Safety Analyses (1/4)
To fulfil the safety requirements allocated to each sub-system, the actor in charge of the sub-system shall in turn carry out safety assessments and safety analyses to identify systematically:
all reasonably foreseeable causes within the sub-system that contribute to the hazards at the level of the system under assessment;
the safety measures, and resulting safety requirements, at sub-system level that are expected to control these causes and the associated risks to an acceptable level.
The actor shall register in a Hazard Record all the hazards he must control as well as the safety measures to be implemented by him.
Causal analyses are one example of the safety assessments and safety analyses at sub-system level; other methods can also be used.
The process defined in the CSM regulation is a generic process.
Slide n° 154
6 – Demonstration of system compliance with safety requirements: Sub-System Safety Analyses (2/4)
Example of Figure A.4 of EN 50129: Definition of hazards with respect to the system boundary.
Causes of hazards at the level of the system under assessment may be considered as hazards at the sub-system level (with respect to the sub-system boundary).
[Figure: causes on the left, consequences on the right. A cause of a hazard at sub-system level lies inside the sub-system boundary; the hazard at sub-system level sits on the sub-system boundary and is, seen from the system, a cause of a hazard at system level; the hazard at system level sits on the system boundary and leads to accidents k and l outside it.]
Slide n° 155
6 – Demonstration of system compliance with safety requirements: Sub-System Safety Analyses (3/4)
The CSM process steps can be repeated at each lower-level phase of the CENELEC V-cycle to derive the safety measures and the safety requirements to be fulfilled by the next phase:
hierarchical structuring of hazards and causes against system and sub-system boundaries;
systematic hazard identification and causal analysis activities (or any relevant method);
systematic use of Hazard Records for registering and managing the hazards and safety measures the actor is in charge of/responsible for;
use of Codes of Practice, similar Reference Systems and Explicit Risk Estimation.
The derived sub-system safety requirements then need to be implemented and their fulfilment demonstrated by the actor concerned.
NB: the Proposer is responsible for demonstrating compliance with the safety requirements at the level of the system.
Slide n° 156
6 – Demonstration of system compliance with safety requirements: Sub-System Safety Analyses (4/4)
[Figure: the same pattern repeated down the CENELEC V-cycle. Phase N-1 hands over the Safety Requirements for Phase N; in Phase N the safety measures are chosen and the Safety Requirements (i.e. safety measures to be implemented) for Phase N+1 are derived; Phase N+1 does the same for Phase N+2. At each level, the requirements for Level N+1 come from Level N, from internal risk analyses and from other actors via interfaces; requirements are exported to other actors at level N+1; safety requirements that apply to Phase N only stay there; everything is registered in the Hazard Record of Level N.]
Slide n° 157
6 – Demonstration of system compliance with safety requirements: Independent Assessment by Assessment Body
The approach for demonstrating compliance with the safety requirements, as well as the demonstration itself, is independently assessed by an AB.
If there are no contractual obligations or MS legal requirements, each actor is free to appoint an AB for the part of the system the actor is in charge of;
more than one AB can therefore be involved in the same project.
The Proposer, with the support of its AB, is responsible for integrating the different sub-systems and for coordinating the different ABs involved in the project.
[Figure: CSM risk management process diagram, as on Slide n° 147.]
Slide n° 158
6 – Demonstration of system compliance with safety requirements: New Iteration of CSM Process for detected non-compliances
If inadequacies of safety measures or new hazards are discovered during the demonstration, they need to be reassessed against the CSM.
E.g. the choice of a technical solution for the design of the system or sub-systems, not foreseen by the SR, could create a new hazard.
New hazards are registered in the Hazard Record.
Deviations and/or new hazards are treated as new inputs for a new loop of the iterative risk assessment process.
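The record-keeping rules of this module (transfer of interface measures to the affected actor and notification of non-compliances to the Proposer on slides 150 to 152; causes at system level becoming hazards at sub-system level on slide 154; reopening as input to a new CSM loop on slide 158; and the rule on slide 161 that a hazard cannot be closed until its measures are implemented and verified) are shown below as a small hazard-record model in Python. This is an added example, not ERA's or any project's code; the class and field names, the status values and the dates in the walk-through are assumptions, chosen to mirror the columns of the hazard record on slide 143.

```python
from dataclasses import dataclass, field
from typing import Optional

OPEN, CLOSED, REOPENED = "Open", "Closed", "Reopened"   # status values (assumed)

@dataclass
class SafetyMeasure:
    text: str
    principle: str                     # risk acceptance principle used
    actor: str                         # actor in charge of implementing it
    implemented: bool = False
    verified: bool = False             # implementation independently verified
    exported_to: Optional[str] = None  # actor whose record received it via an interface

@dataclass
class Hazard:
    ref: str
    origin: str                        # e.g. "HAZOP report RX"
    description: str
    cause: str
    measures: list = field(default_factory=list)
    status: str = OPEN
    history: list = field(default_factory=list)  # (date, note): the living document

class HazardRecord:
    """One actor's hazard record. The Proposer's is the system-level one; other
    records point at it so that non-compliance notices reach the Proposer."""

    def __init__(self, owner: str, proposer: "Optional[HazardRecord]" = None):
        self.owner, self.proposer = owner, proposer
        self.hazards: dict = {}
        self.notifications: list = []  # notices received in the Proposer role

    def register(self, hazard: Hazard, date: str) -> Hazard:
        self.hazards[hazard.ref] = hazard
        hazard.history.append((date, f"registered by {self.owner}"))
        return hazard

    def export_measure(self, ref: str, measure: SafetyMeasure,
                       to_record: "HazardRecord", date: str) -> Hazard:
        """Transfer an interface measure to the affected actor. The system-level
        cause becomes a hazard in the receiving record (EN 50129 figure A.4); the
        SafetyMeasure object is shared, so the Proposer's hazard cannot close
        before the receiving actor's implementation has been verified."""
        src = self.hazards[ref]
        measure.exported_to = to_record.owner
        src.measures.append(measure)
        sub = Hazard(ref=f"{ref}/{to_record.owner}",
                     origin=f"{self.owner} record, hazard {ref}",
                     description=src.cause,  # system-level cause = sub-system hazard
                     cause="to be found by sub-system causal analysis",
                     measures=[measure])
        src.history.append((date, f"measure exported to {to_record.owner}"))
        return to_record.register(sub, date)

    def close(self, ref: str, date: str) -> bool:
        """Closure only once every measure is implemented AND verified; otherwise
        the refused attempt is logged and the hazard stays open."""
        hz = self.hazards[ref]
        if not all(m.implemented and m.verified for m in hz.measures):
            hz.history.append((date, "closure refused: unverified measures remain"))
            return False
        hz.status = CLOSED
        hz.history.append((date, "closed"))
        return True

    def report_non_compliance(self, ref: str, finding: str, date: str) -> None:
        """A deviation found during the demonstration reopens the hazard and is
        notified to the Proposer as input to a new loop of the CSM process."""
        hz = self.hazards[ref]
        hz.status = REOPENED
        hz.history.append((date, f"reopened: {finding}"))
        (self.proposer or self).notifications.append(f"{self.owner}: {ref}: {finding}")

def radio_infill_example():
    """Constructed walk-through of hazard 1 of the slide-143 record; the dates
    are illustrative, not taken from the deck."""
    proposer = HazardRecord("Proposer")
    subcontractor = HazardRecord("Radio In-fill sub-contractor", proposer=proposer)
    proposer.register(Hazard("1", "HAZOP report RX",
                             "Transmission of old and unsafe messages",
                             "Radio in-fill controller hardware"), "2009-06-01")
    m = SafetyMeasure("RAC-TS for Radio In-fill design",
                      "Explicit risk estimation", actor="Manufacturer")
    sub = proposer.export_measure("1", m, subcontractor, "2009-06-02")
    outcomes = [proposer.close("1", "2009-07-01")]      # False: nothing implemented
    m.implemented = True
    outcomes.append(proposer.close("1", "2009-08-01"))  # False: not yet verified
    m.verified = True                                   # V&V evidence accepted
    outcomes.append(subcontractor.close(sub.ref, "2009-09-01"))  # True
    outcomes.append(proposer.close("1", "2009-09-01"))  # True
    subcontractor.report_non_compliance(
        sub.ref, "hardware change not covered by the RAC-TS analysis", "2009-10-01")
    return proposer, subcontractor, outcomes
```

Sharing the SafetyMeasure object between the two records is the point of the example: the Proposer's system-level hazard stays open until the sub-contractor's verification flag is set, which is the dependency the slides describe for a requirement transferred across an interface. The walk-through ends with the sub-contractor reporting a deviation after closure; the Proposer's copy is not silently reopened, it receives the notification and has to decide on a new CSM iteration, as slide 158 requires.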
[Figure: CSM risk management process diagram, as on Slide n° 147.]
Slide n° 159
Application to practical examples
Slide n° 160
6 – Demonstration of system compliance with safety requirements: Operational change – Driver Only Operated Train (DOO)
Demonstration of the system compliance with the safety requirements:
the system is implemented against the identified safety requirements (additional equipment and revised procedures to enable Driver Only Operation);
the revised operational procedures are then introduced in the RU safety management system;
the correct application by the driver of the revised procedures, and their effectiveness, is monitored and reviewed when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system, i.e. that the procedures and their application are appropriate to ensure a sufficient level of safety without on-board staff.
[Figure: Independent Assessment and Hazard Management run alongside the whole process.]
Slide n° 161
6 – Demonstration of system compliance with safety requirements: Organisational change – Outsourcing of a maintenance branch of an IM
Demonstration of the system compliance with the safety requirements:
the Risk Analysis and Hazard Record show that hazards cannot be closed until they are verified and it is demonstrated that the safety requirements (i.e. the selected safety measures) are implemented;
the Risk Analysis and Hazard Record are living documents. The effectiveness of the decided actions is monitored at regular intervals to check whether conditions have changed and whether the Risk Analysis and Risk Evaluation need to be updated.
[Figure: Independent Assessment and Hazard Management run alongside the whole process.]
Slide n° 162
6 – Demonstration of system compliance with safety requirements: Outsourcing of a maintenance branch of an IM – Sample of Hazard Record
Columns of the record: Description | Safety Measures | Priority (Safety/Punctuality) | Implementation Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Date | Status (xx.xx.xx)

Description: reduced motivation among employees remaining in the Company: staff continuing to leave without stop; demotivated / worn-out managers.
Safety measures: new round of motivational work for the staff, to be performed in smaller groups; reallocation of funds so that the Company gets meaningful tasks to perform; more frequent inspections by the track manager; allocate funds to make sure that key staff stay throughout the process; give special attention to making sure that information and knowledge are transferred between leaving employees and those who take over the tasks; etc.
Priority (Safety/Punctuality): High/High
Implementation notes: coordinated by IOP. Regions must look at measures to increase control of tracks, overlap of employees and follow-up by line managers. Increased inspections need to be included in the contracts. Etc.
Responsibility: Company Manager
Status (xx.xx.xx): the change of conditions/circumstances has reduced this risk significantly. Work environment analysis performed and some training of staff.
Slide n° 163
6 – Demonstration of system compliance with safety requirements: Outsourcing of a maintenance branch of an IM – Sample of Hazard Record (continued)
Columns of the record: Description | Safety Measures | Priority (Safety/Punctuality) | Implementation Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Date | Status (xx.xx.xx)

Description: subcontractors of the entrepreneurs lacking skill, competency and quality control.
Safety measures: increased demand for documented competence; systematic control of performed tasks.
Priority (Safety/Punctuality): High/Medium
Implementation notes: IM must coordinate. Regions must implement measures for requiring competence and controlling the work. Implemented by contract follow-up; input to revision planning.
Responsibility: Safety manager
Status (xx.xx.xx): increased focus on routines for control (2 operative controls per month and operative area).

Description (hazard 11): uncertainty of roles and responsibilities in the interface between the Company and the IM (Track manager).
Safety measures: define roles and responsibilities; map all interfaces and define who is responsible for the interfaces.
Priority (Safety/Punctuality): Medium/Medium
Implementation notes: in each region separately. Implemented by the maintenance contract and the strategy plan for the reorganisation.
Responsibility: Regional directors
Responsibility for verification: Safety Manager
Status (xx.xx.xx): Regions have presented their strategy.
Slide n° 164
6 – Demonstration of system compliance with safety requirements: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
[Figure: Independent Assessment and Hazard Management run alongside the whole process.]
Demonstration of the system compliance with the safety requirements:
follow-up of the implementation of the safety requirements through the development process of the "radio in-fill + GSM" sub-system;
verification that the system, as designed and installed, is compliant with the safety requirements.
This includes follow-up, during design and V&V of the Radio In-fill, of all requirements from the CoP (CENELEC 50128 & 50159-2 for the software of the Radio In-fill) + demonstration of achievement of the RAC-TS for random hardware failures of the Radio In-fill sub-system.
Slide n° 165
Discussions/Questions
+
Replies to pre-workshop questionnaire
Slide n° 166
6 – Demonstration of system compliance with safety requirements: SUMMARY of the answers to questionnaire
National requirements? According to the Railway Act, every IM or RU must have an appropriate SMS.
Priorities for demonstrating compliance? First of all, the safety of people, avoidance of environmental contamination and the safety of the community are the priorities.
Evidence included in the demonstration? Documentation that proves the safety of the enterprise in all essential respects is included.
Quality assurance process for ensuring the adequacy of the compliance? It is voluntary. Quality management systems and various certificates exist depending on the specific enterprise.
Continued compliance with any agreed safety assessment during system operation and maintenance? Internal audits, internal operational checks and also national surveillance of SMS implementation.
Problems and difficulties that can be envisaged when proving safety compliance? At present there is not enough practice on this to report.
Slide n° 167
(7) Assessment Bodies
Slide n° 168
7 – Assessment Bodies: Checking the correct application of the CSM regulation
[Figure: CSM risk management process diagram, as on Slide n° 147, with Independent Assessment and Hazard Management (Annex III (2)(g) of the Safety Directive) highlighted.]
An independent assessment of the complete risk management process undertaken by the proposer shall be performed by an independent body to verify the significant change and the demonstration of compliance with the identified requirements.
Slide n° 169
7 – Assessment Bodies: General Background
General background / legal framework concerning Assessment Bodies:
For significant changes it is required to have an independent assessment of the correct application of the CSM regulation by an Assessment Body.
The Assessment Body is appointed/selected by the Proposer (if there is no contrary national legal obligation).
The Assessment Body shall issue a safety assessment report to support the Proposer in the decision to accept the significant change.
There shall be mutual recognition of the independent assessments performed by the Assessment Body within the scope of the CSM on risk assessment.
Slide n° 170
7 – Assessment Bodies: Strategy for the development of their roles and responsibilities
To enable mutual recognition of the independent assessments, there is a need to establish sufficient trust in the work performed by the assessment body.
Different questions to be answered:
WHY is an Assessment Body needed?
WHO shall be the Assessment Body?
WHEN shall the independent assessment be done?
WHAT shall be assessed?
What is the interaction with other assessments (i.e. the safety certification and authorisation process for placing in service structural sub-systems)?
What are the additional requirements for the assessment body?
HOW shall assessments be performed?
WHICH scheme could ensure similar quality of the assessments?
Slide n° 171
7 – Assessment Bodies: Definition of the Assessment Body and WHY is it needed?
Definition in Article 3(14) of Regulation 352/2009/EC: "assessment body means the independent and competent person, organisation or entity which undertakes investigation to arrive at a judgement, based on evidence, of the suitability of a system to fulfil its safety requirements".
WHY is an Assessment Body needed?
To support the proposer in the decision to accept significant changes by ensuring an independent check of the correct application of the risk management process defined in the CSM.
To support and facilitate the mutual recognition of the results of the application of the CSM on risk assessment.
Slide n° 172
7 – Assessment Bodies: Who can be Assessment Body
WHO can be an Assessment Body?
The criteria are listed in Annex II of the CSM Regulation 352/2009/EC:
independence from the design, manufacture, construction, marketing, operation or maintenance of the system;
professional integrity;
competence (skills, training, knowledge and experience) to perform the tasks required of them;
civil liability insurance;
commercial confidentiality.
The following entities can be Assessment Bodies: NSAs, NOBOs, Designated Bodies, in-house ISAs, external ISAs (if they fulfil the criteria in Annex II of the CSM regulation).
The choice is made by the Proposer if not imposed by national legislation.
Different practices exist in the Member States.
Slide n° 173
7 – Assessment Bodies: When does independent assessment start?
WHEN will the independent assessment start?
Although it is not explicitly a requirement of the CSM regulation, the assessment body should be involved early in the project.
And should the independent assessment stop with the delivery of the assessment report to the Proposer?
Slide n° 174
7 – Assessment Bodies: What shall be assessed?
WHAT shall be assessed? Already defined in the CSM regulation:
check of the compliance with the CSM process;
check of the results of the application of the CSM;
this shall include the check of:
the system definition;
the hazard identification and risk analysis;
the risk evaluation and risk acceptance;
the demonstration of compliance with the safety requirements, including the chosen approach.
They do not need to check the evaluation of the significance of the change.
Slide n° 175
7 – Assessment Bodies: Independent Safety Assessment Report
WHAT is the result of the independent assessment?
As defined in the CSM regulation, the assessment body shall provide the proposer with a safety assessment report.
The safety assessment report shall at least:
set out the assessment body's findings/opinion on the review of the risk management process;
confirm that the system under assessment meets the requirements and whether it can be used safely.
The safety assessment report will:
support the Proposer in the decision to accept the change;
provide evidence to the NSA that the Proposer has correctly applied the CSM process, particularly if the change is related to an authorisation to place into service structural sub-systems;
be useful in any inspections that the NSA undertakes in relation to the SMS and the application of the CSM.
Slide n° 176
7 – Assessment Bodies: How is the independent assessment performed?
HOW shall the assessment body perform its assessment?
The independent assessment in the scope of the CSM on risk assessment is different from NOBO checks:
a NOBO checks the formal conformity of a sub-system with predefined requirements, whereas the assessment body makes judgements.
For this judgement to be made, a complete and thorough review and follow-up of all activities of the Proposer and of its subcontractors for the design and implementation of the change may not be cost-effective and is also not necessary.
Rather, a 3-step approach shall be undertaken, based on:
a thorough understanding of the change and of its specification;
assessment of the safety and quality processes put in place for the change;
assessment of the application of these processes for the design and implementation of the change, based on e.g. auditing and sampling techniques, until the delivery of the assessment report.
Slide n° 177
7 – Assessment Bodies: Interaction with other Assessment Bodies
In order to avoid duplication of work, it is important to distinguish the tasks allocated to:
the Assessment Body in the CSM regulation on risk assessment, which shall check the correct application of the CSM risk management process;
the NSAs, NOBOs and DEBOs in the Safety Directive 2004/49/EC and the Interoperability Directive 2008/57/EC, where the NSA issues:
Safety Certificates and Safety Authorisations for the SMS of RUs/IMs;
Authorisations for placing in service structural subsystems, based on:
the NOBO's "EC verification of conformity with TSI requirements" applicable to the sub-systems;
the Designated Body's check of conformity with national rules applicable to the sub-systems;
the check by the Assessment Body of the correct application of the CSM regulation on risk assessment.
Slide n° 178
7 – Assessment Bodies: Quality of assessments performed by the Assessment Body
WHICH scheme could ensure similar quality of the assessments?
There is a need to establish trust in the assessment body's results.
Hence the development of a common framework for evaluating the competence of assessment bodies.
Similarly to ECM certifying bodies, the assessment body could be either:
an accredited body, accredited by a national accreditation body;
a body/person recognised by the Member State.
The choice between accreditation and recognition by the Member State is left to the Proposer unless imposed differently by national legislation.
Slide n° 179
7 – Assessment Bodies: Accreditation scheme for Assessment Bodies
WHICH scheme could ensure similar quality of the assessments?
Specific accreditation scheme:
based on the existing recognised standard ISO 17020 for inspection bodies, the most appropriate standard for safety assessment;
ISO 17020 sets out "General criteria for the operation of various bodies performing inspection". The Agency is currently investigating this possibility in cooperation with EA;
possibility to accredit external as well as internal assessment bodies against ISO 17020;
specific requirements/criteria on competence and independence to be elaborated;
contact established with EA (European co-operation for Accreditation) to assess the feasibility of the scheme and its acceptance by National Accreditation Bodies.
Slide n° 180
7 – Assessment Bodies: Recognition of Assessment Bodies by the Member State
WHICH scheme could ensure similar quality of the assessments?
Recognition by Member State:
same specific criteria on competence and independence as for accredited bodies;
similar requirements as ISO 17020 for organisations (e.g. on quality management system);
similar control and surveillance as in accreditation;
peer reviews similar to EA peer reviews necessary to ensure similar standards (e.g. NSA peer reviews).
Slide n° 181
7 – Assessment Bodies: Recognition of Assessment Bodies
Specific cases of some Member States where recognition is envisaged:
Recognition of individuals:
only the criteria of competence and independence apply;
limited scope of work in the Member State where they are recognised.
Recognition by the NSA through the SMS of RUs and IMs:
internal assessors within RUs/IMs;
external assessors to RUs/IMs;
evaluation and surveillance by the NSA through SMS audits.
NSA itself acting as assessment body:
evaluation and surveillance may be performed internally;
may require separation from other NSA functions.
Slide n° 182
7 – Assessment Bodies: Interfaces between different actors involved in the significant change
The management of interfaces between the different railway actors involved in the management of the significant change is a key activity throughout the development of the significant change.
If more than one actor, and thus more than one assessment body, is involved in the change, the proposer, with the support of his assessment body, will need to coordinate the activities of the different actors and of their assessment bodies.
This can:
help with the management of the interface between different actors;
be useful before switching over from one step of the risk assessment to the next one.
Duplication of work in terms of additional independent assessment shall be avoided: reports shall not be called into question if there are no deviations from the initially accepted system.
Slide n° 183
7 – Assessment Bodies: Next Steps
Next steps still to be developed:
definition of the accreditation scheme in collaboration with EA, including specific criteria of competence;
definition of requirements for the alternative of recognition by MS in the different envisaged cases;
definition of a harmonised format for safety assessment reports.
Slide n° 184
Discussions/Questions
+
Replies to pre-workshop questionnaire
Slide n° 185
7 – Assessment Bodies: SUMMARY of the answers to questionnaire
Are assessment bodies used for checking that changes and safety requirements are correctly managed and implemented? Yes, external auditors, but also national surveillance of SMS implementation.
How do you decide when to use them? Decisions are made according to legislation and standards (depending on the specific field of assessment). It is always possible to rope in an independent expert.
Are there any national requirements setting out the legal basis for their use? If so, can you give some examples? The basic list is: the Railway Act (SMS part), quality management standards, legislation regarding the working environment, legislation regarding the environment.
For assessments undertaken internally within the company, how do you ensure the independence of the assessment body? The assessor must not be associated with the area of assessment. General principles are stated in the Anti-Corruption Act and relevant standards. The NSA (ETSA) has no right to choose assessors for enterprises and also has no obligation to take the assessors' opinion into consideration.
Slide n° 186
7 – Assessment Bodies – Summary of the answers to questionnaire
Projects in which assessment bodies are involved? issue of permits, certificates and licences, mostly pre-processing activities with documentary evidence. For example: to renew a code of practice or other internal documentation, a new risk assessment, new manuals for some new technology, etc.
What sort of documentary evidence do they require? documents demanded in legislation and relevant standards.
When do they intervene in the management of a change (early or at the end of the project)? they intervene if safety requirements are no longer fulfilled or the licence/certificate has expired.
How do they carry out their assessment, i.e. what methodology do they apply? How are they “recognised” by the MS, or do they need to be recognised by someone? assessment (surveillance) takes place continually throughout the validity of the licence/certificate. Recognition takes place according to the relevant legislation.
Slide n° 187
7 – Assessment Bodies – Summary of the answers to questionnaire
Do you work more with external or in-house assessment bodies? Why? enterprises prefer using internal auditors for initial audits, but external auditors are also used.
How is the independent safety assessment report used? according to the subject, the report is taken into account and internal documents and procedures are amended accordingly. The NSA (ETSA) has no obligation to take the assessors’ report into consideration; it is non-binding.
Are the assessment body recommendations always followed? enterprises: yes; NSA (ETSA): no (it is non-binding for the NSA).
Slide n° 188
(8) Conclusions
Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment
Slide n° 189
Examples of application of the CSM Process
(All steps put together for the three examples)
Driver Only Operated Train (operational change) by RU
Organisational Change by IM
Radio In-fill by a Manufacturer
Slide n° 190
Operational Change – “Driver Only Operated Train – DOO”
CSM Application by the RU
Slide n° 191
Driver only operated train – System Definition
Example of an operational change - System Definition
RU has decided to operate trains with Driver alone (Driver Only Operated train – DOO) on a route where previously there was an onboard guard to assist the driver with the train dispatching
Description of existing system: “explain clearly which tasks were performed by the driver and which other ones were carried out by onboard staff (or guard) to assist the driver”
Description of the change in the driver's responsibilities due to the removal of onboard assisting staff, “e.g. door closing before train departure”
Definition of additional technical requirements for the system to cover the changes needed for Driver Only Operation
Describe existing interfaces between onboard assisting staff, train driver and trackside staff of the infrastructure manager
Slide n° 192
Change: Driver Only Operation
● significant change (need to cover all questions):
Safety relevant? YES – completely different way of managing train service operation
Low novelty? NO – driver’s responsibility extended, requiring new tasks
Low complexity? NO – driver’s errors could lead to catastrophic consequences
● Consequence: apply CSM Process
[Flowchart: Safety Relevance – Is it safety related? Yes / No → Other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? → Significant Change → Apply CSM Process]
Driver only operated train – Evaluation of the significance of the change
Slide n° 193
[Sidebar: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]
Hazard Identification (e.g. HAZOP):
brainstorming by a group of experts to find all hazards with a relevant influence on the risk brought on by the removal of onboard assisting staff and the additional tasks requested of the driver;
drivers' and staff's representatives involved for their operational experience, IM representatives as the infrastructure could also be affected, implying e.g. changes to stations (e.g. installation of mirrors/closed circuit TV at platforms);
what could be the key operational hazards at stations, on existing routes where the driver was assisted by onboard or trackside staff (door opening, closure check, etc.)
Driver only operated train – Hazard Identification
Slide n° 194
A HAZOP study is a structured method for the identification of risks, originally developed in the chemical industry. It uses guide words to reveal the possible response of the system or process to changes or to deviations from the desired response. The method is described in IEC 61882.
The HAZOP is based on the principle that several experts with different backgrounds can interact and identify more problems when working together than when working separately and then combining their results. This brainstorming method stimulates creativity and generates ideas.
What is a HAZOP?
Slide n° 195
The HAZOP is a systematic process that examines the following topics:
Intention, i.e. the expected functional behaviour of the system
Deviations: starts from possible deviations from desired functional states
Causes: for each deviation, the reasons why the deviation could occur
Consequences: the result of the deviation
Hazard: the consequences causing possible damage, injury or loss
Measures: possibilities to reduce the hazardous condition/behaviour
The method needs an educated leader (moderator/facilitator) to manage the session, good input information, and documents of the system and processes. It is effective in finding risks, if properly conducted. For the critical functions/tasks/aspects, the method can be complemented by other systematic studies, e.g. by an FMECA (Failure Mode, Effects and Criticality Analysis)
What is a HAZOP?
Slide n° 196
Examples of guide/key words:
No message/information or delayed message/information
Message/information available when not expected
False message – False information
Invalid message
Etc.
The guide/key words must be tailored to the system/item concerned, before starting a HAZOP study
What is a HAZOP?
Slide n° 197
Hazard identification was done within a HAZOP session (Hazard and Operability study), i.e. a brainstorming by a group of multidisciplinary experts with different backgrounds, bringing together:
safety experts from the RU
train drivers' and staff's representatives (onboard accompanying staff) for their operational experience
IM representatives, as the infrastructure could also be affected by the change, implying e.g. changes to stations (e.g. installation of mirrors/closed circuit television [CCTV] at platforms) to help the driver
trackside staff of the IM
Each of the identified hazards was assigned a level of severity of risk and consequences (high, medium, low), and the impact of the proposed change on the risk was reviewed against them (increased, unchanged, decreased)
Driver only operated train – Hazard Identification
Slide n° 198
Based on the system definition, the brainstorming team scrutinised the additional tasks to be performed by the train driver, in order to identify all foreseeable hazards that might arise from the removal of onboard assisting staff
In particular, hazard identification looked at what the key operational hazards could be at stations on existing routes where there was assistance from onboard or trackside staff, including the safe dispatch of the trains, specific issues related to the driver, the rolling stock (e.g. door opening/closure check), maintenance requirements, etc.:
Example of hazards identified during the HAZOP (one way of proceeding):
Train departure without closing doors → passengers could fall down onto the track
Door opening on the wrong side → passengers could fall down onto the track
Door closing while passengers are still getting onboard → passengers could be caught between the doors
Driver only operated train – Hazard Identification
Slide n° 199
[Sidebar: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]
Use of Codes of Practice and Reference Systems:
Both CoP (i.e. a set of standards for Driver Only Operation) and similar Reference Systems were used to define safety requirements for the identified hazards, such as:
revised operational procedures for the driver that are required to operate the trains safely without onboard assistance;
any additional equipment necessary onboard or on the track to ensure safe and reliable means of train dispatch;
a checklist for ensuring that the driver's cab is suitable, taking into account the interface between the railway system (both onboard and trackside) and the driver
Revision of the necessary operational rules in compliance with the requirements from the applicable codes of practice and the relevant reference systems.
Driver only operated train – Risk Analysis and Evaluation
Slide n° 200
For the railway undertaking, the hazard management process was part of its safety management system for recording and managing risks.
The identified hazards were registered in a hazard record (similar template as below) with the safety requirements controlling the associated risk, i.e. references to the additional onboard and trackside equipment as well as to the revised operational procedures.
The revised procedures were monitored, and reviewed when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system.

| N° | HZD Origin | Hazard description | Cause | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status |
|---|---|---|---|---|---|---|---|---|---|
| 1 | HAZOP report RX | Opening of doors – risk of passenger fatality | Driver | Driver error through lack of competence or seating position | RU | Training; Cab design | Code of Practice | Partly | Partly closed |
| 2 | HAZOP report RX | Failure of the CCTV – driver cannot see the platform | CCTV | Vandalism; Incorrect/insufficient maintenance | IM | Protection of the equipment; Regular checks | Code of Practice | No | Closed, measures in place |
Driver only operated train – Hazard Record
Slide n° 201
Demonstration of the system compliance with safety requirements:
system implemented vs. identified safety requirements (additional equipment and revised procedures to enable Driver Only Operation)
the revised operational procedures are then introduced in the RU safety management system
the correct application by the driver of the revised procedures, and their efficiency, is monitored and reviewed, when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system, i.e. that the procedures and their application are appropriate to ensure a sufficient level of safety without onboard staff
[Sidebar: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]
Driver only operated train – Demonstration of system compliance with the safety requirements
Slide n° 202
Organisational Change – “Outsourcing of a maintenance branch of an IM”
CSM Application by the IM
Slide n° 203
Outsourcing of a maintenance branch of an IM – System Definition
Example of an organisational change - System Definition
A branch of an IM organisation, which until the change had been performing some maintenance activities (other than signalling and telematics), had to be put in competition with other companies working in the same field. Direct impact: need for downsizing and redistribution of staff and tasks within the detached branch of the IM organisation put in competition
description of the tasks performed by the existing organisation (i.e. by the IM organisation before making the change)
description of the changes planned in the IM organisation to cope with subcontractors’ management
the interfaces of the "branch to be detached" with other surrounding organisations or with the physical environment could only be briefly described. The boundaries could not be 100 % clearly presented
Slide n° 204
Concerns for the IM (i.e. the remaining, not outsourced part)
The IM staff affected by the change was in charge of emergency maintenance and repairs required by sudden faults on the infrastructure. The staff was also performing some planned or project-based maintenance activities such as track packing, ballast cleaning and vegetation control
The IM considered these tasks critical for the safety and punctuality of operation; they had to be analysed in order to find the right measures ensuring that the situation does not deteriorate, as many of the staff in charge of safety matters were leaving the IM organisation for the outsourced company
The same level of safety and train punctuality needed to be maintained during and after the change of the IM organisation
Outsourcing of a maintenance branch of an IM – System Definition
Slide n° 205
Change: outsourcing of a maintenance branch of IM
● significant change (need to cover all questions):
Safety relevant? YES – downsizing, redistribution of staff and tasks → same work with less staff
Low novelty? NO – contractual relation and follow up
Low complexity? NO – new functions in the IM remaining organisation to follow up the subcontractor
Easy monitoring? NO – not easy to check subcontractor efficiency
● Consequence: apply CSM Process
[Flowchart: Safety Relevance – Is it safety related? Yes / No → Other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? → Significant Change → Apply CSM Process]
Outsourcing of a maintenance branch of an IM – Evaluation of the significance of the change
Slide n° 206
[Sidebar: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]
Hazard Identification (e.g. HAZOP):
brainstorming by a group of experts to find all hazards with a relevant influence on the risk brought on by the intended change.
Hazard Classification: high, medium, low risk (severity), and increased, unchanged, decreased risk (impact of the change) compared to the initial situation
Outsourcing of a maintenance branch of an IM – Hazard Identification
Slide n° 207
Hazard identification was done within a HAZOP session (Hazard and Operability study), i.e. a brainstorming by a group of multidisciplinary experts with different backgrounds, bringing together:
safety experts from the IM
system engineers/experts
train drivers
IM staff's representatives from the maintenance department
Etc.
The HAZOP analysis went through a checklist method describing a list of hazards (unwanted events), their causes, the related consequences and frequencies (rough estimates), and the related actions that need to be taken to mitigate these risks. Interdependencies and interfaces between the detached branch and the rest of the IM organisation were particularly examined
Outsourcing of a maintenance branch of an IM – Hazard Identification
Slide n° 208
| Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for implem. safety measure | Safety Measures |
|---|---|---|---|---|---|---|
| 1: Reduced motivation among employees remaining in Company. – Staff continuing to leave without stop. – Demotivated / worn out managers | Missing colleagues, missing certain tasks. Lack of loyalty knowing that the workplace is not going to stay. Heavy workload. Uncertainty | Tasks not performed, increased build up of unperformed works. – Emergency maintenance instead of planned maintenance. Collective worker actions (calling in sick etc). Lack of trust in Company for the managers at IM level | Safety | Higher |  | New round of motivational work for the staff, to be performed in smaller groups. Reallocation of funds so that Company gets meaningful tasks to perform. More frequent inspections by track manager. Allocate funds to make sure that key staff stays throughout the process. Give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks. Etc... |
Outsourcing of a maintenance branch of an IM – Hazard Identification – Sample from the Risk Analysis
Slide n° 209
| Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for implem. safety measure | Safety Measures |
|---|---|---|---|---|---|---|
| 10: Lack of competency in the performance of tasks | Subcontractors of IM lacking skill, competency and quality control | Violation of safety rules. Increased accident frequency. | Safety | Higher |  | Increased demand for documented competence. Systematic control of performed tasks |
| 11: Uncertainty of roles and responsibilities in the interface between Company and IM | Different understandings of roles and responsibilities. Track Manager responsible for accessible tracks, but not for the downsizing and can therefore not take this into account when planning/prioritizing work tasks. Track manager lacks overview of the competencies available in Company. Coordination problems for the delivery when coordination responsibilities are transferred to the track manager | Tasks not being performed or being performed twice. Lack of coordination of resources | Safety | Higher |  | Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces. |
Outsourcing of a maintenance branch of an IM – Hazard Identification – Sample from the Risk Analysis
Slide n° 210
[Sidebar: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]
“Use of Reference System and Risk Evaluation” + “Explicit risk estimation and evaluation”:
The system before the change was judged to have an acceptable level of safety. It was thus used to derive the Risk Acceptance Criteria (RAC) for the system under assessment, i.e. “maintain at least the same level of safety and punctuality throughout the change process and after the change”
For each hazard with increased risk, the IM decided to counterbalance the hazard by appropriate risk-reducing measures. The residual risk was then compared against the RAC to check whether additional measures needed to be identified.
The Hazard and Risk Analysis was documented in a table describing the identified hazards, evaluating the severity and suggesting risk mitigation/control measures (see the risk analysis in the next slide)
Outsourcing of a maintenance branch of an IM – Risk Analysis and Evaluation
Slide n° 211
(Risk analysis table for hazard 1, repeated from Slide n° 208)
Outsourcing of a maintenance branch of an IM – Risk Analysis and Evaluation
Slide n° 212
(Risk analysis table for hazards 10 and 11, repeated from Slide n° 209)
Outsourcing of a maintenance branch of an IM – Risk Analysis and Evaluation
Slide n° 213
Hazard record template columns: Description | Safety Measures | Priority (Safety/Punctuality) | Implementation | Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Date | Status (xx.xx.xx)
Entry shown on the slide (columns without visible content omitted):

| Description | Safety Measures | Priority Safety/Punctuality | Implementation | Responsibility | Status |
|---|---|---|---|---|---|
| Reduced motivation among employees remaining in Company – Staff continuing to leave without stop. – Demotivated / worn out managers | New round of motivational work for the staff, to be performed in smaller groups. Reallocation of funds so that Company gets meaningful tasks to perform. More frequent inspections by track manager. Allocate funds to make sure that key staff stays throughout the process. Give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks. Etc... | High/High | Coordinated by IOP. Regions must look at measures to increase control of tracks, overlap of employees and follow up by line managers. Increased inspections need to be included in the contracts. Etc... | Company Manager | Change of conditions of circumstances have reduced this risk significantly. Work environment analysis performed and some training of staff. |
Outsourcing of a maintenance branch of an IM – Hazard Record
Slide n° 214
Hazard record template columns: Description | Safety Measures | Priority (Safety/Punctuality) | Implementation | Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Date | Status (xx.xx.xx)
Entries shown on the slide (columns without visible content omitted):

| Description | Safety Measures | Priority Safety/Punctuality | Implementation | Notes | Responsibility | Responsibility for verification | Status |
|---|---|---|---|---|---|---|---|
| Subcontractors of the entrepreneurs lacking skill, competency and quality control | Increased demand for documented competence. Systematic control of performed tasks | High/Medium | IM must coordinate. Regions must implement measures for requiring competence and controlling the work | Implemented by contract follow up. Input to revision planning. | Safety manager |  | Increased focus on routines for control (2 operative controls per month and operative area) |
| 11: Uncertainty of roles and responsibilities in the interface between Company and IM (Track manager). | Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces. | Medium/Medium | In each region separately | Implemented by maintenance contract and the strategy plan for the reorganisation | Regional directors | Safety Manager | Regions have presented their strategy. |
Outsourcing of a maintenance branch of an IM – Hazard Record
Slide n° 215
Demonstration of the system compliance with safety requirements:
The risk analysis and the hazard record show that hazards cannot be closed until they are verified and it is demonstrated that the safety requirements (i.e. the selected safety measures) are implemented.
The risk analysis and the hazard record are living documents. The efficiency of the decided actions is monitored at regular intervals to check whether the conditions have changed and whether the risk analysis and risk evaluation need to be updated.
[Sidebar: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]
Outsourcing of a maintenance branch of an IM – Demonstration of system compliance with the safety requirements
Slide n° 216
(Hazard record entry for hazard 1, repeated from Slide n° 213)
Outsourcing of a maintenance branch of an IM – Demonstration of system compliance with the safety requirements
Slide n° 217
(Hazard record entries for hazards 10 and 11, repeated from Slide n° 214)
Outsourcing of a maintenance branch of an IM – Demonstration of system compliance with the safety requirements
Slide n° 218
The Hazard and Risk Analysis was a table describing the identified hazards, evaluating the severity and suggesting risk mitigation/control measures
This information from the risk analysis table was mirrored in the hazard record/log, which also includes additional information on who is responsible for implementing the measure, the deadline for the implementation, who is in charge of the verification of the implementation, and the verification of the efficiency of the identified measure(s)
Indeed, for such organisational changes, the efficiency of the identified actions and decisions had to be monitored to verify whether they fully control the considered risk
This is natural, as it may be difficult to foresee and measure the exact result of a safety measure related to an organisational issue (such as training, motivation of staff, etc.), and the effects have to be followed up closely in a longer process in which the analysis is continuously updated
Outsourcing of a maintenance branch of an IM – Hazard Record
Slide n° 219
Therefore, the risk analysis and the hazard record/log were living documents. The efficiency of the decided actions was monitored at regular intervals to check whether the conditions had changed and whether the risk analysis and risk evaluation needed to be updated. They were updated when actions were performed and hazards “closed”. A status field was updated to describe what actions had been taken or were under way
If any circumstances changed compared to the initial context of the risk analysis, the risk analysis and hazard record/log had to be updated to ensure that the hazards and risks were under control
The hazards that could not be closed (as not all the measures could be implemented and verified rapidly) were followed up. Their status was also monitored and rechecked on several occasions (and further dated status columns were added to the hazard record/log table) to verify that all the hazards would finally be closed
Outsourcing of a maintenance branch of an IM – Hazard Record
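The hazard record described on these slides, as an added example in Python (not code from the workshop, ERA or any IM): it models the DOO hazard record columns, a dated status history for the living document, the closure rule that a hazard is closed only once every safety measure is implemented and verified, and reopening when circumstances change. The per-measure implemented/verified flags and the review dates are constructed, since the slides show only final statuses.

```python
"""Model of a CSM hazard record (hazard log), added as an example for this
workshop material. It is not ERA code; the closure and reopening rules are a
reading of the slides, not the text of Regulation (EC) N°352/2009."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple

CLOSED = "Closed, measures in place"   # status wording from the DOO hazard record


@dataclass
class SafetyMeasure:
    """One safety measure controlling a hazard, with its verification state."""
    description: str
    implemented: bool = False   # put in place by the actor in charge
    verified: bool = False      # implementation and efficiency checked

    @property
    def controlled(self) -> bool:
        # A measure only counts once it is both implemented and verified.
        return self.implemented and self.verified


@dataclass
class HazardEntry:
    """One row of the hazard record, using the column names of the DOO example."""
    number: int
    origin: str                      # e.g. "HAZOP report RX"
    description: str
    cause: str
    actor_in_charge: str             # RU, IM, manufacturer, ...
    measures: List[SafetyMeasure]
    risk_acceptance_principle: str   # Code of Practice / Reference System / Explicit risk estimation
    exported: str = "No"             # No / Partly / Yes: control partly lies with another actor
    history: List[Tuple[date, str]] = field(default_factory=list)  # dated status history

    @property
    def status(self) -> str:
        return self.history[-1][1] if self.history else "Open"

    def review(self, on: date) -> str:
        """Re-assess the status on a review date and append it to the dated history.
        Closure rule: closed only when every measure is implemented AND verified."""
        controlled = [m.controlled for m in self.measures]
        if controlled and all(controlled):
            new_status = CLOSED
        elif any(controlled):
            new_status = "Partly closed"
        else:
            new_status = "Open"
        self.history.append((on, new_status))
        return new_status

    def conditions_changed(self, on: date, note: str) -> str:
        """Circumstances differ from the initial risk analysis: earlier verifications
        no longer hold, so the hazard is reopened for re-evaluation."""
        for m in self.measures:
            m.verified = False
        self.history.append((on, "Reopened: " + note))
        return self.status


def open_hazards(record: List[HazardEntry]) -> List[int]:
    """Numbers of the hazards still to be followed up (anything not fully closed)."""
    return [h.number for h in record if h.status != CLOSED]


def build_doo_record() -> List[HazardEntry]:
    """The two hazards of the DOO hazard record slide. The per-measure flags are
    constructed: the slide shows only the final status of each hazard."""
    doors = HazardEntry(
        number=1, origin="HAZOP report RX",
        description="Opening of doors - risk of passenger fatality",
        cause="Driver error through lack of competence or seating position",
        actor_in_charge="RU",
        measures=[SafetyMeasure("Training", implemented=True, verified=True),
                  SafetyMeasure("Cab design", implemented=True, verified=False)],
        risk_acceptance_principle="Code of Practice", exported="Partly")
    cctv = HazardEntry(
        number=2, origin="HAZOP report RX",
        description="Failure of the CCTV - driver cannot see the platform",
        cause="Vandalism; incorrect/insufficient maintenance",
        actor_in_charge="IM",
        measures=[SafetyMeasure("Protection of the equipment", True, True),
                  SafetyMeasure("Regular checks", True, True)],
        risk_acceptance_principle="Code of Practice", exported="No")
    return [doors, cctv]


def run_demo() -> dict:
    """Review the DOO record, change circumstances for the CCTV hazard, re-review (dates constructed)."""
    record = build_doo_record()
    first = {h.number: h.review(date(2009, 6, 1)) for h in record}
    open_after_first = open_hazards(record)
    record[1].conditions_changed(date(2009, 9, 1), "CCTV maintenance contract changed")
    second = {h.number: h.review(date(2009, 9, 2)) for h in record}
    return {"first": first, "open_after_first": open_after_first,
            "second": second, "open_after_second": open_hazards(record),
            "cctv_history": [s for _, s in record[1].history]}
```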
Slide n° 220
Technical System – “Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system”
CSM Application by the Manufacturer
Slide n° 221
Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – System Definition
[Diagram – Existing technical system: Trackside Encoder → Trackside Loop → Release the signal (1); Extension of Movement Authority (MA) (2). Intended change: Trackside Encoder → Radio In-fill Controller/Modem → GSM → Release the signal (1); Extension of Movement Authority (MA) (2)]
Change to a Technical System – SYSTEM DEFINITION
Slide n° 222
Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – System Definition
System Definition:
description of the existing system: “loop + trackside encoder whose function in CCS is to release signal R→G on approach of a train when the section behind the signal is released by the preceding train”
description of the change planned by the proposer and the manufacturer: “replace the trackside loop by Radio In-fill + Radio Controller + GSM” to achieve the same function
description of the functional and physical interfaces of the loop with the rest of the system: “(P) Interface with Trackside Encoder” – “(F) Transmit message in the airgap (i.e. to the Train Driver) of the signal aspect R or G”
Slide n° 223
Change: Loop → Radio In-fill
● significant change (need to cover all questions):
Safety relevant? YES – the signal in front of the train could be released whereas the preceding train still occupies the section
Low novelty? NO – new principles and technology for the manufacturer
Low complexity? NO – change complex to carry out
● Consequence: apply CSM Process
[Flowchart: Safety Relevance – Is it safety related? Yes / No → Other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? → Significant Change → Apply CSM Process]
Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – Evaluation of the Significance of the Change
Slide n° 224
[Diagram sidebar: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]
Hazard Identification: e.g. by HAZOP
brainstorming by a group of multidisciplinary experts (“safety experts from manufacturer, RU, IM, train drivers, designers of trackside encoder and loop, experts in communication systems, etc.“) to identify the hazards with a relevant influence on the risk brought by the intended change.
[Diagram: Loop / Radio infill → releases signal → risk: provide too permissive MA to approaching train whereas preceding train still occupies section in front of the signal]
Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
Hazard Identification
Slide n° 225
Example of identified hazards during the HAZOP (one way of proceeding):
The “Radio infill + GSM” sub-system shall achieve the same function as the “Loop sub-system”, i.e. ”release the signal RG on approach of a train when section behind the signal is released by preceding train” → same top level hazard: “provide too permissive MA to approaching train whereas preceding train still occupies section in front of the signal”
Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
Hazard Identification
Slide n° 226
Example of identified hazards during HAZOP (one way of proceeding):
[Diagram: “Trackside encoder + loop” → “Trackside encoder + Radio In-fill + GSM”]
Sub-hazards of top hazard “provide too permissive MA…“:
- “delayed transmission or transmission of memorised data packets in the air gap” (i.e. possibly unsafe)
- systematic software errors in the additional equipment (gateway or Radio Controller) that interfaces with the unchanged “Trackside encoder”
- “transmission by hackers of unsafe information in the air gap”, since the "radio infill+GSM" is an open transmission sub-system
- Etc.
Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
Hazard Identification
Slide n° 227
[Diagram sidebar: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]
Use of Ref System and Risk Evaluation:
- The system before the change (loop) is judged to have an acceptable level of safety for releasing the signal aspect. It is used as a Ref Syst to derive the safety requirements for the radio-infill sub-system.
Explicit Risk Estimation and Evaluation:
- analysis of the deviation "Radio in-fill+GSM" vs. "Loop" sub-system;
- see HAZID new hazards for the "radio infill + GSM" sub-system: "radio infill+GSM" is an open transmission sub-system → risk of transmission by hackers of unsafe information in the air gap; delayed transmission or transmission of memorised data packets in the Radio Infill chain;
- explicit risk estimation and use of RAC-TS for designing the Radio Infill Controller part;
Use of CoP and Risk Evaluation:
- EN 50159-2 for safety related communication in open transmission systems provides the safety requirements for controlling the new hazards to an acceptable level, e.g. "data encrypting and protection" + "message sequencing and time stamping";
- use the EN 50128 standard for the development of the Radio Infill Controller software;
Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
Risk Analysis and Evaluation
Slide n° 228
- The existing loop system ensures an acceptable level of safety → used as a Ref Syst, i.e. the Radio In-fill + GSM system shall ensure the same level of safety
- Explicit risk estimation is used to identify the differences between the system under assessment (Radio In-fill + GSM) and the Ref. Syst. (Trackside Encoder + Loop)
- Use explicit risk estimation and RAC-TS for designing the Radio Infill Controller part
- The new hazards identified for the deviations can be controlled by CoP
- For the development of the Radio Controller software, use CENELEC 50128 “Railway applications - Communication, signalling and processing systems – Software for railway control and protection systems”
- The 50128 standard specifies, for each SIL, the levels of independence and the process (including possible techniques for software V&V) that are required for the design, verification and validation of software. Note: 50128 also requires an Independent Safety Assessment whose independence depends on the SW SIL
[Diagram label: SIL 4 Process for SW]
Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
Risk Analysis and Evaluation
Slide n° 229
For transmission in an open medium (air), use CENELEC 50159-2 “Railway applications - Communication, signalling and processing systems - Part 2: Safety related communication in open transmission systems”
Example of hazards linked to transmissions in an open medium (airgap):
- Repetition of messages: “due to a hardware failure the Radio In-fill repeats an old message, possibly unsafe”
- Deletion of messages: “a message is deleted due to a hardware failure”
- Insertion of messages: “an authorised third party involuntarily inserts a message, e.g. the Radio In-fill of another trackside section”
- Corruption of messages: “a message is accidentally changed (e.g. EMI) to another formally correct message”
- Masquerade: “an unauthorised third party voluntarily inserts a message”
- Etc.
The 50159-2 CoP provides measures for protecting against those hazards (e.g. CRC, time stamping, message sequencing, etc.). For more information see 50159-2.
Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
Risk Analysis and Evaluation
Slide n° 230
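As an added illustration (not part of the workshop slides, nor ERA's, CENELEC's or any supplier's code) of how the 50159-2 type defences listed above work together, the constructed receiver below accepts a "release the signal" message only if it carries the expected section identifier, the next sequence number, a fresh time stamp and a valid keyed integrity code; every defect falls to the restrictive aspect. The message layout, the shared key, the section identifier and the age limit are assumptions made for the example.

```python
import hmac, hashlib, struct
from typing import Optional

# Constructed illustration (not ERA's, CENELEC's or any supplier's code) of the
# EN 50159-2 style defences the slide lists: source identification, message
# sequencing, time stamping and a keyed integrity code. Layout, key and limits
# are assumptions.
KEY = b"constructed-shared-key"  # assumed pre-shared between encoder and receiver
SECTION_ID = 7                    # assumed identifier of the section this receiver serves
MAX_AGE = 5                       # assumed max message age in seconds before it is stale
BODY_LEN, TAG_LEN = 11, 32        # ">HIIc" body + SHA-256 HMAC tag

def pack(section: int, seq: int, ts: int, aspect: str, key: bytes = KEY) -> bytes:
    """Build a message: section id, sequence number, timestamp, aspect, keyed MAC."""
    body = struct.pack(">HIIc", section, seq, ts, aspect.encode())
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Fail-safe receiver: any defect yields the restrictive aspect 'R'."""
    def __init__(self, section: int = SECTION_ID, key: bytes = KEY, max_age: int = MAX_AGE):
        self.section, self.key, self.max_age = section, key, max_age
        self.last_seq: Optional[int] = None

    def check(self, msg: bytes, now: int) -> str:
        if len(msg) != BODY_LEN + TAG_LEN:
            return "R"  # truncated or oversized frame: treated as corruption
        body, tag = msg[:BODY_LEN], msg[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "R"  # corruption (e.g. EMI) or masquerade by an unauthorised sender
        section, seq, ts, aspect = struct.unpack(">HIIc", body)
        if section != self.section:
            return "R"  # insertion: message from another trackside section
        if self.last_seq is not None and seq <= self.last_seq:
            return "R"  # repetition: an old or re-ordered message
        if self.last_seq is not None and seq > self.last_seq + 1:
            self.last_seq = seq  # resynchronise the chain, but do not trust this message
            return "R"  # deletion: messages missing from the sequence
        if now - ts > self.max_age:
            return "R"  # delay: a memorised packet delivered too late
        self.last_seq = seq
        return "G" if aspect == b"G" else "R"
```

A real installation would derive the field sizes, the key management and the tolerances from the applicable CoP and from the safety case; here they only serve to make the checks concrete.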
The identified hazards, the safety measures and the resulting safety requirements issued from the risk assessment and the application of the three risk acceptance principles were registered and managed in a hazard record using a form similar to the table below:

| N° HZD | Origin | Hazard description | Cause | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status |
|---|---|---|---|---|---|---|---|---|---|
| 1 | HAZOP report RX | Transmission of old and unsafe messages | Radio in-fill controller hardware | | Manufacturer | RAC-TS for Radio In-fill design | Explicit risk estimation | Radio In-fill sub-contractor | Closed |
| 1 | HAZOP report RX | (same hazard) | Radio in-fill controller software; GSM | | Manufacturer | CENELEC 50128, 50159-2 | Code of Practice | Radio In-fill sub-contractor | Closed |
| 2 | HAZOP report RX | Open-transmission medium | Radio in-fill controller; Hacker | Dedicated standards available | Manufacturer | CENELEC 50159-2 | Code of Practice | Radio In-fill sub-contractor | Closed |

Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
Hazard Record
Slide n° 231
[Diagram sidebar: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]
Demonstration of the system compliance with the safety requirements:
- follow-up of the implementation of the safety requirements through the development process of the "radio infill + GSM” sub-system;
- verification that the system, as designed and installed, is compliant with the safety requirements.
This includes follow-up, during design and V&V of the Radio In-fill, of all requirements from CoP (CENELEC 50128 & 50159-2 for the software of the Radio In-fill) + demonstration of achievement of RAC-TS for random hardware failures of the Radio In-fill sub-system
Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
Demonstration of system compliance with the safety requirements
Slide n° 232
Conclusions of the workshop
Slide n° 233
8 – Conclusions
• CSM regulation N°352/2009 defines the overall framework for a harmonised and transparent risk management and risk assessment process in all EU Member States (i.e. WHAT must be done);
• The overall purpose is to:
maintain (and improve where necessary) the level of safety in European railways
enable the mutual recognition of results from risk assessments and limit the additional assessments and demonstrations only to the differences when going to operate in other Member States;
• CSM regulation N°352/2009 does not impose HOW to fulfil those overall requirements. There is nothing new in the CSM Regulation; it is based on existing EU practices for managing risks → freedom is left to the Proposer to decide what detailed methods and tools he will use for achieving the CSM regulation requirements
Slide n° 234
8 – Conclusions
• The regulation must be applied for significant changes;
• Even if a change is not significant, the proposer must control the risks (this is an SMS requirement). The Hazard Record and Assessment Body are not mandatory for non-significant changes
• CSM regulation uses the ISO standard terminology related to risk management and risk assessment → EU railway actors need to:
- compare their existing practices for managing railway safety with the requirements in the CSM regulation
- identify the few new steps/tasks requested by the CSM regulation
- perform new risk assessments using this new harmonised process
• The experience of other Member States that have applied such a process for a long time (e.g. Scandinavian countries) shows that for first applications the proposer produces too much documentation, but with increasing experience in risk assessment the amount of paper produced decreases
Slide n° 235
8 – Conclusions
• KEY INFORMATION TO REMEMBER: the CSM regulation requires that the proposer must:
- know why the safety requirements from Codes of Practice, Similar Reference Systems or Explicit Risk Estimation are used
- identify the hazards related to the change and ensure that the associated risks are controlled + link the identified hazards to the RAP used for controlling the associated risk
- document the risk management and risk assessment → use of a Hazard Record for recording the essential information
- have a transparent process that is auditable by an independent assessment body
Slide n° 236
8 – Conclusions
• The European Railway Agency and the Safety Assessment Sector team are available for answering questions you may have when applying the CSM regulation on risk assessment.
• E-mail addresses of the Safety Assessment Sector team:
- Dragan JOVICIC (Safety Assessment Sector in SU of ERA) - E-mail: [email protected]
- Karen DAVIES (Safety Certification Sector in SU of ERA) - E-mail: [email protected]
- Thierry BREYNE (Head of Safety Assessment Sector in SU of ERA) - E-mail: [email protected]
- Nathalie DUQUENNE (Safety Assessment Sector in SU of ERA) - E-mail: [email protected]
- Maria ANTOVA (Safety Assessment Sector in SU of ERA) - E-mail: [email protected]
Slide n° 237
Many thanks for your attention!