Slide n° 1 Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment

Dissemination of the Commission Regulation on Common Safety Methods (CSM… · 2017. 8. 21. · Dissemination of Commission Regulation on CSM on Risk Assessment Slide n° 2 European


Slide n° 2

European Railway Agency: Presentation of the team involved in the dissemination

ERA Team involved in dissemination of CSM on risk assessment:

Karen DAVIES (Safety Certification Sector in SU of ERA)

E-mail: [email protected]

Dragan JOVICIC (Safety Assessment Sector in SU of ERA)

E-mail: [email protected]

Thierry BREYNE (Head of Safety Assessment Sector in SU of ERA)

E-mail: [email protected]

Maria ANTOVA (Safety Assessment Sector in SU of ERA)

E-mail: [email protected]

Nathalie DUQUENNE (Safety Assessment Sector in SU of ERA)

E-mail: [email protected]

Christophe CASSIR (Safety Assessment Sector in SU of ERA)

E-mail: [email protected]


Slide n° 3

Objectives & Organisation of the

CSM Dissemination Workshop

Slide n° 4

Purpose and Organisation of the workshop

Purpose of the workshop:

Explain to concerned actors of the railway sector the risk assessment and risk management process defined in the Commission Regulation (EC) N°352/2009

3 Steps for the present workshop:

1st Step: transmit a pre-workshop questionnaire to all participants

2nd Step: collect answers to that pre-workshop questionnaire to orientate the workshop to specific needs of the visited Member States

3rd Step: visit to Member States and presentation of CSM process

Presentation of CSM process split into an “INTRODUCTION” + “6 Modules” (see next slides)

Slide n° 5

For presentation purposes, CSM Process split into 7 topics (see questionnaire)

(1) Introduction

(2) What is a significant change?

(3) Hazard Identification phase;

(4) Risk analysis and evaluation

(5) Hazard Management and Hazard Records;

(6) Demonstration of system compliance with the safety requirements

(7) Independent assessment of correct application of CSM Process by an Assessment Body

[Diagram: Modular Presentation of the CSM process; topics (2) to (7) arranged around INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Annex III (2)(g) of SD]]

Slide n° 6

Time sharing of the two days of the workshop

Presentation by the Agency of each module

Explanation of the requirements in the CSM Regulation (theory)

Presentation of the application of those CSM requirements to practical examples (concrete cases of risk assessment)

Relevant “QUESTIONS” from the participants on the presented module & “ANSWERS” by the Agency

At the end of the 1st day and at the end of the module presentations on the 2nd day, all actors of the same Member State are asked to meet for “internal discussions among representatives of the MS” (brainstorming), followed by a session of questions and answers (debriefing)

Slide n° 8

Overall outputs of the CSM dissemination exercise

1st step: via both the “pre-workshop questionnaire” and the “8 CSM dissemination workshops” collect railway sector experience and feedback on risk assessment, their ideas and suggestions for improving CSM Regulation and/or associated guides

2nd step: continue CSM dissemination exercise by a review of and feedback based on real case examples of changes to railway system where CSM process is applied (in coordination with the NSAs)

2011: use results from “dissemination workshops” + from “review of real case examples” (i.e. 2nd step of CSM dissemination) for writing a report on experience with application of “CSM on Risk Assessment”. This report is to be submitted to the Commission by end of 2011. It is aimed to serve as a basis for improving CSM Regulation and/or the associated guides for application of CSM

Slide n° 9

Number of workshops

When                Group   Group composition (Member State)   Location
June 2009           1       DK FI NO SE                        Stockholm
September 2009      2       AT CH DE SL                        Maribor
October 2009        3       CZ HU PL SK                        Prague
November 2009       4       BE FR LU                           Amiens
February 2010       5       BG EL RO                           Sofia
March 2010          6       NL IE UK                           Utrecht
April 2010          7       IT PT ES                           Madrid
May 2010            8       EE LV LT                           Riga
Concluding Seminar  N/A     All EU Member States               Agency


Slide n° 10

Time schedule for CSM dissemination workshop

Slide n° 11

Time schedule for CSM dissemination workshop: 1st day of workshop

1st day: 10:00 to 18:00

09:00 – 10:00: Welcome

10:00 – 10:45: Opening of Workshop & Introductory Presentations

10:45 – 11:00: Coffee Break

11:00 – 12:30: Significant Changes

12:30 – 13:30: Lunch Break

13:30 – 14:30: Hazard Identification

14:30 – 15:45: Risk Analysis and Evaluation

15:45 – 16:00: Coffee Break

16:00 – 16:30: Hazard Record

16:30 – 17:15: Internal discussions among representatives of each MS

17:15 – 18:00: Questions/discussion and feedback from those discussions

Slide n° 12

Time schedule for CSM dissemination workshop: 2nd day of workshop

2nd day: 9:00 to 16:00

09:00 – 10:15: Demonstration of system compliance with safety requirements

10:15 – 11:00: Assessment Bodies

11:00 – 11:15: Coffee Break

11:15 – 12:15: Internal discussions among representatives of each MS

12:15 – 13:15: Lunch Break

13:15 – 14:00: Questions/discussion and feedback from those discussions

14:00 – 14:15: Coffee Break

14:15 – 15:00: Conclusions and close out of the workshop


Slide n° 13

(1) Introduction

Slide n° 14

A. Role of the European Railway Agency

B. Overview of the Commission Regulation on CSM on Risk Assessment

C. Guides for the application of the CSM Regulation

D. 6 Detailed Presentations for different steps in CSM Process

E. First Example for CSM Application: operational change

F. Second Example for CSM Application: organisational change

G. Third example for CSM Application: change of a technical system

1 - Introduction: Content of presentation


Slide n° 15

A. Role of the European Railway Agency

Slide n° 16

The objectives of the European Union are...

... to open the railway market to competition for the rail transport services and the railway supply industry!

... to make railways business oriented and competitive! (hence the need for technical harmonisation (interoperability))

... to prevent the sector from using safety as a barrier to market access or an excuse to resist change!

Some cornerstones in EC law for achieving those goals:

Separation of former vertically integrated railway companies into IMs and RUs

Moving the railways from self-regulation to regulation by public authorities

Introducing a framework for entry into the market for railway undertakings (licensing and safety certification)

Maintaining at least, and increasing when reasonably practicable, the existing level of safety and creating a basis for mutual trust through the development of common approaches to safety, taking into account the competitiveness of railways

Transparency of safety data and CSIs, definition of CSTs and CSMs

Slide n° 17

Need for support at Community level: establishment of the European Railway Agency

The technical harmonisation (interoperability) and the development of CSTs, CSMs and CSIs, as well as the need to facilitate progress towards a common approach to railway safety, require technical support at Community level.

The European Railway Agency (ERA) was therefore set up with the aim of helping to create this integrated railway area by establishing a European approach to railway safety (Safety Directive 2004/49/EC) and interoperability (Interoperability Directive 2008/57/EC).

Slide n° 19

A – Role of the European Railway Agency: Legal basis for the Agency’s work

The Agency’s tasks and, hence, its organisational structure are based on mainly three components:

European Directives (Railway Safety Directive, Interoperability Directives, …)

Work Programme (annually adopted by the Administrative Board)

Regulation (EC) N° 881/2004 (Agency Regulation)

[Diagram: ERA shown with the three components above feeding into it]

Slide n° 20

A – Role of the European Railway Agency: Organisation Chart of the Agency

Slide n° 22

A – Role of the European Railway Agency: Agency Tasks (2/3)

Safety Regulation

Validation and registration of the notifications of national safety rules, including an analysis of their mode of publication

Technical advice on new national safety rules and on safety-related aspects

Safety Reporting

Elaboration of common safety indicators as well as monitoring and analysis of the development of safety on Europe’s railways, including dissemination of information

Common methods and approaches to accident investigation

Safety Certification

Common Safety Method for Conformity Assessment

Development of a migration strategy towards a single Community certificate

Certification Scheme for the Entity in Charge of Maintenance

Slide n° 23

A – Role of the European Railway Agency: Agency Tasks (3/3)

Safety Assessment

CSM for risk assessment

CSM on monitoring

Methodology for calculating and assessing the achievement of safety targets for EU Member States

Definition, for each Member State, of their respective safety targets including their assessment

Horizontal Activities

Support to the national safety authorities and investigating bodies to facilitate their exchange of information and harmonisation of decision making criteria by setting up networks and task forces

Public databases of safety related documents such as safety certificates, licences, national safety rules, investigation reports and indicators

Slide n° 25

A – Role of the European Railway Agency: Involvement of the Railway Sector

Article 3 of Agency Regulation (EC) N° 881/2004 obliges the Agency to set up working groups according to the tasks given in the regulation and by the Agency Work Programme. Sector Associations are asked to send experts to participate and contribute.

[Diagram: the Agency’s Working Parties draw on Railway Sector Experts (from sector organisations acting at European level*: UNIFE, CER, EIM, UITP, UIP, UIRR, ERFA, ETF, ALE) and on National Safety Authorities’ experts; the Network of National Safety Authorities and the Network of National Investigation Bodies are shown alongside the Working Parties]

* List established by Article 21 Committee on 22 February 2005

Slide n° 26

A – Role of the European Railway Agency: Decision Process (Comitology)

European Railway Agency: No decision power for the Agency. The Agency gives recommendations to the Commission and technical opinions upon specific request!

[Diagram: the Working Party (CER, EIM, UNIFE, NSA, ...) and the NSA Network …, followed by internal reconcilement …, lead to the Agency Recommendation; the Commission / RISC (with Social Partners and Passengers/Customers), Parliament Scrutiny and Adoption follow]


Slide n° 27

B. Overview of the Commission Regulation on CSM on Risk Assessment

Slide n° 28

B – Overview of Commission Regulation on CSM on Risk Assessment: Status

Sept 05: Kick off meeting of the CSM WG (15 NSA, 5 CER, 2 EIM, 3 UNIFE, 1 UITP) – Work program of the WG

2006: Survey and inputs from CSM WG members

2007:

o CSM recommendation drafted by the Agency with support of a dedicated TF – Reviews by the WG.

o Consultation of the social partners

o Dec 07: ERA recommendation to the EC

Slide n° 29

B – Overview of Commission Regulation on CSM on Risk Assessment: Status

2008:

o Discussion within the RISC and dedicated workshop organised by the EC (technical support from the Agency)

o Positive opinion of the RISC in November 08

2009:

o Scrutiny of the EU parliament

o Publication of the EC regulation (n°352/2009) in the OJ (L108) of the 24 April 09

o Dissemination by the Agency (continued in 2010)

Slide n° 30

Terminology: Terms in CSM Regulation – Terms in CENELEC

Safety Directive 2004/49                                   EN 50126-1
Infrastructure Manager (IM) / Railway Undertaking (RU)     Railway Authority
National Safety Authority (NSA)                            Safety Regulatory Authority
Supplier/Manufacturing Industry                            Railway Support Industry

Slide n° 31

Terminology: Terms in CSM Regulation – National Terms

Term                             Estonian                           Lithuanian                                Latvian
Proposer                         taotleja                           pasiūlymo teikėjas                        priekšlikuma iesniedzējs
Infrastructure Manager (IM)      raudteeinfrastruktuuri-ettevõtja   geležinkelių infrastruktūros valdytojas   infrastruktūras pārvaldītājs
Railway Undertaking (RU)         raudtee-ettevõtja                  geležinkelio įmonė                        dzelzceļa pārvadājumu uzņēmums
National Safety Authority (NSA)  riiklik ohutusasutus               nacionalinė saugos institucija            valsts drošības iestāde

Slide n° 32

B – Overview of Commission Regulation on CSM on Risk Assessment: Link of CSM to RU/IM SMS in Article 9 of Safety Directive 2004/49/EC

Article 9 requires that "IM and RU shall establish their SMS..."

Basic elements of SMS in Annex III of Safety Directive 2004/49/EC

Annex III(2)(d): "Procedures and methods for carrying out risk evaluation and implementing risk control measures whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations"

One of the SMS processes in Annex III

The obligation for RUs/IMs to have a risk assessment process in place is a basic element of the SMS in Annex III of directive 2004/49/EC

RU and IM SMS will thus achieve the compliance with the procedures and methods required by the associated "conformity assessment criteria" [developed by ERA Safety Certification Sector] by referring to the CSM on Risk Assessment

Slide n° 33

B – Overview of Commission Regulation on CSM on Risk Assessment: Link of CSM to Article 15 in Interoperability Directive 2008/57/EC

Article 15 requires among others that before authorising "the placing into service of those structural subsystems constituting the rail system which are located or operated in its territory", "in particular" the Member State "shall check":

"the technical compatibility of these subsystems with the system into which they are being integrated",

"the safe integration of these subsystems in accordance with Article 4(3) and Article 6(3) of Directive 2004/49/EC".

Article 6(3)(a) of Directive 2004/49/EC: "The CSMs shall describe how the safety level, and the achievement of safety targets and compliance with other safety requirements, are assessed by elaborating and defining risk evaluation and assessment methods"

Article 4(3) of Directive 2004/49/EC:

"Member States shall ensure that the responsibility for the safe operation of the railway system and the control of risks associated with it is laid upon the infrastructure managers and railway undertakings,..."

"Without prejudice to civil liability in accordance with the legal requirements of the Member States, each infrastructure manager and railway undertaking shall be made responsible for its part of the system and its safe operation,"

Article 6(3)(a) of SD referred to also in Articles 23(5) and 25(4) of ID

Slide n° 34

B – Overview of Commission Regulation on CSM on Risk Assessment: Strategy for developing CSM based on existing methods in EU

Two main considerations taken into account for developing CSM on RA

Harmonise a common approach for safety assessments based on existing safety assessment methods in EU. Therefore:

As the Railway Sector already has a strong safety culture, freedom is left to each organisation to use its already approved Risk Assessment Methods/Tools/Techniques

CSM provides Common Principles but does not fix the Tools (e.g. FTA, FMECA)

CSM privileges the use of standards and reference systems

Advice on Risk Assessment “tools” is given in a guideline developed alongside the CSM

Railways being organised into RUs & IMs, all activities at the interfaces between the different actors must be managed carefully

Clear identification of the different actors’ responsibilities

Facilitate mutual recognition of results from risk assessments. This requires harmonisation of:

risk management process;

exchange of safety related information between actors for managing the safety across the different interfaces;

evidence resulting from application of risk management process

Slide n° 35

B – Overview of Commission Regulation on CSM on Risk Assessment: WHO shall apply the CSMs? The Proposer

The risk management process described in the CSM shall be applied by the person in charge of implementing the change under assessment. This person is referred to in CSM Regulation as the "proposer".

The proposer can be one of the following actors:

(a) the Railway Undertakings and Infrastructure Managers in the framework of the risk control measures they have to implement in accordance with Article 4 of the Safety Directive 2004/49/EC;

(b) the contracting entities or the manufacturers when they invite a notified body to apply the "EC" verification procedure in accordance with Article 18(1) of the Interoperability Directive 2008/57/EC or the applicant of an authorisation for placing in service of vehicles;

Where necessary, the proposer shall ensure, through contractual arrangements, that suppliers and service providers, including their subcontractors, participate in the risk management process described in the CSM.

Slide n° 36

B – Overview of Commission Regulation on CSM on Risk Assessment: Risk Management Process and Independent Assessment

Basically CSM is an iterative process made of 3 steps:

(a) Identification of hazards, associated safety measures and resulting safety requirements

(b) Risk analysis and risk evaluation based on existing risk acceptance principles

(c) Demonstration of the system compliance with the identified safety requirements

Additional requirements for mutual recognition:

(a) Hazard Management

(b) Independent Assessment (Assessment Body)

[Diagram: Iterative Risk Management Process “triggered” by a Significant Change. Preliminary System Definition → Significant Change? → SYSTEM DEFINITION → RISK ASSESSMENT, comprising HAZARD IDENTIFICATION AND CLASSIFICATION, RISK ANALYSIS and RISK EVALUATION (vs. Risk Acceptance Criteria) using Codes of Practice, Similar Reference Systems or Explicit Risk Estimation → Safety Requirements (i.e. safety measures to be implemented) → Demonstration of Compliance with Safety Requirements. HAZARD MANAGEMENT [Annex III (2)(g) of SD] and INDEPENDENT ASSESSMENT span the whole process.]
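The iterative process on this slide, as a constructed Python model added here (not ERA's tooling or a reference implementation of the Regulation): it shows how hazard identification, risk evaluation against one of the three acceptance principles, iteration on safety requirements, demonstration of compliance and the assessment body's findings fit together in a hazard record. The hazards, measures, compliance proofs and the tolerable-frequency criterion are assumptions made for the example.

```python
"""Illustrative model of the iterative CSM risk management process shown on the slide.

Added example, not ERA's tooling: the hazards, safety measures, compliance evidence
and the tolerable-frequency criterion are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Principle(Enum):
    """The three risk acceptance principles offered by the CSM for risk evaluation."""
    CODE_OF_PRACTICE = "code of practice"
    REFERENCE_SYSTEM = "similar reference system"
    EXPLICIT_ESTIMATION = "explicit risk estimation"


@dataclass
class Hazard:
    hid: str
    description: str
    principle: Principle
    evidence: str = ""                 # code of practice / reference system applied
    frequency: Optional[float] = None  # estimated rate per operating hour (explicit estimation)
    requirements: list = field(default_factory=list)   # safety requirements (measures to implement)
    compliance: dict = field(default_factory=dict)     # requirement -> evidence it is met
    status: str = "open"               # open -> controlled -> closed


class HazardRecord:
    """Hazard management: the register in which each hazard is tracked until closure."""

    def __init__(self, tolerable_frequency: float):
        # Assumed risk acceptance criterion for explicit risk estimation (example value).
        self.tolerable_frequency = tolerable_frequency
        self.hazards: dict = {}

    def identify(self, hazard: Hazard) -> None:
        """Step (a): hazard identification; every identified hazard enters the record."""
        self.hazards[hazard.hid] = hazard

    def evaluate(self, hazard: Hazard) -> bool:
        """Step (b): risk evaluation against the chosen risk acceptance principle."""
        if hazard.principle is Principle.EXPLICIT_ESTIMATION:
            return hazard.frequency is not None and hazard.frequency <= self.tolerable_frequency
        # Codes of practice / reference systems: acceptable once the code or reference
        # is identified and the safety requirements it imposes have been derived.
        return bool(hazard.evidence) and bool(hazard.requirements)

    def apply_measure(self, hid: str, requirement: str,
                      frequency_after: Optional[float] = None) -> bool:
        """One iteration: a safety measure becomes a safety requirement, then re-evaluate."""
        h = self.hazards[hid]
        h.requirements.append(requirement)
        if frequency_after is not None:
            h.frequency = frequency_after   # residual risk after the measure (assumed)
        h.status = "controlled" if self.evaluate(h) else "open"
        return h.status == "controlled"

    def demonstrate_compliance(self, hid: str, requirement: str, proof: str) -> None:
        """Step (c): record evidence that an identified safety requirement is met."""
        h = self.hazards[hid]
        if requirement not in h.requirements:
            raise ValueError(f"{requirement!r} is not a safety requirement of {hid}")
        h.compliance[requirement] = proof
        if h.status == "controlled" and all(r in h.compliance for r in h.requirements):
            h.status = "closed"

    def independent_assessment(self) -> list:
        """Findings an assessment body would raise before accepting the record."""
        findings = []
        for h in self.hazards.values():
            if h.status == "open":
                findings.append(f"{h.hid}: risk not shown acceptable under {h.principle.value}")
            missing = [r for r in h.requirements if r not in h.compliance]
            if missing:
                findings.append(f"{h.hid}: no compliance evidence for {missing}")
        return findings


def doo_example() -> HazardRecord:
    """Constructed walk-through for the driver-only-operation change discussed on the page."""
    rec = HazardRecord(tolerable_frequency=1e-7)
    rec.identify(Hazard("H1", "Train departs with a passenger trapped in a door",
                        Principle.EXPLICIT_ESTIMATION, frequency=1e-5))
    rec.identify(Hazard("H2", "Driver closes doors and dispatches without a guard's check",
                        Principle.CODE_OF_PRACTICE, evidence="[assumed national operating rule]"))
    # First iteration: H1 stays above the criterion, H2 gets its derived requirement.
    rec.apply_measure("H1", "door obstruction detection", frequency_after=5e-7)
    rec.apply_measure("H2", "driver trained and certified on the DOO dispatch procedure")
    # Second iteration for H1: cab-viewable platform monitors bring residual risk under the criterion.
    rec.apply_measure("H1", "platform monitors viewable from the cab", frequency_after=5e-8)
    rec.demonstrate_compliance("H1", "door obstruction detection", "type test report [assumed]")
    rec.demonstrate_compliance("H2", "driver trained and certified on the DOO dispatch procedure",
                               "training records [assumed]")
    return rec
```

Running `doo_example()` and then `independent_assessment()` leaves exactly one finding: H1 is controlled but one of its requirements still lacks compliance evidence, which is the kind of gap the assessment body checks before the change can be accepted.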

Slide n° 37

B – Overview of Commission Regulation on CSM on Risk Assessment: Entry into force

CSM Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union;

CSM Regulation shall apply in two steps:

(a) from 19 July 2010

(1) to all significant changes affecting vehicles, as defined in Article 2(c) of Directive 2008/57/EC;

(2) to all significant changes concerning structural sub-systems, where required by Article 15(1) of Directive 2008/57/EC or by a TSI;

(b) from 1 July 2012 to the whole scope as referred to in Article 5(1) of CSM Regulation, i.e. to other technical systems, operational and organisational changes considered to be significant by application of paragraph 2 in Article 4 of CSM Regulation;

In order to gain experience and enable the Agency to get feedback for reviewing the CSM at the latest at the end of 2011, the actors of the railway sector should apply the CSM Regulation on a voluntary basis to other changes (technical, operational and organisational) from 1 July 2010;

CSM Regulation shall not apply to systems and changes that are at an advanced stage of development, as defined in Directive 2008/57/EC, at the date of entry into force of the Regulation [Article 2(4) in CSM Regulation].


Slide n° 38

C. Guides for the application of the CSM Regulation

Slide n° 39

C - Guides for the application of the CSM Regulation: How was it elaborated?

During the elaboration of the CSM Recommendation, ERA worked in parallel on a "Guidance for Use" for supporting the CSM Recommendation;

Inputs for the "CSM Guidance for Use" [purely informative and not legally binding] were collected during CSM WG and CSM TF meetings, where members asked to describe further in the "Guidance for Use" requirements that could not be detailed at length in a legal text;

According to those requests, as well as to questions raised within internal ERA meetings, ERA elaborated an initial "Guidance for Use" and updated it against the different versions of the Agency CSM recommendation and Commission Regulation;

ERA regularly reported the progress on the guidance for use to the CSM WG during the plenary meetings;

Based on the content of the "Guidance for Use", CSM WG and ERA then agreed to split the "Guidance for Use" into two new separate documents:

1st document: "Guide for the Application of the Commission Regulation on CSM on Risk Assessment"

2nd document: "Collection of Examples of Risk Assessments and some possible Tools supporting the CSM"

Slide n° 40

C - Guides for the application of the CSM Regulation: Complementarities between Guide and Collection of RA examples

Structure of both documents mapped on the regulation;

[GUIDE]

Provides general comments and explanations that could not be put in the legal text. ERA has taken care not to introduce via the document any new requirement that is not already identified in the CSM Regulation;

[Guide] is more static and would not be modified unless the CSM process needs to be updated;

[COLLECTION OF EXAMPLES]

Provides additional information (e.g. reference to standards or possible ways to address the requirements of the CSM) and examples of risk assessments performed in the railway sector before the existence of the CSM;

Document offers the possibility to be updated with first implementations of CSM process and any useful tools and techniques, or examples of RA, that could help other actors to apply the CSM;

Slide n° 41

C - Guides for the application of the CSM RegulationComplementarities between Guide and Standards

ECR

egu

lati

on

Gu

ide

Current Situation

Co

llect

ion

of

Exam

ple

s

ECR

egu

lati

on

Gu

ide

Future Situation


Slide n° 42

D. 6 Detailed Presentations for different steps in CSM Process

Slide n° 43

D. Detailed Presentation of CSM Process: Go through different steps of CSM Process

For presentation purposes, CSM Process split into 7 topics (see questionnaire)

(1) Introduction

(2) What is a significant change?

(3) Hazard Identification phase;

(4) Risk analysis and evaluation

(5) Hazard Management and Hazard Records;

(6) Demonstration of system compliance with the safety requirements

(7) Independent assessment of correct application of CSM Process by an Assessment Body

[Diagram: Modular presentation of the CSM process; topics (2) to (7) arranged around INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Annex III (2)(g) of SD]]

Slide n° 44

F. 2nd example for CSM Application - Operational Change: Driver only operated train

1st example: operational change - System Definition

RU has decided to operate trains with Driver alone (Driver Only Operated train – DOO) on a route where previously there was an onboard guard to assist the driver with the train dispatching

Description of existing system: “explain clearly which tasks were performed by driver and which other ones were carried out by onboard staff (or guard) to assist the driver”

Description of change of driver's responsibilities due to removal of onboard assisting staff, “e.g. door closing before train departure”

Definition of additional technical requirements for system to cover needed changes in Driver Only Operation

Describe existing interfaces between onboard assisting staff, train driver and trackside staff of infrastructure manager

Slide n° 45

G. 3rd example for CSM Application - Organisational Change: Outsourcing of a maintenance branch of an IM

2nd example: organisational change - System Definition

A branch of an IM organisation, that was performing until the change some maintenance activities (other than signalling and telematic), had to be put in competition with other companies working in the same field. Direct impact: need for downsizing and redistribution of staff and tasks within the detached branch of the IM organisation put in competition

description of tasks performed by existing organisation (i.e. by IM organisation before making the change)

description of changes planned in IM organisation to cope with subcontractors’ management

the interfaces of "branch to be detached" with other surrounding organisations or with physical environment were only briefly described. The boundaries were not 100 % clearly presented

Slide n° 46

G. 3rd example for CSM Application - Organisational Change: Outsourcing of a maintenance branch of an IM

2nd example: organisational change – Concerns for IM

IM staff affected by change was in charge of emergency maintenance and repairs required by sudden errors on the infrastructure. Staff was also performing some planned or project based maintenance activities such as track packing, ballast cleaning, vegetation control

IM considered these tasks critical for safety and punctuality of operation; they had to be analysed in order to find the right measures to ensure that the situation does not deteriorate, as many of the staff in charge of safety matters were leaving the IM organisation for the outsourced company

Same level of safety and train punctuality needed to be maintained during and after the change of the IM organisation

Slide n° 47

E. First example for CSM Application - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

[Figure: Existing technical system: Trackside Encoder + Trackside Loop, performing (1) Release the signal and (2) Extension of Movement Authority (MA). Intended Change: Trackside Encoder + Radio In-fill Controller/Modem + GSM, performing the same (1) Release the signal and (2) Extension of Movement Authority (MA)]

3rd example: Change to a Technical System - System Definition

Slide n° 48

E. 1st example for CSM Application - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

3rd example - System Definition:

description of existing system: “loop+trackside encoder whose function in CCS is to release signal RG on approach of a train when section behind the signal is released by preceding train”

description of change planned by the proposer and the manufacturer: “replace trackside loop by Radio-Infill + Radio Controller + GSM to achieve same function”

Slide n° 49

General remarks on pre-workshop questionnaire

ERA asked the NSA to send to the participants with the invitation a preparatory pre-workshop questionnaire

ERA did not receive a lot of answers. Hence there are no replies reported in the presentation

Consequently this leaves more time for an open discussion (Questions/Answers) with the participants.

ILLUSTRATIVE EXAMPLES: in the questionnaire ERA invited participants to come with examples that they wanted to share and discuss with ERA and the other participants. As not many replies were received, no examples were proposed to illustrate some of the steps of the CSM process on risk assessment

Slide n° 50

(2) Significant Change

Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment

Slide n° 51

2 – Significant Change: First Step in CSM Process

For presentation purposes, CSM Process split into 7 topics (see questionnaire)

(1) Introduction

(2) What is a significant change?

(3) Hazard Identification phase;

(4) Risk analysis and evaluation

(5) Hazard Management and Hazard Records;

(6) Demonstration of system compliance with the safety requirements

(7) Independent assessment of correct application of CSM Process by an Assessment Body

[Figure: CSM process diagram, topics (2) to (7) mapped onto the process, with INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Annex III(2)(g) of SD] as cross-cutting activities]

Slide n° 52

2 – Significant Change: WHEN shall the CSMs be applied [Article 2]?

Applies to any change of the railway system in a Member State, as referred to in point (2)(d) of Annex III to Safety Directive 2004/49/EC, which is CONSIDERED TO BE SIGNIFICANT

Annex III(2)(d): requires that RU/IM SMS has "procedures and methods for carrying out risk evaluation ... whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations"

Such changes may be of technical, operational or organisational nature.

[Figure: CSM process diagram. Change → Significant Change? (i.e. must CSM be applied or not?) → Preliminary System Definition, RISK ASSESSMENT, Demonstration of Compliance with Safety Requirements (phases I to III), with INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT as cross-cutting activities]

CSM shall be applied only to assess "predictively" safety of significant changes of railway system in a MS

CSM process needs not to be applied for non significant changes

Slide n° 53

2 – Significant Change: WHAT is a significant change? NR (if any) or expert judgement based on criteria

When notified national rules do not define what is significant change, proposer evaluates the significance of change based on expert's judgement and criteria in CSM

1st check whether change safety related?

1) NOT safety-related → not significant → no CSM, but record decision;

2) YES safety-related → use other criteria to evaluate whether change significant

Proposer should analyse all criteria and decide on their importance, but could take decision based on only one or some of them

[Figure: Article 4 of CSM Regulation decision flow. Change → Safety Relevance: Is it safety related? No → C: Not significant (Record the decision). Yes → Other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? (! Evaluate Σ of previous non significant changes). Yes → B: Not significant (Record the decision). No → A: Significant Change, triggers CSM application (Record and justify the decision) (PRA). When no notified national rules, expert's judgement based on criteria.]

Slide n° 54

2 – Significant Change: RU/IM SMS – "Daily life" safety management

The process of deciding change will be set out in the SMS

Although for non significant safety related changes the decisions need to be recorded (could be an SMS process)

Help the NSA in their supervisory role [e.g. preliminary risk analyses, risk analyses, justifications, arguments proportionate to the risk need to be documented]

CSM Regulation does not require assessment body to check evaluation of significance

Slide n° 55

2 – Significant Change - Discussions/Questions: Use of criteria in CSM Regulation on some examples of changes

Agency and taskforce of experts from railway sector analysed typical examples of borderline cases

Analysis has shown that:

it is not possible to identify harmonised thresholds or rules;

it is not possible to provide an exhaustive list of significant changes;

decisions are unlikely to be same for all proposers.

Responsibility for the decision lies with the proposer, who is responsible [in accordance with Article 4(3) of Railway Safety Directive 2004/49/EC] for safe operation and control of risks associated with their part of the system

Feedback from the application of the CSM will help the Agency to decide whether a possible revision of criteria and process is needed

Slide n° 56

Application to practical examples

Slide n° 59

2 – Significant Change – Operational Change: Driver Only Operated Train (DOO)

● Change description: operate trains by the driver alone (DOO) on a route where previously there was an onboard guard to assist the driver with the train dispatching

● significant change (need to cover all questions):

Safety relevant? YES – completely different way of managing train service operation

Low novelty? NO – driver’s responsibility extended requiring new tasks

Low complexity? NO – driver’s errors could lead to catastrophic consequences

● Consequence: apply CSM Process

[Figure: decision flow for Change: Driver Only Operation. Safety Relevance: Is it safety related? Yes/No → Other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? → Significant Change: Apply CSM Process]

Slide n° 60

2 – Significant Change – Organisational Change: Outsourcing of a maintenance branch of an IM

● Change description: outsource maintenance branch of an IM and put it in competition with other companies working in same field

● significant change (need to cover all questions):

Safety relevant? YES – downsizing, redistribution of staff and tasks: same work with less staff

Low novelty? NO – contractual relation and follow up

Low complexity? NO – new functions in IM remaining organisation to follow up subcontractor

Easy monitoring? NO – not easy to check subcontractor efficiency

● Consequence: apply CSM Process

[Figure: decision flow for Change: outsourcing of a maintenance branch of IM. Safety Relevance: Is it safety related? Yes/No → Other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? → Significant Change: Apply CSM Process]

Slide n° 61

2 – Significant Change - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

● Change description: replace a trackside loop located before a signal by a "radio infill + GSM" sub-system;

● significant change (need to cover all questions):

Safety relevant? YES – the signal in front of the train could be released whereas preceding train still occupies the section

Low novelty? NO – new principles and technology for the manufacturer

Low complexity? NO – change complex to carry out

● Consequence: apply CSM Process

[Figure: decision flow for Change: Loop → Radio-In-fill. Safety Relevance: Is it safety related? Yes/No → Other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? → Significant Change: Apply CSM Process]
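The Article 4 decision flow applied to the three practical examples above, as an added worked example (not code from the slides or from ERA). It assumes one decision rule the slides leave to expert judgement, namely that a NO answer to any criterion makes the change significant, and criteria the slides do not mention receive constructed answers marked as such.

```python
"""Significance evaluation of a change, following the Article 4 decision flow
shown on the slides.  Outcomes: C = not safety related (not significant,
decision recorded, no CSM); B = safety related but all six criteria answered
favourably (not significant, decision recorded); A = significant, CSM process
applies, decision recorded and justified (PRA).

Assumptions (not on the slides): the change is treated as significant as soon
as the proposer answers NO to any criterion, mirroring "could take decision
based on only one or some of them"; answers the slides do not state are
constructed and marked as such."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The six "other criteria" of Article 4, as listed on the slides.
CRITERIA = (
    "low failure consequence",
    "low novelty",
    "low complexity",
    "easy monitoring",
    "high reversibility",
    "additionality (sum of previous non-significant changes)",
)


@dataclass
class CriterionAnswer:
    favourable: bool   # True = "yes, low/easy/high", arguing against significance
    rationale: str


@dataclass
class ChangeProposal:
    description: str
    safety_related: bool
    criteria: Dict[str, CriterionAnswer] = field(default_factory=dict)
    justification: Optional[str] = None   # mandatory for outcome A


@dataclass
class Decision:
    outcome: str                 # "A", "B" or "C"
    apply_csm: bool
    decisive_criteria: List[str]
    record: str                  # the entry that goes into the SMS records


def evaluate_significance(p: ChangeProposal) -> Decision:
    if not p.safety_related:
        return Decision("C", False, [], f"{p.description}: not safety related; "
                        "not significant; no CSM; decision recorded")
    # "need to cover all questions": refuse to decide on an incomplete analysis
    missing = [c for c in CRITERIA if c not in p.criteria]
    if missing:
        raise ValueError(f"criteria not answered: {missing}")
    decisive = [c for c in CRITERIA if not p.criteria[c].favourable]
    if not decisive:
        return Decision("B", False, [], f"{p.description}: safety related but all "
                        "criteria favourable; not significant; decision recorded")
    if not p.justification:
        raise ValueError("a significant change must be recorded AND justified (PRA)")
    return Decision("A", True, decisive, f"{p.description}: significant "
                    f"({'; '.join(decisive)} answered NO); apply CSM; "
                    f"justification: {p.justification}")


def proposal(description: str, answered_no: Dict[str, str],
             justification: str) -> ChangeProposal:
    """Build a safety-related proposal from the NO answers given on the slides;
    criteria the slides do not mention get a constructed favourable answer."""
    criteria = {c: CriterionAnswer(True, "constructed: not stated on the slides")
                for c in CRITERIA}
    for name, why in answered_no.items():
        criteria[name] = CriterionAnswer(False, why)
    return ChangeProposal(description, True, criteria, justification)


# The three practical examples, with the answers given on the slides.
PAGE_CASES = {
    "DOO": proposal(
        "Driver Only Operated train",
        {"low novelty": "driver's responsibility extended, requiring new tasks",
         "low complexity": "driver's errors could lead to catastrophic consequences"},
        "completely different way of managing train service operation"),
    "outsourcing": proposal(
        "Outsourcing of a maintenance branch of an IM",
        {"low novelty": "contractual relation and follow up",
         "low complexity": "new functions in remaining IM organisation to follow up subcontractor",
         "easy monitoring": "not easy to check subcontractor efficiency"},
        "downsizing, redistribution of staff and tasks: same work with less staff"),
    "radio in-fill": proposal(
        "Replacement of a trackside loop by radio in-fill + GSM",
        {"low novelty": "new principles and technology for the manufacturer",
         "low complexity": "change complex to carry out"},
        "signal could be released while the preceding train still occupies the section"),
}
# Constructed cases for the other two outcomes (not from the slides).
NOT_SAFETY_RELATED = ChangeProposal("Repainting of a station waiting room", False)
ALL_FAVOURABLE = ChangeProposal(
    "Like-for-like replacement of a relay of an already approved type", True,
    {c: CriterionAnswer(True, "constructed") for c in CRITERIA})


def decide_all() -> Dict[str, Decision]:
    cases = dict(PAGE_CASES, painting=NOT_SAFETY_RELATED, relay=ALL_FAVOURABLE)
    return {name: evaluate_significance(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, d in decide_all().items():
        print(f"{name:13s} outcome {d.outcome}  CSM={d.apply_csm}  {d.record}")
```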

Slide n° 62

Discussions/Questions

+

Replies to pre-workshop questionnaire

Slide n° 63

2 – Significant Change: Answers received to questionnaire

Question: Do you have (1) national rules (2) criteria (3) examples of significant/non significant change (1/3)

Railway Act obliges IMs and RUs to inform Estonian Technical Surveillance Authority (ETSA=NSA) regarding changes in data of safety certificate.

Primarily influence on SMS as a whole – division of the enterprise, merger, changes in national legislation, technical reorganisation. There are no National Safety Rules in Estonia to judge whether the change is significant or not, but certainly failure consequence and novelty are considered.

Otherwise, there are no other criteria. In some cases quality management system is taken into account.

Example: one of the major developments is the introduction of one person crew in EMU.

When the safety related change is not significant, the assessment is documented through amendment of internal regulations.

Slide n° 64

(3) Hazard Identification

Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment

Slide n° 65

3 – Hazard Identification: (2) Step in CSM Process

For presentation purposes, CSM Process split into 7 topics (see questionnaire)

(1) Introduction

(2) What is a significant change?

(3) Hazard Identification phase;

(4) Risk analysis and evaluation

(5) Hazard Management and Hazard Records;

(6) Demonstration of system compliance with the safety requirements

(7) Independent assessment of correct application of CSM Process by an Assessment Body

[Figure: CSM process diagram, topics (2) to (7) mapped onto the process, with INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Annex III(2)(g) of SD] as cross-cutting activities]

Slide n° 66

3 – Hazard Identification: Why is it important?

• What is the “Hazard Identification” and why is it important:

The hazard identification is the first step in the risk analysis process.

The process needs to be re-iterated and completed until all reasonably foreseeable hazards have been identified correctly.

It is important because, if hazards are not identified, they will not be assessed and covered by the risk management process.

Slide n° 67

3 – Hazard Identification: What are the first steps?

• What are the first steps of the “Hazard Identification”:

The system definition is important because it specifies the functions and the interfaces of the system. Based on it, also the hazards could be identified properly.

It is necessary to look at the hazards from all relevant contributors.

THEN

Systematically identify the hazards and the level of detail, taking into account: modes of operation, different types of the system, human factors, environment, failure modes, safety relevant factors.

Slide n° 68

3 – Hazard Identification: What level of detail is required?

• What is the required level of detail:

The level of the hazard identification should correspond to the scope of the significant change under study and the requirements for proving acceptable risk.

If a code of practice or a reference system is used, then the level of detail for which the hazards are defined, needs only to correspond to the level defined by the code of practice or reference system.

It may involve several iterations in order to obtain the necessary level of detail to ensure that the correct decision is made on the necessary control measures.

Slide n° 69

3 – Hazard Identification: Levels and iterations

• Talking about levels and iterations:

[Figure: Top level Hazard X → 2nd Level (causes): Sub-hazard Y, controlled by reqs from CoP (e.g. standard), owned by actor A (e.g. manufacturer); Sub-hazard Z, controlled by reqs from explicit risk analysis, owned by actor B (e.g. RU)]

Slide n° 70

3 – Hazard Identification: What is broadly acceptable?

• What is “broadly acceptable”:

• A part of the “Hazard Identification” process is the decision if the hazards are broadly acceptable or not broadly acceptable.

• This means: considering and reviewing all the reasonably foreseeable hazards; classifying them according to the estimated risk arising from them.

• This process ensures that the correct priority is assigned to each of the hazards enabling the right selection of the risk control measures.

• The decision is based on expert judgement.

[Figure: Broadly acceptable risks → Nothing further required, registered in the Hazard record. Not broadly acceptable → Follow the risk management process]

Slide n° 71

3 – Hazard Identification: What is expert judgement

• What is “expert judgement”:

[Figure: Competence: Skills, Knowledge, Experience]

An expert is competent to make decisions that are suitable and sufficient for the situation in which the expert is performing

The decision to label a hazard as “broadly acceptable” without further analysis is logged in the hazard record and will be reviewed by the Independent Safety Assessor.

Slide n° 72

Application to practical examples

Slide n° 73

3 – Hazard Identification – Operational Change: Driver Only Operated Train (DOO)

[Figure: CSM process diagram with INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT as cross-cutting activities]

System Description:

description of existing system: which tasks were performed by train driver and which other ones by onboard staff (or guard) to assist the driver;

existing interfaces between onboard assisting staff, driver and trackside staff of Infrastructure Manager;

change of driver's responsibilities due to removal of onboard assisting staff;

the technical requirements for the overall system to cover changes in operation;

Hazard Identification: [HAZOP – Hazard and Operability Studies]

Brainstorming by a group of multidisciplinary experts with different backgrounds:

Safety experts from RU;

Train drivers' and staff's representatives for their operational experience (onboard accompanying staff);

IM representatives as the infrastructure could be also affected by the change, implying e.g. changes to stations (e.g. installation of mirrors/closed circuit television [CCTV] at platforms) to help the Driver;

Trackside staff of IM;

Slide n° 80

3 – Hazard Identification – Operational Change: 1st example: Driver Only Operated Train (DOO)

• Question answered during the HAZOP brainstorming session:

“What could be key operational hazards at stations and on existing routes where the driver is currently assisted by onboard or trackside staff (door opening, closure check, etc.)?”

• Each of the identified hazards was assigned a level of severity of risk and consequences (high, medium, low). The impact of the proposed change was reviewed against them (increased, unchanged, decreased risk)

• Example of identified hazards during the performed HAZOP (one way of proceeding) was:

Train departure without closing doors → passengers could fall down on to track

Door opening on wrong side → passengers could fall down on to track

Door closing while passengers still getting onboard → passengers could be caught between doors

Slide n° 81

3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM

[Figure: CSM process diagram with INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT as cross-cutting activities]

• System Description:

Change: detachment of a new branch office from the mother company, in order to put it in a competitive situation with other similar companies.

Description of tasks performed by existing IM organisation;

Description of changes that are planned in this organisation;

Description of interfaces of the "branch to be detached" with other surrounding organisations or with the physical environment.

• Hazard Identification: [HAZOP – Hazard and Operability Studies]

Brainstorming by group of experts to find all hazards associated with the intended change:

Safety experts from IM;

System engineers/experts;

Train drivers;

IM staff's representatives from maintenance department;

Etc.

Slide n° 82

3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM

• During the HAZOP brainstorming session:

The hazards were identified and listed;

The causes for each hazard were listed;

The expected frequency (rough estimates) was documented;

The related consequences in terms of:

o Severity → high, medium, low risk;

o Impact of the change compared to the initial situation → increased, unchanged, decreased risk;

The related actions that need to be taken in order to mitigate the respective risks were described;

Interdependencies and interfaces between the detached branch and rest of IM organisation were examined very carefully.

Slide n° 83

3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis

Columns of the risk analysis table: Unwanted event (Hazard); Cause; Consequence; Type of loss; Risk; Responsible for implementing the measure; Safety Measures.

Row 1

Unwanted event (Hazard): Reduced motivation among employees remaining in Company.

Cause: Staff continuing to leave without stop. Demotivated / worn out managers. Missing colleagues, missing certain tasks. Lack of loyalty knowing that the workplace is not going to stay. Heavy workload. Uncertainty.

Consequence: Tasks not performed. Emergency maintenance instead of planned maintenance. Collective worker actions (calling in sick etc). Lack of trust in Company for the managers at IM level.

Type of loss: Safety

Risk: Higher

Safety Measures: New round of motivational work for the staff, to be performed in smaller groups. Reallocation of funds so that Company gets meaningful tasks to perform. More frequent inspections by track manager. Allocate funds to make sure that key staff stays throughout the process. Give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks. Etc...

Slide n° 84

3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis

Columns of the risk analysis table: Unwanted event (Hazard); Cause; Consequence; Type of loss; Risk; Responsible for implementing safety measure; Safety Measures.

Row 10

Unwanted event (Hazard): Lack of competency in the performance of tasks

Cause: Subcontractors of IM lacking skill, competency and quality control.

Consequence: Violation of safety rules. Increased accident frequency.

Type of loss: Safety

Risk: Higher

Safety Measures: Increased demand for documented competence. Systematic control of performed tasks.

Row 11

Unwanted event (Hazard): Uncertainty of roles and responsibilities in the interface between Company and IM

Cause: Different understandings of roles and responsibilities. Track Manager responsible for accessible tracks, but not for the downsizing and can therefore not take this into account when planning/prioritizing work tasks. Track manager lacks overview of the competencies available in Company. Coordination problems for the delivery when coordination responsibilities are transferred to the track manager.

Consequence: Tasks not being performed or being performed twice. Lack of coordination of resources.

Type of loss: Safety

Risk: Higher

Safety Measures: Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces.

Slide n° 85

3 – Hazard Identification - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

[Figure: CSM process diagram with INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT as cross-cutting activities]

System Description:

Existing system: "loop+encoder" and their functions in CCS: "Release signal on approach of a train when the section behind the signal (i.e. in front of the approaching train) becomes unoccupied";

Change planned by proposer and manufacturer;

Description of the functional and physical interfaces of loop with rest of system.

• Hazard Identification: [HAZOP – Hazard and Operability Studies]

Brainstorming by group of experts to find all hazards associated with the intended change:

Safety experts from the manufacturer

Safety experts from the RU

Safety experts from the IM

Train drivers,

Designers of the trackside encoder and of the loop,

Experts in communication systems,

Etc.

Slide n° 86

3 – Hazard Identification - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

• Example of identified hazards during the HAZOP (one way of proceeding):

“Loop & Radio infill” shall achieve same function, i.e. “release the signal RG on approach of a train when section behind the signal is released by preceding train”

Same top level hazard: “provide a too permissive movement authority (MA) to the approaching train, whereas the preceding train still occupies section in front of the signal”

Sub-hazards of the top hazard (“provide too permissive MA…“):

“transmission by hackers of unsafe information in the air gap” since the "radio infill+GSM" is an open transmission sub-system

“delayed transmission or transmission of memorised data packets in the air gap” (i.e. possibly unsafe)

Systematic software errors in the additional equipment (gateway or Radio Controller) which has interfaces with the unchanged “Trackside encoder”

Etc.

Slide n° 87

Discussions/Questions

+

Replies to pre-workshop questionnaire

Slide n° 88

3 – Hazard Identification – Summary of the answers to the questionnaire

2.4(a) Do you have a process to define and identify hazards? If so can you describe it?

Different approaches are used: for the assessment of railway safety hazards, the standard EVS-EN 50126-1:2005 and a methodology derived from the Emergency Act; for assessing hazards concerning the working environment, the Working Environment Act is taken into account. Internal risks of the enterprise are assessed in accordance with the methodology of SMS risk assessment. Specific guides are absent.

2.4(b) Do you assess all hazards or do you just assess certain types? What are your criteria?

Primary focus is on risks that lead to results described in § 40 of the Railway Act – accident, incident, precursors to incidents

2.4(c) How do you ensure that all the necessary hazards are identified?

Assurance will come from using specialists from different specific subject fields for internal audits, operational audits and accident statistics.

Slide n° 89

3 – Hazard Identification – Summary of the answers to the questionnaire

2.4(d) What issues do you consider when assessing hazards? How do you prioritise?

Primary focus is on risks that lead to the results described in § 40 of the Railway Act (accident, incident, precursors to incidents). We distinguish different levels of severity of railway accidents and incidents: category I and II railway accidents, collisions, incidents and impacts.

2.4(e) How do you define what is "broadly acceptable"?

Result is unlikely or does not lead to results described in § 40 of the Railway Act

2.4(f) Do you have a process for transferring hazards to the different players involved in a project? If so, describe the process. (1/2)

Primarily through internal office routines, in some cases taking into account the management system.

Slide n° 90

3 – Hazard Identification – Summary of the answers to the questionnaire

2.4(g) Is there a link between the level of detail in the hazard identification and the risk acceptance principles used for controlling the hazards? What rules do you apply for that?

Results described in § 40 of the Railway Act using documents (methodologies) named in 3.5 (a)

Slide n° 91

(4) Risk Analysis and Evaluation

Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment

Slide n° 92

4 – Risk Analysis and Evaluation – Step (4) in the CSM Process

For presentation purposes, CSM Process split into 7 topics (see questionnaire)

(1) Introduction

(2) What is a significant change?

(3) Hazard Identification phase;

(4) Risk analysis and evaluation

(5) Hazard Management and Hazard Records;

(6) Demonstration of system compliance with the safety requirements

(7) Independent assessment of correct application of CSM Process by an Assessment Body

[Process diagram: the seven topics above shown as steps (2) to (7) of the CSM Process, with INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Annex III (2)(g) of SD] running alongside all steps]

Slide n° 94

4 – Risk Analysis and Evaluation – Principles? Hazard Control based on 3 Risk Acceptance Principles

• The risk acceptability of non-broadly-acceptable hazards is evaluated by one or more of the 3 Risk Acceptance Principles (RAP):

1. application of codes of practice

2. comparison with similar Reference Systems

3. explicit risk estimation & Risk Acceptance Criteria

• The Proposer is responsible for:

1. demonstrating that the selected RAP is adequately applied

2. checking that the selected RAP is used consistently

• Output: set of safety requirements and measures to implement + demonstration of their achievement

The CSM does not impose any order of priority between the 3 RAP

[Flowchart – Iterative Risk Management Process: Preliminary System Definition → Significant Change? → SYSTEM DEFINITION → HAZARD IDENTIFICATION AND CLASSIFICATION → RISK ANALYSIS (Codes of Practice / Similar Reference Systems / Explicit Risk Estimation) → RISK EVALUATION (vs. Risk Acceptance Criteria) → Safety Requirements (i.e. safety measures to be implemented) → Demonstration of Compliance with Safety Requirements; RISK ASSESSMENT spans the steps from system definition to risk evaluation; HAZARD MANAGEMENT [Annex III (2)(g) of SD] and INDEPENDENT ASSESSMENT run alongside the whole process]

Slide n° 95

4 – Risk Analysis and Evaluation – WHO? Proposer decides on RAP to use

[Flowchart: RISK ASSESSMENT – Hazards associated with Significant Risks → Selection of Risk Acceptance Principle → (I) CODES OF PRACTICE: Application of Codes of Practice → Safety Criteria? → Comparison with Criteria → Acceptable Risk?; (II) SIMILAR REFERENCE SYSTEM(S): Similarity Analysis with Reference System(s) → Comparison with Criteria → Acceptable Risk?; (III) EXPLICIT RISK ESTIMATION: Identification of Scenarios & associated Safety Measures → Estimate Frequency → Estimate Severity → Estimate Risk (Quantitative or Qualitative) → RISK EVALUATION: Comparison with Criteria → Acceptable Risk? (NO loops back to further safety measures; YES leads to Safety Requirements, i.e. the Safety Measures to be implemented) → Demonstration of Compliance with the Safety Requirements; HAZARD MANAGEMENT and INDEPENDENT ASSESSMENT run alongside the whole process]

• If there are no notified National Rules, the proposer is free to decide which RAP to use for controlling the hazards [flexibility]

• The Assessment Body shall refrain from imposing the RAP to be used by the proposer [but it may challenge the proposer]

Whatever RAP is used, it must be adequately applied and the RAP-hazard link recorded

Types of Risk Acceptance Principles:

(I) CoP, e.g. TSI, EN standards, NNR, etc. (compatible with rule-based approaches)

(II) Similar Reference Systems, e.g. GAME

(III) Explicit Risk Estimation (could be quantitative or qualitative)

Slide n° 96

4 – Risk Analysis and Evaluation – Use of codes of practice (CoP) and risk evaluation (1/3)

• The Codes of Practice (CoP) shall at least satisfy the following requirements:

(a) be widely acknowledged in the railway domain. If this is not the case, the CoP has to be justified and be acceptable to the assessment body;

(b) be suitable for the control of the considered hazards;

(c) be publicly available for all actors who want to use them.

• Examples of CoP:

TSIs and other mandatory European standards;

Notified National Safety and Technical Rules (technical standards or statutory documents) and, if relevant, non-mandatory European standards;

If the conditions for the usage of CoP are fulfilled, then internal rules or standards issued by an actor of the railway sector may be used as CoP too.

CoP from other industries (e.g. nuclear power, military and aviation) can also be applied for certain technical applications in railway systems, if it is demonstrated that the CoP is effective for controlling the considered railway hazards.

Slide n° 97

4 – Risk Analysis and Evaluation – Use of codes of practice (CoP) and risk evaluation (2/3)

• If the conditions for the usage of CoP are fulfilled, then for the hazards which are controlled in this way:

the risks need not be analysed further and are considered as acceptable;

the risk management process may be limited to:

hazard identification;

registration in the Hazard Record of the use of the CoP as a safety requirement for these hazards;

Therefore, in this case, the application of the complete CSM Process includes:

the correct application of the requirements from the CoP;

the documentation of the evidence;

the independent assessment of the application of the CoP.

Slide n° 98

4 – Risk Analysis and Evaluation – Use of codes of practice (CoP) and risk evaluation (3/3)

What to do when there are deviations from the CoP and the identified hazards cannot be (completely) controlled by a CoP?

• If one or more conditions from the CoP are not fulfilled by the system under assessment, then the related CoP can still be used for controlling the hazards, provided that the proposer demonstrates that at least the same level of safety is achieved

• If, for a hazard, the risk cannot be made acceptable by the application of the CoP, or if a CoP does not sufficiently cover the identified hazards (e.g. the CoP is not applicable to the full range of hazards), additional safety measures shall be identified for controlling those hazard(s) by using either another CoP or one of the other 2 RAP (Ref Syst or Explicit Risk Estimation)

Slide n° 99

4 – Risk Analysis and Evaluation – Use of Reference Systems (RefSyst) and risk evaluation (1/2)

• The Reference System (RefSyst) shall at least satisfy the following requirements:

it has already been proven in use to have an acceptable safety level and would still qualify for approval (i.e. would be accepted) in the Member State where the change is to be introduced

“would still be accepted in the Member State”? E.g. it can happen that the safety performance of the considered Ref Syst is not appropriate for the system under assessment, because it is based on too old a technology.

it has similar functions and interfaces as the system under assessment;

it is used under similar operational conditions as the system under assessment;

it is used under similar environmental conditions as the system under assessment

• If the conditions for the usage of the Ref Syst are fulfilled, then for the hazards controlled in this way:

the risks are considered as acceptable (no further risk analysis required);

the safety requirements for the hazards covered by the Ref Syst may be derived from the safety analysis, or from an evaluation of the safety records of the Ref Syst;

these safety requirements shall be registered in the Hazard Record as safety requirements for the assessed hazard

Slide n° 100

4 – Risk Analysis and Evaluation – Use of Reference Systems (RefSyst) and risk evaluation (2/2)

What to do when there are deviations from the Ref Syst and the identified hazards cannot be controlled completely by a Ref Syst?

• The risk evaluation shall demonstrate that the system under assessment achieves at least the same safety level as the Ref Syst. Therefore, on deviations:

explicit risk estimation may be necessary in order to show this correspondence (that the level of risk is at least as good as that of the Ref Syst);

• If the same safety level as that of the reference system cannot be demonstrated (or if the conditions are not fulfilled), then additional safety measures shall be identified for the deviations, applying one of the 2 other RAP (CoP or Explicit Risk Estimation)

Slide n° 101

4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation

When hazards cannot be covered by a CoP or a Ref Syst, the demonstration of risk acceptability is to be performed by explicit risk estimation and evaluation

• Risks shall be estimated either quantitatively or qualitatively, taking into account the existing safety measures within the system

• For example, the need for the use of an explicit risk estimation could typically arise:

when the system under assessment is entirely new, or

where there are deviations from a CoP or a Ref Syst, or

when the chosen design strategy does not allow the usage of a CoP or similar Ref Syst, because e.g. of a wish to produce a more cost-effective design that has not been tried before

• As soon as the risk(s) controlled by an explicit risk estimation are considered acceptable, the identified safety measures are registered in the Hazard Record

Slide n° 102

4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation

• The explicit risk estimation is not necessarily always quantitative. It can be:

quantitative, if sufficient quantitative information is available in terms of frequency of occurrence and severity;

semi-quantitative, e.g. if such quantitative information is not sufficiently available, or

even qualitative, when quantification is not possible

• If the estimated risk is not acceptable in spite of the available safety measures, then in order to reduce the risk to an acceptable level, additional safety measures shall be identified and implemented

[Flowchart as on slide 95]

Slide n° 103

4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation – RAC

• In order to evaluate whether risks are acceptable or not, Risk Acceptance Criteria (RAC) are necessary. They can be either “implicit” or “explicit”:

risks controlled by the application of a CoP or by a comparison with a RefSyst are considered acceptable without a need to apply an additional “explicit” risk estimation (implicit RAC);

whereas the acceptability of risk(s) controlled by the application of an “explicit risk estimation” requires “explicit RAC” to be defined

• The level of the RAC needs to match the complexity of the assessed significant change:

e.g. when modifying the type of an axle in the RS, it is not necessary to evaluate the overall railway system risk; the definition of the RAC can focus on the safety level of the RS.

conversely, large changes or additions to an existing system should not be evaluated only on the basis of the safety performance of individual functions or changes; the acceptability of the change should also be evaluated at the level of the railway system as a whole

[Flowchart as on slide 95, annotated: Implicit RAC for the Codes of Practice and Similar Reference System(s) branches; Harmonised Explicit RAC for the Explicit Risk Estimation branch]

Slide n° 104

4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation – RAC-TS

One RAC for technical systems has already been harmonised in the CSM Regulation:

• “Where hazards arise from failures of technical systems not covered by codes of practice or the use of a reference system, the following risk acceptance criterion shall apply for the design of the technical system:

For technical systems where a functional failure has a credible direct potential for a catastrophic consequence, the associated risk does not have to be reduced further if the rate of that failure is less than or equal to 10^-9 per operating hour.”

Nevertheless, if the proposer can demonstrate that the national safety level can be maintained with a less demanding criterion than 10^-9, this criterion can be used by the proposer after agreement with the assessment body

• “If a technical system is developed by applying the 10^-9 criterion defined in paragraph 4, mutual recognition shall be applied according to section 5.3”

• “Without prejudice to the procedure specified in Article 8 of Directive 2004/49/EC, a more demanding criterion may be requested, through a national rule, in order to maintain a national safety level. However, in the case of additional authorisations for placing in service of vehicles, the procedures of Articles 23 and 25 of Directive 2008/57/EC shall apply.”

Slide n° 106

4 – Risk Analysis and Evaluation – Mutual Recognition

• In general: the CSM Regulation requires mutual recognition of the results of the risk assessment (independently of the type of RAP used)

• The mutual recognition shall be based on the evidence for the fulfilment of the harmonised requirements along the steps of the CSM Process

• For this reason, for mutual recognition, the full CSM risk assessment process must be applied by the Proposer:

identification of the safety measures and Safety Reqs associated with the particular hazard

registration & management of the hazards and the safety measures in the Hazard Record

demonstration of the system compliance with the safety requirements

• The documentation of all the evidence showing the correct application of the CSM Process should be accessible to the Assessment Body. It shall at least include:

the description of the organisation and experts put in place to carry out the risk assessment

the results from the different steps of the CSM Process, including a list of the SR to be implemented to control the risks to an acceptable level

• Independent assessment by an AB; the conclusions are an Assessment Report

• Change accepted by the Proposer based on the Independent Assessment Report

Slide n° 107

4 – Risk Analysis and Evaluation – Mutual Recognition – Independent Assessment by AB on Deviations

• The Assessment Bodies in other MS must apply mutual recognition to a system evaluated, assessed and accepted according to the CSM Process (prev. slide)

• The system can be used in another MS if the Proposer demonstrates that:

the system will be used under the same functional, operational and environmental conditions which were initially approved in the related MS;

an equivalent RAP (which is acceptable in the other MS) is applied for controlling the identified hazards (hence the importance of linking [RAP-Hazard] in the Hazard Record)

• If one of these conditions is not fulfilled, then mutual recognition is still possible but not automatic:

the Assessment Body should apply the principle of mutual recognition to the part of the system which fulfils the conditions

the proposer will have to identify the deviations vs. the already accepted system and apply the CSM risk management & assessment process to the identified deviations

the AB assesses independently the correct application of the CSM Process to the deviations

Slide n° 108

Application to practical examples

Slide n° 109


4 – Risk Analysis and Evaluation – Operational Change – 1st example: Driver Only Operated Train (DOO)

• Use of Codes of Practice and Reference Systems:

Both CoP (i.e. a set of standards for Driver Only Operation) and similar Ref Systems were used to define the safety requirements for the identified hazards, such as:

revised operational procedures for the driver that are required to operate the trains safely without onboard assistance (in compliance with the requirements from the applicable CoP and the relevant Ref Syst);

requirement for additional equipment necessary onboard or on the track to ensure safe and reliable means of train dispatch;

a checklist for ensuring that the driver's cab is suitable, taking into account the interface between the railway system (both onboard and trackside) and the driver

Slide n° 110


4 – Risk Analysis and Evaluation – Organisational Change – 2nd example: Outsourcing of a maintenance branch of an IM

• “Use of Ref System and Risk Evaluation” + “Explicit risk estimation and evaluation”:

The system before the change was judged to have an acceptable level of safety. It was thus used to derive the Risk Acceptance Criteria for the system under assessment, i.e. the aim to “maintain at least the same level of safety and punctuality throughout the change process and after the change”

The HAZOP analysis went through a checklist method describing a list of hazards (unwanted events), their causes, the related consequences and frequencies (rough estimates) and the related actions that need to be taken to mitigate these risks. Interdependencies and interfaces between the detached branch and the rest of the IM organisation were particularly examined

Each hazard with increased risk was counterbalanced by appropriate identified risk-reducing measures. The residual risk was compared against the RAC (derived from the reference system) to check whether additional measures needed to be identified.

Slide n° 111

4 – Risk Analysis and Evaluation – Organisational Change – 2nd example: Outsourcing of a maintenance branch of an IM

• This “Hazard and Risk Analysis” was documented in a table describing the identified hazards, evaluating the severity and suggesting risk mitigation / control measures (see next slides)

• The Risk Analysis table was mirrored in the Hazard Record/Log (see the dedicated module in the presentation). The Hazard Record includes additional information: who is responsible for implementing the measure, the deadline for the implementation, and who is in charge of verifying the implementation and the effectiveness of the identified measure(s)

• Indeed, for such organisational changes, the effectiveness of the identified actions and decisions had to be monitored to verify whether they fully control the considered risk

• This is natural, as it may be difficult to foresee and measure the exact result of a safety measure related to an organisational issue (such as training, motivated work for staff, etc.), so the effects have to be followed up closely in a longer process where the analysis is continuously updated

Slide n° 112

4 – Risk Analysis and Evaluation – Organisational Change – 2nd example: Outsourcing of a maintenance branch of an IM

• Therefore, the risk analysis and the hazard record/log were dynamic documents. The effectiveness of the decided actions was monitored at regular intervals to check whether the conditions had changed and whether the risk analysis and risk evaluation needed to be updated. They were updated when actions were performed and hazards “closed”. A status field was updated to describe what actions had been taken or were under way

• If any circumstances changed compared to the initial context of the risk analysis, the risk analysis and hazard record/log had to be updated to ensure that the hazards and risks remained under control

• The hazards that could not be closed (because not all the measures could be implemented and verified rapidly) were followed up. Their status was also monitored and rechecked on several occasions (with further dated status columns added to the hazard record/log table) to verify that finally all the hazards would be closed

Slide n° 113

4 – Risk Analysis and Evaluation – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis

[Table columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for implementing safety measure | Safety Measures]

Unwanted event (Hazard): 1: Reduced motivation among employees remaining in Company.

Cause: Staff continuing to leave without stop. Demotivated / worn-out managers. Missing colleagues, missing certain tasks. Lack of loyalty, knowing that the workplace is not going to stay. Heavy workload. Uncertainty.

Consequence: Tasks not performed, increased build-up of unperformed work. Emergency maintenance instead of planned maintenance. Collective worker actions (calling in sick etc.). Lack of trust in Company for the managers at IM level.

Type of loss: Safety

Risk: Higher

Responsible for implementing safety measure: (not shown)

Safety Measures: New round of motivational work for the staff, to be performed in smaller groups. Reallocation of funds so that Company gets meaningful tasks to perform. More frequent inspections by the track manager. Allocate funds to make sure that key staff stay throughout the process. Give special attention to making sure that information and knowledge are transferred between leaving employees and those who take over the tasks. Etc.

Slide n° 114

4 – Risk Analysis and Evaluation – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis

[Table columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for implementing safety measure | Safety Measures]

Unwanted event (Hazard): 10: Lack of competency in the performance of tasks

Cause: Subcontractors of IM lacking skill, competency and quality control

Consequence: Violation of safety rules. Increased accident frequency.

Type of loss: Safety

Risk: Higher

Responsible for implementing safety measure: (not shown)

Safety Measures: Increased demand for documented competence. Systematic control of performed tasks.

Unwanted event (Hazard): 11: Uncertainty of roles and responsibilities in the interface between Company and IM

Cause: Different understandings of roles and responsibilities. The Track Manager is responsible for accessible tracks, but not for the downsizing, and can therefore not take this into account when planning/prioritising work tasks. The Track Manager lacks an overview of the competencies available in Company. Coordination problems for the delivery when coordination responsibilities are transferred to the Track Manager.

Consequence: Tasks not being performed or being performed twice. Lack of coordination of resources.

Type of loss: Safety

Risk: Higher

Responsible for implementing safety measure: (not shown)

Safety Measures: Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces.

Slide n° 115


4 – Risk Analysis and Evaluation – Change to a Technical System – 3rd example: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

• Use of a Ref System and Risk Evaluation:

The system before the change (loop) is judged to have an acceptable level of safety for the function of releasing the signal. It is used as a Reference System to derive the safety requirements for the radio in-fill sub-system.

• Explicit Risk Estimation and Evaluation:

The HAZID identified the following new hazards: delayed transmission or transmission of memorised data packets in the Radio Infill chain.

The new system is an open transmission sub-system → risk of transmission by hackers of unsafe information in air gap;

Used explicit risk estimation and use of RAC-TS for designing the Radio Infill Controller part;

• Use of CoP and Risk Evaluation:

Usage of EN 50159-2 - for safety related communication in open transmission systems provides the safety requirements for controlling the new hazards to an acceptable level, e.g. "data encrypting and protection" + "message sequencing and time stamping";

Usage of EN 50128 standard for the development of the Radio Infill Controller software;
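The EN 50159-2 defences the slide names (message sequencing, time stamping and data protection), as an added Python example that is not part of the original slides or of any project's code; the pre-shared key, the 500 ms delay budget and the message layout are constructed assumptions. It shows how a receiver rejects the delayed, memorised (replayed) and corrupted or injected messages listed as new hazards for the radio in-fill chain and otherwise falls back to the restrictive decision (no signal release).

```python
import hashlib
import hmac
import struct

# Constructed demo values (assumptions, not from the CSM slides): a
# pre-shared key for the message tag and the largest transmission delay
# the signal-release function tolerates before a message counts as old.
KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE_MS = 500

HEADER = struct.Struct(">IQ")  # 32-bit sequence number, 64-bit time stamp (ms)
TAG_LEN = 16                   # truncated HMAC-SHA256 appended to each message


def protect(seq, ts_ms, payload, key=KEY):
    """Sender side: prepend sequence number and time stamp, append a keyed tag."""
    body = HEADER.pack(seq, ts_ms) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class SafeReceiver:
    """Receiver side: tag, sequence and age checks; anything else is rejected."""

    def __init__(self, key=KEY, max_age_ms=MAX_AGE_MS):
        self.key = key
        self.max_age_ms = max_age_ms
        self.last_seq = None  # highest sequence number accepted so far

    def accept(self, frame, now_ms):
        """Return (payload, None) if the message may be used, else (None, reason)."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None, "truncated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Data protection: a corrupted or injected message fails here before
        # it can influence any receiver state.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        seq, ts_ms = HEADER.unpack_from(body)
        # Message sequencing: a memorised packet re-sent later (or delivered
        # out of order) carries a sequence number that is not newer.
        if self.last_seq is not None and seq <= self.last_seq:
            return None, "replay"
        # Time stamping: a message delayed beyond the budget is treated as old.
        # Rejecting future stamps assumes synchronised clocks (simplification).
        if ts_ms > now_ms or now_ms - ts_ms > self.max_age_ms:
            return None, "stale"
        self.last_seq = seq
        return body[HEADER.size:], None


def signal_release(frame, receiver, now_ms):
    """The safety function: release the signal only on a fresh, authentic
    'CLEAR' message; every rejection yields the restrictive decision."""
    payload, _reason = receiver.accept(frame, now_ms)
    return payload == b"CLEAR"


def demo():
    """Constructed scenarios covering the HAZID hazards; returns the decision
    the receiver took for each (evaluated in order, sharing one receiver)."""
    rx = SafeReceiver()
    genuine = protect(1, 10_000, b"CLEAR")
    good3 = protect(3, 12_000, b"CLEAR")
    # Same payload length as the genuine message, so only the tag can catch it.
    tampered = good3[:HEADER.size] + b"STOP!" + good3[HEADER.size + 5:]
    return {
        "fresh": signal_release(genuine, rx, 10_100),                       # accepted
        "replay": signal_release(genuine, rx, 10_200),                      # memorised packet re-sent
        "stale": signal_release(protect(2, 10_000, b"CLEAR"), rx, 11_000),  # delayed by 1 s
        "tampered": signal_release(tampered, rx, 12_050),                   # corrupted in the air gap
        "next": signal_release(good3, rx, 12_050),                          # normal traffic resumes
    }
```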

Slide n° 118

Current Status of harmonisation of Risk Acceptance Criteria (RAC)

Slide n° 119

4 – Risk Analysis and Evaluation – Current Status of harmonisation of Risk Acceptance Criteria (RAC)

• Main points in the current development:

• Work on a short note explaining the scope of the RAC development:
  - Used when performing an explicit risk estimation (and not when using a Code of Practice or a Reference System);
  - Not improving the safety;
  - Aiming among others to support the cross acceptance and the opening of the railway market;

• Different possible types of RAC depending on the types of identified risks. 3 main types of changes discussed:
  - Technical;
  - Operational;
  - Organisational;
  - Combined? On-going work with CER and UIC.

(Callout on the slide: focus of the current development)

Slide n° 120

4 – Risk Analysis and Evaluation – Current Status of harmonisation of Risk Acceptance Criteria (RAC)

• Main characteristics of the Risk Acceptance Criteria (work in progress):
  - Defined at the level which the actors can control;
  - Attention should be paid to the need for integration;
  - Sufficient but not necessary;
  - Currently: for technical systems and thus mainly for manufacturers;

• Next steps in the RAC development:
  - Concerning the RAC for technical systems:
    Definition of types of severities which can be spotted during predictive studies;
    Definition of types of frequencies which can be spotted during predictive studies;
    Verification of the defined RAC;
    Continue to develop the principles allowing safety barriers to be taken into account.
  - Concerning the RAC for risks arising due to operational and organisational changes:
    Continue the development together with CER and UIC.


Slide n° 121

Discussions/Questions

+

Replies to pre-workshop questionnaire

Slide n° 122

4 – Risk Analysis and Evaluation – Summary of the answers to questionnaire

4.6(a) Do you have any risk acceptance criteria such as national rules notified under Article 8 of the Safety Directive? If so can you provide them?

The criteria vary between enterprises, no criteria are set on national level.

4.6(b) Do you have any published Codes of Practice or any available alternative methods? If so can you explain which ones?

The Codes of Practice exist within enterprises and they are public but not published

4.6(c) Do you have any examples of comparisons with reference systems? If so can you describe them?

In addition to the SMS, the documentation for environmental management, quality management and working environment management certification is used.

Slide n° 123

4 – Risk Analysis and Evaluation – Summary of the answers to questionnaire

4.6(d) Do you have criteria for explicit risk estimation which help to ensure that the risks are adequately controlled? If yes, can you provide further information on this?

The results described in the Railway Act are taken as a basis; the risks leading to the results are determined through internal audits. We don’t have certain criteria for explicit risk estimation for different railway enterprises.

4.6(e) How do you control the deviations of the system under assessment from the codes of practice or reference systems? Do you use preferably explicit risk estimation for that?

Case conclusions and internal audits are taken into account.

4.6(f) Do you have examples that you would like to discuss during the workshop? If so can you send them to the Agency?

No

Slide n° 124

4 – Risk Analysis and Evaluation – Summary of the answers to questionnaire

4.6(g) How do you ensure that the identified hazards are clearly linked and closed out by the codes of practice or reference systems?

Assurance will come mostly by taking the SMS as reference


Slide n° 125

(5) Hazard Records

Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment

Slide n° 126

5 – Hazard Record – Managing the hazards

For presentation purposes, CSM Process split into 7 topics (see questionnaire)

(1) Introduction

(2) What is a significant change?

(3) Hazard Identification phase;

(4) Risk analysis and evaluation

(5) Hazard Management and Hazard Records;

(6) Demonstration of system compliance with the safety requirements

(7) Independent assessment of correct application of CSM Process by an Assessment Body


Slide n° 127

5 – Hazard Record – WHY are they needed?


Hazard Records need to be created and updated by the proposer (Annex 1.4 of CSM Regulation).

They are an important part of the hazard management process.

They track the progress of the process – identification of the hazard, the potential risk and how the risk needs to be controlled through the selected risk acceptance principles:
• Codes of practice
• Reference systems
• Risk estimation

[Figure: four hazard / risk / control chains, one per identified hazard]

Slide n° 128

5 – Hazard Record – WHO is responsible?

If there are a number of actors involved in the project, each may have responsibility for their part of the system under assessment. They will keep a record of the hazards for their part of the project.

There should be one overall actor (proposer) who has responsibility for the main record which covers all the necessary elements of the system under assessment.

It does not have to contain all the information from the actors involved, only the links and key safety related

Exchange of information will be important if the hazard cannot be controlled by one actor alone

[Figure: Actors A, B, C and D each exchange information with the Hazard Record for the system under assessment]

Slide n° 129

5 – Hazard Record – What information should they contain?

All the hazards that the actor is responsible for, the associated safety measures, and the resulting safety requirements issued from the risk assessment process

All the assumptions taken into account within the definition of the system under assessment. These assumptions determine the limits and the validity of the risk assessment

All the hazards and the associated safety measures received from other actors in compliance with the project. These include all the assumptions and restrictions of use and generic product safety cases that are produced by the manufacturers

The status of the hazards (i.e. controlled or open) and of the associated safety measures (i.e. validated or open)

Note: the level of detail required is related to the level of risk


Slide n° 130

5 – Hazard Record – When should they be updated?

Whenever:

a new hazard is discovered or a new safety measure is identified

a new hazard is identified during the operation and maintenance of the system after its commissioning, so that the hazard can be assessed in compliance with the CSM as to whether it represents a significant change (this will be part of the SMS – Annex III (g))

it could be necessary to take into account accident and incident data

there are changes to the safety requirements or the assumptions about the system


Slide n° 131

5 – Hazard Record – What are the links to the SMS?

RUs and IMs can use their procedures under their SMS

Annex III(2)(g) of the RSD requires the SMS to contain procedures and formats for how safety information is to be documented and designation of procedure for configuration control of vital safety information

The hazard record can therefore be part of the SMS for recording and managing risks that occur throughout the lifecycle of the equipment

It does not have to be a separate process

For other actors:

No legal requirement

But likely that they have a hazard management process

Existing processes can be adapted


Slide n° 132

5 – Hazard Record – What are the benefits to the project?

Help map out and record the decision making process – provide transparency and consistency

Allow corrective actions to be taken promptly and quickly (link to SMS)

Exchange of information – allow for a number of players to contribute

Evidence of continuing compliance - accountability

Do not have to be complicated – targeted on the key issues



Slide n° 133

Discussions/Questions

+

Replies to pre-workshop questionnaire

Slide n° 134

5 – Hazard Record – Answers received to questionnaire

Internal listing and analyses in accordance with SMS are used

For information to keep in the hazard record, the practices vary between enterprises; information crucial to safety of operations is primarily seen as paramount.

There is no specific layout or tool for management recommended, enterprises use internal methods and/or tools.

Interfaces between a number of players: main responsibility (national level) is described in Railway Act or in other acts. Management is process-based in accordance with areas of responsibility stated in process description (enterprise level).

Hazard record monitoring: responsible departments and persons are appointed in enterprises. Those are mostly internal auditing units and employees responsible for safety.

Question: Do you have (1) a system of recording hazards and managing interfaces, (2) an example of a hazard record?

Slide n° 135

5 – Hazard Record – example (1) Answers received to questionnaire in other Workshops

Slide n° 136

5 – Hazard Record – example (2) Answers received to questionnaire in other Workshops

Slide n° 137

5 – Hazard Record – Partial Example of a Hazard Record/Log Table

Columns: HZD | Origin | Hazard description | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status

HZD 1
Origin: HAZOP report RX
Hazard description: Maximum speed of train set too high (Vmax)
Additional information: Wrong specific configuration of the onboard sub-system (maintenance staff). Wrong Data Entry onboard (driver).
Actor in charge: RU
Safety Measure: Define a procedure for the approval of the onboard sub-system configuration data; Define an operational procedure for the Data Entry Process by the Driver.
Used Risk Acceptance Principle: Explicit Risk Estimation
Exported: Yes
Status: Controlled (exported to RU). Refer also to section C.16.4.2 in Appendix C.

HZD 2
Origin: HAZOP report RX
Hazard description: Braking curves (i.e. Movement Authority) in onboard sub-system configuration data too permissive
Additional information: The procedure for the specific configuration of the onboard sub-system depends on: the safety margins taken for the train braking system; the reaction delay of the train braking system (this one is directly dependent on the train length, especially for freight trains).
Actor in charge: RU
Safety Measure: Specify correctly the system requirements in the System Definition; Take sufficient safety margins for the braking system of the specific train.
Used Risk Acceptance Principle: Explicit Risk Estimation
Exported: Yes
Status: Controlled (exported to RU). Refer also to section C.16.4.2 in Appendix C.

Slide n° 138

5 – Hazard Record – Operational Change Driver Only Operated Train (DOO)

For the railway undertakings the hazard management process was part of their safety management system for recording and managing risks.

The identified hazards were registered in a hazard record (similar template as below) with the safety requirements controlling the associated risk, i.e. reference to additional onboard and trackside equipment as well as to the revised operational procedures.

The revised procedures were monitored, and reviewed when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system.

Columns: HZD | Origin | Hazard description | Cause | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status

HZD 1
Origin: HAZOP report RX
Hazard description: Opening of doors – risk of passenger fatality
Cause: Driver
Additional information: Driver error through lack of competence or seating position
Actor in charge: RU
Safety Measure: Training; Cab design
Used Risk Acceptance Principle: Code of Practice
Exported: Partly
Status: Partly closed

HZD 2
Origin: HAZOP report RX
Hazard description: Failure of the CCTV – driver cannot see the platform
Cause: CCTV
Additional information: Vandalism; Incorrect/insufficient maintenance
Actor in charge: IM
Safety Measure: Protection of the equipment; Regular checks
Used Risk Acceptance Principle: Code of Practice
Exported: No
Status: Closed, measures in place

Slide n° 139

5 – Hazard Record – Organisational Change Outsourcing of a maintenance branch of an IM – Sample of Hazard Record

Columns: Description | Safety Measures | Priority (Safety/Punctuality) | Implementation Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Status (date xx.xx.xx)

Description: Reduced motivation among employees remaining in Company. Staff continuing to leave without stop. Demotivated / worn out managers.
Safety Measures: New round of motivational work for the staff, to be performed in smaller groups. Reallocation of funds so that Company gets meaningful tasks to perform. More frequent inspections by track manager. Allocate funds to make sure that key staff stays throughout the process. Give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks. Etc...
Priority (Safety/Punctuality): High/High
Implementation Notes: Coordinated by IOP. Regions must look at measures to increase control of tracks, overlap of employees and follow up by line managers. Increased inspections need to be included in the contracts. Etc...
Responsibility: Company Manager
Status (xx.xx.xx): Change of conditions of circumstances have reduced this risk significantly. Work environment analysis performed and some training of staff.

Slide n° 140

5 – Hazard Record – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample of Hazard Record

Columns: Description | Safety Measures | Priority (Safety/Punctuality) | Implementation Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Status (date xx.xx.xx)

Description: Subcontractors of the entrepreneurs lacking skill, competency and quality control
Safety Measures: Increased demand for documented competence. Systematic control of performed tasks.
Priority (Safety/Punctuality): High/Medium
Implementation Notes: IM must coordinate. Regions must implement measures for requiring competence and controlling the work. Implemented by contract follow up. Input to revision planning.
Responsibility / verification: Safety manager
Status (xx.xx.xx): Increased focus on routines for control (2 operative controls per month and operative area)

11: Uncertainty of roles and responsibilities in the interface between Company and IM (Track manager).
Safety Measures: Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces.
Priority (Safety/Punctuality): Medium/Medium
Implementation Notes: In each region separately. Implemented by maintenance contract and the strategy plan for the reorganisation.
Responsibility: Regional directors
Responsibility for verification: Safety Manager
Status (xx.xx.xx): Regions have presented their strategy.

Slide n° 141

5 – Hazard Record – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample of Hazard Record

The Hazard and Risk Analysis was a table describing the identified hazards, evaluating the severity and suggesting risk mitigation/control.

This information from the Risk Analysis table was mirrored within the Hazard Record/Log, which also includes additional information on who is responsible for implementing the measure, the deadline for the implementation, who is in charge of verifying the implementation, and who verifies the efficiency of the identified measure(s).

Indeed, for such organisational changes, the efficiency of the identified actions and decisions had to be monitored to verify whether they fully control the considered risk.

This is natural, as it may be difficult to foresee and measure the exact result of a safety measure related to an organisational issue (such as training, motivating work for staff, etc.), and the effects have to be followed up closely in a longer process where the analysis is continuously updated.

Slide n° 142

5 – Hazard Record – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample of Hazard Record

Therefore, the risk analysis and the hazard record/log were living documents. The efficiency of decided actions was monitored at regular intervals to check whether the conditions had changed and whether the risk analysis and risk evaluation needed to be updated. They were updated when actions were performed and hazards “closed”. A status field was updated to describe what actions were taken or were under way.

If any circumstances changed compared to the initial context of the risk analysis, the risk analysis and hazard record/log had to be updated to ensure that hazard and risk were under control.

The hazards that could not be closed (as not all the measures could be implemented or verified rapidly) were followed up. Their status was also monitored and rechecked on several occasions (and further dated status columns were added to the hazard record/log table) to verify that finally all the hazards will be closed.

Slide n° 143

5 – Hazard Record – Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

The identified hazards, the safety measures and the resulting safety requirements issued from the risk assessment and the application of the three risk acceptance principles were registered and managed in a hazard record using a form similar to the table below.

Columns: HZD | Origin | Hazard description | Cause | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status

HZD 1
Origin: HAZOP report RX
Hazard description: Transmission of old and unsafe messages
Cause: Radio in-fill controller hardware
Actor in charge: Manufacturer
Safety Measure: RAC-TS for Radio In-fill design
Used Risk Acceptance Principle: Explicit risk estimation
Exported: Radio In-fill sub-contractor
Status: Closed

HZD 1 (second cause)
Cause: Radio in-fill controller software; GSM
Actor in charge: Manufacturer
Safety Measure: CENELEC 50128, 50159-2
Used Risk Acceptance Principle: Code of Practice
Exported: Radio In-fill sub-contractor
Status: Closed

HZD 2
Origin: HAZOP report RX
Hazard description: Open-transmission medium
Cause: Radio in-fill controller; Hacker
Additional information: Dedicated standards available
Actor in charge: Manufacturer
Safety Measure: CENELEC 50159-2
Used Risk Acceptance Principle: Code of Practice
Exported: Radio In-fill sub-contractor
Status: Closed

Slide n° 144

Time schedule for CSM dissemination workshop – 2nd day of workshop

2nd day: 9:00 to 16:00

09:00 – 10:15: Demonstration of system compliance with safety requirements

10:15 – 11:00: Assessment Bodies

11:00 – 11:15: Coffee Break

11:15 – 12:15: internal discussions among representatives of each MS

12:15 – 13:15: Lunch Break

13:15 – 14:00: Questions/discussion and feedback from those discussions

14:00 – 14:15: Coffee Break

14:15 – 15:00: Conclusions and close out of the workshop


Slide n° 145

(6) Demonstration of system compliance with the safety requirements

Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment

Slide n° 146

6 – Demonstration of system compliance with safety requirements

For presentation purposes, CSM Process split into 7 topics (see questionnaire)

(1) Introduction

(2) What is a significant change?

(3) Hazard Identification phase;

(4) Risk analysis and evaluation

(5) Hazard Management and Hazard Records;

(6) Demonstration of system compliance with the safety requirements

(7) Independent assessment of correct application of CSM Process by an Assessment Body


Slide n° 147

6 – Demonstration of system compliance with safety requirements – Requirements in CSM Regulation [Chapter 3]

Prior to safety acceptance of change, fulfilment of safety requirements must be demonstrated (see next slide)

The demonstration is under the supervision of the proposer

But each actor is responsible for the demonstration of safety requirements for its part of the system

Approach chosen for the demonstration of compliance and the demonstration itself must be independently assessed by Assessment Body

Inadequacies of safety measures or new hazards discovered during the demonstration must be reassessed vs. CSM

[Figure: CSM risk assessment process diagram. Boxes: Preliminary System Definition; Significant Change?; System Definition; Hazard Identification and Classification; Risk Analysis; Risk Evaluation (vs. Risk Acceptance Criteria) using Codes of Practice, Similar Reference Systems or Explicit Risk Estimation; Safety Requirements (i.e. safety measures to be implemented); Demonstration of Compliance with Safety Requirements. The Risk Assessment is framed by Independent Assessment and by Hazard Management (Annex III(2)(g) of SD).]

Slide n° 148

6 – Demonstration of system compliance with safety requirements – Correspondence between CSM and CENELEC

CENELEC lifecycle phases shown on the slide (the numbering is that of the EN 50126 V-cycle):

1 Concept
2 System Definition & Application Conditions
3 Risk Analysis
4 System Requirements
5 Apportionment of System Requirements
6 Design and Implementation
7 Manufacture
8 Installation
9 System Validation (including Safety Acceptance and Commissioning)
10 System Acceptance
11 Operation and Maintenance
12 Performance Monitoring
13 Modification and Retrofit
14 De-commissioning and Disposal

Annotations (BOX 1 to BOX 4) mapping the CSM onto the lifecycle: CSM's for Risk Assessment; Preliminary System Definition in CSM's; Safety Requirements; Demonstration of Compliance with the Safety Requirements; Re-application of the CSM.

[Figure: CSM risk assessment process diagram, as on slide 147]

Slide n° 149

6 – Demonstration of system compliance with safety requirements – Purpose of demonstration

The CSM Process produces safety requirements expected to control the identified hazards.

The system must then be developed against those safety requirements, e.g.:

for operational changes: definition, writing and validation of the operational procedures vs. requirements

for technical systems: design, validation and acceptance

Prior to the acceptance of the change it must be demonstrated that:

the 3 risk acceptance principles (RAP) have been correctly applied and actually control the hazards to an acceptable level

the system actually complies with the specified safety requirements

Demonstration of Compliance withSafety Requirements

Preliminary

System Definition

Codes of

Practice

Similar

Reference

Systems

Explicit

Risk

Estimation

IND

EP

EN

DE

NT

AS

SE

SS

ME

NT

HA

ZA

RD

M

AN

AG

EM

EN

T [

Ax III

(2)(

g)

of S

D]

RISK ANALYSIS

RISK EVALUATION

(vs. Risk Acceptance Criteria)

Safety Requirements (i.e. safety

measures to be implemented)

SYSTEM DEFINITION

RISK ASSESSMENT

Significant

Change?

HAZARD IDENTIFICATION

AND CLASSIFICATION

6 – Demonstration of system compliance with safety requirements: Proposer's responsibility and other actors' responsibility (Slide n° 150)

The Proposer has overall responsibility for coordinating and managing the demonstration of compliance.

But each actor, including the Proposer where relevant, must demonstrate compliance of the sub-system it is responsible for with:
- the SR allocated to the sub-system by the Proposer
- the SR transferred to the relevant actor by other actors via interfaces
- the additional and internal SR from the safety assessments and safety analyses done at sub-system level

[Figure: at SYSTEM LEVEL, all identified safety requirements (SR) are allocated by the Proposer to Sub-System 1 ... Sub-System N. The safety requirements for each sub-system come from the Proposer, from the sub-system's own internal risk analyses and from other actors via INTERFACES; requirements arising at the interfaces go to other sub-systems, or back to the Proposer as system requirements. All of them are registered in the sub-system Hazard Records.]

6 – Demonstration of system compliance with safety requirements: Interface management, cooperation for shared risks (1/2) (Slide n° 151)

- The separation of activities/functions between the actors involved in the development and operation of railway systems (RUs, IMs, contractors, etc.) can result in risks at the interfaces.
- It is thus important that the actors affected by the considered interface cooperate in managing the hazards at the interface (shared risks), in order to reach a common understanding and agreement on what to do.
- The management of the shared risks shall be coordinated by the Proposer (system view), as the Proposer is the one that allocates the responsibilities to the actors concerned by the relevant interfaces.
- Using the Hazard Records, the safety measures at the interfaces must then be transferred to the right actors, i.e. those affected by the considered interface.
- The Proposer (with its assessment body) is responsible for the CSM application as well as for the integration of the system under assessment (INTERFACE) into the railway system as a whole.

6 – Demonstration of system compliance with safety requirements: Interface management, notifications to the Proposer (2/2) (Slide n° 152)

The CSM regulation requires that the following be notified to the Proposer:
- the safety measures related to interfaces that are transferred between the actors involved in the significant change, and
- the detected non-compliance(s) of safety measures in controlling effectively the identified hazards and the associated risk(s).

The Proposer will in turn inform the actor who is responsible for the implementation of the relevant safety measure.

As a general requirement, any actor who discovers a non-compliance or a non-identified hazard, and thus a hazard/risk that is not controlled, shall inform all actors that might be affected, either in the system under assessment or, as far as the actor is aware, in existing systems that could use it as a Reference System.

6 – Demonstration of system compliance with safety requirements: Sub-system safety analyses (1/4) (Slide n° 153)

To fulfil the safety requirements allocated to each sub-system, the actor in charge of the sub-system shall in turn carry out safety assessments and safety analyses to identify systematically:
- all reasonably foreseeable causes within the sub-system that contribute to the hazards at the level of the system under assessment
- the safety measures, and resulting safety requirements, at sub-system level that are expected to control these causes and the associated risks to an acceptable level

The actor shall register in a Hazard Record all the hazards it must control, as well as the safety measures to be implemented by the actor.

Causal analyses are one example of the safety assessments and safety analyses at sub-system level, but other methods can also be used: the process defined in the CSM regulation is a generic process.

6 – Demonstration of system compliance with safety requirements: Sub-system safety analyses (2/4) (Slide n° 154)

Example of Figure A.4 of EN 50129: definition of hazards with respect to the system boundary.

Causes of hazards at the level of the system under assessment may be considered as hazards at sub-system level (with respect to the sub-system boundary).

[Figure: CAUSES on the left, CONSEQUENCES on the right. Inside the System Boundary, a Hazard (at System Level) leads to Accident k and Accident l. A Cause (of a Hazard at System Level) lies inside the Sub-System Boundary, where it is the Hazard (at Sub-System Level), itself arising from a Cause (of a Hazard at Sub-System Level).]

6 – Demonstration of system compliance with safety requirements: Sub-system safety analyses (3/4) (Slide n° 155)

The CSM process steps can be repeated at each lower-level phase of the CENELEC V-cycle to derive the safety measures and the safety requirements to be fulfilled by the next phase:
- hierarchical structuring of hazards and causes against the system and sub-system boundaries
- systematic hazard identification and causal analysis activities (or any relevant method)
- systematic use of Hazard Records for registering and managing the hazards and safety measures the actor is in charge of/responsible for
- use of Codes of Practice, Similar Reference Systems and Explicit Risk Estimation

The derived sub-system safety requirements then need to be implemented, and their fulfilment demonstrated, by the actor concerned.

NB: the Proposer is responsible for demonstrating compliance with the safety requirements at the level of the system.

6 – Demonstration of system compliance with safety requirements: Sub-system safety analyses (4/4) (Slide n° 156)

[Figure: the CSM loop repeated down the CENELEC V-cycle. Phase N-1 delivers the Safety Requirements for Phase N; the Safety Measures in Phase N become the Safety Requirements (i.e. safety measures to be implemented) for Phase N+1; the Safety Measures in Phase N+1 become the Safety Requirements for Phase N+2, and so on. At each level, all identified safety requirements (SR) come from Level N, from internal risk analyses and from other actors via INTERFACES; requirements for Phase N only stay at that level, others go to other actors at level N+1, and the Safety Requirements for Level N+2 are passed on together with the Hazard Record of Level N.]

6 – Demonstration of system compliance with safety requirements: Independent assessment by the Assessment Body (Slide n° 157)

- The approach for demonstrating compliance with the safety requirements, as well as the demonstration itself, is independently assessed by the Assessment Body (AB).
- If there are no contractual obligations or Member State legal requirements, each actor is free to appoint an AB for the part of the system the actor is in charge of; more than one AB can be involved in the same project.
- The Proposer, with the support of its AB, is responsible for integrating the different sub-systems and for coordinating the different ABs involved in the project.

[Figure: CSM risk management process, with the Demonstration of Compliance with Safety Requirements step highlighted; Independent Assessment and Hazard Management [Annex III (2)(g) of the Safety Directive] run alongside.]

6 – Demonstration of system compliance with safety requirements: New iteration of the CSM process for detected non-compliances (Slide n° 158)

- If inadequacies of safety measures or new hazards are discovered during the demonstration, they need to be reassessed against the CSM.
- E.g. the choice of a technical solution for the design of the system or sub-systems, not foreseen by the SR, could create a new hazard.
- New hazards are registered in the Hazard Record.
- Deviations and/or new hazards are considered as new inputs for a new loop of the iterative risk assessment process.

[Figure: CSM risk management process, with the Demonstration of Compliance with Safety Requirements step highlighted; Independent Assessment and Hazard Management [Annex III (2)(g) of the Safety Directive] run alongside.]

Application to practical examples (Slide n° 159)

6 – Demonstration of system compliance with safety requirements: Operational change, Driver Only Operated train (DOO) (Slide n° 160)

Demonstration of the system compliance with the safety requirements:
- the system is implemented against the identified safety requirements (additional equipment and revised procedures to enable Driver Only Operation);
- the revised operational procedures are then introduced in the RU's safety management system;
- the correct application by the driver of the revised procedures, and their efficiency, is monitored and reviewed when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system, i.e. that the procedures and their application are appropriate to ensure a sufficient level of safety without on-board staff.

[Figure: CSM risk management process with Independent Assessment and Hazard Management alongside.]

6 – Demonstration of system compliance with safety requirements: Organisational change, outsourcing of a maintenance branch of an IM (Slide n° 161)

Demonstration of the system compliance with the safety requirements:
- The Risk Analysis and the Hazard Record show that hazards cannot be closed until they are verified and it is demonstrated that the safety requirements (i.e. the selected safety measures) are implemented.
- The Risk Analysis and the Hazard Record are living documents. The efficiency of the decided actions is monitored at regular intervals to check whether the conditions have changed and whether the Risk Analysis and Risk Evaluation need to be updated.

[Figure: CSM risk management process with Independent Assessment and Hazard Management alongside.]

6 – Demonstration of system compliance with safety requirements: Outsourcing of a maintenance branch of an IM, sample of Hazard Record (Slide n° 162)

The sample Hazard Record has the columns: Description | Safety Measures | Priority (Safety/Punctuality) | Implementation Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Date | Status. One row, as far as it can be recovered from the slide:

Description: Reduced motivation among employees remaining in the Company: staff continuing to leave without stop; demotivated / worn out managers.
Safety measures:
- New round of motivational work for the staff, to be performed in smaller groups.
- Reallocation of funds so that the Company gets meaningful tasks to perform.
- More frequent inspections by the track manager.
- Allocate funds to make sure that key staff stays throughout the process.
- Give special attention to making sure that information and knowledge is transferred between leaving employees and those who take over the tasks.
- Etc.
Priority (Safety/Punctuality): High/High
Implementation notes: Coordinated by IOP. Regions must look at measures to increase control of tracks, overlap of employees and follow-up by line managers. Increased inspections need to be included in the contracts. Etc.
Responsibility: Company Manager
Deadline / date: xx.xx.xx (placeholder on the slide)
Verification / status: A change of conditions and circumstances has reduced this risk significantly. Work environment analysis performed and some training of staff.

6 – Demonstration of system compliance with safety requirements: Outsourcing of a maintenance branch of an IM, sample of Hazard Record (continued) (Slide n° 163)

Same columns as the previous slide (Description | Safety Measures | Priority (Safety/Punctuality) | Implementation Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Date | Status; the date placeholder is again xx.xx.xx). Two further rows, as far as they can be recovered from the slide:

Description: Subcontractors of the entrepreneurs lacking skill, competency and quality control.
Safety measures: Increased demand for documented competence. Systematic control of performed tasks.
Priority (Safety/Punctuality): High/Medium
Implementation notes: IM must coordinate. Regions must implement measures for requiring competence and controlling the work.
Implementation: Implemented by contract follow-up. Input to revision planning.
Responsibility / verification: Safety manager
Status: Increased focus on routines for control (2 operative controls per month and operative area).

Description (item 11): Uncertainty of roles and responsibilities in the interface between the Company and the IM (track manager).
Safety measures: Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces.
Priority (Safety/Punctuality): Medium/Medium
Implementation notes: In each region separately.
Implementation: Implemented by the maintenance contract and the strategy plan for the reorganisation.
Responsibility: Regional directors
Responsibility for verification: Safety Manager
Status: Regions have presented their strategy.
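The Hazard Record rows above, together with the closure rule on the outsourcing slide (hazards cannot be closed until the safety measures are implemented and verified), the transfer of interface measures and the notifications to the Proposer (interface management slides), and the cause-becomes-sub-system-hazard structure of EN 50129 Figure A.4 (sub-system safety analyses slides), describe a data model and a handful of rules that are easy to lose in a spreadsheet. The following Python is an added example written for this page; it is not code from ERA, from the workshop, or from the CSM regulation. The class names, the three status values, the hazard numbering scheme, the actors "IM" and "Contractor", the dates and the scenario in demo() are all this example's own assumptions, loosely modelled on the sample rows.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

class MeasureStatus(Enum):
    OPEN = "open"                # decided, not yet implemented (or reopened)
    IMPLEMENTED = "implemented"  # "Performed date" set, verification outstanding
    VERIFIED = "verified"        # "Way of verification" carried out successfully

@dataclass
class SafetyMeasure:
    description: str
    responsible: str                          # actor implementing the measure
    status: MeasureStatus = MeasureStatus.OPEN
    performed_date: Optional[str] = None
    verified_by: Optional[str] = None

@dataclass
class Hazard:
    hazard_id: str
    description: str
    priority: str                             # "safety/punctuality", e.g. "High/Medium"
    measures: List[SafetyMeasure] = field(default_factory=list)
    parent: Optional[str] = None              # system-level hazard this one is a cause of
    children: List["Hazard"] = field(default_factory=list)
    closed: bool = False

class HazardRecord:
    """One record per actor; transfers and non-compliances are notified to the Proposer."""
    def __init__(self, actor: str, proposer: Optional["HazardRecord"] = None):
        self.actor, self.proposer = actor, proposer
        self.hazards: Dict[str, Hazard] = {}
        self.notifications: List[str] = []

    def register(self, hazard: Hazard) -> None:
        self.hazards[hazard.hazard_id] = hazard

    def derive_subsystem_hazard(self, system_hazard_id: str, cause: str,
                                sub: "HazardRecord") -> Hazard:
        # EN 50129 Fig. A.4: a cause of a system-level hazard is itself a hazard at the
        # sub-system boundary, so it is registered in the sub-system's own record.
        parent = self.hazards[system_hazard_id]
        child = Hazard(f"{system_hazard_id}.{len(parent.children) + 1}", cause,
                       parent.priority, parent=system_hazard_id)
        parent.children.append(child)
        sub.register(child)
        return child

    def transfer(self, hazard_id: str, idx: int, to: "HazardRecord") -> None:
        # The same measure object is held in both records, so closure on either side
        # depends on its status; the Proposer is notified of the transfer.
        src = self.hazards[hazard_id]
        measure = src.measures[idx]
        measure.responsible = to.actor
        mirror = to.hazards.setdefault(hazard_id, Hazard(hazard_id, src.description, src.priority))
        mirror.measures.append(measure)
        self._notify(f"transfer {hazard_id}[{idx}] {self.actor}->{to.actor}")

    def implement(self, hazard_id: str, idx: int, date: str) -> None:
        m = self.hazards[hazard_id].measures[idx]
        m.status, m.performed_date = MeasureStatus.IMPLEMENTED, date

    def verify(self, hazard_id: str, idx: int, verifier: str, effective: bool) -> None:
        # A failed verification reopens the measure and is reported upward as a new
        # input for a further iteration of the CSM process.
        m = self.hazards[hazard_id].measures[idx]
        if effective:
            m.status, m.verified_by = MeasureStatus.VERIFIED, verifier
        else:
            m.status = MeasureStatus.OPEN
            self._notify(f"non-compliance {hazard_id}[{idx}] reported by {verifier}")

    def try_close(self, hazard_id: str) -> bool:
        # Closure rule: every measure verified, every derived sub-system hazard closed.
        h = self.hazards[hazard_id]
        h.closed = (bool(h.measures)
                    and all(m.status is MeasureStatus.VERIFIED for m in h.measures)
                    and all(c.closed for c in h.children))
        return h.closed

    def open_items(self) -> List[str]:
        return [f"{h.hazard_id}[{i}]" for h in self.hazards.values()
                for i, m in enumerate(h.measures) if m.status is not MeasureStatus.VERIFIED]

    def _notify(self, msg: str) -> None:
        (self.proposer or self).notifications.append(f"{self.actor}: {msg}")

def demo():
    # Constructed scenario modelled on the sample rows; actors, dates and ids are invented.
    im = HazardRecord("IM")                              # the Proposer, system view
    contractor = HazardRecord("Contractor", proposer=im)
    im.register(Hazard("H11", "Uncertainty of roles at the IM/Company interface", "Medium/Medium",
                       measures=[SafetyMeasure("Define roles and responsibilities", "IM"),
                                 SafetyMeasure("Map interfaces and assign owners", "IM")]))
    im.transfer("H11", 1, contractor)                    # interface measure to the contractor
    im.derive_subsystem_hazard("H11", "Subcontractors lacking documented competence", contractor)
    contractor.hazards["H11.1"].measures.append(SafetyMeasure("Systematic control of performed tasks", "Contractor"))
    im.implement("H11", 0, "2010-03-01")
    im.verify("H11", 0, "Safety manager", effective=True)
    contractor.implement("H11", 0, "2010-03-15")
    contractor.verify("H11", 0, "Safety manager", effective=False)   # deviation found
    return im, contractor
```

After demo() the IM's hazard H11 stays open: the measure transferred to the Contractor was found non-compliant, the measure is reopened, and the IM (as Proposer) holds both notifications. H11 can only close once the Contractor has verified the transferred measure and has closed the derived sub-system hazard H11.1, which is the point of the note on the sub-system safety analyses slide that the Proposer remains responsible for compliance at system level.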

6 – Demonstration of system compliance with safety requirements: Replacement of a trackside loop by a radio in-fill + GSM sub-system (Slide n° 164)

Demonstration of the system compliance with the safety requirements:
- follow-up of the implementation of the safety requirements through the development process of the "radio in-fill + GSM" sub-system;
- verification that the system, as designed and installed, is compliant with the safety requirements.

This includes follow-up, during the design and V&V of the radio in-fill, of all requirements from the Codes of Practice (CENELEC EN 50128 and EN 50159-2 for the software of the radio in-fill), plus demonstration of the achievement of the RAC-TS (risk acceptance criterion for technical systems) for random hardware failures of the radio in-fill sub-system.

[Figure: CSM risk management process with Independent Assessment and Hazard Management alongside.]

Discussions/Questions + Replies to the pre-workshop questionnaire (Slide n° 165)

6 – Demonstration of system compliance with safety requirements: SUMMARY of the answers to the questionnaire (Slide n° 166)

- National requirements? According to the Railway Act, every IM or RU must have an appropriate SMS.
- Priorities for demonstrating compliance? First of all, safety of people, avoidance of environmental contamination and safety of the community are the priorities.
- Evidence included in the demonstration? Documentation that proves the safety of the enterprise in all essential respects is included.
- Quality assurance process for ensuring the adequacy of the compliance? It is voluntary. Quality management systems and various certificates exist depending on the specific enterprise.
- Continued compliance with any agreed safety assessment during system operation and maintenance? Internal audits, internal operational checks and also national surveillance of SMS implementation activities.
- Problems and difficulties that can be envisaged when proving safety compliance? At present there is not enough practice on this to report.

(7) Assessment Bodies (Slide n° 167)

7 – Assessment Bodies: Checking the correct application of the CSM regulation (Slide n° 168)

An independent assessment of the complete risk management process undertaken by the Proposer shall be performed by an independent body, to verify the significant change and the demonstration of compliance with the identified requirements.

[Figure: CSM risk management process with INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Annex III (2)(g) of the Safety Directive] running alongside.]

7 – Assessment Bodies: General background (Slide n° 169)

General background / legal framework concerning Assessment Bodies:
- For significant changes, an independent assessment of the correct application of the CSM regulation by an Assessment Body is required.
- The Assessment Body is appointed/selected by the Proposer (if there is no contrary national legal obligation).
- The Assessment Body shall issue a safety assessment report to support the Proposer in the decision to accept the significant change.
- There shall be mutual recognition of the independent assessments performed by the Assessment Body within the scope of the CSM on risk assessment.

7 – Assessment Bodies: Strategy for the development of their roles and responsibilities (Slide n° 170)

To enable the mutual recognition of the independent assessments, sufficient trust needs to be established in the work performed by the Assessment Body.

Different questions to be answered:
- WHY is an Assessment Body needed?
- WHO shall be the Assessment Body?
- WHEN shall the independent assessment be done?
- WHAT shall be assessed?
- What is the interaction with other assessments (i.e. the safety certification and authorisation process for placing structural sub-systems in service)?
- What are the additional requirements for the Assessment Body?
- HOW shall assessments be performed?
- WHICH scheme could ensure a similar quality of the assessments?

7 – Assessment Bodies: Definition of the Assessment Body and WHY it is needed (Slide n° 171)

Definition in Article 3(14) of regulation 352/2009/EC: "assessment body means the independent and competent person, organisation or entity which undertakes investigation to arrive at a judgement, based on evidence, of the suitability of a system to fulfil its safety requirements".

WHY is an Assessment Body needed?
- To support the Proposer in the decision to accept significant changes, by ensuring an independent check of the correct application of the risk management process defined in the CSM.
- To support and facilitate the mutual recognition of the results of the application of the CSM on risk assessment.

7 – Assessment Bodies: Who can be an Assessment Body (Slide n° 172)

WHO can be an Assessment Body? The criteria are listed in Annex II of the CSM regulation 352/2009/EC:
- independence from the design, manufacture, construction, marketing, operation or maintenance of the system
- professional integrity
- competence (skills, training, knowledge and experience) to perform the tasks required of them
- civil liability insurance
- commercial confidentiality

The following entities can be Assessment Bodies: NSA, NOBOs, Designated Bodies, in-house ISA, external ISA (if they fulfil the criteria in Annex II of the CSM regulation).

The choice is made by the Proposer if not imposed by national legislation. Different practices exist in the Member States.

7 – Assessment Bodies: When does the independent assessment start? (Slide n° 173)

WHEN will the independent assessment start?
- Although it is not explicitly a requirement of the CSM regulation, the Assessment Body should be involved early on in the project.
- And the independent assessment shall stop with the delivery of the assessment report to the Proposer?

7 – Assessment Bodies: What shall be assessed? (Slide n° 174)

WHAT shall be assessed? This is already defined in the CSM regulation:
- check of the compliance with the CSM process
- check of the results of the application of the CSM; this shall include the check of:
  - the system definition
  - the hazard identification and risk analysis
  - the risk evaluation and risk acceptance
  - the demonstration of compliance with the safety requirements, including the chosen approach

Assessment Bodies do not need to check the evaluation of the significance of the change.

7 – Assessment Bodies: Independent safety assessment report (Slide n° 175)

WHAT is the result of the independent assessment?

As defined in the CSM regulation, the Assessment Body shall provide the Proposer with a safety assessment report.

The safety assessment report shall at least:
- set out the Assessment Body's findings/opinion on the review of the risk management process
- confirm that the system under assessment meets the requirements, and whether it can be used safely

The safety assessment report will:
- support the Proposer in the decision to accept the change
- provide evidence to the NSA that the Proposer has correctly applied the CSM process, particularly if the change is related to an authorisation to place structural sub-systems in service
- be useful in any inspections that the NSA undertakes in relation to the SMS and the application of the CSM

7 – Assessment Bodies: How is the independent assessment performed? (Slide n° 176)

HOW shall the Assessment Body perform its assessment?

The independent assessment within the scope of the CSM on risk assessment is different from NOBO checks: a NOBO checks the formal conformity of a sub-system with predefined requirements, whereas the Assessment Body makes judgements.

For this judgement to be made, a complete and thorough review and follow-up of all activities of the Proposer and of its subcontractors for the design and implementation of the change may not be cost-effective, and is also not necessary. Rather, a three-step approach shall be undertaken, based on:
- thorough understanding of the change and of its specification
- assessment of the safety and quality processes put in place for the change
- assessment of the application of these processes for the design and implementation of the change, based on e.g. auditing and sampling techniques, until the delivery of the assessment report

7 – Assessment Bodies: Interaction with other assessment bodies (Slide n° 177)

In order to avoid duplication of work, it is important to distinguish the tasks allocated to:
- the Assessment Body under the CSM regulation on risk assessment, which shall check the correct application of the CSM risk management process
- the NSAs, NOBOs and DEBOs under the Safety Directive 2004/49/EC and the Interoperability Directive 2008/57/EC, where the NSA issues:
  - Safety Certificates and Safety Authorisations for the SMS of RUs/IMs
  - Authorisations for placing structural subsystems in service, based on:
    - the NOBO's "EC verification" of conformity with the TSI requirements applicable to the sub-systems
    - the Designated Body's check of conformity with the national rules applicable to the sub-systems
    - the check by the Assessment Body of the correct application of the CSM regulation on risk assessment

7 – Assessment Bodies: Quality of assessments performed by the Assessment Body (Slide n° 178)

WHICH scheme could ensure a similar quality of the assessments?
- There is a need to establish trust in the Assessment Body's results; hence the development of a common framework for evaluating the competence of assessment bodies.
- Similarly to ECM certifying bodies, an assessment body could be either:
  - an accredited body, accredited by a national accreditation body
  - a body/person recognised by the Member State
- The choice between accreditation and recognition by the Member State is left to the Proposer, unless imposed differently by national legislation.

7 – Assessment Bodies: Accreditation scheme for Assessment Bodies (Slide n° 179)

WHICH scheme could ensure a similar quality of the assessments? Specific accreditation scheme:
- based on the existing recognised standard ISO 17020 for inspection bodies, the most appropriate standard for safety assessment
- the ISO 17020 standard sets out "General criteria for the operation of various bodies performing inspection"; the Agency is currently investigating this possibility in cooperation with EA
- possibility to accredit external as well as internal assessment bodies against ISO 17020
- specific requirements/criteria on competence and independence to be elaborated
- contact established with EA (European co-operation for Accreditation) to assess the feasibility of the scheme and its acceptance by the National Accreditation Bodies

7 – Assessment Bodies: Recognition of Assessment Bodies by the Member State (Slide n° 180)

WHICH scheme could ensure a similar quality of the assessments? Recognition by the Member State:
- same specific criteria on competence and independence as for accredited bodies
- similar requirements to ISO 17020 for organisations (e.g. on the quality management system)
- similar control and surveillance as in accreditation
- peer reviews similar to the EA peer reviews are necessary to ensure similar standards (e.g. NSA peer reviews)

7 – Assessment Bodies: Recognition of Assessment Bodies (Slide n° 181)

Specific cases of some Member States where recognition is envisaged:
- Recognition of individuals
  - only the criteria of competence and independence apply
  - limited scope of work, in the Member State where they are recognised
- Recognition by the NSA through the SMS of RUs and IMs
  - internal assessors within RUs/IMs
  - external assessors to RUs/IMs
  - evaluation and surveillance by the NSA through SMS audits
- NSA itself acting as assessment body
  - evaluation and surveillance may be performed internally
  - may require separation from other NSA functions

Slide n° 182

The management of the interfaces between the different railway actors involved in the management of the significant change is a key activity throughout the development of the significant change.

If more than one actor, and thus more than one assessment body, is involved in the change, the proposer, with the support of his assessment body, will need to co-ordinate the activities of the different actors and of their assessment bodies.

This can:

help with the management of the interface between the different actors

be useful before switching over from one step of the risk assessment to the next one

Duplication of work in terms of additional independent assessment shall be avoided – reports shall not be called into question if there are no deviations from the initially accepted system.

7 – Assessment Bodies: Interfaces between the different actors involved in the significant change

Slide n° 183

Next steps still to be developed:

Definition of accreditation scheme in collaboration with EA, including specific criteria of competence

Definition of requirements for the alternative of recognition by MS in the different envisaged cases

Definition of a harmonized format for safety assessment reports

7 – Assessment Bodies: Next Steps


Slide n° 184

Discussions/Questions

+

Replies to pre-workshop questionnaire

Slide n° 185

7 – Assessment Bodies: Summary of the answers to the questionnaire

Are assessment bodies used for checking that changes and safety requirements are correctly managed and implemented?
Yes, external auditors, but also national surveillance of SMS implementation.

How do you decide when to use them?
Decisions are made according to legislation and standards (depending on the specific field of assessment). It is always possible to rope in an independent expert.

Are there any national requirements setting out the legal basis for their use? If so, can you give some examples?
The basic list is: Railway Act (SMS part), quality management standards, legislation regarding the working environment, legislation regarding the environment.

For assessments undertaken internally within the company, how do you ensure the independence of the assessment body?
The assessor must not be associated with the area of assessment. General principles are stated in the Anti-Corruption Act and relevant standards. The NSA (ETSA) has no right to choose assessors for enterprises and also has no obligation to take the assessors’ opinion into consideration.

Slide n° 186

7 – Assessment Bodies: Summary of the answers to the questionnaire

Which projects are assessment bodies involved in?
Issue of permits, certificates and licences, mostly pre-processing activities with documentary evidence. For example: to renew a code of practice or other internal documentation, a new risk assessment, new manuals for some new technology, etc.

What sort of documentary evidence do they require?
Documents demanded in legislation and relevant standards.

When do they intervene in the management of a change (early or at the end of the project)?
They intervene if safety requirements are no longer fulfilled or a licence/certificate has expired.

How do they carry out their assessment, i.e. what methodology do they apply? How are they “recognised” by the MS, or do they need to be recognised by someone?
Assessment (surveillance) takes place continually throughout the validity of the licence/certificate. Recognition takes place according to the relevant legislation.

Slide n° 187

7 – Assessment Bodies: Summary of the answers to the questionnaire

Do you work more with external or in-house assessment bodies? Why?
Enterprises prefer using internal auditors for initial audits, but external auditors are also used.

How is the independent safety assessment report used?
Depending on the subject, the report is taken into account and internal documents and procedures are amended accordingly. The NSA (ETSA) has no obligation to take the assessors’ report into consideration; it is non-binding.

Are the assessment body recommendations always followed?
Enterprises: yes. NSA (ETSA): no (it is non-binding for the NSA).


Slide n° 188

(8) Conclusions

Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment


Slide n° 189

Examples of application of the CSM Process

(All steps put together for the three examples)

Driver Only Operated Train (operational change) by RU

Organisational Change by IM

Radio In-fill by a Manufacturer


Slide n° 190

Operational Change – “Driver Only Operated Train – DOO”

CSM Application by the RU

Slide n° 191

Driver only operated train – System Definition

Example of an operational change - System Definition

The RU has decided to operate trains with the driver alone (Driver Only Operated train – DOO) on a route where previously there was an onboard guard to assist the driver with train dispatching.

Description of the existing system: “explain clearly which tasks were performed by the driver and which other ones were carried out by onboard staff (or guard) to assist the driver”

Description of change of driver's responsibilities due to removal of onboard assisting staff, “e.g. door closing before train departure”

Definition of additional technical requirements for system to cover needed changes in Driver Only Operation

Describe existing interfaces between onboard assisting staff, train driver and trackside staff of infrastructure manager

Slide n° 192

Change: Driver Only Operation

● Significant change (all questions need to be covered):

Safety relevant? YES – completely different way of managing train service operation

Low novelty? NO – driver’s responsibility extended, requiring new tasks

Low complexity? NO – driver’s errors could lead to catastrophic consequences

● Consequence: apply the CSM Process

[Flowchart: Safety relevance – “Is it safety related?” Yes / No. Other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? → Significant Change → Apply CSM Process]

Driver only operated train – Evaluation of the significance of the change

Slide n° 193

[Side labels of the process figure: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]

Hazard Identification (e.g. HAZOP):

brainstorming by a group of experts to find all hazards with a relevant influence on the risk brought about by the removal of onboard assisting staff and the additional tasks requested of the driver;

drivers’ and staff’s representatives involved for their operational experience, IM representatives as the infrastructure could also be affected, implying e.g. changes to stations (e.g. installation of mirrors/closed-circuit TV at platforms);

what could be the key operational hazards at stations, on existing routes where the driver was assisted by onboard or trackside staff (door opening, closure check, etc.)

Driver only operated train – Hazard Identification

Slide n° 194

A HAZOP study is a structured method for the identification of risks, invented in the chemical industry. It uses keywords to reveal the possible response of the system or process to changes or to deviations from the desired response. The method is described in IEC 61882.

The HAZOP is based on the principle that several experts with different backgrounds can interact and identify more problems when working together than when working separately and then combining their results. This brainstorming method stimulates creativity and generates ideas.

What is a HAZOP?

Slide n° 195

The HAZOP is a systematic process that examines the following topics:

Intention, i.e. the expected functional behaviour of the system

Deviations: starts from possible deviations from the desired functional states

Causes: for each deviation, the reasons why the deviation could occur

Consequences: the result of the deviation

Hazard: the consequences causing possible damage, injury or loss

Measures: possibilities to reduce the hazardous condition/behaviour

The method needs an educated leader (moderator/facilitator) to manage the session, good input information, and documents of the system and processes. It is effective in finding risks if properly conducted. For the critical functions/tasks/aspects, the method can be complemented by other systematic studies, e.g. by an FMECA (Failure Mode, Effects and Criticality Analysis).

What is a HAZOP?

Slide n° 196

Examples of guide/key words:

No message/information or delayed message/information

Message/information available when not expected

False message – False information

Invalid message

Etc.

The guide/key words must be tailored to the system/item concerned, before starting a HAZOP study

What is a HAZOP?

Slide n° 197

Hazard Identification was done within a HAZOP session (Hazard and Operability study), i.e. a brainstorming by a group of multidisciplinary experts with different backgrounds, bringing together:

safety experts from the RU

train drivers’ and staff’s representatives for their operational experience (onboard accompanying staff)

IM representatives, as the infrastructure could also be affected by the change, implying e.g. changes to stations (e.g. installation of mirrors/closed-circuit television [CCTV] at platforms) to help the driver

trackside staff of the IM

Each of the identified hazards was assigned a level of severity of risk and consequences (high, medium, low), and the impact of the proposed change on that risk was reviewed (increased, unchanged, decreased).

Driver only operated train – Hazard Identification

Slide n° 198

Based on the system definition, the brainstorming team scrutinised the additional tasks to be performed by the train driver, in order to identify all foreseeable hazards that might arise from the removal of onboard assisting staff.

In particular, hazard identification looked at what the key operational hazards could be at stations, on existing routes where there was assistance from onboard or trackside staff, including the safe dispatch of trains, specific issues related to the driver, the rolling stock (e.g. door opening/closure check), maintenance requirements, etc.

Examples of hazards identified during the HAZOP (one way of proceeding):

Train departure without closing the doors → passengers could fall down onto the track

Door opening on the wrong side → passengers could fall down onto the track

Door closing while passengers are still getting onboard → passengers could be caught between the doors

Driver only operated train – Hazard Identification

Slide n° 199

[Side labels of the process figure: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]

Use of Codes of Practice and Reference Systems:

Both CoP (i.e. a set of standards for Driver Only Operation) and similar reference systems were used to define the safety requirements for the identified hazards, such as:

revised operational procedures for the driver that are required to operate the trains safely without onboard assistance;

any additional equipment necessary onboard or on the track to ensure safe and reliable means of train dispatch;

a checklist for ensuring that the driver's cab is suitable, taking into account the interface between the railway system (both onboard and trackside) and the driver

Revision of the necessary operational rules in compliance with the requirements from the applicable codes of practice and the relevant reference systems.

Driver only operated train – Risk Analysis and Evaluation

Slide n° 200

For the railway undertaking, the hazard management process was part of its safety management system for recording and managing risks.

The identified hazards were registered in a hazard record (template similar to the one below) with the safety requirements controlling the associated risk, i.e. reference to the additional onboard and trackside equipment as well as to the revised operational procedures.

The revised procedures were monitored, and reviewed when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system.

Hazard record (columns: HZD | Origin | Hazard description | Cause | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status)

HZD 1 – Origin: HAZOP report RX. Hazard description: Opening of doors – risk of passenger fatality. Cause: Driver. Additional information: Driver error through lack of competence or seating position. Actor in charge: RU. Safety measure: Training; Cab design. Used risk acceptance principle: Code of Practice. Exported: Partly. Status: Partly closed.

HZD 2 – Origin: HAZOP report RX. Hazard description: Failure of the CCTV – driver cannot see the platform. Cause: CCTV. Additional information: Vandalism; incorrect/insufficient maintenance. Actor in charge: IM. Safety measure: Protection of the equipment; Regular checks. Used risk acceptance principle: Code of Practice. Exported: No. Status: Closed, measures in place.

Driver only operated train – Hazard Record
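The hazard record above as a small data model, added here as an example that is not part of the ERA slides. The column names and the two rows (DOO example) are transcribed from the slide as sample data; the checks (every hazard needs a measure and one of the three risk acceptance principles, an exported hazard is not closed unilaterally) and the "Closed..." status convention are assumptions of this example, not wording quoted from the regulation.

```python
"""Hazard record for a significant change, following the template on the slide.

Added example (not code from the ERA slides): the columns and the two sample rows
are transcribed from the DOO hazard record; the validation rules and the "Closed"
status convention are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List

# The three risk acceptance principles of the CSM.
RISK_ACCEPTANCE_PRINCIPLES = {"Code of Practice", "Reference System", "Explicit Risk Estimation"}
# Allowed values of the "Exported" column: is (part of) the hazard passed to another actor?
EXPORTED_VALUES = {"No", "Partly", "Yes"}


@dataclass
class HazardEntry:
    hzd: int                        # HZD: hazard number
    origin: str                     # e.g. "HAZOP report RX"
    description: str                # Hazard description
    cause: str
    additional_info: str
    actor_in_charge: str            # RU, IM, manufacturer, ...
    safety_measures: List[str]      # Safety Measure column (one or more measures)
    risk_acceptance_principle: str  # Used Risk Acceptance Principle
    exported: str                   # "No", "Partly" or "Yes"
    status: str                     # e.g. "Partly closed", "Closed, measures in place"

    def is_closed(self) -> bool:
        # Assumption: only a status starting with "Closed" counts as closed,
        # so "Partly closed" is still an open hazard.
        return self.status.strip().lower().startswith("closed")


def validate_entry(entry: HazardEntry) -> List[str]:
    """Findings for one entry; an empty list means the entry is complete."""
    findings: List[str] = []
    tag = f"HZD {entry.hzd}"
    if not entry.safety_measures:
        findings.append(f"{tag}: no safety measure controls the risk")
    if entry.risk_acceptance_principle not in RISK_ACCEPTANCE_PRINCIPLES:
        findings.append(f"{tag}: '{entry.risk_acceptance_principle}' is not one of the "
                        "three risk acceptance principles")
    if entry.exported not in EXPORTED_VALUES:
        findings.append(f"{tag}: Exported must be one of {sorted(EXPORTED_VALUES)}")
    elif entry.exported != "No" and entry.is_closed():
        # Assumption: a hazard (partly) exported to another actor is closed only
        # after co-ordination with that actor and its assessment body.
        findings.append(f"{tag}: closed although (part of) the hazard is exported")
    return findings


def validate_record(record: List[HazardEntry]) -> List[str]:
    """Findings for the whole record, including duplicate hazard numbers."""
    findings: List[str] = []
    for entry in record:
        findings.extend(validate_entry(entry))
    numbers = [entry.hzd for entry in record]
    if len(numbers) != len(set(numbers)):
        findings.append("duplicate HZD numbers in the record")
    return findings


def open_hazards(record: List[HazardEntry]) -> List[HazardEntry]:
    """Hazards whose control is not yet fully demonstrated."""
    return [entry for entry in record if not entry.is_closed()]


def hazards_to_coordinate(record: List[HazardEntry]) -> List[HazardEntry]:
    """Hazards (partly) exported to another actor: the proposer has to co-ordinate
    the actors involved and their assessment bodies for these."""
    return [entry for entry in record if entry.exported != "No"]


def measures_by_actor(record: List[HazardEntry]) -> Dict[str, List[str]]:
    """Safety measures grouped by the actor in charge of implementing them."""
    grouped: Dict[str, List[str]] = {}
    for entry in record:
        grouped.setdefault(entry.actor_in_charge, []).extend(entry.safety_measures)
    return grouped


# Sample rows transcribed from the slide's hazard record (DOO example).
SAMPLE_RECORD = [
    HazardEntry(1, "HAZOP report RX", "Opening of doors - risk of passenger fatality",
                "Driver", "Driver error through lack of competence or seating position",
                "RU", ["Training", "Cab design"], "Code of Practice", "Partly", "Partly closed"),
    HazardEntry(2, "HAZOP report RX", "Failure of the CCTV - driver cannot see the platform",
                "CCTV", "Vandalism; incorrect/insufficient maintenance",
                "IM", ["Protection of the equipment", "Regular checks"], "Code of Practice",
                "No", "Closed, measures in place"),
]

# Constructed, deliberately incomplete entry showing what the validation catches.
INCOMPLETE_ENTRY = HazardEntry(3, "HAZOP report RX",
                               "Door closing while passengers are still getting onboard",
                               "Driver", "", "RU", [], "Engineering judgement", "No", "Open")

if __name__ == "__main__":
    for finding in validate_record(SAMPLE_RECORD + [INCOMPLETE_ENTRY]):
        print(finding)
    print([e.hzd for e in open_hazards(SAMPLE_RECORD)], measures_by_actor(SAMPLE_RECORD))
```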

Slide n° 201

Demonstration of the system's compliance with the safety requirements:

system implemented vs. identified safety requirements (additional equipment and revised procedures to enable Driver Only Operation)

the revised operational procedures are then introduced in the RU safety management system

the correct application by the driver of the revised procedures, and their efficiency, is monitored and reviewed, when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system, i.e. that the procedures and their application are appropriate to ensure a sufficient level of safety without onboard staff

[Side labels of the process figure: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]

Driver only operated train – Demonstration of system compliance with the safety requirements


Slide n° 202

Organisational Change – “Outsourcing of a maintenance branch of an IM”

CSM Application by the IM

Slide n° 203

Outsourcing of a maintenance branch of an IM – System Definition

Example of an organisational change - System Definition

A branch of an IM organisation that, until the change, was performing some maintenance activities (other than signalling and telematics) had to be put in competition with other companies working in the same field. Direct impact: need for downsizing and redistribution of staff and tasks within the detached branch of the IM organisation put in competition.

description of the tasks performed by the existing organisation (i.e. by the IM organisation before making the change)

description of the changes planned in the IM organisation to cope with the management of subcontractors

the interfaces of the "branch to be detached" with other surrounding organisations or with the physical environment could only be briefly described; the boundaries could not be 100 % clearly presented

Slide n° 204

Concerns for the IM (i.e. the remaining, not outsourced part)

The IM staff affected by the change were in charge of emergency maintenance and repairs required by sudden faults on the infrastructure. The staff were also performing some planned or project-based maintenance activities such as track packing, ballast cleaning and vegetation control.

The IM considered these tasks critical for the safety and punctuality of operation; they had to be analysed in order to find the right measures ensuring that the situation does not deteriorate, as many of the staff in charge of safety matters were leaving the IM organisation for the outsourced company.

The same level of safety and train punctuality needed to be maintained during and after the change of the IM organisation.

Outsourcing of a maintenance branch of an IM – System Definition

Slide n° 205

Change: outsourcing of a maintenance branch of the IM

● Significant change (all questions need to be covered):

Safety relevant? YES – downsizing, redistribution of staff and tasks: same work with less staff

Low novelty? NO – contractual relation and follow-up

Low complexity? NO – new functions in the remaining IM organisation to follow up the subcontractor

Easy monitoring? NO – not easy to check the subcontractor's efficiency

● Consequence: apply the CSM Process

[Flowchart: Safety relevance – “Is it safety related?” Yes / No. Other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? → Significant Change → Apply CSM Process]

Outsourcing of a maintenance branch of an IM – Evaluation of the significance of the change
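The significance evaluation shown for the DOO change (slide 192) and for the outsourcing change (slide 205), as an added Python example that is not part of the ERA slides. It treats each of the six criteria as a yes/no question with a written justification, records the answers given on the two slides, lists the criteria still to be covered, and, as an assumption of this example (a conservative reading, since the regulation leaves the judgement to the proposer), treats a change as significant as soon as one criterion is answered "no".

```python
"""Evaluation of the significance of a change, following the flowchart on the slides.

Added example (not code from the ERA slides). The safety-relevance gate and the six
criteria are those on the slide; the answers for the DOO and outsourcing changes are
transcribed from slides 192 and 205. Assumptions: every criterion is a yes/no question
with a justification, one "no" is enough to treat the change as significant, and
unanswered criteria are reported so that all questions get covered.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# The six criteria, worded so that "yes" is the favourable answer.
CRITERIA = (
    "low failure consequence",
    "low novelty",
    "low complexity",
    "easy monitoring",
    "high reversibility",
    "additionality",  # sum of recent non-significant changes still non-significant?
)


@dataclass
class Answer:
    yes: bool
    justification: str


@dataclass
class SignificanceEvaluation:
    change: str
    safety_relevant: bool
    safety_relevance_reason: str
    answers: Dict[str, Answer] = field(default_factory=dict)

    def answer(self, criterion: str, yes: bool, justification: str) -> "SignificanceEvaluation":
        """Record one criterion; every answer must carry a justification."""
        if criterion not in CRITERIA:
            raise ValueError(f"unknown criterion: {criterion}")
        if not justification.strip():
            raise ValueError(f"criterion '{criterion}' needs a justification")
        self.answers[criterion] = Answer(yes, justification)
        return self


@dataclass
class Result:
    verdict: str          # "not safety relevant", "significant", "undecided", "not significant"
    reasons: List[str]
    uncovered: List[str]  # criteria not yet answered: all questions need to be covered


def evaluate(ev: SignificanceEvaluation) -> Result:
    """Walk the flowchart: the safety-relevance gate first, then the six criteria."""
    if not ev.safety_relevant:
        return Result("not safety relevant", [ev.safety_relevance_reason], [])
    uncovered = [c for c in CRITERIA if c not in ev.answers]
    negatives = [f"{c}? NO: {ev.answers[c].justification}"
                 for c in CRITERIA if c in ev.answers and not ev.answers[c].yes]
    if negatives:
        # Assumption (conservative): one unfavourable answer makes the change significant.
        return Result("significant", negatives, uncovered)
    if uncovered:
        return Result("undecided", ["no criterion answered 'no' so far"], uncovered)
    positives = [f"{c}? YES: {ev.answers[c].justification}" for c in CRITERIA]
    return Result("not significant", positives, [])


def doo_example() -> SignificanceEvaluation:
    """Driver Only Operation, answers as given on slide 192."""
    ev = SignificanceEvaluation("Driver Only Operation", True,
                                "completely different way of managing train service operation")
    ev.answer("low novelty", False, "driver's responsibility extended, requiring new tasks")
    ev.answer("low complexity", False, "driver's errors could lead to catastrophic consequences")
    return ev


def outsourcing_example() -> SignificanceEvaluation:
    """Outsourcing of a maintenance branch of the IM, answers as given on slide 205."""
    ev = SignificanceEvaluation("Outsourcing of a maintenance branch of the IM", True,
                                "downsizing, redistribution of staff and tasks: same work with less staff")
    ev.answer("low novelty", False, "contractual relation and follow-up")
    ev.answer("low complexity", False,
              "new functions in the remaining IM organisation to follow up the subcontractor")
    ev.answer("easy monitoring", False, "not easy to check the subcontractor's efficiency")
    return ev


if __name__ == "__main__":
    for ev in (doo_example(), outsourcing_example()):
        result = evaluate(ev)
        print(ev.change, "->", result.verdict)
        for reason in result.reasons:
            print("  ", reason)
        print("   still to be covered:", ", ".join(result.uncovered))
```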

Slide n° 206

[Side labels of the process figure: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]

Hazard Identification (e.g. HAZOP): brainstorming by a group of experts to find all hazards with a relevant influence on the risk brought about by the intended change.

Hazard Classification: high, medium, low risk (severity) and increased, unchanged, decreased risk (impact of the change) compared to the initial situation.

Outsourcing of a maintenance branch of an IM – Hazard Identification

Slide n° 207

Hazard Identification was done within a HAZOP session (Hazard and Operability study), i.e. a brainstorming by a group of multidisciplinary experts with different backgrounds, bringing together:

safety experts from the IM

system engineers/experts

train drivers

IM staff’s representatives from the maintenance department

etc.

The HAZOP analysis went through a checklist method describing a list of hazards (unwanted events), their causes, the related consequences and frequencies (rough estimates), and the related actions that need to be taken to mitigate these risks. The interdependencies and interfaces between the detached branch and the rest of the IM organisation were particularly examined.

Outsourcing of a maintenance branch of an IM – Hazard Identification

Slide n° 208

Risk analysis table (columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for implementing the safety measure | Safety Measures)

Hazard 1 – Unwanted event: Reduced motivation among employees remaining in the Company: staff continuing to leave without stop; demotivated/worn-out managers. Cause: Missing colleagues, missing certain tasks; lack of loyalty, knowing that the workplace is not going to stay; heavy workload; uncertainty. Consequence: Tasks not performed, increased build-up of unperformed works; emergency maintenance instead of planned maintenance; collective worker actions (calling in sick etc.); lack of trust in the Company for the managers at IM level. Type of loss: Safety. Risk: Higher. Safety measures: New round of motivational work for the staff, to be performed in smaller groups; reallocation of funds so that the Company gets meaningful tasks to perform; more frequent inspections by the track manager; allocate funds to make sure that key staff stay throughout the process; give special attention to making sure that information and knowledge are transferred between leaving employees and those who take over the tasks; etc.

Outsourcing of a maintenance branch of an IM – Hazard Identification – Sample from the Risk Analysis

Slide n° 209

Risk analysis table (columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for implementing the safety measure | Safety Measures)

Hazard 10 – Unwanted event: Lack of competency in the performance of tasks. Cause: Subcontractors of the IM lacking skill, competency and quality control. Consequence: Violation of safety rules; increased accident frequency. Type of loss: Safety. Risk: Higher. Safety measures: Increased demand for documented competence; systematic control of performed tasks.

Hazard 11 – Unwanted event: Uncertainty of roles and responsibilities in the interface between the Company and the IM. Cause: Different understandings of roles and responsibilities; the track manager is responsible for accessible tracks but not for the downsizing, and can therefore not take this into account when planning/prioritising work tasks; the track manager lacks an overview of the competencies available in the Company; coordination problems for the delivery when coordination responsibilities are transferred to the track manager. Consequence: Tasks not being performed or being performed twice; lack of coordination of resources. Type of loss: Safety. Risk: Higher. Safety measures: Define roles and responsibilities; map all interfaces and define who is responsible for the interfaces.

Outsourcing of a maintenance branch of an IM – Hazard Identification – Sample from the Risk Analysis

Slide n° 210

[Side labels of the process figure: INDEPENDENT ASSESSMENT / HAZARD MANAGEMENT]

“Use of Reference System and Risk Evaluation” + “Explicit risk estimation and evaluation”:

The system before the change was judged to have an acceptable level of safety. It was thus used to derive the Risk Acceptance Criteria for the system under assessment, i.e. “maintain at least the same level of safety and punctuality throughout the change process and after the change”.

For each hazard with increased risk, the IM decided to counterbalance the hazard by appropriate risk-reducing measures. The residual risk was compared against the RAC to check whether other additional measures needed to be identified.

The Hazard and Risk Analysis was documented in a table describing the identified hazards, evaluating the severity and suggesting risk mitigation/control measures (see the risk analysis on the next slide).

Outsourcing of a maintenance branch of an IM – Risk Analysis and Evaluation

Slide n° 211

Risk analysis table – the same sample row (hazard 1: reduced motivation among employees remaining in the Company, with its causes, consequences, type of loss, risk and safety measures) as shown on slide 208.

Outsourcing of a maintenance branch of an IM – Risk Analysis and Evaluation

Slide n° 212

Risk analysis table – the same sample rows (hazard 10: lack of competency in the performance of tasks; hazard 11: uncertainty of roles and responsibilities in the interface between the Company and the IM, each with causes, consequences, type of loss, risk and safety measures) as shown on slide 209.

Outsourcing of a maintenance branch of an IM – Risk Analysis and Evaluation

Slide n° 213

Hazard record (columns: Description | Safety Measures | Priority Safety/Punctuality | Implementation Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Date | Status; dates shown as xx.xx.xx)

Hazard 1 – Description: Reduced motivation among employees remaining in the Company: staff continuing to leave without stop; demotivated/worn-out managers. Safety measures: New round of motivational work for the staff, to be performed in smaller groups; reallocation of funds so that the Company gets meaningful tasks to perform; more frequent inspections by the track manager; allocate funds to make sure that key staff stay throughout the process; give special attention to making sure that information and knowledge are transferred between leaving employees and those who take over the tasks; etc. Priority (Safety/Punctuality): High/High. Implementation notes: Coordinated by IOP. Regions must look at measures to increase control of tracks, overlap of employees and follow-up by line managers. Increased inspections need to be included in the contracts. Etc. Responsibility: Company Manager. Verification/status: Change of conditions or circumstances has reduced this risk significantly. Work environment analysis performed and some training of staff.

Outsourcing of a maintenance branch of an IM – Hazard Record

Slide n° 214

Hazard Record columns: Description; Safety Measures; Priority (Safety/Punctuality); Implementation Notes; Responsibility; Deadline; Performed date; Responsibility for verification; Way of verification; Date; Status (xx.xx.xx)

Description: Subcontractors of the entrepreneurs lacking skill, competency and quality control
Safety Measures: Increased demand for documented competence. Systematic control of performed tasks.
Priority (Safety/Punctuality): High/Medium
Implementation Notes: IM must coordinate. Regions must implement measures for requiring competence and controlling the work. Implemented by contract follow-up. Input to revision planning.
Responsibility: Safety manager
Status (xx.xx.xx): Increased focus on routines for control (2 operative controls per month and operative area).

11: Uncertainty of roles and responsibilities in the interface between Company and IM (Track manager).
Safety Measures: Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces.
Priority (Safety/Punctuality): Medium/Medium
Implementation Notes: In each region separately. Implemented by maintenance contract and the strategy plan for the reorganisation.
Responsibility: Regional directors
Responsibility for verification: Safety Manager
Status (xx.xx.xx): Regions have presented their strategy.

Outsourcing of a maintenance branch of an IM – Hazard Record

Slide n° 215

Demonstration of the system compliance with the safety requirements:

The Risk Analysis and the Hazard Record show that hazards cannot be closed until they are verified and it is demonstrated that the safety requirements (i.e. the selected safety measures) are implemented.

The Risk Analysis and the Hazard Record are living documents. The efficiency of the decided actions is monitored at regular intervals to check whether the conditions have changed and whether the Risk Analysis and Risk Evaluation need to be updated.

INDEPENDENT ASSESSMENT – HAZARD MANAGEMENT

Outsourcing of a maintenance branch of an IM – Demonstration of system compliance with the safety requirements

Slide n° 216

Outsourcing of a maintenance branch of an IM – Demonstration of system compliance with the safety requirements

(This slide shows again, unchanged, the Hazard Record table of slide n° 213: hazard "Reduced motivation among employees remaining in Company".)

Slide n° 217

Outsourcing of a maintenance branch of an IM – Demonstration of system compliance with the safety requirements

(This slide shows again, unchanged, the Hazard Record table of slide n° 214: hazards "Subcontractors of the entrepreneurs lacking skill, competency and quality control" and "11: Uncertainty of roles and responsibilities in the interface between Company and IM".)

Slide n° 218

The Hazard and Risk Analysis was a table describing the identified hazards, evaluating their severity and suggesting risk mitigation/control.

This information from the Risk Analysis table was mirrored within the Hazard Record/Log, which also includes additional information: who is responsible for implementing the measure, the deadline for the implementation, and who is in charge of verifying the implementation and the efficiency of the identified measure(s).

Indeed, for such organisational changes, the efficiency of the identified actions and decisions had to be monitored to verify whether they fully control the considered risk.

This is natural, as it may be difficult to foresee and measure the exact result of a safety measure related to an organisational issue (such as training, motivating work for staff, etc.); the effects have to be followed up closely in a longer process where the analysis is continuously updated.

Outsourcing of a maintenance branch of an IM – Hazard Record

Slide n° 219

Therefore, the risk analysis and the hazard record/log were living documents. The efficiency of the decided actions was monitored at regular intervals to check whether the conditions had changed and whether the risk analysis and risk evaluation needed to be updated. They were updated when actions were performed and hazards "closed". A status field was updated to describe what actions had been taken or were under way.

If any circumstances changed compared to the initial context of the risk analysis, the risk analysis and hazard record/log had to be updated to ensure that the hazards and risks remained under control.

The hazards that could not be closed (because not all the measures could be implemented and verified quickly) were followed up. Their status was also monitored and rechecked on several occasions (and further dated status columns were added to the hazard record/log table) to verify that all the hazards were eventually closed.

Outsourcing of a maintenance branch of an IM – Hazard Record
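The closure rule stated on slide n° 215 and the dated status entries described on slides n° 218 and 219 can be enforced mechanically rather than by convention. The following is an added example, not the IM's tool or anything from the ERA slides: a minimal hazard record in which a hazard can only be closed once every safety measure has a performed date and a verification date, and which reports open and overdue items. The field names, the responsible roles and the dates are constructed for illustration (the slides show only "xx.xx.xx" placeholders).

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class SafetyMeasure:
    """One line of the hazard record: a measure with its implementation and verification data."""
    text: str
    responsible: str                      # "Responsibility" column
    deadline: date                        # "Deadline" column
    performed: Optional[date] = None      # "Performed date" column
    verified_by: Optional[str] = None     # "Responsibility for verification" column
    verification: Optional[str] = None    # "Way of verification" column
    verified_on: Optional[date] = None    # "Date" column of the verification

    def is_verified(self) -> bool:
        # A measure counts as verified only when it was both performed and checked.
        return self.performed is not None and self.verified_on is not None


@dataclass
class Hazard:
    hid: int
    description: str
    priority: str                         # Safety/Punctuality, e.g. "High/Medium"
    measures: List[SafetyMeasure] = field(default_factory=list)
    status_log: List[Tuple[date, str]] = field(default_factory=list)  # dated status entries, newest last
    closed: bool = False

    def update_status(self, on: date, text: str) -> None:
        """Append a dated status entry instead of overwriting the previous one."""
        self.status_log.append((on, text))

    def close(self, on: date) -> None:
        """Closing is refused while any measure is still unverified (slide n° 215 rule)."""
        pending = [m.text for m in self.measures if not m.is_verified()]
        if pending:
            raise ValueError(f"hazard {self.hid} stays open; unverified measures: {pending}")
        self.closed = True
        self.update_status(on, "Closed: all measures implemented and verified")


class HazardRecord:
    def __init__(self) -> None:
        self.hazards: Dict[int, Hazard] = {}

    def add(self, hazard: Hazard) -> None:
        self.hazards[hazard.hid] = hazard

    def open_hazards(self) -> List[int]:
        return sorted(h.hid for h in self.hazards.values() if not h.closed)

    def overdue(self, today: date) -> List[Tuple[int, str]]:
        """Measures past their deadline that have no performed date yet."""
        return [(h.hid, m.text) for h in self.hazards.values() for m in h.measures
                if m.performed is None and m.deadline < today]


def demo():
    """Constructed walk-through using the two hazards of slide n° 214 (dates are assumed)."""
    record = HazardRecord()
    h10 = Hazard(10, "Subcontractors lacking skill, competency and quality control", "High/Medium")
    h10.measures.append(SafetyMeasure("Increased demand for documented competence",
                                      "Safety manager", date(2009, 6, 30)))
    h10.measures.append(SafetyMeasure("Systematic control of performed tasks",
                                      "Safety manager", date(2009, 6, 30)))
    h11 = Hazard(11, "Uncertainty of roles and responsibilities between Company and IM", "Medium/Medium")
    h11.measures.append(SafetyMeasure("Define roles and responsibilities",
                                      "Regional directors", date(2009, 3, 31)))
    record.add(h10)
    record.add(h11)

    # Attempt to close hazard 10 before anything is verified: must be refused.
    try:
        h10.close(date(2009, 4, 1))
        premature_close_refused = False
    except ValueError:
        premature_close_refused = True

    # Hazard 11: measure performed, then verified by the Safety Manager, then closed.
    m = h11.measures[0]
    m.performed = date(2009, 3, 15)
    m.verified_by = "Safety Manager"
    m.verification = "Regions have presented their strategy"
    m.verified_on = date(2009, 3, 20)
    h11.close(date(2009, 3, 20))

    return premature_close_refused, record.open_hazards(), record.overdue(date(2009, 7, 1))


if __name__ == "__main__":
    print(demo())
```

The `status_log` keeps every dated status rather than the latest only, which is what the slides mean by adding further dated status columns when a hazard is rechecked.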


Slide n° 220

Technical System – “Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system”

CSM Application by the Manufacturer

Slide n° 221

Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – System Definition

Figure (Change to a Technical System – SYSTEM DEFINITION):
Existing technical system: Trackside Encoder + Trackside Loop. (1) Release the signal; (2) extension of Movement Authority (MA).
Intended change: Trackside Encoder + Radio In-fill Controller/Modem + GSM. (1) Release the signal; (2) extension of Movement Authority (MA).

Slide n° 222

Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – System Definition

System Definition:

• description of the existing system: "loop + trackside encoder whose function in CCS is to release signal RG on approach of a train when the section behind the signal is released by the preceding train";

• description of the change planned by the proposer and the manufacturer: "replace trackside loop by Radio In-fill + Radio Controller + GSM" to achieve the same function;

• description of the functional and physical interfaces of the loop with the rest of the system: "(P) Interface with Trackside Encoder" – "(F) Transmit message in airgap (i.e. to Train Driver) the signal aspect R or G".

Slide n° 223

● Significant change (need to cover all questions):

Safety relevant? YES: the signal in front of the train could be released whereas the preceding train still occupies the section.

Low novelty? NO: new principles and technology for the manufacturer.

Low complexity? NO: change complex to carry out.

● Consequence: apply CSM Process

Figure (flowchart): Safety relevance – is it safety related? (Yes / No). Other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? Outcome for this change (Loop → Radio In-fill): Significant Change – apply CSM Process.

Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – Evaluation of the Significance of the Change
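The flowchart above is a screening procedure: safety relevance first, then the six criteria, and the slide insists that all questions be covered. The following is an added example written for this page, not an ERA tool: it encodes that screening so that an incomplete screening is refused rather than silently passed. The decision rule (a single unfavourable answer makes the change significant) is an assumption of the example; the Regulation leaves that expert judgement to the proposer. For the loop replacement, only the three answers given on the slide are the slide's; the other three are marked as assumed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The six criteria of the flowchart, in the slide's order.
CRITERIA = ("low failure consequence", "low novelty", "low complexity",
            "easy monitoring", "high reversibility", "low additionality")


@dataclass
class ChangeScreening:
    name: str
    safety_related: bool
    safety_justification: str = ""
    # criterion -> (answer favourable to "not significant"?, justification)
    answers: Dict[str, Tuple[bool, str]] = field(default_factory=dict)


def evaluate(change: ChangeScreening) -> Tuple[bool, List[str]]:
    """Return (significant, reasons).

    Not safety related -> not significant, no further questions.
    Safety related -> every criterion must be answered ("need to cover all
    questions"); any unfavourable answer makes the change significant
    (assumed decision rule for this example).
    """
    if not change.safety_related:
        return False, ["not safety related: " + change.safety_justification]
    missing = [c for c in CRITERIA if c not in change.answers]
    if missing:
        raise ValueError(f"all criteria must be answered; missing: {missing}")
    reasons = [f"{c}? NO: {why}" for c in CRITERIA
               for favourable, why in (change.answers[c],) if not favourable]
    if reasons:
        return True, reasons
    return False, ["all six criteria answered favourably"]


def loop_replacement() -> ChangeScreening:
    """The slide's case. Answers marked 'assumed' are not on the slide."""
    return ChangeScreening(
        name="Replace trackside loop by Radio In-fill + GSM",
        safety_related=True,
        safety_justification="signal could be released while the preceding train "
                             "still occupies the section",
        answers={
            "low novelty": (False, "new principles and technology for the manufacturer"),
            "low complexity": (False, "change complex to carry out"),
            "low failure consequence": (True, "assumed for the example"),
            "easy monitoring": (True, "assumed for the example"),
            "high reversibility": (True, "assumed for the example"),
            "low additionality": (True, "assumed for the example"),
        },
    )


def demo():
    """Show that a partial screening is refused, then evaluate the complete one."""
    partial = ChangeScreening("loop replacement (incomplete)", True, "see slide",
                              {"low novelty": (False, "new technology")})
    try:
        evaluate(partial)
        incomplete_refused = False
    except ValueError:
        incomplete_refused = True
    significant, reasons = evaluate(loop_replacement())
    return incomplete_refused, significant, reasons


if __name__ == "__main__":
    print(demo())
```

Keeping the justification next to each answer matters more than the boolean: the proposer has to be able to show the assessment body why each criterion was judged the way it was.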

Slide n° 224

INDEPENDENT ASSESSMENT – HAZARD MANAGEMENT

Hazard Identification: e.g. by HAZOP

Brainstorming by a group of multidisciplinary experts ("safety experts from manufacturer, RU, IM, train drivers, designers of trackside encoder and loop, experts in communication systems, etc.") to identify the hazards with a relevant influence on the risk brought on by the intended change.

Figure: Loop / Radio in-fill releases the signal → risk: provide too permissive MA to the approaching train whereas the preceding train still occupies the section in front of the signal.

Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – Hazard Identification

Slide n° 225

Example of hazards identified during the HAZOP (one way of proceeding):

The "Radio infill + GSM" sub-system shall achieve the same function as the "Loop sub-system", i.e. "release the signal RG on approach of a train when the section behind the signal is released by the preceding train". Same top-level hazard: "provide too permissive MA to approaching train whereas preceding train still occupies section in front of the signal".

Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – Hazard Identification

Slide n° 226

Example of hazards identified during the HAZOP (one way of proceeding):

Figure: "Trackside encoder + loop" versus "Trackside encoder + Radio In-fill + GSM"

Sub-hazards of the top hazard "provide too permissive MA…":

• "delayed transmission or transmission of memorised data packets in the air gap" (i.e. possibly unsafe);

• systematic software errors in the additional equipment (gateway or Radio Controller) that interfaces with the unchanged "Trackside encoder";

• "transmission by hackers of unsafe information in the air gap", since the "radio infill + GSM" is an open transmission sub-system;

• etc.

Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – Hazard Identification

Slide n° 227

INDEPENDENT ASSESSMENT – HAZARD MANAGEMENT

Use of Reference System and Risk Evaluation: the system before the change (loop) is judged to have an acceptable level of safety for releasing the signal aspect. It is used as a reference system to derive the safety requirements for the radio in-fill sub-system.

Explicit Risk Estimation and Evaluation: analysis of the deviation "Radio in-fill + GSM" vs. "Loop" sub-system. See the new hazards found in the HAZID for the "radio infill + GSM" sub-system: "radio infill + GSM" is an open transmission sub-system → risk of transmission by hackers of unsafe information in the air gap; delayed transmission or transmission of memorised data packets in the Radio Infill chain. Explicit risk estimation and use of RAC-TS for designing the Radio Infill Controller part.

Use of CoP and Risk Evaluation: EN 50159-2 for safety-related communication in open transmission systems provides the safety requirements for controlling the new hazards to an acceptable level, e.g. "data encrypting and protection" + "message sequencing and time stamping"; use of the EN 50128 standard for the development of the Radio Infill Controller software.

Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – Risk Analysis and Evaluation

Slide n° 228

The existing loop system ensures an acceptable level of safety and is used as a reference system (Ref. Syst.), i.e. the Radio In-fill + GSM system shall ensure the same level of safety.

Explicit risk estimation is used to identify the differences between the system under assessment (Radio In-fill + GSM) and the reference system (Trackside Encoder + Loop).

Use explicit risk estimation and RAC-TS for designing the Radio Infill Controller part.

The new hazards identified for the deviations can be controlled by CoP:

For the development of the software of the Radio Controller, use CENELEC 50128 "Railway applications – Communication, signalling and processing systems – Software for railway control and protection systems".

The 50128 standard specifies, for each SIL, the levels of independence and the process (including possible techniques for software V&V) that are required for the design, verification and validation of software. Note: 50128 also requires an Independent Safety Assessment whose independence depends on the SW SIL.

SIL 4 Process for SW

Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – Risk Analysis and Evaluation

Slide n° 229

For transmission in an open medium (air), use CENELEC 50159-2 "Railway applications – Communication, signalling and processing systems – Part 2: Safety related communication in open transmission systems".

Examples of hazards linked to transmissions in an open medium (airgap):

• Repetition of messages: "due to a hardware failure the Radio In-fill repeats an old message, possibly unsafe"

• Deletion of messages: "a message is deleted due to a hardware failure"

• Insertion of messages: "an authorised third party involuntarily inserts a message, e.g. the Radio In-fill of another trackside section"

• Corruption of messages: "a message is accidentally changed (e.g. EMI) to another formally correct message"

• Masquerade: "an unauthorised third party voluntarily inserts a message"

• Etc.

The 50159-2 CoP provides measures for protecting against those hazards (e.g. CRC, time stamping, message sequencing, etc.). For more information see 50159-2.

Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – Risk Analysis and Evaluation
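The hazard list above maps one-to-one onto receiver-side checks, and the measures the slide names (CRC, time stamping, message sequencing, plus the "data protection" that slide n° 227 mentions) each close a specific line of it. The following is an added example written for this page, not the manufacturer's Radio In-fill design or any code from the ERA slides: a fail-safe receiver for the "release the signal" message that rejects every message class of the list and keeps the restrictive aspect on rejection. The frame layout, the shared key, the 5-second validity window and the sample exchange are all constructed for illustration.

```python
import hashlib
import hmac
import struct
import zlib

KEY = b"constructed-demo-key"   # assumption: secret shared by the trackside side and the train side
MAX_AGE = 5                     # seconds a message stays valid; assumed threshold
HDR = struct.Struct(">IIB")     # seq (u32) | timestamp (u32) | aspect (1 byte: 0 = R, 1 = G)
CRC_LEN, MAC_LEN = 4, 32
RESTRICTIVE = 0                 # fail-safe aspect: on any rejection the signal stays at R


def build(seq: int, ts: int, aspect: int, key: bytes = KEY) -> bytes:
    """Sender side: sequence number + timestamp, CRC over the body, HMAC over body + CRC."""
    body = HDR.pack(seq, ts, aspect)
    crc = struct.pack(">I", zlib.crc32(body))
    mac = hmac.new(key, body + crc, hashlib.sha256).digest()
    return body + crc + mac


class Receiver:
    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.last_seq = None
        self.rejects = []           # audit trail of rejected messages and why

    def _reject(self, reason: str):
        self.rejects.append(reason)
        return ("REJECT", reason)   # caller applies RESTRICTIVE

    def accept(self, frame: bytes, now: int):
        """Return ("OK", aspect) or ("REJECT", reason); checks follow the EN 50159-2 threat list."""
        if len(frame) != HDR.size + CRC_LEN + MAC_LEN:
            return self._reject("malformed")
        body = frame[:HDR.size]
        crc = frame[HDR.size:HDR.size + CRC_LEN]
        mac = frame[HDR.size + CRC_LEN:]
        # Corruption (e.g. EMI): the CRC detects accidental changes to the body.
        if zlib.crc32(body) != struct.unpack(">I", crc)[0]:
            return self._reject("corruption")
        # Masquerade / insertion: only a holder of the key can produce a valid MAC.
        expected = hmac.new(self.key, body + crc, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return self._reject("masquerade")
        seq, ts, aspect = HDR.unpack(body)
        # Delay: an authentic but stale message must not release the signal.
        if now - ts > MAX_AGE:
            return self._reject("delay")
        if self.last_seq is not None:
            # Repetition: replay of an old, authentic message.
            if seq <= self.last_seq:
                return self._reject("repetition")
            # Deletion: a gap in the sequence; resynchronise but stay restrictive this cycle.
            if seq != self.last_seq + 1:
                self.last_seq = seq
                return self._reject("deletion")
        self.last_seq = seq
        return ("OK", aspect)


def demo():
    """Constructed exchange: one good message, then one message per hazard of the slide."""
    rx = Receiver()
    t = 1000
    results = []
    good = build(1, t, 1)
    results.append(rx.accept(good, now=t + 1))                 # OK, aspect G
    results.append(rx.accept(good, now=t + 2))                 # repetition (replayed frame)
    results.append(rx.accept(build(3, t + 2, 1), now=t + 3))   # deletion (seq 2 never arrived)
    results.append(rx.accept(build(4, t + 3, 1), now=t + 20))  # delay (17 s old)
    damaged = bytearray(build(5, t + 20, 1))
    damaged[8] ^= 0x01                                         # flip the aspect byte (EMI-like)
    results.append(rx.accept(bytes(damaged), now=t + 21))      # corruption
    forged = build(6, t + 21, 1, key=b"not-the-shared-key")
    results.append(rx.accept(forged, now=t + 22))              # masquerade
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the checks is deliberate: the CRC is tested before the MAC so that an accidental corruption is logged as such rather than as a masquerade, and the timeliness and sequence checks run only on messages already shown to be authentic, so the `rejects` trail distinguishes hardware faults from deliberate insertion when the record is reviewed.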

Slide n° 230

The identified hazards, the safety measures and the resulting safety requirements issued from the risk assessment and the application of the three risk acceptance principles were registered and managed in a hazard record using a form similar to the table below.

Hazard Record columns: HZD; Origin; Hazard description; Cause; Additional information; Actor in charge; Safety Measure; Used Risk Acceptance Principle; Exported; Status

HZD 1 – Origin: HAZOP report RX
Hazard description: Transmission of old and unsafe messages
Cause: Radio in-fill controller hardware
Actor in charge: Manufacturer
Safety Measure: RAC-TS for Radio In-fill design
Used Risk Acceptance Principle: Explicit risk estimation
Exported: Radio In-fill sub-contractor
Status: Closed

HZD 1 (continued)
Cause: Radio in-fill controller software; GSM
Actor in charge: Manufacturer
Safety Measure: CENELEC 50128, 50159-2
Used Risk Acceptance Principle: Code of Practice
Exported: Radio In-fill sub-contractor
Status: Closed

HZD 2 – Origin: HAZOP report RX
Hazard description: Open-transmission medium
Cause: Radio in-fill controller; Hacker
Additional information: Dedicated standards available
Actor in charge: Manufacturer
Safety Measure: CENELEC 50159-2
Used Risk Acceptance Principle: Code of Practice
Exported: Radio In-fill sub-contractor
Status: Closed

Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – Hazard Record

Slide n° 231

INDEPENDENT ASSESSMENT – HAZARD MANAGEMENT

Demonstration of the system compliance with the safety requirements:

• follow-up of the implementation of the safety requirements through the development process of the "radio infill + GSM" sub-system;

• verification that the system, as designed and installed, is compliant with the safety requirements.

This includes follow-up, during the design and V&V of the Radio In-fill, of all requirements from the CoP (CENELEC 50128 & 50159-2 for the software of the Radio In-fill) + demonstration of the achievement of the RAC-TS for random hardware failures of the Radio In-fill sub-system.

Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system – Demonstration of system compliance with the safety requirements


Slide n° 232

Conclusions of the workshop

Slide n° 233

8 – Conclusions

• CSM regulation N°352/2009 defines the overall framework for a harmonised and transparent risk management and risk assessment process in all EU Member States (i.e. WHAT must be done);

• The overall purpose is to:

maintain (and improve where necessary) the level of safety in European railways

enable the mutual recognition of results from risk assessments and limit the additional assessments and demonstrations only to the differences when going to operate in other Member States;

• CSM regulation N°352/2009 does not impose HOW to fulfil those overall requirements. There is nothing new in the CSM Regulation; it is based on existing EU practices for managing risks. Freedom is left to the Proposer to decide what detailed methods and tools he will use for achieving the CSM regulation requirements.

Slide n° 234

8 – Conclusions

• The regulation must be applied for significant changes;

• Even when a change is not significant, the proposer must control the risks (this is an SMS requirement). The Hazard Record and the Assessment Body are not mandatory for non-significant changes;

• CSM regulation uses the ISO standard terminology related to risk management and risk assessment;

• EU railway actors need to:

compare their existing practices for managing railway safety with the requirements in the CSM regulation;

identify the few new steps/tasks requested by the CSM regulation;

perform new risk assessments using this new harmonised process;

• The experience of other Member States that have applied such a process for a long time (e.g. Scandinavian countries) shows that for first applications the proposer produces too much documentation, but with increasing experience in risk assessment the amount of paper produced decreases.

Slide n° 235

8 – Conclusions

• KEY INFORMATION TO REMEMBER: the CSM regulation requires that the proposer must:

know why the safety requirements from Codes of Practice, Similar Reference Systems or Explicit Risk Estimation are used;

identify the hazards related to the change and ensure that the associated risks are controlled, and link the identified hazards to the RAP used for controlling the associated risk;

document the risk management and risk assessment, using a Hazard Record for recording the essential information;

have a process that is transparent and auditable by an independent assessment body.

Slide n° 236

8 – Conclusions

• European Railway Agency and Safety Assessment Sector team are available for answering questions you may have when applying the CSM regulation on risk assessment:

• E-mail addresses of the Safety Assessment Sector team:

Dragan JOVICIC (Safety Assessment Sector in SU of ERA) – E-mail: [email protected]

Karen DAVIES (Safety Certification Sector in SU of ERA) – E-mail: [email protected]

Thierry BREYNE (Head of Safety Assessment Sector in SU of ERA) – E-mail: [email protected]

Nathalie DUQUENNE (Safety Assessment Sector in SU of ERA) – E-mail: [email protected]

Maria ANTOVA (Safety Assessment Sector in SU of ERA) – E-mail: [email protected]

Slide n° 237

Many thanks for your attention!