Date post: 21-Apr-2018
Slide n° 1 Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment
Transcript

Slide n° 1

Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment

Slide n° 2

Objectives & Organisation of the CSM Dissemination Workshop

Dissemination of Commission Regulation on CSM on Risk Assessment

Slide n° 3

Purpose and Organisation of the workshop

Purpose of the workshop:

Explain to concerned actors of the railway sector the risk assessment and risk management process defined in the Commission Regulation (EC) N°352/2009

Steps for the workshop:

1st Step: transmit a pre-workshop questionnaire to all participants

2nd Step: collect answers to that pre-workshop questionnaire to orientate the workshop to specific needs of the visited Member States

3rd Step: visit to Member States and presentation of CSM process

Presentation of CSM process split into an “INTRODUCTION” + “6 Modules” (see next slides)

Slide n° 4

For presentation purposes, CSM Process split into 7 topics (see questionnaire)

(1) Introduction

(2) What is a significant change?

(3) Hazard Identification phase;

(4) Risk analysis and evaluation

(5) Hazard Management and Hazard Records;

(6) Demonstration of system compliance with the safety requirements

(7) Independent assessment of correct application of CSM Process by an Assessment Body

[Figure: modular presentation of the CSM process. Boxes for modules (2) to (6), framed by two vertical bars spanning them: “INDEPENDENT ASSESSMENT” (7) and “HAZARD MANAGEMENT [Annex III(2)(g) of SD]” (5).]

Modular Presentation

Slide n° 5

Time sharing of the two days of the workshop

Presentation by the Agency of each module

Explanation of the requirements in the CSM Regulation (theory)

Presentation of the application of those CSM requirements to practical examples (concrete cases of risk assessment)

Relevant “QUESTIONS” from the participants on the presented module & “ANSWERS” by the Agency

“End of 1st day” & “end of module presentation on 2nd day”: all actors of the same Member State are asked to meet for “internal discussions among representatives of the MS” (Brainstorming), followed by a session of Questions/Answers (Debriefing)

Slide n° 6

Inputs from the participants of the workshop: Pre-workshop Questionnaire and Presentations of RA examples

In order to tailor CSM dissemination to the specific expectations of visited Member States, the Agency sends to participants via their NSA a pre-workshop “QUESTIONNAIRE”:

Purpose: enable the Agency to collect any useful information (e.g. real case examples, existing ways to fulfil CSM requirements, etc.) from the railway sector in the relevant Member States and thus improve the exchange of ideas and points of view during the dissemination exercise. For the success of the workshop, it is important that the participants answer the questionnaire.

Presentation by the participants (having sent examples) of “real case examples of risk assessment” accompanied by a discussion of differences vs. CSM Process and explanation by Agency of the requirements in the CSM linked to those differences

Slide n° 7

Overall outputs of the CSM dissemination exercise

1st step: via both the “pre-workshop questionnaire” and the “8 CSM dissemination workshops” collect railway sector experience and feedback on risk assessment, their ideas and suggestions for improving CSM Regulation and/or associated guides

2nd step: continue CSM dissemination exercise by a review of and feedback based on real case examples of changes to railway system where CSM process is applied (coordination with NSA)

2011: use results from “dissemination workshops” + from “review of real case examples” (i.e. 2nd step of CSM dissemination) for writing a report on experience with application of “CSM on Risk Assessment”. This report is to be submitted to the Commission by end of 2011. It is aimed to serve as a basis for improving the CSM Regulation and/or the associated guides for application of CSM

Slide n° 8

Number of workshops

When               | Group | Group composition (Member State) | Location
June 2009          | 1     | DK FI NO SE                      | Stockholm
September 2009     | 2     | AT CH DE SL                      | Maribor
October 2009       | 3     | CZ HU PL SK                      | Prague
November 2009      | 4     | BE FR LU                         | Amiens
February 2010      | 5     | BG EL RO                         | Sofia
March 2010         | 6     | NL IE UK                         | Utrecht
April 2010         | 7     | IT PT ES                         | Madrid
May 2010           | 8     | EE LV LT                         | Riga
Concluding Seminar | N/A   | All EU Member States             | Agency

Slide n° 9

European Railway Agency: Presentation of the team involved in the dissemination

ERA Team involved in dissemination of CSM on risk assessment:

Karen DAVIES (Safety Certification Sector in SU of ERA)

Nathalie DUQUENNE (Safety Assessment Sector in SU of ERA)

Maria ANTOVA (Safety Assessment Sector in SU of ERA)

Thierry BREYNE (Head of Safety Assessment Sector in SU of ERA)

Christophe CASSIR (Safety Assessment Sector in SU of ERA)

Dragan JOVICIC (Safety Assessment Sector in SU of ERA)

Slide n° 10

Time schedule for CSM dissemination workshop

Slide n° 11

Time schedule for CSM dissemination workshop: 1st day of workshop

1st day: 10:00 to 18:00

09:00–10:00: Welcome

10:00–10:45: Opening of Workshop & Introductory Presentations

10:45–11:00: Coffee Break

11:00–12:30: Significant Changes

12:30–13:30: Lunch Break

13:30–14:30: Hazard Identification

14:30–15:45: Risk Analysis and Evaluation + Examples from participants

15:45–16:00: Coffee Break

16:00–16:30: Hazard Record

16:30–17:15: Internal discussions among representatives of each MS

17:15–18:00: Questions/discussion and feedback from those discussions

Slide n° 12

Time schedule for CSM dissemination workshop: 2nd day of workshop

2nd day: 10:00 to 16:00

09:30 – 10:45: Demonstration of system compliance with safety requirements

10:45 – 11:00: Coffee Break

11:30 – 12:30: Assessment Body

12:30 – 13:30: Lunch Break

13:30 – 14:00: Internal discussions among representatives of each MS

14:00 – 14:30: Questions/discussion and feedback from those discussions

14:30 – 14:45: Coffee Break

14:45 – 15:45: Presentation of examples: presentations by participants of examples communicated to ERA before the workshop

15:45 – 16:00: Conclusions and close out of the workshop

Slide n° 13

(1) Introduction

Slide n° 14

A. Role of the European Railway Agency

B. Overview of the Commission Regulation on CSM on Risk Assessment

C. Guides for the application of the CSM Regulation

D. 6 Detailed Presentations for different steps in CSM Process

E. First Example for CSM Application: operational change

F. Second Example for CSM Application: organisational change

G. Third example for CSM Application: change of a technical system

1 – Introduction: Content of presentation

Slide n° 15

A. Role of the European Railway Agency

Slide n° 16

The objectives of the European Union are...

... to open the railway market to competition for the rail transport services and the railway supply industry!

... to make railways business oriented and competitive! (hence the need for technical harmonisation (interoperability))

... to prevent the sector from using safety as a barrier to market access or an excuse to resist change!

Some cornerstones in EC law for achieving those goals:

Separation of former vertically integrated railway companies into IMs and RUs

Moving the railways from self-regulation to regulation by public authorities

Introducing a framework for entry into the market for railway undertakings (licensing and safety certification)

Maintaining at least, and increasing when reasonably practicable, the existing level of safety and creating a basis for mutual trust through the development of common approaches to safety, taking into account the competitiveness of railways

Transparency of safety data and CSI, definition of CST and CSM

Slide n° 17

Need for support at Community level: establishment of the European Railway Agency

The technical harmonisation (interoperability) and the development of CSTs, CSMs and CSIs, as well as the need to facilitate progress towards a common approach to railway safety, require technical support at Community level.

The European Railway Agency (ERA) was therefore set up with the aim of helping to create this integrated railway area by establishing a European approach to railway safety (Safety Directive 2004/49/EC) and interoperability (Interoperability Directive 2008/57/EC).

Slide n° 18

Main tasks of European Railway Agency: Interoperability (TSIs) and Harmonised approach to Safety

Develop economically viable common technical specifications (TSIs), including the unique ERTMS signalling solution, and

Develop harmonised approaches to safety; to this end the Agency:

issues recommendations concerning CSTs, CSMs, CSIs and further harmonisation measures/processes

monitors the development of railway safety in the Community

To take this forward, the Agency is working closely with railway sector stakeholders, national authorities and other concerned parties, as well as with the European institutions

All of the Agency’s work is aimed at facilitating the growth and development of freight and passenger traffic by harmonising safety processes and technical procedures and reducing delays caused by incompatible national systems

Slide n° 19

A – Role of the European Railway Agency: Legal basis for the Agency’s work

The Agency’s tasks and, hence, its organisational structure are based on mainly three components:

European Directives (Railway Safety Directive, Interoperability Directives, …)

Work Programme (annually adopted by the Administrative Board)

Regulation (EC) N° 881/2004 (Agency Regulation)

[Figure: the three components feeding into ERA.]

Slide n° 20

A – Role of the European Railway Agency: Organisation Chart of the Agency

Slide n° 21

A – Role of the European Railway Agency: Agency Tasks (1/3)

Agency is System Authority: steering ERTMS activities, seeking operational harmonisation, ensuring change control management

Technical Specifications for Interoperability (TSIs)

Operational Interoperability (TSI OPE, Vocational Competences, 1520-System, etc.)

Economic Studies for European funded infrastructure projects

Impact Analyses for the operational Units

Equivalence of national rules with basic parameters in TSIs

Processes of placing vehicles into service and their alignment with the Interoperability Directive

Slide n° 22

A – Role of the European Railway Agency: Agency Tasks (2/3)

Safety Regulation

Validation and registration of the notifications of national safety rules, including an analysis of their mode of publication

Technical advice on new national safety rules and on safety-related aspects

Safety Reporting

Elaboration of common safety indicators as well as monitoring and analysis of the development of safety on Europe’s railways, including dissemination of information

Common methods and approaches to accident investigation

Safety Certification

Common Safety Method for Conformity Assessment

Development of a migration strategy towards a single Community certificate

Certification Scheme for the Entity in Charge of Maintenance

Slide n° 23

A – Role of the European Railway Agency: Agency Tasks (3/3)

Safety Assessment

CSM for risk assessment

CSM on monitoring

Methodology for calculating and assessing the achievement of safety targets for EU Member States

Definition, for each Member State, of their respective safety targets including their assessment

Horizontal Activities

Support to the national safety authorities and investigating bodies to facilitate their exchange of information and harmonisation of decision making criteria by setting up networks and task forces

Public databases of safety related documents such as safety certificates, licences, national safety rules, investigation reports and indicators

Slide n° 24

A – Role of the European Railway Agency: Governance and Control

The Agency is controlled by an Administrative Board and has some binding principles for its work.

The Administrative Board:

1 representative per Member State

4 Commission representatives

6 representatives of sector organisations (railway undertakings, infrastructure managers, railway industry, trade unions, passengers, freight customers) – no voting rights

Norway and Iceland – no voting rights

The Working Principles:

Budgetary and financial control with regular evaluation of all work

Transparency and public access to documents

Neutrality and impartiality

Slide n° 25

A – Role of the European Railway Agency: Involvement of the Railway Sector

Article 3 of Agency Regulation (EC) N° 881/2004 obliges the Agency to set up working groups according to the tasks given in the regulation and by the Agency Work Programme. Sector Associations are asked to send experts to participate and contribute.

[Figure: the Agency’s Working Parties draw on Railway Sector Experts (from sector organisations acting at European level*: UNIFE, CER, EIM, UITP, UIP, UIRR, ERFA, ETF, ALE) and on National Safety Authorities’ experts, alongside the Network of National Safety Authorities and the Network of National Investigation Bodies.]

* List established by Article 21 Committee on 22 February 2005

Slide n° 26

A – Role of the European Railway Agency: Decision Process (Comitology)

No decision power for the Agency. The Agency gives recommendations to the Commission and technical opinions upon specific request!

[Figure: decision process flow with boxes: European Railway Agency; Working Party (CER, EIM, UNIFE, NSA, ...); NSA Network …; Internal reconcilement …; Agency Recommendation; Commission / RISC; Social Partners; Passengers/Customers; Parliament Scrutiny; Adoption.]

Slide n° 27

B. Overview of the Commission Regulation on CSM on Risk Assessment

Slide n° 28

B – Overview of Commission Regulation on CSM on Risk Assessment: Status

Sept 05: Kick-off meeting of the CSM WG (15 NSA, 5 CER, 2 EIM, 3 UNIFE, 1 UITP) – Work programme of the WG

2006: Survey and inputs from CSM WG members

2007:

o CSM recommendation drafted by the Agency with support of a dedicated TF – Reviews by the WG.

o Consultation of the social partners

o Dec 07: ERA recommendation to the EC

Slide n° 29

B – Overview of Commission Regulation on CSM on Risk Assessment: Status

2008:

o Discussion within the RISC and dedicated workshop organised by the EC (technical support from the Agency)

o Positive opinion of the RISC in November 08

2009:

o Scrutiny of the EU parliament

o Publication of the EC regulation (n°352/2009) in the OJ (L108) of 24 April 09

o Dissemination by the Agency

Slide n° 30

Terminology: Terms in CSM Regulation – Terms in CENELEC

Safety Directive 2004/49                                | EN 50126-1
Infrastructure Manager (IM) / Railway Undertaking (RU)  | Railway Authority
National Safety Authority (NSA)                         | Safety Regulatory Authority
Supplier/Manufacturing Industry                         | Railway Support Industry

Slide n° 31

B – Overview of Commission Regulation on CSM on Risk Assessment: Link of CSM to Article 9 in Safety Directive 2004/49/EC

Article 9 requires that "IM and RU shall establish their SMS..."

Basic elements of SMS in Annex III of Safety Directive 2004/49/EC

One of the SMS processes in Annex III, Annex III(2)(d): "Procedures and methods for carrying out risk evaluation and implementing risk control measures whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations"

RU and IM SMS will thus achieve compliance with the procedures and methods required by the associated "conformity assessment criteria" [developed by ERA Safety Certification Sector] by referring to the CSM on Risk Assessment

Slide n° 32

B – Overview of Commission Regulation on CSM on Risk Assessment: Link of CSM to Article 15 in Interoperability Directive 2008/57/EC

Article 15 requires among others that before authorising "the placing into service of those structural subsystems constituting the rail system which are located or operated in its territory", "in particular" the Member State "shall check":

"the technical compatibility of these subsystems with the system into which they are being integrated",

"the safe integration of these subsystems in accordance with Articles 4(3) and 6(3) of Directive 2004/49/EC".

Article 6(3)(a) of Directive 2004/49/EC: "The CSMs shall describe how the safety level, and the achievement of safety targets and compliance with other safety requirements, are assessed by elaborating and defining risk evaluation and assessment methods"

Article 4(3) of Directive 2004/49/EC:

"Member States shall ensure that the responsibility for the safe operation of the railway system and the control of risks associated with it is laid upon the infrastructure managers and railway undertakings,..."

"Without prejudice to civil liability in accordance with the legal requirements of the Member States, each infrastructure manager and railway undertaking shall be made responsible for its part of the system and its safe operation,"

Article 6(3)(a) of SD referred to also in Articles 23(5) and 25(4) of ID

Slide n° 33

B – Overview of Commission Regulation on CSM on Risk Assessment: Strategy for developing CSM based on existing methods in EU

Two main considerations taken into account for developing the 1st Set of CSM:

Harmonise a common approach for safety assessments based on existing safety assessment methods in EU. Therefore:

o As the Railway Sector already has a strong safety culture, freedom is left to each organisation to use its already approved Risk Assessment Methods/Tools/Techniques

o CSM provide Common Principles but do not fix the Tools (e.g. FTA, FMECA)

o CSM privilege the use of standards and reference systems

o Advice on Risk Assessment “tools” is given in a guideline developed alongside the CSM

o Railway being organised into RU & IM, all activities at the interfaces between the different actors must be managed carefully

o Clear identification of the different actors’ responsibilities

Facilitate mutual recognition of results from risk assessments. This requires harmonisation of:

o risk management process;

o exchange of safety related information between actors for managing the safety across the different interfaces;

o evidence resulting from application of risk management process

Slide n° 34

B – Overview of Commission Regulation on CSM on Risk Assessment: WHO shall apply the CSMs? Proposer

The risk management process described in the CSM shall be applied by the person in charge of implementing the change under assessment. This person is referred to in the CSM Regulation as the "proposer".

The proposer can be one of the following actors:

(a) the Railway Undertakings and Infrastructure Managers in the framework of the risk control measures they have to implement in accordance with Article 4 of the Safety Directive 2004/49/EC;

(b) the contracting entities or the manufacturers when they invite a notified body to apply the "EC" verification procedure in accordance with Article 18(1) of the Interoperability Directive 2008/57/EC or the applicant of an authorisation for placing in service of vehicles;

Where necessary, the proposer shall ensure, through contractual arrangements, that suppliers and service providers, including their subcontractors, participate in the risk management process described in the CSM.

Slide n° 35

B – Overview of Commission Regulation on CSM on Risk Assessment: Risk Management Process and Independent Assessment

Basically CSM is an iterative process made of 3 steps:

(a) Identification of hazards, associated safety measures and resulting safety requirements

(b) Risk analysis and risk evaluation based on existing risk acceptance principles

(c) Demonstration of the system compliance with the identified safety requirements

Additional requirements for mutual recognition:

(a) Hazard Management

(b) Independent Assessment (Assessment Body)

[Figure: Iterative Risk Management Process “triggered” by a Significant Change. Boxes: Preliminary System Definition; Significant Change?; System Definition²; Hazard Identification and Classification; Risk Analysis; Risk Evaluation (vs. Risk Acceptance Criteria) using Codes of Practice, Similar Reference Systems or Explicit Risk Estimation; Safety Requirements (i.e. safety measures to be implemented); Demonstration of Compliance with Safety Requirements. The Risk Assessment block is framed by two vertical bars: Hazard Management [Ax III(2)(g) of SD] and Independent Assessment.]

Slide n° 36

B – Overview of Commission Regulation on CSM on Risk Assessment: Entry into force

CSM Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union;

CSM Regulation shall apply in two steps:

(a) from 19 July 2010

(1) to all significant changes affecting vehicles, as defined in Article 2(c) of Directive 2008/57/EC;

(2) to all significant changes concerning structural sub-systems, where required by Article 15(1) of Directive 2008/57/EC or by a TSI;

(b) from 1 July 2012 to the whole scope as referred to in Article 5(1) of CSM Regulation, i.e. to other technical systems, operational and organisational changes considered to be significant by application of paragraph 2 in Article 4 of CSM Regulation;

In order to gain experience and enable the Agency to get feedback for reviewing the CSM at the latest at the end of 2011, the actors of the railway sector should apply the CSM Regulation on a voluntary basis to other changes (technical, operational and organisational) from 1 July 2010;

CSM Regulation shall not apply to systems and changes that are at an advanced stage of development, as defined in Directive 2008/57/EC, at the date of entry into force of the Regulation [Article 2(4) in CSM Regulation].

Slide n° 37

C. Guides for the application of the CSM Regulation

Slide n° 38

C - Guides for the application of the CSM Regulation: How was it elaborated?

During the elaboration of the CSM Recommendation, ERA worked in parallel on a "Guidance for Use" supporting the CSM Recommendation;

Inputs for the "CSM Guidance for Use" [purely informative and not legally binding] were collected during CSM WG and CSM TF meetings, where members asked to describe further in the "Guidance for Use" requirements that could not be detailed much in a legal text;

According to those requests, as well as to questions raised within internal ERA meetings, ERA elaborated an initial "Guidance for Use" and updated it against the different versions of the Agency CSM recommendation and Commission Regulation;

ERA regularly reported the progress on the guidance for use to the CSM WG during the plenary meetings;

Based on the content of the "Guidance for Use", CSM WG and ERA then agreed to split the "Guidance for Use" into two new separate documents:

1st document: "Guide for the Application of the Commission Regulation on CSM on Risk Assessment"

2nd document: "Collection of Examples of Risk Assessments and some possible Tools supporting the CSM"

Slide n° 39

C - Guides for the application of the CSM Regulation: Complementarities between Guide and Collection of RA examples

Structure of both documents mapped on the regulation;

[GUIDE]

Provides general comments and explanations that could not be put in the legal text. ERA has taken care not to introduce any new requirement via the document that is not already identified in the CSM Regulation;

[Guide] is more static and would not be modified unless the CSM process needs to be updated;

[COLLECTION OF EXAMPLES]

Provides additional information (e.g. reference to standards or possible ways to address the requirements of the CSM) and examples of risk assessments performed in the railway sector before the existence of the CSM;

Document offers the possibility to be updated with first implementations of CSM process and any useful tools and techniques, or examples of RA, that could help other actors to apply the CSM;

Slide n° 40

C - Guides for the application of the CSM Regulation: Complementarities between Guide and Standards

[Figure: Current Situation – EC Regulation, Guide, Collection of Examples; Future Situation – EC Regulation, Guide.]

Slide n° 41

D. 6 Detailed Presentations for different steps in CSM Process

Slide n° 42

D. Detailed Presentation of CSM Process: Go through different steps of CSM Process

For presentation purposes, CSM Process split into 7 topics (see questionnaire)

(1) Introduction

(2) What is a significant change?

(3) Hazard Identification phase;

(4) Risk analysis and evaluation

(5) Hazard Management and Hazard Records;

(6) Demonstration of system compliance with the safety requirements

(7) Independent assessment of correct application of CSM Process by an Assessment Body

[Figure: modular presentation of the CSM process. Boxes for modules (2) to (6), framed by two vertical bars spanning them: “INDEPENDENT ASSESSMENT” (7) and “HAZARD MANAGEMENT [Annex III(2)(g) of SD]” (5).]

Slide n° 43

F. 1st example for CSM Application - Operational Change: Driver only operated train

1st example: operational change - System Definition

RU has decided to operate trains with Driver alone (Driver Only Operated train – DOO) on a route where previously there was an onboard guard to assist the driver with the train dispatching

Description of existing system: “explain clearly which tasks were performed by driver and which other ones were carried out by onboard staff (or guard) to assist the driver”

Description of change of driver's responsibilities due to removal of onboard assisting staff, “e.g. door closing before train departure”

Definition of additional technical requirements for system to cover needed changes in Driver Only Operation

Describe existing interfaces between onboard assisting staff, train driver and trackside staff of infrastructure manager

Slide n° 44

G. 2nd example for CSM Application - Organisational Change: Outsourcing of a maintenance branch of an IM

2nd example: organisational change - System Definition

A branch of an IM organisation, that until the change was performing some maintenance activities (other than signalling and telematic), had to be put in competition with other companies working in the same field. Direct impact: need for downsizing and redistribution of staff and tasks within the detached branch of the IM organisation put in competition

description of tasks performed by existing organisation (i.e. by IM organisation before making the change)

description of changes planned in IM organisation to cope with subcontractors’ management

the interfaces of "branch to be detached" with other surrounding organisations or with physical environment were only briefly described. The boundaries were not 100 % clearly presented

Slide n° 45

G. 2nd example for CSM Application - Organisational Change: Outsourcing of a maintenance branch of an IM

2nd example: organisational change – Concerns for IM

IM staff affected by change was in charge of emergency maintenance and repairs required by sudden errors on the infrastructure. Staff was also performing some planned or project based maintenance activities such as track packing, ballast cleaning, vegetation control

IM considered that these tasks, critical for safety and punctuality of operation, must be analysed in order to find the right measures which ensure that the situation does not deteriorate, as many of the staff in charge of safety matters were leaving the IM organisation for the outsourced company

Same level of safety and train punctuality needed to be maintained during and after the change of the IM organisation

Slide n° 46

E. 3rd example for CSM Application - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

3rd example: Change to a Technical System - System Definition

[Figure: Existing technical system – Trackside Encoder and Trackside Loop: Release the signal (1); Movement Authority (MA); Extension of Movement Authority (MA) (2). Intended Change – Trackside Encoder, Radio In-fill Controller/Modem and GSM: Release the signal (1); Movement Authority (MA); Extension of Movement Authority (MA) (2).]

Slide n° 47

E. 3rd example for CSM Application - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

3rd example - System Definition:

description of existing system: “loop + trackside encoder whose function in CCS is to release signal RG on approach of a train when the section behind the signal is released by the preceding train”

description of change planned by the proposer and the manufacturer: “replace trackside loop by Radio-Infill + Radio Controller + GSM to achieve the same function”

Slide n° 48

(2) Significant Change

Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment

Slide n° 49

2 – Significant Change: First Step in CSM Process

For presentation purposes, CSM Process split into 7 topics (see questionnaire)

(1) Introduction

(2) What is a significant change?

(3) Hazard Identification phase;

(4) Risk analysis and evaluation

(5) Hazard Management and Hazard Records;

(6) Demonstration of system compliance with the safety requirements

(7) Independent assessment of correct application of CSM Process by an Assessment Body

[Figure: CSM process diagram with topics (2) to (7) mapped onto the process steps; rotated side labels: INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Annex III (2)(g) of SD].]

Slide n° 50

2 – Significant Change: WHEN shall the CSMs be applied [Article 2]?

Applies to any change of the railway system in a Member State, as referred to in point (2)(d) of Annex III to Safety Directive 2004/49/EC, which is CONSIDERED TO BE SIGNIFICANT

Annex III(2)(d) requires that the RU/IM SMS has "procedures and methods for carrying out risk evaluation ... whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations"

Such changes may be of technical, operational or organisational nature.

[Figure: CSM process diagram: Preliminary System Definition → Significant Change? (i.e. must CSM be applied or not?) → RISK ASSESSMENT using risk acceptance principles (I), (II), (III) → Demonstration of Compliance with Safety Requirements; side labels: INDEPENDENT ASSESSMENT, HAZARD MANAGEMENT.]

CSM shall be applied only to assess "predictively" the safety of significant changes of the railway system in a MS

CSM process need not be applied for non significant changes

Slide n° 51

2 – Significant Change: WHAT is a significant change? NR (if any) or expert judgement based on criteria

When notified national rules do not define what is a significant change, the proposer evaluates the significance of the change based on expert judgement and the criteria in the CSM (Article 4 of CSM Regulation)

1st check: is the change safety related?

1) NOT safety-related → not significant → no CSM, but record the decision;

2) YES safety-related → use the other criteria to evaluate whether the change is significant

Proposer should analyse all criteria and decide on their importance, but could take the decision based on only one or some of them

[Figure: significance decision flowchart. Change → Safety Relevance: is it safety related? No → C: Not significant (record the decision). Yes → when no notified national rules, expert's judgement based on the other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non significant)? (! Evaluate Σ of previous non significant changes). Yes → B: Not significant (record and justify the decision) (PRA). No → A: Significant Change, triggers CSM application.]

Slide n° 52

2 – Significant Change: RU/IM SMS – "Daily life" safety management

The process for deciding on changes will be set out in the SMS

Even for non significant safety related changes the decisions need to be recorded (could be an SMS process)

This helps the NSA in their supervisory role [e.g. preliminary risk analyses, risk analyses, justifications, arguments proportionate to the risk need to be documented]

CSM Regulation does not require the assessment body to check the evaluation of significance

Slide n° 53

2 – Significant Change - Discussions/Questions: Use of criteria in CSM Regulation on some examples of changes

Agency and taskforce of experts from railway sector analysed typical examples of borderline cases

Analysis has shown that:

it is not possible to identify harmonised thresholds or rules;

it is not possible to provide an exhaustive list of significant changes;

decisions are unlikely to be the same for all proposers.

Responsibility for the decision lies with the proposer, who is responsible [in accordance with Article 4(3) of Railway Safety Directive 2004/49/EC] for safe operation and control of risks associated with their part of the system

Feedback from the application of the CSM will help the Agency to decide whether a possible revision of criteria and process is needed

Slide n° 54

Application to practical examples

Slide n° 55

2 – Significant Change: Example of application of criteria on significant changes (1/2)

Telephone message for controlling a level crossing

[Figure: manual level crossing (LC) between signalmen A and B. Tone 1 sent by Operator A, Tone 1 confirmation by Operator B, Tone 1 confirmation by Level Crossing Operator; Tone 2 sent by Operator B, Tone 2 confirmation by Operator A, Tone 2 confirmation by Level Crossing Operator.]

Change: at a manually operated level crossing, modify the way signalmen communicate the information about the direction of a coming train to the level crossing operator

Change: tone replaced by a vocal message and confirmed by both the other signalman and the level crossing Operator

Slide n° 56

2 – Significant Change: Example of application of criteria on significant changes (2/2)

Telephone message for controlling a level crossing

● Existing: train direction info in ringing tone.

● Change: old telephone obsolete, replaced by digital telephone that has no ringing tone; direction info given by an operational procedure: signalman informs both level crossing operator and other signalman on direction of coming train; information checked against timetable and acknowledged by both level crossing operator and other signalman.

● The criteria may suggest that the change is not significant;

● Some safety analysis or argument is anyway necessary to show that, for this safety critical task, replacing an old technical system by an operational procedure (with personnel cross-checking each other) would lead to a similar level of safety;

● Ultimate question: would full CSM application (including hazard record, independent assessment, etc.) bring any added value towards safe and efficient management of change?

[Figure: the significance decision flowchart of slide n° 51 (Change → is it safety related? → other criteria 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? → A: Significant Change triggers CSM application, or B/C: Not significant, record (and justify) the decision).]

Slide n° 57

2 – Significant Change – Operational Change: Driver Only Operated Train (DOO)

● Change description: operate trains by the driver alone (DOO) on a route where previously there was an onboard guard to assist the driver with the train dispatching

● significant change (need to cover all questions):

Safety relevant? YES

Completely different way of managing train service operation

Low novelty? NO

Driver's responsibility extended requiring new tasks

Low complexity? NO

Driver's errors could lead to catastrophic consequences

● Consequence: apply CSM Process

[Figure: decision flowchart for the change "Driver Only Operation": Safety Relevance: is it safety related? Yes → Other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? → Significant Change → Apply CSM Process.]

Slide n° 58

2 – Significant Change – Organisational Change: Outsourcing of a maintenance branch of an IM

● Change description: outsource maintenance branch of an IM and put it in competition with other companies working in same field

● significant change (need to cover all questions):

Safety relevant? YES

Downsizing, redistribution of staff and tasks: same work with less staff

Low novelty? NO

Contractual relation and follow up

Low complexity? NO

New functions in IM remaining organisation to follow up subcontractor

Easy monitoring? NO

Not easy to check subcontractor efficiency

● Consequence: apply CSM Process

[Figure: decision flowchart for the change "outsourcing of a maintenance branch of IM": Safety Relevance: is it safety related? Yes → Other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? → Significant Change → Apply CSM Process.]

Slide n° 59

2 – Significant Change - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

● Change description: replace a trackside loop located before a signal by a "radio infill + GSM" sub-system;

● significant change (need to cover all questions):

Safety relevant? YES

The signal in front of the train could be released whereas preceding train still occupies the section

Low novelty? NO

New principles and technology for the manufacturer

Low complexity? NO

Change complex to carry out

● Consequence: apply CSM Process

[Figure: decision flowchart for the change "Loop → Radio-In-fill": Safety Relevance: is it safety related? Yes → Other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? → Significant Change → Apply CSM Process.]

Slide n° 60

Discussions/Questions

Slide n° 61

(3) Hazard Identification

Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment

Slide n° 62

3 – Hazard Identification: Step (2) in CSM Process

For presentation purposes, CSM Process split into 7 topics (see questionnaire)

(1) Introduction

(2) What is a significant change?

(3) Hazard Identification phase;

(4) Risk analysis and evaluation

(5) Hazard Management and Hazard Records;

(6) Demonstration of system compliance with the safety requirements

(7) Independent assessment of correct application of CSM Process by an Assessment Body

[Figure: CSM process diagram with topics (2) to (7) mapped onto the process steps; rotated side labels: INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Annex III (2)(g) of SD].]

Slide n° 63

3 – Hazard Identification: Why is it important?

Hazard identification is the first step in the risk assessment process.

The process needs to be re-iterated and completed until all reasonably foreseeable hazards have been correctly identified.

It is important because if hazards are not identified, they will not be assessed and not covered in the risk management process.

The correct identification of hazards facilitates the correct application of the risk acceptance principles.

Slide n° 64

3 – Hazard Identification: What are the first steps?

In order to properly identify the hazards, the system definition will be important to specify functions and interfaces.

It is necessary to look at hazards from all relevant contributors.

THEN: systematically identify the hazards and the level of detail, taking into account:

Modes of operation

Different types of the system

Human factors

Environment

Failure modes

Safety relevant factors

Slide n° 65

3 – Hazard Identification: What level of detail is required?

The level of the hazard identification should correspond to the scope of the significant change under study and the requirements for proving acceptable risk.

This may involve several iterations in order to obtain the necessary level of detail to ensure that the correct decision is made on the necessary control measures.

If a code of practice or reference system is used, the level of detail at which the hazards are defined need only correspond to the level defined by the code of practice or reference system.

Slide n° 66

Hazard identification level and transfer

[Figure: Top level Hazard X, broken down at the 2nd level (causes) into the sub-hazards below.]

Sub-hazard Y

- Controlled by reqs from CoP (e.g. standard)

- Owned by actor A (e.g. manufacturer)

Sub-hazard Z

- Controlled by reqs from explicit risk analysis

- Owned by actor B (e.g. RU)

Slide n° 67

3 – Hazard Identification: What is broadly acceptable?

In order to correctly identify the hazards, a decision could be made as to whether they are broadly acceptable or not broadly acceptable

This means:

• considering and reviewing all the reasonably foreseeable hazards

• classifying them according to the estimated risk arising from them

This process ensures that the correct priority is assigned to each of the hazards, enabling the right selection of the risk control measures

The decision is based on expert judgement

[Figure: Broadly acceptable risks → nothing further required, registered in the Hazard record. Not broadly acceptable → follow the risk management process.]

Slide n° 68

3 – Hazard Identification: What is expert judgement?

An expert is competent to make decisions that are suitable and sufficient for the situation in which the expert is performing

The decision to label a hazard as broadly acceptable without further analysis is logged in the hazard record and will be reviewed by the ISA.

[Figure: Competence, made up of Skills, Knowledge and Experience.]

Slide n° 69

Application to practical examples

Slide n° 70

3 – Hazard Identification – Operational Change: Driver Only Operated Train (DOO)

[Figure: CSM process diagram; side labels: INDEPENDENT ASSESSMENT, HAZARD MANAGEMENT.]

System Description:

description of existing system: which tasks were performed by train driver and which other ones by onboard staff (or guard) to assist the driver;

existing interfaces between onboard assisting staff, driver and trackside staff of Infrastructure Manager;

change of driver's responsibilities due to removal of onboard assisting staff;

the technical requirements of the overall system to cover changes in operation;

Hazard Identification: [HAZOP]

brainstorming by group of experts to find all hazards with a relevant influence on risk brought on by removal of onboard assisting staff and additional tasks requested of the driver;

drivers' and staff's representatives involved for their operational experience, IM representatives as infrastructure could also be affected, implying e.g. changes to stations (e.g. installation of mirrors/closed circuit TV at platforms);

what could be key operational hazards at stations, on existing routes where driver was assisted by onboard or trackside staff (door opening, closure check, etc.)

Slide n° 71

What is a HAZOP?

HAZOP studies are a structured method for identification of risks, invented in the chemical industry. It uses keywords to reveal the possible response of the system or process to changes or to deviations from the desired response. The method is described in IEC 61882.

The HAZOP is based on the principle that several experts with different backgrounds can interact and identify more problems when working together than when working separately and then combining their results. This brainstorming method stimulates creativity and generates ideas.

Slide n° 72

What is a HAZOP?

The HAZOP is a systematic process that examines the following topics:

Intention, i.e. the expected functional behaviour of the system

Deviations: starts from possible deviations from desired functional states

Causes: for each deviation, the reasons why the deviation could occur

Consequences: the result of the deviation

Hazard: the consequences causing possible damage, injury or loss

Measures: possibility to reduce the hazardous condition/behaviour

The method needs: an educated leader (moderator/facilitator) to manage the session, good input information, documents of the system and processes. It is effective in finding risks, if properly conducted. For the critical functions/tasks/aspects, the method can be complemented by other systematic studies, e.g. by an FMECA (Failure Mode, Effects and Criticality Analysis)

Slide n° 73

What is a HAZOP?

Examples of guide/key words:

No message/information or delayed message/information

Message/information available when not expected

False message – False information

Invalid message

Etc.

The guide/key words must be tailored to the system/item concerned, before starting a HAZOP study

Slide n° 74

3 – Hazard Identification: Parenthesis on the FMECA Hazard Analysis Tool

System FMECA worksheet – Compiled by: RAMS team – System: ... Sub-system: ........ Mode of operation: ...... – ISSUE N°... Page...

Columns: Id nr. | Function | Function Failure Mode | Possible Failure Causes | Subsystem effects | System effects | Failure Rate | Severity | Criticality | Means of Detection | Compensating Implemented Provisions | Remarks

Subsystem/Detailed FMECA worksheet – Compiled by: RAMS team – System: ... Sub-system: ........ Indenture Level: ....... Mode of operation: ...... – ISSUE N°... Page...

Columns: Id nr. | Item | Function(s) | Component Failure Mode | Possible Failure Causes | Local effects | Next higher level effects | System effects | Failure Rate | Sev. | Crit. | Means of Detection | Compensating Implemented Provisions | Remarks

Slide n° 75

3 – Hazard Identification: Parenthesis on the FMECA Hazard Analysis Tool – Level of FMECA

[Figure: HAZOP → System FMECA → Subsystem FMECA → Detailed FMECA, each level feeding the Hazard Record.]

System FMECA: based on outputs of System Requirement Specifications

Subsystem FMECA: subsystems/components level, based on Sub-system Requirement Specification

Detailed FMECA: further decomposition of critical elements, based on detailed design documents

Slide n° 76

IEC 61025: Parenthesis on the Fault Tree Analysis Method (FTA)

[Figure: example fault tree. Top-event hazard at the root, developed through Logical AND and Logical OR gates; intermediate events (Failure A1, Failure A2); causes at the subsystem or component level (Failure B1, Failure B2, Failure B3); basic events with sufficient data (Failure C1, Failure C2); not developed tree: event with insufficient data.]
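An added example (not from the slides) that evaluates a small fault tree of the kind sketched above: AND gates multiply the input probabilities, OR gates combine them as 1 − Π(1 − p), and a not-developed event carries an assumed bound that is reported separately, so the assessor can see which part of the top-event figure rests on data and which on assumption. The tree shape, the event names (reusing the figure's labels) and all probabilities are constructed.

```python
"""Fault tree evaluation in the style of the FTA figure above.

Added example, not part of the original slides. The gate structure, the
event names (reusing the figure's labels A1, A2, B1..B3, C1, C2) and all
probabilities are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Union


@dataclass
class Basic:
    """Basic event with sufficient data: probability comes from field/test data."""
    name: str
    prob: float


@dataclass
class Undeveloped:
    """Not developed event with insufficient data: only an assumed upper bound."""
    name: str
    bound: float


@dataclass
class Gate:
    """Intermediate event: Logical AND or Logical OR over its inputs."""
    name: str
    kind: str            # "AND" or "OR"
    inputs: List["Node"]


Node = Union[Basic, Undeveloped, Gate]


def probability(node: Node, undeveloped: List[str]) -> float:
    """P(event), assuming independent inputs.

    AND: product of the input probabilities.
    OR : 1 - prod(1 - p_i), exact for independent inputs (no rare-event
         approximation). Names of undeveloped events that contributed are
         appended to `undeveloped` so the assumption-based part stays visible.
    """
    if isinstance(node, Basic):
        return node.prob
    if isinstance(node, Undeveloped):
        undeveloped.append(node.name)
        return node.bound
    ps = [probability(i, undeveloped) for i in node.inputs]
    if node.kind == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    if node.kind == "OR":
        q = 1.0
        for x in ps:
            q *= 1.0 - x
        return 1.0 - q
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Minimal sets of leaf events that are together sufficient for the event."""
    if isinstance(node, (Basic, Undeveloped)):
        return [frozenset([node.name])]
    per_input = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = {cs for s in per_input for cs in s}
    else:  # AND: every combination of one cut set per input
        sets = {frozenset().union(*combo) for combo in product(*per_input)}
    # a cut set that contains another cut set is not minimal: drop it
    return sorted((cs for cs in sets if not any(o < cs for o in sets)),
                  key=lambda cs: (len(cs), sorted(cs)))


def build_tree() -> Gate:
    """Constructed tree: the top hazard occurs if A1 or A2 occurs."""
    c1 = Basic("C1", 1e-3)
    c2 = Basic("C2", 2e-3)
    b1 = Gate("B1", "OR", [c1, c2])        # B1 caused by either basic event
    b2 = Basic("B2", 1e-2)
    b3 = Basic("B3", 5e-3)
    u = Undeveloped("U", 1e-1)             # insufficient data, bound assumed
    a1 = Gate("A1", "AND", [b1, b2])
    a2 = Gate("A2", "AND", [b3, u])
    return Gate("TOP", "OR", [a1, a2])


def top_event_probability(tree: Optional[Gate] = None):
    """Return (P(top event), names of undeveloped events that contributed)."""
    if tree is None:
        tree = build_tree()
    undeveloped: List[str] = []
    p = probability(tree, undeveloped)
    return p, undeveloped


if __name__ == "__main__":
    p, assumed = top_event_probability()
    print(f"P(top) = {p:.3e}; relies on assumed bounds for: {assumed}")
    for cs in minimal_cut_sets(build_tree()):
        print("cut set:", sorted(cs))
```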

Slide n° 77

3 – Hazard Identification – Operational Change: Driver Only Operated Train (DOO)

Hazard Identification e.g. by HAZOP (Hazard and Operability studies) brainstorming by group of multidisciplinary experts with different backgrounds:

safety experts from RU

train drivers' and staff's representatives for their operational experience (onboard accompanying staff)

IM representatives as the infrastructure could be also affected by the change, implying e.g. changes to stations (e.g. installation of mirrors/ closed circuit television [CCTV] at platforms) to help the Driver

Trackside staff of IM

Each identified hazard was assigned a level of severity of risk and consequences (high, medium, low), and the impact of the proposed change on the risk was reviewed against them (increased, unchanged, decreased)

Slide n° 78

3 – Hazard Identification – Operational Change: Driver Only Operated Train (DOO)

Based on the System Definition, the brainstorming team scrutinised the additional tasks to be performed by the train driver, in order to identify all foreseeable hazards that might occur following the removal of onboard assisting staff

Particularly, hazard identification looked at what the key operational hazards could be at stations, on existing routes where there was assistance from onboard or trackside staff, including the safe dispatch of the trains, specific issues related to the driver, the rolling stock (e.g. door opening/closure check), maintenance requirements, etc.:

Example of identified hazards during HAZOP (one way of proceeding):

Train departure without closing doors → passengers could fall down on to track

Door opening on wrong side → passengers could fall down on to track

Door closing while passengers still getting onboard → passengers could be caught between doors

Slide n° 79

3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM

[Figure: CSM process diagram; side labels: INDEPENDENT ASSESSMENT, HAZARD MANAGEMENT.]

System Description:

description of tasks performed by existing IM organisation, and description of changes that are planned in this organisation. Description of interfaces of the "branch to be detached" with other surrounding organisations or with the physical environment

Hazard Identification:

brainstorming by group of experts to find all hazards with a relevant influence on risk brought on by intended change.

Hazard Classification: high, medium, low risk (Severity) and increased, unchanged, decreased risk (impact of change) compared to initial situation

Slide n° 80

3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM

Hazard Identification done by HAZOP (Hazard and Operability studies) brainstorming by group of multidisciplinary experts with different backgrounds:

safety experts from IM

System engineers/experts

Train drivers

IM staff's representatives from maintenance department

Etc.

The HAZOP analysis went through a checklist method describing a list of hazards (unwanted events), causes of these, related consequences and frequencies (rough estimates) and the related actions that need to be taken to mitigate these risks. Interdependencies and interface between detached branch and rest of IM organisation were particularly examined

Slide n° 81

3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis

Table columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for finding safety measure | Safety Measures

Unwanted event (Hazard): 1: Reduced motivation among employees remaining in Company.

Cause: staff continuing to leave without stop; demotivated / worn out managers; missing colleagues, missing certain tasks; lack of loyalty knowing that the workplace is not going to stay; heavy workload; uncertainty

Consequence: tasks not performed, increased build up of unperformed works; emergency maintenance instead of planned maintenance; collective worker actions (calling in sick etc.); lack of trust in Company for the managers at IM level

Type of loss: Safety

Risk: Higher

Safety Measures: new round of motivational work for the staff, to be performed in smaller groups; reallocation of funds so that Company gets meaningful tasks to perform; more frequent inspections by track manager; allocate funds to make sure that key staff stays throughout the process; give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks; etc.

Slide n° 82

3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis

Table columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for finding safety measure | Safety Measures

Unwanted event (Hazard): 10: Lack of competency in the performance of tasks

Cause: subcontractors of IM lacking skill, competency and quality control

Consequence: violation of safety rules; increased accident frequency

Type of loss: Safety

Risk: Higher

Safety Measures: increased demand for documented competence; systematic control of performed tasks

Unwanted event (Hazard): 11: Uncertainty of roles and responsibilities in the interface between Company and IM

Cause: different understandings of roles and responsibilities; Track Manager responsible for accessible tracks, but not for the downsizing, and can therefore not take this into account when planning/prioritizing work tasks; track manager lacks overview of the competencies available in Company; coordination problems for the delivery when coordination responsibilities are transferred to the track manager

Consequence: tasks not being performed or being performed twice; lack of coordination of resources

Type of loss: Safety

Risk: Higher

Safety Measures: define roles and responsibilities; map all interfaces and define who is responsible for the interfaces

Slide n° 83

3 – Hazard Identification - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

[Figure: CSM process diagram; side labels: INDEPENDENT ASSESSMENT, HAZARD MANAGEMENT.]

System Description:

existing system: "loop+encoder" and their functions in CCS: "Release signal on approach of a train when the section behind the signal (i.e. in front of the approaching train) becomes unoccupied";

change planned by proposer and manufacturer;

functional and physical interfaces of loop with rest of system

Hazard Identification:

brainstorming by group of experts to identify hazards with a relevant influence on risk brought on by intended change.

Loop/Radio infill releases signal → risk: provide too permissive MA to approaching train whereas preceding train still occupies section in front of the signal

Note: Hazard Identification e.g. by HAZOP (Hazard and Operability studies). It is a brainstorming by group of multidisciplinary experts: “safety experts from manufacturer and RU, train drivers, designers of trackside encoder and loop, experts in communication systems, etc.“

Slide n° 84

3 – Hazard Identification - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

Example of identified hazards during the HAZOP (one way of proceeding):

“Loop & Radio infill” shall achieve same function, i.e. ”release the signal RG on approach of a train when section behind the signal is released by preceding train” → Same top level hazard: “provide too permissive MA to approaching train whereas preceding train still occupies section in front of the signal”

See next page: sub-hazards

[Figure: same diagram as slide n° 46. Existing technical system: Trackside Encoder, Trackside Loop, Release the signal (1), Movement Authority (MA), Extension of Movement Authority (MA) (2). Intended Change: Trackside Encoder, Radio In-fill Controller/Modem, GSM, Release the signal (1), Movement Authority (MA), Extension of Movement Authority (MA) (2).]

Slide n° 85

3 – Hazard Identification - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

Example of identified hazards during HAZOP (one way of proceeding):

“Trackside encoder + loop” vs. “Trackside encoder + Radio In-fill + GSM”

Sub-hazards of top hazard “provide too permissive MA…“:

“transmission by hackers of unsafe information in the air gap” since the "radio infill+GSM" is an open transmission sub-system

“delayed transmission or transmission of memorised data packets in the air gap” (i.e. possibly unsafe)

Systematic software errors in the additional equipment (gateway or Radio Controller) that interfaces with the unchanged “Trackside encoder”

Etc.
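Added example (not from the slides, and not from any ETCS/Euroradio specification): receiver-side checks that address the air-gap sub-hazards listed above and label each rejection with the HAZOP guide word of slide n° 73 it corresponds to (false message, delayed message, message when not expected, invalid message). A keyed MAC catches forged or corrupted frames, a freshness window catches delayed frames, and a per-train sequence number catches memorised packets sent again. The frame layout, key, tag length and window are constructed assumptions.

```python
"""Receiver-side checks on an in-fill message carried over an open radio link.

Added example, not from the slides and not from any ETCS/Euroradio
specification. The message layout, the shared key, the tag length and the
freshness window are constructed assumptions. The receiver (e.g. the Radio
Controller feeding the unchanged trackside encoder) only passes a message on
to the "release the signal" function if it is authentic, fresh and in order;
every rejection is labelled with the HAZOP guide word it corresponds to.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-a-real-key"   # assumption: shared symmetric key
MAC_LEN = 16           # assumption: HMAC-SHA256 tag truncated to 128 bits
MAX_AGE_MS = 2000      # assumption: freshness window for a release message

# Header layout (assumption): train id u32 | sequence u32 | timestamp ms u64 | payload length u16
HDR = struct.Struct(">IIQH")


def build_message(train_id: int, seq: int, ts_ms: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Frame = header || payload || MAC(header || payload). Used by the sender."""
    header = HDR.pack(train_id, seq, ts_ms, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
    return header + payload + tag


class InfillReceiver:
    """Validates frames and remembers the last accepted sequence number per train.

    A frame that fails any check is dropped and nothing is released: the
    absence of an accepted message leaves the signal as it is (assumed here to
    be the restrictive, fail-safe state). That covers the 'no message /
    delayed message' guide word by design rather than by a positive action.
    """

    def __init__(self, key: bytes = KEY, max_age_ms: int = MAX_AGE_MS):
        self.key = key
        self.max_age_ms = max_age_ms
        self.last_seq = {}   # train_id -> highest accepted sequence number

    def check(self, frame: bytes, now_ms: int):
        """Return (accepted, guide_word, payload); payload is None when rejected."""
        if len(frame) < HDR.size + MAC_LEN:
            return False, "invalid message", None          # cannot even be parsed
        header = frame[:HDR.size]
        train_id, seq, ts_ms, plen = HDR.unpack(header)
        body_end = HDR.size + plen
        if len(frame) != body_end + MAC_LEN:
            return False, "invalid message", None          # length field disagrees
        payload = frame[HDR.size:body_end]
        tag = frame[body_end:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "false message", None            # forged or corrupted in the air gap
        if abs(now_ms - ts_ms) > self.max_age_ms:
            return False, "delayed message", None          # stale (or clock-skewed) frame
        last = self.last_seq.get(train_id)
        if last is not None and seq <= last:
            return False, "message when not expected", None  # memorised packet sent again
        self.last_seq[train_id] = seq
        return True, "ok", payload


if __name__ == "__main__":
    rx = InfillReceiver()
    frame = build_message(7, 1, 1000, b"RELEASE")          # constructed sample frame
    print(rx.check(frame, 1500))     # accepted
    print(rx.check(frame, 1600))     # same frame again: rejected as replay
```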

Slide n° 86

Discussions/Questions

Slide n° 87

(4) Risk Analysis and Evaluation

Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment

Slide n° 88

4 – Risk Analysis and Evaluation: Step (3) in CSM Process

For presentation purposes, CSM Process split into 7 topics (see questionnaire)

(1) Introduction

(2) What is a significant change?

(3) Hazard Identification phase;

(4) Risk analysis and evaluation

(5) Hazard Management and Hazard Records;

(6) Demonstration of system compliance with the safety requirements

(7) Independent assessment of correct application of CSM Process by an Assessment Body

[Figure: CSM process diagram with topics (2) to (7) mapped onto the process steps; rotated side labels: INDEPENDENT ASSESSMENT and HAZARD MANAGEMENT [Annex III (2)(g) of SD].]

Slide n° 89

4 – Risk Analysis and Evaluation: WHEN? Focus risk assessment on most important hazards/risks

Focus risk assessment on most important risks based on expert's judgment; during Hazard Identification there is a need for hazard classification at least into:

Hazards associated with broadly acceptable risks → need not be analysed further, but register in Hazard Record with justification to allow independent assessment

Hazards associated with non broadly acceptable risks → further risk analysis and evaluation required

[Figure: CSM process diagram. PRELIMINARY SYSTEM DEFINITION → Substantial Change? YES → RISK ASSESSMENT: SYSTEM DEFINITION (Scope, Functions, Interfaces, etc.) → HAZARD IDENTIFICATION AND CLASSIFICATION: HAZARD IDENTIFICATION (What can happen? When? Where? How? Etc.), HAZARD CLASSIFICATION (How critical?) → Risk Broadly Acceptable? YES / NO → RISK ANALYSIS; labels (A), (B), (C). Side labels: HAZARD MANAGEMENT, INDEPENDENT ASSESSMENT.]

Slide n° 90

4 – Risk Analysis and Evaluation: Principles? Hazard Control based on 3 Risk Acceptance Principles

Risk acceptability of non broadly acceptable hazards evaluated by one or more of the 3 RAP:

1. application of codes of practice

2. comparison with similar Ref Syst

3. explicit risk estimation & RAC

Proposer to:

1. demonstrate selected RAP adequately applied

2. check selected RAP used consistently

Output: set of SR to implement + demonstrate achievement

CSM does not impose any order of priority between 3 RAP

Iterative Risk Management Process

[Figure: CSM process diagram. Preliminary System Definition → Significant Change? → RISK ASSESSMENT: SYSTEM DEFINITION → HAZARD IDENTIFICATION AND CLASSIFICATION → RISK ANALYSIS (Codes of Practice / Similar Reference Systems / Explicit Risk Estimation) → RISK EVALUATION (vs. Risk Acceptance Criteria) → Safety Requirements (i.e. safety measures to be implemented) → Demonstration of Compliance with Safety Requirements. Side labels: INDEPENDENT ASSESSMENT, HAZARD MANAGEMENT [Annex III (2)(g) of SD].]

Slide n° 91

4 – Risk Analysis and Evaluation: WHO? Proposer decides on RAP to use

If no Notified National Rules, Proposer free to decide RAP to use for controlling hazards [flexibility]

AB shall refrain from imposing RAP to be used by proposer [challenge proposer]

Whatever RAP used, it must be adequately applied + link RAP-hazard recorded (XA)

(I) CoP (e.g. Anerkannte Regeln der Technik); e.g. TSI, EN standards, NNR, etc. (compatible with rule based approaches)

(II) Similar Reference Systems (e.g. GAME)

(III) Explicit Risk Estimation (could be quantitative or qualitative)

[Figure: RISK ASSESSMENT flowchart. Hazards associated with Significant Risks → Selection of Risk Acceptance Principle → (I) CODES OF PRACTICE: Application of Codes of Practice; (II) SIMILAR REFERENCE SYSTEM(S): Similarity Analysis with Reference System(s); (III) EXPLICIT RISK ESTIMATION: Identification of Scenarios & associated Safety Measures, Estimate Frequency, Estimate Severity, Estimate Risk (Quantitative / Qualitative; Safety Criteria?). RISK ANALYSIS → RISK EVALUATION: Comparison with Criteria → Acceptable Risk? (YES / NO) → Safety Requirements (i.e. the Safety Measures to be implemented) → Demonstration of Compliance with the Safety Requirements. Side labels: HAZARD MANAGEMENT, INDEPENDENT ASSESSMENT.]

Slide n° 92

4 – Risk Analysis and Evaluation: Use of codes of practice (CoP) and risk evaluation (1/3)

CoP shall at least satisfy the following requirements:

(a) be widely acknowledged in the railway domain. If not the case, CoP have to be justified and be acceptable to the assessment body.

(b) be relevant for control of the considered hazards in the system under assessment.

(c) be publicly available for all actors who want to use them.

Examples of CoP:

TSI and mandatory European standards;

Notified National Safety and Technical Rules (technical standards or statutory documents) and, if relevant, non mandatory European standards;

Provided the conditions for CoP are fulfilled, internal rules or standards issued by an actor of the railway sector

CoP from other fields (e.g. nuclear power, military and aviation) can also be applied for certain technical applications in railway systems, provided it is demonstrated that the related CoP are effective at controlling the considered railway hazards

Slide n° 93

4 – Risk Analysis and Evaluation: Use of codes of practice (CoP) and risk evaluation (2/3)

If the conditions for CoP are fulfilled, for the hazards controlled by the CoP:
• the risks need not be analysed further;
• the risks are considered IMPLICITLY as acceptable;
• the risk management process may be limited to:
  • hazard identification;
  • registration in the Hazard Record of the use of the CoP as safety requirement (SR) for those hazards (i.e. the link CoP-Hazard);
  • application of the complete CSM Process, including:
    • correct application of the requirements from the CoP;
    • documented evidence;
    • independent assessment of the application of the CoP.

Slide n° 94

4 – Risk Analysis and Evaluation: Use of codes of practice (CoP) and risk evaluation (3/3)

What to do when there are deviations from the CoP and the identified hazards cannot be (completely) controlled by the CoP?
• Where an alternative approach is not fully compliant with the CoP, the proposer shall demonstrate that the alternative approach taken leads to at least the same level of safety.
• If one or more conditions of the CoP are not fulfilled by the system under assessment, the related CoP can still be used for controlling the hazards, provided the proposer demonstrates that at least the same level of safety is achieved.
• If, for a hazard, the risk cannot be made acceptable by application of the CoP, or if the CoP does not sufficiently cover the identified hazards (e.g. the CoP is not applicable to the full range of hazards), additional safety measures shall be identified for controlling those hazard(s), using either other CoP or one of the other 2 RAP.

Slide n° 95

4 – Risk Analysis and Evaluation: Use of Reference Systems (Ref Syst) and risk evaluation (1/2)

A Reference System shall at least satisfy the following requirements:
• it has already been proven in use to have an acceptable safety level and would still qualify for acceptance in the Member State where the change is to be introduced;
• it has similar functions and interfaces as the system under assessment;
• it is used under similar operational conditions as the system under assessment;
• it is used under similar environmental conditions as the system under assessment.

Slide n° 96

4 – Risk Analysis and Evaluation: Use of Reference Systems (Ref Syst) and risk evaluation (1/2)

If the conditions are fulfilled, for the hazards controlled by the Reference System:
• the risks are considered IMPLICITLY as acceptable (further risk analysis is not required);
• the safety requirements for the hazards covered by the Ref Syst may be derived from the safety analyses or from an evaluation of the safety records of the Ref Syst;
  Does the Ref Syst still "qualify for acceptance"? E.g. it can happen that the safety performance of the considered Ref Syst is not appropriate for the system under assessment because it is based on out-of-date technology (i.e. old-fashioned technology).
• these safety requirements shall be registered in the Hazard Record as safety requirements for the relevant hazards.

Slide n° 97

4 – Risk Analysis and Evaluation: Use of Reference Systems (Ref Syst) and risk evaluation (2/2)

What to do when there are deviations from the Ref Syst and the identified hazards cannot be (completely) controlled by the Ref Syst?
• The risk evaluation shall demonstrate that the system under assessment reaches at least the same safety level as the Ref Syst. The risks associated with the hazards covered by the Ref Syst shall then be considered as acceptable.
• This may also require explicit risk estimation in order to show that the level of risk is at least as good as that of the Ref Syst.
• If the same safety level as the reference system cannot be demonstrated (or if the conditions are not fulfilled), additional safety measures shall be identified for the deviations, applying one of the 2 other RAP.
• The corresponding hazards need to be considered as deviations from the Ref Syst. They become new inputs for a new loop in the iterative CSM risk assessment process. Additional safety measures can be identified by applying one of the other 2 RAP.

Slide n° 98

4 – Risk Analysis and Evaluation: Use of explicit risk estimation and evaluation

• When hazards cannot be covered by CoP or Ref Syst, the demonstration of risk acceptability is performed by explicit risk estimation and evaluation.
• Risks shall be estimated either quantitatively or qualitatively, taking into account the existing safety measures within the system.
• E.g. explicit risk estimation is used when CoP or Ref Syst cannot be applied to fully control the risk to an acceptable level. This could typically arise:
  • when the system being assessed is entirely new, or where there are deviations from a CoP or a Ref Syst, or
  • when a design strategy is chosen that does not allow the use of CoP or of a similar Ref Syst, because e.g. of the wish to produce a more cost-effective design that has not been tried before.
• When the risk(s) controlled by explicit risk estimation are considered acceptable, the identified safety measures are registered in the Hazard Record.

Slide n° 99

4 – Risk Analysis and Evaluation: Use of explicit risk estimation and evaluation

Explicit risk estimation is not necessarily always quantitative. It can be:
• quantitative, if sufficient quantitative information is available in terms of frequency of occurrence and severity,
• semi-quantitative, e.g. if such quantitative information is not sufficiently available, or
• even qualitative, e.g. in terms of a process for the management of systematic errors/failures, when quantification is not possible.

If, with the safety measures, the estimated risk is not acceptable, additional safety measures shall be identified and implemented in order to reduce the risk to an acceptable level.

[Diagram: CSM risk analysis and evaluation flowchart, as on slide 91.]

Slide n° 100

4 – Risk Analysis and Evaluation: Use of explicit risk estimation and evaluation - RAC

In order to evaluate whether risks are acceptable or not, risk acceptance criteria (RAC) are necessary. They can be either implicit or explicit:
• risks controlled by application of CoP and by comparison with Ref Syst are considered IMPLICITLY acceptable: implicit RAC;
• whereas the acceptability of risk(s) controlled by application of explicit risk estimation requires explicit risk acceptance criteria (RAC) to be defined.

[Diagram: CSM risk analysis and evaluation flowchart, as on slide 91, annotated "Implicit RAC" on the Codes of Practice and Similar Reference System(s) branches and "Harmonised Explicit RAC" on the Explicit Risk Estimation branch.]

Slide n° 101

4 – Risk Analysis and Evaluation: Use of explicit risk estimation and evaluation – Level of RAC (Pyramid)

RAC can be defined at different levels of the railway system ("pyramid of criteria"):
• starting from high level RAC (expressed for instance as societal or individual risk),
• going down to sub-systems and components, covering technical systems and human operators during the operation & maintenance activities of the system & sub-systems.

[Diagram: pyramid of criteria. Labels: Global Risk Acceptance Criteria (Societal Risk; Individual Risk; etc.); RAC-TS; Other RAC; Risk Profile.]

The level of RAC needs to match the importance and complexity of the significant change:
• e.g. when modifying the type of axle in rolling stock (RS), it is not necessary to evaluate the overall railway system risk. The definition of RAC can focus on rolling stock safety;
• reciprocally, large changes or additions to an existing system should not evaluate solely the safety performance of the individual functions or changes. The acceptability of the change should also be evaluated at the level of the railway system as a whole.

Slide n° 102

4 – Risk Analysis and Evaluation: Use of explicit risk estimation and evaluation – RAC-TS

RAC-TS harmonised in the CSM Regulation:

"Where hazards arise from failures of technical systems not covered by codes of practice or the use of a reference system, the following risk acceptance criterion shall apply for the design of the technical system: For technical systems where a functional failure has a credible direct potential for a catastrophic consequence, the associated risk does not have to be reduced further if the rate of that failure is less than or equal to 10^-9 per operating hour."

Nevertheless, if the applicant can demonstrate that the national safety level can be maintained with a less demanding criterion than the 10^-9, this criterion can be used by the applicant after agreement with the assessment body.

Slide n° 103

4 – Risk Analysis and Evaluation: Use of explicit risk estimation and evaluation – RAC-TS

RAC-TS harmonised in the CSM Regulation (continued):

"If a technical system is developed by applying the 10^-9 criterion defined in paragraph 4, mutual recognition shall be applied according to section 5.3"

"Without prejudice to the procedure specified in Article 8 of Directive 2004/49/EC, a more demanding criterion may be requested, through a national rule, in order to maintain a national safety level. However, in the case of additional authorisations for placing in service of vehicles, the procedures of Articles 23 and 25 of Directive 2008/57/EC shall apply."

Slide n° 104

4 – Risk Analysis and Evaluation: Use of explicit risk estimation and evaluation – RAC-TS

• The quantitative target evaluation must take into account, for redundant systems, the common components (e.g. common inputs, power supply, comparators, voters, etc.);
• it shall consider the dormant or latent failure detection times;
• a Common Cause/Mode Failure (CCF/CMF) analysis shall be done.

[Diagram: RAC-TS decision flow for a considered hazard of a Technical System (TS); Independent Assessment applies throughout.]
Node 1: Is the hazard controlled by a CoP or a Ref Syst? YES (e.g. the TS is NOT a new nor innovative design): apply the Code of Practice or Reference System. NO (e.g. the TS is a new or innovative design): go to Node 2.
Node 2 (Credible potential for Catastrophic Consequence): Is it likely that the hazard can result in a catastr. conseq.? NO: use other RAC for technical systems that still need to be defined later on. YES: go to Node 3.
Node 3 (Direct): Is the catastr. conseq. a direct result of the Techn. Syst. failure? YES (i.e. no other safety barriers that could prevent the accident): Quantitative Requirement: apply a THR of 10^-9 h^-1 (SIL 4) for random hardware failures of the TS; Process Requirement: apply a SIL 4 Process for the management of systematic failures of the TS, i.e. apply a QMP & SMP vs. SIL 4 relevant standards, e.g. EN 50128 for software, and for hardware EN 50121-3-2, EN 50121-4, EN 50124-1, EN 50124-2, EN 50125-1, EN 50125-3, EN 50081, EN 50155, EN 61000-6-2, etc. NO (i.e. additional safety barriers cannot prevent the accident): use the RAC-TS as reference point, evaluate the contribution/efficiency of the other additional safety barriers and derive the safety requirements.
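To make the decision flow and the two caveats above (common components, latent failure detection time) concrete, here is an added Python example that is not part of the slides: it walks the three questions of the flowchart and checks a 1oo2 redundant design against the 10^-9 per operating hour THR. The beta-factor common-cause model, the 2·λ²·T double-failure approximation and all rates, times and beta values are assumptions made for illustration.

```python
"""RAC-TS decision flow (slide 104) with a THR check for a redundant design.

Added example, not taken from the CSM dissemination slides. It encodes the
three questions of the flowchart (CoP/Ref Syst? credible catastrophic? direct?)
and the two caveats on the same slide: common components (CCF/CMF) and latent
failure detection time. The reliability arithmetic is a deliberately simple,
assumed model (beta-factor common cause, 2*lambda^2*T double-failure term);
the rates, times and beta used below are constructed, not from the slides.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

# RAC-TS: a functional failure with a credible direct potential for a catastrophic
# consequence needs no further risk reduction at <= 1e-9 per operating hour.
RAC_TS_THR = 1e-9


class Route(Enum):
    COP_OR_REF_SYST = "apply Code of Practice or Reference System"
    OTHER_RAC = "use other RAC for technical systems (still to be defined)"
    RAC_TS = "THR 1e-9/h (SIL 4) for random HW failures + SIL 4 process"
    BARRIER_ANALYSIS = "RAC-TS as reference point; credit additional barriers"


@dataclass(frozen=True)
class HazardOfTechnicalSystem:
    name: str
    controlled_by_cop_or_ref_syst: bool  # node 1: not a new or innovative design?
    credible_catastrophic: bool          # node 2: likely to end in a catastrophe?
    direct_consequence: bool             # node 3: no other barrier prevents the accident?


def select_route(h: HazardOfTechnicalSystem) -> Route:
    """Walk the three decision nodes of the RAC-TS flowchart in order."""
    if h.controlled_by_cop_or_ref_syst:
        return Route.COP_OR_REF_SYST
    if not h.credible_catastrophic:
        return Route.OTHER_RAC
    if h.direct_consequence:
        return Route.RAC_TS
    return Route.BARRIER_ANALYSIS


@dataclass(frozen=True)
class OneOutOfTwo:
    """A 1oo2 redundant technical system: the function is lost when both channels fail."""
    channel_failure_rate: float     # dangerous failures of one channel, per hour
    latent_detection_time_h: float  # how long a dormant channel failure stays undetected
    ccf_beta: float                 # share of failures hitting both channels (assumed beta-factor model)


def dangerous_failure_rate(sys: OneOutOfTwo) -> Dict[str, float]:
    """Approximate rate of losing the redundant function.

    independent:  both channels fail inside the latent detection window,
                  approximated as 2 * lambda^2 * T (either channel may fail first);
    common_cause: beta * lambda, failures of shared parts (common inputs, power
                  supply, comparators, voters...) that defeat both channels at once.
    """
    lam, t, beta = sys.channel_failure_rate, sys.latent_detection_time_h, sys.ccf_beta
    independent = 2 * lam * lam * t
    common_cause = beta * lam
    return {"independent": independent, "common_cause": common_cause,
            "total": independent + common_cause}


def meets_rac_ts(sys: OneOutOfTwo, thr: float = RAC_TS_THR) -> bool:
    """Quantitative requirement of the RAC-TS: total dangerous failure rate <= THR."""
    return dangerous_failure_rate(sys)["total"] <= thr


def evaluate(h: HazardOfTechnicalSystem, sys: Optional[OneOutOfTwo] = None) -> dict:
    """Route selection plus, where the RAC-TS applies, the quantitative check."""
    route = select_route(h)
    result: dict = {"hazard": h.name, "route": route.name}
    if route is Route.RAC_TS and sys is not None:
        result.update(dangerous_failure_rate(sys))
        result["meets_thr"] = meets_rac_ts(sys)
        result["process_requirement"] = "SIL 4 process for systematic failures"
    return result


if __name__ == "__main__":
    # Constructed case: a new in-fill controller not covered by a CoP or Ref Syst,
    # whose wrong-side output directly releases an unsafe signal aspect.
    hazard = HazardOfTechnicalSystem("wrong-side output of in-fill controller",
                                     controlled_by_cop_or_ref_syst=False,
                                     credible_catastrophic=True,
                                     direct_consequence=True)
    # Two channels at 1e-5/h, dormant failures detected within 1 h, 2 % common cause:
    # the independent term is 2e-10/h but the common-cause term is 2e-7/h, so the
    # design misses the THR by more than two orders of magnitude. With the common
    # cause removed the same channels pass, which is why the CCF/CMF analysis matters.
    for beta in (0.02, 0.0):
        print(evaluate(hazard, OneOutOfTwo(1e-5, 1.0, beta)))
```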

Slide n° 105

4 – Risk Analysis and Evaluation: Mutual Recognition

• The CSM Regulation requires mutual recognition of the risk assessment results.
• Mutual recognition shall be based on evidence of fulfilment of the harmonised requirements along the steps of the CSM Process.
• The full CSM risk assessment process must be applied by the Proposer:
  • identification of hazards, associated safety measures and resulting SR;
  • registration & management of hazards and safety measures in the Hazard Record;
  • demonstration of system compliance with the safety requirements;
  • documented application of the CSM Process: all necessary evidence showing correct application is accessible to the Assessment Body. It shall at least include:
    • a description of the organisation and experts put in place to carry out the risk assessment;
    • the results from the steps of the CSM Process, including the list of SR to be implemented to control the risk to an acceptable level.
• The conclusions of the independent assessment by the AB are given in the Assessment Report.
• The change is accepted by the Proposer based on the Independent Assessment Report.

Slide n° 106

4 – Risk Analysis and Evaluation: Mutual Recognition – Independent Assessment by AB on Deviations

• Assessment Bodies in other MS must apply mutual recognition to a system evaluated, assessed and accepted vs. the CSM Process (prev. slide).
• The system can be used in another MS provided the Proposer demonstrates that:
  • the system will be used under the same functional, operational and environmental conditions as initially approved in the related MS;
  • equivalent RAC (acceptable in the new MS) were applied for controlling the identified hazards: hence the importance of the link [RAP-Hazard] in the Hazard Record.
• If a condition is not fulfilled, mutual recognition is still possible but not automatic:
  • the Assessment Body applies the principle of mutual recognition to the part of the system and risk assessment that fulfils the conditions;
  • the Proposer will have to identify the deviations vs. the already accepted system and apply the CSM risk management & assessment process to the identified deviations;
  • the AB assesses independently the correct application of the CSM Process on the deviations.

Slide n° 107

Application to practical examples

Slide n° 108

4 – Risk Analysis and Evaluation – Operational Change: Driver Only Operated Train (DOO)

Use of Codes of Practice and Reference Systems:
• Both CoP (i.e. a set of standards for Driver Only Operation) and similar Ref Systems are used to define the safety requirements for the identified hazards, such as:
  • revised operational procedures for the driver that are required to operate the trains safely without onboard assistance;
  • any additional equipment necessary onboard or on the track to ensure safe and reliable means of train dispatch;
  • a checklist for ensuring that the driver's cab is suitable, taking into account the interface between the railway system (both onboard and trackside) and the driver.
• Revision of the necessary operational rules in compliance with the requirements from the applicable codes of practice and the relevant reference systems.

Slide n° 109

4 – Risk Analysis and Evaluation – Organisational Change: Outsourcing of a maintenance branch of an IM

"Use of Ref System and Risk Evaluation" + "Explicit risk estimation and evaluation":
• The system before the change was judged to have an acceptable level of safety. It was thus used to derive the Risk Acceptance Criteria for the system under assessment, i.e. "maintain at least the same level of safety and punctuality throughout the change process and after the change".
• The HAZOP analysis went through a checklist method describing a list of hazards (unwanted events), their causes, the related consequences and frequencies (rough estimates) and the related actions that need to be taken to mitigate these risks. Interdependencies and the interface between the detached branch and the rest of the IM organisation were particularly examined.
• Each hazard with increased risk was counterbalanced by appropriate identified risk-reducing measures. The residual risk was compared against the RAC to check whether other additional measures needed to be identified.

Slide n° 110

4 – Risk Analysis and Evaluation – Organisational Change: Outsourcing of a maintenance branch of an IM

• The Hazard and Risk Analysis was documented in a table describing the identified hazards, evaluating the severity and suggesting risk mitigation/control measures (see the sample from the risk analysis in the following slides).
• The Risk Analysis table was mirrored within the Hazard Record/Log (see the dedicated module in the presentation). The Hazard Record includes additional information on who is responsible for implementing the measure, the deadline for the implementation, and who is in charge of the verification of the implementation and of the efficiency of the identified measure(s).
• Indeed, for such organisational changes, the efficiency of the identified actions and decisions had to be monitored to verify whether they fully control the considered risk.
• This is natural, as it may be difficult to foresee and measure the exact result of a safety measure related to an organisational issue (such as training, motivated work for staff, etc.), and the effects have to be followed up closely in a longer process in which the analysis is continuously updated.

Slide n° 111

4 – Risk Analysis and Evaluation – Organisational Change: Outsourcing of a maintenance branch of an IM

• Therefore, the risk analysis and the hazard record/log were living documents. The efficiency of the decided actions was monitored at regular intervals to check whether the conditions had changed and whether the risk analysis and risk evaluation needed to be updated. They were updated when actions were performed and hazards "closed". A status field was updated to describe what actions were taken or were under way.
• If any circumstances changed compared to the initial context of the risk analysis, the risk analysis and hazard record/log had to be updated to ensure that the hazards and risks were under control.
• The hazards that could not be closed (as not all the measures could be implemented or verified rapidly) were followed up. Their status was also monitored and rechecked on several occasions (and further dated status columns were added to the hazard record/log table) to verify that finally all the hazards would be closed.

Slide n° 112

4 – Risk Analysis and Evaluation – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis

Table columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for finding safety measure | Safety Measures

Unwanted event (Hazard) 1: Reduced motivation among employees remaining in Company.
Cause:
• Staff continuing to leave without stop.
• Demotivated / worn out managers.
• Missing colleagues, missing certain tasks.
• Lack of loyalty, knowing that the workplace is not going to stay.
• Heavy workload.
• Uncertainty.
Consequence:
• Tasks not performed, increased build-up of unperformed works.
• Emergency maintenance instead of planned maintenance.
• Collective worker actions (calling in sick etc.).
• Lack of trust in Company for the managers at IM level.
Type of loss: Safety
Risk: Higher
Responsible for finding safety measure: (blank)
Safety Measures:
• New round of motivational work for the staff, to be performed in smaller groups.
• Reallocation of funds so that Company gets meaningful tasks to perform.
• More frequent inspections by track manager.
• Allocate funds to make sure that key staff stays throughout the process.
• Give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks.
• Etc.

Slide n° 113

4 – Risk Analysis and Evaluation – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis

Table columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for finding safety measure | Safety Measures

Unwanted event (Hazard) 10: Lack of competency in the performance of tasks
Cause: Subcontractors of IM lacking skill, competency and quality control
Consequence: Violation of safety rules. Increased accident frequency.
Type of loss: Safety
Risk: Higher
Responsible for finding safety measure: (blank)
Safety Measures:
• Increased demand for documented competence.
• Systematic control of performed tasks.

Unwanted event (Hazard) 11: Uncertainty of roles and responsibilities in the interface between Company and IM
Cause:
• Different understandings of roles and responsibilities.
• Track Manager responsible for accessible tracks, but not for the downsizing, and can therefore not take this into account when planning/prioritizing work tasks.
• Track manager lacks overview of the competencies available in Company.
• Coordination problems for the delivery when coordination responsibilities are transferred to the track manager.
Consequence:
• Tasks not being performed or being performed twice.
• Lack of coordination of resources.
Type of loss: Safety
Risk: Higher
Responsible for finding safety measure: (blank)
Safety Measures:
• Define roles and responsibilities.
• Map all interfaces and define who is responsible for the interfaces.

Slide n° 114

4 – Risk Analysis and Evaluation - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

Use of Ref System and Risk Evaluation:
• The system before the change (loop) was judged to have an acceptable level of safety for releasing the signal aspect. It is used as a Ref Syst to derive the safety requirements for the radio in-fill sub-system.

Explicit Risk Estimation and Evaluation:
• analysis of the deviation "Radio in-fill + GSM" vs. "Loop" sub-system;
• see HAZID: new hazards for the "radio infill + GSM" sub-system:
  • "radio infill + GSM" is an open transmission sub-system: risk of transmission by hackers of unsafe information in the air gap;
  • delayed transmission or transmission of memorised data packets in the Radio Infill chain;
• explicit risk estimation and use of RAC-TS for designing the Radio Infill Controller part.

Use of CoP and Risk Evaluation:
• EN 50159-2 for safety related communication in open transmission systems provides the safety requirements for controlling the new hazards to an acceptable level, e.g. "data encrypting and protection" + "message sequencing and time stamping";
• use of the EN 50128 standard for the development of the Radio Infill Controller software.

Slide n° 115

4 – Risk Analysis and Evaluation - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

• The existing loop system ensures an acceptable level of safety and is used as a Ref Syst, i.e. the Radio In-fill + GSM system shall ensure the same level of safety.
• Explicit risk estimation is used to identify the differences between the system under assessment (Radio In-fill + GSM) and the Ref. Syst. (Trackside Encoder + Loop).
• Use explicit risk estimation and RAC-TS for designing the Radio Infill Controller part.
• The new hazards identified for the deviations can be controlled by CoP.
• For the development of the software of the Radio Controller, use CENELEC 50128 "Railway applications - Communication, signalling and processing systems – Software for railway control and protection systems".
• The 50128 standard specifies, for each SIL, the levels of independence and the process (including possible techniques for software V&V) that are required for the design, verification and validation of software. Note: 50128 also requires an Independent Safety Assessment, whose independence depends on the SW SIL.
• SIL 4 Process for SW.

Slide n° 116

4 – Risk Analysis and Evaluation - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

For transmission in an open medium (air), use CENELEC 50159-2 "Railway applications - Communication, signalling and processing systems - Part 2: Safety related communication in open transmission systems".

Examples of hazards linked to transmissions in an open medium (air gap):
• Repetition of messages: "due to a hardware failure the Radio In-fill repeats an old message, possibly unsafe"
• Deletion of messages: "a message is deleted due to a hardware failure"
• Insertion of messages: "an authorised third party involuntarily inserts a message, e.g. the Radio In-fill of another trackside section"
• Corruption of messages: "a message is accidentally changed (e.g. EMI) to another formally correct message"
• Masquerade: "an unauthorised third party voluntarily inserts a message"
• Etc.

The 50159-2 CoP provides measures for protecting against those hazards (e.g. CRC, time stamping, message sequencing, etc.). For more information see 50159-2.
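The receiver side of the protections the slides attribute to EN 50159-2 (message sequencing, time stamping, CRC, cryptographic protection) is shown in the added Python example below, which is neither code from the slides nor the standard's own frame format: it sorts each incoming frame into "accepted" or one of the hazards listed above (repetition, deletion, insertion, corruption, masquerade) plus the delayed/memorised-packet case of slide 114. The frame layout, the HMAC-SHA-256 tag, the source ids, the key and the age limit are all constructed here.

```python
"""Receiver-side defences for an open transmission medium (air gap).

Added example, not from the CSM slides and not the EN 50159-2 frame format:
an illustrative safety-layer frame (sequence number, time stamp, CRC-32 and an
HMAC-SHA-256 tag) and a receiver that sorts each incoming frame into
"accepted" or one of the hazards named on slide 116 (repetition, deletion,
insertion, corruption, masquerade) plus the delayed/memorised-packet case of
slide 114. Field sizes, ids, the key and the age limit are constructed here.
"""
import hashlib
import hmac
import struct
import zlib
from typing import Optional, Tuple

HEADER_FMT = ">4sHIQ"                    # magic, source id, sequence no., time stamp (ms)
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 18 bytes
MAGIC = b"INFL"
CRC_LEN, MAC_LEN = 4, 32
MAX_AGE_MS = 2000                        # constructed: older frames count as "delayed"
SOURCE_ID = 0x2A                         # constructed id of "our" trackside in-fill section


def build_frame(key: bytes, source_id: int, seq: int, timestamp_ms: int, payload: bytes) -> bytes:
    """Sender side: header + payload, then CRC-32 (random errors) and MAC (deliberate ones)."""
    body = struct.pack(HEADER_FMT, MAGIC, source_id, seq, timestamp_ms) + payload
    crc = struct.pack(">I", zlib.crc32(body))
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return body + crc + mac


class SafeReceiver:
    """Keeps the last accepted sequence number and a notion of 'now' in ms."""

    def __init__(self, key: bytes, expected_source: int, now_ms: int):
        self.key = key
        self.expected_source = expected_source
        self.now_ms = now_ms
        self.last_seq: Optional[int] = None

    def accept(self, frame: bytes) -> Tuple[str, Optional[bytes]]:
        if len(frame) < HEADER_LEN + CRC_LEN + MAC_LEN or frame[:4] != MAGIC:
            return "malformed", None
        body = frame[:-(CRC_LEN + MAC_LEN)]
        crc = frame[-(CRC_LEN + MAC_LEN):-MAC_LEN]
        mac = frame[-MAC_LEN:]
        # Corruption: an accidentally changed bit (e.g. EMI) breaks the safety code.
        if struct.unpack(">I", crc)[0] != zlib.crc32(body):
            return "corruption", None
        # Masquerade: an unauthorised sender, or deliberate tampering with a
        # recomputed CRC, cannot produce a valid tag without the key.
        expected_mac = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected_mac):
            return "masquerade", None
        _, source, seq, ts = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
        payload = body[HEADER_LEN:]
        # Insertion: an authorised but wrong sender (another section's in-fill).
        if source != self.expected_source:
            return "insertion", None
        # Delay / memorised packets: the time stamp is too old to act on.
        if self.now_ms - ts > MAX_AGE_MS:
            return "delayed", None
        # Repetition: a sequence number already seen (old message replayed).
        if self.last_seq is not None and seq <= self.last_seq:
            return "repetition", None
        # Deletion: a gap in the sequence; report it, but keep the newer state.
        status = "accepted"
        if self.last_seq is not None and seq > self.last_seq + 1:
            status = "deletion"
        self.last_seq = seq
        return status, payload


if __name__ == "__main__":
    key = b"constructed-demo-key"   # in practice provisioned per section, never in source
    rx = SafeReceiver(key, SOURCE_ID, now_ms=10_000)
    good = build_frame(key, SOURCE_ID, 1, 9_500, b"aspect=PROCEED")
    corrupt = bytearray(build_frame(key, SOURCE_ID, 2, 9_600, b"aspect=PROCEED"))
    corrupt[HEADER_LEN] ^= 0x01      # one flipped payload bit, as EMI might do
    cases = {
        "genuine": good,
        "replayed": good,
        "corrupted": bytes(corrupt),
        "other section": build_frame(key, 0x2B, 2, 9_600, b"aspect=PROCEED"),
        "unkeyed sender": build_frame(b"wrong-key", SOURCE_ID, 2, 9_600, b"aspect=PROCEED"),
        "stale": build_frame(key, SOURCE_ID, 2, 1_000, b"aspect=PROCEED"),
        "after a gap": build_frame(key, SOURCE_ID, 4, 9_900, b"aspect=STOP"),
    }
    for label, frame in cases.items():
        print(f"{label:15s} -> {rx.accept(frame)[0]}")
```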

Slide n° 117

Current Status of harmonisation of Risk Acceptance Criteria (RAC)

Slide n° 118

4 – Risk Analysis and Evaluation: Current Status of harmonisation of Risk Acceptance Criteria (RAC)

General background
• RAC are needed for the "Explicit Risk Estimation" principle.
• RAC are implicit for the two first principles (CoP and Ref Syst.).
• RAC are developed to support mutual recognition, cross-border traffic and the opening of the market.
• Different possible levels for RAC.

[Diagram: pyramid of criteria, as on slide 101. Labels: Global Risk Acceptance Criteria (Societal Risk; Individual Risk; etc.); RAC-TS; Other RAC; Risk Profile.]

Slide n° 119

4 – Risk Analysis and Evaluation: Current Status of harmonisation of Risk Acceptance Criteria (RAC)

Main concepts of the RAC development
• Agreement to focus only on low level criteria:
  • where mutual recognition is needed;
  • where the proposer is in a position to demonstrate it.
• CST are developed for "harmonising" high level RAC.
• Different types of low level RAC for technical systems:
  1) where the function is entirely covered by technical solutions;
  2) where the function is covered by both a technical solution and a human action;
  3) where the function is covered by human activities.

Slide n° 120

4 – Risk Analysis and Evaluation: Current Status of harmonisation of Risk Acceptance Criteria (RAC)

Design targets for technical systems (for the two first types)

Risk matrix based on the RAC-TS (direct catastrophic consequence) decided:

Frequency of hazardous event  | Insignificant | Marginal     | Critical     | Catastrophic
Frequent                      | Unacceptable  | Unacceptable | Unacceptable | Unacceptable
Occasional                    | Acceptable    | Unacceptable | Unacceptable | Unacceptable
Rare                          | Acceptable    | Acceptable   | Unacceptable | Unacceptable
Improbable                    | Acceptable    | Acceptable   | Acceptable   | Unacceptable
Incredible (10^-9 per hour)   | Acceptable    | Acceptable   | Acceptable   | Acceptable (RAC-TS)

Catastrophic consequence: collective impact capable of resulting in deaths and several severe injuries.

• The "slope" and the definition of the scale for frequency and consequence are under discussion.
• This general approach has been agreed on with SSMG.

Design target for other failure consequences than catastrophic:
• Possibility to derive the THR for a technical system when the catastrophic consequence is not direct, through the use of a barrier analysis (additional technical barriers, human barriers, reduction factors).
• The TF is developing an example for this.
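The matrix above, as an added Python example that is not from the slides, written the way a reviewer would check a candidate matrix: it encodes the cells shown, verifies that acceptability never improves with higher frequency or severity, verifies that the Catastrophic column agrees with the RAC-TS, and screens a constructed hazard list. Only the 10^-9 per hour boundary is encoded, because the rest of the frequency scale is stated to be under discussion.

```python
"""The RAC-TS based risk matrix of slide 120, with the checks a reviewer applies to it.

Added example, not from the slides: the cells are those shown on the slide; the
numerical boundaries of the frequency scale are not on the slide (only the
"Incredible" row is tied to 10^-9 per hour), so only that boundary is encoded
and every other rate is reported as not yet classifiable.
"""
from typing import Dict, List, Optional, Tuple

# Most frequent first; least severe first (as laid out on the slide).
FREQUENCIES = ["Frequent", "Occasional", "Rare", "Improbable", "Incredible"]
SEVERITIES = ["Insignificant", "Marginal", "Critical", "Catastrophic"]
INCREDIBLE_RATE_PER_HOUR = 1e-9   # the RAC-TS anchor of the matrix

RISK_MATRIX: Dict[str, List[str]] = {
    "Frequent":   ["Unacceptable", "Unacceptable", "Unacceptable", "Unacceptable"],
    "Occasional": ["Acceptable",   "Unacceptable", "Unacceptable", "Unacceptable"],
    "Rare":       ["Acceptable",   "Acceptable",   "Unacceptable", "Unacceptable"],
    "Improbable": ["Acceptable",   "Acceptable",   "Acceptable",   "Unacceptable"],
    "Incredible": ["Acceptable",   "Acceptable",   "Acceptable",   "Acceptable"],
}


def evaluate_risk(frequency: str, severity: str, matrix: Dict[str, List[str]] = RISK_MATRIX) -> str:
    """Look up one cell; raises KeyError/ValueError on categories not in the scale."""
    return matrix[frequency][SEVERITIES.index(severity)]


def frequency_from_rate(rate_per_hour: float) -> Optional[str]:
    """Only the RAC-TS boundary is fixed; any other rate cannot be classified yet."""
    return "Incredible" if rate_per_hour <= INCREDIBLE_RATE_PER_HOUR else None


def is_monotonic(matrix: Dict[str, List[str]] = RISK_MATRIX) -> bool:
    """Acceptability must never improve with higher frequency or higher severity.

    For every Unacceptable cell, every cell that is at least as frequent and at
    least as severe must be Unacceptable too.
    """
    for fi, f in enumerate(FREQUENCIES):
        for si in range(len(SEVERITIES)):
            if matrix[f][si] != "Unacceptable":
                continue
            for fj in range(0, fi + 1):               # more (or equally) frequent rows
                for sj in range(si, len(SEVERITIES)):  # more (or equally) severe columns
                    if matrix[FREQUENCIES[fj]][sj] != "Unacceptable":
                        return False
    return True


def matches_rac_ts(matrix: Dict[str, List[str]] = RISK_MATRIX) -> bool:
    """A direct catastrophic consequence is acceptable only in the Incredible row."""
    cat = SEVERITIES.index("Catastrophic")
    return all((matrix[f][cat] == "Acceptable") == (f == "Incredible") for f in FREQUENCIES)


def screen_hazards(hazards: List[Tuple[str, str, str]],
                   matrix: Dict[str, List[str]] = RISK_MATRIX) -> List[str]:
    """Names of hazards whose cell is Unacceptable, i.e. needing additional safety measures."""
    return [name for name, f, s in hazards if evaluate_risk(f, s, matrix) == "Unacceptable"]


if __name__ == "__main__":
    # Constructed hazard list for the radio in-fill example of slides 114-116.
    sample = [
        ("loss of in-fill message (deletion)", "Improbable", "Catastrophic"),
        ("nuisance re-transmission", "Occasional", "Insignificant"),
        ("wrong-side controller output, RAC-TS design", "Incredible", "Catastrophic"),
    ]
    print("monotonic:", is_monotonic(), "RAC-TS consistent:", matches_rac_ts())
    print("needs more measures:", screen_hazards(sample))
```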

Slide n° 121

4 – Risk Analysis and Evaluation: Current Status of harmonisation of Risk Acceptance Criteria (RAC)

Matrix applicable, but:
• no evidence that 10^-9 h^-1 can be used as the starting point;
• wish to avoid the development of a complex methodology for human factor quantification.

Work focussed on a qualitative approach:
• principles of redundancy for human activities;
• close collaboration with SSMG.

SSMG position - focus on the relevant redundancies and working conditions:
• it is mainly the relevant redundancies linked to certain failure modes that should be developed for now;
• working conditions are covered by the SMS.

Slide n° 122

4 – Risk Analysis and Evaluation: Current Status of harmonisation of Risk Acceptance Criteria (RAC)

• All the proposed criteria should be seen as "sufficient but not necessary", as is the case for the RAC-TS.
• Compliance with the RAC shall lead to mutual recognition.
• Less demanding, if the proposer can demonstrate that it maintains the safety level.
• More demanding via NSR.

Slide n° 123

4 – Risk Analysis and Evaluation: Current Status of harmonisation of Risk Acceptance Criteria (RAC)

Steps in the near future:
• definition of the minimum necessary set of consequences for which RAC will be necessary for technical systems;
• elaborate further the concept of "reduction factor";
• continue to develop a tool supporting the application of the matrix;
• continue to develop the principles applicable for accepting human actions/tasks redundancy.

Slide n° 124

Discussions/Questions

Slide n° 125

(5) Hazard Records

Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment

Slide n° 126

5 – Hazard Record: Managing the hazards

For presentation purposes, the CSM Process is split into 7 topics (see questionnaire):
(1) Introduction
(2) What is a significant change?
(3) Hazard Identification phase;
(4) Risk analysis and evaluation
(5) Hazard Management and Hazard Records;
(6) Demonstration of system compliance with the safety requirements
(7) Independent assessment of correct application of CSM Process by an Assessment Body

[Diagram: modular presentation overview, as in the introduction, with topics (2) to (7) mapped onto the CSM process boxes and the side banners Hazard Management [Annex III (2)(g) of SD] and Independent Assessment.]

Slide n° 127

5 – Hazard Record: WHY are they needed?

• Hazard Records need to be created and updated by the proposer. Annex 1.4 of the CSM Regulation.
• They are an important part of the hazard management process.
• They track the progress of the process – the identification of the hazard, the potential risk and how the risk needs to be controlled through the selected risk acceptance principles:
  • Codes of practice
  • Reference systems
  • Risk estimation

[Diagram: four Hazard / Risk / Control chains under the banner Hazard Management [Annex III(2)(g) of SD].]

Slide n° 128

5 – Hazard Record – WHO is responsible?

If there are a number of actors involved in the project, each may have responsibility for their part of the system under assessment. They will keep a record of the hazards for their part of the project.

There should be one overall actor (the proposer) who has responsibility for the main record, which covers all the necessary elements of the system under assessment.

It does not have to contain all the information from the actors involved, only the links and key safety related

Exchange of information will be important if the hazard cannot be controlled by one actor alone.

[Figure: Hazard Record for the system under assessment, held by the proposer, linked by exchange of information to the records of Actor A, Actor B, Actor C and Actor D; HAZARD MANAGEMENT [Annex III(2)(g) of SD]]

Slide n° 129

5 – Hazard Record – What information should they contain?

All the hazards that the actor is responsible for, the associated safety measures, and the resulting safety requirements issued from the risk assessment process

All the assumptions taken into account within the definition of the system under assessment. These assumptions determine the limits and the validity of the risk assessment

All the hazards and the associated safety measures received from other actors in compliance with the project. These include all the assumptions and restrictions of use and generic product safety cases that are produced by the manufacturers

The status of the hazards (i.e. controlled or open) and of the associated safety measures (i.e. validated or open)

Note: the level of detail required is related to the level of risk


Slide n° 130

5 – Hazard Record – When should they be updated?

Whenever:

a new hazard is discovered or a new safety measure is identified

a new hazard is identified during the operation and maintenance of the system after its commissioning, so that the hazard can be assessed in compliance with the CSM as to whether it represents a significant change (this will be part of the SMS – Annex III (g))

it could be necessary to take into account accident and incident data

there are changes to the safety requirements or the assumptions about the system


Slide n° 131

5 – Hazard Record – What are the links to the SMS?

RUs and IMs can use their procedures under their SMS

Annex III(2)(g) of the RSD requires the SMS to contain procedures and formats for how safety information is to be documented and designation of procedure for configuration control of vital safety information

The hazard record can therefore be part of the SMS for recording and managing risks that occur throughout the lifecycle of the equipment

It does not have to be a separate process

For other actors:

No legal requirement

But likely that they have a hazard management process

Existing processes can be adapted


Slide n° 132

5 – Hazard Record – What are the benefits to the project?

Help map out and record the decision making process – provide transparency and consistency

Allow corrective actions to be taken promptly and quickly (link to SMS)

Exchange of information – allow for a number of players to contribute

Evidence of continuing compliance – accountability

Do not have to be complicated – targeted on the key issues


Slide n° 133

Discussions/Questions

Slide n° 134

5 – Hazard Record – Partial Example of a Hazard Record/Log Table

HZD | Origin | Hazard description | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status
1 | HAZOP report RX | Maximum speed of train set too high (Vmax) | Wrong specific configuration of the onboard sub-system (maintenance staff). Wrong Data Entry onboard (driver) | RU | Define a procedure for the approval of the onboard sub-system configuration data; Define an operational procedure for the Data Entry Process by the Driver | Explicit Risk Estimation | Yes | Controlled (exported to RU). Refer also to section C.16.4.2 in Appendix C
2 | HAZOP report RX | Braking curves (i.e. Movement Authority) in onboard sub-system configuration data too permissive | The procedure for the specific configuration of the onboard sub-system depends on: the safety margins taken for the train braking system; the reaction delay of the train braking system (this one is directly dependent on the train length, especially for freight trains) | RU | Specify correctly the system requirements in the System Definition; Take sufficient safety margins for the braking system of the specific train | Explicit Risk Estimation | Yes | Controlled (exported to RU). Refer also to section C.16.4.2 in Appendix C

Slide n° 135

5 – Hazard Record – Operational Change – Driver Only Operated Train (DOO)

For the railway undertakings the hazard management process was part of their safety management system for recording and managing risks.

The identified hazards were registered in a hazard record (similar template to the one below) with the safety requirements controlling the associated risk, i.e. reference to additional onboard and trackside equipment as well as to the revised operational procedures.

The revised procedures were monitored, and reviewed when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system.

HZD | Origin | Hazard description | Cause | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status
1 | HAZOP report RX | Opening of doors – risk of passenger fatality | Driver | Driver error through lack of competence or seating position | RU | Training; Cab design | Code of Practice | Partly | Partly closed
2 | HAZOP report RX | Failure of the CCTV – driver cannot see the platform | CCTV | Vandalism; Incorrect/insufficient maintenance | IM | Protection of the equipment; Regular checks | Code of Practice | No | Closed, measures in place

Slide n° 136

5 – Hazard Record – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample of Hazard Record

Description | Safety Measures | Priority Safety/Punctuality | Implementation | Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Status (xx.xx.xx)
Reduced motivation among employees remaining in Company: staff continuing to leave without stop; demotivated / worn out managers | New round of motivational work for the staff, to be performed in smaller groups. Reallocation of funds so that Company gets meaningful tasks to perform. More frequent inspections by track manager. Allocate funds to make sure that key staff stays throughout the process. Give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks. Etc... | High/High | Coordinated by IOP. Regions must look at measures to increase control of tracks, overlap of employees and follow up by line managers. Increased inspections need to be included in the contracts. Etc... | | Company Manager | | | | | Change of conditions of circumstances have reduced this risk significantly. Work environment analysis performed and some training of staff.

Slide n° 137

5 – Hazard Record – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample of Hazard Record

Description | Safety Measures | Priority Safety/Punctuality | Implementation | Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Status (xx.xx.xx)
Subcontractors of the entrepreneurs lacking skill, competency and quality control | Increased demand for documented competence. Systematic control of performed tasks | High/Medium | IM must coordinate. Regions must implement measures for requiring competence and controlling the work | Implemented by contract follow up. Input to revision planning. | Safety manager | | | | | Increased focus on routines for control (2 operative controls per month and operative area)
11: Uncertainty of roles and responsibilities in the interface between Company and IM (Track manager). | Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces. | Medium/Medium | In each region separately | Implemented by maintenance contract and the strategy plan for the reorganisation | Regional directors | | | Safety Manager | | Regions have presented their strategy.

Slide n° 138

5 – Hazard Record – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample of Hazard Record

The Hazard and Risk Analysis was a table describing the identified hazards, evaluating the severity and suggesting risk mitigation/control

This information from the Risk Analysis table was mirrored within the Hazard Record/Log, which also includes additional information on who is responsible for implementing the measure, the deadline for the implementation, who is in charge of verifying the implementation, and the verification of the efficiency of the identified measure(s)

Indeed, for such organisational changes, the efficiency of the identified actions and decisions had to be monitored to verify whether they fully control the considered risk

This is natural, as it may be difficult to foresee and measure the exact result of a safety measure related to an organisational issue (such as training, motivating work for staff, etc.), so the effects have to be followed up closely in a longer process where the analysis is continuously updated

Slide n° 139

5 – Hazard Record – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample of Hazard Record

Therefore, the risk analysis and the hazard record/log were living documents. The efficiency of the decided actions was monitored at regular intervals to check whether the conditions had changed and whether the risk analysis and risk evaluation needed to be updated. They were updated when actions were performed and hazards “closed”. A status field was updated to describe what actions had been taken or were under way

If any circumstances changed compared to the initial context of the risk analysis, the risk analysis and hazard record/log had to be updated to ensure that hazards and risks remained under control

The hazards that could not be closed (as not all the measures could be implemented or verified rapidly) were followed up. Their status was also monitored and rechecked on several occasions (and further dated status columns added to the hazard record/log table) to verify that all the hazards would finally be closed

Slide n° 140

5 – Hazard Record – Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

The identified hazards, the safety measures and the resulting safety requirements issued from the risk assessment and the application of the three risk acceptance principles were registered and managed in a hazard record using a form similar to the table below

HZD | Origin | Hazard description | Cause | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status
1 | HAZOP report RX | Transmission of old and unsafe messages | Radio in-fill controller hardware | | Manufacturer | RAC-TS for Radio In-fill design | Explicit risk estimation | Radio In-fill sub-contractor | Closed
1 | | | Radio in-fill controller software; GSM | | Manufacturer | CENELEC 50128, 50159-2 | Code of Practice | Radio In-fill sub-contractor | Closed
2 | HAZOP report RX | Open transmission medium | Radio in-fill controller; Hacker | Dedicated standards available | Manufacturer | CENELEC 50159-2 | Code of Practice | Radio In-fill sub-contractor | Closed
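As an added example (not code from the slides, from ERA or from any of the projects described), the following Python model implements the hazard record rules set out on Slides n° 127 to 130, 138 and 139 and mirrors the columns of the tables above: hazards are registered by the proposer, exported to the actor in charge and taken over in that actor's own record (exchange of information), safety measures are marked validated, a hazard can only be closed once all of its measures are validated, a change of assumptions re-opens it, and every status change is kept as a dated history entry. All class and function names, the dates and the sample hazard data are assumptions constructed for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional

# Constructed dates for the walk-through (assumptions, not taken from the slides).
ASSESSMENT_DATE = date(2009, 10, 1)
FOLLOW_UP_DATE = date(2010, 1, 15)


class RAP(Enum):
    """The three risk acceptance principles listed on Slide n° 127."""
    CODE_OF_PRACTICE = "Code of Practice"
    REFERENCE_SYSTEM = "Reference System"
    EXPLICIT_RISK_ESTIMATION = "Explicit Risk Estimation"


@dataclass
class SafetyMeasure:
    text: str
    principle: RAP
    validated: bool = False  # measure status "validated or open" (Slide n° 129)


@dataclass
class Hazard:
    hzd: int
    origin: str
    description: str
    actor_in_charge: str
    measures: List[SafetyMeasure]
    exported_to: Optional[str] = None  # "Exported" column: actor the hazard was transferred to
    status: str = "open"  # hazard status "controlled or open" (Slide n° 129)
    history: List[str] = field(default_factory=list)  # dated status entries (Slide n° 139)


class HazardRecord:
    """One actor's hazard record; the proposer's record is the main one (Slide n° 128)."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.hazards: Dict[int, Hazard] = {}

    def register(self, hazard: Hazard, on: date) -> None:
        if hazard.hzd in self.hazards:
            raise ValueError(f"HZD {hazard.hzd} already registered by {self.owner}")
        self.hazards[hazard.hzd] = hazard
        hazard.history.append(f"{on.isoformat()}: registered by {self.owner} ({hazard.status})")

    def export(self, hzd: int, to_actor: str, on: date) -> Hazard:
        """Transfer control of a hazard and its safety measures to another actor."""
        hazard = self.hazards[hzd]
        hazard.exported_to = to_actor
        hazard.history.append(f"{on.isoformat()}: exported by {self.owner} to {to_actor}")
        return hazard

    def receive(self, hazard: Hazard, on: date) -> None:
        """Exchange of information: the same Hazard object is linked into the receiving
        actor's record, so the proposer's main record sees every later status change."""
        if hazard.exported_to != self.owner:
            raise ValueError(f"HZD {hazard.hzd} was not exported to {self.owner}")
        self.register(hazard, on)

    def validate_measure(self, hzd: int, index: int, on: date) -> None:
        measure = self.hazards[hzd].measures[index]
        measure.validated = True
        self.hazards[hzd].history.append(f"{on.isoformat()}: measure validated: {measure.text}")

    def close(self, hzd: int, on: date) -> None:
        """A hazard can only be closed once every safety measure is validated (Slide n° 158)."""
        hazard = self.hazards[hzd]
        pending = [m.text for m in hazard.measures if not m.validated]
        if pending:
            raise ValueError(f"HZD {hzd} still has open measures: {pending}")
        hazard.status = "controlled"
        hazard.history.append(f"{on.isoformat()}: closed by {self.owner}")

    def reopen(self, hzd: int, reason: str, on: date) -> None:
        """Changed assumptions or safety requirements re-open the hazard (Slide n° 130);
        its measures then have to be validated again under the new conditions."""
        hazard = self.hazards[hzd]
        hazard.status = "open"
        for measure in hazard.measures:
            measure.validated = False
        hazard.history.append(f"{on.isoformat()}: re-opened ({reason})")

    def open_hazards(self) -> List[int]:
        return sorted(h for h, hz in self.hazards.items() if hz.status == "open")


def demo() -> HazardRecord:
    """Constructed walk-through based on HZD 1 of the table on Slide n° 134."""
    proposer, ru = HazardRecord("Proposer"), HazardRecord("RU")
    vmax = Hazard(
        hzd=1, origin="HAZOP report RX",
        description="Maximum speed of train set too high (Vmax)", actor_in_charge="RU",
        measures=[
            SafetyMeasure("Approval procedure for onboard configuration data", RAP.EXPLICIT_RISK_ESTIMATION),
            SafetyMeasure("Operational procedure for data entry by the driver", RAP.EXPLICIT_RISK_ESTIMATION),
        ],
    )
    proposer.register(vmax, ASSESSMENT_DATE)
    ru.receive(proposer.export(1, "RU", ASSESSMENT_DATE), ASSESSMENT_DATE)
    ru.validate_measure(1, 0, ASSESSMENT_DATE)
    try:
        ru.close(1, ASSESSMENT_DATE)  # rejected: the second measure is still open
    except ValueError:
        pass
    ru.validate_measure(1, 1, FOLLOW_UP_DATE)
    ru.close(1, FOLLOW_UP_DATE)
    return proposer
```

Because the exported hazard is the same object in both records, the proposer's main record only holds the link and the key safety-related status, while the detailed validation work is done in the RU's record, which is the split of responsibility described on Slide n° 128.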

Slide n° 141

Time schedule for CSM dissemination workshop 2nd day of workshop

2nd day: 10:00 to 16:00

09:30 – 10:45: Demonstration of system compliance with safety requirements

10:45 – 11:00: Coffee Break

11:30 – 12:30: Assessment Body

12:30 – 13:30: Lunch Break

13:30 – 14:00: Internal discussions among representatives of each MS

14:00 – 14:30: Questions/discussion and feedback from those discussions

14:30 – 14:45: Coffee Break

14:45 – 15:45: Presentation of examples: presentations by participants of examples communicated to ERA before the workshop

15:45 – 16:00: Conclusions and close out of the workshop

Slide n° 142

(6) Demonstration of system compliance with the safety requirements

Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment

Slide n° 143

6 – Demonstration of system compliance with safety requirements

For presentation purposes, CSM Process split into 7 topics (see questionnaire)

(1) Introduction

(2) What is a significant change?

(3) Hazard Identification phase;

(4) Risk analysis and evaluation

(5) Hazard Management and Hazard Records;

(6) Demonstration of system compliance with the safety requirements

(7) Independent assessment of correct application of CSM Process by an Assessment Body

[Figure: modular presentation of the CSM process – topics (2) to (7) shown as successive steps, with INDEPENDENT ASSESSMENT (7) and HAZARD MANAGEMENT (5) [Annex III(2)(g) of SD] running alongside the whole process]

Slide n° 144

6 – Demonstration of system compliance with safety requirements – Requirements in CSM Regulation [Chapter 3]

Prior to safety acceptance of change, fulfilment of safety requirements to be demonstrated

Demonstration under supervision of proposer

But each actor responsible for the demonstration of safety requirements for its part of system

Approach chosen for the compliance demonstration and demonstration to be independently assessed by AB

Inadequacies of safety measures or new hazards discovered during demonstration to be reassessed vs. CSM

[Figure: CSM process flow – Preliminary System Definition → Significant Change? → RISK ASSESSMENT (SYSTEM DEFINITION, HAZARD IDENTIFICATION AND CLASSIFICATION, RISK ANALYSIS, RISK EVALUATION vs. Risk Acceptance Criteria, applying Codes of Practice, Similar Reference Systems or Explicit Risk Estimation) → Safety Requirements (i.e. safety measures to be implemented) → Demonstration of Compliance with Safety Requirements; HAZARD MANAGEMENT [Annex III(2)(g) of SD] and INDEPENDENT ASSESSMENT run alongside the whole process]

Slide n° 145

6 – Demonstration of system compliance with safety requirements – Purpose of demonstration

CSM Process safety requirements expected to control identified hazards

System developed against those safety requirements (for technical systems: designed, validated and accepted)

Prior to acceptance of change, need to demonstrate that:

the 3 RAP are correctly applied and actually control the hazards to an acceptable level

therefore the system is actually compliant with the specified safety requirements

[Figure: CSM process flow diagram, as on Slide n° 144]

Slide n° 146

6 – Demonstration of system compliance with safety requirements – Proposer’s Responsibility – Other Actors’ Responsibility

Proposer has overall responsibility for coordinating and managing demonstration of compliance

But each actor, including proposer where relevant, must demonstrate compliance of the sub-system it is responsible for with:

SR allocated to sub-system by proposer

SR transferred to relevant actor by other actors via interfaces

additional and internal SR from safety assessments and safety analyses done at sub-system level

[Figure: SYSTEM LEVEL – all identified safety requirements (SR); Sub-System 1 … Sub-System N each receive Safety Requirements for the SUB-SYSTEM from the Proposer, from Internal Risk Analyses and from other actors via INTERFACES, and pass System Requirements to the Proposer and SR to other sub-systems; everything is registered in the Hazard Record]

Slide n° 147

6 – Demonstration of system compliance with safety requirements – Interface Management – Cooperation for Shared Risks (1/2)

Separation of activities/functions between actors involved in development and operation of railway systems (RUs, IMs, contractors, etc.) can result in risks at interfaces

Concerned actors shall cooperate for managing hazards at INTERFACES (shared risks) [Common understanding and agreement]

Shared risks management shall be coordinated by the Proposer (system view). Proposer allocates responsibilities to actors concerned by relevant interfaces

Safety measures at interfaces to be transferred to the right actors via Hazard Records

Proposer responsible for CSM application as well as for integration of the system under assessment (INTERFACE) into the railway system as a whole

Slide n° 148

6 – Demonstration of system compliance with safety requirements – Interface Management – Notifications to Proposer (2/2)

Notification to Proposer of transferred measures and of non-compliance of safety measures (SM); Proposer informs in turn the actor responsible for the SM

Concerned actor shall inform all other actors affected (system under assessment + existing systems, as far as known)

Slide n° 149

6 – Demonstration of system compliance with safety requirements – Sub-System Safety Analyses (1/4)

To fulfil the SR allocated to each sub-system, the actor in charge shall carry out safety assessments and safety analyses to identify systematically:

all reasonably foreseeable causes within the sub-system contributing to hazards at the level of the system under assessment

safety measures, and resulting SR, at sub-system level expected to control these causes and associated risks to an acceptable level

Register into the Hazard Record all hazards the actor must control + safety measures to be implemented by the actor

Causal Analyses are an example of safety assessments and safety analyses at sub-system level. But other methods can also be used

Slide n° 150

6 – Demonstration of system compliance with safety requirements – Sub-System Safety Analyses (2/4)

Example of Figure A.4 of EN 50129: Definition of hazards with respect to the system boundary

Causes of hazards at level of system under assessment may be considered as hazards at the sub-system level (with respect to sub-system boundary).

[Figure A.4 of EN 50129: CAUSES → Hazard (at System Level) → CONSEQUENCES (Accident k, Accident l); a Cause of a Hazard at System Level, inside the System Boundary, is with respect to the Sub-System Boundary a Hazard at Sub-System Level with its own Cause]

Slide n° 151

6 – Demonstration of system compliance with safety requirements – Sub-System Safety Analyses (3/4)

CSM Process steps can be repeated at each lower-level phase of the CENELEC V-Cycle to derive safety measures and SR to be fulfilled by the next phase:

Hierarchical structuring of Hazards–Causes vs. system & sub-systems

Systematic Hazard Identification & Causal Analysis activities (or any relevant method)

Systematic use of Hazard Records for registering and managing the hazards and safety measures the actor is in charge of

Use of Codes of Practice, similar Reference Systems and Explicit Risk Estimation

Derived sub-system SR need to be implemented and their fulfilment demonstrated by the concerned actor

NB: Proposer responsible for demonstrating compliance with safety requirements at system level

Slide n° 152

6 – Demonstration of system compliance with safety requirements – Sub-System Safety Analyses (4/4)

[Figure: the sub-system allocation structure repeated at each level of the CENELEC V-Cycle – Safety Requirements for Phase N (from Level N, from Internal Risk Analyses, from other actors via INTERFACES) → Safety Measures in Phase N → Safety Requirements for Phase N+1 → Safety Measures in Phase N+1 → Safety Requirements for Phase N+2; SR to other actors at level N+1 and the Hazard Record at Level N hold all identified safety requirements (SR)]

Slide n° 153

6 – Demonstration of system compliance with safety requirements – Independent Assessment by Assessment Body

Approach for demonstrating compliance with SR + demonstration itself independently assessed by AB

If no contractual obligations or MS legal requirements, each actor is free to appoint an AB for the part of the system the actor is in charge of

more than one AB can be involved in the same project

Proposer, with support of its AB, responsible for integrating the different sub-systems and for coordinating the different ABs involved in the project

[Figure: CSM process flow diagram, as on Slide n° 144]

Slide n° 154

6 – Demonstration of system compliance with safety requirements – New Iteration of CSM Process for detected non-compliances

Inadequacies of safety measures or new hazards discovered during demonstration to be reassessed vs. CSM

E.g. the choice of a technical solution for the design of the system or sub-systems, not foreseen by the SR, could create a new hazard

New hazards registered in the Hazard Record

Deviations and/or new hazards considered as new inputs for a new loop in the iterative risk assessment process

[Figure: CSM process flow diagram, as on Slide n° 144]
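As an added example (not code from the slides, from ERA or from any project), the following Python model ties together Slides n° 146 to 149 and 154: safety requirements reach a sub-system from the proposer, from the actor's own sub-system safety analyses or from other actors via interfaces; a transfer at an interface is notified to the proposer, who informs the receiving actor; each actor demonstrates the requirements of its own sub-system; a non-compliance is notified back along the same chain and, together with any hazard discovered during the demonstration, becomes an input for a new iteration of the CSM process, so the change cannot be accepted until every requirement is demonstrated and no new input is pending. All class and function names, the sub-systems, the SR identifiers and their texts are assumptions constructed for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SafetyRequirement:
    sr_id: str
    text: str
    source: str  # "proposer", "internal" or "interface:<actor>" (the three sources on Slide n° 146)
    demonstrated: bool = False
    evidence: str = ""  # reference to the document that demonstrates it (constructed)


@dataclass
class SubSystem:
    name: str
    actor: str  # actor responsible for demonstrating this sub-system's SR
    requirements: Dict[str, SafetyRequirement] = field(default_factory=dict)


class ComplianceDemonstration:
    """Proposer's coordinated view of the demonstration of compliance with the SR."""

    def __init__(self, proposer: str) -> None:
        self.proposer = proposer
        self.subsystems: Dict[str, SubSystem] = {}
        self.notifications: List[str] = []  # messages exchanged between actors (Slide n° 148)
        self.new_inputs: List[str] = []  # deviations / new hazards for the next CSM loop (Slide n° 154)

    def add_subsystem(self, name: str, actor: str) -> None:
        self.subsystems[name] = SubSystem(name, actor)

    def allocate(self, subsystem: str, sr_id: str, text: str) -> None:
        """SR allocated to the sub-system by the proposer."""
        self.subsystems[subsystem].requirements[sr_id] = SafetyRequirement(sr_id, text, "proposer")

    def derive_internal(self, subsystem: str, sr_id: str, text: str) -> None:
        """Additional SR from the actor's own sub-system safety analyses (Slide n° 149)."""
        self.subsystems[subsystem].requirements[sr_id] = SafetyRequirement(sr_id, text, "internal")

    def transfer(self, from_subsystem: str, to_subsystem: str, sr_id: str, text: str) -> None:
        """Safety measure at an interface handed to the actor who must implement it (Slide n° 147):
        the proposer is notified and in turn informs the receiving actor (Slide n° 148)."""
        src, dst = self.subsystems[from_subsystem], self.subsystems[to_subsystem]
        dst.requirements[sr_id] = SafetyRequirement(sr_id, text, f"interface:{src.actor}")
        self.notifications.append(f"{src.actor} -> {self.proposer}: {sr_id} transferred to {to_subsystem}")
        self.notifications.append(f"{self.proposer} -> {dst.actor}: {sr_id} allocated via interface")

    def demonstrate(self, subsystem: str, sr_id: str, evidence: str) -> None:
        """The responsible actor demonstrates compliance of its own sub-system with the SR."""
        sr = self.subsystems[subsystem].requirements[sr_id]
        sr.demonstrated, sr.evidence = True, evidence

    def report_non_compliance(self, subsystem: str, sr_id: str, reason: str) -> None:
        """Non-compliance is notified to the proposer, who informs the actor responsible for
        the measure; the deviation becomes an input for a new risk assessment loop."""
        sub = self.subsystems[subsystem]
        sr = sub.requirements[sr_id]
        sr.demonstrated = False
        owner = sr.source.split(":", 1)[1] if sr.source.startswith("interface:") else self.proposer
        self.notifications.append(f"{sub.actor} -> {self.proposer}: {sr_id} not compliant ({reason})")
        self.notifications.append(f"{self.proposer} -> {owner}: {sr_id} not compliant in {subsystem}")
        self.new_inputs.append(f"deviation on {sr_id}: {reason}")

    def new_hazard(self, subsystem: str, description: str) -> None:
        """A hazard discovered during the demonstration is a new input for the CSM loop (Slide n° 154)."""
        self.new_inputs.append(f"new hazard in {subsystem}: {description}")

    def outstanding(self) -> List[Tuple[str, str]]:
        """(sub-system, SR id) pairs whose compliance has not been demonstrated."""
        return [(name, sr_id) for name, sub in self.subsystems.items()
                for sr_id, sr in sub.requirements.items() if not sr.demonstrated]

    def ready_for_acceptance(self) -> bool:
        """The change may be accepted only when all SR are demonstrated and no new inputs are pending."""
        return not self.outstanding() and not self.new_inputs


def demo() -> ComplianceDemonstration:
    """Constructed walk-through loosely following the radio in-fill example (Slides n° 140 and 161);
    the sub-systems, SR ids and their texts are assumptions."""
    d = ComplianceDemonstration("Proposer")
    d.add_subsystem("radio-infill", "Manufacturer")
    d.add_subsystem("onboard", "RU")
    d.allocate("radio-infill", "SR-1", "No transmission of old or unsafe messages")
    d.derive_internal("radio-infill", "SR-1a", "Software developed to CENELEC 50128 and 50159-2")
    d.transfer("radio-infill", "onboard", "SR-2", "Onboard discards messages older than the last accepted one")
    d.demonstrate("radio-infill", "SR-1", "RAC-TS hardware failure analysis (constructed reference)")
    d.demonstrate("radio-infill", "SR-1a", "software safety case (constructed reference)")
    d.report_non_compliance("onboard", "SR-2", "message age check not present in the onboard release")
    return d
```

The `new_inputs` list is deliberately only emptied by a new iteration of the process, not by the demonstration step itself: a deviation found late is fed back into the risk assessment, and acceptance stays blocked until that loop has been closed and the requirement demonstrated again.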

Slide n° 155

6 – Demonstration of system compliance with safety requirements – Correspondence between CSM and CENELEC

[Figure: CENELEC lifecycle phases (V-Cycle) set against the boxes of the CSM process]

CENELEC phases: 1 Concept; 2 System Definition & Application Conditions; 3 Risk Analysis; 4 System Requirements; 5 Apportionment of System Requirements; 6 Design and Implementation; 7 Manufacture; 8 Installation; 9 System Validation (including Safety Acceptance and Commissioning); 10 System Acceptance; 11 Operation and Maintenance; 12 Performance Monitoring; 13 Modification and Retrofit; 14 De-commissioning and Disposal

CSM boxes (BOX 1 to BOX 4): Preliminary System Definition in CSM's; CSM's for RISK ASSESSMENT; Safety Requirements; Demonstration of Compliance with the Safety Requirements; plus Re-application of the CSM

[Figure: CSM process flow diagram, as on Slide n° 144]

Slide n° 156

Application to practical examples

Slide n° 157

6 – Demonstration of system compliance with safety requirements – Operational change – Driver Only Operated Train (DOO)

Demonstration of the system compliance with safety requirements:

system implemented vs. identified safety requirements (additional equipment and revised procedures to enable Driver’s Only Operation)

the revised operational procedures are then introduced in the RU safety management system

the correct application by the Driver of the revised procedures, and their efficiency, is monitored and reviewed, when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system, i.e. that the procedures and their application are appropriate to ensure a sufficient level of safety without onboard staff

Slide n° 158

6 – Demonstration of system compliance with safety requirements – Organisational change – Outsourcing of a maintenance branch of an IM

Demonstration of the system compliance with safety requirements:

Risk Analysis and Hazard Record show that hazards cannot be closed until they are verified and it is demonstrated that the safety requirements (i.e. selected safety measures) are implemented.

Risk Analysis and Hazard Record are living documents. The efficiency of decided actions is monitored at regular intervals to check if the conditions are changed and if the Risk Analysis and Risk Evaluation need to be updated.

Slide n° 159

6 – Demonstration of system compliance with safety requirements – Outsourcing of a maintenance branch of an IM – Sample of Hazard Record

(Same hazard record table as on Slide n° 136)

Slide n° 160

6 – Demonstration of system compliance with safety requirements – Outsourcing of a maintenance branch of an IM – Sample of Hazard Record

(Same hazard record table as on Slide n° 137)

Slide n° 161

6 – Demonstration of system compliance with safety requirements – Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system

Demonstration of the system compliance with safety requirements:

follow up of the implementation of the safety requirements through the development process of the "radio infill + GSM” sub-system;

verification that the system, as designed and installed, is compliant with the safety requirements.

This includes follow-up during design and V&V of Radio In-fill of all requirements from CoP (CENELEC 50128 & 50159-2 for software of Radio In-fill) + demonstration of achievement of RAC-TS for random hardware failures of Radio In-fill sub-system

Slide n° 162

Discussions/Questions

Slide n° 163

(7) Assessment Bodies

Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment

Slide n° 164

7 – Assessment Bodies – Verifying the change

An independent assessment of the complete risk management process undertaken by the proposer should be undertaken by an independent body to verify the change and the demonstration of compliance

Slide n° 165

7 – Assessment Bodies – WHO acts as assessment body?

Independent and competent person, organisation or entity (Article 3(14))

Open to NSA, NOBO, External or In-house ISA meeting the criteria identified in Annex II of the regulation

BUT need to take into account the tasks allocated to NSA and NOBO in Directive 2004/49/EC and Directive 2008/57/EC

Slide n° 166

7 – Assessment BodiesWHY & WHEN are they needed?

Support the proposer's decision to accept significant changes by ensuring the correct application of the risk management process

Support and facilitate the mutual recognition of the results of the application of the CSM on risk assessment

Although it is not explicitly a requirement of the CSM, the assessment body should be involved early on in the project


Slide n° 167

7 – Assessment Bodies: WHAT do they do?

Their assessment will include:

the system definition

the hazard identification and risk analysis

the risk evaluation

the demonstration of compliance with the safety requirements, including the chosen approach

They do not need to check the evaluation of the significance of the change

The assessment body will provide the proposer with a Safety Assessment Report

The report will:

set out its findings on the review of the risk management process

confirm whether the system under assessment meets the requirements and can be used safely


Slide n° 168

7 – Assessment Bodies: WHAT do they do? (continued)

The report will:

support the proposer's decision to accept the change

provide evidence to the NSA that the proposer has correctly applied the CSM process, particularly if the change relates to an authorisation to place structural sub-systems into service

be useful in any inspections that the NSA undertakes in relation to the SMS and the application of the CSM

Slide n° 169

7 – Assessment Bodies: Interfaces

The management of interfaces is key throughout the development of the project

If more than one assessment body is involved, the proposer will need to co-ordinate the activities of the bodies

This co-ordination can:

help with interface management

be useful before switching over from one step of the risk assessment to the next one

Duplication of work in terms of independent assessment shall be avoided – reports shall not be called into question


Slide n° 170

7 – Assessment Bodies: What are the criteria for their selection?

Independent from the design, manufacture, construction, marketing, operation or maintenance of the system

Professional integrity

Competent (skills, training, knowledge and experience) to perform the tasks required of them

Civil liability insurance

Commercial confidentiality


Slide n° 171

7 – Assessment Bodies: Ongoing work from the Task Force

The interface between independent assessment and conformity assessment (for safety certification/authorisation and EC verification of sub-systems) has been identified – no answer yet to the "WHO?"

HOW?

Expected to define a methodology for carrying out independent safety assessment

Expected to define a scheme for the voluntary accreditation of Assessment Bodies or, alternatively, recognition by NSAs

Timetable:

First position paper on the role and responsibilities of Assessment Bodies by the end of the year

Feed into the revision of the CSM on risk assessment planned in 2011


Slide n° 172

Discussions/Questions

Slide n° 173

(8) Conclusions

Dissemination of the Commission Regulation on Common Safety Methods (CSM) onRisk Evaluation and Risk Assessment

Slide n° 174

Many thanks for your attention!
