Slide n° 1
Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment
Dissemination of Commission Regulation on CSM on Risk Assessment
Slide n° 3
Purpose and Organisation of the workshop
Purpose of the workshop:
Explain to concerned actors of the railway sector the risk assessment and risk management process defined in the Commission Regulation (EC) N°352/2009
Steps for the workshop:
1st Step: transmit a pre-workshop questionnaire to all participants
2nd Step: collect answers to that pre-workshop questionnaire to orientate the workshop to specific needs of the visited Member States
3rd Step: visit to Member States and presentation of CSM process
Presentation of CSM process split into an “INTRODUCTION” + “6 Modules” (see next slides)
Slide n° 4
Modular Presentation
For presentation purposes, CSM Process split into 7 topics (see questionnaire)
(1) Introduction
(2) What is a significant change?
(3) Hazard Identification phase;
(4) Risk analysis and evaluation
(5) Hazard Management and Hazard Records;
(6) Demonstration of system compliance with the safety requirements
(7) Independent assessment of correct application of CSM Process by an Assessment Body
[Diagram: the CSM risk management process with topics (2) to (7) mapped onto its steps; side bars "INDEPENDENT ASSESSMENT" and "HAZARD MANAGEMENT [Annex III (2)(g) of SD]"]
Slide n° 5
Time sharing of the two days of the workshop
Presentation by the Agency of each module
Explanation of the requirements in the CSM Regulation (theory)
Presentation of the application of those CSM requirements to practical examples (concrete cases of risk assessment)
Relevant “QUESTIONS” from the participants on the presented module & “ANSWERS” by the Agency
At the “end of the 1st day” and at the “end of the module presentations on the 2nd day”, all actors of the same Member State are asked to meet for “internal discussions among representatives of the MS” (brainstorming), followed by a session of Questions/Answers (debriefing)
Slide n° 6
Inputs from the participants of the workshop: Pre-workshop Questionnaire and Presentations of RA examples
In order to tailor CSM dissemination to the specific expectations of visited Member States, the Agency sends to participants via their NSA a pre-workshop “QUESTIONNAIRE”:
Purpose: enable the Agency to collect any useful information (e.g. real case examples, existing ways to fulfill CSM requirements, etc.) from the railway sector in the relevant Member States and thus to improve the exchange of ideas and points of view during the dissemination exercise. For the success of the workshop, it is important that the participants answer the questionnaire.
Presentation by the participants (having sent examples) of “real case examples of risk assessment” accompanied by a discussion of differences vs. CSM Process and explanation by Agency of the requirements in the CSM linked to those differences
Slide n° 7
Overall outputs of the CSM dissemination exercise
1st step: via both the “pre-workshop questionnaire” and the “8 CSM dissemination workshops” collect railway sector experience and feedback on risk assessment, their ideas and suggestions for improving CSM Regulation and/or associated guides
2nd step: continue CSM dissemination exercise by a review of and feedback based on real case examples of changes to railway system where CSM process is applied (coordination with NSA)
2011: use results from “dissemination workshops” + from “review of real case examples” (i.e. 2nd step of CSM dissemination) for writing a report on experience with application of “CSM on Risk Assessment”. This report is to be submitted to the Commission by end of 2011. It is intended to serve as a basis for improving the CSM Regulation and/or the associated guides for application of CSM
Slide n° 8
Number of workshops

When                Group   Group composition (Member State)   Location
June 2009           1       DK FI NO SE                        Stockholm
September 2009      2       AT CH DE SL                        Maribor
October 2009        3       CZ HU PL SK                        Prague
November 2009       4       BE FR LU                           Amiens
February 2010       5       BG EL RO                           Sofia
March 2010          6       NL IE UK                           Utrecht
April 2010          7       IT PT ES                           Madrid
May 2010            8       EE LV LT                           Riga
Concluding Seminar  N/A     All EU Member States               Agency
Slide n° 9
European Railway Agency: Presentation of the team involved in the dissemination
ERA Team involved in dissemination of CSM on risk assessment:
Karen DAVIES (Safety Certification Sector in SU of ERA)
Nathalie DUQUENNE (Safety Assessment Sector in SU of ERA)
Maria ANTOVA (Safety Assessment Sector in SU of ERA)
Thierry BREYNE (Head of Safety Assessment Sector in SU of ERA)
Christophe CASSIR (Safety Assessment Sector in SU of ERA)
Dragan JOVICIC (Safety Assessment Sector in SU of ERA)
Slide n° 11
Time schedule for CSM dissemination workshop: 1st day of workshop
1st day: 10:00 to 18:00
09:00–10:00: Welcome
10:00–10:45: Opening of Workshop & Introductory Presentations
10:45–11:00: Coffee Break
11:00–12:30: Significant Changes
12:30–13:30: Lunch Break
13:30–14:30: Hazard Identification
14:30–15:45: Risk Analysis and Evaluation + Examples from participants
15:45–16:00: Coffee Break
16:00–16:30: Hazard Record
16:30–17:15: Internal discussions among representatives of each MS
17:15–18:00: Questions/discussion and feedback from those discussions
Slide n° 12
Time schedule for CSM dissemination workshop: 2nd day of workshop
2nd day: 10:00 to 16:00
09:30–10:45: Demonstration of system compliance with safety requirements
10:45–11:00: Coffee Break
11:30–12:30: Assessment Body
12:30–13:30: Lunch Break
13:30–14:00: Internal discussions among representatives of each MS
14:00–14:30: Questions/discussion and feedback from those discussions
14:30–14:45: Coffee Break
14:45–15:45: Presentation of examples: presentations by participants of examples communicated to ERA before the workshop
15:45–16:00: Conclusions and close out of the workshop
Slide n° 14
1 – Introduction: Content of presentation
A. Role of the European Railway Agency
B. Overview of the Commission Regulation on CSM on Risk Assessment
C. Guides for the application of the CSM Regulation
D. 6 Detailed Presentations for different steps in CSM Process
E. First Example for CSM Application: operational change
F. Second Example for CSM Application: organisational change
G. Third example for CSM Application: change of a technical system
Slide n° 16
The objectives of the European Union are...
... to open the railway market to competition for the rail transport services and the railway supply industry!
... to make railways business oriented and competitive! Hence the need for technical harmonisation (interoperability)
... to prevent the sector from using safety as a barrier to market access or an excuse to resist change!
Some cornerstones in EC law for achieving those goals:
Separation of former vertically integrated railway companies into IMs and RUs
Moving the railways from self-regulation to regulation by public authorities
Introducing a framework for entry into the market for railway undertakings (licensing and safety certification)
Maintaining at least, and increasing when reasonably practicable, the existing level of safety and creating a basis for mutual trust through the development of common approaches to safety, taking into account the competitiveness of railways
Transparency of safety data and CSI, definition of CST and CSM
Slide n° 17
Need for support at Community level: establishment of the European Railway Agency
The technical harmonisation (interoperability) and the development of CSTs, CSMs and CSIs, as well as the need to facilitate progress towards a common approach to railway safety, require technical support at Community level.
The European Railway Agency (ERA) was therefore set up with the aim of helping to create this integrated railway area by establishing a European approach to railway safety (Safety Directive 2004/49/EC) and interoperability (Interoperability Directive 2008/57/EC).
Slide n° 18
Main tasks of European Railway Agency: Interoperability (TSIs) and Harmonised approach to Safety
Develop economically viable common technical specifications (TSIs), including a unique ERTMS signalling solution, and
Develop harmonised approaches to safety. To this end the Agency:
issues recommendations concerning CSTs, CSMs, CSIs and further harmonisation measures/processes
monitors the development of railway safety in the Community
To take this forward, the Agency is working closely with railway sector stakeholders, national authorities and other concerned parties, as well as with the European institutions
All of the Agency’s work is aimed at facilitating the growth and development of freight and passenger traffic by harmonising safety processes and technical procedures and by reducing delays caused by incompatible national systems
Slide n° 19
A – Role of the European Railway Agency: Legal basis for the Agency’s work
The Agency’s tasks and, hence, its organisational structure are based on mainly three components:
European Directives (Railway Safety Directive, Interoperability Directives, …)
Work Programme (annually adopted by the Administrative Board)
Regulation (EC) N° 881/2004 (Agency Regulation)
Slide n° 20
A – Role of the European Railway Agency: Organisation Chart of the Agency
Slide n° 21
A – Role of the European Railway Agency: Agency Tasks (1/3)
Agency is System Authority
Steering ERTMS activities, seeking for operational harmonisation, ensuring change control management
Technical Specifications for Interoperability (TSIs)
Operational Interoperability (TSI OPE, Vocational Competences, 1520-System, etc.)
Economic Studies for European funded infrastructure projects
Impact Analyses for the operational Units
Equivalence of national rules with basic parameters in TSIs
Processes of placing vehicles into service and their alignment with the Interoperability Directive
Slide n° 22
A – Role of the European Railway Agency: Agency Tasks (2/3)
Safety Regulation
Validation and registration of the notifications of national safety rules, including an analysis of their mode of publication
Technical advice on new national safety rules and on safety-related aspects
Safety Reporting
Elaboration of common safety indicators as well as monitoring and analysis of the development of safety on Europe’s railways, including dissemination of information
Common methods and approaches to accident investigation
Safety Certification
Common Safety Method for Conformity Assessment
Development of a migration strategy towards a single Community certificate
Certification Scheme for the Entity in Charge of Maintenance
Slide n° 23
A – Role of the European Railway Agency: Agency Tasks (3/3)
Safety Assessment
CSM for risk assessment
CSM on monitoring
Methodology for calculating and assessing the achievement of safety targets for EU Member States
Definition, for each Member State, of their respective safety targets including their assessment
Horizontal Activities
Support to the national safety authorities and investigating bodies to facilitate their exchange of information and harmonisation of decision making criteria by setting up networks and task forces
Public databases of safety related documents such as safety certificates, licences, national safety rules, investigation reports and indicators
Slide n° 24
A – Role of the European Railway Agency: Governance and Control
The Agency is controlled by an Administrative Board and has some binding principles for its work
The Administrative Board
1 representative per Member State
4 Commission representatives
6 representatives of sector organisations (railway undertakings, infrastructure managers, railway industry, trade unions, passengers, freight customers) – no voting rights
Norway and Iceland – no voting rights
The Working Principles
Budgetary and financial control with regular evaluation of all work
Transparency and public access to documents
Neutrality and impartiality
Slide n° 25
A – Role of the European Railway Agency: Involvement of the Railway Sector
Article 3 of Agency Regulation (EC) N° 881/2004 obliges Agency to set up working groups according to tasks given in regulation and by Agency Work Programme.
Sector Associations are asked to send experts to participate and contribute.
[Diagram: Agency Working Parties (including the Network of National Safety Authorities and the Network of National Investigation Bodies, …) staffed by Railway Sector Experts from sector organisations acting at European level* (UNIFE, CER, EIM, UITP, UIP, UIRR, ERFA, ETF, ALE) and by National Safety Authorities’ experts]
* List established by Article 21 Committee on 22 February 2005
Slide n° 26
A – Role of the European Railway Agency: Decision Process (Comitology)
No decision power for the Agency. The Agency gives recommendations to the Commission and technical opinions upon specific request!
[Diagram: Agency Recommendation prepared within the European Railway Agency through a Working Party (CER, EIM, UNIFE, NSA, ...), the NSA Network, Social Partners, Passengers/Customers and internal reconcilement; then Commission / RISC, Parliament Scrutiny, Adoption]
Slide n° 28
B – Overview of Commission Regulation on CSM on Risk Assessment: Status
Sept 05: Kick off meeting of the CSM WG (15 NSA, 5 CER, 2 EIM, 3 UNIFE, 1 UITP) – Work program of the WG
2006: Survey and inputs from CSM WG members
2007:
o CSM recommendation drafted by the Agency with support of a dedicated TF – Reviews by the WG.
o Consultation of the social partners
o Dec 07: ERA recommendation to the EC
Slide n° 29
B – Overview of Commission Regulation on CSM on Risk Assessment: Status
2008:
o Discussion within the RISC and dedicated workshop organised by the EC (technical support from the Agency)
o Positive opinion of the RISC in November 08
2009:
o Scrutiny of the EU parliament
o Publication of the EC regulation (n° 352/2009) in the OJ (L108) of 24 April 09
o Dissemination by the Agency
Slide n° 30
Terminology: Terms in CSM Regulation – Terms in CENELEC

Terms in CSM Regulation                                   Terms in CENELEC
Safety Directive 2004/49                                  EN 50126-1
Infrastructure Manager (IM) / Railway Undertaking (RU)    Railway Authority
National Safety Authority (NSA)                           Safety Regulatory Authority
Supplier/Manufacturing Industry                           Railway Support Industry
Slide n° 31
B – Overview of Commission Regulation on CSM on Risk Assessment: Link of CSM to Article 9 in Safety Directive 2004/49/EC
Article 9 requires that "IM and RU shall establish their SMS..."
Basic elements of SMS in Annex III of Safety Directive 2004/49/EC
One of the SMS processes in Annex III
Annex III(2)(d): "Procedures and methods for carrying out risk evaluation and implementing risk control measures whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations"
RU and IM SMS will thus achieve compliance with the procedures and methods required by the associated "conformity assessment criteria" [developed by ERA Safety Certification Sector] by referring to the CSM on Risk Assessment
Slide n° 32
B – Overview of Commission Regulation on CSM on Risk Assessment: Link of CSM to Article 15 in Interoperability Directive 2008/57/EC
Article 15 requires among others that before authorising "the placing into service of those structural subsystems constituting the rail system which are located or operated in its territory", "in particular" the Member State "shall check":
"the technical compatibility of these subsystems with the system into which they are being integrated",
"the safe integration of these subsystems in accordance with Articles 4(3) and 6(3) of Directive 2004/49/EC".
Article 6(3)(a) of Directive 2004/49/EC: "The CSMs shall describe how the safety level, and the achievement of safety targets and compliance with other safety requirements, are assessed by elaborating and defining risk evaluation and assessment methods"
Article 4(3) of Directive 2004/49/EC:
"Member States shall ensure that the responsibility for the safe operation of the railway system and the control of risks associated with it is laid upon the infrastructure managers and railway undertakings,..."
"Without prejudice to civil liability in accordance with the legal requirements of the Member States, each infrastructure manager and railway undertaking shall be made responsible for its part of the system and its safe operation,"
Article 6(3)(a) of SD referred to also in Articles 23(5) and 25(4) of ID
Slide n° 33
B – Overview of Commission Regulation on CSM on Risk Assessment: Strategy for developing CSM based on existing methods in EU
Two main considerations taken into account for developing 1st Set of CSM
Harmonise a common approach for safety assessments based on existing safety assessment methods in EU. Therefore:
As the Railway Sector already has a strong safety culture, freedom is left to each organisation to use its already approved Risk Assessment Methods/Tools/Techniques
CSM provide Common Principles but do not fix the Tools (e.g. FTA, FMECA)
CSM privilege the use of standards and reference systems
Advice on Risk Assessment “tools” is given in a guideline developed alongside the CSM
Railway being organised into RU & IM, all activities at the interfaces between the different actors must be managed carefully
Clear identification of the different actors’ responsibilities
Facilitate mutual recognition of results from risk assessments. This requires harmonisation of:
risk management process;
exchange of safety related information between actors for managing the safety across the different interfaces;
evidence resulting from application of risk management process
Slide n° 34
B – Overview of Commission Regulation on CSM on Risk Assessment: WHO shall apply the CSMs? Proposer
The risk management process described in the CSM shall be applied by the person in charge of implementing the change under assessment. This person is referred to in CSM Regulation as the "proposer".
The proposer can be one of the following actors:
(a) the Railway Undertakings and Infrastructure Managers in the framework of the risk control measures they have to implement in accordance with Article 4 of the Safety Directive 2004/49/EC;
(b) the contracting entities or the manufacturers when they invite a notified body to apply the "EC" verification procedure in accordance with Article 18(1) of the Interoperability Directive 2008/57/EC or the applicant of an authorisation for placing in service of vehicles;
Where necessary, the proposer shall ensure, through contractual arrangements, that suppliers and service providers, including their subcontractors, participate in the risk management process described in the CSM.
Slide n° 35
B – Overview of Commission Regulation on CSM on Risk Assessment: Risk Management Process and Independent Assessment
Iterative Risk Management Process “triggered” by a Significant Change
Basically CSM is an iterative process made of 3 steps:
(a) Identification of hazards, associated safety measures and resulting safety requirements
(b) Risk analysis and risk evaluation based on existing risk acceptance principles
(c) Demonstration of the system compliance with the identified safety requirements
Additional requirements for mutual recognition:
(a) Hazard Management
(b) Independent Assessment (Assessment Body)
[Diagram of the process: Preliminary System Definition, Significant Change?, SYSTEM DEFINITION², RISK ASSESSMENT (HAZARD IDENTIFICATION AND CLASSIFICATION, RISK ANALYSIS, RISK EVALUATION vs. Risk Acceptance Criteria, using the risk acceptance principles Codes of Practice, Similar Reference Systems and Explicit Risk Estimation), Safety Requirements (i.e. safety measures to be implemented), Demonstration of Compliance with Safety Requirements; side bars "INDEPENDENT ASSESSMENT" and "HAZARD MANAGEMENT [Ax III (2)(g) of SD]"]
Slide n° 36
B – Overview of Commission Regulation on CSM on Risk Assessment: Entry into force
CSM Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union;
CSM Regulation shall apply in two steps:
(a) from 19 July 2010
(1) to all significant changes affecting vehicles, as defined in Article 2(c) of Directive 2008/57/EC;
(2) to all significant changes concerning structural sub-systems, where required by Article 15(1) of Directive 2008/57/EC or by a TSI;
(b) from 1 July 2012 to the whole scope as referred to in Article 5(1) of CSM Regulation, i.e. to other technical systems, operational and organisational changes considered to be significant by application of paragraph 2 in Article 4 of CSM Regulation;
In order to gain experience and enable the Agency to get feedback for reviewing the CSM at the latest at the end of 2011, the actors of the railway sector should apply the CSM Regulation on a voluntary basis to other changes (technical, operational and organisational) from 1 July 2010;
CSM Regulation shall not apply to systems and changes that are at an advanced stage of development, as defined in Directive 2008/57/EC, at the date of entry into force of the Regulation [Article 2(4) in CSM Regulation].
Slide n° 38
C - Guides for the application of the CSM Regulation: How was it elaborated?
During the elaboration of the CSM Recommendation, ERA worked in parallel on a "Guidance for Use" for supporting the CSM Recommendation;
Inputs for the "CSM Guidance for Use" [purely informative and not legally binding] were collected during CSM WG and CSM TF meetings, where members asked to describe further in the "Guidance for Use" requirements that could not be detailed at length in a legal text;
According to those requests, as well as to questions raised within internal ERA meetings, ERA elaborated an initial "Guidance for Use" and updated it against the different versions of the Agency CSM recommendation and Commission Regulation;
ERA regularly reported the progress on guidance for use to CSM WG during the plenary meetings;
Based on the content of the "Guidance for Use", CSM WG and ERA then agreed to split the "Guidance for Use" into two new separate documents:
1st document: "Guide for the Application of the Commission Regulation on CSM on Risk Assessment"
2nd document: "Collection of Examples of Risk Assessments and some possible Tools supporting the CSM"
Slide n° 39
C - Guides for the application of the CSM Regulation: Complementarities between Guide and Collection of RA examples
Structure of both documents mapped on the regulation;
[GUIDE]
Provides general comments and explanations that could not be put in the legal text. ERA has taken care not to introduce any new requirement via the document that is not already identified in the CSM Regulation;
[Guide] is more static and would not be modified unless the CSM process needs to be updated;
[COLLECTION OF EXAMPLES]
Provides additional information (e.g. reference to standards or possible ways to address the requirements of the CSM) and examples of risk assessments performed in the railway sector before the existence of the CSM;
Document offers the possibility to be updated with first implementations of CSM process and any useful tools and techniques, or examples of RA, that could help other actors to apply the CSM;
Slide n° 40
C - Guides for the application of the CSM Regulation: Complementarities between Guide and Standards
[Diagram comparing the Current Situation with the Future Situation; boxes: EC Regulation, Guide, Collection of Examples]
Slide n° 42
D. Detailed Presentation of CSM Process: Go through different steps of CSM Process
For presentation purposes, CSM Process split into 7 topics (see questionnaire)
(1) Introduction
(2) What is a significant change?
(3) Hazard Identification phase;
(4) Risk analysis and evaluation
(5) Hazard Management and Hazard Records;
(6) Demonstration of system compliance with the safety requirements
(7) Independent assessment of correct application of CSM Process by an Assessment Body
[Diagram: the CSM risk management process with topics (2) to (7) mapped onto its steps; side bars "INDEPENDENT ASSESSMENT" and "HAZARD MANAGEMENT [Annex III (2)(g) of SD]"]
Slide n° 43
F. 1st example for CSM Application - Operational Change: Driver only operated train
1st example: operational change - System Definition
RU has decided to operate trains with Driver alone (Driver Only Operated train – DOO) on a route where previously there was an onboard guard to assist the driver with the train dispatching
Description of existing system: “explain clearly which tasks were performed by driver and which other ones were carried out by onboard staff (or guard) to assist the driver”
Description of change of driver's responsibilities due to removal of onboard assisting staff, “e.g. door closing before train departure”
Definition of additional technical requirements for system to cover needed changes in Driver Only Operation
Describe existing interfaces between onboard assisting staff, train driver and trackside staff of infrastructure manager
Slide n° 44
G. 2nd example for CSM Application - Organisational Change: Outsourcing of a maintenance branch of an IM
2nd example: organisational change - System Definition
A branch of an IM organisation, that was performing until the change some maintenance activities (other than signalling and telematic), had to be put in competition with other companies working in the same field. Direct impact: need for downsizing and redistribution of staff and tasks within the detached branch of the IM organisation put in competition
description of tasks performed by existing organisation (i.e. by IM organisation before making the change)
description of changes planned in IM organisation to cope with subcontractors’ management
the interfaces of "branch to be detached" with other surrounding organisations or with physical environment were only briefly described. The boundaries were not 100 % clearly presented
Slide n° 45
G. 2nd example for CSM Application - Organisational Change: Outsourcing of a maintenance branch of an IM
2nd example: organisational change – Concerns for IM
IM staff affected by the change was in charge of emergency maintenance and repairs required by sudden errors on the infrastructure. Staff was also performing some planned or project based maintenance activities such as track packing, ballast cleaning, vegetation control
IM considered these tasks critical for safety and punctuality of operation; they must be analysed in order to find the right measures which ensure that the situation does not deteriorate, as many of the staff in charge of safety matters were leaving the IM organisation for the outsourced company
Same level of safety and train punctuality needed to be maintained during and after the change of the IM organisation
Slide n° 46
E. 3rd example for CSM Application - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
3rd example: Change to a Technical System - System Definition
[Diagram. Existing technical system: Trackside Loop with Trackside Encoder; (1) Release the signal; (2) Extension of Movement Authority (MA). Intended Change: Radio In-fill Controller/Modem and GSM with Trackside Encoder, providing the same functions (1) Release the signal and (2) Extension of Movement Authority (MA)]
Slide n° 47
E. 3rd example for CSM Application - Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
3rd example - System Definition:
description of existing system: “loop + trackside encoder whose function in CCS is to release signal RG on approach of a train when section behind the signal is released by preceding train”
description of change planned by the proposer and the manufacturer: “replace trackside loop by Radio-Infill + Radio Controller + GSM to achieve same function”
Slide n° 48
(2) Significant Change
Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment
Slide n° 49
2 – Significant Change: First Step in CSM Process
For presentation purposes, CSM Process split into 7 topics (see questionnaire)
(1) Introduction
(2) What is a significant change?
(3) Hazard Identification phase;
(4) Risk analysis and evaluation
(5) Hazard Management and Hazard Records;
(6) Demonstration of system compliance with the safety requirements
(7) Independent assessment of correct application of CSM Process by an Assessment Body
[Diagram: the CSM risk management process with topics (2) to (7) mapped onto its steps; side bars "INDEPENDENT ASSESSMENT" and "HAZARD MANAGEMENT [Annex III (2)(g) of SD]"]
Slide n° 50
2 – Significant Change: WHEN shall the CSMs be applied [Article 2]?
Applies to any change of the railway system in a Member State, as referred to in point (2)(d) of Annex III to Safety Directive 2004/49/EC, which is CONSIDERED TO BE SIGNIFICANT
Annex III(2)(d): requires that RU/IM SMS has "procedures and methods for carrying out risk evaluation ... whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations"
Such changes may be of technical, operational or organisational nature.
CSM shall be applied only to assess "predictively" the safety of significant changes of the railway system in a MS
CSM process needs not to be applied for non significant changes
[Diagram of the risk management process: Preliminary System Definition; Significant Change? (I), i.e. must CSM be applied or not?; RISK ASSESSMENT; Demonstration of Compliance with Safety Requirements; labels (II) and (III); side bars "INDEPENDENT ASSESSMENT" and "HAZARD MANAGEMENT"]
Slide n° 51
When the notified national rules do not define what a significant change is, the proposer evaluates the significance of the change based on expert judgement and the criteria in the CSM.
First check whether the change is safety related:
1) NOT safety-related → not significant → no CSM, but record the decision;
2) YES safety-related → use the other criteria to evaluate whether the change is significant.
The proposer should analyse all criteria and decide on their importance, but could take the decision based on only one or some of them.
2 – Significant Change: WHAT is a significant change? NR (if any) or expert judgement based on criteria
Article 4 of CSM Regulation
[Flowchart: Change → Safety relevance: is it safety related? No → C: Not significant (record the decision). Yes → when there are no notified national rules, expert's judgement based on the other criteria: 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ of non significant changes)? Favourable answers → B: Not significant (record and justify the decision) (PRA); otherwise → A: Significant change, triggers CSM application. Note: evaluate the Σ of previous non significant changes.]
Slide n° 52
2 – Significant Change: RU/IM SMS – "Daily life" safety management
The process of deciding on a change will be set out in the SMS.
Even for non significant safety related changes, the decisions need to be recorded (could be an SMS process).
This helps the NSA in their supervisory role [e.g. preliminary risk analyses, risk analyses, justifications and arguments proportionate to the risk need to be documented].
The CSM Regulation does not require the assessment body to check the evaluation of significance.
Slide n° 53
2 – Significant Change – Discussions/Questions: Use of criteria in CSM Regulation on some examples of changes
The Agency and a taskforce of experts from the railway sector analysed typical examples of borderline cases.
The analysis has shown that:
it is not possible to identify harmonised thresholds or rules;
it is not possible to provide an exhaustive list of significant changes;
decisions are unlikely to be the same for all proposers.
The responsibility for the decision lies with the proposer, who is responsible [in accordance with Article 4(3) of Railway Safety Directive 2004/49/EC] for the safe operation and the control of risks associated with their part of the system.
Feedback from the application of the CSM will help the Agency to decide whether a revision of the criteria and process is needed.
Slide n° 55
2 – Significant Change: Example of application of criteria on significant changes (1/2)
Telephone message for controlling a level crossing
[Diagram: Operators A and B on either side of a manual level crossing (LC). Existing exchange: Tone 1 sent by Operator A, confirmed by the Level Crossing Operator and by Operator B; Tone 2 sent by Operator B, confirmed by the Level Crossing Operator and by Operator A.]
Change: at a manually operated level crossing, modify the way signalmen communicate the information about the direction of a coming train to the level crossing operator.
Change: the tone is replaced by a vocal message, confirmed by both the other signalman and the level crossing operator.
Slide n° 56
2 – Significant Change: Example of application of criteria on significant changes (2/2)
Telephone message for controlling a level crossing
● Existing: train direction info in the ringing tone.
● Change: the old telephone is obsolete and replaced by a digital telephone that has no ringing tone → direction info by an operational procedure: the signalman informs both the level crossing operator and the other signalman of the direction of the coming train; the information is checked against the timetable and acknowledged by both the level crossing operator and the other signalman.
● This may suggest that the change is not significant;
● Some safety analysis or argument is anyway necessary to show that, for this safety critical task, replacing an old technical system by an operational procedure (with personnel cross-checking each other) would lead to a similar level of safety;
● Ultimate question: would full CSM application (including hazard record, independent assessment, etc.) bring any added value towards safe and efficient management of the change?
[Flowchart of slide 51 repeated: safety relevance, then the other criteria (1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality?), leading to A: Significant change or B/C: Not significant]
Slide n° 57
2 – Significant Change – Operational Change: Driver Only Operated Train (DOO)
● Change description: operate trains by the driver alone (DOO) on a route where previously there was an onboard guard to assist the driver with train dispatching.
● Significant change? (need to cover all questions):
Safety relevant? YES: completely different way of managing train service operation.
Low novelty? NO: driver's responsibility extended, requiring new tasks.
Low complexity? NO: driver's errors could lead to catastrophic consequences.
● Consequence: apply CSM Process.
[Flowchart: Change: Driver Only Operation → is it safety related? Yes → other criteria (1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality?) → Significant Change → Apply CSM Process]
Slide n° 58
2 – Significant Change – Organisational Change: Outsourcing of a maintenance branch of an IM
● Change description: outsource the maintenance branch of an IM and put it in competition with other companies working in the same field.
● Significant change? (need to cover all questions):
Safety relevant? YES: downsizing, redistribution of staff and tasks, same work with less staff.
Low novelty? NO: contractual relation and follow up.
Low complexity? NO: new functions in the remaining IM organisation to follow up the subcontractor.
Easy monitoring? NO: not easy to check subcontractor efficiency.
● Consequence: apply CSM Process.
[Flowchart: Change: outsourcing of a maintenance branch of IM → is it safety related? Yes → other criteria (1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality?) → Significant Change → Apply CSM Process]
Slide n° 59
2 – Significant Change – Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
● Change description: replace a trackside loop located before a signal by a "radio infill + GSM" sub-system;
● Significant change? (need to cover all questions):
Safety relevant? YES: the signal in front of the train could be released whereas the preceding train still occupies the section.
Low novelty? NO: new principles and technology for the manufacturer.
Low complexity? NO: the change is complex to carry out.
● Consequence: apply CSM Process.
[Flowchart: Change: Loop → Radio In-fill → is it safety related? Yes → other criteria (1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality?) → Significant Change → Apply CSM Process]
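The decision flow of slides 51 to 59 written out in Python, as an added example that is not code from the Agency or from the Regulation: safety relevance first, then the six Article 4 criteria, with the additionality check over previous non significant changes. The rule that a single unfavourable criterion triggers the CSM process and the additionality threshold are assumptions, since the Regulation leaves the weighting to the proposer's expert judgement.

```python
"""Evaluation of the significance of a change following the decision flow of
Article 4 of Regulation (EC) No 352/2009 as presented on slides 51 to 59.

Added example, not code from the Agency or from the Regulation.  The rule
"one unfavourable criterion is enough to deem a change significant" and the
additionality threshold are assumptions: the Regulation leaves the weighting
of the criteria to the proposer's expert judgement.
"""
from dataclasses import dataclass, field

# The six criteria of Article 4(2), phrased so that True is the answer that
# points towards a non significant change.
CRITERIA = (
    "low_failure_consequence",
    "low_novelty",
    "low_complexity",
    "easy_monitoring",
    "high_reversibility",
    "low_additionality",   # sum of previous non significant changes is small
)


@dataclass
class Change:
    name: str
    safety_related: bool
    criteria: dict = field(default_factory=dict)  # answers; missing = not examined


@dataclass
class Decision:
    change: str
    outcome: str           # "A: significant", "B: not significant", "C: not significant"
    justification: list
    csm_required: bool


def evaluate_significance(change: Change, previous_non_significant: int = 0) -> Decision:
    """Walk the flowchart: safety relevance first, then the other criteria.

    previous_non_significant counts the non significant changes accepted since
    the last CSM application; it feeds the additionality criterion.
    """
    # Step 1: not safety related -> C: no CSM, but the decision is recorded.
    if not change.safety_related:
        return Decision(change.name, "C: not significant",
                        ["change is not safety related"], csm_required=False)

    # Step 2: safety related -> evaluate the other criteria.  Additionality is
    # computed from the accumulated changes unless the proposer answered it;
    # the threshold of 3 is a constructed assumption.
    answers = dict(change.criteria)
    answers.setdefault("low_additionality", previous_non_significant < 3)

    unfavourable = [c for c in CRITERIA if answers.get(c) is False]
    if unfavourable:
        # Assumed rule: any unfavourable answer triggers the CSM process.
        return Decision(change.name, "A: significant",
                        [f"{c}: NO" for c in unfavourable], csm_required=True)

    # B: safety related but judged not significant; record and justify (PRA).
    justification = [f"{c}: YES" if c in answers else f"{c}: not examined"
                     for c in CRITERIA]
    return Decision(change.name, "B: not significant", justification,
                    csm_required=False)


# Constructed cases mirroring the worked examples of slides 57 to 59, plus a
# constructed non safety related change.
DOO = Change("Driver Only Operation", True,
             {"low_novelty": False, "low_complexity": False})
OUTSOURCING = Change("Outsourcing of IM maintenance branch", True,
                     {"low_novelty": False, "low_complexity": False,
                      "easy_monitoring": False})
RADIO_INFILL = Change("Trackside loop replaced by radio infill + GSM", True,
                      {"low_novelty": False, "low_complexity": False})
LIVERY = Change("New livery for a coach", False)


def demo() -> dict:
    """Outcome of each constructed case, keyed by change name."""
    return {c.name: evaluate_significance(c).outcome
            for c in (DOO, OUTSOURCING, RADIO_INFILL, LIVERY)}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```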
Slide n° 61
(3) Hazard Identification
Slide n° 62
3 – Hazard Identification: Step (2) in CSM Process
[Overview of the 7 CSM topics and the modular diagram repeated; see slide 49]
Slide n° 63
3 – Hazard Identification: Why is it important?
Hazard identification is the first step in the risk assessment process.
The process needs to be re-iterated and completed until all reasonably foreseeable hazards have been correctly identified.
It is important because if hazards are not identified, they will not be assessed and not covered in the risk management process.
The correct identification of hazards facilitates the correct application of the risk acceptance principles.
Slide n° 64
3 – Hazard Identification: What are the first steps?
In order to properly identify the hazards, the system definition is important to specify the functions and interfaces.
It is necessary to look at hazards from all relevant contributors.
THEN systematically identify the hazards and the level of detail, taking into account: modes of operation, the different types of the system, human factors, environment, failure modes and safety relevant factors.
Slide n° 65
3 – Hazard Identification: What level of detail is required?
The level of the hazard identification should correspond to the scope of the significant change under study and the requirements for proving acceptable risk.
This may involve several iterations in order to obtain the necessary level of detail to ensure that the correct decision is made on the necessary control measures.
If a code of practice or reference system is used, the level of detail at which the hazards are defined need only correspond to the level defined by the code of practice or reference system.
Slide n° 66
Hazard identification level and transfer
[Diagram: Top level Hazard X decomposed at the 2nd level (causes) into:
Sub-hazard Y - controlled by requirements from a CoP (e.g. a standard) - owned by actor A (e.g. manufacturer);
Sub-hazard Z - controlled by requirements from explicit risk analysis - owned by actor B (e.g. RU).]
Slide n° 67
3 – Hazard Identification: What is broadly acceptable?
In order to correctly identify the hazards, a decision could be made as to whether they are broadly acceptable or not broadly acceptable.
This means:
• considering and reviewing all the reasonably foreseeable hazards
• classifying them according to the estimated risk arising from them
This process ensures that the correct priority is assigned to each of the hazards, enabling the right selection of the risk control measures.
The decision is based on expert judgement.
[Diagram: Broadly acceptable risks → nothing further required, registered in the Hazard Record. Not broadly acceptable → follow the risk management process.]
Slide n° 68
3 – Hazard Identification: What is expert judgement?
An expert is competent to make decisions that are suitable and sufficient for the situation in which the expert is performing.
The decision to label a hazard as broadly acceptable without further analysis is logged in the hazard record and will be reviewed by the ISA.
[Diagram: Competence = Skills + Knowledge + Experience]
Slide n° 70
3 – Hazard Identification – Operational Change: Driver Only Operated Train (DOO)
System Description:
description of the existing system: which tasks were performed by the train driver and which other ones by onboard staff (or guard) to assist the driver;
existing interfaces between onboard assisting staff, driver and trackside staff of the Infrastructure Manager;
change of the driver's responsibilities due to the removal of onboard assisting staff;
the technical requirements of the overall system to cover changes in operation.
Hazard Identification: [HAZOP]
brainstorming by a group of experts to find all hazards with a relevant influence on risk brought on by the removal of onboard assisting staff and the additional tasks requested of the driver;
drivers' and staff's representatives involved for their operational experience, IM representatives as the infrastructure could also be affected, implying e.g. changes to stations (e.g. installation of mirrors/closed circuit TV at platforms);
what could be the key operational hazards at stations, on existing routes where the driver was assisted by onboard or trackside staff (door opening, closure check, etc.).
Slide n° 71
What is a HAZOP?
HAZOP studies are a structured method for the identification of risks, originating in the chemical industry. The method uses guide words to reveal the possible response of the system or process to changes or to deviations from the desired response. The method is described in IEC 61882.
The HAZOP is based on the principle that several experts with different backgrounds can interact and identify more problems when working together than when working separately and then combining their results. This brainstorming method stimulates creativity and generates ideas.
Slide n° 72
What is a HAZOP?
The HAZOP is a systematic process that examines the following topics:
Intention: the expected functional behaviour of the system
Deviations: starts from possible deviations from the desired functional states
Causes: for each deviation, the reasons why the deviation could occur
Consequences: the result of the deviation
Hazard: the consequences causing possible damage, injury or loss
Measures: possibilities to reduce the hazardous condition/behaviour
The method needs an educated leader (moderator/facilitator) to manage the session, good input information, and documents of the system and processes. It is effective in finding risks if properly conducted. For the critical functions/tasks/aspects, the method can be complemented by other systematic studies, e.g. by an FMECA (Failure Mode, Effects and Criticality Analysis).
Slide n° 73
What is a HAZOP?
Examples of guide/key words:
No message/information or delayed message/information
Message/information available when not expected
False message – false information
Invalid message
Etc.
The guide/key words must be tailored to the system/item concerned before starting a HAZOP study.
Slide n° 74
3 – Hazard Identification: Parenthesis on the FMECA Hazard Analysis Tool
System FMECA worksheet (compiled by: RAMS team; System: ...; Sub-system: ...; Mode of operation: ...; Issue N° ...; Page ...)
Columns: Id nr. | Function | Function Failure Mode | Possible Failure Causes | Subsystem effects | System effects | Failure Rate | Severity | Criticality | Means of Detection | Compensating Implemented Provisions | Remarks
Subsystem/Detailed FMECA worksheet (compiled by: RAMS team; System: ...; Sub-system: ...; Indenture Level: ...; Mode of operation: ...; Issue N° ...; Page ...)
Columns: Id nr. | Item | Function(s) | Component Failure Mode | Possible Failure Causes | Local effects | Next higher level effects | System effects | Failure Rate | Sev. | Crit. | Means of Detection | Compensating Implemented Provisions | Remarks
Slide n° 75
3 – Hazard Identification: Parenthesis on the FMECA Hazard Analysis Tool – Level of FMECA
[Diagram: HAZOP → System FMECA (based on the outputs of the System Requirement Specifications) → Subsystem FMECA (subsystems/components level, based on the Sub-system Requirement Specification) → Detailed FMECA (further decomposition of critical elements based on detailed design documents); each level feeds the Hazard Record.]
Slide n° 76
Parenthesis on the Fault Tree Analysis Method (FTA) [IEC 61025]
[Diagram of a fault tree: the top-event hazard at the top, combined through logical AND and logical OR gates from intermediate events (Failure A1, Failure A2; Failure B1, Failure B2, Failure B3) down to causes at the subsystem or component level; leaves are basic events with sufficient data (Failure C1, Failure C2) or a not developed tree, i.e. an event with insufficient data.]
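An added example, not from the Agency's material, that evaluates a fault tree of the kind sketched on slide 76: the top-event probability through AND/OR gates and the minimal cut sets, with the undeveloped (insufficient data) events flagged. The event names follow the slide; the gate structure and the probabilities are constructed.

```python
"""Fault tree evaluation in the style of IEC 61025 for a tree like the one
sketched on slide 76: top-event hazard, intermediate events, AND/OR gates,
basic events with failure data and undeveloped events lacking data.

Added example, not code from the Agency.  Event names A1, A2, B1..B3, C1, C2
follow the slide; the gate structure and the probabilities are constructed.
"""
from itertools import product

# Node types: ("basic", p), ("undeveloped", p_assumed), ("and", [children]),
# ("or", [children]).  Probabilities refer to one demand/reference period and
# every basic event appears once, so the inputs can be treated as independent.
TREE = {
    "Top-event hazard": ("or", ["Failure A1", "Failure A2"]),
    "Failure A1": ("and", ["Failure B1", "Failure B2"]),                # intermediate
    "Failure A2": ("or", ["Failure B3", "Failure C1", "Failure C2"]),   # intermediate
    "Failure B1": ("basic", 1e-3),
    "Failure B2": ("basic", 2e-3),
    "Failure B3": ("basic", 2e-4),
    "Failure C1": ("basic", 5e-4),
    "Failure C2": ("undeveloped", 1e-5),   # insufficient data: assumed bound
}


def probability(tree: dict, node: str) -> float:
    """Top-down probability of an event, assuming independent inputs."""
    kind, data = tree[node]
    if kind in ("basic", "undeveloped"):
        return data
    ps = [probability(tree, child) for child in data]
    if kind == "and":
        p = 1.0
        for q in ps:
            p *= q
        return p
    if kind == "or":
        p_none = 1.0          # probability that none of the inputs occurs
        for q in ps:
            p_none *= 1.0 - q
        return 1.0 - p_none
    raise ValueError(f"unknown gate type {kind!r} at {node}")


def minimal_cut_sets(tree: dict, node: str) -> list:
    """Minimal combinations of leaf events that are sufficient to cause node."""
    kind, data = tree[node]
    if kind in ("basic", "undeveloped"):
        return [frozenset([node])]
    child_sets = [minimal_cut_sets(tree, child) for child in data]
    if kind == "or":
        cut_sets = [cs for sets in child_sets for cs in sets]
    else:  # "and": one cut set from each child must occur together
        cut_sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    # Keep only minimal sets: drop any set that contains another cut set.
    minimal = [cs for cs in set(cut_sets)
               if not any(other < cs for other in cut_sets)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def undeveloped_events(tree: dict) -> list:
    """Events whose data must still be obtained before the result is trusted."""
    return sorted(n for n, (kind, _) in tree.items() if kind == "undeveloped")


if __name__ == "__main__":
    print(f"P(top event) ~ {probability(TREE, 'Top-event hazard'):.3e}")
    for cs in minimal_cut_sets(TREE, "Top-event hazard"):
        print("cut set:", sorted(cs))
    print("undeveloped:", undeveloped_events(TREE))
```

Single-event cut sets are the ones to look at first: any one of them is enough to reach the top event, whatever the rest of the tree does.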
Slide n° 77
3 – Hazard Identification – Operational Change: Driver Only Operated Train (DOO)
Hazard Identification, e.g. by HAZOP (Hazard and Operability studies): brainstorming by a group of multidisciplinary experts with different backgrounds:
safety experts from the RU
train drivers' and staff's representatives for their operational experience (onboard accompanying staff)
IM representatives, as the infrastructure could also be affected by the change, implying e.g. changes to stations (e.g. installation of mirrors/closed circuit television [CCTV] at platforms) to help the driver
trackside staff of the IM
Each of the identified hazards was assigned a level of severity of risk and consequences (high, medium, low), and the impact of the proposed change was reviewed against them (increased, unchanged, decreased risk).
Slide n° 78
3 – Hazard Identification – Operational Change: Driver Only Operated Train (DOO)
Based on the System Definition, the brainstorming team scrutinised the additional tasks to be performed by the train driver, in order to identify all foreseeable hazards that might occur following the removal of onboard assisting staff.
In particular, the hazard identification looked at what the key operational hazards could be at stations, on existing routes where there was assistance from onboard or trackside staff, including the safe dispatch of the trains, specific issues related to the driver, the rolling stock (e.g. door opening/closure check), maintenance requirements, etc.
Example of hazards identified during the HAZOP (one way of proceeding):
Train departure without closing doors → passengers could fall down on to the track
Door opening on the wrong side → passengers could fall down on to the track
Door closing while passengers are still getting onboard → passengers could be caught between the doors
Slide n° 79
3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM
System Description:
description of the tasks performed by the existing IM organisation, and description of the changes that are planned in this organisation. Description of the interfaces of the "branch to be detached" with other surrounding organisations or with the physical environment.
Hazard Identification:
brainstorming by a group of experts to find all hazards with a relevant influence on risk brought on by the intended change.
Hazard Classification: high, medium, low risk (severity) and increased, unchanged, decreased risk (impact of the change) compared to the initial situation.
Slide n° 80
3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM
Hazard Identification done by HAZOP (Hazard and Operability studies): brainstorming by a group of multidisciplinary experts with different backgrounds:
safety experts from the IM
system engineers/experts
train drivers
IM staff's representatives from the maintenance department
etc.
The HAZOP analysis went through a checklist method describing a list of hazards (unwanted events), their causes, the related consequences and frequencies (rough estimates), and the related actions that need to be taken to mitigate these risks. Interdependencies and interfaces between the detached branch and the rest of the IM organisation were particularly examined.
Slide n° 81
3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis
Columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for finding safety measure | Safety Measures
Unwanted event 1: Reduced motivation among employees remaining in Company.
Cause: staff continuing to leave without stop; demotivated / worn out managers; missing colleagues, missing certain tasks; lack of loyalty knowing that the workplace is not going to stay; heavy workload; uncertainty.
Consequence: tasks not performed, increased build up of unperformed works; emergency maintenance instead of planned maintenance; collective worker actions (calling in sick etc.); lack of trust in Company for the managers at IM level.
Type of loss: Safety
Risk: Higher
Safety Measures: new round of motivational work for the staff, to be performed in smaller groups; reallocation of funds so that Company gets meaningful tasks to perform; more frequent inspections by the track manager; allocate funds to make sure that key staff stays throughout the process; give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks; etc.
Slide n° 82
3 – Hazard Identification – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis
Columns: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for finding safety measure | Safety Measures
Unwanted event 10: Lack of competency in the performance of tasks.
Cause: subcontractors of IM lacking skill, competency and quality control.
Consequence: violation of safety rules; increased accident frequency.
Type of loss: Safety
Risk: Higher
Safety Measures: increased demand for documented competence; systematic control of performed tasks.
Unwanted event 11: Uncertainty of roles and responsibilities in the interface between Company and IM.
Cause: different understandings of roles and responsibilities; Track Manager responsible for accessible tracks but not for the downsizing, and therefore unable to take this into account when planning/prioritising work tasks; Track Manager lacks an overview of the competencies available in Company; coordination problems for the delivery when coordination responsibilities are transferred to the Track Manager.
Consequence: tasks not being performed or being performed twice; lack of coordination of resources.
Type of loss: Safety
Risk: Higher
Safety Measures: define roles and responsibilities; map all interfaces and define who is responsible for the interfaces.
Slide n° 83
3 – Hazard Identification – Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
System Description:
existing system: "loop + encoder" and their functions in the CCS: "release the signal on approach of a train when the section behind the signal (i.e. in front of the approaching train) becomes unoccupied";
change planned by the proposer and the manufacturer;
functional and physical interfaces of the loop with the rest of the system.
Hazard Identification:
brainstorming by a group of experts to identify hazards with a relevant influence on risk brought on by the intended change.
Loop/Radio infill releases the signal → risk: provide a too permissive MA to the approaching train whereas the preceding train still occupies the section in front of the signal.
Note: Hazard Identification e.g. by HAZOP (Hazard and Operability studies). It is a brainstorming by a group of multidisciplinary experts: "safety experts from the manufacturer and the RU, train drivers, designers of the trackside encoder and loop, experts in communication systems, etc."
Slide n° 84
3 – Hazard Identification – Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
Example of hazards identified during the HAZOP (one way of proceeding):
"Loop & Radio infill" shall achieve the same function, i.e. "release the signal RG on approach of a train when the section behind the signal is released by the preceding train". Same top level hazard: "provide too permissive MA to approaching train whereas preceding train still occupies section in front of the signal".
See next page for the sub-hazards.
[Diagram: Existing technical system: Trackside Encoder → Trackside Loop → (1) Release the signal, (2) Extension of Movement Authority (MA). Intended change: Trackside Encoder → Radio In-fill Controller/Modem → GSM → (1) Release the signal, (2) Extension of Movement Authority (MA).]
Slide n° 85
3 – Hazard Identification – Change to a Technical System: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
Example of hazards identified during the HAZOP (one way of proceeding):
"Trackside encoder + loop" → "Trackside encoder + Radio In-fill + GSM"
Sub-hazards of the top hazard "provide too permissive MA...":
"transmission by hackers of unsafe information in the air gap", since the "radio infill + GSM" is an open transmission sub-system;
"delayed transmission or transmission of memorised data packets in the air gap" (i.e. possibly unsafe);
systematic software errors in the additional equipment (gateway or Radio Controller) that interfaces with the unchanged "Trackside encoder";
etc.
Slide n° 87
(4) Risk Analysis and Evaluation
Slide n° 88
4 – Risk Analysis and Evaluation: Step (3) in CSM Process
[Overview of the 7 CSM topics and the modular diagram repeated; see slide 49]
Slide n° 89
4 – Risk Analysis and Evaluation: WHEN? Focus risk assessment on most important hazards/risks
Focus the risk assessment on the most important risks based on expert's judgement; during Hazard Identification there is a need for hazard classification at least into:
Hazards associated with broadly acceptable risks → need not be analysed further, but register them in the Hazard Record with justification to allow independent assessment.
Hazards associated with non broadly acceptable risks → further risk analysis and evaluation required.
[Flowchart: Preliminary System Definition → Substantial Change? YES → Risk Assessment: System Definition (scope, functions, interfaces, etc.) → Hazard Identification (what can happen? when? where? how? etc.) → Hazard Classification (how critical?) → Broadly acceptable risk? YES → registered; NO → Risk Analysis; within Hazard Management and under Independent Assessment]
Slide n° 90
4 – Risk Analysis and Evaluation: Principles? Hazard Control based on 3 Risk Acceptance Principles
Risk acceptability of non broadly acceptable hazards is evaluated by one or more of the 3 RAP:
1. application of codes of practice
2. comparison with similar reference systems
3. explicit risk estimation & RAC
Proposer to:
1. demonstrate that the selected RAP is adequately applied
2. check that the selected RAP is used consistently
Output: set of SR to implement + demonstrate achievement
CSM does not impose any order of priority between the 3 RAP
[Flowchart of the iterative Risk Management Process: Preliminary System Definition → Significant Change? → Risk Assessment: System Definition → Hazard Identification and Classification → Risk Analysis (Codes of Practice / Similar Reference Systems / Explicit Risk Estimation) → Risk Evaluation (vs. Risk Acceptance Criteria) → Safety Requirements (i.e. safety measures to be implemented) → Demonstration of Compliance with Safety Requirements; within Hazard Management [Annex III(2)(g) of SD] and under Independent Assessment]
Slide n° 91
4 – Risk Analysis and Evaluation: WHO? Proposer decides on RAP to use
[Flowchart: Hazards associated with Significant Risks → Selection of Risk Acceptance Principle: (I) Codes of Practice → Application of Codes of Practice → Comparison with Criteria → Acceptable Risk?; (II) Similar Reference System(s) → Similarity Analysis with Reference System(s) → Comparison with Criteria → Acceptable Risk?; (III) Explicit Risk Estimation → Identification of Scenarios & associated Safety Measures → Estimate Frequency, Estimate Severity, Estimate Risk (quantitative or qualitative) → Risk Evaluation: Safety Criteria? Comparison with Criteria → Acceptable Risk?; YES → Safety Requirements (i.e. the Safety Measures to be implemented) → Demonstration of Compliance with the Safety Requirements; NO → back to Risk Analysis; within Hazard Management and under Independent Assessment]
If there are no Notified National Rules, the Proposer is free to decide which RAP to use for controlling hazards [flexibility]
The AB shall refrain from imposing the RAP to be used by the proposer [challenge proposer]
Whatever RAP is used, it must be adequately applied + the RAP-hazard link recorded (XA)
(I) CoP (e.g. Anerkannte Regeln der Technik); e.g. TSI, EN standards, NNR, etc. (compatible with rule based approaches)
(II) Similar Reference Systems (e.g. GAME)
(III) Explicit Risk Estimation (could be quantitative or qualitative)
Slide n° 92
4 – Risk Analysis and Evaluation: Use of codes of practice (CoP) and risk evaluation (1/3)
CoP shall at least satisfy following requirements:
(a) be widely acknowledged in railway domain. If not the case, CoP have to be justified and be acceptable to assessment body.
(b) be relevant for control of considered hazards in system under assessment.
(c) be publicly available for all actors who want to use them.
Examples of CoP:
TSI and mandatory European standards;
Notified National Safety and Technical Rules (technical standards or statutory documents) and if relevant non mandatory European standards;
provided the conditions for a CoP are fulfilled, internal rules or standards issued by an actor of the railway sector;
CoP from other fields (e.g. nuclear power, military and aviation) can also be applied for certain technical applications in railway systems, provided it is demonstrated that the related CoP is effective at controlling the considered railway hazards.
Slide n° 93
4 – Risk Analysis and Evaluation: Use of codes of practice (CoP) and risk evaluation (2/3)
If the conditions for a CoP are fulfilled, for the hazards controlled by the CoP:
risks need not be analysed further;
risks are considered IMPLICITLY as acceptable;
the risk management process may be limited to:
hazard identification;
registration in the Hazard Record of the use of the CoP as SR for those hazards (i.e. link CoP-Hazard);
application of the complete CSM Process, including:
correct application of the requirements from the CoP;
documented evidence;
independent assessment of the application of the CoP.
Slide n° 94
4 – Risk Analysis and Evaluation: Use of codes of practice (CoP) and risk evaluation (3/3)
What to do when there are deviations from CoP and identified hazards cannot be controlled (completely) by CoP?
Where an alternative approach is not fully compliant with CoP, proposer shall demonstrate that alternative approach taken leads to at least same level of safety
If one or more conditions from CoP not fulfilled by system under assessment, related CoP can still be used for controlling hazards provided proposer demonstrates that at least same level of safety is achieved
If for a hazard, the risk cannot be made acceptable by application of CoP, or if CoP does not sufficiently cover identified hazards (e.g. CoP not applicable to full range of hazards), additional safety measures shall be identified for controlling those hazard(s) by using either other CoP or one of other 2 RAP
Slide n° 95
4 – Risk Analysis and Evaluation: Use of Reference Systems (Ref Syst) and risk evaluation (1/2)
Reference Systems shall at least satisfy the following requirements:
  it has already been proven in use to have an acceptable safety level and would still qualify for acceptance in the Member State where the change is to be introduced;
  it has similar functions and interfaces as the system under assessment;
  it is used under similar operational conditions as the system under assessment;
  it is used under similar environmental conditions as the system under assessment.
Slide n° 96
4 – Risk Analysis and Evaluation – Use of Reference Systems (Ref Syst) and risk evaluation (1/2)
If the conditions are fulfilled, for the hazards controlled by the Reference System:
  risks are considered IMPLICITLY as acceptable (further risk analysis not required);
  safety requirements for the hazards covered by the Ref Syst may be derived from the safety analyses or from an evaluation of the safety records of the Ref Syst;
  these safety requirements shall be registered in the Hazard Record as safety requirements for the relevant hazards.
Does the Ref Syst still "qualify for acceptance"? E.g. it can happen that the safety performance of the considered Ref Syst is not appropriate for the system under assessment because it is based on out-of-date technology (i.e. old-fashioned technology).
Slide n° 97
4 – Risk Analysis and Evaluation – Use of Reference Systems (Ref Syst) and risk evaluation (2/2)
What to do when there are deviations from the Ref Syst and identified hazards cannot be (completely) controlled by the Ref Syst?
The risk evaluation shall demonstrate that the system under assessment reaches at least the same safety level as the Ref Syst. Risks associated with hazards covered by the Ref Syst shall then be considered as acceptable.
This may also require explicit risk estimation in order to show that the level of risk is at least as good as that of the Ref Syst.
If the same safety level as the reference system cannot be demonstrated (or if the conditions are not fulfilled), additional safety measures shall be identified for the deviations, applying one of the 2 other RAP.
The corresponding hazards need to be considered as deviations from the Ref Syst. They become new inputs for a new loop in the iterative CSM risk assessment process. Additional safety measures can be identified by applying one of the other 2 RAP.
Slide n° 98
4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation
When hazards cannot be covered by a CoP or a Ref Syst, the risk acceptability demonstration is performed by explicit risk estimation and evaluation.
Risks shall be estimated either quantitatively or qualitatively, taking into account the existing safety measures within the system.
E.g. explicit risk estimation is used when a CoP or a Ref Syst cannot be applied to fully control the risk to an acceptable level. This could typically arise:
  when the system being assessed is entirely new or where there are deviations from a CoP or a Ref Syst, or
  when a design strategy has been chosen that does not allow the use of a CoP or a similar Ref Syst because, e.g., of the wish to produce a more cost-effective design that has not been tried before.
When the risk(s) controlled by explicit risk estimation are considered acceptable, the identified safety measures are registered in the Hazard Record.
Slide n° 99
4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation
Explicit risk estimation is not necessarily always quantitative. It can be:
  quantitative, if sufficient quantitative information is available in terms of frequency of occurrence and severity;
  semi-quantitative, e.g. if such quantitative information is not sufficiently available; or
  even qualitative, e.g. in terms of a process for the management of systematic errors/failures, when quantification is not possible.
If, with the safety measures, the estimated risk is not acceptable, additional safety measures shall be identified and implemented in order to reduce the risk to an acceptable level.
[Figure: CSM risk assessment flowchart. RISK ASSESSMENT comprises RISK ANALYSIS (Hazards associated with Significant Risks → Selection of Risk Acceptance Principle → either Application of Codes of Practice, Similarity Analysis with Reference System(s), or EXPLICIT RISK ESTIMATION: Identification of Scenarios & associated Safety Measures → Estimate Frequency → Estimate Severity → Estimate Risk, quantitative or qualitative) and RISK EVALUATION (Safety Criteria? → Comparison with Criteria → "Acceptable Risk?" YES/NO, looping back while NO) → Safety Requirements (i.e. the Safety Measures to be implemented) → Demonstration of Compliance with the Safety Requirements. HAZARD MANAGEMENT and INDEPENDENT ASSESSMENT run alongside the whole process.]
Slide n° 100
4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation – RAC
In order to evaluate whether risks are acceptable or not, risk acceptance criteria (RAC) are necessary. They can be either implicit or explicit:
  risks controlled by application of a CoP and by comparison with a Ref Syst are considered IMPLICITLY acceptable (implicit RAC);
  whereas the acceptability of risk(s) controlled by application of explicit risk estimation requires explicit risk acceptance criteria (RAC) to be defined.
[Figure: CSM risk assessment flowchart (Risk Analysis with selection of the risk acceptance principle → Risk Evaluation with comparison with criteria → Safety Requirements → Demonstration of Compliance with the Safety Requirements, with Hazard Management and Independent Assessment alongside), here annotated "Implicit RAC" on the Codes of Practice and Similar Reference System(s) branches and "Harmonised Explicit RAC" on the Explicit Risk Estimation branch.]
Slide n° 101
4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation – Level of RAC (Pyramid)
RAC can be defined at different levels of the railway system ("pyramid of criteria"):
  starting from high-level RAC (expressed for instance as societal or individual risk);
  going down to sub-systems and components, covering technical systems and human operators during the operation & maintenance activities of the system & sub-systems.
[Figure: pyramid of criteria – Global Risk Acceptance Criteria (Societal Risk, Individual Risk, etc.) at the top, RAC-TS and Other RAC below, Risk Profile at the base.]
The level of RAC needs to match the importance and complexity of the significant change:
  e.g. when modifying the type of axle in RS, it is not necessary to evaluate the overall railway system risk; the definition of RAC can focus on rolling stock safety;
  reciprocally, large changes or additions to an existing system should not be evaluated solely on the safety performance of individual functions or changes; the acceptability of the change should also be evaluated at the level of the railway system as a whole.
Slide n° 102
4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation – RAC-TS
RAC-TS harmonised in the CSM Regulation:
"Where hazards arise from failures of technical systems not covered by codes of practice or the use of a reference system, the following risk acceptance criterion shall apply for the design of the technical system: For technical systems where a functional failure has a credible direct potential for a catastrophic consequence, the associated risk does not have to be reduced further if the rate of that failure is less than or equal to 10^-9 per operating hour."
Nevertheless, if the applicant can demonstrate that the national safety level can be maintained with a less demanding criterion than the 10^-9, this criterion can be used by the applicant after agreement with the assessment body.
Slide n° 103
4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation – RAC-TS
RAC-TS harmonised in the CSM Regulation (continuation):
"If a technical system is developed by applying the 10^-9 criterion defined in paragraph 4, mutual recognition shall be applied according to section 5.3."
"Without prejudice to the procedure specified in Article 8 of Directive 2004/49/EC, a more demanding criterion may be requested, through a national rule, in order to maintain a national safety level. However, in the case of additional authorisations for placing in service of vehicles, the procedures of Articles 23 and 25 of Directive 2008/57/EC shall apply."
Slide n° 104
4 – Risk Analysis and Evaluation – Use of explicit risk estimation and evaluation – RAC-TS
The quantitative target evaluation must take into account, for redundant systems, the common components (e.g. common inputs, power supply, comparators, voters, etc.);
it shall consider the dormant or latent failure detection times;
a Common Cause/Mode Failure (CCF/CMF) analysis shall be done.
[Figure: RAC-TS decision flow for a Technical System (TS), with Independent Assessment alongside.
Considered hazard for the Technical System → "Is the hazard controlled by a CoP or a Ref Syst?"
  YES (e.g. TS is NOT a new nor innovative design) → Apply Code of Practice or Reference System.
  NO (e.g. TS is a new or innovative design) → Credible potential for Catastrophic Consequence: "Is it likely that the hazard can result in a catastrophic consequence?"
    NO → Use other RAC for technical systems that still need to be defined later on.
    YES → Direct: "Is the catastrophic consequence a direct result of the Technical System failure?"
      YES (i.e. no other safety barriers that could prevent the accident) → Quantitative Requirement: apply a THR of 10^-9 h^-1 (SIL 4) for random hardware failures of the TS; Process Requirement: apply a SIL 4 Process for management of systematic failures of the TS, i.e. apply a QMP & SMP vs. SIL 4 relevant standards, e.g. EN 50 128 for software, and for hardware EN 50 121-3-2, EN 50 121-4, EN 50 124-1, EN 50 124-2, EN 50 125-1, EN 50 125-3, EN 50 50081, EN 50 155, EN 61000-6-2, etc.
      NO (i.e. additional safety barriers cannot prevent the accident) → Use RAC-TS as reference point, evaluate contribution/efficiency of other additional safety barriers and derive safety requirements.]
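The decision flow of the figure above, written out as a Python example added here; it is not code from the Agency or from the Regulation. It takes the reading that "direct" means no other safety barrier can prevent the accident, and it adds a simplified 1oo2 redundancy estimate (beta-factor common-cause model with a latent-failure detection time, an assumption of this example) to show why the bullets on common components and detection times change the verdict against the 10^-9 criterion:

```python
from dataclasses import dataclass, field
from typing import List, Optional

RAC_TS_THR = 1e-9  # tolerable rate of the hazardous failure, per operating hour (SIL 4)


@dataclass
class TechnicalSystemHazard:
    """One hazard of a technical system (TS) with the yes/no answers of the flowchart."""
    name: str
    controlled_by_cop_or_ref_syst: bool   # "Is the hazard controlled by a CoP or a Ref Syst?"
    credible_catastrophic: bool           # "Is it likely that the hazard can result in a catastrophic consequence?"
    direct: bool                          # "Is the catastrophic consequence a direct result of the TS failure?"
    failure_rate_per_hour: Optional[float] = None   # estimated rate of the failure, once quantified
    # Less demanding criterion; only usable after agreement with the assessment body (slide 102).
    agreed_criterion_per_hour: Optional[float] = None


@dataclass
class Decision:
    branch: str                             # exit of the flowchart that was taken
    requirements: List[str] = field(default_factory=list)
    acceptable: Optional[bool] = None       # quantitative verdict, None when no rate was given
    mutual_recognition: bool = False        # slide 103: only for a TS developed against the 10^-9 criterion


def apply_rac_ts_flow(h: TechnicalSystemHazard) -> Decision:
    """Walk the flowchart for one hazard and return the resulting requirement(s)."""
    if h.controlled_by_cop_or_ref_syst:
        return Decision("cop_or_ref_syst", ["Apply Code of Practice or Reference System"])
    if not h.credible_catastrophic:
        return Decision("other_rac", ["Use other RAC for technical systems (still to be defined)"])
    if not h.direct:
        return Decision("barrier_analysis", [
            "Use RAC-TS as reference point, evaluate contribution/efficiency of the other "
            "additional safety barriers and derive safety requirements"])
    d = Decision("rac_ts", [
        "Quantitative requirement: THR of 1e-9 h^-1 (SIL 4) for random hardware failures of the TS",
        "Process requirement: SIL 4 process (QMP & SMP vs. SIL 4 standards) for systematic failures of the TS",
    ])
    criterion = RAC_TS_THR
    if h.agreed_criterion_per_hour is not None and h.agreed_criterion_per_hour > RAC_TS_THR:
        criterion = h.agreed_criterion_per_hour
        d.requirements.append("Less demanding criterion: national safety level must be shown to be "
                              "maintained and the assessment body must agree")
    if h.failure_rate_per_hour is not None:
        d.acceptable = h.failure_rate_per_hour <= criterion
        d.mutual_recognition = bool(d.acceptable and criterion == RAC_TS_THR)
    return d


def one_out_of_two_rate(channel_rate: float, latent_detection_time_h: float, beta: float) -> float:
    """Simplified hazardous-failure rate of a 1oo2 (two-channel) TS; an assumption of this example,
    not a formula from the slides. Independent double failure: the first channel failure stays
    undetected for latent_detection_time_h hours, during which the second channel may fail too
    (2 * lambda * lambda * T). Common-cause failure via the beta-factor model (beta * lambda), which
    is where the slide's common inputs, power supply, comparators and voters enter the target."""
    return 2.0 * channel_rate * channel_rate * latent_detection_time_h + beta * channel_rate
```

With a channel failure rate of 1e-5/h the same hardware passes or fails the RAC-TS depending only on how long a latent failure goes undetected and on the common-cause fraction.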
Slide n° 105
4 – Risk Analysis and Evaluation – Mutual Recognition
The CSM Regulation requires mutual recognition of risk assessment results.
Mutual recognition shall be based on evidence of the fulfilment of the harmonised requirements along the steps of the CSM Process.
The full CSM risk assessment process must be applied by the Proposer:
  identification of hazards, associated safety measures and resulting SR;
  registration & management of hazards and safety measures in the Hazard Record;
  demonstration of system compliance with the safety requirements;
  documented application of the CSM Process, with all necessary evidence showing correct application accessible to the Assessment Body. This shall at least include:
    description of the organisation and experts put in place to carry out the risk assessment;
    results from the steps of the CSM Process, including the list of SR to be implemented to control the risk to an acceptable level.
The conclusions of the independent assessment by the AB are given in the Assessment Report.
The change is accepted by the Proposer based on the Independent Assessment Report.
Slide n° 106
4 – Risk Analysis and Evaluation – Mutual Recognition – Independent Assessment by AB on Deviations
Assessment Bodies in other MS must apply mutual recognition to a system evaluated, assessed and accepted against the CSM Process (prev. slide).
The system can be used in another MS provided the Proposer demonstrates that:
  the system will be used under the same functional, operational and environmental conditions as initially approved in the related MS;
  equivalent RAC (acceptable in the new MS) have been applied for controlling the identified hazards (hence the importance of the link [RAP–Hazard] in the Hazard Record).
If a condition is not fulfilled, mutual recognition is still possible but not automatic:
  the Assessment Body applies the principle of mutual recognition to the part of the system and of the risk assessment that fulfils the conditions;
  the Proposer will have to identify the deviations vs. the already accepted system and apply the CSM risk management & assessment process on the identified deviations;
  the AB assesses independently the correct application of the CSM Process on the deviations.
Slide n° 108
4 – Risk Analysis and Evaluation – Operational Change – Driver Only Operated Train (DOO)
Use of Codes of Practice and Reference Systems:
Both CoP (i.e. a set of standards for Driver Only Operation) and similar Ref Systems were used to define the safety requirements for the identified hazards, such as:
  revised operational procedures for the driver that are required to operate the trains safely without onboard assistance;
  any additional equipment necessary onboard or on the track to ensure safe and reliable means of train dispatch;
  a checklist for ensuring that the driver's cab is suitable, taking into account the interface between the railway system (both onboard and trackside) and the driver.
Revision of the necessary operational rules in compliance with the requirements from the applicable codes of practice and the relevant reference systems.
Slide n° 109
4 – Risk Analysis and Evaluation – Organisational Change – Outsourcing of a maintenance branch of an IM
"Use of Ref System and Risk Evaluation" + "Explicit risk estimation and evaluation":
The system before the change was judged to have an acceptable level of safety. It was thus used to derive the Risk Acceptance Criteria for the system under assessment, i.e. "maintain at least the same level of safety and punctuality throughout the change process and after the change".
The HAZOP analysis went through a checklist method describing a list of hazards (unwanted events), their causes, the related consequences and frequencies (rough estimates) and the related actions that need to be taken to mitigate these risks. Interdependencies and the interface between the detached branch and the rest of the IM organisation were particularly examined.
Each hazard with increased risk was counterbalanced by appropriate identified risk-reducing measures. The residual risk was compared against the RAC to check whether other additional measures needed to be identified.
Slide n° 110
4 – Risk Analysis and Evaluation – Organisational Change – Outsourcing of a maintenance branch of an IM
The Hazard and Risk Analysis was documented in a table describing the identified hazards, evaluating the severity and suggesting risk mitigation/control measures (see the sample from the risk analysis on the following slides).
The Risk Analysis table was mirrored in the Hazard Record/Log (see the dedicated module in the presentation). The Hazard Record includes additional information on who is responsible for implementing the measure, the deadline for the implementation and also who is in charge of the verification of the implementation and of the efficiency of the identified measure(s).
Indeed, for such organisational changes, the efficiency of the identified actions and decisions had to be monitored to verify whether they fully control the considered risk.
This is natural, as it may be difficult to foresee and measure the exact result of a safety measure related to an organisational issue (such as training, motivated work for staff, etc.), and the effects have to be followed up closely in a longer process where the analysis is continuously updated.
Slide n° 111
4 – Risk Analysis and Evaluation – Organisational Change – Outsourcing of a maintenance branch of an IM
Therefore, the risk analysis and the hazard record/log were living documents. The efficiency of the decided actions was monitored at regular intervals to check whether the conditions had changed and whether the risk analysis and risk evaluation needed to be updated. They were updated when actions were performed and hazards "closed". A status field was updated to describe what actions were taken or were under way.
If any circumstances changed compared to the initial context of the risk analysis, the risk analysis and hazard record/log had to be updated to ensure that hazard and risk were under control.
The hazards that could not be closed (as not all the measures could be implemented or verified rapidly) were followed up. Their status was also monitored and rechecked on several occasions (and a further dated status column was added to the hazard record/log table) to verify that finally all the hazards would be closed.
Slide n° 112
4 – Risk Analysis and Evaluation – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis
Columns of the risk analysis table: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for finding safety measure | Safety Measures
Row 1
  Unwanted event (Hazard): 1: Reduced motivation among employees remaining in Company.
  Cause: Staff continuing to leave without stop. Demotivated / worn out managers. Missing colleagues, missing certain tasks. Lack of loyalty knowing that the workplace is not going to stay. Heavy workload. Uncertainty.
  Consequence: Tasks not performed, increased build-up of unperformed works. Emergency maintenance instead of planned maintenance. Collective worker actions (calling in sick etc.). Lack of trust in Company for the managers at IM level.
  Type of loss: Safety
  Risk: Higher
  Responsible for finding safety measure: (not filled in the sample)
  Safety Measures: New round of motivational work for the staff, to be performed in smaller groups. Reallocation of funds so that Company gets meaningful tasks to perform. More frequent inspections by track manager. Allocate funds to make sure that key staff stays throughout the process. Give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks. Etc.
Slide n° 113
4 – Risk Analysis and Evaluation – Organisational Change – Outsourcing of a maintenance branch of an IM – Sample from Risk Analysis
Columns of the risk analysis table: Unwanted event (Hazard) | Cause | Consequence | Type of loss | Risk | Responsible for finding safety measure | Safety Measures
Row 10
  Unwanted event (Hazard): 10: Lack of competency in the performance of tasks
  Cause: Subcontractors of IM lacking skill, competency and quality control
  Consequence: Violation of safety rules. Increased accident frequency.
  Type of loss: Safety
  Risk: Higher
  Responsible for finding safety measure: (not filled in the sample)
  Safety Measures: Increased demand for documented competence. Systematic control of performed tasks.
Row 11
  Unwanted event (Hazard): 11: Uncertainty of roles and responsibilities in the interface between Company and IM
  Cause: Different understandings of roles and responsibilities. Track Manager responsible for accessible tracks, but not for the downsizing, and can therefore not take this into account when planning/prioritizing work tasks. Track manager lacks overview of the competencies available in Company. Coordination problems for the delivery when coordination responsibilities are transferred to the track manager.
  Consequence: Tasks not being performed or being performed twice. Lack of coordination of resources.
  Type of loss: Safety
  Risk: Higher
  Responsible for finding safety measure: (not filled in the sample)
  Safety Measures: Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces.
Slide n° 114
4 – Risk Analysis and Evaluation – Change to a Technical System – Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
Use of Ref System and Risk Evaluation:
  The system before the change (loop) was judged to have an acceptable level of safety for releasing the signal aspect. It is used as a Ref Syst to derive the safety requirements for the radio in-fill sub-system.
Explicit Risk Estimation and Evaluation:
  analysis of the deviation "Radio in-fill + GSM" vs. "Loop" sub-system;
  see HAZID: new hazards for the "radio in-fill + GSM" sub-system: "radio in-fill + GSM" is an open transmission sub-system, hence the risk of transmission by hackers of unsafe information in the air gap; delayed transmission or transmission of memorised data packets in the Radio In-fill chain;
  explicit risk estimation and use of RAC-TS for designing the Radio In-fill Controller part.
Use of CoP and Risk Evaluation:
  EN 50159-2 for safety-related communication in open transmission systems provides the safety requirements for controlling the new hazards to an acceptable level, e.g. "data encrypting and protection" + "message sequencing and time stamping";
  use of the EN 50 128 standard for the development of the Radio In-fill Controller software.
Slide n° 115
4 – Risk Analysis and Evaluation – Change to a Technical System – Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
The existing loop system ensures an acceptable level of safety and is used as a Ref Syst, i.e. the Radio In-fill + GSM system shall ensure the same level of safety.
Explicit risk estimation is used to identify the differences between the system under assessment (Radio In-fill + GSM) and the Ref. Syst. (Trackside Encoder + Loop).
Use explicit risk estimation and RAC-TS for designing the Radio In-fill Controller part.
The new hazards identified for the deviations can be controlled by CoP.
For the development of the software of the Radio Controller, use CENELEC 50128 "Railway applications - Communication, signalling and processing systems – Software for railway control and protection systems".
The 50128 standard specifies, for each SIL, the levels of independence and the process (including possible techniques for software V&V) that are required for the design, verification and validation of the software. Note: 50128 also requires an Independent Safety Assessment whose independence depends on the SW SIL.
SIL 4 Process for SW
Slide n° 116
4 – Risk Analysis and Evaluation – Change to a Technical System – Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
For transmission in an open medium (air), use CENELEC 50159-2 "Railway applications - Communication, signalling and processing systems - Part 2: Safety related communication in open transmission systems".
Examples of hazards linked to transmissions in an open medium (air gap):
  Repetition of messages: "due to a hardware failure the Radio In-fill repeats an old message, possibly unsafe"
  Deletion of messages: "a message is deleted due to a hardware failure"
  Insertion of messages: "an authorised third party involuntarily inserts a message, e.g. the Radio In-fill of another trackside section"
  Corruption of messages: "a message is accidentally changed (e.g. EMI) to another formally correct message"
  Masquerade: "an unauthorised third party voluntarily inserts a message"
  Etc.
The 50159-2 CoP provides measures for protecting against those hazards (e.g. CRC, time stamping, message sequencing, etc.). For more information see 50159-2.
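The receiving side of the measures just listed (CRC, time stamping, message sequencing) plus a keyed message authentication code for the "data protection" measure, as a Python example added here; it is neither the standard's safety layer nor the Radio In-fill Controller's code. Assumptions of this example: all authorised Radio In-fill units of one network share the constructed demo key, so a valid code with a foreign source id is classified as an insertion and an invalid code as a masquerade; the maximum message age is a constructed value:

```python
import hashlib
import hmac
import struct
import zlib
from typing import Optional, Tuple

KEY = b"constructed-demo-key"          # constructed; real deployments manage keys per their security policy
HEADER = ">HId"                        # source id (2 bytes) | sequence number (4) | timestamp (8)
HEADER_LEN = struct.calcsize(HEADER)   # 14
CRC_LEN, MAC_LEN = 4, 8
MAX_AGE_S = 2.0                        # assumed maximum age before a message counts as delayed


def build_frame(source_id: int, seq: int, timestamp: float, payload: bytes, key: bytes = KEY) -> bytes:
    """Safety-layer framing: header + payload, then CRC32 (corruption) and a truncated HMAC (masquerade)."""
    body = struct.pack(HEADER, source_id, seq, timestamp) + payload
    crc = struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    mac = hmac.new(key, body + crc, hashlib.sha256).digest()[:MAC_LEN]
    return body + crc + mac


class SafeReceiver:
    """Classifies each received frame as 'ok' or as one of the hazards named on the slide."""

    def __init__(self, expected_source: int, key: bytes = KEY, max_age_s: float = MAX_AGE_S):
        self.expected_source = expected_source
        self.key = key
        self.max_age_s = max_age_s
        self.last_seq: Optional[int] = None

    def check(self, frame: bytes, now: float) -> Tuple[str, Optional[bytes]]:
        """Return (verdict, payload); the payload is None whenever the frame must not be used."""
        if len(frame) < HEADER_LEN + CRC_LEN + MAC_LEN:
            return "corruption", None
        body = frame[:-(CRC_LEN + MAC_LEN)]
        crc = frame[-(CRC_LEN + MAC_LEN):-MAC_LEN]
        mac = frame[-MAC_LEN:]
        # Corruption (e.g. EMI): the CRC no longer matches the bits that arrived.
        if struct.unpack(">I", crc)[0] != zlib.crc32(body) & 0xFFFFFFFF:
            return "corruption", None
        # Masquerade: bits are self-consistent but were not produced with the authorised key.
        expected_mac = hmac.new(self.key, body + crc, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(expected_mac, mac):
            return "masquerade", None
        source, seq, ts = struct.unpack(HEADER, body[:HEADER_LEN])
        payload = body[HEADER_LEN:]
        # Insertion: an authorised unit, but of another trackside section.
        if source != self.expected_source:
            return "insertion", None
        # Delay / memorised packet delivered late: time stamping.
        if now - ts > self.max_age_s:
            return "delay", None
        # Sequencing: repetition (an old number again) or deletion (a gap in the numbering).
        if self.last_seq is not None:
            if seq <= self.last_seq:
                return "repetition", None
            if seq != self.last_seq + 1:
                self.last_seq = seq          # resynchronise; the gap itself is reported
                return "deletion", None
        self.last_seq = seq
        return "ok", payload
```

What the application does on a non-"ok" verdict (fall back to a restrictive aspect, request re-synchronisation) is the safety requirement the risk analysis has to fix; the receiver only makes the defect visible.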
Slide n° 118
4 – Risk Analysis and Evaluation – Current Status of harmonisation of Risk Acceptance Criteria (RAC)
General background
  RAC are needed for the "Explicit Risk Estimation" principle
  RAC are implicit for the first two principles (CoP and Ref Syst.)
  RAC are developed to support mutual recognition, cross-border traffic and the opening of the market
  Different possible levels for RAC
[Figure: pyramid of criteria – Global Risk Acceptance Criteria (Societal Risk, Individual Risk, etc.) at the top, RAC-TS and Other RAC below, Risk Profile at the base.]
Slide n° 119
4 – Risk Analysis and Evaluation – Current Status of harmonisation of Risk Acceptance Criteria (RAC)
Main concepts of the RAC development
  Agreement to focus only on low-level criteria:
    where mutual recognition is needed;
    where the proposer is in a position to demonstrate it.
  CST are developed for "harmonising" high-level RAC.
  Different types of low-level RAC for technical systems:
    1) where the function is entirely covered by technical solutions;
    2) where the function is covered by both a technical solution and a human action;
    3) where the function is covered by human activities.
Slide n° 120
4 – Risk Analysis and Evaluation – Current Status of harmonisation of Risk Acceptance Criteria (RAC)
Design targets for technical systems (for the first two types)
Risk matrix based on the RAC-TS (direct catastrophic consequence) decided.
Risk matrix (rows: frequency of hazardous event; columns: consequence)
Frequency of hazardous event | Insignificant | Marginal | Critical | Catastrophic (*)
Frequent | Unacceptable | Unacceptable | Unacceptable | Unacceptable
Occasional | Acceptable | Unacceptable | Unacceptable | Unacceptable
Rare | Acceptable | Acceptable | Unacceptable | Unacceptable
Improbable | Acceptable | Acceptable | Acceptable | Unacceptable
Incredible (10^-9 per hour) | Acceptable | Acceptable | Acceptable | Acceptable (RAC-TS)
(*) Catastrophic: collective impact capable of resulting in deaths and several severe injuries.
The "slope" and the definition of the scale for frequency and consequence are under discussion.
This general approach has been agreed with SSMG.
Design target for other failure consequences than catastrophic:
  Possibility to derive a THR for a technical system when the catastrophic consequence is not direct, through the use of a barrier analysis (additional technical barriers, human barriers, reduction factors).
  The TF is developing an example for this.
Slide n° 121
4 – Risk Analysis and Evaluation – Current Status of harmonisation of Risk Acceptance Criteria (RAC)
Matrix applicable, but:
  no evidence that 10^-9 h^-1 can be used as a starting point;
  wish to avoid the development of a complex methodology for human factor quantification;
  work focussed on a qualitative approach;
  principles of redundancy for human activities;
  close collaboration with SSMG.
SSMG position – focus on the relevant redundancies and working conditions:
  it is mainly the relevant redundancies linked to certain failure modes that should be developed for now;
  working conditions are covered by the SMS.
Slide n° 122
4 – Risk Analysis and Evaluation – Current Status of harmonisation of Risk Acceptance Criteria (RAC)
All the proposed criteria should be seen as "sufficient but not necessary" – as is the case for the RAC-TS.
Compliance with the RAC shall lead to mutual recognition:
  less demanding if the proposer can demonstrate that it maintains the safety level;
  more demanding via NSR.
Slide n° 123
4 – Risk Analysis and Evaluation – Current Status of harmonisation of Risk Acceptance Criteria (RAC)
Steps in the near future:
  definition of the minimum necessary set of consequences for which RAC will be necessary for technical systems;
  elaborate further the concept of "reduction factor";
  continue to develop a tool supporting the application of the matrix;
  continue to develop the principles applicable for accepting human actions/tasks redundancy.
Slide n° 125
(5) Hazard Records
Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment
Slide n° 126
5 – Hazard Record – Managing the hazards
For presentation purposes, CSM Process split into 7 topics (see questionnaire)
(1) Introduction
(2) What is a significant change?
(3) Hazard Identification phase;
(4) Risk analysis and evaluation
(5) Hazard Management and Hazard Records;
(6) Demonstration of system compliance with the safety requirements
(7) Independent assessment of correct application of CSM Process by an Assessment Body
[Figure: modular presentation – topics (2) to (7) arranged around HAZARD MANAGEMENT [Annex III(2)(g) of SD] and INDEPENDENT ASSESSMENT, which run alongside the whole process.]
Slide n° 127
5 – Hazard Record – WHY are they needed?
Hazard Records need to be created and updated by the proposer (Annex 1.4 of the CSM Regulation).
They are an important part of the hazard management process.
They track the progress of the process – identification of the hazard, the potential risk and how the risk needs to be controlled through the selected risk acceptance principles:
  Codes of practice
  Reference systems
  Risk estimation
[Figure: repeated Hazard → Risk → Control loops inside HAZARD MANAGEMENT [Annex III(2)(g) of SD].]
Slide n° 128
5 – Hazard Record – WHO is responsible?
If there are a number of actors involved in the project, each may have responsibility for their part of the system under assessment. They will keep a record of the hazards for their part of the project.
There should be one overall actor (proposer) who has responsibility for the main record, which covers all the necessary elements of the system under assessment.
It does not have to contain all the information from the actors involved, only the links and key safety related
Exchange of information will be important if the hazard cannot be controlled by one actor alone.
[Figure: Hazard Record for the system under assessment, with Actors A, B, C and D each keeping their own record and exchanging information, inside HAZARD MANAGEMENT [Annex III(2)(g) of SD].]
Slide n° 129
5 – Hazard Record – What information should they contain?
All the hazards that the actor is responsible for, the associated safety measures, and the resulting safety requirements issued from the risk assessment process.
All the assumptions taken into account within the definition of the system under assessment. These assumptions determine the limits and the validity of the risk assessment.
All the hazards and the associated safety measures received from other actors in compliance with the project. These include all the assumptions and restrictions of use and generic product safety cases that are produced by the manufacturers.
The status of the hazards (i.e. controlled or open) and of the associated safety measures (i.e. validated or open).
Note: the level of detail required is related to the level of risk.
Slide n° 130
5 – Hazard Record – When should they be updated?
Whenever:
  a new hazard is discovered or a new safety measure is identified;
  a new hazard is identified during the operation and maintenance of the system after its commissioning, so that the hazard can be assessed in compliance with the CSM as to whether it represents a significant change (this will be part of the SMS – Annex III (g));
  it could be necessary to take into account accident and incident data;
  there are changes to the safety requirements or to the assumptions about the system.
Slide n° 131
5 – Hazard Record – What are the links to the SMS?
RUs and IMs can use their procedures under their SMS:
  Annex III(2)(g) of the RSD requires the SMS to contain procedures and formats for how safety information is to be documented and the designation of a procedure for configuration control of vital safety information.
  The hazard record can therefore be part of the SMS for recording and managing risks that occur throughout the lifecycle of the equipment.
  It does not have to be a separate process.
For other actors:
  no legal requirement;
  but it is likely that they have a hazard management process;
  existing processes can be adapted.
Slide n° 132
5 – Hazard Record – What are the benefits to the project?
They help map out and record the decision-making process – providing transparency and consistency.
They allow corrective actions to be taken promptly and quickly (link to SMS).
Exchange of information – they allow a number of players to contribute.
Evidence of continuing compliance – accountability.
They do not have to be complicated – targeted on the key issues.
Dissemination of Commission Regulation
on CSM on Risk AssessmentSlide n° 134
5 – Hazard Record: Partial Example of a Hazard Record/Log Table
Columns: N° | HZD Origin | Hazard description | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status

1 | HAZOP report RX | Maximum speed of train set too high (Vmax) | Wrong specific configuration of the onboard sub-system (maintenance staff); wrong data entry onboard (driver) | RU | Define a procedure for the approval of the onboard sub-system configuration data; define an operational procedure for the data entry process by the driver | Explicit Risk Estimation | Yes | Controlled (exported to RU); refer also to section C.16.4.2 in Appendix C

2 | HAZOP report RX | Braking curves (i.e. Movement Authority) in onboard sub-system configuration data too permissive | The procedure for the specific configuration of the onboard sub-system depends on: the safety margins taken for the train braking system; the reaction delay of the train braking system (directly dependent on the train length, especially for freight trains) | RU | Specify correctly the system requirements in the System Definition; take sufficient safety margins for the braking system of the specific train | Explicit Risk Estimation | Yes | Controlled (exported to RU); refer also to section C.16.4.2 in Appendix C
Slide n° 135
5 – Hazard Record – Operational Change: Driver Only Operated Train (DOO)
For the railway undertakings the hazard management process was part of their safety management system for recording and managing risks.
The identified hazards were registered in a hazard record (similar template as below) with the safety requirements controlling the associated risk, i.e. reference to additional onboard and trackside equipment as well as to the revised operational procedures.
The revised procedures were monitored, and reviewed when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system.
Columns: N° | HZD Origin | Hazard description | Cause | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status

1 | HAZOP report RX | Opening of doors – risk of passenger fatality | Driver | Driver error through lack of competence or seating position | RU | Training; cab design | Code of Practice | Partly | Partly closed

2 | HAZOP report RX | Failure of the CCTV – driver cannot see the platform | CCTV | Vandalism; incorrect/insufficient maintenance | IM | Protection of the equipment; regular checks | Code of Practice | No | Closed, measures in place
Slide n° 136
5 – Hazard Record – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample of Hazard Record
Columns: Description | Safety Measures | Priority (Safety/Punctuality) | Implementation Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Date | Status (xx.xx.xx)

Description: Reduced motivation among employees remaining in Company: staff continuing to leave without stop; demotivated / worn out managers.
Safety Measures: New round of motivational work for the staff, to be performed in smaller groups. Reallocation of funds so that Company gets meaningful tasks to perform. More frequent inspections by track manager. Allocate funds to make sure that key staff stays throughout the process. Give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks. Etc.
Priority (Safety/Punctuality): High/High
Implementation Notes: Coordinated by IOP. Regions must look at measures to increase control of tracks, overlap of employees and follow-up by line managers. Increased inspections need to be included in the contracts. Etc.
Responsibility: Company Manager
Verification / Status: Change of conditions/circumstances has reduced this risk significantly. Work environment analysis performed and some training of staff.
Slide n° 137
5 – Hazard Record – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample of Hazard Record
Columns: Description | Safety Measures | Priority (Safety/Punctuality) | Implementation Notes | Responsibility | Deadline | Performed date | Responsibility for verification | Way of verification | Date | Status (xx.xx.xx)

Description: Subcontractors of the entrepreneurs lacking skill, competency and quality control.
Safety Measures: Increased demand for documented competence. Systematic control of performed tasks.
Priority (Safety/Punctuality): High/Medium
Implementation Notes: IM must coordinate. Regions must implement measures for requiring competence and controlling the work. Implemented by contract follow-up. Input to revision planning.
Responsibility for verification: Safety manager
Status: Increased focus on routines for control (2 operative controls per month and operative area).

11: Description: Uncertainty of roles and responsibilities in the interface between Company and IM (Track manager).
Safety Measures: Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces.
Priority (Safety/Punctuality): Medium/Medium
Implementation Notes: In each region separately. Implemented by maintenance contract and the strategy plan for the reorganisation.
Responsibility: Regional directors
Responsibility for verification: Safety Manager
Status: Regions have presented their strategy.
Slide n° 138
5 – Hazard Record – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample of Hazard Record
The Hazard and Risk Analysis was a table describing the identified hazards, evaluating the severity and suggesting risk mitigation/control.
This information from the Risk Analysis table was mirrored within the Hazard Record/Log, which also includes additional information on who is responsible for implementing the measure, the deadline for the implementation, and who is in charge of verifying the implementation and the efficiency of the identified measure(s).
Indeed, for such organisational changes, the efficiency of the identified actions and decisions had to be monitored to verify whether they fully control the considered risk.
This is natural, as it may be difficult to foresee and measure the exact result of a safety measure related to an organisational issue (such as training, motivating work for staff, etc.), so the effects have to be followed up closely in a longer process where the analysis is continuously updated.
Slide n° 139
5 – Hazard Record – Organisational Change: Outsourcing of a maintenance branch of an IM – Sample of Hazard Record
Therefore, the risk analysis and the hazard record/log were living documents. The efficiency of decided actions was monitored at regular intervals to check whether the conditions had changed and whether the risk analysis and risk evaluation needed to be updated. They were updated when actions were performed and hazards “closed”. A status field was updated to describe what actions were taken or were under way.
If any circumstances changed compared to the initial context of the risk analysis, the risk analysis and hazard record/log had to be updated to ensure that hazards and risks were under control.
The hazards that could not be closed (as not all the measures could be implemented or verified rapidly) were followed up. Their status was also monitored and rechecked on several occasions (with additional dated status columns added to the hazard record/log table) to verify that finally all the hazards would be closed.
Slide n° 140
5 – Hazard Record: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
The identified hazards, the safety measures and the resulting safety requirements issued from the risk assessment and the application of the three risk acceptance principles were registered and managed in a hazard record using a form similar to the table below.
Columns: N° | HZD Origin | Hazard description | Cause | Additional information | Actor in charge | Safety Measure | Used Risk Acceptance Principle | Exported | Status

1 | HAZOP report RX | Transmission of old and unsafe messages | Radio in-fill controller hardware | | Manufacturer | RAC-TS for Radio In-fill design | Explicit risk estimation | Radio In-fill sub-contractor | Closed
1 | HAZOP report RX | Transmission of old and unsafe messages | Radio in-fill controller software; GSM | | Manufacturer | CENELEC 50128, 50159-2 | Code of Practice | Radio In-fill sub-contractor | Closed
2 | HAZOP report RX | Open transmission medium | Radio in-fill controller; hacker | Dedicated standards available | Manufacturer | CENELEC 50159-2 | Code of Practice | Radio In-fill sub-contractor | Closed
Slide n° 141
Time schedule for CSM dissemination workshop 2nd day of workshop
2nd day: 10:00 to 16:00
09:30 – 10:45: Demonstration of system compliance with safety requirements
10:45 – 11:00: Coffee Break
11:30 – 12:30: Assessment Body
12:30 – 13:30: Lunch Break
13:30 – 14:00: Internal discussions among representatives of each MS
14:00 – 14:30: Questions/discussion and feedback from those discussions
14:30 – 14:45: Coffee Break
14:45 – 15:45: Presentation of examples: presentations by participants of examples communicated to ERA before the workshop
15:45 – 16:00: Conclusions and close out of the workshop
Slide n° 142
(6) Demonstration of system compliance with the safety requirements
Dissemination of the Commission Regulation on Common Safety Methods (CSM) onRisk Evaluation and Risk Assessment
Slide n° 143
6 – Demonstration of system compliance with safety requirements
For presentation purposes, CSM Process split into 7 topics (see questionnaire)
(1) Introduction
(2) What is a significant change?
(3) Hazard Identification phase;
(4) Risk analysis and evaluation
(5) Hazard Management and Hazard Records;
(6) Demonstration of system compliance with the safety requirements
(7) Independent assessment of correct application of CSM Process by an Assessment Body
Slide n° 144
6 – Demonstration of system compliance with safety requirements: Requirements in CSM Regulation [Chapter 3]
Prior to safety acceptance of change, fulfilment of safety requirements to be demonstrated
Demonstration under supervision of proposer
But each actor responsible for the demonstration of safety requirements for its part of system
Approach chosen for the compliance demonstration and demonstration to be independently assessed by AB
Inadequacies of safety measures or new hazards discovered during demonstration to be reassessed vs. CSM
[Figure: CSM risk assessment process. Preliminary System Definition; Significant Change?; System Definition; Hazard Identification and Classification; Risk Analysis using Codes of Practice, Similar Reference Systems or Explicit Risk Estimation; Risk Evaluation (vs. Risk Acceptance Criteria); Safety Requirements (i.e. safety measures to be implemented); Demonstration of Compliance with Safety Requirements. Hazard Management (Annex III(2)(g) of SD) and Independent Assessment run alongside the whole process.]
Slide n° 145
6 – Demonstration of system compliance with safety requirements: Purpose of demonstration
CSM Process safety requirements are expected to control the identified hazards
System developed against those safety requirements (for technical systems: designed, validated and accepted)
Prior to acceptance of the change, need to demonstrate that:
the 3 risk acceptance principles (RAP) were correctly applied and actually control the hazards to an acceptable level
therefore the system is actually compliant with the specified safety requirements
[Figure: CSM risk assessment process diagram, as on Slide n° 144]
Slide n° 146
6 – Demonstration of system compliance with safety requirements: Proposer’s Responsibility – Other Actors’ Responsibility
Proposer has overall responsibility for coordinating and managing the demonstration of compliance
But each actor, including the proposer where relevant, must demonstrate compliance of the sub-system it is responsible for with:
SR allocated to sub-system by proposer
SR transferred to relevant actor by other actors via interfaces
additional and internal SR from safety assessments and safety analyses done at sub-system level
[Figure: SYSTEM LEVEL, all identified safety requirements (SR), allocated to Sub-System 1, Sub-System 2 up to Sub-System N. Safety Requirements for a SUB-SYSTEM come from the Proposer, from internal risk analyses and from other actors via INTERFACES; SR for other sub-systems and system requirements for the Proposer are passed back across the interfaces; all are registered in the Hazard Record.]
Slide n° 147
6 – Demonstration of system compliance with safety requirements: Interface Management – Cooperation for Shared Risks (1/2)
Separation of activities/functions between actors involved in development and operation of railway systems (RUs, IMs, contractors, etc.) can result in risks at interfaces
Concerned actors shall cooperate for managing hazards at INTERFACES (shared risks) [common understanding and agreement]
Shared risk management shall be coordinated by the Proposer (system view). The Proposer allocates responsibilities to the actors concerned by the relevant interfaces
Safety measures at interfaces to be transferred to the right actors via Hazard Records
Proposer responsible for CSM application as well as for integration of the system under assessment (INTERFACE) into the railway system as a whole
Slide n° 148
6 – Demonstration of system compliance with safety requirements: Interface Management – Notifications to Proposer (2/2)
Transferred measures and non-compliance of safety measures (SM) are notified to the Proposer, who in turn informs the actor responsible for the SM
The concerned actor shall inform all other actors affected (system under assessment + existing systems as far as known)
Slide n° 149
6 – Demonstration of system compliance with safety requirements: Sub-System Safety Analyses (1/4)
To fulfil the SR allocated to each sub-system, the actor in charge shall carry out safety assessments and safety analyses to identify systematically:
all reasonably foreseeable causes within the sub-system contributing to hazards at the level of the system under assessment
safety measures, and resulting SR, at sub-system level expected to control these causes and associated risks to an acceptable level
Register in the Hazard Record all hazards the actor must control + the safety measures to be implemented by the actor
Causal Analyses are an example of safety assessments and safety analyses at sub-system level, but other methods can also be used
Slide n° 150
6 – Demonstration of system compliance with safety requirements: Sub-System Safety Analyses (2/4)
Example of Figure A.4 of EN 50 129: Definition of hazards with respect to the system boundary
Causes of hazards at the level of the system under assessment may be considered as hazards at the sub-system level (with respect to the sub-system boundary).
[Figure: causes on the left, consequences on the right; a Sub-System Boundary nested inside the System Boundary; a Cause (of a Hazard at Sub-System Level) leads to a Hazard (at Sub-System Level), which is a Cause (of a Hazard at System Level), leading to a Hazard (at System Level) and then to Accident k / Accident l beyond the System Boundary]
Slide n° 151
6 – Demonstration of system compliance with safety requirements: Sub-System Safety Analyses (3/4)
CSM Process steps can be repeated at each lower-level phase of the CENELEC V-Cycle to derive safety measures and SR to be fulfilled by the next phase:
Hierarchical structuring of Hazards-Causes vs. system & sub-systems
Systematic Hazard Identification & Causal Analysis activities (or any relevant method)
Systematic use of Hazard Records for registering and managing hazards and safety measures by the actor in charge
Use of Codes of Practice, similar Reference Systems and Explicit Risk Estimation
Derived sub-system SR need to be implemented and their fulfilment demonstrated by the concerned actor
NB: the Proposer is responsible for demonstrating compliance with the safety requirements at system level
Slide n° 152
6 – Demonstration of system compliance with safety requirements: Sub-System Safety Analyses (4/4)
[Figure: Phase N-1, Phase N and Phase N+1 of the CENELEC V-Cycle. Safety Requirements for Phase N lead to Safety Measures in Phase N and to Safety Requirements for Phase N+1 (i.e. safety measures to be implemented), which in turn lead to Safety Measures in Phase N+1 and Safety Requirements for Phase N+2. At Level N, all identified safety requirements (SR) come from Level N, from internal risk analyses and from other actors via INTERFACES; SR for other actors at level N+1 are transferred across the interfaces, and everything is registered in the Hazard Record of Level N.]
Slide n° 153
6 – Demonstration of system compliance with safety requirements: Independent Assessment by Assessment Body
Approach for demonstrating compliance with SR + the demonstration itself independently assessed by an AB
If there are no contractual obligations or MS legal requirements, each actor is free to appoint an AB for the part of the system it is in charge of
more than one AB can be involved in the same project
Proposer, with support of its AB, responsible for integrating the different sub-systems and for coordinating the different ABs involved in the project
[Figure: CSM risk assessment process diagram, as on Slide n° 144]
Slide n° 154
6 – Demonstration of system compliance with safety requirements: New Iteration of CSM Process for detected non-compliances
Inadequacies of safety measures or new hazards discovered during demonstration to be reassessed vs. CSM
E.g. choice of technical solution for design of system or sub-systems, not foreseen by SR, could create a new hazard
New hazards registered in Hazard Record
Deviations and/or new hazards considered as new inputs for a new loop in iterative risk assessment process
[Figure: CSM risk assessment process diagram, as on Slide n° 144]
Slide n° 155
6 – Demonstration of system compliance with safety requirements: Correspondence between CSM and CENELEC
CENELEC V-Cycle phases, numbered as on the slide:
1 Concept
2 System Definition & Application Conditions
3 Risk Analysis
4 System Requirements
5 Apportionment of System Requirements
6 Design and Implementation
7 Manufacture
8 Installation
9 System Validation (including Safety Acceptance and Commissioning)
10 System Acceptance
11 Operation and Maintenance
12 Performance Monitoring
13 Modification and Retrofit
14 De-commissioning and Disposal
Boxes overlaid on the life-cycle (BOX 1 to BOX 4) relate it to the CSM and carry the labels: Preliminary System Definition in CSM's; CSM's for RISK ASSESSMENT; Safety Requirements; Demonstration of Compliance with the Safety Requirements; Re-application of the CSM.
[Figure: CSM risk assessment process diagram, as on Slide n° 144]
Slide n° 157
6 – Demonstration of system compliance with safety requirements: Operational change – Driver Only Operated Train (DOO)
Demonstration of the system compliance with safety requirements:
system implemented vs. identified safety requirements (additional equipment and revised procedures to enable Driver Only Operation)
the revised operational procedures are then introduced in the RU safety management system
the correct application by the Driver of the revised procedures, and their efficiency, is monitored and reviewed, when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system, i.e. that the procedures and their application are appropriate to ensure a sufficient level of safety without onboard staff
Slide n° 158
6 – Demonstration of system compliance with safety requirements: Organisational change – Outsourcing of a maintenance branch of an IM
Demonstration of the system compliance with safety requirements:
Risk Analysis and Hazard Record show that hazards cannot be closed until they are verified and it is demonstrated that the safety requirements (i.e. selected safety measures) are implemented.
Risk Analysis and Hazard Record are living documents. The efficiency of decided actions is monitored at regular intervals to check if the conditions are changed and if the Risk Analysis and Risk Evaluation need to be updated.
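An added example, not from the Agency's slides, of a small hazard record that enforces the rules presented in module 5 (slides 130 to 139), the interface transfer of slides 146 to 148 and the closure rule above: a hazard is closed only once every safety measure is both implemented and verified, exporting a hazard hands it over to the other actor's record, and a change of assumptions sends the hazards back into the CSM loop. The actors, dates, verifiers and measure wording are constructed for the example, and Python is used although the slides show no code.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

PRINCIPLES = ("Code of Practice", "Similar Reference System", "Explicit Risk Estimation")

@dataclass
class SafetyMeasure:
    description: str
    responsible: str                   # actor implementing the measure
    deadline: date
    performed: Optional[date] = None   # implementation date; None = not yet done
    verified_by: Optional[str] = None  # who verified implementation and efficiency
    verified_on: Optional[date] = None

    def closed(self) -> bool:          # implemented AND verified (closure rule)
        return self.performed is not None and self.verified_on is not None

@dataclass
class Hazard:
    number: int
    origin: str                        # e.g. "HAZOP report RX"
    description: str
    cause: str
    actor_in_charge: str
    principle: str                     # risk acceptance principle used
    measures: list = field(default_factory=list)
    exported_to: Optional[str] = None  # actor the hazard was transferred to
    reassess: bool = False             # SR or assumptions changed: new CSM loop

    def __post_init__(self) -> None:
        if self.principle not in PRINCIPLES:
            raise ValueError(f"unknown risk acceptance principle: {self.principle}")

    def status(self, today: date) -> str:
        # Derive the "Status" column of the record for a given date.
        if self.reassess:
            return "to be reassessed (new CSM iteration)"
        if self.exported_to:
            return f"controlled (exported to {self.exported_to})"
        if not self.measures:
            return "open"
        done = sum(m.closed() for m in self.measures)
        if done == len(self.measures):
            return "closed, measures in place"
        overdue = sum(m.performed is None and m.deadline < today for m in self.measures)
        if overdue:
            return f"open, {overdue} measure(s) overdue"
        return "partly closed" if done else "controlled, measures decided"

class HazardRecord:
    # Hazard record/log of one actor (RU, IM, manufacturer, ...).
    def __init__(self, actor: str) -> None:
        self.actor = actor
        self.hazards: dict[int, Hazard] = {}

    def register(self, hazard: Hazard) -> Hazard:
        self.hazards[hazard.number] = hazard
        return hazard

    def export(self, number: int, to: "HazardRecord") -> Hazard:
        """Transfer across an interface: exporter keeps it as exported, receiver registers it."""
        src = self.hazards[number]
        src.exported_to = to.actor
        return to.register(Hazard(len(to.hazards) + 1, f"exported by {self.actor}",
                                  src.description, src.cause, to.actor, src.principle))

    def assumptions_changed(self) -> None:
        """Changed SR or system assumptions: every hazard re-enters the loop."""
        for h in self.hazards.values():
            h.reassess = True

    def snapshot(self, today: date) -> dict:
        # One dated status column: hazard number -> status.
        return {n: h.status(today) for n, h in self.hazards.items()}

def doo_records() -> tuple:
    """Constructed data loosely following the DOO slide (dates and names are made up)."""
    ru, im = HazardRecord("RU"), HazardRecord("IM")
    doors = ru.register(Hazard(1, "HAZOP report RX", "Opening of doors - passenger fatality",
                               "Driver error (competence, seating position)", "RU",
                               "Code of Practice"))
    doors.measures += [
        SafetyMeasure("Driver training", "RU", date(2010, 3, 1), date(2010, 2, 20),
                      "RU safety manager", date(2010, 3, 5)),
        SafetyMeasure("Cab design review", "RU", date(2010, 6, 1))]
    ru.register(Hazard(2, "HAZOP report RX", "CCTV failure - driver cannot see platform",
                       "Vandalism, insufficient maintenance", "RU", "Code of Practice"))
    cctv = ru.export(2, im)   # platform CCTV is IM equipment: hand over via the interface
    cctv.measures.append(SafetyMeasure("Protect equipment, regular checks", "IM",
                                       date(2010, 4, 1), date(2010, 3, 15),
                                       "IM safety manager", date(2010, 4, 2)))
    return ru, im

def statuses_on(day: str, ru_assumptions_changed: bool = False) -> dict:
    """Status columns of both records on an ISO date such as '2010-04-10'."""
    ru, im = doo_records()
    if ru_assumptions_changed:
        ru.assumptions_changed()
    today = date.fromisoformat(day)
    return {"RU": ru.snapshot(today), "IM": im.snapshot(today)}
```

Taking a new snapshot on a later date adds the next dated status column the slides describe, and an overdue measure shows up as such rather than silently staying "controlled".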
Slide n° 159
6 – Demonstration of system compliance with safety requirements: Outsourcing of a maintenance branch of an IM – Sample of Hazard Record (hazard record table as on Slide n° 136)
Slide n° 160
6 – Demonstration of system compliance with safety requirements: Outsourcing of a maintenance branch of an IM – Sample of Hazard Record (hazard record table as on Slide n° 137)
Slide n° 161
6 – Demonstration of system compliance with safety requirements: Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system
Demonstration of the system compliance with safety requirements:
follow-up of the implementation of the safety requirements through the development process of the "radio in-fill + GSM" sub-system;
verification that the system, as designed and installed, is compliant with the safety requirements.
This includes follow-up during design and V&V of the Radio In-fill of all requirements from the CoP (CENELEC 50128 & 50159-2 for the software of the Radio In-fill) + demonstration of achievement of the RAC-TS for random hardware failures of the Radio In-fill sub-system.
Slide n° 163
(7) Assessment Bodies
Dissemination of the Commission Regulation on Common Safety Methods (CSM) onRisk Evaluation and Risk Assessment
Slide n° 164
7 – Assessment Bodies: Verifying the change
An independent assessment of the complete risk management process undertaken by the proposer should be undertaken by an independent body to verify the change and the demonstration of compliance.
Slide n° 165
7 – Assessment Bodies: WHO acts as assessment body?
Independent and competent person, organisation or entity (Article 3(14))
Open to NSA, NOBO, external or in-house ISA meeting the criteria identified in Annex II of the Regulation
BUT need to take into account the tasks allocated to NSA and NOBO in Directive 2004/49/EC and Directive 2008/57/EC
Slide n° 166
7 – Assessment Bodies: WHY & WHEN are they needed?
Support the proposer’s decision to accept significant changes by ensuring the correct application of the risk management process
Support and facilitate the mutual recognition of the results of the application of the CSM on risk assessment
Although it is not explicitly a requirement of the CSM, the assessment body should be involved early on in the project
Slide n° 167
7 – Assessment Bodies: WHAT do they do?
The independent assessment will include:
The system definition
The hazard identification and risk analysis
The risk evaluation
The demonstration of compliance with the safety requirements, including the chosen approach
They do not need to check the evaluation of the significance of the change
The assessment body will provide the proposer with a Safety Assessment Report
The report will:
set out their findings on the review of the risk management process
confirm that the system under assessment meets the requirements and whether it can be used safely
Slide n° 168
7 – Assessment Bodies: WHAT do they do?
The report will:
support the proposer’s decision to accept the change
provide evidence to the NSA that the proposer has correctly applied the CSM process, particularly if the change relates to an authorisation to place structural sub-systems into service
be useful in any inspections that the NSA undertakes in relation to the SMS and the application of the CSM
Slide n° 169
7 – Assessment Bodies: Interfaces
The management of interfaces is key throughout the development of the project
If more than one assessment body is involved, the proposer will need to co-ordinate the activities of the bodies
This can:
help with interface management
be useful before switching over from one step of the risk assessment to the next one
Duplication of work in terms of independent assessment shall be avoided – reports shall not be called into question
Slide n° 170
7 – Assessment Bodies: What are the criteria for their selection?
Independent from the design, manufacture, construction, marketing, operation or maintenance of the system
Professional integrity
Competent (skills, training, knowledge and experience) to perform the tasks required of them
Civil liability insurance
Commercial confidentiality
Slide n° 171
7 – Assessment Bodies: Ongoing work from the Task Force
Identified the interface between independent assessment and conformity assessment (for safety certification/authorisation and EC verification for sub-systems) – no answer to the “WHO?”
HOW?
Expect to define a methodology for carrying out independent safety assessment
Expect to define a scheme for the voluntary accreditation of Assessment Bodies or alternatively recognition by NSAs
Timetable:
First position paper on the role and responsibilities of Assessment Bodies by the end of the year
Feed into the revision of the CSM on risk assessment planned in 2011
Slide n° 173
(8) Conclusions
Dissemination of the Commission Regulation on Common Safety Methods (CSM) onRisk Evaluation and Risk Assessment