Slide n° 1 Safety Conference of Danish Transport and Construction Agency - Copenhagen, 28th October 2015

CSM for risk assessment: Proactive decision making instrument

Consequences and benefits of latest changes

Dragan JOVICIC, European Railway Agency

Slide n° 2

Content

EU railway market opening and restructuring (historical background context of railways)

Place of the CSM for risk assessment within the risk based approach

Overview of harmonised methods for safety management and safety supervision

Overall presentation of the CSM for risk assessment and of its successive changes

Latest amendments of the CSM for risk assessment: CSM Design Targets (CSM DT)

Discussions – Questions & Answers

Slide n° 3

EU railway market opening and restructuring

Change of Roles & Responsibilities for management and supervision of railway safety

Slide n° 4

Reminder

Historically, every country used different technical solutions, operational rules, standards, safety cultures and approaches to safety acceptance and safety management

One state railway company in which all functions were integrated:

Vehicle owner/keeper
Management of infrastructure
Operation of railway transport (passengers and freight)
Planning, management and performance of maintenance activities
etc.

The railway company was self-regulated, i.e. responsible for the Regulation, Management and Supervision of a “safe operation” of railway transport

International traffic: no legal obligations - made possible thanks to (voluntary) international or multilateral agreements

Slide n° 5

EU railway transport policy and railway legislation

Remove historical barriers to free circulation of trains and make railways business oriented and competitive

Technical Harmonisation (TSIs) & Common approaches for safety management

Open railway market to competition for rail transport services and railway supply industry

Prevent sector from using safety as a barrier to market access or an excuse to resist change

Slide n° 6

Common safety instruments for opening railway market

EU railway legislation sets up a common approach for:

safety regulation

safety management

safety supervision

in line with the "new Commission approach" for the creation of a single European railway market

As many new railway players and interfaces are created, it is necessary to:

1) maintain at least the existing level of safety in the EU railways, and increase it when reasonably practicable

2) create a basis for mutual trust

Slide n° 7

Common approach to safety within an open railway market

[Figure: EU railway legislation covering Safety Regulation, Safety Management and Safety Supervision]

EU legislation defines “Roles & Responsibilities“ (WHO shall do WHAT?)

[RUs, IMs, Vehicle Keepers, ECMs, NSAs, Notified Bodies, Designated Bodies, Manufacturers and others]

Responsibility for safety of the railway system is put on those who OPERATE and MAINTAIN railways:

RUs and IMs must manage and monitor their activities safely through a Safety Management System

ECMs must manage and monitor maintenance activities through a “System of Maintenance”

NSAs & other bodies (e.g. ECM Certification Body, NoBo, DeBo, etc.) ensure that RUs, IMs and ECMs comply with their obligations

Slide n° 8

Existing national railway systems are usually based on the use of rules and on retrospective review of «bad experiences» from the past

Directive 2004/49 requires the setting up of an SMS which shall «predict» what can happen and «prevent» it from happening, instead of «reacting and fixing» after unwanted events

The SMS introduces the concept of RISK MANAGEMENT, which requires looking both FORWARD and BACK (retrospectively)

→ the only new element in the SMS compared with existing national railway systems: developing a «predict and prevent» way of thinking

Harmonised thinking in terms of «risk» & «risk based approach»: transition from different national practices towards an SMS approach

In a “risk based approach” the key question is thus:

«What are the likely risks and the risk control measures I should put in place to manage safely my activities (my business)?»

Slide n° 9

Comparison of Proactive vs. Reactive approaches

Reactive approach (React & Fix):
Accidents are used to prevent the same accidents
Costly, with high impact on the system and society
Unable to control unknown risks

Proactive approach (Predict & Prevent):
Competence and knowledge are used to control risks and then to prevent accidents
No impact on the system and society
Can effectively prevent the occurrence of events

Slide n° 10

Place of the CSM for risk assessment within the risk based approach

Slide n° 11

Risk Management: links between CSM and SMS

Risk Management is a key process of the safety management system (SMS):

“The SMS … shall ensure the control of all risks associated with the activity of the IM or RU, including the supply of maintenance and material and the use of contractors…” (Directive 2004/49, Article 9(2))

The SMS organises the assessment and the management of risks:

“procedures and methods for carrying out risk evaluation and implementing risk control measures whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations;” (Directive 2004/49, Annex III – art. 2 Basic elements (d))

The implementation of a Safety Management System requires the application of the CSM for Risk Assessment

Slide n° 12

[Figure: SMS built from Risks, Rules, Processes and Procedures]

Why should I have a measure/procedure?

How can I avoid or decrease the risk?

What do I already have in place for that?

Building an SMS is a systematic review of the "likely risks" linked to my operations and identification of the "risk control measures"

Role of rules in SMS:

The EU regulatory framework is not a conflict between risk-based and rule-based approaches but a combination of both

It is necessary to identify & understand how rules fit into the whole management system

The RU/IM SMS must consider not only National Rules but all rules necessary to deliver the operation safely

Slide n° 13

SMS provides a structured framework to ensure that:

1) PLAN: the company is designed (i.e. organised) to deliver safely the operation

2) DO: the company actually deploys the operational and support processes

3) CHECK: the company measures the effectiveness of the processes

4) ACT/ADJUST: the company takes preventive or corrective measures on detection of non-compliances

SMS is not an alternative to the existing set of safety related technical and operational rules. It is a structured way to apply them taking into account the risks related to the specific activities of the RU or IM

Objective of SMS: keep "set rules" up to date

[Figure: SMS Plan-Do-Check-Act cycle]

Slide n° 14

[Figure: SMS built on Risk management, Rules, Processes and Procedures]

What is an SMS?

A documented and structured framework for the safe management of all company activities

Ensures appropriate processes, procedures and rules exist for controlling all company risks

Enables identification of hazards and continuous management of risks related to the company activities, with the aim of preventing accidents

Uses scientific "risk management" tools to support company managers in taking conscious decisions for their business

Slide n° 15

Overview of harmonised methods for safety management and safety supervision

Slide n° 16

European Railway Legislation Safety Regulatory Framework

[Figure: Safe Operation & Safe Maintenance, shown as the SMS/MMS Plan-Do-Check-Act cycle with assessment and monitoring/supervision/surveillance instruments attached to its phases]

Railway Safety Directive 2004/49/EC

CSM for Risk Assessment Regulation 402/2013

CSM for Monitoring Regulation 1078/2012

CSM for Conformity Assessment - Regulations 1158/2010 & 1169/2010

ECM Regulation 445/2011 (freight wagons)

CSM for Supervision Regulation 1077/2012

ECM Regulation 445/2011 (Annex III) (freight wagons)

Slide n° 17

Overall presentation of the CSM for risk assessment and of its successive changes

Slide n° 18

Versions of CSM for risk assessment

[Figure: timeline of the successive versions]

Regulation 352/2009: developed 2005 to 2007; RAC-TS [10^-9 h^-1]; 19/07/2010 technical changes, 01/07/2012 TOO changes

Regulation 402/2013: developed 2010 to 2012; R&R CSM AB; 21st May 2015 (repealing Reg. 352/2009)

Regulation 2015/1136: developed 2012 to 2014; CSM DT [10^-9 & 10^-7 h^-1]; more categories of RAC-TS; 3rd August 2015 (amending Reg. 402/2013)

Slide n° 19

Overview of the CSM for risk assessment Process in Annex I

Defines a common process for risk assessment

Iterative Risk Management Process “triggered” by a Significant Change:

(a) System definition

(b) Hazard identification & classification

(c) Identification of safety measures

(d) Risk analysis based on use of existing Risk Acceptance Principles (RAP):
1) Codes of practice
2) Reference Systems
3) Explicit risk estimation
There is no mandatory order of priority in the use of these three RAP

(e) Risk evaluation for checking acceptance of risk(s)

(f) Definition of safety requirements from identified safety measures

Demonstration of Compliance with Safety Requirements

[Figure: CSM risk management process flowchart. Preliminary System Definition → Significant Change? (justify and document the decision) → Risk Assessment: System Definition → Hazard Identification and Classification → Risk Analysis (Codes of Practice / Similar Reference Systems / Explicit Risk Estimation) → Risk Evaluation (vs. Risk Acceptance Criteria) → Safety Requirements (i.e. safety measures to be implemented) → Demonstration of Compliance with Safety Requirements; Hazard Management and Independent Assessment run alongside the whole process]

352/2009

Slide n° 20

Overview of the CSM for risk assessment Process in Annex I

[Figure: CSM risk management process flowchart (Annex I), as on slide 19]

CSM for risk assessment also requires:

Update system definition with identified safety requirements;

Demonstrate compliance with system definition, and thus with safety requirements from risk assessment;

To support mutual recognition:

(a) Risk assessment and risk management must be documented in a hazard record;

(b) Independent assessment by a CSM Assessment Body of correct application of the CSM Process and of appropriateness of results

352/2009

Slide n° 21

Independent CSM Assessment Body: check correct application of CSM for risk assessment

When the change is significant, a CSM Assessment Body must be appointed

The CSM assessment body shall carry out an independent assessment of:

correct application of the risk management process in Annex I, and;

suitability of results from the risk assessment process (Reg. 402/2013)

Criteria & requirements to be fulfilled: Who, What, How, When, etc.?

[Figure: CSM risk management process flowchart (Annex I) with the Independent Assessment role highlighted; Preliminary System Definition per Article 6 of Regulation 352/2009]

352/2009

Slide n° 22

Compliance with existing standards: general overview of risk management in ISO 31000

352/2009

Regardless of the type of business, activity or function of the company, Risk Management is a 7-step process:

Defining context (System Definition)

Risk Assessment:
Hazard/Risk Identification
Risk Analysis
Risk Evaluation

Risk Control

Risk Monitoring and Review

Communicate with and consult staff on company and activity risks

[Figure: ISO 31000 basic process steps, shown as part of the SMS: System Definition; Risk Assessment (Hazard/Risk Identification, Risk Analysis, Risk Evaluation); Risk Control; Risk Monitoring and Review; Communicate and Consult on risks]

‘Risk’ is dynamic and subject to constant change, so the Risk Management process includes continuous

Slide n° 23

Traceability between CSM and CENELEC

352/2009

[Figure: mapping of the CSM risk management process onto the CENELEC system lifecycle, grouped into BOX 1 to BOX 4. CSM side: Preliminary System Definition in the CSM; CSM for risk assessment: Significant Change? → System Definition → Hazard Identification and Classification → Risk Analysis (Codes of Practice / Similar Reference Systems / Explicit Risk Estimation) → Risk Evaluation (vs. Risk Acceptance Criteria), with Hazard Management [Annex III(2)(g) of the Safety Directive] and Independent Assessment alongside; Safety Requirements (i.e. safety measures to be implemented); Demonstration of Compliance with the Safety Requirements; Re-application of the CSM. CENELEC lifecycle phases: 1 Concept; 2 System Definition & Application Conditions; 3 Risk Analysis; 4 System Requirements; 5 Apportionment of System Requirements; 6 Design and Implementation; 7 Manufacture; 8 Installation; 9 System Validation (including Safety Acceptance and Commissioning); 10 System Acceptance; 11 Operation and Maintenance; 12 Performance Monitoring; 13 Modification and Retrofit; 14 De-commissioning and Disposal]

Slide n° 24

Independent CSM Assessment Body: general legal framework in Regulation 352/2009

Required when the change is significant - appointed by the Proposer, if there is no contrary national legal obligation

Necessary for mutual recognition of results from risk assessments, and for reduction of risk assessment costs and of requests for unjustified additional demonstrations

Checks correct application of the CSM process and appropriateness of results

Delivers a safety assessment report to support the Proposer in its decisions

WHEN? Not explicitly required in the CSM - should be involved early in the project and finishes with delivery of the independent assessment report to the Proposer

WHO? Whoever fulfils the general requirements in Annex II of Reg. 352/2009:

independence from design, manufacturing, construction, marketing, operation or maintenance of the system under assessment

professional integrity and competence (skills, training, knowledge and experience) to perform independent safety assessment

civil liability insurance & commercial confidentiality

352/2009

Slide n° 25

Independent CSM Assessment Body: novelty in Regulation 402/2013

To establish sufficient trust and enable mutual recognition of the independent assessment work of the CSM AB, the following questions needed an answer:

WHAT shall be assessed?

HOW are assessments to be performed?

WHAT is the content of the safety assessment report?

What is the interaction with other assessments (e.g. safety certification & authorisation process for placing in service structural sub-systems)?

What specific criteria and requirements need to be fulfilled?

Which areas of competence are necessary?

WHICH scheme could ensure similar quality of independent assessment? or HOW to become a CSM Assessment Body?

402/2013

Slide n° 32

Independent CSM Assessment Body: WHAT shall be assessed?

Correct application of the CSM: check of compliance with the CSM process

Suitability of results of the risk assessment: check that the system under assessment safely fulfils the intended objectives of the change

The assessment includes all steps of the CSM process:
system definition
hazard identification and risk analysis
risk evaluation and risk acceptance
demonstration of compliance with safety requirements

Evaluation of the significance of the change need not be checked

402/2013

Slide n° 33

Independent CSM Assessment Body: HOW is the independent assessment performed?

Independent assessment in Regulation 402/2013 is different from NoBo work:

a NoBo checks formal conformity of a structural sub-system vs. ALL requirements defined in the relevant TSIs

whereas the CSM assessment body makes JUDGEMENTS

To make its judgement, a complete, thorough review and follow-up of all activities of the “Proposer and its subcontractors” for design and implementation of the change is not cost effective and also not necessary

Rather, a three-step approach shall be undertaken, based on:

thorough understanding of the change and of its specification

assessment of the safety and quality processes put in place for the change

assessment of the application of these processes for the design and implementation of the change, based e.g. on auditing and sampling techniques [or vertical slice assessment of key risks], until delivery of the safety assessment report

402/2013

Slide n° 34

Independent CSM Assessment Body: WHAT is the result of the independent assessment?

The safety assessment report delivered to the Proposer contains at least:

(a) identification of the CSM assessment body;

(b) the independent safety assessment plan;

(c) definition of the scope and limitations of the independent safety assessment;

(d) results of the independent safety assessment, including in particular:

(1) detailed information on the independent safety assessment activities for checking compliance with the provisions of the CSM;

(2) any identified cases of non-compliance with the provisions of the CSM and the assessment body’s recommendations;

(e) conclusions on the compliance of the risk assessment and risk management with the CSM requirements and on their appropriateness to fulfil safely the intended objectives

The safety assessment report supports the Proposer in its decision to accept the change

It provides evidence to the NSA, in particular within the APIS of structural sub-systems, that the Proposer correctly applied the CSM process

It is useful for supervision activities of the Proposer’s Management System

402/2013

Slide n° 35

European (Railway) Legislation related to Market Opening: assurance of compliance with EU legislation - mutual trust/recognition

To avoid new assessments and new safety demonstrations for the same system, EU legislation introduces the concepts of:

Certification
(Independent) Conformity Assessment Body (CAB)
Mutual Recognition or Acceptance (XA)

A system or safety demonstration accepted in one MS or by one CAB must be cross-accepted in another MS or by another CAB if used under the same functional, operational and environmental conditions

Duplication of conformity assessments by different CABs involved in a project shall be avoided unless a CAB demonstrates the existence of a substantial safety risk

Conformity assessment bodies: NSAs, NoBos, DeBos, ECM Certification Bodies, CSM Assessment Bodies, National Accreditation Bodies & Recognition Bodies

Monitoring of experience is expected to build trust between MS & between CABs

Slide n° 36

Independent CSM Assessment Body: WHAT is the interaction with other Conformity Assessment Bodies?

[Figure: all risks identified with the CSM for risk assessment are covered by TSIs (NoBo), National Rules (DeBo) and other measures (CSM AB)]

Safety demonstration by the proposer/applicant + NSA authorisation based on evidence of:

Safe integration [CSM AB]

Check of technical compatibility

Compliance with TSIs [NoBo] & National Rules (law) [DeBo]

CSM AB: check of correct application of the CSM and of suitability of results from the risk assessment

DeBo: check of conformity with national rules applicable to the structural sub-system

NoBo: check of conformity with TSI requirements applicable to the structural sub-system

Duplication of independent assessment work between different Conformity Assessment Bodies involved in a project shall be avoided

402/2013

Slide n° 37

Roles and responsibilities of the CSM Assessment Body for the placing in service authorisation of vehicles - safe integration

[Figure: three-step table, reconstructed here as a list]

STEP 1 - Responsibilities of the Applicant: design, construct, install, test & demonstrate safe integration within the vehicle
Conformity with TSI: check by NoBo
Conformity with NNR: check by DeBo
RA according to CSM: check by CSM Assessment Body
Technical compatibility and safe integration within the vehicle (use of CSM for RA)
Technical File containing all Operational & Maintenance Requirements linked to the design
NSA Authorisation for placing in service

STEP 2 - Responsibilities of the Railway Undertaking: check technical compatibility and demonstrate safe integration within the Route
Conformity with infrastructure register (RINF): check by RU
Conformity with NNR: check by RU
SMS update according to CSM for RA: check by CSM Assessment Body
Technical compatibility and safe integration within the Route (use of CSM for RA)
RU decision of placing in service

STEP 3 - Responsibilities of RU & ECM: Operation & Maintenance according to the Technical File
Operation according to RU SMS
Maintenance according to ECM System of Maintenance
Supervision by NSA [Art 16(2)(f)]
Surveillance by ECM Cert Body
Update of SMS
Return of experience

Slide n° 38

Independent CSM Assessment Body: WHAT specific criteria and requirements shall the CSM Assessment Body fulfil?

Full compliance with the ISO/IEC 17020:2012 standard, which contains general criteria for "independence, competence, integrity and impartiality“

The following specific competences:

(a) competence in risk management, including knowledge and experience of standard safety analysis techniques and of relevant risk assessment and risk management standards;

(b) all relevant technical competence for assessing the change under assessment and its safe integration into the railway system;

(c) competence in checking the correct application of safety and quality management systems or in auditing management systems.

This is crucial since the CSM AB is not required to check all activities and details of the risk assessment and risk management done by the proposer

402/2013

Slide n° 39

Independent CSM Assessment Body WHAT can be the areas of competence of the CSM Assessment Body?

By analogy with Article 28 of Directive 2008/57/EC concerning NoBos, the CSM Assessment Body may be competent in different areas of the railway system, or in parts of it for which an essential safety requirement exists, including competence in operation and maintenance. Possible examples of classifications could be:

(a) infrastructure;

(b) energy;

(c) control command and signalling;

(d) rolling stock;

(e) braking components;

(f) operation, maintenance and traffic management;

(g) overall consistency and system approach (system level);

(h) specific engineering disciplines such as embedded real-time systems, telecommunications, hardware, software, human factor, …

(i) etc.

402/2013

Slide n° 40

Independent CSM Assessment Body WHAT can be the areas of competence of the CSM Assessment Body?

A particular competence is needed to assess the overall consistency of risk management and the safe integration of the system under assessment into the railway system as a whole. This specific competence includes the ability of the CSM AB to check:

(j) the organisation or arrangements put in place by the proposer to ensure a coordinated approach to achieving system safety through a uniform understanding and application of risk control measures for its composing sub systems;

(k) the methodology for the evaluation of the methods and resources deployed by various stakeholders to support safety at both the sub-system and system levels; and

(l) the technical aspects necessary for assessing the relevance and completeness of risk assessments and the level of safety for the system as a whole.

The CSM assessment body may be accredited or recognised for one, several or all of the areas of competence

402/2013

Slide n° 41

Independent CSM Assessment Body: relaxed criteria where mutual recognition is not necessary

Article 12 - “Where the risk assessment for a significant change is not to be mutually recognised, the proposer shall appoint an assessment body meeting at least the competency, independency and impartiality requirements of Annex II. The other requirements of paragraph 1 in Annex II may be relaxed in agreement with the national safety authority in a non-discriminatory way.”

Accreditation or recognition enables mutual recognition.

Article 12 is an exception to those rules and principles. It is foreseen for national purposes only, when mutual recognition is not needed and where an accredited or recognised CSM AB is not acceptable from an economic point of view.

Example: changes affecting only the domestic market, where international trains would never operate

Article 12 is to be used with precautions and in duly justified cases.

402/2013

Slide n° 42

Independent CSM Assessment Body: relaxed criteria where mutual recognition is not necessary

Article 12 does not list the criteria and requirements that could be relaxed.

It neither prescribes the process to be used nor the actor who should check fulfilment of the relaxed criteria. There are no requirements for surveillance.

The independent safety assessment report of an assessment body accepted under Article 12 cannot benefit from the mutual recognition granted to an accredited or recognised CSM AB

Article 12 is not intended to be used as the normal and standard way of acknowledging the independence, integrity, impartiality and competence of a CSM AB

Article 12 does not support the opening of the European railway market. Article 12 should be used exceptionally and in duly justified cases

Whenever Article 12 is used, for transparency reasons, the independent safety assessment report of the CSM AB should clearly list the criteria and requirements of Annex II of the CSM for risk assessment that are relaxed.

402/2013

Slide n° 43

CSM for risk assessment: Roles & Responsibilities of the Proposer and of the CSM Assessment Body

The Proposer is responsible for the application of the CSM for risk assessment and for documenting/justifying its decisions and the results of the risk assessment

When the change is significant, the Proposer shall appoint an Assessment Body

The CSM Assessment Body provides the Proposer with a Safety Assessment Report

The Proposer is responsible for determining if and how to take into account the conclusions of the safety assessment report for the safety acceptance of the change

The Proposer shall justify and document the part(s) of the safety assessment report with which it may disagree with the Assessment Body

Article 16: Declaration by the Proposer

Based on the results of the application of the CSM and on the safety assessment report provided by the assessment body, the Proposer shall produce a written declaration that all identified hazards and associated risks are controlled to an acceptable level

402/2013

Slide n° 44

CSM for risk assessment: mutual recognition by the NSA/NoBo of the Safety Assessment Report

When the change is significant, in the scope of authorisation for placing in service of structural sub-systems, the NSA shall accept the Proposer’s Declaration … the NSA may not request additional checks or risk analyses unless it is able to demonstrate the existence of a substantial safety risk

When a TSI requires application of the CSM for risk assessment, if the Proposer has contracted an Assessment Body to check compliance with the CSM, the NoBo shall accept the Proposer’s Declaration … unless it justifies and documents its doubts concerning the assumptions made or the appropriateness of the results

402/2013

Slide n° 45

Independent CSM Assessment Body: provision of information to ERA – roles of ERA

To enable ERA to keep its databases up to date:

Member States (MS) shall inform ERA of their national accreditation body and/or recognition body or recognition bodies, as well as of the assessment bodies they recognised directly in conformity with Article 9(1)(a)

The National Accreditation Body shall inform ERA of the assessment bodies accredited, as well as of the areas of competence from Annex II for which those assessment bodies are accredited

The Recognition Body shall inform ERA of the assessment bodies recognised, as well as of the areas of competence from Annex II for which those assessment bodies are recognised

MS, NAB and Recognition Bodies shall also notify any changes within one month so that ERA can make this information publicly available.

402/2013

Slide n° 46

1. Concept of mutual recognition in scope of CSM

2. Concepts and requirements contained in Regulation 352/2009 and OTIF UTP GEN-G of 1.5.2012:

3. General criteria in Annex II

4. Role of CSM assessment body

5. Who can be CSM assessment body?

6. Relationship between CSM assessment body and CENELEC ISA

7. When is a CSM assessment body required?

8. Who appoints the CSM assessment body?

9. Specific criteria and requirements to be fulfilled

10. Areas of competence

11. Use of external sub-contractors by CSM assessment body

12. Justification of use of ISO/IEC 17020:2012 standard

Additional information on CSM Assessment Body: ERA/OTIF paper on CSM Assessment Body coming soon on ERA web page

Slide n° 47

13. Basis for trust in work of CSM Assessment Body: accreditation and recognition

14. Benefits of allowing use of recognition

15. Work of CSM assessment bodies EU wide and in OTIF Contracting States

16. Relaxed criteria and requirements of Article 12

17. Freedom for a MS to have or not a CSM assessment body in the country

18. Where to find the list of accredited and recognised CSM assessment bodies?

19. When should the CSM assessment body start its work?

20. When does CSM assessment body finish its work?

21. How is independent assessment to be done by CSM assessment body?

22. What is content of safety assessment report?

23. Are judgments and conclusions of CSM assessment body binding for proposer?

24. What are the interactions between the CSM assessment body and the other conformity assessment bodies [NoBo, DeBo, NSA]?

Additional information on CSM Assessment Body: ERA/OTIF paper on CSM Assessment Body coming soon on ERA web page

Slide n° 48

Latest amendments of CSM for risk assessment

CSM Design Targets (CSM DT) (Regulation 2015/1136)

Slide n° 49

Scope of RAC-TS – CSM for risk assessment: needed in explicit risk estimation

[Diagram of the CSM risk management process, with explicit risk estimation highlighted. Main flow: Preliminary System Definition; Significant Change? (justify and document the decision); System Definition; Risk Assessment, consisting of Risk Analysis (Hazard Identification and Classification, then one of the risk acceptance principles: Codes of Practice, Similar Reference Systems, Explicit Risk Estimation) and Risk Evaluation (vs. Risk Acceptance Criteria); Safety Requirements (i.e. the safety measures to be implemented); Demonstration of Compliance with Safety Requirements. Hazard Management and Independent Assessment accompany the whole process. Explicit Risk Estimation detail: identification of scenarios and associated safety measures; estimate frequency; estimate severity; estimate risk (quantitative or qualitative); comparison with criteria; Acceptable Risk? yes/no; explicit quantitative or qualitative RAC required.]

Harmonized safety requirements for design of E/E/PE Technical Systems (TS)

Used in 3rd risk acceptance principle (Explicit risk estimation) to permit Mutual Recognition of Risk Assessments of TS

To avoid confusion with other RAC, RAC-TS was renamed to CSM-DT

2015/1136

Slide n° 50

Objectives of setting up CSM-DT for technical systems: development costs proportionate to the risks arising from failures of TS

For the sustainability of EU railways, and to permit safe competition of railways with other modes of transport, it is important that the development costs of TS are proportionate to the risk associated with their failure

TS shall be safe enough, but shall not be safer than actually needed, because they would then be more expensive

It is thus important to be able to distinguish, for technical systems, between:

failures that may result in high-consequence accidents not limited to one area of the train, i.e. catastrophic accidents affecting many people [examples: train collisions and derailments, failure of all train doors]; and

failures that may result in less severe accidents limited to one area of the train, i.e. accidents affecting a reasonably small number of people [example: unintended opening of an individual train door]

2015/1136

Slide n° 51

2.5.5. Where hazards arise as a result of failures of functions of a technical system, … the following harmonised design targets shall apply to those failures:

(a) where a failure has a credible potential to lead directly to a catastrophic accident, the associated risk does not have to be reduced further if the frequency of the failure of the function has been demonstrated to be highly improbable

(b) where a failure has a credible potential to lead directly to a critical accident, the associated risk does not have to be reduced further if the frequency of the failure of the function has been demonstrated to be improbable

The choice between these definitions shall result from the most credible unsafe consequence of the failure.

CSM DT for technical systems in Regulation 2015/1136 amending Regulation 402/2013

2015/1136

Slide n° 52

New definitions in Article 3 of Regulation 402/2013

(23) ‘catastrophic accident’ means an accident typically affecting a large number of people and resulting in multiple fatalities;

(35) ‘critical accident’ means an accident typically affecting a very small number of people and resulting in at least one fatality;

(37) ‘highly improbable’ means an occurrence of a failure at a frequency less than or equal to 10^-9 per operating hour;

(38) ‘improbable’ means an occurrence of a failure at a frequency less than or equal to 10^-7 per operating hour;

Definitions associated to CSM-DT

Considering only one fatality would impose more severe requirements on railways

Aviation uses: “Serious or fatal injury to a relatively small number of the occupants other than the flight crew”
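To show how point 2.5.5 combines with the Article 3 definitions in practice, here is a small Python check added for this transcript (not part of the presentation or of any ERA tool). It applies the two harmonised targets to a list of function failures, treats the boundary value as acceptable ("less than or equal to"), and flags consequence classes that CSM-DT does not cover; the failure names and rates are constructed.

```python
import math
from dataclasses import dataclass

# Harmonised design targets from Regulation 2015/1136, Article 3 (37)/(38):
# maximum tolerable frequency of failure of the function, per operating hour.
CSM_DT = {
    "catastrophic": 1e-9,  # "highly improbable"
    "critical": 1e-7,      # "improbable"
}

@dataclass(frozen=True)
class FunctionFailure:
    name: str
    most_credible_consequence: str  # "catastrophic", "critical" or another class
    failure_rate_per_hour: float    # demonstrated frequency, per operating hour

def csm_dt_verdict(failure: FunctionFailure) -> str:
    """Apply point 2.5.5 to one failure of a technical-system function.

    "no_further_reduction": frequency at or below the harmonised target.
    "reduce_risk":          frequency above the target; more measures needed.
    "outside_csm_dt":       no harmonised target for this consequence class
                            (e.g. light injuries); another RAC must be used.
    """
    rate = failure.failure_rate_per_hour
    if not math.isfinite(rate) or rate < 0:
        raise ValueError(f"{failure.name}: invalid failure rate {rate!r}")
    target = CSM_DT.get(failure.most_credible_consequence)
    if target is None:
        return "outside_csm_dt"
    # The definitions read "less than or equal to", so the boundary passes.
    return "no_further_reduction" if rate <= target else "reduce_risk"

def group_by_verdict(failures) -> dict:
    """Group failures by verdict so the proposer sees what still needs work."""
    grouped = {"no_further_reduction": [], "reduce_risk": [], "outside_csm_dt": []}
    for f in failures:
        grouped[csm_dt_verdict(f)].append(f.name)
    return grouped

# Constructed sample inputs (illustrative names and rates, not real data).
SAMPLE = [
    FunctionFailure("failure leading to derailment", "catastrophic", 1e-9),
    FunctionFailure("failure of all train doors", "catastrophic", 5e-8),
    FunctionFailure("unintended opening of one door", "critical", 5e-8),
    FunctionFailure("failure causing light injuries", "light_injury", 1e-4),
]

if __name__ == "__main__":
    for verdict, names in group_by_verdict(SAMPLE).items():
        print(f"{verdict}: {names}")
```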

2015/1136

Slide n° 53


CSM-DT are based on existing standards, national legislation and national rules

Directive 2004/49 recognises that safety levels in the Community rail system are generally high and that those existing safety levels shall be maintained

[Diagram: Existing Technical Systems (requirements currently defined in existing standards, national legislation or national rules; safety levels currently achieved judged to be generally high) → return of experience and use of statistics from accidents involving technical systems → set up CSM-DT → Design of future Technical Systems as a function of the CSM-DT (F(x), x = CSM-DT).]

2015/1136

Slide n° 54

Compared to the requirements currently defined in existing standards, national legislation or national rules for the design of existing railway TS, the proposed CSM-DT:

are usable for electrical, electronic and programmable electronic TS design

neither decrease safety performance nor increase development costs

are estimated by the representative bodies and the majority of workshop participants to correspond to present reality, experience and practice in railways, i.e. CSM-DT fit railway needs (although 2 NSAs ask for more validation)

no evidence validates the possibility to quantify failures of purely mechanical and purely pneumatic technical systems

a harmonised CSM-DT for the light injury category is not needed

The proposed CSM-DT are similar to the aviation ones: similar requirements for similar consequences of TS failures [10^-9 and 10^-7 per flight hour / per operating hour], where [all occupants] or [a relatively small number of occupants] CAN BE affected

2015/1136

CSM-DT are based on existing standards, national legislation and national rules

Slide n° 55

AVIATION

Catastrophic FC (failure condition) resulting in multiple fatalities, usually with loss of the aeroplane (thus impacting all occupants): ≤ 10^-9 per flight hour [extremely improbable FC]

Hazardous FC reducing the capability of the aeroplane (large reduction in safety margins, physical distress or excessive workload on the crew) and impacting a relatively small number of occupants: ≤ 10^-7 per flight hour [extremely remote FC]

Major FC: ≤ 10^-5 per flight hour [remote]

Minor FC: ≤ 10^-3 per flight hour [probable]

Use of Design Targets in Aviation (Ref. AC/AMJ N° 25.1309): similarities with Railways and CSM-DT

RAILWAYS

Failures of functions that may affect the whole train (i.e. all occupants) and result in fatalities: ≤ 10^-9 per operating hour [≈ catastrophic consequences]

Failures of functions that may affect a limited area of the train (thus a relatively small number of occupants) and result in at least one fatality: ≤ 10^-7 per operating hour [≈ critical consequences]

Light injuries: ≤ 10^-5 per operating hour [≈ major consequences]; not included in the amendment of 402/2013

Both domains also use EQUIVALENT PROCESSES for safety assessment, HW & SW development, verification & validation, and management of systematic failures

2015/1136

Slide n° 56

Many thanks for your attention!

E-mail: [email protected]