Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment. Slide n 1

Transcription

1 Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment Slide n 1

2 Objectives & Organisation of the CSM Dissemination Workshop Slide n 2

3 Purpose of the workshop: Purpose and Organisation of the workshop Explain to concerned actors of the railway sector the risk assessment and risk management process defined in the Commission Regulation (EC) N 352/2009 Steps for the workshop: 1 st Step: transmit a pre-workshop questionnaire to all participants 2 nd Step: collect answers to that pre-workshop questionnaire to orientate the workshop to specific needs of the visited Member States 3 rd Step: visit to Member States and presentation of CSM process Presentation of CSM process split into an INTRODUCTION + 6 Modules (see next slides) Slide n 3

4 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Annex III(2)(g) of SD] (7) (2) (3) (4) (6) (5) For presentation purposes, CSM Process split into 7 topics (see questionnaire) (1) Introduction Modular Presentation (2) What is a significant change? (3) Hazard Identification phase; (4) Risk analysis and evaluation (5) Hazard Management and Hazard Records; (6) Demonstration of system compliance with the safety requirements (7) Independent assessment of correct application of CSM Process by an Assessment Body Slide n 4

5 Presentation by the Agency of each module Time sharing of the two days of the workshop Explanation of the requirements in the CSM Regulation (theory) Presentation of the application of those CSM requirements to practical examples (concrete cases of risk assessment) Relevant QUESTIONS from the participants on the presented module & ANSWERS by the Agency End of 1 st day & end of module presentation on 2 nd day, all actors of same Member State asked to meet for internal discussions among representatives of the MS (Brainstorming) followed by a session of Questions/Answers (Debriefing) Slide n 5

6 Inputs from the participants of the workshop Pre-workshop Questionnaire and Presentations of RA examples In order to tailor CSM dissemination to specific expectations of visited Member States, Agency sends to participants via their NSA a pre-workshop QUESTIONNAIRE : Purpose: enable the Agency to collect any useful information (e.g. real case examples, existing ways to fulfill CSM requirements, etc.) from railway sector in the relevant Member States and thus to improve the exchange of ideas and points of view during the dissemination exercise. For the success of the workshop, it is important that the participants answer to the questionnaire. Presentation by the participants (having sent examples) of real case examples of risk assessment accompanied by a discussion of differences vs. CSM Process and explanation by Agency of the requirements in the CSM linked to those differences Slide n 6

7 Overall outputs of the CSM dissemination exercise 1 st step: via both the pre-workshop questionnaire and the 8 CSM dissemination workshops collect railway sector experience and feedback on risk assessment, their ideas and suggestions for improving CSM Regulation and/or associated guides 2 nd step: continue CSM dissemination exercise by a review of and feedback based on real case examples of changes to railway system where CSM process is applied (coordination with NSA) 2011: use results from dissemination workshops + from review of real case examples (i.e. 2 nd step of CSM dissemination) for writing a report on experience with application of CSM on Risk Assessment. This report is to be submitted to the Commission by end of It is aimed to serve as a basis for improving CSM Regulation and/or the associated guides for application of CSM Slide n 7

8 Number of workshops When Group Group composition (Member State) Location June DK FI NO SE Stockholm September AT CH DE SL Maribor October CZ HU PL SK Prague November BE FR LU Amiens February BG EL RO Sofia March NL IE UK Utrecht April IT PT ES Madrid May EE LV LT Riga Concluding Seminar N/A All EU Member States Agency Slide n 8

9 European Railway Agency Presentation of the team involved in the dissemination ERA Team involved in dissemination of CSM on risk assessment: Karen DAVIES (Safety Certification Sector in SU of ERA) Nathalie DUQUENNE (Safety Assessment Sector in SU of ERA) Maria ANTOVA (Safety Assessment Sector in SU of ERA) Thierry BREYNE (Head of Safety Assessment Sector in SU of ERA) Christophe CASSIR (Safety Assessment Sector in SU of ERA) Dragan JOVICIC (Safety Assessment Sector in SU of ERA) Slide n 9

10 Time schedule for CSM dissemination workshop Slide n 10

11 1 st day: 10:00 to 18:00 09:00 10:00: Welcome Time schedule for CSM dissemination workshop 1 st day of workshop 10:00 10:45: Opening of Workshop & Introductory Presentations 10:45 11:00: Coffee Break 11:00 12:30: Significant Changes 12:30 13:30: Lunch Break 13:30 14:30: Hazard Identification 14:30 15:45: Risk Analysis and Evaluation + Examples from participants 15:45 16:00: Coffee Break 16:00 16:30: Hazard Record 16:30 17:15: Internal discussions among representatives of each MS 17:15 18:00: Questions/discussion and feedback from those discussions Slide n 11

12 Time schedule for CSM dissemination workshop 2 nd day of workshop 2 nd day: 10:00 to 16:00 09:30 10:45: Demonstration of system compliance with safety requirements 10:45 11:00: Coffee Break 11:30 12:30: Assessment Body 12:30 13:30: Lunch Break 13:30 14:00: Internal discussions among representatives of each MS 14:00 14:30: Questions/discussion and feedback from those discussions 14:30 14:45: Coffee Break 14:45 15:45: Presentation of examples: Presentations by participants of examples communicated to ERA before the workshop 15:45 16:00: Conclusions and close out of the workshop Slide n 12

13 (1) Introduction Slide n 13

14 1 - Introduction Content of presentation A. Role of the European Railway Agency B. Overview of the Commission Regulation on CSM on Risk Assessment C. Guides for the application of the CSM Regulation D. 6 Detailed Presentations for different steps in CSM Process E. First Example for CSM Application: operational change F. Second Example for CSM Application: organisational change G. Third example for CSM Application: change of a technical system Slide n 14

15 A. Role of the European Railway Agency Slide n 15

16 The objectives of the European Union are to open the railway market to competition for the rail transport services and the railway supply industry!... to make railways business oriented and competitive! need for technical harmonisation (interoperability)... to prevent the sector from using safety as a barrier to market access or an excuse to resist change! Some cornerstones in EC law for achieving those goals : Separation of former vertically integrated railway companies into IM s and RU s Moving the railways from self-regulation to regulation by public authorities Introducing a framework for entry into the market for railway undertakings (licensing and safety certification) Maintaining at least, and increasing when reasonably practicable, existing level of safety and creating a basis for mutual trust through the development of common approaches to safety, taking into account competitiveness of railways Transparency of safety data and CSI, definition of CST and CSM Slide n 16

17 Need for support at Community Level establishment of the European Railway Agency The technical harmonisation (interoperability) and the development of CSTs, CSMs and CSIs as well as the need to facilitate progress towards a common approach to railway safety requires technical support at Community level the European Railway Agency (ERA) was therefore set up with the aim of helping to create this integrated railway area by establishing a European approach to railway safety (Safety Directive 2004/49/EC) and interoperability (Interoperability Directive 2008/57/EC ) Slide n 17

18 Main tasks of European Railway Agency Interoperability (TSI s) and Harmonised approach to Safety Develop economically viable common technical specifications (TSI s), including unique ERTMS signalling solution, and Develop harmonised approaches to safety the Agency: issues recommendations concerning CSTs, CSMs, CSIs and further harmonisation measures/processes monitors the development of railway safety in the Community To take this forward, the Agency is working closely with railway sector stakeholders, national authorities and other concerned parties, as well as with the European institutions All of the Agency s work is aimed at facilitating the growth and development of freight and passenger traffic by harmonising safety processes, technical procedures and reducing delays caused by incompatible national systems Slide n 18

19 A Role of the European Railway Agency Legal basis for the Agency s work The Agency s tasks and, hence, its organisational structure are based on mainly three components Regulation (EC) N 881/2004 (Agency Regulation) European Directives European Directives (Railway European Safety Directives Directive, (Railway Safety Directive, (Railway Interoperability Safety Directives, ) Directive, Interoperability Directives, ) Interoperability Directives, ) ERA Work Programme (annually adopted by the Administrative Board) Slide n 19

20 A Role of the European Railway Agency Organisation Chart of the Agency Slide n 20

21 A Role of the European Railway Agency Agency Tasks (1/3) Agency is System Authority Steering ERTMS activities, seeking for operational harmonisation, ensuring change control management Technical Specifications for Interoperability (TSIs) Operational Interoperability (TSI OPE, Vocational Competences, 1520-System, etc.) Economic Studies for European funded infrastructure projects Impact Analyses for the operational Units Equivalence of national rules with basic parameters in TSIs Processes of placing vehicles into service and their alignment with the Interoperability Directive Slide n 21

22 A Role of the European Railway Agency Agency Tasks (2/3) Safety Regulation Validation and registration of the notifications of national safety rules, including an analysis of their mode of publication Technical advice on new national safety rules and on safety-related aspects Safety Reporting Elaboration of common safety indicators as well as monitoring and analysis of the development of safety on Europe s railways, including dissemination of information Common methods and approaches to accident investigation Safety Certification Common Safety Method for Conformity Assessment Development of a migration strategy towards a single Community certificate Certification Scheme for the Entity in Charge of Maintenance Slide n 22

23 A Role of the European Railway Agency Agency Tasks (3/3) Safety Assessment CSM for risk assessment CSM on monitoring Methodology for calculating and assessing the achievement of safety targets for EU Member States Definition, for each Member State, of their respective safety targets including their assessment Horizontal Activities Support to the national safety authorities and investigating bodies to facilitate their exchange of information and harmonisation of decision making criteria by setting up networks and task forces Public databases of safety related documents such as safety certificates, licences, national safety rules, investigation reports and indicators Slide n 23

24 The Agency is controlled by an Administrative Board and has some binding principles for its work The Administrative Board A Role of the European Railway Agency Governance and Control 1 representative per Member State 4 Commission representatives 6 representatives of sector organisations (railway undertakings, infrastructure managers, railway industry, trade unions, passengers, freight customers) no voting rights Norway and Iceland no voting rights The Working Principles Budgetary and financial control with regular evaluation of all work Transparency and public access to documents Neutrality and impartiality Slide n 24

25 A Role of the European Railway Agency Involvement of the Railway Sector Article 3 of Agency Regulation (EC) N 881/2004 obliges Agency to set up working groups according to tasks given in regulation and by Agency Work Programme. Sector Associations are asked to send experts to participate and contribute. Sector organisations acting at European level*: UNIFE, CER, EIM, UITP, UIP, UIRR, ERFA, ETF, ALE Railway Sector Experts Working Party Working Party Agency Network of National Safety Authorities National Safety Authorities experts Working Party Network of National Investigation Bodies * List established by Article 21 Committee on 22 February 2005 Slide n 25

26 No decision power for the Agency. The Agency gives recommendations to the Commission and technical opinions upon specific request! A Role of the European Railway Agency Decision Process (Commitology) Adoption Parliament Scrutiny European Railway Agency Working Party (CER, EIM, UNIFE, NSA,...) NSA Network Internal reconcilement Commission / RISC Social Partners Passengers/ Customers Agency Recommendation Slide n 26

27 B. Overview of the Commission Regulation Slide n 27

28 B Overview of Commission Regulation Status Sept 05 : Kick off meeting of the CSM WG (15 NSA, 5 CER, 2 EIM, 3UNIFE, 1 UITP) Work program of the WG ERA 2006 : Survey and inputs from CSM WG members 2007 : o CSM recommendation drafted by the Agency with support of a dedicated TF Reviews by the WG. o Consultation of the social partners o Dec 07 : ERA recommendation to the EC Slide n 28

29 2008 : B Overview of Commission Regulation Status o Discussion within the RISC and dedicated workshop organised by the EC (technical support from the Agency) ERA o Positive opinion of the RISC in November : o Scrutiny of the EU parliament o Publication of the EC regulation (n 352/2009) in the OJ (L108) of the 24 April 09 o Dissemination by the Agency Slide n 29

30 Terminology Terms in CSM Regulation Terms in CENELEC Safety Directive 2004/49 EN Infrastructure Manager (IM) Railway Undertaking (RU) Railway Authority National Safety Authority (NSA) Safety Regulatory Authority Supplier/ Manufacturing Industry Railway Support Industry Slide n 30

31 B Overview of Commission Regulation Link of CSM to Article 9 in Safety Directive 2004/49/EC Article 9 requires that "IM and RU shall establish their SMS..." Basic elements of SMS in Annex III of Safety Directive 2004/49/EC One of the SMS processes in Annex III Annex III(2)(d): "Procedures and methods for carrying out risk evaluation and implementing risk control measures whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations" RU and IM SMS will thus achieve the compliance with the procedures and methods required by the associated "conformity assessment criteria" [developed by ERA Safe Certification Sector ] by referring to the CSM on Risk Assessment Slide n 31

32 B Overview of Commission Regulation Link of CSM to Article 15 in Interoperability Directive 2008/57/EC Article 15 requires among others that before authorising "the placing into service of those structural subsystems constituting the rail system which are located or operated in its territory", "in particular" the Member State "shall check": "the technical compatibility of these subsystems with the system into which they are being integrated", "the safe integration of these subsystems in accordance with Articles 4(3) and 6(3) of Directive 2004/49/EC". Article 4(3) of Directive 2004/49/EC: "Member States shall ensure that the responsibility for the safe operation of the railway system and the control of risks associated with it is laid upon the infrastructure managers and railway undertakings,..." "Without prejudice to civil liability in accordance with the legal requirements of the Member States, each infrastructure manager and railway undertaking shall be made responsible for its part of the system and its safe operation," Article 6(3)(a) of SD referred to also in Articles 23(5) and 25(4) of ID Article 6(3)(a) of Directive 2004/49/EC: "The CSMs shall describe how the safety level, and the achievement of safety targets and compliance with other safety requirements, are assessed by elaborating and defining risk evaluation and assessment methods" Slide n 32

33 B Overview of Commission Regulation Strategy for developing CSM based on existing methods in EU Two main considerations taken into account for developing 1 st Set of CSM Harmonise a common approach for safety assessments based on existing safety assessment methods in EU. Therefore: As Railway Sector already has a strong safety culture, freedom is left to each organisation to use its already approved Risk Assessment Methods/Tools/Techniques CSM provide Common Principles but do not fix the Tools (e.g. FTA, FMECA) CSM privilege the use of standards and reference systems Advice of Risk Assessment tools done in a guideline developed alongside the CSM Railway being organised into RU & IM, all activities at the interfaces between the different actors must be managed carefully Clear identification of the different actors responsibilities Facilitate mutual recognition of results from risk assessments. This requires harmonisation of: risk management process; exchange of safety related information between actors for managing the safety across the different interfaces; evidence resulting from application of risk management process Slide n 33

34 B Overview of Commission Regulation WHO shall apply the CSMs? Proposer The risk management process described in the CSM shall be applied by the person in charge of implementing the change under assessment. This person is referred to in CSM Regulation as the "proposer". The proposer can be one of the following actors: (a) the Railway Undertakings and Infrastructure Managers in the framework of the risk control measures they have to implement in accordance with Article 4 of the Safety Directive 2004/49/EC; (b) the contracting entities or the manufacturers when they invite a notified body to apply the "EC" verification procedure in accordance with Article 18(1) of the Interoperability Directive 2008/57/EC or the applicant of an authorisation for placing in service of vehicles; Where necessary, the proposer shall ensure, through contractual arrangements, that suppliers and service providers, including their subcontractors, participate in the risk management process described in the CSM. Slide n 34

35 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Ax III(2)(g) of SD] Basically CSM is an iterative process made of 3 steps: (a) (b) (c) Identification of hazards, associated safety measures and resulting safety requirements Risk analysis and risk evaluation based on exiting risk acceptance principles Demonstration of the system compliance with the identified safety requirements Additional requirements for mutual recognition: (a) (b) B Overview of Commission Regulation Risk Management Process and Independent Assessment Hazard Management Independent Assessment (Assessment Body) Preliminary System Definition Codes of Practice Significant Change? SYSTEM DEFINITION² HAZARD IDENTIFICATION AND CLASSIFICATION Similar Reference Systems RISK ASSESSMENT RISK ANALYSIS RISK EVALUATION (vs. Risk Acceptance Criteria) Explicit Risk Estimation Safety Requirements (i.e. safety measures to be implemented) Demonstration of Compliance with Safety Requirements Iterative Risk Management Process triggered by a Significant Change Slide n 35

36 B Overview of Commission Regulation Entry into force CSM Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union; CSM Regulation shall apply in two steps: (a) from 19 July 2010 (1) to all significant changes affecting vehicles, as defined in Article 2(c) of Directive 2008/57/EC; (2) to all significant changes concerning structural sub-systems, where required by Article 15(1) of Directive 2008/57/EC or by a TSI; (b) from 1 July 2012 to the whole scope as referred to in Article 5(1) of CSM Regulation, i.e. to other technical systems, operational and organisational changes considered to be significant by application of paragraph 2 in Article 4 of CSM Regulation; In order to gain experience and enable the Agency to get a feed back for reviewing the CSM at latest at the end of 2011, the actors of the railway sector should apply the CSM Regulation on a voluntary basis to other changes (technical, operational and organisational) from 1 July 2010); CSM Regulation shall not apply to systems and changes that are at an advanced stage of development, as defined in Directive 2008/57/EC, at the date of entry into force of the Regulation [Article 2(4) in CSM Regulation]. Slide n 36

37 C. Guides for the application of the CSM Regulation Slide n 37

38 C - Guides for the application of the CSM Regulation How was it elaborated? During the elaboration of the CSM Recommendation, ERA worked in parallel on a "Guidance for Use" for supporting the CSM Recommendation; Inputs for the "CSM Guidance for Use" [purely informative and not legally binding] were collected during CSM WG and CSM TF meetings, where members asked to describe further in the "Guidance for Use" requirements that could not be detailed a lot of in a legal text; According to those requests, as well as to questions raised within internal ERA meetings, ERA elaborated initial "Guidance for Use" and updated it vs. different versions of the Agency CSM recommendation and Commission Regulation; ERA regularly reported the progress on guidance for use to CSM WG during the plenary meetings; Based on content of "Guidance for Use", CSM WG and ERA agreed then to split the "Guidance of Use" into two new separate documents: 1 st document: "Guide for the Application of the Commission Regulation on CSM on Risk Assessment" 2 nd document: "Collection of Examples of Risk Assessments and some possible Tools supporting the CSM" Slide n 38

39 C - Guides for the application of the CSM Regulation Complementarities between Guide and Collection of RA examples [GUIDE] Provides general comments and explanations that could not be put in the legal text. ERA has taken care not to introduce any new requirement via the document that is not already identified in the CSM Regulation; [Guide] is more static and would not be modified unless the CSM process needs to be updated; [COLLECTION OF EXAMPLES] Provides additional information (e.g. reference to standards or possible ways to address the requirements of the CSM) and examples of risk assessments performed in the railway sector before the existence of the CSM; Document offers the possibility to be updated with first implementations of CSM process and any useful tools and techniques, or examples of RA, that could help other actors to apply the CSM; Structure of both document mapped on the regulation; Slide n 39

40 EC Regulation Guide C - Guides for the application of the CSM Regulation Complementarities between Guide and Standards Collection of Examples EC Regulation Guide Current Situation Future Situation Slide n 40

41 D. 6 Detailed Presentations for different steps in CSM Process Slide n 41

42 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Annex III(2)(g) of SD] (7) (2) (3) (4) (6) (5) D. Detailed Presentation of CSM Process Go through different steps of CSM Process For presentation purposes, CSM Process split into 7 topics (see questionnaire) (1) Introduction (2) What is a significant change? (3) Hazard Identification phase; (4) Risk analysis and evaluation (5) Hazard Management and Hazard Records; (6) Demonstration of system compliance with the safety requirements (7) Independent assessment of correct application of CSM Process by an Assessment Body Slide n 42

43 F. 1 st example for CSM Application - Operational Change Driver only operated train 1 st example: operational change - System Definition RU has decided to operate trains with Driver alone (Driver Only Operated train DOO) on a route where previously there was an onboard guard to assist the driver with the train dispatching Description of existing system: explain clearly which tasks were performed by driver and which other ones were carried out by onboard staff (or guard) to assist the driver Description of change of driver's responsibilities due to removal of onboard assisting staff, e.g. door closing before train departure Definition of additional technical requirements for system to cover needed changes in Driver Only Operation Describe existing interfaces between onboard assisting staff, train driver and trackside staff of infrastructure manager Slide n 43

44 G. 2 nd example for CSM Application - Organisational Change Outsourcing of a maintenance branch of an IM 2 nd example: organisational change - System Definition A branch of an IM organisation, that was performing until the change some maintenance activities (other than signalling and telematic), had to be put in competition with other companies working in same field Direct impact: need for downsizing and redistribution of staff and tasks within detached branch of IM organisation put in competition description of tasks performed by existing organisation (i.e. by IM organisation before making the change) description of changes planned in IM organisation to cope with subcontractors management the interfaces of "branch to be detached" with other surrounding organisations or with physical environment were only briefly described. The boundaries were not 100 % clearly presented Slide n 44

45 G. 2 nd example for CSM Application - Organisational Change Outsourcing of a maintenance branch of an IM 2 nd example: organisational change Concerns for IM IM staff affected by change was in charge of emergency maintenance and repairs required by sudden errors on the infrastructure. Staff was also performing some planned or project based maintenance activities such as track packing, ballast cleaning, vegetation control IM considered these tasks critical for safety and punctuality of operation must be analysed in order to find right measures which ensure that situation does not deteriorate as many of staff in charge of safety matters were leaving the IM organisation to the outsourced company Same level of safety and train punctuality needed to be maintained during and after the change of the IM organisation Slide n 45

46 E. 3 rd example for CSM Application - Change to a Technical System Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system 3 rd example: Change to a Technical System - System Definition Existing technical system Movement Authority (MA) Extension of Movement Authority (MA) (2) Trackside Loop Release the signal (1) Intended Change Trackside Encoder Movement Authority (MA) GSM Extension of Movement Authority (MA) (2) Release the signal (1) Trackside Encoder Radio In-fill Controller/Modem Slide n 46

47 E. 3 rd example for CSM Application - Change to a Technical System Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system 3 rd example - System Definition: description of existing system: loop+trackside encoder whose function in CCS is to release signal R G on approach of a train when section behind the signal is released by preceding train description of change planned by the proposer and the manufacturer: replace trackside loop by Radio-Infill + Radio Controller + GSM to achieve same function Slide n 47

48 Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment (2) Significant Change Slide n 48

49 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Annex III(2)(g) of SD] (2) (3) (5) 2 Significant Change First Step in CSM Process For presentation purposes, CSM Process split into 7 topics (see questionnaire) (7) (4) (6) (1) Introduction (2) What is a significant change? (3) Hazard Identification phase; (4) Risk analysis and evaluation (5) Hazard Management and Hazard Records; (6) Demonstration of system compliance with the safety requirements (7) Independent assessment of correct application of CSM Process by an Assessment Body Slide n 49

50 2 Significant Change WHEN shall the CSMs be applied [Article 2]? INDEPENDENT ASSESSMENT HAZARD MANAGEMENT Applies to any change of the railway system in a Member State, as referred to in point (2)(d) of Annex III to Safety Directive 2004/49/EC, which is CONSIDERED TO BE SIGNIFICANT Annex III(2)(d): requires that RU/IM SMS has "procedures and methods for carrying out risk evaluation... whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations" Such changes may be of technical, operational or organisational nature. Preliminary Sits Definition Significant Change? i.e. must CSM be applied or not? RISK ASSESSMENT (I) Demonstration of Compliance with Safety Requirements (II) CSM shall be applied only to assess "predicatively" safety of significant changes of railway system in a MS CSM process needs not to be applied for non significant changes (III) Slide n 50

51 2 Significant Change WHAT is a significant change? NR (if any) or expert judgement based on criteria When notified national rules do not define what is significant change, Change proposer evaluates the significance of change based on expert's judgement and criteria in CSM 1 st check whether change safety related? 1) NOT safety-related not significant no CSM, but record decision ; 2) YES safety-related use other criteria to evaluate whether change significant Proposer should analyse all criteria and decide on their importance, but could take decision based on only one or some of them When no notified national rules, expert's judgement based on criteria Article 4 of CSM Regulation Safety Relevance No Is it safety related? C: Not significant (Record the decision) Yes Other criteria 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? No! Yes B: Not significant (Record and justify the decision) (PRA) Evaluate Σ of previous non significant changes A: Significant Change Triggers CSM application Slide n 51

52 2 Significant Change RU/IM SMS "Daily life" safety management The process of deciding change will be set out in the SMS Although for non significant safety related changes the decisions need to be recorded (could be an SMS process) Help the NSA in their supervisory role [e.g. preliminary risk analyses, risk analyses, justifications, arguments proportionate to the risk need to be documented] CSM Regulation does not require assessment body to check evaluation of significance Slide n 52

53 2 Significant Change - Discussions/Questions Use of criteria in CSM Regulation on some examples of changes Agency and taskforce of experts from railway sector analysed typical examples of borderline cases Analysis has shown that: it is not possible to identify harmonised thresholds or rules; it is not possible to provide an exhaustive list of significant changes; decisions are unlikely to be same for all proposers. Responsibility for decision is for proposer, who is responsible [in accordance with Article 4(3) of Railway Safety Directive 2004/49/EC] of safe operation and control of risks associated with their part of the system Feedback from the application of the CSM will help the Agency to decide whether a possible revision of criteria and process is needed Slide n 53

54 Application to practical examples Slide n 54

55 2 Significant Change Example of application of criteria on significant changes (1/2) Telephone message for controlling a level crossing Change: at a manually operated level crossing modify the way signalmen communicate the information about the direction of a coming train to the level crossing operator A Manual level crossing (LC) B Tone 1 sent by Operator A Tone 1 confirmation by Level Crossing Operator Tone 1 confirmation by Operator B Tone 2 confirmation by Operator A Tone 2 confirmation by Level Crossing Operator Tone 2 sent by Operator B Change: tone replaced by a vocal message and confirmed by both the other signalman and the level crossing Operator Slide n 55

56 Existing: train direction info in ringing tone. Change: old telephone obsolete replaced by digital telephone that has not ringing tone direction info by an operational procedure: signalman informs both level crossing operator and other signalman on direction of coming train; Information checked against timetable and acknowledged by both level crossing operator and other signalman. may suggest that change is not a significant; Some safety analysis or argument is anyway necessary to show that, for this safety critical task, replacing an old technical system by an operational procedure (with personnel crosschecking each other) would lead to a similar level of safety.; Ultimate question: would full CSM application (including hazard record, independent assessment, etc) bring any added value towards safe and efficient management of change? 2 Significant Change Example of application of criteria on significant changes (2/2) Telephone message for controlling a level crossing When no notified national rules, expert's judgement based on criteria Change Safety Relevance No Is it safety related? C: Not significant (Record the decision) Yes Other criteria 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? No Yes B: Not significant (Record and justify the decision) (PRA) A: Significant Change Triggers CSM application Slide n 56

57 2 Significant Change Operational Change Driver Only Operated Train (DOO) Change description : operate trains by the driver alone (DOO) on a route where previously there was an onboard guard to assist the driver with the train dispatching significant change (need to cover all questions) : Safety relevant? YES Completely different way of managing train service operation Low novelty? NO Driver s responsibility extended requiring new tasks Low complexity? NO Driver s errors could lead to catastrophic consequences Consequence: apply CSM Process Change: Driver Only Operation Significant Change Safety Relevance Is it safety related? Yes Other criteria 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? No Apply CSM Process Slide n 57

58 2 Significant Change Organisational Change Outsourcing of a maintenance branch of an IM Change description: outsource maintenance branch of an IM and put it in competition with other companies working in same field significant change (need to cover all questions) : Safety relevant? YES Downsizing, redistribution of staff and tasks same work with less staff Low novelty? NO Contractual relation and follow up Low complexity? NO New functions in IM remaining organisation to follow up subcontractor Easy monitoring? NO Not easy to check subcontractor efficiency Consequence: apply CSM Process Change: outsourcing of a maintenance branch of IM Significant Change Safety Relevance Is it safety related? Yes Other criteria 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? No Apply CSM Process Slide n 58

59 2 Significant Change - Change to a Technical System Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system Change description: replace a trackside loop located before a signal by a "radio infill + GSM " sub-system; significant change: (need to cover all questions) Change: Loop Radio-In-fill Safety Relevance Is it safety related? Safety relevant? YES The signal in front of the train could be released whereas preceding train still occupies the section Low novelty? NO New principles and technology for the manufacturer Yes Other criteria 1. low failure consequence? 2. low novelty? 3. low complexity? 4. easy monitoring? 5. high reversibility? 6. additionality (Σ non sign)? Low complexity? NO Change complex to carry out Consequence: apply CSM Process Significant Change No Apply CSM Process Slide n 59

60 Discussions/Questions Slide n 60

61 Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment (3) Hazard Identification Slide n 61

62 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Annex III(2)(g) of SD] (2) (3) (5) 3 Hazard Identification (2) Step in CSM Process For presentation purposes, CSM Process split into 7 topics (see questionnaire) (1) Introduction (7) (4) (6) (2) What is a significant change? (3) Hazard Identification phase; (4) Risk analysis and evaluation (5) Hazard Management and Hazard Records; (6) Demonstration of system compliance with the safety requirements (7) Independent assessment of correct application of CSM Process by an Assessment Body Slide n 62

63 3 Hazard Identification Why is it important? Hazard identification is the first step in the risk assessment process. The process needs to be re-iterated and completed until all reasonably foreseeable hazards have been correctly identified. It is important because if hazards are not identified, they will not be assessed and not covered in the risk management process. The correct identification of hazards facilitates the correct application of the risk acceptance principles. Slide n 63

64 3 Hazard Identification What are the first steps? In order to properly identify the hazards, the system definition will be important to specify functions and interfaces. It is necessary to look at hazards from all relevant contributors. THEN Modes of operation Different types of the system Systematically identify the hazards and the level of detail, taking into account: Human factors Environment Failure modes Safety relevant factors Slide n 64

65 3 Hazard Identification What level of detail is required? The level of the hazard identification should correspond to the scope of the significant change under study and the requirements for proving acceptable risk. This may involve several iterations in order to obtain the necessary level of detail to ensure that the correct decision is made on the necessary control measures. If a code of practice or reference system is used, the level of detail for which the hazards are defined need only to correspond to the level defined by the code of practice or reference system. Slide n 65

66 Hazard identifiication level and transfer Top level Hazard X 2 nd Level (causes) Sub-hazard Y - Controlled by reqs from CoP (e.g standard) - Owned by actor A (e.g. manufacturer) Sub-hazard Z - Controlled by reqs from explicit risk analysis - Owned by actor B (e.g. RU) Slide n 66

67 In order to correctly identify the hazards, a decision could be made as to whether they are broadly acceptable or not broadly acceptable This means: considering and reviewing all the reasonably foreseeable hazards classifying them according to the estimated risk arising from them This process ensures that the correct priority is assigned to each of the hazards enabling the right selection of the risk control measures The decision is based on expert judgement 3 Hazard Identification What is broadly acceptable? Broadly acceptable risks Nothing further required Registered in the Hazard record Not broadly acceptable Follow the risk Management process Slide n 67

68 3 Hazard Identification What is expert judgement Experience Competence Skills Knowledge An expert is competent to make decisions that are suitable and sufficient for the situation that the expert is performing The decision to label a hazard as broadly acceptable without further analysis is logged in the hazard record and will be reviewed by the ISA. Slide n 68

69 Application to practical examples Slide n 69

70 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT 3 Hazard Identification Operational Change Driver Only Operated Train (DOO) System Description: description of existing system: which tasks were performed by train driver and which other ones by onboard staff (or guard) to assist the driver; existing interfaces between onboard assisting staff, driver and trackside staff of Infrastructure Manager; change of driver's responsibilities due to removal of onboard assisting staff; the technical requirements of the overall system to cover changes in operation; Hazard Identification: [HAZOP] brainstorming by group of experts to find all hazards, with a relevant influence on risk brought on by removal of onboard assisting staff and additional tasks requested to the driver; drivers' and staff's representatives involved for their operational experience, IM representatives as infrastructure could also be affected, implying e.g. changes to stations (e.g. installation of mirrors/closed circuit TV at platforms); what could be key operational hazards at stations, on existing routes where driver was assisted from onboard or trackside staff (door opening, closure check, etc.) Slide n 70

71 What is a HAZOP? HAZOP-studies is a structured method for identification of risks invented in the chemistry industry. It uses keywords to reveal the possible response of the system or process to changes or to deviations from the desired response. The method is described in IEC The HAZOP is based on the principle that several experts with different backgrounds can interact and identify more problems when working together than when working separately and then combining their results. This brainstorming method stimulates creativity and generates ideas Slide n 71

72 What is a HAZOP? The HAZOP is a systematic process that examines the following topics: Intention, i.e. the expected functional behaviour of the system Deviations: starts from possible deviations from desired functional states Causes: for each deviation the reasons why the deviation should occur Consequences: the result of the deviation Hazard: the consequences, causing possible damage, injury or loss Measures: possibility to reduce the hazardous condition/behaviour The method needs: an educated leader (moderator/facilitator) to manage the session, good input information, documents of the system and processes. It is effective in finding risks, if properly conducted. For the critical functions/tasks/aspects, the method can be complemented by other systematic studies, e.g. by an FMECA (Failure, Mode, Effect and Criticality Analysis) Slide n 72

73 What is a HAZOP? Examples of guide/key words: No message/information or delayed message/information Message/information available when not expected False message False information Invalid message Etc. The guide/key words must be tailored to the system/item concerned, before starting a HAZOP study Slide n 73

74 3 Hazard Identification Parenthesis on the FMECA Hazard Analysis Tool System FMECA worksheet Compiled by : RAMS team System : Sub-system :... Mode of operation :... ISSUE N... Page... Id nr. Function Function Failure Mode Possible Failure Causes Subsystem effects System effects Failure Rate Severi ty Criticali ty Means of Detection Compensating Implemented Provisions Remarks Subsystem/Detailed FMECA worksheet Compiled by : RAMS team Id nr. Item FunctionComponent (s) Failure Mode System : Sub-system :... Indenture Level :... Mode of operation :... Possible Failure Causes Local effects Next higher level effects System effects Failure Rate Sev. Crit. Means of Detection ISSUE N...Page... Compensating Implemented Provisions Remar ks Slide n 74

75 3 Hazard Identification Parenthesis on the FMECA Hazard Analysis Tool Level of FMECA HAZOP Hazard Record System FMECA based on outputs of System Requirement Specifications Hazard Record Subsystem FMECA subsystems/components level based on Sub-system Requirement Specification Hazard Record Detailed FMECA Further decomposition of critical elements based on detailed design documents Hazard Record Slide n 75

76 IEC Parenthesis on the Fault Tree Analysis Method (FTA) Top-event hazard Logical AND Failure A1 Failure A2 Causes at the subsystem or component level Failure B1 Failure B2 Failure B3 Logical OR Intermediate event Not developed tree. Event with insufficient data Failure C1 Failure C2 Basic event with sufficient data Slide n 76

77 3 Hazard Identification Operational Change Driver Only Operated Train (DOO) Hazard Identification e.g. by HAZOP (Hazard and Operability studies) brainstorming by group of multidisciplinary experts with different backgrounds: safety experts from RU train drivers' and staff's representatives for their operational experience (onboard accompanying staff) IM representatives as the infrastructure could be also affected by the change, implying e.g. changes to stations (e.g. installation of mirrors/ closed circuit television [CCTV] at platforms) to help the Driver Trackside staff of IM Each of the identified hazards was assigned a level of severity of risk and consequences (high, medium, low) and the impact of the proposed change reviewed against them (increased, unchanged, decreased) risk Slide n 77

78 3 Hazard Identification Operational Change Driver Only Operated Train (DOO) Based on System Definition, brainstorming team scrutinised additional tasks to be performed by train driver, in order to identify all foreseeable hazards that might occur consecutively to removal of onboard assisting staff Particularly, hazard identification looked at what key operational hazards could be at stations, on existing routes where there was assistance from on board or trackside staff including the safe dispatch of the trains, specific issues related to the driver, the rolling stock (e.g. door opening/closure check), maintenance requirements, etc: Example of identified hazards during HAZOP (one way of proceeding): Train departure without closing doors passengers could fall down on to track Door opening on wrong side passengers could fall down on to track Door closing while passengers still getting onboard passengers could be caught between doors Slide n 78

79 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT 3 Hazard Identification Organisational Change Outsourcing of a maintenance branch of an IM System Description: description of tasks performed by existing IM organisation, and description of changes that are planned in this organisation. Description of interfaces of the "branch to be detached" with other surrounding organisations or with the physical environment Hazard Identification: brainstorming by group of experts to find all hazards, with a relevant influence on risk brought on by intended change. Hazard Classification: high, medium, low risk (Severity) and increased, unchanged, decreased risk (impact of change) compared to initial situation Slide n 79

80 3 Hazard Identification Organisational Change Outsourcing of a maintenance branch of an IM Hazard Identification done by HAZOP (Hazard and Operability studies) brainstorming by group of multidisciplinary experts with different backgrounds: safety experts from IM System engineers/experts Train drivers IM staff's representatives from maintenance department Etc. The HAZOP analysis went through a checklist method describing a list of hazards (unwanted events), causes of these, related consequences and frequencies (rough estimates) and the related actions that need to be taken to mitigate these risks. Interdependencies and interface between detached branch and rest of IM organisation were particularly examined Slide n 80

81 3 Hazard Identification Organisational Change Outsourcing of a maintenance branch of an IM Sample from Risk Analysis Unwanted event (Hazard) Cause Consequence Type of loss 1: Reduced motivation among employees remaining in Company. -Staff continuing to leave without stop. - Demotivated / worn out managers Missing colleagues, missing certain tasks Lack of loyalty knowing that the workplace is not going to stay Heavy workload Uncertainty Tasks not performed, increased build up of unperformed works. - Emergency maintenance instead of planned maintenance. Collective worker actions (calling in sick etc) Lack of trust in Company for the managers at IM Level Risk Responsible for finding safety measure Safety Measures Safety Higher New round of motivational work for the staff, to be performed in smaller groups Reallocation of funds so that Company gets meaningful tasks to perform More frequent inspections by track manager. Allocate funds to make sure that key staff stays throughout the process. Give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks. Etc... Slide n 81

82 Unwanted event (Hazard)² 10: Lack of competency in the performance of tasks 11: Uncertainty of roles and responsibilities in the interface between Company and IM 3 Hazard Identification Organisational Change Outsourcing of a maintenance branch of an IM Sample from Risk Analysis Cause Subcontractors of IM lacking skill, competency and quality control Different understandings of roles and responsibilities Track Manager responsible for accessible tracks, but not for the downsizing and can therefore not take this in to account when planning/ prioritizing work tasks. Track manager lacks overview of the competencies available in Company Coordination problems for the delivery when coordination responsibilities is transferred to the track manager Consequence Violation of safety rules. Increased accident frequency. Tasks not being performed or being performed twice. Lack of coordination of resources Type of loss Risk Responsible for finding safety measure Safety Measures Safety Higher Increased demand for documented competence. Systematic control of performed tasks Safety Higher Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces. Slide n 82

83 INDEPENDENT ASSESSMENT 3 Hazard Identification - Change to a Technical System Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system HAZARD MANAGEMENT System Description: existing system: "loop+encoder" and their functions in CCS. "Release signal on approach of a train when the section behind the signal (i.e. in front of the approaching train) becomes unoccupied"; change planned by proposer and manufacturer; functional and physical interfaces of loop with rest of system Hazard Identification: brainstorming by group of experts to identify hazards, with a relevant influence on risk brought on by intended change. Loop/Radio infill, releases signal risk provide too permissive MA to approaching train whereas preceding train still occupies section in front of the signal Note: Hazard Identification e.g. by HAZOP (Hazard and Operability studies). It is a brainstorming by group of multidisciplinary experts: safety experts from manufacturer and RU, train drivers, designers of trackside encoder and loop, experts in communication systems, etc. Slide n 83

84 3 Hazard Identification - Change to a Technical System Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system Example of identified hazards during the HAZOP (one way of proceeding): Loop & Radio infill shall achieve same function, i.e. release the signal R G on approach of a train when section behind the signal is released by preceding train Same top level hazard: provide too permissive MA to approaching train whereas preceding train still occupies section in front of the signal See next page sub-hazards Existing technical system Movement Authority (MA) Trackside Loop Trackside Encoder Extension of Movement Authority (MA) (2) Release the signal (1) Intended Change Movement Authority (MA) GSM Extension of Movement Authority (MA) (2) Release the signal (1) Trackside Encoder Radio In-fill Controller/Modem Slide n 84

85 3 Hazard Identification - Change to a Technical System Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system Example of identified hazards during HAZOP (one way of proceeding): Trackside encoder + loop Trackside encoder + Radio In-fill + GSM Sub-hazards of top hazard provide too permissive MA : transmission by hackers of unsafe information in the air gap since the "radio infill+gsm" is an open transmission sub-system delayed transmission or transmission of memorised data packets in the air gap (i.e. possibly unsafe) Systematic software errors in the additional equipment (gateway or Radio Controller) that interfaces with the unchanged Trackside encoder Etc. Slide n 85

86 Discussions/Questions Slide n 86

87 Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment (4) Risk Analysis and Evaluation Slide n 87

88 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Annex III(2)(g) of SD] (2) (3) (5) 4 Risk Analysis and Evaluation (3) Step in CSM Process For presentation purposes, CSM Process split into 7 topics (see questionnaire) (1) Introduction (7) (4) (6) (2) What is a significant change? (3) Hazard Identification phase; (4) Risk analysis and evaluation (5) Hazard Management and Hazard Records; (6) Demonstration of system compliance with the safety requirements (7) Independent assessment of correct application of CSM Process by an Assessment Body Slide n 88

89 INDEPENDENT ASSESSMENT HAZARD IDENTIFICATION AND CLASSIFICATION HAZARD MANAGEMENT 4 Risk Analysis and Evaluation WHEN? Focus risk assessment on most important hazards/risks Focus risk assessment on most important risks based on expert s judgment, during Hazard Identification need for hazard classification at least into: PRELIMINARY SYSTEM DEFINITION (A) (B) Substantial Change? YES SYSTEM DEFINITION (Scope, Functions, Interfaces, etc.) HAZARD IDENTIFICATION (What can happen? When? Where? How? Etc. HAZARD CLASSIFICATION (How critical?) RISK ASSESSMENT RISK ANALYSIS Hazards associated with broadly acceptable risks need not be analysed further but register in Hazard Record with justification to allow independent assessment (C) Broadly Acceptable? Risk NO YES Hazards associated with non broadly acceptable risks further risk analysis and evaluation required Slide n 89

90 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Ax III(2)(g) of SD] Risk acceptability of non broadly acceptable hazards evaluated by one or more 3 RAP: 1. application of codes of practice 2. comparison with similar Ref Syst 3. explicit risk estimation & RAC Proposer to: 1. demonstrate selected RAP adequately applied 2. check selected RAP used consistently Output: set of SR to implement + demonstrate achievement 4 Risk Analysis and Evaluation Principles? Hazard Control based on 3 Risk Acceptance Principles Preliminary System Definition Codes of Practice Significant Change? SYSTEM DEFINITION HAZARD IDENTIFICATION AND CLASSIFICATION Similar Reference Systems RISK ASSESSMENT RISK ANALYSIS Demonstration of Compliance with Safety Requirements CSM does not impose any order of priority between 3 RAP Explicit Risk Estimation RISK EVALUATION (vs. Risk Acceptance Criteria) Safety Requirements (i.e. safety measures to be implemented) Iterative Risk Management Process Slide n 90

91 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT 4 Risk Analysis and Evaluation WHO? Proposer decides on RAP to use Selection of Risk Acceptance Principle RISK ASSESSMENT RISK ANALYSIS Hazards associated with Significant Risks If no Notified National Rules, Proposer free to decide RAP to use for controlling hazards [flexibility] CODES OF PRACTICE Application of Codes of Practice SIMILAR REFERENCE SYSTEM(S) Similarity Analysis with Reference System(s) EXPLICIT RISK ESTIMATION Identification of Scenarios & associated Safety Measures Qualitative Safety Criteria? Quantitative AB shall refrain from imposing RAP to be used by proposer [challenge proposer] (I) (II) Estimate Frequency Estimate Risk Estimate Severity (III) Whatever RAP used must adequately applied + link RAP-hazard recorded (XA) NO Comparison with Criteria Acceptable Risk? NO Comparison with Criteria Acceptable Risk? NO RISK EVALUATION Comparison with Criteria Acceptable Risk? (I) CoP (e.g. Anerkannte Regeln der Technik); e.g. TSI, EN standards, NNR, etc. (compatible with rule based approaches) YES YES YES (II) Similar Reference Systems (e.g. GAME) Safety Requirements (i.e. the Safety Measures to be implemented) Demonstration of Compliance with the Safety Requirements (III)Explicit Risk Estimation (could be quantitative or qualitative) Slide n 91

92 4 Risk Analysis and Evaluation Use of codes of practice (CoP) and risk evaluation (1/3) CoP shall at least satisfy following requirements: (a) be widely acknowledged in railway domain. If not the case, CoP have to be justified and be acceptable to assessment body. (b) be relevant for control of considered hazards in system under assessment. (c) be publicly available for all actors who want to use them. Examples of CoP: TSI and mandatory European standards; Notified National Safety and Technical Rules (technical standards or statutory documents) and if relevant non mandatory European standards; Provided conditions for CoP fulfilled, internal rules or standards issued by an actor of railway sector CoP from other fields (e.g. nuclear power, military and aviation) can also be applied for certain technical applications in railway systems provided demonstrated related CoP effective at controlling considered railway hazards Slide n 92

93 4 Risk Analysis and Evaluation Use of codes of practice (CoP) and risk evaluation (2/3) If conditions for CoP fulfilled, for hazards controlled by CoP: risks need not be analysed further risks considered IMPLICITLY as acceptable risk management process may be limited to: hazard identification. registration in Hazard Record of use of CoP as SR for those hazards (i.e. link CoP-Hazard) application of complete CSM Process, including: correct application of requirements from CoP documented evidences independent assessment of application of CoP Slide n 93

94 4 Risk Analysis and Evaluation Use of codes of practice (CoP) and risk evaluation (3/3) What to do when there are deviations from CoP and identified hazards cannot be controlled (completely) by CoP? Where an alternative approach is not fully compliant with CoP, proposer shall demonstrate that alternative approach taken leads to at least same level of safety If one or more conditions from CoP not fulfilled by system under assessment, related CoP can still be used for controlling hazards provided proposer demonstrates that at least same level of safety is achieved If for a hazard, the risk cannot be made acceptable by application of CoP, or if CoP does not sufficiently cover identified hazards (e.g. CoP not applicable to full range of hazards), additional safety measures shall be identified for controlling those hazard(s) by using either other CoP or one of other 2 RAP Slide n 94

95 4 Risk Analysis and Evaluation Use of Reference Systems (Ref Syst) and risk evaluation (1/2) Reference Systems shall at least satisfy following requirements: it has already been proven in-use to have an acceptable safety level and would still qualify for acceptance in Member State where change is to be introduced it has similar functions and interfaces as system under assessment it is used under similar operational conditions as system under assessment; it is used under similar environmental conditions as system under assessment Slide n 95

96 4 Risk Analysis and Evaluation Use of Reference Systems (Ref Syst) and risk evaluation (1/2) If conditions fulfilled, for hazards controlled by Reference Systems: risks considered IMPLICITLY as acceptable ( further risk analysis not required) safety requirements for hazards covered by Ref Syst may be derived from safety analyses or from an evaluation of safety records of Ref Syst Ref Syst still "qualifies for acceptance"? E.g. it can happen that safety performance of considered Ref Syst not appropriate for system under assessment because based on out of date technology (i.e. old fashioned technology). these safety requirements shall be registered in Hazard Record as safety requirements for the relevant hazards Slide n 96

97 4 Risk Analysis and Evaluation Use of Reference Systems (Ref Syst) and risk evaluation (2/2) What to do when there are deviations from Ref Syst and identified hazards cannot be controlled (completely) by Ref Syst? Risk evaluation shall demonstrate that system under assessment reaches at least same safety level as Ref Syst. Risks associated with hazards covered by Ref Syst shall then be considered as acceptable This may require also explicit risk estimation in order to show that level of risk is at least as good as that of Ref Syst If same safety level as reference system cannot be demonstrated (or if conditions not fulfilled), additional safety measures shall be identified for deviations, applying one of 2 other RAP Corresponding hazards need to be considered as deviations from Ref Syst. They become new inputs for a new loop in iterative CSM risk assessment process. Additional safety measures can be identified by applying one of other 2 RAP Slide n 97

98 4 Risk Analysis and Evaluation Use of explicit risk estimation and evaluation When hazards cannot be covered by CoP or Ref Syst risk acceptability demonstration performed by explicit risk estimation and evaluation Risks shall be estimated either quantitatively or qualitatively, taking into account the existing safety measures within the system E.g. Explicit risk estimation used when CoP or Ref Syst cannot be applied to control fully risk to an acceptable level. Could typically arise: when system being assessed entirely new or where there are deviations from a CoP or a Ref Syst, or when a design strategy chosen that does not allow use of CoP or similar Ref Syst because e.g. wish to produce a more cost effective design that has not been tried before When risk(s) controlled by explicit risk estimation are considered acceptable identified safety measures registered in Hazard Record Slide n 98

99 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT 4 Risk Analysis and Evaluation Use of explicit risk estimation and evaluation RISK ASSESSMENT Explicit risk estimation not necessarily RISK ANALYSIS Hazards associated with Significant Risks always quantitative. Can be: quantitative, if sufficient quantitative information available in terms of frequency of occurrence and severity, semi-quantitative, e.g. if such quantitative information not sufficiently available, or even qualitative, e.g. in terms of process for management of systematic errors/failures, when quantification is not possible If with the safety measures, estimated risk not acceptable, additional safety measures shall be identified and implemented in order to reduce risk to an acceptable level CODES OF PRACTICE Application of Codes of Practice NO Comparison with Criteria Acceptable Risk? YES SIMILAR REFERENCE SYSTEM(S) NO Selection of Risk Acceptance Principle Similarity Analysis with Reference System(s) Comparison with Criteria Acceptable Risk? YES Safety Requirements (i.e. the Safety Measures to be implemented) Demonstration of Compliance with the Safety Requirements EXPLICIT RISK ESTIMATION Identification of Scenarios & associated Safety Measures Qualitative Estimate Frequency NO Safety Criteria? Estimate Risk RISK EVALUATION Comparison with Criteria Acceptable Risk? YES Quantitative Estimate Severity Slide n 99

100 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT 4 Risk Analysis and Evaluation Use of explicit risk estimation and evaluation - RAC In order to evaluate whether risks are acceptable or not, risk acceptance criteria (RAC) are necessary. They can be either implicit or explicit: CODES OF PRACTICE Application of Codes of Practice Selection of Risk Acceptance Principle SIMILAR REFERENCE SYSTEM(S) Similarity Analysis with Reference System(s) RISK ASSESSMENT RISK ANALYSIS Hazards associated with Significant Risks EXPLICIT RISK ESTIMATION Identification of Scenarios & associated Safety Measures risks controlled by application of CoP and comparison with Ref Syst are considered IMPLICITLY acceptable implicit RAC Qualitative Estimate Frequency Safety Criteria? Estimate Risk Quantitative Estimate Severity whereas the acceptability of risk(s) controlled by application of explicit risk estimation requires explicit risk acceptance criteria (RAC) to be defined NO Comparison with Criteria Acceptable Risk? YES Implicit RAC NO Comparison with Criteria Acceptable Risk? YES Safety Requirements (i.e. the Safety Measures to be implemented) Demonstration of Compliance with the Safety Requirements NO RISK EVALUATION Comparison with Criteria Acceptable Risk? YES Harmonised Explicit RAC Slide n 100

101 4 Risk Analysis and Evaluation Use of explicit risk estimation and evaluation Level of RAC (Pyramid) RAC can be defined at different levels of railway system "pyramid of criteria : starting from high level RAC (expressed for instance as societal or individual risk) going down to sub-systems and components, covering technial systems and human operators during operation & maintenance activities of system & sub-systems RAC-TS Risk Profile Global Risk Acceptance Criteria: Societal Risk Individual Risk; etc. Other RAC Level of RAC needs match with importance and complexity of significant change: e.g. when modifying type of axle in RS, not necessary evaluate overall railway system risk. Definition of RAC can focus on rolling stock safety reciprocally, large changes or additions to existing system should not evaluate solely only safety performance of individual functions or changes. Change acceptability should be evaluated also at railway system level as a whole Slide n 101

102 4 Risk Analysis and Evaluation Use of explicit risk estimation and evaluation RAC-TS RAC-TS harmonised in CSM Regulation: Where hazards arise from failures of technical systems not covered by codes of practice or the use of a reference system, the following risk acceptance criterion shall apply for the design of the technical system: For technical systems where a functional failure has a credible direct potential for a catastrophic consequence, the associated risk does not have to be reduced further if the rate of that failure is less than or equal to 10-9 per operating hour. Nevertheless, if the applicant can demonstrate that the national safety level can be maintained with a less demanding criterion than the 10-9, this criterion can be used by the applicant after agreement with the assessment body Slide n 102

103 4 Risk Analysis and Evaluation Use of explicit risk estimation and evaluation RAC-TS RAC-TS harmonised in CSM Regulation (continuation): If a technical system is developed by applying the 10-9 criterion defined in paragraph 4, mutual recognition shall be applied according to section 5.3 Without prejudice to the procedure specified in Article 8 of Directive 2004/49/EC, a more demanding criterion may be requested, through a national rule, in order to maintain a national safety level. However, in the case of additional authorisations for placing in service of vehicles, the procedures of Articles 23 and 25 of Directive 2008/57/EC shall apply. Slide n 103

104 ²² Technical System Code of Practice or Reference System 4 Risk Analysis and Evaluation Use of explicit risk estimation and evaluation RAC-TS Considered Hazard for the Technical System Is the hazard controlled by a CoP or a Ref Syst? YES (e.g. TS is NOT a new nor innovative design) NO (e.g. TS is a new or innovative design) Apply Code of Practice or Reference System Credible potential for Catastrophic Consequence Is it likely that hazard can result in a catastr. conseq.? NO Use other RAC for technical systems that still need to be defined later on YES Direct Is catastr. conseq. a direct result of Techn. Syst. failure? NO (i.e. additional safety barriers can- not prevent the accident) Use RAC-TS as reference point, evaluate contribution/ efficiency of other additional safety barriers and derive safety requirements YES (i.e. no other safety barriers that could prevent the accident) Quantitative Requirement Process Requirement Apply a THR of 10-9 h -1 (SIL 4) for random hardware failures of TS Quantitative target evaluation must take into account for redundant systems the common components (e.g. common inputs, power supply, comparators, voters, etc.); It shall consider the dormant or latent failure detection times; A Common Cause/Mode Failure (CCF/CMF) analysis shall be done; Independent Assessment Apply a SIL 4 Process for management of systematic failures of TS Apply a QMP & SMP vs. SIL 4 relevant standards, e.g. EN for software, and for hardware EN , EN , EN , EN , EN EN , EN , EN , EN , etc. Independent Assessment Slide n 104

105 4 Risk Analysis and Evaluation Mutual Recognition CSM Regulation requires mutual recognition of risk assessment results Mutual recognition shall be based on evidences of fulfilment of harmonised requirements along steps of CSM Process Full CSM risk assessment process must be applied by Proposer: identification of hazard associated safety measures and resulting SR registration & management of hazards and safety measures in Hazard Record demonstration of system compliance with safety requirements document application of CSM Process all necessary evidence showing correct application accessible to Assessment Body. They shall at least include: description of organisation and experts put in place to carry out risk ass mnt results from steps of CSM Process, including list of SR to be implemented to control risk to acceptable level Independent assessment by AB conclusions is Assessment Report Change accepted by Proposer based on Independent Assessment Report Slide n 105

106 4 Risk Analysis and Evaluation Mutual Recognition Independent Assessment by AB on Deviations Assessment Bodies in other MS must apply mutual recognition on a system evaluated, assessed and accepted vs. CSM Process (prev. slide) system can be used in another MS provided Proposer demonstrates: System will be used under same functional, operational and environmental conditions than initially approved in related MS Equivalent RAC ( acceptable in new MS) applied for controlling identified hazards importance to link in Hazard Record [RAP-Hazard] If a condition not fulfilled, mutual recognition still possible but not automatical: Assessment Body apply principle of mutual recognition on part of system and risk assessment that fulfils conditions Proposer will have to identify deviations vs. already accepted system and apply CSM risk management & assessment process on identified deviations AB assess independently correct application of CSM Process on deviations Slide n 106

107 Application to practical examples Slide n 107

108 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT 4 Risk Analysis and Evaluation Operational Change Driver Only Operated Train (DOO) Use of Codes of Practice and Reference Systems: Both CoP (i.e. a set of standards for Driver Only Operation) and similar Ref Systems used to define safety requirements for identified hazards, such as: revised operational procedures for the driver that are required to operate safely the rains without onboard assistance; any additional equipment necessary onboard or on the track to ensure safe and reliable means of train dispatch; a checklist for ensuring that the driver's cab is suitable, taking into account the interface between the railway system (both onboard and trackside) and the driver Revision of the necessary operational rules in compliance with the requirements from the applicable codes of practice and the relevant reference systems. Slide n 108

109 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT 4 Risk Analysis and Evaluation Organisational Change Outsourcing of a maintenance branch of an IM Use of Ref System and Risk Evaluation + Explicit risk estimation and evaluation : System before change judged to have acceptable level of safety. It was thus used to derive Risk Acceptance Criteria for system under assessment, i.e. maintain at least the same level of safety and punctuality throughout the change process and after the change The HAZOP analysis went through a checklist method describing a list of hazards (unwanted events), causes of these, related consequences and frequencies (rough estimates) and the related actions that need to be taken to mitigate these risks. Interdependencies and interface between detached branch and rest of IM organisation were particularly examined Each hazard with increased risk was counterbalanced by appropriate identified risk reducing measures. The residual risk was compared against RAC to check whether other additional measures need to be identified. Slide n 109

110 4 Risk Analysis and Evaluation Organisational Change Outsourcing of a maintenance branch of an IM The Hazard and Risk Analysis was documented in a table describing the identified hazards, evaluating the severity and suggesting risk mitigation/ control measures (See in next slide risk analysis) The Risk Analysis table was mirrored within the Hazard Record/Log) See dedicated module in presentation. The Hazard Record includes additional information of who is responsible for implementing the measure, the time deadline for the implementation and also who is in charge of the verification of the implementation and of the efficiency of the identified measure(s) Indeed, for such organisational changes, the efficiency of the identified actions and decisions had to be monitored to verify whether they fully control the considered risk This is natural as it may be difficult to foresee and measure the exact result of a safety measure related to an organisational issue (such as training, motivated work for staff, etc.) and that the effects have to be followed up closely in a longer process where the analysis is continuously updated Slide n 110

111 4 Risk Analysis and Evaluation Organisational Change Outsourcing of a maintenance branch of an IM Therefore, the risk analysis and the hazard record/log were alive documents. The efficiency of decided actions was monitored at regular intervals to check if the conditions were changed and if the risk analysis and risk evaluation need to be updated. They were updated when actions were performed and hazards closed. A status field was updated to describe what actions were taken or were under the way to be taken If any circumstances changed compared to the initial context of the risk analysis, the risk analysis and hazard record/log had to be updated to ensure that hazard and risk were under control The hazards that could not be closed (as all the measures could not be implemented nor verified rapidly) were followed up. Their status was also monitored and rechecked on several occasions (and more dated status column added to the hazard record/log table) to verify that finally all the hazards will be closed Slide n 111

112 4 Risk Analysis and Evaluation Organisational Change Outsourcing of a maintenance branch of an IM Sample from Risk Analysis Unwanted event (Hazard) Cause Consequence Type of loss 1: Reduced motivation among employees remaining in Company. -Staff continuing to leave without stop. - Demotivated / worn out managers Missing colleagues, missing certain tasks Lack of loyalty knowing that the workplace is not going to stay Heavy workload Uncertainty Tasks not performed, increased build up of unperformed works. - Emergency maintenance instead of planned maintenance. Collective worker actions (calling in sick etc) Lack of trust in Company for the managers at IM Level Risk Responsible for finding safety measure Safety Measures Safety Higher New round of motivational work for the staff, to be performed in smaller groups Reallocation of funds so that Company gets meaningful tasks to perform More frequent inspections by track manager. Allocate funds to make sure that key staff stays throughout the process. Give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks. Etc... Slide n 112

113 Unwanted event (Hazard)² 10: Lack of competency in the performance of tasks 11: Uncertainty of roles and responsibilities in the interface between Company and IM 4 Risk Analysis and Evaluation Organisational Change Outsourcing of a maintenance branch of an IM Sample from Risk Analysis Cause Subcontractors of IM lacking skill, competency and quality control Different understandings of roles and responsibilities Track Manager responsible for accessible tracks, but not for the downsizing and can therefore not take this in to account when planning/ prioritizing work tasks. Track manager lacks overview of the competencies available in Company Coordination problems for the delivery when coordination responsibilities is transferred to the track manager Consequence Violation of safety rules. Increased accident frequency. Tasks not being performed or being performed twice. Lack of coordination of resources Type of loss Risk Responsible for finding safety measure Safety Measures Safety Higher Increased demand for documented competence. Systematic control of performed tasks Safety Higher Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces. Slide n 113

114 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT 4 Risk Analysis and Evaluation - Change to a Technical System Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system Use of Ref System and Risk Evaluation: System before the change (loop) judged to have acceptable level of safety for releasing signal aspect. It is used as a Ref Syst to derive the safety requirements for the radio-infill sub-system. Explicit Risk Estimation and Evaluation: analysis of deviation "Radio in-fill+gsm" vs. "Loop" sub-system See HAZID new hazards for "radio infill + GSM" sub-system: "radio infill+gsm" is an open transmission sub-system risk of transmission by hackers of unsafe information in air gap; delayed transmission or transmission of memorised data packets in Radio Infill chain. explicit risk estimation and use of RAC-TS for designing Radio Infill Controller part; Use of CoP and Risk Evaluation: EN for safety related communication in open transmission systems provides the safety requirements for controlling the new hazards to an acceptable level, e.g. "data encrypting and protection" + "message sequencing and time stamping"; use EN standard for the development of the Radio Infill Controller software ; Slide n 114

115 4 Risk Analysis and Evaluation - Change to a Technical System Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system Existing loop system ensures acceptable level of safety used as a Ref Syst, i.e. Radio In-fill + GSM system shall ensure same level of safety Explicit risk estimation used to identify differences between system under assessment (Radio In-fill + GSM) and Ref. Syst. (Trackside Encoder + Loop) Use explicit risk estimation and RAC-TS for designing Radio Infill Controller part SIL 4 Process for SW The new hazards identified for the deviations can be controlled by CoP For development of software of Radio Controller, use CENELEC Railway applications - Communication, signalling and processing systems Software for railway control and protection systems standard specifies for each SIL, levels of independence and process (including possible techniques for software V&V), that are required for design, verification and validation of software. Note: also requires Independent Safety Assessment whose independence depends on SW SIL Slide n 115

116 4 Risk Analysis and Evaluation - Change to a Technical System Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system For transmission in open-medium (air), use CENELEC Railway applications - Communication, signalling and processing systems - Part 2: Safety related communication in open transmission systems Example of hazards linked to transmissions in an open medium (airgap) Repetition of messages: due to a hardware failure the Radio In-fill repeats an old message possibly unsafe Deletion of messages: a message is deleted due to a hardware failure Insertion of messages: an authorised third party involuntary inserts a message, e.g. Radio In-fill of another trackside section Corruption of messages: a message is accidentally changed (e.g. EMI) to another formally correct message Masquerade: an unauthorised third party voluntary inserts a message Etc CoP provides measures for protecting against those hazards (e.g. CRC, time stamping, message sequencing, etc.). For more information see Slide n 116

117 Current Status of harmonisation of Risk Acceptance Criteria (RAC) Slide n 117

118 4 Risk Analysis and Evaluation Current Status of harmonisation of Risk Acceptance Criteria (RAC) General background RAC needed for the Explicit Risk Estimation principle RAC are implicit for two first principles (CoP and Ref Syst.) RAC developed to support mutual recognition, cross border traffic, opening of the market Different possible levels for RAC RAC-TS Risk Profile Global Risk Acceptance Criteria: Societal Risk Individual Risk; etc. Other RAC Slide n 118

119 4 Risk Analysis and Evaluation Current Status of harmonisation of Risk Acceptance Criteria (RAC) Main concepts of the RAC development Agreement to focus only on low level criteria Where mutual recognition is needed Where the proposer is in the condition to demonstrate it CST are developed for harmonising high level RAC Different types of low level RAC for technical systems. 1) Where the function is entirely covered by technical solutions 2) Where the function is covered by both a technical solution and a human action 3) Where the function is covered by human activities Slide n 119

120 4 Risk Analysis and Evaluation Current Status of harmonisation of Risk Acceptance Criteria (RAC) Design targets for technical systems (for the two first types) Risk matrix based on the RAC-TS (direct catastrophic consequence) decided Design Target for other failure consequences than catastrophic. Possibility to derive THR for technical system when the catastrophic consequence is not direct through the use of a barrier analysis (additional technical barriers, human barriers, reduction factors) Frequency of hazardous event Risk matrix Frequent Unacceptable Unacceptable Unacceptable Unacceptable Occasional Acceptable Unacceptable Unacceptable Unacceptable Rare Acceptable Acceptable Unacceptable Unacceptable Improbable Acceptable Acceptable Acceptable Unacceptable Incredible (10-9 per hour) The TF is developing an example for this. Acceptable Acceptable Acceptable Acceptable (RAC-TS) Insignificant Marginal Critical Catastrophic Collective impact capable of resulting in deaths and several severe injuries. The slope and definition of scale for frequency and consequence is under discussion. This general approach has been agreed on with SSMG Slide n 120

121 4 Risk Analysis and Evaluation Current Status of harmonisation of Risk Acceptance Criteria (RAC) Principles of redundancy for human activities Matrix applicable but : No evidence 10-9 h -1 can be used as starting point Wish to avoid the development of a complex methodology for human factor quantification. Work focussed on qualitative approach Close collaboration with SSMG SSMG position - Focus on the relevant redundancies and working conditions: It is mainly the relevant redundancies linked to certain failure modes that should be developed for now Working conditions covered by SMS Slide n 121

122 4 Risk Analysis and Evaluation Current Status of harmonisation of Risk Acceptance Criteria (RAC) All the proposed criteria should be seen as sufficient but not necessary as is the case for the RAC-TS. Compliance with RAC shall lead to mutual recognition Less demanding if proposer can demonstrate that it maintains the safety level. More demanding via NSR Slide n 122

123 4 Risk Analysis and Evaluation Current Status of harmonisation of Risk Acceptance Criteria (RAC) Steps in the near future: Definition of the minimum necessary set of consequences for which RAC will be necessary for technical system Elaborate further the concept of reduction factor Continue to develop a tool supporting the application of the matrix Continue to develop the principles applicable for accepting human actions/tasks redundancy Slide n 123

124 Discussions/Questions Slide n 124

125 Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment (5) Hazard Records Slide n 125

126 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Annex III(2)(g) of SD] (7) (2) (3) (4) (6) (5) 5 Hazard Record Managing the hazards For presentation purposes, CSM Process split into 7 topics (see questionnaire) (1) Introduction (2) What is a significant change? (3) Hazard Identification phase; (4) Risk analysis and evaluation (5) Hazard Management and Hazard Records; (6) Demonstration of system compliance with the safety requirements (7) Independent assessment of correct application of CSM Process by an Assessment Body Slide n 126

127 HAZARD MANAGEMENT [ANNEX III(2)(G) OF SD] 5 Hazard Record WHY are they needed? Hazard Records need to be created and updated by the proposer. Annex 1.4 of CSM Regulation. They are an important part of the hazard management process Hazard Risk Hazard Control Control They track the progress of the process identification of the hazard, the potential risk and how the risk needs to be controlled through the selected risk acceptance principles: Codes of practice Reference systems Risk estimation Risk Hazard Risk Hazard Risk Control Control Slide n 127

128 5 Hazard Record WHO is responsible? HAZARD MANAGEMENT [ANNEX III(2)(G) OF SD] If they are a number of actors involved in the project each may have responsibility for their part of the system under assessment. They will keep a record of the hazards for their part of the project. There should be one overall actor (proposer) who has responsibility for the main record which covers all the necessary elements of the system under assessment. It does not have to contain all the information from the actors involved, only the links and key safety related Exchange of information will be important if the hazard cannot be controlled by one actor alone Actor D Actor C Actor B Actor A Exchange of information Hazard Record for the system under assessment Slide n 128

129 5 Hazard Record What information should they contain? HAZARD MANAGEMENT [ANNEX III(2)(G) OF SD] All the hazards that the actor is responsible for, the associated safety measures, and the resulting safety requirements issued from the risk assessment process All the assumptions taken into account within the definition of the system under assessment. These assumptions determine the limits and the validity of the risk assessment All the hazards and the associated safety measures received from other actors in compliance with the project. These include all the assumptions and restrictions of use and generic product safety cases that are produced by the manufacturers The status of the hazards (i.e. controlled or open) and of the associated safety measures (i.e. validated or open) Note the level of detail required is related to the level of risk Slide n 129

130 5 Hazard Record When should they be updated? HAZARD MANAGEMENT [ANNEX III(2)(G) OF SD] Whenever: a new hazard is discovered or a new safety measure is identified a new hazard is identified during the operation and maintenance of the system after its commissioning, so that the hazard can be assessed in compliance with the CSM as to whether it represents a significant change (this will be part of the SMS Annex III (g)) it could be necessary to take into account accident and incident data there are changes to the safety requirements or the assumptions about the system Slide n 130

131 5 Hazard Record What are the links to the SMS? HAZARD MANAGEMENT [ANNEX III(2)(G) OF SD] RUs and IMs can use their procedures under their SMS Annex III(2)(g) of the RSD requires the SMS to contain procedures and formats for how safety information is to be documented and designation of procedure for configuration control of vital safety information The hazard record can therefore be part of the SMS for recording and managing risks that occur throughout the lifecycle of the equipment It does not have to be a separate process For other actors: No legal requirement But likely that they have a hazard management process Existing processes can be adapted Slide n 131

132 5 Hazard Record What are the benefits to the project? HAZARD MANAGEMENT [ANNEX III(2)(G) OF SD] Help map out and record the decision making process provide transparency and consistency Allow corrective actions to be taken promptly and quickly (link to SMS) Exchange of information allow for a number of players to contribute Evidence of continuing compliance - accountability Do not have to be complicated targeted on the key issues Slide n 132

133 Discussions/Questions Slide n 133

134 N HZD Used Risk Hazard Origin description Additional information Actor in charge Safety Measure Acceptance Principle 1 HAZOP report R X 2 HAZOP report R X Maximum speed of train set too high (Vmax) Braking curves (i.e. Movement Authority) in onboard sub-system configuratio n data too permissive Wrong specific configuration of the onboard sub-system (maintenance staff). Wrong Data Entry onboard (driver) The procedure for the specific configuration of the onboard sub-system depends on: the safety margins taken for the train braking system; the reaction delay of the train braking system (this one is directly dependent on the train length, especially for fret trains) 5 Hazard Record Partial Example of a Hazard Record/Log Table RU RU Define a procedure for the approval of the onboard subsystem configuration data; Define an operational procedure for Data Entry Process by the Driver Specify correctly the system requirements in the System Definition; Take sufficient safety margins for the braking system of the specific train Explicit Risk Estimation Explicit Risk Estimation Exported Yes Yes Status Controlled (exported to RU) Refer also to section C in Appendix C Controlled (exported to RU) Refer also to section C in Appendix C Slide n 134

135 5 Hazard Record Operational Change Driver Only Operated Train (DOO) For the railway undertakings the hazard management process was part of their safety management system for recording and managing risks. The identified hazards were registered in a hazard record (similar template as below) with the safety requirements controlling the associated risk, i.e. reference to additional onboard and trackside equipment as well as to the revised operational procedures. The revised procedures were monitored, and reviewed when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system N HZD 1 HAZOP report R X 2 HAZOP report R X Origin Hazard description Opening of doors risk of passenger fatality Failure of the CCTV driver cannot see the platform Cause Driver CCTV Additional information Driver error through lack of competence or seating position Vandalism Incorrect/insuffici ent maintenance Actor in charge RU IM Safety Measure Training Cab design Protection of the equipment Regular checks Used Risk Acceptance Principle Code of Practice Code of Practice Exported Partly No Status Partly closed Closed, measur es in place Slide n 135

136 5 Hazard Record Organisational Change Outsourcing of a maintenance branch of an IM Sample of Hazard Record Description Reduced motivation among employees remaining in Company -Staff continuing to leave without stop. - Demotivated / worn out managers Safety Measures New round of motivational work for the staff, to be performed in smaller groups Reallocation of funds so that Company gets meaningful tasks to perform More frequent inspections by track manager. Allocate funds to make sure that key staff stays throughout the process. Give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks. Etc... Implement -ation Coordinate d by IOP. Regions must look at measures to increase control of tracks, overlap of employees and follow up by line managers. Notes Increased inspections need to be included in the contracts. Etc... Company Manager Priority Safety/ Punctuality High/High Responsibility Deadline Performed date Responsi bi lity for verification Way of verification Date Status xx.xx.xx Change of conditions of circumstances have reduced this risk significantly Work environment analysis performed and some training of staff. Slide n 136

137 5 Hazard Record Organisational Change Outsourcing of a maintenance branch of an IM Sample of Hazard Record Description Subcon tractor s of the entre preneurs lacking skill, competency and quality control 11: Uncertainty of roles and responsibilities in the interface between Company and IM (Track manager). Safety Measures Increased demand for documented competence. Systematic control of performed tasks Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces. High/ Medium Medium/ Medium Implement -ation Notes IM must Imple men coordinate. ted by Regions contract must follow up. implement Input to measures revision for requiring planning. compe tence and con -trolling the work In each region separately Imple men ted by mainenance contract and the strategy plan for the reorganisation Regional directors Priority Safety/ Punctuality Responsibility Deadline Performed date Responsi bi lity for verification Safety manager Safety Manager Way of verification Date Status xx.xx.xx Increased focus on routines for control (2 operative controls per month and operative area) Regions have presented their strategy. Slide n 137

138 5 Hazard Record Organisational Change Outsourcing of a maintenance branch of an IM Sample of Hazard Record The Hazard and Risk Analysis was a table describing the identified hazards, evaluating the severity and suggesting risk mitigation/ control This information from the Risk Analysis table was mirrored within the Hazard Record/Log) which includes also additional information of who is responsible for implementing the measure, the time deadline for the implementation and also who is in charge of the verification of the implementation and the verification of the efficiency of the identified measure(s) Indeed, for such organisational changes, the efficiency of the identified actions and decisions had to be monitored to verify whether they fully control the considered risk This is natural as it may be difficult to foresee and measure the exact result of a safety measure related to an organisational issue (such as training, motivated work for staff, etc.) and that the effects have to be followed up closely in a longer process where the analysis is continuously updated Slide n 138

139 5 Hazard Record Organisational Change Outsourcing of a maintenance branch of an IM Sample of Hazard Record Therefore, the risk analysis and the hazard record/log were alive documents. The efficiency of decided actions was monitored at regular intervals to check if the conditions were changed and if the risk analysis and risk evaluation need to be updated. They were updated when actions were performed and hazards closed. A status field was updated to describe what actions were taken or were under the way to be taken If any circumstances changed compared to the initial context of the risk analysis, the risk analysis and hazard record/log had to be updated to ensure that hazard and risk were under control The hazards that could not be closed (as all the measures could not be implemented nor verified rapidly) were followed up. Their status was also monitored and rechecked on several occasions (and more dated status column added to the hazard record/log table) to verify that finally all the hazards will be closed Slide n 139

140 5 Hazard Record Replacement of a Trackside Loop by a Radio in-fill + GSM subsystem The identified hazards, the safety measures and the resulting safety requirements issued from the risk assessment and the application of the three risk acceptance principles were registered and managed in a hazard record using a similar form than the table below N HZD 1 HAZOP report R X 2 HAZOP report R X Origin Hazard description Cause Additional information Transmissio n of old and unsafe messages Opentransmission medium Radio in-fill controller hardware Radio in-fill controller software GSM Radio in-fill controller Hacker Dedicated standards available Used Risk Actor in charge Safety Measure Acceptance Principle Manufa -cturer Manufa -cturer Manufa -cturer RAC-TS for Radio In-fill design CENELEC 50128, CENELEC, Explicit risk estimation Code of Practice Code of Practice Exported Radio Infill subcontractor Radio Infill subcontractor Radio Infill subcontractor Status Closed Closed Closed Slide n 140

141 Time schedule for CSM dissemination workshop 2 nd day of workshop 2 nd day: 10:00 to 16:00 09:30 10:45: Demonstration of system compliance with safety requirements 10:45 11:00: Coffee Break 11:30 12:30: Assessment Body 12:30 13:30: Lunch Break 13:30 14:00: Internal discussions among representatives of each MS 14:00 14:30: Questions/discussion and feedback from those discussions 14:30 14:45: Coffee Break 14:45 15:45: Presentation of examples: Presentations by participants of examples communicated to ERA before the workshop 15:45 16:00: Conclusions and close out of the workshop Slide n 141

142 Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment (6) Demonstration of system compliance with the safety requirements Slide n 142

143 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Annex III(2)(g) of SD] (7) (2) (3) (4) (6) (5) 6 Demonstration of system compliance with safety requirements For presentation purposes, CSM Process split into 7 topics (see questionnaire) (1) Introduction (2) What is a significant change? (3) Hazard Identification phase; (4) Risk analysis and evaluation (5) Hazard Management and Hazard Records; (6) Demonstration of system compliance with the safety requirements (7) Independent assessment of correct application of CSM Process by an Assessment Body Slide n 143

144 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Ax III(2)(g) of SD] 6 Demonstration of system compliance with safety requirements Requirements in CSM Regulation [Chapter 3] Prior to safety acceptance of change, fulfilment of safety requirements to be demonstrated Preliminary System Definition Significant Change? RISK ASSESSMENT Demonstration under supervision of proposer SYSTEM DEFINITION RISK ANALYSIS But each actor responsible for the demonstration of safety requirements for its part of system Codes of Practice HAZARD IDENTIFICATION AND CLASSIFICATION Similar Reference Systems Explicit Risk Estimation Approach chosen for the compliance demonstration and demonstration to be independently assessed by AB RISK EVALUATION (vs. Risk Acceptance Criteria) Inadequacies of safety measures or new hazards discovered during demonstration to be reassessed vs. CSM Safety Requirements (i.e. safety measures to be implemented) Demonstration of Compliance with Safety Requirements Slide n 144

145 6 Demonstration of system compliance with safety requirements Purpose of demonstration INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Ax III(2)(g) of SD] CSM Process safety requirements expected to control identified hazards Preliminary System Definition Significant Change? RISK ASSESSMENT System developed against those safety requirements (for technical systems designed, validated and accepted) SYSTEM DEFINITION HAZARD IDENTIFICATION AND CLASSIFICATION RISK ANALYSIS Prior to acceptance of change need to demonstrate that: Codes of Practice Similar Reference Systems Explicit Risk Estimation 3 RAP correctly applied and actually control hazards to acceptable level therefore system actually compliant with specified safety requirements RISK EVALUATION (vs. Risk Acceptance Criteria) Safety Requirements (i.e. safety measures to be implemented) Demonstration of Compliance with Safety Requirements Slide n 145

146 Hazard Record 6 Demonstration of system compliance with safety requirements Proposer s Responsibility Other Actor s Responsibility Proposer has overall responsibility for coordinating and managing demonstration of compliance But each actor, including proposer where relevant, must demonstrate compliance of sub-system it is responsible for with : SR allocated to sub-system by proposer SR transferred to relevant actor by other actors via interfaces additional and internal SR from safety assessments and safety analyses done at sub-system level SYSTEM LEVEL All identified safety requirements (SR) Sub- System 1 Sub- System 2 Safety Requirements for SUB-SYSTEM From Proposer From other actors INTERFACES System Requirements for the Proposer Sub- System N To other sub-systems To other sub-systems To other sub-systems From Internal Risk Analyses Registered in Hazard Record Slide n 146

147 6 Demonstration of system compliance with safety requirements Interface Management Cooperation for Shared Risks (1/2) Separation of activities/functions between actors involved in development and operation of railway systems (RU s, IM s, contractors, etc.) can result in risks at interfaces Concerned actors shall cooperate for managing hazards at INTERFACES (shared risks) [Common understanding and agreement] Shared risks management shall be coordinated by Proposer (system view). Proposer allocates responsibilities to actors concerned by relevant interfaces Safety measures at interfaces to be transferred to right actors via Hazard Records Proposer responsible for CSM application as well as for integration of system under assessment (INTERFACE) into railway system as a whole Slide n 147

148 6 Demonstration of system compliance with safety requirements Interface Management Notifications to Proposer (2/2) Notification to Proposer of transferred measures and non-compliance of safety measures (SM) Proposer inform in turn actor responsible for SM Concerned actor shall inform all other actors affected (system under assessment + existing systems as far as known) Slide n 148

149 6 Demonstration of system compliance with safety requirements Sub-System Safety Analyses (1/4) To fulfil SR allocated to each sub-system, actor in charge shall carry out safety assessments and safety analyses to identify systematically: all reasonably foreseeable causes within the sub-system contributing to hazards at level of system under assessment safety measures, and resulting SR, at sub-system level expected to control these causes and associated risks to an acceptable level Register into Hazard Record all hazards actor must control + safety measures to be implemented by actor Causal Analyses are example of safety assessments and safety analyses at sub-system level. But other methods can also be used Slide n 149

150 6 Demonstration of system compliance with safety requirements Sub-System Safety Analyses (2/4) Example of Figure A.4 of EN : Definition of hazards with respect to the system boundary Cause (of a Hazard at System Level) Hazard (at Sub-System Level) Hazard (at System Level) Accident k Accident l Cause (of a Hazard at Sub- System Level) Sub-System Boundary System Boundary CAUSES CONSEQUENCES Causes of hazards at level of system under assessment may be considered as hazards at the sub-system level (with respect to sub-system boundary). Slide n 150

151 6 Demonstration of system compliance with safety requirements Sub-System Safety Analyses (3/4) CSM Process steps can be repeated at each lower level phase of CENELEC V-Cycle to derive safety measures and SR to fulfil by next phase: Hierarchical structuring Hazards-Causes vs. system & sub-systems Systematic Hazard Identification & Causal Analysis activities (or any relevant method) Systematic use of Hazard Records for registering and managing hazards and safety measures actor in charge Use of Codes of Practice, similar Reference Systems and Explicit Risk Estimation Derived sub-system SR need to be implemented and their fulfilment demonstrated by concerned actor NB: Proposer responsible to demonstrate compliance with safety requirements at system level Slide n 151

152 Hazard Record Level N 6 Demonstration of system compliance with safety requirements Sub-System Safety Analyses (4/4) Phase N-1 in CENELEC V-Cycle Safety Requirements for Phase N Phase N in CENELEC V-Cycle Phase N All identified safety requirements (SR) Safety Requirements for Phase N only Safety Measures in Phase N Phase N+1 Phase N+1 Phase N+1 Safety Requirements (i.e. safety measures to be implemented) Safety Requirements for Phase N+1 Phase N+1 in CENELEC V-Cycle Safety Measures in Phase N+1 Safety Requirements (i.e. safety measures to be implemented) Safety Requirements for Phase N+2 Safety Requirements for Level N+1 From Level N From other actors INTERFACES To other actors at level N+1 To other actors at To other level N+1 actors at level N+1 From Internal Risk Analyses Safety Requirements for Level N+2 + Hazard Record Slide n 152

153 6 Demonstration of system compliance with safety requirements Independent Assessment by Assessment Body INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Ax III(2)(g) of SD] Approach for demonstrating compliance with SR + demonstration itself independently assessed by AB If no contractual obligations or MS legal requirements, each actor free to appoint AB for part of system actor is in charge Preliminary System Definition Codes of Practice Significant Change? SYSTEM DEFINITION HAZARD IDENTIFICATION AND CLASSIFICATION Similar Reference Systems RISK ASSESSMENT RISK ANALYSIS Explicit Risk Estimation more than one AB can be involved in same project RISK EVALUATION (vs. Risk Acceptance Criteria) Proposer, with support of its AB, responsible for integrating different sub-systems and for coordinating different AB involved in the project Safety Requirements (i.e. safety measures to be implemented) Demonstration of Compliance with Safety Requirements Slide n 153

154 INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Ax III(2)(g) of SD] 6 Demonstration of system compliance with safety requirements New Iteration of CSM Process for detected non compliances Inadequacies of safety measures or new hazards discovered during demonstration to be reassessed vs. CSM E.g. choice of technical solution for design of system or sub-systems, not foreseen by SR, could create a new hazard Preliminary System Definition Codes of Practice Significant Change? SYSTEM DEFINITION HAZARD IDENTIFICATION AND CLASSIFICATION Similar Reference Systems RISK ASSESSMENT RISK ANALYSIS Explicit Risk Estimation New hazards registered in Hazard Record Deviations and/or new hazards considered as new inputs for a new loop in iterative risk assessment process RISK EVALUATION (vs. Risk Acceptance Criteria) Safety Requirements (i.e. safety measures to be implemented) Demonstration of Compliance with Safety Requirements Slide n 154

155 6 Demonstration of system compliance with safety requirements Correspondence between CSM and CENELEC INDEPENDENT ASSESSMENT HAZARD MANAGEMENT [Ax III(2)(g) of SD] Preliminary System Definition in CSM's Concept 1 System Definition & Application Conditions 2 CSM's for RISK ASSESSMENT BOX 1 BOX 3 Demonstration of Compliance with the Safety Requirements System Acceptance BOX 4 Performance Monitoring 10 Operation and 11 Maintenance 12 De-commissioning and Disposal 14 Risk Analysis 3 BOX 2 Modification and Retrofit 13 System Requirements 4 Safety Requirements Apportionment of System Requirements 5 System Validation (including Safety Acceptance and Commissioning) 9 Re-application of the CSM Preliminary System Definition Significant Change? SYSTEM DEFINITION RISK ASSESSMENT Design and Implementation 6 Installation 8 Codes of Practice RISK ANALYSIS HAZARD IDENTIFICATION AND CLASSIFICATION Similar Reference Systems Explicit EsRisk timation Manufacture 7 RISK EVALUATION (vs. Risk Acceptance Criteria) Safety Requirements (i.e. safety measures to be implemented) Demonstration of Compliance with Safety Requirements Slide n 155

156 Application to practical examples Slide n 156

157 INDEPENDENT ASSESSMENT 6 Demonstration of system compliance with safety requirements Operational change - Driver Only Operated Train (DOO) HAZARD MANAGEMENT Demonstration of the system compliance with safety requirements: system implemented vs. identified safety requirements (additional equipment and revised procedures to enable Driver s Only Operation) the revised operational procedures are then introduced in the RU safety management system the correct application by the Driver of the revised procedures, and their efficiency, is monitored and reviewed, when needed, to ensure that the identified hazards continue to be correctly controlled during the operation of the railway system, i.e. that the procedures and their application are appropriate to ensure a sufficient level of safety without onboard staff Slide n 157

158 INDEPENDENT ASSESSMENT 6 Demonstration of system compliance with safety requirements Organisational change - Outsourcing of a maintenance branch of an IM HAZARD MANAGEMENT Demonstration of the system compliance with safety requirements: Risk Analysis and Hazard Record show that hazards cannot be closed until they are verified and it is demonstrated that the safety requirements (i.e. selected safety measures) are implemented. Risk Analysis and Hazard Record are living documents. The efficiency of decided actions is monitored at regular intervals to check if the conditions are changed and if the Risk Analysis and Risk Evaluation need to be updated. Slide n 158

159 6 Demonstration of system compliance with safety requirements Outsourcing of a maintenance branch of an IM Sample of Hazard Record Description Reduced motivation among employees remaining in Company -Staff continuing to leave without stop. - Demotivated / worn out managers Safety Measures New round of motivational work for the staff, to be performed in smaller groups Reallocation of funds so that Company gets meaningful tasks to perform More frequent inspections by track manager. Allocate funds to make sure that key staff stays throughout the process. Give special attention to make sure that information and knowledge is transferred between leaving employees and those who take over the tasks. Etc... Implement -ation Coordinate d by IOP. Regions must look at measures to increase control of tracks, overlap of employees and follow up by line managers. Notes Increased inspections need to be included in the contracts. Etc... Company Manager Priority Safety/ Punctuality High/High Responsibility Deadline Performed date Responsi bi lity for verification Way of verification Date Status xx.xx.xx Change of conditions of circumstances have reduced this risk significantly Work environment analysis performed and some training of staff. Slide n 159

160 6 Demonstration of system compliance with safety requirements Outsourcing of a maintenance branch of an IM Sample of Hazard Record Description Subcon tractor s of the entre preneurs lacking skill, competency and quality control 11: Uncertainty of roles and responsibilities in the interface between Company and IM (Track manager). Safety Measures Increased demand for documented competence. Systematic control of performed tasks Define roles and responsibilities. Map all interfaces and define who is responsible for the interfaces. High/ Medium Medium/ Medium Implement -ation Notes IM must Imple men coordinate. ted by Regions contract must follow up. implement Input to measures revision for requiring planning. compe tence and con -trolling the work In each region separately Imple men ted by mainenance contract and the strategy plan for the reorganisation Regional directors Priority Safety/ Punctuality Responsibility Deadline Performed date Responsi bi lity for verification Safety manager Safety Manager Way of verification Date Status xx.xx.xx Increased focus on routines for control (2 operative controls per month and operative area) Regions have presented their strategy. Slide n 160

161 INDEPENDENT ASSESSMENT 6 Demonstration of system compliance with safety requirements Replacement of a Trackside Loop by a Radio in-fill + GSM sub-system HAZARD MANAGEMENT Demonstration of the system compliance with safety requirement: follow up of the implementation of the safety requirements through the development process of the "radio infill + GSM sub-system; verification that the system, as designed and installed, is compliant with the safety requirements. This includes follow-up during design and V&V of Radio In-fill of all requirements from CoP (CENELEC & for software of Radio In-fill) + demonstration of achievement of RAC-TS for random hardware failures of Radio In-fill sub-system Slide n 161

162 Discussions/Questions Slide n 162

163 Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment (7) Assessment Bodies Slide n 163

164 INDEPENDENT ASSESSMENT 7 Assessment Bodies Verifying the change HAZARD MANAGEMENT [Annex III(2)(g) of SD] An independent assessment of the complete risk management process undertaken by the proposer should be undertaken by an independent body to verify the change and the demonstration of compliance Slide n 164

165 INDEPENDENT ASSESSMENT 7 Assessment Bodies WHO act as assessment body? Independent and competent person, organisation or entity (Article 3(14)) Open to NSA, NOBO, External or In house ISA meeting criteria identified in the Annex II of the regulation BUT need to take into account the tasks allocated to NSA and NOBO in Directive 2004/49/EC and Directive 2008/57/EC Slide n 165

166 INDEPENDENT ASSESSMENT 7 Assessment Bodies WHY & WHEN are they needed? Support the proposer decision to accept significant changes by ensuring the correct application of the risk management process Support and facilitate the mutual recognition of the results of the application of the CSM on risk assessment Although it is not explicitly a requirement of the CSM, the assessment body should be involved early on in the project Slide n 166

167 INDEPENDENT ASSESSMENT 7 Assessment Bodies WHAT do they do? This will include: The system definition The hazard identification and risk analysis The risk evaluation The demonstration of compliance with the safety requirements, including the chosen approach They do not need to check the evaluation of the significance of the change The assessment body will provide the proposer with a Safety assessment report The report will: sets out their findings on the review of the risk management process confirm that the system under assessment meets the requirements and whether it can be used safely Slide n 167

168 INDEPENDENT ASSESSMENT 7 Assessment Bodies WHAT do they do? The report will : support to the proposer decision to accept the change provide evidences to the NSA that the proposer has correctly applied the CSM process, particularly if the change related to an authorisation to place into service structural sub systems be useful in any inspections that the NSA undertakes in relation to the SMS and the application of the CSM Slide n 168

169 INDEPENDENT ASSESSMENT 7 Assessment Bodies Interfaces The management of interfaces is key throughout the development of the project If more than one assessment body is involved the proposer will need to co-ordinate the activities of the bodies This can: help with interface management be useful before switching over from one step of the risk assessment to the next one Duplication of work in term of independent assessment shall be avoided Reports shall not be called into question Slide n 169

170 INDEPENDENT ASSESSMENT 7 Assessment Bodies What is the criteria for their selection? Independent from the design, manufacture, construction, marketing, operation or maintenance of the system Professional integrity Competent (skills, training, knowledge and experience) to perform the tasks required of them Civil liability insurance Commercial confidentiality Slide n 170

171 INDEPENDENT ASSESSMENT 7 Assessment Bodies Ongoing work from the Task Force Identified the interface between independent assessment, conformity assessment (for safety certification/authorisation and EC verification for sub-systems) No answer to the WHO? HOW? Expect to define a methodology for carrying out independent safety assessment Expect to define a scheme for the voluntary accreditation of Assessment Bodies or alternatively recognition by NSAs Timetable: First position paper on the role and responsibilities of Assessment Bodies by the end of the year Feed into the revision of the CSM on risk assessment planned in 2011 Slide n 171

172 Discussions/Questions Slide n 172

173 Dissemination of the Commission Regulation on Common Safety Methods (CSM) on Risk Evaluation and Risk Assessment (8) Conclusions Slide n 173

174 Many thanks for your attention! Slide n 174