CSM for risk assessment: Proactive decision making instrument
Consequences and benefits of latest changes
Safety Conference of Danish Transport and Construction Agency - Copenhagen, 28th October 2015
Dragan JOVICIC, European Railway Agency
Content

EU railway market opening and restructuring (historical background context of railways)

Place of the CSM for risk assessment within the risk based approach

Overview of harmonised methods for safety management and safety supervision

Overall presentation of the CSM for risk assessment and of its successive changes

Latest amendments of the CSM for risk assessment: CSM Design Targets (CSM DT)

Discussions – Questions & Answers
EU railway market opening and restructuring
Change of Roles & Responsibilities for management and supervision of railway safety
Reminder

Historically, every country used different technical solutions, operational rules, standards, safety cultures and approaches in terms of safety acceptance and safety management.

One state railway company in which all functions were integrated:
vehicle owner/keeper;
management of infrastructure;
operation of railway transport (passengers and freight);
planning, management and performance of maintenance activities;
etc.

The railway company was self-regulated, i.e. responsible for Regulation, Management and Supervision of a “safe operation” of railway transport.

International traffic: no legal obligations; made possible thanks to (voluntary) international or multilateral agreements.
EU railway transport policy and railway legislation

Open railway market to competition for rail transport services and railway supply industry:
Remove historical barriers to free circulation of trains and make railways business oriented and competitive.
Prevent sector from using safety as a barrier to market access or an excuse to resist change.

→ Technical Harmonisation (TSIs) & Common approaches for safety management
Common safety instruments for opening railway market

As many new railway players and interfaces are created, it is necessary to:
1) maintain at least the existing level of safety in the EU railways, and increase it when reasonably practicable;
2) create a basis for mutual trust.

EU railway legislation sets up a common approach for:
safety regulation,
safety management,
safety supervision,
in line with the "new Commission approach" for the creation of a single European railway market.
Common approach to safety within an open railway market

Safety Regulation: EU railway legislation defines “Roles & Responsibilities“ [RUs, IMs, Vehicle Keepers, ECMs, NSAs, Notified Bodies, Designated Bodies, Manufacturers and others] – WHO shall do WHAT?
Responsibility for safety of railway system put on those who OPERATE and MAINTAIN railways.

Safety Management: RUs, IMs must manage and monitor safely their activities through a Safety Management System; ECMs must manage and monitor maintenance activities through a “System of Maintenance”.

Safety Supervision: NSAs & other bodies (e.g. ECM Certification Body, NoBo, DeBo, etc.) guarantee RUs, IMs and ECMs comply with their obligations.
Harmonised thinking in terms of «risk» & «risk based approach»
Transition from different national practice towards an SMS approach

Existing national railway systems are usually based on use of rules and retrospective review of «bad experiences» from the past.

Directive 2004/49 requires to set up an SMS which shall «predict» what can happen and «prevent» it from happening instead of «reacting and fixing» unwanted events.

SMS introduces the concept of RISK MANAGEMENT which requires to LOOK both FORWARD and RETROSPECTIVELY.

→ only new element in SMS from existing national railway systems: develop a «predict and prevent» way of thinking.

In a “risk based approach” the key question is thus:
«What are the likely risks and the risk control measures I should put in place to manage safely my activities (my business)?»
Comparison of Proactive vs. Reactive approaches

Proactive approach (Predict & Prevent):
Competence and knowledge are used to control risks and then to prevent accidents.
No impact on the system and society.
Can effectively prevent the occurrence of events.

Reactive approach (React & Fix):
Accidents are used to prevent same accidents.
Costly with high impact on the system and society.
Unable to control unknown risks.
Place of the CSM for risk assessment within the risk based approach
Risk Management: links between CSM and SMS
Risk Management is a key process of the safety management system (SMS):
“The SMS … shall ensure the control of all risks associated with the activity of
the IM or RU, including the supply of maintenance and material and the use
of contractors…”
Directive 2004/49, Article 9(2)
The SMS organises the assessment and the management of risks
“procedures and methods for carrying out risk evaluation and implementing
risk control measures whenever a change of the operating conditions or new
material imposes new risks on the infrastructure or on operations;”
Directive 2004/49, Annex III – art.2 Basic elements (d)
The implementation of a Safety Management System requires the
application of the CSM for Risk Assessment
Building an SMS is a systematic review of "likely risks" linked to my operations and identification of "risk control measures"

Role of rules in SMS:
EU regulatory framework is not a conflict between Risk & Rule based approaches but a combination of both.
It is necessary to identify & understand how rules fit into the whole management system.
RU/IM SMS must consider not only National Rules but all rules necessary to deliver safely the operation.

[Diagram: SMS linking Risks, Processes, Procedures and Rules, with the questions: Why should I have a measure/procedure? How can I avoid or decrease the risk? What do I already have in place for that?]
Objective of SMS: keep "set rules" up to date

SMS is not an alternative to the existing set of safety related technical and operational rules. It is a structured way to apply them taking into account the risks related to the specific activities of the RU or IM.

SMS provides a structured framework (PLAN – DO – CHECK – ACT cycle) to ensure that:
1) PLAN: the company is designed (i.e. organised) to deliver safely the operation;
2) DO: the company actually deploys the operational and support processes;
3) CHECK: the company measures the effectiveness of the processes;
4) ACT/ADJUST: the company takes preventive or corrective measures on detection of non-compliances.
What is an SMS?

A documented and structured framework for safe management of all company activities.

Ensures appropriate processes, procedures and rules exist for controlling all company risks.

Enables identification of hazards and continuous management of risks related to the company activities, with the aim of preventing accidents.

Uses scientific "risk management" tools to support company managers in taking consciously decisions for their business.

[Diagram: SMS composed of Rules, Risk management, Processes and Procedures]
Overview of harmonised methods for safety management and safety supervision
European Railway Legislation
Safety Regulatory Framework

Railway Safety Directive 2004/49/EC, and under it:
CSM for Risk Assessment – Regulation 402/2013
CSM for Monitoring – Regulation 1078/2012
ECM Regulation 445/2011 (freight wagons), Annex III
CSM for Conformity Assessment – Regulations 1158/2010 & 1169/2010
CSM for Supervision – Regulation 1077/2012

[Diagram: these instruments placed on a Plan – Do – Check – Act cycle around the SMS/MMS (Safe Operation & Safe Maintenance), with Assessment and Monitoring/Supervision/Surveillance as the checking branches]
Overall presentation of the CSM for risk assessment and of its successive changes
Versions of CSM for risk assessment

Regulation 352/2009 (2005 to 2007): RAC-TS [10^-9 h^-1]
19/07/2010: technical changes
01/07/2012: TOO changes

Regulation 402/2013 (2010 to 2012; 21st May 2015, repealing Reg. 352/2009): Roles & Responsibilities of the CSM AB

Regulation 2015/1136 (2012 to 2014; 3rd August 2015, amending Reg. 402/2013): CSM DT [10^-9 & 10^-7 h^-1], more categories of RAC-TS
Overview of the CSM for risk assessment
Process in Annex I

Defines a common process for risk assessment:
(a) System definition
(b) Hazard identification & classification
(c) Identification of safety measures
(d) Risk analysis based on use of existing Risk Acceptance Principles (RAP):
1) Codes of practice
2) Reference Systems
3) Explicit risk estimation
There is no mandatory order of priority in use of these three RAP.
(d) Risk evaluation for checking acceptance of risk(s)
(e) Definition of safety requirements from identified safety measures

[Diagram (Reg. 352/2009): Iterative Risk Management Process “triggered” by a Significant Change – Preliminary System Definition → Significant Change? (justify and document decision) → Risk Assessment: System Definition; Risk Analysis (Hazard Identification and Classification; Codes of Practice / Similar Reference Systems / Explicit Risk Estimation); Risk Evaluation (vs. Risk Acceptance Criteria); Safety Requirements (i.e. safety measures to be implemented); Demonstration of Compliance with Safety Requirements; with Hazard Management and Independent Assessment alongside]
Overview of the CSM for risk assessment
Process in Annex I (Reg. 352/2009)

CSM for risk assessment also requires:
Update system definition with identified safety requirements;
Demonstrate compliance with system definition, and thus with safety requirements from risk assessment.

To support mutual recognition:
(a) Risk assessment and risk management must be documented in hazard record;
(b) Independent assessment by a CSM Assessment Body of correct application of the CSM Process and of appropriateness of results.

[Diagram: the same Iterative Risk Management Process “triggered” by a Significant Change as on the previous slide]
Independent CSM Assessment Body
Check correct application of CSM for risk assessment
Article 6 of Regulation 352/2009

When change is significant, a CSM Assessment Body must be appointed.
CSM assessment body shall carry out an independent assessment of:
correct application of risk management process in Annex I, and;
suitability of results from risk assessment process (Reg. 402/2013).
Criteria & requirements to be fulfilled: Who, What, How, When, etc.?

[Diagram: the Risk Management Process of Reg. 352/2009, with Independent Assessment covering the Risk Assessment block]
Compliance with existing standards
General overview of risk management in ISO 31000

Regardless of type of business, activity or function of company, Risk Management is a 7-step process (Basic Process Steps):
Defining context (System Definition)
Hazard/Risk Identification
Risk Analysis
Risk Evaluation
Risk Control
Risk Monitoring and Review
Communicate and Consult on risks
Hazard/Risk Identification, Risk Analysis and Risk Evaluation together form the Risk Assessment; all steps are part of the SMS.

‘Risk’ is dynamic and subject to constant change, so Risk Management process includes continuous Risk Monitoring and Review.
Communication with and consultation of staff on company and their activity risks.

[Diagram: ISO 31000 steps mapped onto the CSM process of Reg. 352/2009]
Traceability between CSM and CENELEC (Reg. 352/2009)

[Diagram: the CSM risk management process (Preliminary System Definition → Significant Change? → System Definition, Risk Analysis (Hazard Identification and Classification; Codes of Practice / Similar Reference Systems / Explicit Risk Estimation), Risk Evaluation (vs. Risk Acceptance Criteria), Safety Requirements (i.e. safety measures to be implemented), Demonstration of Compliance with Safety Requirements, Hazard Management [Ax III(2)(g) of SD], Independent Assessment) placed against the 14 CENELEC lifecycle phases:
1 Concept
2 System Definition & Application Conditions
3 Risk Analysis
4 System Requirements
5 Apportionment of System Requirements
6 Design and Implementation
7 Manufacture
8 Installation
9 System Validation (including Safety Acceptance and Commissioning)
10 System Acceptance
11 Operation and Maintenance
12 Performance Monitoring
13 Modification and Retrofit
14 De-commissioning and Disposal
BOX 1: Preliminary System Definition in CSM's; BOX 2: System Definition, Risk Assessment and Safety Requirements; BOX 3: Demonstration of Compliance with the Safety Requirements; BOX 4: Re-application of the CSM]
Independent CSM Assessment Body
General legal framework in Regulation 352/2009

Required when change is significant. Appointed by Proposer, if there is no contrary national legal obligation.

Necessary for mutual recognition of results from risk assessments → reduction of risk assessment costs and of requests for unjustified additional demonstrations.

Check correct application of CSM process and appropriateness of results.

Deliver a safety assessment report to support Proposer in its decisions.

WHEN? → not explicitly required in CSM. Should be involved early in project and finishes with delivery of independent assessment report to Proposer.

WHO? → whoever fulfils general requirements in Annex II of Reg. 352/2009:
independence from design, manufacturing, construction, marketing, operation or maintenance of system under assessment;
professional integrity and competence (skills, training, knowledge and experience) to perform independent safety assessment;
civil liability insurance & commercial confidentiality.
Independent CSM Assessment Body (Reg. 402/2013)
Novelty in Regulation 402/2013

To establish sufficient trust and enable mutual recognition of independent assessment work of CSM AB, the following questions needed an answer:
WHAT shall be assessed?
HOW are assessments to be performed?
WHAT is the content of the safety assessment report?
What is the interaction with other assessments (e.g. Safety certification & authorisation process for placing in service structural sub-systems)?
What specific criteria and requirements need to be fulfilled?
What areas of competence are necessary?
WHICH scheme could ensure similar quality of independent assessment? or HOW to become a CSM Assessment Body?
Independent CSM Assessment Body (Reg. 402/2013)
WHAT shall be assessed?

Correct application of CSM → check of compliance with CSM process.

Suitability of results of risk assessment → check that system under assessment fulfils safely intended objectives of the change.

Assessment includes all steps of CSM process:
system definition;
hazard identification and risk analysis;
risk evaluation and risk acceptance;
demonstration of compliance with safety requirements.

Evaluation of significance of change needs not be checked.
Independent CSM Assessment Body (Reg. 402/2013)
HOW is the independent assessment performed?

Independent assessment in Regulation 402/2013 is different from NOBO work:
NOBO checks formal conformity of a structural sub-system vs. ALL requirements defined in relevant TSIs,
whereas CSM assessment body makes JUDGEMENTS.

To make its judgement, a complete, thorough review and follow-up of all activities of “Proposer and its subcontractors” for design and implementation of change is not cost effective and also is not necessary.

Rather a 3-step approach shall be undertaken based on:
thorough understanding of the change and of its specification;
assessment of safety and quality processes put in place for the change;
assessment of application of these processes for design and implementation of change based on e.g. auditing and sampling techniques [or vertical slice assessment of key risks] till delivery of safety assessment report.
Independent CSM Assessment Body (Reg. 402/2013)
WHAT is the result of the independent assessment?

Safety assessment report delivered to Proposer, contains at least:
(a) identification of CSM assessment body;
(b) independent safety assessment plan;
(c) definition of scope and limitations of independent safety assessment;
(d) results of independent safety assessment including in particular:
(1) detailed information on independent safety assessment activities for checking compliance with provisions of CSM;
(2) any identified cases of non-compliances with provisions of CSM and assessment body’s recommendations;
(e) conclusions on compliance of risk assessment and risk management with CSM requirements and appropriateness to fulfil safely intended objectives.

Safety assessment report supports Proposer in decision to accept change.
It provides evidence to NSA, in particular within APIS of structural sub-systems, that Proposer correctly applied CSM process.
It is useful for supervision activities of the proposer’s Management System.
European (Railway) Legislation related to Market Opening
Assurance of compliance with EU legislation - Mutual trust/recognition

To avoid new assessments and new safety demonstrations for a same system, EU legislation introduces concepts of:
Certification
(Independent) Conformity Assessment Body (CAB)
Mutual Recognition or Acceptance (XA)

System or safety demonstration accepted in one MS or by one CAB must be cross accepted in another MS or by another CAB if used under the same functional, operational and environmental conditions.

→ duplication of conformity assessments by different CABs involved in a project shall be avoided unless CAB demonstrates existence of a substantial safety risk.

Conformity assessment bodies: NSAs, NoBos, DeBos, ECM Certification Bodies, CSM Assessment Bodies, National Accreditation Bodies & Recognition Bodies.
Monitoring of experience is expected to build trust between MS & between CABs.
Independent CSM Assessment Body (Reg. 402/2013)
WHAT is the interaction with other Conformity Assessment Bodies?

Duplication of independent assessment work between different Conformity Assessment Bodies involved in a project shall be avoided.

All risks identified with CSM for risk assessment are covered by:
TSI's (NoBo): check of conformity with TSI requirements applicable to the structural sub-system;
National Rules (DeBo): check of conformity with national rules applicable to the structural sub-system;
Other measures (CSM AB): check of correct application of CSM and of suitability of results from risk assessment.

Safety demonstration by proposer/applicant + NSA authorisation based on evidences of:
Safe integration [CSM AB];
Check of technical compatibility;
Compliance with TSI's [NoBo] & National Rules (law) [DeBo].
Roles and responsibilities of CSM Assessment Body for placing in service
Authorisation of Vehicles - Safe Integrations

STEP 1 – Responsibilities of Applicant: design, construct, install, test & demonstrate safe integration within the vehicle.
Technical compatibility and safe integration within the vehicle (use of CSM for RA):
conformity with TSI → check by NOBO;
conformity with NNR → check by DEBO;
RA according to CSM → check by CSM Assessment Body.
Output: Technical File containing all Operational & Maintenance Requirements linked to the design.
→ NSA Authorisation for placing in service.

STEP 2 – Responsibilities of Railway Undertaking: check technical compatibility and demonstrate safe integration within the Route.
Technical compatibility and safe integration within the Route (use of CSM for RA):
conformity with infrastructure register (RINF) → check by RU;
conformity with NNR → check by RU;
SMS update according to CSM for RA → check by CSM Assessment Body.
→ RU decision of placing in service.

STEP 3 – Responsibilities of RU & ECM: Operation & Maintenance according to Technical File; return of experience; update of SMS.
Operation according to RU SMS → supervision by NSA [Art 16(2)(f)].
Maintenance according to ECM System of Maintenance → surveillance by ECM Cert Body.
Independent CSM Assessment Body (Reg. 402/2013)
WHAT specific criteria and requirements shall CSM Assessment Body fulfil?

Full compliance with ISO/IEC 17020:2012 standard which contains general criteria for "independence, competence, integrity and impartiality“.

Following specific competence:
(a) competence in risk management, including knowledge and experience of standard safety analysis techniques and of relevant risk assessment and risk management standards;
(b) all relevant technical competence for assessing the change under assessment and its safe integration into the railway system;
(c) competence in checking the correct application of safety and quality management systems or in auditing management systems.
This is crucial since CSM AB is not required to check all activities and details of risk assessment and risk management done by proposer.
Independent CSM Assessment Body (Reg. 402/2013)
WHAT can be the areas of competence of the CSM Assessment Body?

By analogy to Article 28 of Directive 2008/57/EC concerning NoBo’s, CSM Assessment Body may be competent in different areas of railway system, or parts of it for which an essential safety requirement exists, including competence in operation and maintenance. Possible examples of classifications could be:
(a) infrastructure;
(b) energy;
(c) control command and signalling;
(d) rolling stock;
(e) braking components;
(f) operation, maintenance and traffic management;
(g) overall consistency and system approach (system level);
(h) specific engineering disciplines such as embedded real-time systems, telecommunications, hardware, software, human factor, …
(i) etc.
Independent CSM Assessment Body (Reg. 402/2013)
WHAT can be the areas of competence of the CSM Assessment Body?

A particular competence is needed to assess overall consistency of risk management and safe integration of system under assessment into railway system as a whole. This specific competence includes ability of CSM AB to check:
(j) the organisation or arrangements put in place by the proposer to ensure a coordinated approach to achieving system safety through a uniform understanding and application of risk control measures for its composing sub-systems;
(k) the methodology for the evaluation of the methods and resources deployed by various stakeholders to support safety at both the sub-system and system levels; and
(l) the technical aspects necessary for assessing the relevance and completeness of risk assessments and the level of safety for the system as a whole.

The CSM assessment body may be accredited or recognised for one, several or all of the areas of competence.
Independent CSM Assessment Body (Reg. 402/2013)
Relaxed criteria where mutual recognition not necessary
Article 12 - “Where the risk assessment for a significant change is not to be
mutually recognised, the proposer shall appoint an assessment body meeting at
least the competency, independency and impartiality requirements of Annex II.
The other requirements of paragraph 1 in Annex II may be relaxed in agreement
with the national safety authority in a non-discriminatory way.”

Accreditation or recognition enable mutual recognition.

Article 12 is an exception to those rules and principles. Foreseen for national
purposes only when mutual recognition not needed and where accredited or
recognised CSM AB not acceptable from economical point of view.

Example: changes affecting only domestic market, where international trains
would never operate

Article 12 to be used with precautions and in duly justified cases.
Independent CSM Assessment Body (Reg. 402/2013)
Relaxed criteria where mutual recognition not necessary

Article 12 does not list criteria and requirements that could be relaxed.

It does neither prescribe process to be used nor actor who should check
fulfilment of relaxed criteria. There are no requirements for surveillance

Independent safety assessment report of an assessment body accepted under Article 12 cannot benefit from the mutual recognition granted to accredited or recognised CSM AB.

Article 12 not intended to be used as normal and standard way of acknowledging independence, integrity, impartiality and competence of CSM AB

Article 12 does not support opening of European railway market. Article 12
should be used exceptionally and in duly justified cases

Whenever Article 12 is used, for transparency reasons, independent safety
assessment report of CSM AB should clearly list criteria and requirements of
Annex II of CSM for risk assessment that are relaxed.
CSM for risk assessment (Reg. 402/2013)
Roles & Responsibilities of the Proposer and of the CSM Assessment Body

Proposer is responsible for application of CSM for risk assessment and to
document/justify its decisions and results of risk assessment

When change is significant, Proposer shall appoint an Assessment Body

CSM Assessment Body provides proposer with a Safety Assessment Report

Proposer is responsible for determining if and how to take into account the
conclusions of safety assessment report for safety acceptance of change

Proposer shall justify and document part(s) of safety assessment report for
which he eventually disagrees with Assessment Body

Article 16: Declaration by Proposer
Based on results of application of CSM and on safety assessment report
provided by assessment body, Proposer shall produce a written declaration
that all identified hazards and associated risks are controlled to an acceptable
level
CSM for risk assessment (Reg. 402/2013)
Mutual recognition by the NSA/NOBO of the Safety Assessment Report

When the change is significant, in scope of authorisation for placing in service of structural sub-systems, NSA shall accept Proposer’s Declaration
… NSA may not request additional checks or risk analyses unless it is able to
demonstrate the existence of a substantial safety risk

When a TSI requires application of CSM for risk assessment, if Proposer has
contracted an Assessment Body to check compliance with CSM, NoBo shall
accept Proposer’s Declaration … unless it justifies and documents its doubts
concerning the assumptions made or the appropriateness of the results
Independent CSM Assessment Body (Reg. 402/2013)
Provision of information to ERA – Roles of ERA
To enable ERA to keep updated Data Bases

Member States (MS) shall inform ERA which is their national
accreditation body and/or recognition body or recognition bodies, as
well as of assessment bodies they recognised directly in conformity with
Article 9(1)(a)

National Accreditation Body shall inform ERA of assessment bodies
accredited, as well as of area of competence from Annex II for which
those assessment bodies are accredited

Recognition Body shall inform ERA of the assessment bodies recognised,
as well as of the area of competence from Annex II for which those
assessment bodies are recognised

MS, NAB, Recognition Bodies shall also notify any changes within one
month so that ERA can make this information publicly available.
Additional information on CSM Assessment Body
ERA/OTIF paper on CSM Assessment Body coming soon on ERA web page
1. Concept of mutual recognition in scope of CSM
2. Concepts and requirements contained in Regulation 352/2009 and OTIF UTP
GEN-G of 1.5.2012:
3. General criteria in Annex II
4. Role of CSM assessment body
5. Who can be CSM assessment body?
6. Relationship between CSM assessment body and CENELEC ISA
7. When is a CSM assessment body required?
8. Who appoints the CSM assessment body?
9. Specific criteria and requirements to be fulfilled
10. Areas of competence
11. Use of external sub-contractors by CSM assessment body
12. Justification of use of ISO/IEC 17020:2012 standard
Additional information on CSM Assessment Body
ERA/OTIF paper on CSM Assessment Body coming soon on ERA web page
13. Basis for trust in the work of the CSM Assessment Body: accreditation and recognition
14. Benefits of allowing the use of recognition
15. Work of CSM assessment bodies EU-wide and in OTIF Contracting States
16. Relaxed criteria and requirements of Article 12
17. Freedom for a MS to have or not have a CSM assessment body in the country
18. Where to find the list of accredited and recognised CSM assessment bodies?
19. When should the CSM assessment body start its work?
20. When does the CSM assessment body finish its work?
21. How is the independent assessment to be done by the CSM assessment body?
22. What is the content of the safety assessment report?
23. Are judgments and conclusions of the CSM assessment body binding for the proposer?
24. What are the interactions between the CSM assessment body and the other conformity assessment bodies [NoBo, DeBo, NSA]?
Slide n° 47
Latest amendments of
CSM for risk assessment
CSM Design Targets (CSM DT)
(Regulation 2015/1136)
Slide n° 48
2015/1136
Scope of RAC-TS – CSM for risk assessment
Needed in explicit risk estimation

Harmonised safety requirements for design of E/E/PE Technical Systems (TS)

Used in 3rd risk acceptance principle (Explicit risk estimation) to permit Mutual Recognition of Risk Assessments of TS

To avoid confusion with other RAC, RAC-TS renamed into CSM-DT

[Figure: CSM risk assessment process flowchart. Boxes, in the order they appear on the slide: Preliminary System Definition; Significant Change? (if not: Justify and document decision); RISK ASSESSMENT, comprising SYSTEM DEFINITION, RISK ANALYSIS (HAZARD IDENTIFICATION AND CLASSIFICATION, then one of the three risk acceptance principles: Codes of Practice, Similar Reference Systems, Explicit Risk Estimation) and RISK EVALUATION (vs. Risk Acceptance Criteria); Safety Requirements (i.e. the safety measures to be implemented); Demonstration of Compliance with Safety Requirements; HAZARD MANAGEMENT and INDEPENDENT ASSESSMENT shown alongside the whole process. Detail of EXPLICIT RISK ESTIMATION: Identification of Scenarios & associated Safety Measures; Qualitative Safety Criteria? / Quantitative; Estimate Frequency; Estimate Severity; Estimate Risk; Explicit Quantitative or Qualitative RAC required / Criteria required; RISK EVALUATION: Comparison with Criteria; Acceptable Risk? NO (back to safety measures) / YES (Safety Requirements, i.e. safety measures to be implemented).]
Slide n° 49
2015/1136
Objectives of setting up CSM-DT for technical systems
Development costs proportionate to risks arising from failures of TS

For the sustainability of EU railways and to permit safe competition of railways vs. other modes of transport, it is important that the development costs of TS are proportionate to the risk associated with their failure

TS shall be safe enough but shall not be safer than actually needed, because they would then be more expensive

It is thus important to be able to distinguish, for technical systems:

failures having the possibility to result in big-consequence accidents, not limited to an area of the train, i.e. catastrophic ones affecting many people, and;
[examples: train collisions & derailments + failure of all train doors]
failures having the possibility to result in less severe accidents, limited to an area of the train, i.e. accidents affecting a reasonably small number of people
[examples: unintended opening of an individual train door]
Slide n° 50
2015/1136
CSM DT for technical systems in
Regulation 2015/1136 amending Regulation 402/2013
2.5.5. Where hazards arise as a result of failures of functions of a technical system,
… the following harmonised design targets shall apply to those failures:
(a) where a failure has a credible potential to lead directly to a
catastrophic accident, the associated risk does not have to be reduced
further if the frequency of the failure of the function has been
demonstrated to be highly improbable
(b) where a failure has a credible potential to lead directly to a critical
accident, the associated risk does not have to be reduced further if
the frequency of the failure of the function has been demonstrated to
be improbable
The choice between these definitions shall result from the most credible
unsafe consequence of the failure.
Slide n° 51
2015/1136
Definitions associated with CSM-DT
New definitions in Article 3 of Regulation 402/2013
(23) ‘catastrophic accident’ means an accident typically affecting a large number of people and resulting in multiple fatalities;
(35) ‘critical accident’ means an accident typically affecting a very small number of people and resulting in at least one fatality;
(37) ‘highly improbable’ means an occurrence of a failure at a frequency less than or equal to 10⁻⁹ per operating hour;
(38) ‘improbable’ means an occurrence of a failure at a frequency less than or equal to 10⁻⁷ per operating hour;
Considering only one fatality would impose more severe requirements on railways
Aviation uses: “Serious or fatal injury to a relatively small number of the occupants other than the flight crew”
Slide n° 52
2015/1136
CSM-DT are based on existing standards,
national legislation and national rules
Directive 2004/49 recognises that safety levels in Community rail system are
generally high and those existing safety levels shall be maintained
[Figure: how the CSM-DT were set up. Inputs: requirements currently defined in existing standards, national legislation or national rules (applying to existing Technical Systems); use of statistics from accidents involving technical systems (return of experience); safety levels currently achieved, judged to be generally high. Output: set-up of CSM-DT, written F(x) with x = CSM-DT, applied to the design of future Technical Systems.]
Slide n° 53
2015/1136


CSM-DT are based on existing standards,
national legislation and national rules
Compared to requirements currently defined in existing standards, national legislation or national rules for the design of existing railway TS, the proposed CSM-DT are:

usable for electrical, electronic and programmable electronic TS design

neither decreasing safety performance nor increasing development costs

estimated by representative bodies and the majority of workshop participants to correspond to present reality, experience and practice in railways
=> CSM-DT fit railway needs (although 2 NSAs ask for more validation)

no evidence validating the possibility to quantify failures of purely mechanical and purely pneumatic technical systems

a harmonised CSM-DT for the light injury category is not needed
Proposed CSM-DT similar to aviation ones: similar requirements for similar consequences of TS failures [10⁻⁹ & 10⁻⁷ per flight hour / per operating hour]
[all occupants] or [a relatively small number of occupants] CAN BE affected
Slide n° 54
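The decision rule of point 2.5.5 (slides 51 and 52), with the scope limits from slides 49 and 54, written out as an added example. This is not code from the presentation or from ERA; it is an illustration of how a proposer's hazard record could apply the harmonised targets. The function names, failure rates and "credibility" weights are constructed assumptions: the regulation says the target follows the most credible unsafe consequence, and here that judgment is recorded as a weight per consequence so the selection is explicit and reviewable.

```python
"""Added example (not from the ERA deck): applying the CSM-DT rule of point 2.5.5
of Regulation 402/2013 as amended by Regulation 2015/1136 to constructed records."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Consequence(Enum):
    """Unsafe consequence classes, following the Article 3 definitions on slide 52."""
    CATASTROPHIC = "catastrophic"    # (23): large number of people, multiple fatalities
    CRITICAL = "critical"            # (35): very small number of people, >= 1 fatality
    LIGHT_INJURY = "light injury"    # slide 54: no harmonised CSM-DT for this category
    NONE = "none"                    # no unsafe consequence


# Harmonised design targets: maximum failure frequency per operating hour.
CSM_DT = {
    Consequence.CATASTROPHIC: 1e-9,  # (37) "highly improbable"
    Consequence.CRITICAL: 1e-7,      # (38) "improbable"
}


@dataclass
class FunctionFailure:
    function: str
    ee_pe: bool                                    # E/E/PE technical system? (CSM-DT scope)
    consequences: List[Tuple[Consequence, float]]  # (consequence, credibility weight), assumed format
    demonstrated_rate: float                       # failures per operating hour, from the safety case


def most_credible_unsafe(consequences: List[Tuple[Consequence, float]]) -> Consequence:
    """2.5.5: the target follows the MOST CREDIBLE unsafe consequence, not the worst
    conceivable one. Credibility is modelled as a weight (assumption of this example)."""
    unsafe = [(c, w) for c, w in consequences if c is not Consequence.NONE]
    if not unsafe:
        return Consequence.NONE
    return max(unsafe, key=lambda cw: cw[1])[0]


def evaluate(failure: FunctionFailure) -> dict:
    """Decide whether the risk from one function failure needs further reduction."""
    result = {"function": failure.function, "applicable": failure.ee_pe, "category": None,
              "target": None, "meets_target": None, "verdict": ""}
    if not failure.ee_pe:
        # Purely mechanical / pneumatic TS: slide 54 reports no validated basis to
        # quantify their failures, so the harmonised targets are not used for them.
        result["verdict"] = "CSM-DT not applicable (not an E/E/PE technical system)"
        return result
    category = most_credible_unsafe(failure.consequences)
    result["category"] = category
    if category is Consequence.NONE:
        result["verdict"] = "no unsafe consequence: outside point 2.5.5"
        return result
    target: Optional[float] = CSM_DT.get(category)
    result["target"] = target
    if target is None:
        result["verdict"] = "no harmonised design target for this category: explicit RAC needed"
        return result
    result["meets_target"] = failure.demonstrated_rate <= target
    result["verdict"] = ("risk need not be reduced further" if result["meets_target"]
                         else "risk must be reduced further (or a lower failure rate demonstrated)")
    return result


# Constructed records; the first two follow the door examples given on slide 50.
SAMPLE_FAILURES = [
    FunctionFailure("failure of all train doors (open while running)", True,
                    [(Consequence.CATASTROPHIC, 0.8), (Consequence.CRITICAL, 0.2)], 5e-10),
    # Worst case is catastrophic, but the most credible consequence is critical,
    # so the 1e-7 target applies; the demonstrated 2e-7 does not meet it.
    FunctionFailure("unintended opening of an individual train door", True,
                    [(Consequence.CATASTROPHIC, 0.05), (Consequence.CRITICAL, 0.9)], 2e-7),
    FunctionFailure("purely pneumatic valve sticks (constructed)", False,
                    [(Consequence.CATASTROPHIC, 0.5)], 1e-10),
    FunctionFailure("platform gap filler extends late (constructed)", True,
                    [(Consequence.LIGHT_INJURY, 1.0)], 1e-5),
]


def evaluate_all(failures: List[FunctionFailure] = SAMPLE_FAILURES) -> List[dict]:
    return [evaluate(f) for f in failures]


if __name__ == "__main__":
    for r in evaluate_all():
        print(f"{r['function']}: {r['verdict']}")
```

The second record is the one worth noticing: picking the worst case would demand 10⁻⁹, but the text of 2.5.5 ties the target to the most credible unsafe consequence, so the check runs against 10⁻⁷ and the record still fails it.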
2015/1136
Use of Design Targets in Aviation (Ref. AC/AMJ N°25.1309)
Similarities with Railways and CSM-DT
[Table: RAILWAYS vs AVIATION, one row per severity level; FC = Failure Condition]

Catastrophic level
  RAILWAYS: Failures of functions having possibility to affect whole train (i.e. all occupants) and resulting in fatalities ≤ 10⁻⁹ per operating hour [≈ catastrophic consequences]
  AVIATION: Catastrophic FC resulting in multiple fatalities usually with loss of plane (thus impacting all occupants) ≤ 10⁻⁹ per flight hour [Extremely improbable FC]

Critical / Hazardous level
  RAILWAYS: Failures of functions having possibility to affect a limited area of train (thus a relatively small number of occupants) and resulting in at least one fatality ≤ 10⁻⁷ per operating hour [≈ critical consequences]
  AVIATION: Hazardous FC reducing capability of airplane, large reduction in safety margins, physical distress or excessive workload on crew and impacting a relatively small number of occupants ≤ 10⁻⁷ per flight hour [Extremely remote FC]

Major level
  RAILWAYS: Light injuries ≤ 10⁻⁵ per operating hour [≈ major consequences] => not included in amendment of 402/2013
  AVIATION: Major FC ≤ 10⁻⁵ per flight hour [remote]

Minor level
  RAILWAYS: (none shown)
  AVIATION: Minor FC ≤ 10⁻³ per flight hour [probable]

They also use EQUIVALENT PROCESSES for Safety Assessments, HW&SW Development, Verification & Validation & Management of Systematic Failures
Slide n° 55
Many thanks for your attention!
E-mail: [email protected]
Slide n° 56