Guidance for Use of CSM Recommendation - ERA - Europa

More documents

Recommendations

Info

European Railway Agency Collection of examples of risk assessments and of some possible tools supporting the CSM Regulation [G 2] The outputs of the risk assessment process in the CSM are (after iterations - see Figure 1): (a) the "system definition" updated with the "safety requirements" issued from the "risk analysis" and "risk evaluation" activities (see section 2.1.6); (b) the "apportionment of system requirements" down to the different sub-systems and components (Phase 5 in Figure 5); (c) the "hazard record" that registers: (1) all the identified hazards and the associated safety measures; (2) the resulting safety requirements; (3) the assumptions taken into account for the system that determine the limits and validity of the risk assessment (see point (g) in section 2.1.2); (d) and in general all the evidence resulting from the application of the CSM: see section 5. These risk assessment outputs of the CSM correspond to the safety related outputs of the Phase 4 in the CENELEC V-Cycle, i.e. to the system requirement specification in Figure 5. [G 3] The system definition updated with the results from the risk assessment and the hazard record constitute the inputs against which the system is designed and accepted. The "demonstration of the system compliance with the safety requirements" in the CSM corresponds to the following phases of the CENELEC V-Cycle (see BOX 3 in Figure 5): (a) Phase 6 in Figure 5: "design and implementation"; (b) Phase 7 in Figure 5: "manufacture"; (c) Phase 8 in Figure 5: "installation"; (d) Phase 9 in Figure 5: "system validation (including safety acceptance and commissioning)"; (e) Phase 10 in Figure 5: "system acceptance". [G 4] The demonstration of the system compliance with the safety requirements depends on whether the significant change is technical, operational or organisational. So, the different steps in the CENELEC V-cycle in Figure 5 may not be suitable for all significant changes of the given kind. The V-cycle in Figure 5 needs to be considered accordingly and used with appropriate judgement of what fits to each specific application (e.g. for operational and organisational changes, there is not manufacturing phase). [G 5] This means that the "demonstration of the system compliance with the safety requirements" in the CSM does not include only the "verification and validation" activities by tests or simulation. In practice, it covers all the phases "6 to 10" (see list here above and Figure 5) in the CENELEC V-Cycle. They include the design, manufacture, installation, verification and validation activities, as well as the associated RAMS activities and the system acceptance. [G 6] During the "demonstration of the system compliance with the safety requirements", the general principle is to focus the risk assessment only on the safety related functions and interfaces of the system. This means that whenever risk and safety assessment activities are required in the scope of one of the phases in the CENELEC V-Cycle in Figure 5, it focuses on: (a) the safety related functions and interfaces; (b) the sub-systems and/or components involved in the achievement of the safety related functions and/or interfaces assessed during the higher level risk assessment activities. [G 7] It results then from the comparison with the classical CENELEC V-Cycle in Figure 5 that: (a) the CSM covers the phases "1 to 10" and "13" of this V-Cycle. They include the set of activities required for the acceptance of the system under assessment; Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 34 of 105 File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu
European Railway Agency Collection of examples of risk assessments and of some possible tools supporting the CSM Regulation (b) the CSM does not cover the phases "11", "12" and "14" of the system life-cycle: (1) the phases "11" and "12" are respectively related to the "operation and maintenance" and "performance monitoring" of the system after its acceptance based on the CSM. These two phases are covered by the RU and IM safety management system (SMS) – (See BOX 4 in Figure 5). However, if during the operation, the maintenance or the performance monitoring of the system it appears necessary to modify and retrofit the system (Phase 13 in Figure 5), whereas it is already in operation, the CSM is applied again on the new required changes in compliance with the Article 2. Therefore, if the change is significant: (i) the risk management and risk assessment processes in the CSM are applied to these new changes; (ii) an acceptance is needed for these new changes in compliance with Article 6; (2) the "de-commissioning and disposal" of a system already in operation (Phase 14) could also be considered as a significant change, and therefore, the CSM could be applied again in compliance with the Article 2 for the phase 14 in Figure 5 For more information about the scope of each phase or activity in the CENELEC V-Cycle recalled in Figure 5, refer to section § 6. of the EN 50 126-1 standard {Ref. 8} 2.1.2. The system definition should address at least the following issues: (a) system objective, e.g. intended purpose; (b) system functions and elements, where relevant (including e.g. human, technical and operational elements); (c) system boundary including other interacting systems; (d) physical (i.e. interacting systems) and functional (i.e. functional input and output) interfaces; (e) system environment (e.g. energy and thermal flow, shocks, vibrations, electromagnetic interference, operational use); (f) existing safety measures and, after iterations, definition of the safety requirements identified by the risk assessment process; (g) assumptions which shall determine the limits for the risk assessment. [G 1] Additional explanation is not judged necessary. 2.1.3. A hazard identification shall be carried out on the defined system, according to section 2.2. [G 1] Additional explanation is not judged necessary. 2.1.4. The risk acceptability of the system under assessment shall be evaluated by using one or more of the following risk acceptance principles: (a) the application of codes of practice (section 2.3); (b) a comparison with similar systems (section 2.4); (c) an explicit risk estimation (section 2.5). In accordance with the general principle referred to in section 1.1.5, the assessment body shall refrain from imposing the risk acceptance principle to be used by the proposer. Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 35 of 105 File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu
Page 1 and 2: European Railway Agency Collection
Page 23 and 24: INDEPENDENT ASSESSMENT System Defin
Page 33: BOX 1 BOX 2 European Railway Agency
Page 85 and 86:
European Railway Agency Collection
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105:
show all

Guidance for Use of CSM Recommendation - ERA - Europa

Create successful ePaper yourself

Delete template?

Save as template?