Guidance for Use of CSM Recommendation - ERA - Europa
European Railway Agency
Collection of examples of risk assessments and of some possible tools supporting the CSM Regulation

[G 1] In general, the proposer will decide which risk acceptance principle is the most appropriate for controlling the identified hazards, based on the specific requirements of the project as well as on the proposer's experience with the three principles.

[G 2] It is not always possible to evaluate the risk acceptability at the system level through the use of only one of the three risk acceptance principles. The risk acceptance will often be based on a mix of these principles. If, for a significant hazard, more than one risk acceptance principle needs to be applied for controlling the associated risk, the related hazard needs to be divided into sub-hazards so that each individual sub-hazard is adequately controlled by only one risk acceptance principle.

[G 3] The decision to control a hazard by a given risk acceptance principle needs to take into account the hazard and the causes of the hazard already identified during the hazard identification phase. Thus, if two different and independent causes are associated with the same hazard, the hazard needs to be sub-divided into two different sub-hazards. Each sub-hazard will then be controlled by a single risk acceptance principle. The two sub-hazards need to be registered and managed in the hazard record. For example, if the hazard is caused by a design error, this can be managed by the application of a code of practice, whereas if the cause of the hazard is a maintenance error, the code of practice alone may not be sufficient; the application of another risk acceptance principle is then needed.
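As an added illustration of [G 2] and [G 3] (example code, not part of the ERA guidance itself): a small hazard-record model that splits a hazard whose independent causes call for different risk acceptance principles into sub-hazards, each controlled by exactly one principle, and checks the record for entries that break that rule. The hazard, its causes and the principle chosen for the maintenance cause are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List

class Principle(Enum):
    CODE_OF_PRACTICE = "code of practice"
    REFERENCE_SYSTEM = "similar reference system"
    EXPLICIT_RISK_ESTIMATION = "explicit risk estimation"

@dataclass(frozen=True)
class Cause:
    description: str
    principle: Principle  # principle chosen to control this cause

@dataclass
class Hazard:
    hazard_id: str
    description: str
    causes: List[Cause]

def split_into_sub_hazards(hazard: Hazard) -> List[Hazard]:
    """[G 2]/[G 3]: if the causes of one hazard need different principles,
    divide it into sub-hazards so each is controlled by exactly one principle."""
    needed = [p for p in Principle if any(c.principle is p for c in hazard.causes)]
    if len(needed) <= 1:
        return [hazard]  # already controlled by a single principle
    return [
        Hazard(f"{hazard.hazard_id}.{i}", f"{hazard.description} ({p.value})",
               [c for c in hazard.causes if c.principle is p])
        for i, p in enumerate(needed, start=1)
    ]

def register(record: Dict[str, Hazard], hazard: Hazard) -> Dict[str, Hazard]:
    # Enter a hazard in the hazard record, splitting it first if required.
    for sub in split_into_sub_hazards(hazard):
        record[sub.hazard_id] = sub
    return record

def violations(record: Dict[str, Hazard]) -> List[str]:
    """IDs of record entries not controlled by exactly one principle."""
    return [h.hazard_id for h in record.values()
            if len({c.principle for c in h.causes}) != 1]

# Constructed example following [G 3]: the principle for the maintenance
# cause is an assumption; the text only says "another principle" is needed.
EXAMPLE = Hazard("H-1", "Unintended opening of a passenger door (constructed)", [
    Cause("design error in the door control logic", Principle.CODE_OF_PRACTICE),
    Cause("maintenance error on the door lock", Principle.EXPLICIT_RISK_ESTIMATION),
])

def example_record() -> Dict[str, Hazard]:
    return register({}, EXAMPLE)
```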
[G 4] The reduction of risk to an acceptable level might need several iterations between the risk analysis and risk evaluation phases until appropriate safety measures are identified.

[G 5] The present residual risk, as returned from experience in the field for the existing systems and for the systems based on the application of codes of practice, is recognised to be acceptable. The risk resulting from explicit risk estimation is based on expert judgement and on the different assumptions taken by the expert during the analyses, or on databases related to accident or operational experience. Therefore the residual risk from explicit risk estimation cannot be confirmed immediately by return from the field. Such a demonstration requires time for operating, monitoring and gaining representative experience with the related system(s). In general, the application of codes of practice and comparison with similar reference systems has the advantage of avoiding the over-specification of unnecessarily strict safety requirements that can result from excessively conservative (safety) assumptions in explicit risk estimations. However, it could happen that some safety requirements from codes of practice or similar reference systems need not be fulfilled for the system under assessment. In that case, the application of explicit risk estimation would have the advantage of avoiding an unnecessary overdesign of the system under assessment and would enable a more cost-effective design that has not been tried before.

[G 6] If the identified hazards and the associated risk(s) of the system under assessment cannot be controlled by the application of codes of practice or similar reference systems, an explicit risk estimation is performed, based on quantitative or qualitative analyses of hazardous events. This situation arises when the system under assessment is entirely new (or the design is innovative) or when the system deviates from a code of practice or a reference system. The explicit risk estimation will then evaluate whether the risk is acceptable (i.e. further analysis is not needed) or whether additional safety measures are needed to reduce the risk further.

[G 7] Guidance for risk reduction and risk acceptance can also be found in section § 8 of the EN 50126-2 Guideline {Ref. 9}.

[G 8] The risk acceptance principle used and its application need to be evaluated by the assessment body.

Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 36 of 105
File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc
European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu