Guidance for Use of CSM Recommendation - ERA - Europa

More documents

Recommendations

Info

European Railway Agency Collection of examples of risk assessments and of some possible tools supporting the CSM Regulation [G 1] In general, the proposer will decide what risk acceptance principle is the most appropriate for controlling the identified hazards based on the specific requirements of the project, as well as on the proposer's experience with the three principles. [G 2] It is not possible always to evaluate the risk acceptability at the system level through the use of only one of the three risk acceptance principles. The risk acceptance will often be based on a mix of these principles. If for a significant hazard, more than one risk acceptance principles need to be applied for controlling the associated risk, the related hazard needs to be divided into sub-hazards so that each individual sub-hazard is adequately controlled by only one risk acceptance principle. [G 3] The decision for controlling a hazard by a risk acceptance principle needs to take into account the hazard and the causes of the hazard already identified during the hazard identification phase. Thus, if two different and independent causes are associated to the same hazard, the hazard needs to be sub-divided into two different sub-hazards. Each subhazard will then be controlled by a single risk acceptance principle. The two sub-hazards need to be registered and managed in the hazard record. For example, if the hazard is caused by a design error this can be managed by the application of a code of practice, whereas if the cause of the hazard is a maintenance error, the code of practice alone may not be sufficient; the application of another risk acceptance principle is then needed. [G 4] The reduction of risk to an acceptable level might need several iterations between the risk analysis and risk evaluation phases until appropriate safety measures are identified. [G 5] The present residual risk returned from experience on the field for the existing systems and for the systems based on the application of codes of practice is recognised to be acceptable. The risk resulting from explicit risk estimation is based on expert's judgement and different assumptions taken by the expert during the analyses, or on data bases related to accident or operational experience. Therefore the residual risk from explicit risk estimation cannot be confirmed immediately by return from the field. Such a demonstration requires time for operating, monitoring and getting a representative experience for the related system(s). In general, the application of codes of practice and comparison with similar reference systems has the advantage to avoid the over specification of unnecessarily strict safety requirements that can result from excessively conservative (safety) assumptions in explicit risk estimations. However it could happen that some safety requirements from codes of practice or similar reference systems need not to be fulfilled for the system under assessment. In that case, the application of explicit risk estimation would have the advantage to avoid an unnecessary overdesign of the system under assessment and would enable to provide a more cost effective design that has not been tried before. [G 6] If the identified hazards and the associated risk(s) of the system under assessment cannot be controlled by the application of codes of practice or similar reference systems, an explicit risk estimation is performed, based on quantitative or qualitative analyses of hazardous events. This situation arises when the system under assessment is entirely new (or the design is innovative) or when the system deviates from a code of practice or a reference system. The explicit risk estimation will then evaluate whether the risk is acceptable (i.e. further analysis is not needed) or whether additional safety measures are needed to reduce the risk further. [G 7] Guidance for risk reduction and risk acceptance can also be found in section § 8. of the EN 50 126-2 Guideline {Ref. 9}. [G 8] The used risk acceptance principle and its application need to be evaluated by the assessment body. Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 36 of 105 File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu
European Railway Agency Collection of examples of risk assessments and of some possible tools supporting the CSM Regulation 2.1.5. The proposer shall demonstrate in the risk evaluation that the selected risk acceptance principle is adequately applied. The proposer shall also check that the selected risk acceptance principles are used consistently. [G 1] For example, if for the software of a component the application of the SIL 4 development process of the EN 50 128 standard is specified as the safety requirement, the demonstration will need to prove that the process recommended by the standard is fulfilled. This includes for example the demonstration that: (a) the requirements for independence in the organisation of the design, verification and validation of the software are fulfilled; (b) the correct methods of the EN 50 128 standard for the SIL 4 safety integrity level are applied; (c) etc. [G 2] For example, if a dedicated code of practice is to be used for manufacturing emergency brake electro valves, the demonstration will need to prove that all requirements from the code of practice are fulfilled during the manufacturing process. 2.1.6. The application of these risk acceptance principles shall identify possible safety measures which make the risk(s) of the system under assessment acceptable. Among these safety measures, the ones selected to control the risk(s) shall become the safety requirements to be fulfilled by the system. Compliance with these safety requirements shall be demonstrated in accordance with section 3. [G 1] Two types of safety measures can be identified: (a) "preventive safety measures" preventing the occurrence of hazards or their causes, and; (b) "mitigation safety measures" preventing hazards to evolve into accidents or reducing the consequences of accidents after their occurrence (protection measures) For the benefit of operability, prevention of causes is generally more efficient [G 2] The proposer will consider as the most appropriate the safety measures that give the best compromise between the cost to achieve the risk reduction and the level of the residual risk. The chosen safety measures become the safety requirements for the system under assessment. [G 3] It is important to check that the safety measures selected to control one hazard are not in conflict with other hazards. As represented in Figure 6, the following two cases may happen for example (13) : (a) CASE 1: if the same safety measure (measure A on Figure 6) can control different hazards without creating conflicts between them, and if economically justified, the related safety measure could be chosen alone as the associated "safety requirement". The total number of safety requirements to fulfil is smaller than implementing both the measures B and C; (13 ) It must be noted that the guide does not list all the situations where safety measures could be in conflict with other identified hazards. Only a few illustrative examples are provided. Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 37 of 105 File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu
Page 1 and 2: European Railway Agency Collection
Page 23 and 24: INDEPENDENT ASSESSMENT System Defin
Page 33 and 34: BOX 1 BOX 2 European Railway Agency
Page 35: European Railway Agency Collection
Page 87 and 88:
European Railway Agency Collection
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105:
show all

Guidance for Use of CSM Recommendation - ERA - Europa

Create successful ePaper yourself

Delete template?

Save as template?