Guidance for Use of CSM Recommendation - ERA - Europa

European Railway Agency
Collection of examples of risk assessments and of some possible tools
supporting the CSM Regulation
4. HAZARD MANAGEMENT
4.1. Hazard management process
4.1.1. Hazard record(s) shall be created or updated (where they already exist) by the proposer
during the design and the implementation and till the acceptance of the change or the
delivery of the safety assessment report. The hazard record shall track the progress in
monitoring risks associated with the identified hazards. In accordance with point 2(g) of
Annex III to Directive 2004/49/EC, once the system has been accepted and is operated,
the hazard record shall be further maintained by the infrastructure manager or the
railway undertaking in charge with the operation of the system under assessment as
an integrated part of its safety management system.
[G 1] The use of a hazard record for registering, managing and controlling safety relevant
information is also recommended by the CENELEC 50 126-1 {Ref. 8} and 50 129 {Ref. 7}
standards.
[G 2] For example, depending on the complexity of the system, an actor could have one or more
hazard records. In both cases, the hazard record(s) is(/are) subject to independent
assessment by the assessment body (-ies). For example, one possible solution could be to
have:
(a) one "internal hazard record" for the management of all the internal safety requirements
applicable to the sub-system the actor is responsible for. Its size and amount of
management work depends on its structure and of course on the complexity of the subsystem.
However, as it is used for internal management purposes, the hazard record
does not need to be communicated to other actors. The internal hazard record contains
all the identified hazards that are controlled, as well as the associated safety measures
that are validated;
(b) one "external hazard record" for transferring to other actors hazards and the associated
safety measures (that the actor cannot implement fully himself) in compliance with the
section 1.2.2. Usually, this second hazard record is smaller and requires less
management work (see example in section C.16.4. of Appendix C).
[G 3] If it seems complicated to manage several hazard records, another possible solution is to
manage all hazards and the associated safety measures covered by the points (a) and (b)
above in a single hazard record but with the possibility of two hazard record reports (see
example in section C.16.3. of Appendix C):
(a) one internal hazard record report, which could even be not necessary if the hazard
record is well structured in order to enable independent assessment;
(b) one external hazard record report for transferring hazards and the associated safety
measures to other actors.
[G 4] As explained in section 4.2, at the end of the project when the system is accepted:
(a) all hazards that are transferred to other actors are controlled in the external hazard
record of the actor who transfers them. As they are imported and managed in the
internal hazard records of the other actors, they need not be managed further by the
considered actor during the (sub-)system life-cycle;
(b) however all the associated safety measures should not be validated in the hazard record
for the reasons that are explained in point [G 9] in section 4.2. Indeed, it is useful that
the organisation exporting the restrictions of use clearly points out in its hazard record
that the associated safety measures were not validated.
Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 51 of 105
File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc
European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu