Guidance for Use of CSM Recommendation - ERA - Europa

04.07.2015 Views
European Railway Agency Collection of examples of risk assessments and of some possible tools supporting the CSM Regulation [G 5] Reciprocally, all internal hazard records are maintained throughout the whole (sub-)system life-cycle. That enables to track the progress on monitoring risks associated with the identified hazards during the (sub-)system operation and maintenance, i.e. even after its commissioning: see BOX 4 in the CENELEC V-Cycle in Figure 5. 4.1.2. The hazard record shall include all hazards, together with all related safety measures and system assumptions identified during the risk assessment process. In particular, it shall contain a clear reference to the origin and to the selected risk acceptance principles and shall clearly identify the actor(s) in charge of controlling each hazard. [G 1] The information on hazards and the associated safety measures that is received from other actors (see section 1.2.2) includes also all the assumptions (15) and restrictions of use (15) (also called safety related application conditions) applicable to the different sub-systems, generic application and generic product safety cases that are produced by the manufacturers, where relevant. [G 2] A possible example of structure for the hazard record is described in section C.16. of Appendix C. 4.2. Exchange of information All hazards and related safety requirements which cannot be controlled by one actor alone shall be communicated to another relevant actor in order to find jointly an adequate solution. The hazards registered in the hazard record of the actor who transfers them shall only be “controlled” when the evaluation of the risks associated with these hazards is made by the other actor and the solution is agreed by all concerned. [G 1] For example, for the odometry sub-system of the ETCS onboard equipment, the manufacturer can validate in laboratory the algorithms by simulating the theoretical signals that could be generated by the associated odometric sensing devices. However, the complete validation of the odometry sub-system requires the help of the RU and IM for carrying out the validation with the use of a real train and the real train wheel to rail contact. [G 2] Other examples could be transfers by manufacturers to railway undertakings of operational or maintenance safety measures for technical equipment. These safety measures will need to be implemented by the railway undertaking. [G 3] In order to enable these hazards, the associated safety measures and risks to be reassessed jointly by the involved organisations, it is helpful that the organisation having identified them provides all the explanations necessary to understand clearly the problem. It could be possible that the initial wording of the hazards, safety measures and risks needs to be changed to make them understandable without having to discuss them again jointly. The joint reassessment of the hazards could lead to identify new safety measures. (15) Refer to point [G 5] in section 1.1.5 and to the footnotes (9) and (10) at page 24 of this document for further explanation about the terminology "generic product and generic application" safety cases, "assumptions and restrictions of use". Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 52 of 105 File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu

European Railway Agency Collection of examples of risk assessments and of some possible tools supporting the CSM Regulation [G 4] The receiving actor responsible for the implementation, the verification and validation of the received or new safety measures registers in its own hazard record all the related hazards with the associated safety measures (both the imported and jointly identified ones). [G 5] When a safety measure is not fully validated, a clear restriction of use (e.g. operational mitigation measures) needs to be elaborated and registered in the hazard record. Indeed, it is possible that technical/design safety measures are: (a) not correctly implemented, or; (b) not completely implemented, or; (c) intentionally not implemented, for example because different safety measures are implemented instead of the ones registered in the hazard record (e.g. for cost purposes). As they are not validated, such safety measures need to be clearly identified in the hazard record. And evidence/justification needs to be provided why the safety measures implemented instead (16) are appropriate, as well as a demonstration that with the replacing safety measures the system complies with the safety requirements; (d) etc. In these cases the related technical/design safety measures cannot be verified and validated during the hazard management. The related hazard(s) and safety measures need then to remain open in the hazard record in order to avoid the misuse of the safety measures for other systems by the application of the "similar reference system" risk acceptance principle [G 6] Usually the "not correctly" and/or "not completely" implemented safety measures are detected early in the system life-cycle and corrected before the system acceptance. However, if detected too late for a correct and complete technical safety measure implementation, the organisation responsible for the implementation and management needs to identify and register in the hazard record clear restrictions of use for the system under assessment. These restrictions of use are often operational application constraints for the system under assessment. [G 7] It could also be useful to register in the hazard record whether the associated safety measures will be correctly implemented at a later stage of the system life-cycle or whether the system will continue to be used with the identified restrictions of use. It could be also useful to register in the hazard record the justification for not implementing correctly/completely the associated technical safety measures. [G 8] The actor who receives the restrictions of use: (a) imports all of them in its own hazard record; (b) ensures that the conditions of use of the system under assessment are compliant with all the received restrictions of use; (c) verifies and validates that the system under assessment complies with these restrictions of use [G 9] Depending on the decisions agreed by the involved organisations: (a) either the related technical safety measures are implemented correctly in the design at a later stage. The organisation exporting the restrictions of use continues to track the correct technical implementation of the associated safety measures. Consequently, the related safety (16) If different safety measures are implemented instead of the initially specified ones, they need to be also registered in the hazard record. Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 53 of 105 File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu

Page 1 and 2: European Railway Agency Collection











Page 23 and 24: INDEPENDENT ASSESSMENT System Defin





Page 33 and 34: BOX 1 BOX 2 European Railway Agency









Page 51: European Railway Agency Collection


























Page 105: European Railway Agency Collection

railway

assessment

hazard

european

regulation

hazards

examples

requirements

technical

measures

guidance

recommendation

europa

saferail.nl

Guidance for Use of CSM Recommendation - ERA - Europa

Guidance for Use of CSM Recommendation - ERA - Europa ... View more Guidance for Use of CSM Recommendation - ERA - Europa

Delete template?

Save as template ?

Guidance for Use of CSM Recommendation - ERA - Europa Guidance for Use of CSM Recommendation - ERA - Europa