Guidance for Use of CSM Recommendation - ERA - Europa

More documents

Recommendations

Info

European Railway Agency Collection of examples of risk assessments and of some possible tools supporting the CSM Regulation (b) to enable the mutual recognition of technical systems since the associated risk and safety assessments will be evaluated against the same risk acceptance criterion in all the MS; (c) to save cost as it does not require unnecessarily high quantitative safety requirements; (d) to facilitate the competition between the manufacturers. The use of different risk acceptance criteria in function of either the proposer or Member State would lead the industry to perform a lot of different demonstrations on the same technical systems. That would consequently jeopardize the competitiveness of manufacturers and render products unnecessarily expensive. A.3.7.4. A.3.7.5. A.3.7.6. A.3.7.7. The semi-quantitative requirement contained in the RAC-TS is not always to be demonstrated for technical systems. Indeed, in the scope of the CSM, the RAC-TS needs only to be applied to technical systems for which the identified hazards can neither be adequately controlled by the use of codes of practice nor by comparison with reference systems. This allows to setting out lower safety requirements provided the global safety level can be maintained. Only when no code of practice exists and also no reference system, a harmonised semiquantitative risk acceptance criterion for technical systems is necessary. As the safety integrity level for systematic failures/errors is limited to SIL 4, the safety integrity level for the random hardware failures of technical systems needs also to be limited to SIL 4. This corresponds to a maximum tolerable hazard rate (THR) of 10 -9 h -1 (i.e. the maximum failure rate). According to CENELEC 50 129 standard, if more demanding safety requirements are required, it cannot be achieved with only one system; the architecture of the system needs to be changed, for example using two systems which unavoidably increases the costs of the technical system drastically. For more details, refer to section A.3.1. in Appendix A. Finally, section A.3.6. in Appendix A outlines how the RAC-TS can be used as a reference point for calibrating particular risk analysis methods when technical systems have a potential for less severe consequences than catastrophic. A.4. A.4.1. A.4.2. A.4.3. Evidence from safety assessment This section provides a guidance of evidences which are usually provided to an assessment body in order to allow the independent assessment and to get the safety acceptance without prejudice to the national requirements in a Member State. This can be used as a check list to verify that all associated aspects are covered and documented, when relevant, during the application of the CSM. Safety plan: CENELEC advises that a safety plan is produced at the beginning of the project, or if this is not convenient for the project that the associated description is included in any other relevant document. If assessment bodies are appointed at the beginning of the project, the safety plan can also be submitted for their opinion. In principle, the safety plan describes: (a) the organisation put in place and the competence of people involved in the development and in the risk assessment; (b) all the safety related activities that are planned along the various phases of the project, as well as the expected outputs; Evidences required from system definition phase: Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 68 of 105 File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu
European Railway Agency Collection of examples of risk assessments and of some possible tools supporting the CSM Regulation (a) description of system: (1) definition of system scope/boundaries; (2) description of functions; (3) description of system structure; (4) description of operating and environmental conditions; (b) description of external interfaces; (c) description of internal interfaces; (d) description of life cycle phases; (e) description of safety principles; (f) description of the assumptions defining the limits for the risk assessment; A.4.4. A.4.5. A.4.6. In order to enable the risk assessment to be done, the context of the intended change is taken into account in the system definition: (a) if the intended change is a modification of an existing system, the system definition describes both the system before the change and also the intended change: (b) if the intended change is the construction of a new system, the description is limited to the definition of the system as there is no description of any existing system. Evidences required from hazard identification phase: (a) description and justification (including limitations) of methods and tools for hazard identification (top down method, bottom up, HAZOP, etc.); (b) results: (1) lists of hazards: (2) system (boundary) hazards; (3) sub-system hazards; (4) interface hazards; (5) the safety measures that could be identified during this phase; The following evidences is also needed from risk analysis phase: (a) when codes of practice are used for controlling hazards, demonstration that all relevant requirements from the codes of practice are fulfilled for the system under assessment. This includes the demonstration of the correct application of the relevant codes of practice; (b) when similar reference systems are used for controlling hazards: (1) definition for the system under assessment of the safety requirements from the relevant reference systems; (2) demonstration that the system under assessment is used under similar operational and environmental conditions as the relevant reference system. If this cannot be done demonstration that the deviations from the reference system are correctly assessed; (3) evidence that the safety requirements from reference systems are correctly implemented in the system under assessment; (c) when explicit risk estimation is used for controlling hazards: (1) description and justification (including limitations) of method and tools for risk analysis (qualitative, quantitative, semi-quantitative, non-regression analysis, ...); (2) identification of existing safety measures and risk reduction factors for each hazard (including human factor aspects); (3) evaluation and ranking of risk for each hazard: (i) estimation of consequences of hazard and justification (with assumption and conditions); Reference: ERA/GUI/02-2008/SAF Version: 1.1 Page 69 of 105 File Name: Collection_of_RA_Ex_and_some_tools_for_CSM_V1.1.doc European Railway Agency ● Boulevard Harpignies, 160 ● BP 20392 ● F-59307 Valenciennes Cedex ● France ● Tel. +33 (0)3 27 09 65 00 ● Fax +33 (0)3 27 33 40 65 ● http://www.era.europa.eu
Page 1 and 2:
European Railway Agency Collection
Page 3 and 4:
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18: European Railway Agency Collection
Page 23 and 24: INDEPENDENT ASSESSMENT System Defin
Page 33 and 34: BOX 1 BOX 2 European Railway Agency
Page 67: European Railway Agency Collection
Page 105: European Railway Agency Collection
show all

Guidance for Use of CSM Recommendation - ERA - Europa

Create successful ePaper yourself

Delete template?

Save as template?