Common Safety Methods when using code of practice. “Tools for Planning”, Banekonferencen, 9 May 2012. Joakim Böcher


Page 1

Common Safety Methods when using code of practice

“Tools for Planning”, Banekonferencen 9 May 2012

Joakim Böcher

Page 2

5/12/2012

CSM RA Code of Practice / Joakim Böcher

Page 3

Who am I? Joakim Böcher

- Bachelor from Copenhagen University College of Engineering (Electronic systems), 1981
- DSB-Bane until 2000: validation, assessment and safety management of signalling systems
- From 2000: Det Norske Veritas Danmark A/S, now DNV KEMA
- Experience in independent safety assessment (ISA) on various types of railway systems, and in Safety Authority processes and procedures (external assistance)
- Just initiated the assessor role on the CSM-RA process


Page 4

Overview

1. Introduction and scope of this presentation

2. Facts from the CSM Regulation

3. Approach to identify pitfalls in the process, and some advice

4. Checklist and “conclusion”


Page 5

Introduction

Background: COMMISSION REGULATION (EC) No 352/2009 of 24 April 2009 (CSM)

In force in DK from 1.1.2012 for all changes to railway infrastructure and rolling stock [except historical lines and closed private lines]

Few projects in Denmark have used the regulation until now, and no “state of the art” or common experiences exist.

This presentation discusses some issues related to the possible path in the regulation called “Application of code of practice”.


Page 6

Viewpoint in this presentation

Flowchart: a preliminary system definition is the input to the question “Significant change?”, answered by expert judgement based on the preliminary system definition. If No: document the judgement of not significant. If Yes: risk assessment, consisting of system definition, hazard identification, safety requirements, risk evaluation and demonstration of compliance.


Page 7

The Code of Practice path

Flowchart: a detailed system definition feeds the risk assessment, which starts with a review of the system definition, then hazard identification and classification, then risk analysis. Hazards are classified: those that are broadly acceptable are documented as “broadly acceptable”; for all others one of the estimation methods A, B or C is chosen:

A: Code of practice. Check the validity of the norms or procedures, and use them.

B: Reference system. Comparison with a similar reference system.

C: Explicit risk estimation. Qualitative or quantitative.

Risk evaluation: all necessary safety requirements and external barriers identified.


Page 8

Code of practice, facts from the regulation

Codes of Practice (Chapter 2.3.x): a written set of rules that, when correctly applied, can be used to control one or more specific hazards.

Wording from CSM-RA: Be widely acknowledged in the railway domain.
Explanation: Internationally acknowledged rules, or national rules (notified or accepted as generic in the domain), or rules justified and accepted by the assessment body.

Wording from CSM-RA: Relevant for the control of the considered hazards in the system under assessment.
Explanation: Sufficient risk reduction is achieved by the relevant section/paragraph in the rules, and they are relevant in the context for the hazard(s).

Wording from CSM-RA: Publicly available for all actors who want to use them.
Explanation: Typically published on the web by a ‘trusted party’. Should prevent technical barriers to trade and prepare for easier cross acceptance.

Wording from CSM-RA: Where an alternative approach is not fully compliant with a code of practice, the proposer shall demonstrate that the alternative approach taken leads to at least the same level of safety.
Explanation: Only few deviations from a de facto ‘code of practice’ are acceptable. Can be a derogation (dispensation) or a new rule, but “rule shopping” will not be acceptable.


Page 9

Approach to identify pitfalls

Let's look here. How can the door be opened?

Figure: System definition → Safety Assessment report → Authorization to put in service → GO!


Page 10

Sometimes we should try to start from “behind”

Figure: the risk assessment chain (system definition, hazard identification, safety requirements, risk evaluation, demonstration of compliance, safety assessment report), traced in reverse:

1) Trace the evidence that each safety requirement has been complied with.

2) Trace that each requirement has linked hazards.

3) Trace that each hazard and the risk reduction requirement have been evaluated according to relevant criteria.

4) Check that the hazard identification is relevant and complete for the system in question.


Page 11

Evidence that each safety requirement has been complied with?

Requirements must be:

- Assessable: measurable, quantifiable, unambiguous
- Relevant for the system and the part(s) that contribute to the hazard

Demonstration of compliance: Safety Case (recommended), containing proof of safety, test results, inspection, validation, etc.

Challenge no. 1

• The code of practice must include assessable requirements. [Not ‘declaration of intent’, nor wording like ‘may’, ‘can’, etc.]

• Check that the rule is not too general / generic. It shall be dedicated to specific hazards and specific parts of the system.


Page 12

What could be a “code of practice” – a rule?

Types of Codes of Practice, with comments / pitfalls / problems:

EN XXXXX – Railway applications…, IEC XXXXX, ISO XXXXX, DIN XXXXX, UIC Codes: Often cover much more than needed to control a single hazard. Typically the whole standard must be applied. Standards often use references to other standards.

BN XXXXX (Approved), e.g. BN1-77-1 on the signalman's MMI: Only available in Danish. BN2 may not be authorized. Often uses references to other standards.

EN 50126 - 129: These standards include by themselves risk analysis and generic methods. A clear interface to CSM-RA and identification of the used methods are required.

TSI xx (Technical Specification for Interoperability for xx): Problem that TSIs have no traceability between a hazard list and the requirements. Further, this is checked by a NoBo (Notified Body).

NNTR (Notified National Technical Rules): Problem that NNTR have no traceability between a hazard list and the requirements. Further, this is checked by a DeBo (Designated Body).


Page 13

Trace that each requirement has linked hazards

Matrix: one row per hazard (1, 2, 3, 4, 5, … n), one column per mitigating “code of practice” (EN XX XXX, BN XX XXX, ISO XX XXX, BN XX XXX); each cell names the requirement that applies, e.g. “Chapter 4 and 5”, “Chapter 7-10”, or “Complete” when the whole rule applies.

Challenge no. 2

• Each requirement shall have linked hazards.

• Each hazard shall have requirements linked.


Page 14

Risk evaluation

For each hazard X: perform a thorough investigation to decide if the code of practice and the recognized requirement are valid for preventing hazard X.

Flowchart: Valid for preventing hazard X? NO: use another principle. YES: document the justification for “valid” in the hazard log, then establish safety requirements. Note the implicit risk acceptance criteria!

Challenge no. 3

• Find or formulate explicitly the evaluation criteria.

• Argue why the hazard can be controlled to an acceptable level.


Page 15

Checklist

Find and formulate the evaluation criteria for the Code of Practice path.

Make sure that the “code of practice” in fact is widely acknowledged and available.

Rules, standards etc. identified as code of practice shall include specific requirements in order to create the demonstration (Safety Case) at the end.

Check that the rule is not too general / generic. It shall be dedicated to specific hazards and specific parts of the system.

Use a matrix or list to document that each requirement has linked hazards and vice versa.

If generic standards include by themselves risk analysis and generic methods, you shall try to use only the relevant parts of the standards.

If TSIs are in force for the system, special arrangements for the CSM-RA have to be in place. For example: divide the system into the part fully covered by the TSI, or create the relevant hazard list for the TSI.
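As an added example (not part of the presentation), the hazard/requirement traceability check of Challenge no. 1 and no. 2 and of this checklist, run in Python over a constructed matrix: it reports hazards with no linked requirement, requirements with no linked hazard, and requirement wording that is not assessable. The standard identifiers, clause numbers and hazard texts are placeholders.

```python
import re
from dataclasses import dataclass, field

# Wording the presentation flags as not assessable (Challenge no. 1).
NON_ASSESSABLE = re.compile(r"\b(may|can)\b", re.IGNORECASE)

@dataclass
class Hazard:
    hid: str
    description: str

@dataclass
class Requirement:
    ref: str                    # placeholder rule + clause, e.g. "EN XX XXX ch.4"
    text: str
    hazards: set = field(default_factory=set)   # ids of the hazards it mitigates

def check_traceability(hazards, requirements):
    """Return sorted findings for the hazard/requirement matrix (Challenge no. 1 and 2)."""
    known = {h.hid for h in hazards}
    covered = {hid for r in requirements for hid in r.hazards}
    findings = []
    for hid in known - covered:            # hazard row with an empty matrix row
        findings.append(f"{hid}: hazard has no linked requirement (Challenge 2)")
    for hid in covered - known:            # link to a hazard missing from the hazard log
        findings.append(f"{hid}: requirement links to a hazard not in the hazard log")
    for r in requirements:
        if not r.hazards:                  # requirement column with no hazard
            findings.append(f"{r.ref}: requirement has no linked hazard (Challenge 2)")
        if NON_ASSESSABLE.search(r.text):  # 'may'/'can' is a declaration of intent
            findings.append(f"{r.ref}: wording not assessable (Challenge 1)")
    return sorted(findings)

# Constructed sample data, not from the presentation: three hazards and four
# candidate code-of-practice requirements with placeholder standard ids.
HAZARDS = [
    Hazard("H1", "Train passes a signal at danger"),
    Hazard("H2", "Point position wrongly reported to the interlocking"),
    Hazard("H3", "Operator misreads the MMI indication"),
]
REQUIREMENTS = [
    Requirement("EN XX XXX ch.4", "The interlocking shall prove point position before clearing a signal.", {"H2"}),
    Requirement("BN XX XXX ch.7", "The MMI shall display the signal state unambiguously.", {"H3"}),
    Requirement("ISO XX XXX ch.2", "The operator may receive an audible warning.", {"H3"}),
    Requirement("EN XX XXX ch.9", "Brake equipment shall be inspected annually.", set()),
]

def audit_sample():
    return check_traceability(HAZARDS, REQUIREMENTS)
```

Each finding names the matrix row or column to fix before the Safety Case is assembled.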


Page 16

Conclusion

The first use of CSM-RA and code of practice can be challenging.

When the process has been completed once, there will be room for reuse for all projects which have a similar scope and system definition.

The company can beneficially create a common list of hazards and their associated “codes of practice”.

Time will develop a common practice and a smooth use of CSM-RA.

By then the CSM-RA process will be innovative for the railway industry.


Page 17

Thank you!

www.dnvkema.com
