ANNEX I
1. GENERAL PRINCIPLES APPLICABLE TO THE RISK MANAGEMENT PROCESS
1.1. General principles and obligations
1.1.1.
The risk management process shall start from a definition of the system under assessment and comprise the following activities:
(a)
the risk assessment process, which shall identify the hazards, the risks, the associated safety measures and the resulting safety requirements to be fulfilled by the system under assessment;
(b)
demonstration of the compliance of the system with the identified safety requirements; and
(c)
management of all identified hazards and the associated safety measures.
This risk management process is iterative and is depicted in the diagram of the Appendix. The process ends when compliance of the system with all the safety requirements necessary to accept the risks linked to the identified hazards is demonstrated.
1.1.2.
The risk management process shall include appropriate quality assurance activities and be carried out by competent staff. It shall be independently assessed by one or more assessment bodies.
1.1.3.
The proposer in charge of the risk management process shall maintain a hazard record in accordance with point 4.
1.1.4.
The actors who already have in place methods or tools for risk assessment may continue to apply them if such methods or tools are compatible with the provisions of this Regulation and subject to the following conditions:
(a)
the risk assessment methods or tools are described in a safety management system accepted by a national safety authority in accordance with Article 10(2)(a) or Article 11(1)(a) of Directive 2004/49/EC; or
(b)
the risk assessment methods or tools are required by a TSI or comply with publicly available recognised standards specified in notified national rules.
1.1.5.
Without prejudice to civil liability in accordance with the legal requirements of the Member States, the risk assessment process shall fall within the responsibility of the proposer. In particular the proposer shall decide, with agreement of the actors concerned, who will be in charge of fulfilling the safety requirements resulting from the risk assessment. The safety requirements assigned by the proposer to those actors shall not go beyond the scope of their responsibility and domain of control. This decision shall depend on the type of safety measures selected to control the risks to an acceptable level. The demonstration of compliance with the safety requirements shall be conducted in accordance with point 3.
1.1.6.
The first step of the risk management process shall be to identify in a document, to be drawn up by the proposer, the different actors’ tasks, and their risk management activities. The proposer is responsible for coordinating close collaboration between the different actors involved, according to their respective tasks, in order to manage the hazards and their associated safety measures.
1.1.7.
Evaluation of the correct application of the risk management process falls within the responsibility of the assessment body.
1.2. Interfaces management
1.2.1.
For each interface relevant to the system under assessment and without prejudice to specifications of interfaces defined in relevant TSIs, the rail-sector actors concerned shall cooperate in order to identify and manage jointly the hazards and related safety measures that need to be handled at these interfaces. The management of shared risks at the interfaces shall be coordinated by the proposer.
1.2.2.
If, in order to fulfil a safety requirement, an actor identifies the need for a safety measure that it cannot implement itself, it shall, after agreement with another actor, transfer the management of the related hazard to the latter in accordance with the process set out in point 4.
1.2.3.
For the system under assessment, any actor who discovers that a safety measure is non-compliant or inadequate is responsible for notifying it to the proposer, who shall in turn inform the actor implementing the safety measure.
1.2.4.
The actor implementing the safety measure shall then inform all the actors affected by the problem either within the system under assessment or, as far as known by the actor, within other existing systems using the same safety measure.
1.2.5.
When agreement cannot be reached between two or more actors it is the responsibility of the proposer to find a solution.
1.2.6.
When a requirement in a notified national rule cannot be fulfilled by an actor, the proposer shall seek advice from the relevant competent authority.
1.2.7.
Independently from the definition of the system under assessment, the proposer is responsible for ensuring that the risk management covers the system itself and its integration into the railway system as a whole.
2. DESCRIPTION OF THE RISK ASSESSMENT PROCESS
2.1. General description
2.1.1.
The risk assessment process is the overall iterative process that comprises:
(a)
the system definition;
(b)
the risk analysis including the hazard identification;
(c)
the risk evaluation.
The risk assessment process shall interact with hazard management in accordance with point 4.1.
2.1.2.
The system definition shall address at least the following issues:
(a)
system objective (intended purpose);
(b)
system functions and elements, where relevant (including human, technical and operational elements);
(c)
system boundary including other interacting systems;
(d)
physical (interacting systems) and functional (functional input and output) interfaces;
(e)
system environment (for example energy and thermal flow, shocks, vibrations, electromagnetic interference, operational use);
(f)
existing safety measures and, after the necessary relevant iterations, definition of the safety requirements identified by the risk assessment process;
(g)
assumptions that determine the limits for the risk assessment.
2.1.3.
A hazard identification shall be carried out on the defined system, in accordance with point 2.2.
2.1.4.
The risk acceptability of the system under assessment shall be evaluated by using one or more of the following risk acceptance principles:
(a)
the application of codes of practice (point 2.3);
(b)
a comparison with similar systems (point 2.4);
(c)
an explicit risk estimation (point 2.5).
In accordance with the principle referred to in point 1.1.5, the assessment body shall refrain from imposing the risk acceptance principle to be used by the proposer.
2.1.5.
The proposer shall demonstrate in the risk evaluation that the selected risk acceptance principle is adequately applied. The proposer shall also check that the selected risk acceptance principles are used consistently.
2.1.6.
The application of these risk acceptance principles shall identify possible safety measures that make the risk(s) of the system under assessment acceptable. Among these safety measures, those selected to control the risk(s) shall become the safety requirements to be fulfilled by the system. Compliance with these safety requirements shall be demonstrated in accordance with point 3.
2.1.7.
The iterative risk assessment process is considered to be completed when it is demonstrated that all safety requirements are fulfilled and no additional reasonably foreseeable hazards have to be considered.
2.2. Hazard identification
2.2.1.
The proposer shall systematically identify, using wide-ranging expertise from a competent team, all reasonably foreseeable hazards for the whole system under assessment, its functions where appropriate and its interfaces.
All identified hazards shall be registered in the hazard record in accordance with point 4.
2.2.2.
To focus the risk assessment efforts upon the most important risks, the hazards shall be classified according to the estimated risk arising from them. Based on expert judgement, hazards associated with a broadly acceptable risk need not be analysed further but shall be registered in the hazard record. Their classification shall be justified in order to allow independent assessment by an assessment body.
2.2.3.
As a criterion, risks resulting from hazards may be classified as broadly acceptable when the risk is so small that it is not reasonable to implement any additional safety measure. The expert judgement shall take into account that the contribution of all the broadly acceptable risks does not exceed a defined proportion of the overall risk.
2.2.4.
During the hazard identification, safety measures may be identified. They shall be registered in the hazard record in accordance with point 4.
2.2.5.
The hazard identification only needs to be carried out at a level of detail necessary to identify where safety measures are expected to control the risks in accordance with one of the risk acceptance principles referred to in point 2.1.4. Iteration may be necessary between the risk analysis and the risk evaluation phases until a sufficient level of detail is reached for the identification of hazards.
2.2.6.
Whenever a code of practice or a reference system is used to control the risk, hazard identification may be limited to:
(a)
verification of the relevance of the code of practice or reference system;
(b)
identification of the deviations from the code of practice or from the reference system.
2.3. Use of codes of practice and risk evaluation
2.3.1.
The proposer, with the support of other involved actors, shall analyse whether one, several or all hazards are appropriately covered by the application of relevant codes of practice.
2.3.2.
The codes of practice shall satisfy at least the following requirements:
(a)
They must be widely recognised in the railway domain. If this is not the case, the codes of practice will have to be justified and be acceptable to the assessment body;
(b)
They must be relevant for the control of the considered hazards in the system under assessment. Successful application of a code of practice for similar cases to manage changes and control effectively the identified hazards of a system in the sense of this Regulation is sufficient for it to be considered as relevant;
(c)
Upon request, they must be available to assessment bodies for them to either assess or, where relevant, mutually recognise, in accordance with Article 15(5), the suitability of both the application of the risk management process and of its results.
2.3.3.
Where compliance with TSIs is required by Directive 2008/57/EC and the relevant TSI does not impose the risk management process established by this Regulation, the TSIs may be considered as codes of practice for controlling hazards, provided requirement (b) of point 2.3.2 is fulfilled.
2.3.4.
National rules notified in accordance with Article 8 of Directive 2004/49/EC and Article 17(3) of Directive 2008/57/EC may be considered as codes of practice provided the requirements of point 2.3.2 are fulfilled.
2.3.5.
If one or more hazards are controlled by codes of practice fulfilling the requirements of point 2.3.2, then the risks associated with these hazards shall be considered acceptable. This means that:
(a)
these risks need not be analysed further;
(b)
the use of the codes of practice shall be registered in the hazard record as safety requirements for the relevant hazards.
2.3.6.
Where an alternative approach is not fully compliant with a code of practice, the proposer shall demonstrate that the alternative approach pursued leads to at least the same level of safety.
2.3.7.
If the risk for a particular hazard cannot be made acceptable by the application of codes of practice, additional safety measures shall be identified by applying one of the two other risk acceptance principles.
2.3.8.
When all hazards are controlled by codes of practice, the risk management process may be limited to:
(a)
hazard identification in accordance with point 2.2.6;
(b)
registration of the use of the codes of practice in the hazard record in accordance with point 2.3.5;
(c)
documentation of the application of the risk management process in accordance with point 5;
(d)
an independent assessment in accordance with Article 6.
2.4. Use of reference system and risk evaluation
2.4.1.
The proposer, with the support of other involved actors, shall analyse whether one, several or all hazards are appropriately covered by a similar system that could be taken as a reference system.
2.4.2.
A reference system shall satisfy at least the following requirements:
(a)
it has already been proven in-use to have an acceptable safety level and would therefore still qualify for approval in the Member State where the change is to be introduced;
(b)
it has similar functions and interfaces as the system under assessment;
(c)
it is used under similar operational conditions as the system under assessment;
(d)
it is used under similar environmental conditions as the system under assessment.
2.4.3.
If a reference system fulfils the requirements listed in point 2.4.2, then for the system under assessment:
(a)
the risks associated with the hazards covered by the reference system shall be considered as acceptable;
(b)
the safety requirements for the hazards covered by the reference system may be derived from the safety analyses or from an evaluation of safety records of the reference system;
(c)
these safety requirements shall be registered in the hazard record as safety requirements for the relevant hazards.
2.4.4.
If the system under assessment deviates from the reference system, the risk evaluation shall demonstrate that the system under assessment reaches at least the same safety level as the reference system, applying another reference system or one of the two other risk acceptance principles. The risks associated with the hazards covered by the reference system shall, in that case, be considered as acceptable.
2.4.5.
If at least the same safety level as the reference system cannot be demonstrated, additional safety measures shall be identified for the deviations, applying one of the two other risk acceptance principles.
2.5. Explicit risk estimation and evaluation
2.5.1.
If the hazards are not covered by one of the two risk acceptance principles laid down in points 2.3 and 2.4, the demonstration of risk acceptability shall be performed by explicit risk estimation and evaluation. Risks resulting from these hazards shall be estimated either quantitatively or qualitatively, taking existing safety measures into account.
2.5.2.
The acceptability of the estimated risks shall be evaluated using risk acceptance criteria either derived from or based on requirements contained in Union legislation or in notified national rules. Depending on the risk acceptance criteria, the acceptability of the risk may be evaluated either individually for each associated hazard or the combination of all hazards as a whole considered in the explicit risk estimation.
If the estimated risk is not acceptable, additional safety measures shall be identified and implemented in order to reduce the risk to an acceptable level.
2.5.3.
If the risk associated with one hazard or a combination of several hazards is considered acceptable, the identified safety measures shall be registered in the hazard record.
2.5.4.
If hazards arise from failures of technical systems not covered by codes of practice or the use of a reference system, the following risk acceptance criterion shall apply for the design of the technical system:
For technical systems where a functional failure has a credible direct potential for a catastrophic consequence, the associated risk does not have to be reduced further if the rate of that failure is less than or equal to 10 –9 per operating hour.
2.5.5.
Without prejudice to the procedure specified in Article 8 of Directive 2004/49/EC, a more demanding criterion then the one laid down in point 2.5.4 may be requested, through a notified national safety rule, in order to maintain a national safety level. In the case of additional authorisations for placing in service of vehicles, the procedures of Articles 23 and 25 of Directive 2008/57/EC shall apply.
2.5.6.
If a technical system is developed by applying the 10 –9 criterion laid down in point 2.5.4, the principle of mutual recognition is applicable in accordance with Article 15(5).
Nevertheless, if the proposer can demonstrate that the national safety level in the Member State of application can be maintained with a rate of failure higher than 10 –9 per operating hour, this criterion may be used by the proposer in that Member State.
2.5.7.
The explicit risk estimation and evaluation shall satisfy at least the following requirements:
(a)
the methods used for explicit risk estimation shall reflect correctly the system under assessment and its parameters (including all operational modes);
(b)
the results shall be sufficiently accurate to serve as robust decision support. Minor changes in input assumptions or prerequisites shall not result in significantly different requirements.
3. DEMONSTRATION OF COMPLIANCE WITH SAFETY REQUIREMENTS
3.1. Prior to the safety acceptance of the change, fulfilment of the safety requirements resulting from the risk assessment phase shall be demonstrated under the supervision of the proposer.
3.2. This demonstration shall be carried out by each of the actors responsible for fulfilling the safety requirements, as decided in accordance with point 1.1.5.
3.3. The approach chosen for demonstrating compliance with the safety requirements as well as the demonstration itself shall be independently assessed by an assessment body.
3.4. Any inadequacy of safety measures expected to fulfil the safety requirements or any hazards discovered during the demonstration of compliance with the safety requirements shall lead to reassessment and evaluation of the associated risks by the proposer in accordance with point 2. The new hazards shall be registered in the hazard record in accordance with point 4.
4. HAZARD MANAGEMENT
4.1. Hazard management process
4.1.1.
Hazard record(s) shall be created or updated (where they already exist) by the proposer during design and implementation until acceptance of the change or delivery of the safety assessment report. A hazard record shall track the progress in monitoring risks associated with the identified hazards. Once the system has been accepted and is in operation, the hazard record shall be further maintained by the infrastructure manager or the railway undertaking in charge of the operation of the system under assessment as an integrated part of its safety management system.
4.1.2.
The hazard record shall include all hazards, together with all related safety measures and system assumptions identified during the risk assessment process. It shall contains a clear reference to the origin of the hazards and to the selected risk acceptance principles and clearly identify the actor(s) in charge of controlling each hazard.
4.2. Exchange of information
All hazards and related safety requirements that cannot be controlled by one actor alone shall be communicated to another relevant actor in order to find jointly an adequate solution. The hazards registered in the hazard record of the actor who transfers them shall only be regarded as controlled when the evaluation of the risks associated with these hazards is made by the other actor and the solution is agreed by all concerned.
5. EVIDENCE FROM THE APPLICATION OF THE RISK MANAGEMENT PROCESS
5.1. The risk management process used to assess the safety levels and compliance with safety requirements shall be documented by the proposer in such a way that all the necessary evidence showing the suitability of both the application of the risk management process and of its results are accessible to an assessment body.
5.2. The documentation produced by the proposer under point 5.1 shall at least include:
(a)
a description of the organisation and the experts appointed to carry out the risk assessment process;
(b)
results of the different phases of the risk assessment and a list of all the necessary safety requirements to be fulfilled in order to control the risk to an acceptable level;
(c)
evidence of compliance with all the necessary safety requirements;
(d)
all assumptions relevant for system integration, operation or maintenance, which were made during system definition, design and risk assessment.
5.3. The assessment body shall establish its conclusion in a safety assessment report as defined in Annex III.