Commission Regulation (EC) No 352/2009
of 24 April 2009
on the adoption of a common safety method on risk evaluation and assessment as referred to in Article 6(3)(a) of Directive 2004/49/EC of the European Parliament and of the Council
(Text with EEA relevance) (repealed)
THE COMMISSION OF THE EUROPEAN COMMUNITIES,
Having regard to the Treaty establishing the European Community,
Having regard to Directive 2004/49/EC of the European Parliament and of the Council of 29 April 2004 on safety on the Community’s railways and amending Council Directive 95/18/EC on the licensing of railway undertakings and Directive 2001/14/EC on the allocation of railway infrastructure capacity and the levying of charges for the use of railway infrastructure and safety certification (Railway Safety Directive)(1), and in particular Article 6(1) thereof,
Whereas:
(1) Pursuant to Article 6(1) of Directive 2004/49/EC, the Commission should adopt the first set of common safety methods (hereinafter CSMs) covering at least the risk evaluation and assessment methods mentioned in Article 6(3)(a) of that Directive, on the basis of a recommendation of the European Railway Agency.
(2) The European Railway Agency made a recommendation on the first set of common safety methods (ERA-REC-02-2007-SAF) on 6 December 2007.
(3) In accordance with Directive 2004/49/EC, CSMs should be gradually introduced to ensure that a high level of safety is maintained and, when and where necessary and reasonably practicable, improved.
(4) Article 9(1) of Directive 2004/49/EC requires railway undertakings and infrastructure managers to establish their safety management systems in order to ensure that the railway system can achieve at least the common safety targets (CSTs). According to point (2)(d) of Annex III to Directive 2004/49/EC, the safety management system must include procedures and methods for carrying out risk evaluation and implementing risk control measures whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations. That basic element of the safety management system is covered by this Regulation.
(5) As a consequence of the application of Council Directive 91/440/EEC of 29 July 1991 on the development of the Community’s railways(2) and of Article 9(2) of Directive 2004/49/EC, particular attention should be paid to risk management at the interfaces between the actors which are involved in the application of this Regulation.
(6) Article 15 of Directive 2008/57/EC of the European Parliament and of the Council of 17 June 2008 on the interoperability of the rail system within the Community(3) requires Member States to take all appropriate steps to ensure that the structural subsystems constituting the rail system may be placed in service only if they are designed, constructed and installed in such a way as to meet the essential requirements concerning them when integrated into the rail system. In particular, the Member States must check the technical compatibility of these subsystems with the railway system into which they are being integrated and the safe integration of these subsystems in accordance with this Regulation.
(7) The absence of a common approach for specifying and demonstrating compliance with safety levels and requirements of the railway system proved to be one of the obstacles to liberalisation of the railway market. Therefore, in the past, the Member States performed their own assessments in order to accept a system, or parts of it, which had already been developed and proven safe in other Member States.
(8) To facilitate mutual recognition between Member States, the methods used for identifying and managing risks should be harmonised among the actors involved in the development and operation of the railway system as well as the methods for demonstrating that the railway system in the territory of the Community conform to safety requirements. As a first step, it is necessary to harmonise the procedures and methods for carrying out risk evaluation and implementing control measures whenever a change of the operating conditions or new material imposes new risks on the infrastructure or on operations, as referred to in point (2)(d) of Annex III to Directive 2004/49/EC.
(9) If there is no notified national rule for defining whether or not a change is significant in a Member State, the person in charge of implementing the change (hereinafter referred to as the proposer) should initially consider the potential impact of the change in question on the safety of the railway system. If the proposed change has an impact on safety, the proposer should assess, by expert judgement, the significance of the change based on a set of criteria that should be set out in this Regulation. This assessment should lead to one of three conclusions. In the first situation the change is not considered to be significant and the proposer should implement the change by applying its own safety method. In the second situation the change is considered to be significant and the proposer should implement the change by applying this Regulation, without the need for a specific intervention of the safety authority. In the third situation the change is considered to be significant but there are Community provisions which require a specific intervention of the relevant safety authority, such as a new authorisation for placing in service of a vehicle or a revision/update of the safety certificate of a railway undertaking or a revision/update of the safety authorisation of an infrastructure manager.
(10) Whenever the railway system already in use is subject to a change, the significance of the change should also be assessed taking into account all safety-related changes affecting the same part of the system since the entry into force of this Regulation or since the last application of the risk management process described in this Regulation, whichever is the latest. The purpose is to assess whether or not the totality of such changes amounts to a significant change requiring the full application of the CSM on risk evaluation and assessment.
(11) The risk acceptability of a significant change should be evaluated by using one or more of the following risk acceptance principles: the application of codes of practice, a comparison with similar parts of the railway system, an explicit risk estimation. All principles have been used successfully in a number of railway applications, as well as in other transport modes and other industries. The ‘explicit risk estimation’ principle is frequently used for complex or innovative changes. The proposer should be responsible for the choice of the principle to apply.
(12) In accordance with the principle of proportionality as set out in Article 5 of the Treaty, this Regulation should not go beyond what is necessary to achieve its objective which is to establish a CSM on risk evaluation and assessment. When a widely recognised code of practice is applied, it should therefore be possible to reduce the impact of applying the CSM. In the same way, where there are Community provisions which require the specific intervention of the safety authority, the latter should be allowed to act as the independent assessment body in order to reduce double checking, undue costs to the industry and time to market.
(13) Article 6(5) of Directive 2004/49/EC requires the Member States to make any necessary amendments to their national safety rules to comply with the CSMs.
(14) In view of the different approaches currently in use for assessing safety, a transitional period is necessary, in order to give sufficient time to the actors concerned, where needed, to learn and apply the new common approach as well as to gain experience from it.
(15) As a formalised risk-based approach is relatively new in some Member States, the CSM on risk evaluation and assessment should remain voluntary with respect to operational or organisational changes until 1 July 2012. This should allow the European Railway Agency to assist such applications, where possible, and to propose improvements, if appropriate, to that CSM before 1 July 2012.
(16) The measures provided for in this Regulation are in accordance with the opinion of the Committee established in accordance with Article 27(1) of Directive 2004/49/EC,
HAS ADOPTED THIS REGULATION:
Article 1Purpose
1.This Regulation establishes a common safety method on risk evaluation and assessment (CSM) as referred to in Article 6(3)(a) of Directive 2004/49/EC.
2.The purpose of the CSM on risk evaluation and assessment is to maintain or to improve the level of safety on the Community’s railways, when and where necessary and reasonably practicable. The CSM shall facilitate the access to the market for rail transport services through harmonisation of:
(a)the risk management processes used to assess the safety levels and the compliance with safety requirements;
(b)the exchange of safety-relevant information between different actors within the rail sector in order to manage safety across the different interfaces which may exist within this sector;
(c)the evidence resulting from the application of a risk management process.
Article 2Scope
1.The CSM on risk evaluation and assessment shall apply to any change of the railway system in a Member State, as referred to in point (2)(d) of Annex III to Directive 2004/49/EC, which is considered to be significant within the meaning of Article 4 of this Regulation. Those changes may be of a technical, operational or organisational nature. As regards organisational changes, only those changes which could impact the operating conditions shall be considered.
2.Where the significant changes concern structural subsystems to which Directive 2008/57/EC applies, the CSM on risk evaluation and assessment shall apply:
(a)if a risk assessment is required by the relevant technical specification for interoperability (TSI). In this case the TSI shall, where appropriate, specify which parts of the CSM apply;
(b)to ensure safe integration of the structural subsystems to which the TSIs apply into an existing system, by virtue of Article 15(1) of Directive 2008/57/EC.
However, application of the CSM in the case referred to in point (b) of the first subparagraph must not lead to requirements contradictory to those laid down in the relevant TSIs which are mandatory.
Nevertheless if the application of the CSM leads to a requirement that is contradictory to that laid down in the relevant TSI, the proposer shall inform the Member State concerned which may decide to ask for a revision of the TSI in accordance with Article 6(2) or Article 7 of Directive 2008/57/EC or a derogation in accordance with Article 9 of that Directive.
3.This Regulation shall not apply to:
(a)metros, trams and other light rail systems;
(b)networks that are functionally separate from the rest of the railway system and intended only for the operation of local, urban or suburban passenger services, as well as railway undertakings operating solely on these networks;
(c)privately owned railway infrastructure that exists solely for use by the infrastructure owner for its own freight operations;
(d)heritage vehicles that run on national networks providing that they comply with national safety rules and regulations with a view to ensuring safe circulation of such vehicles;
(e)heritage, museum and tourist railways that operate on their own network, including workshops, vehicles and staff.
4.This Regulation shall not apply to systems and changes, which, on the date of entry into force of this Regulation, are projects at an advanced stage of development within the meaning of Article 2(t) of Directive 2008/57/EC.
Article 3Definitions
For the purpose of this Regulation the definitions in Article 3 of Directive 2004/49/EC shall apply.
The following definitions shall also apply:
‘risk’ means the rate of occurrence of accidents and incidents resulting in harm (caused by a hazard) and the degree of severity of that harm;
‘risk analysis’ means systematic use of all available information to identify hazards and to estimate the risk;
‘risk evaluation’ means a procedure based on the risk analysis to determine whether the acceptable risk has been achieved;
‘risk assessment’ means the overall process comprising a risk analysis and a risk evaluation;
‘safety’ means freedom from unacceptable risk of harm;
‘risk management’ means the systematic application of management policies, procedures and practices to the tasks of analysing, evaluating and controlling risks;
‘interfaces’ means all points of interaction during a system or subsystem life-cycle, including operation and maintenance where different actors of the rail sector will work together in order to manage the risks;
‘actors’ means all parties which are, directly or through contractual arrangements, involved in the application of this Regulation pursuant to Article 5(2);
‘safety requirements’ means the safety characteristics (qualitative or quantitative) of a system and its operation (including operational rules) necessary in order to meet legal or company safety targets;
‘safety measures’ means a set of actions either reducing the rate of occurrence of a hazard or mitigating its consequences in order to achieve and/or maintain an acceptable level of risk;
‘proposer’ means the railway undertakings or the infrastructure managers in the framework of the risk control measures they have to implement in accordance with Article 4 of Directive 2004/49/EC, the contracting entities or the manufacturers when they invite a notified body to apply the ‘EC’ verification procedure in accordance with Article 18(1) of Directive 2008/57/EC or the applicant of an authorisation for placing in service of vehicles;
‘safety assessment report’ means the document containing the conclusions of the assessment performed by an assessment body on the system under assessment;
‘hazard’ means a condition that could lead to an accident;
‘assessment body’ means the independent and competent person, organisation or entity which undertakes investigation to arrive at a judgement, based on evidence, of the suitability of a system to fulfil its safety requirements;
‘risk acceptance criteria’ means the terms of reference by which the acceptability of a specific risk is assessed; these criteria are used to determine that the level of a risk is sufficiently low that it is not necessary to take any immediate action to reduce it further;
‘hazard record’ means the document in which identified hazards, their related measures, their origin and the reference to the organisation which has to manage them are recorded and referenced;
‘hazard identification’ means the process of finding, listing and characterising hazards;
‘risk acceptance principle’ means the rules used in order to arrive at the conclusion whether or not the risk related to one or more specific hazards is acceptable;
‘code of practice’ means a written set of rules that, when correctly applied, can be used to control one or more specific hazards;
‘reference system’ means a system proven in use to have an acceptable safety level and against which the acceptability of the risks from a system under assessment can be evaluated by comparison;
‘risk estimation’ means the process used to produce a measure of the level of risks being analysed, consisting of the following steps: estimation of frequency, consequence analysis and their integration;
‘technical system’ means a product or an assembly of products including the design, implementation and support documentation; the development of a technical system starts with its requirements specification and ends with its acceptance; although the design of relevant interfaces with human behaviour is considered, human operators and their actions are not included in a technical system; the maintenance process is described in the maintenance manuals but is not itself part of the technical system;
‘catastrophic consequence’ means fatalities and/or multiple severe injuries and/or major damages to the environment resulting from an accident;
‘safety acceptance’ means status given to the change by the proposer based on the safety assessment report provided by the assessment body;
‘system’ means any part of the railway system which is subject to a change;
Article 4Significant changes
1.If there is no notified national rule for defining whether a change is significant or not in a Member State, the proposer shall consider the potential impact of the change in question on the safety of the railway system.
When the proposed change has no impact on safety, the risk management process described in Article 5 does not need to be applied.
2.When the proposed change has an impact on safety, the proposer shall decide, by expert judgement, the significance of the change based on the following criteria:
(a)failure consequence: credible worst-case scenario in the event of failure of the system under assessment, taking into account the existence of safety barriers outside the system;
(b)novelty used in implementing the change: this concerns both what is innovative in the railway sector, and what is new just for the organisation implementing the change;
(c)complexity of the change;
(d)monitoring: the inability to monitor the implemented change throughout the system life-cycle and take appropriate interventions;
(e)reversibility: the inability to revert to the system before the change;
(f)additionality: assessment of the significance of the change taking into account all recent safety-related modifications to the system under assessment and which were not judged as significant.
The proposer shall keep adequate documentation to justify his decision.
Article 5Risk management process
1.The risk management process described in Annex I shall apply:
(a)for a significant change as specified in Article 4, including the placing in service of structural subsystems as referred to in Article 2(2)(b);
(b)where a TSI as referred to in Article 2(2)(a) refers to this Regulation in order to prescribe the risk management process described in Annex I.
2.The risk management process described in Annex I shall be applied by the proposer.
3.The proposer shall ensure that risks introduced by suppliers and service providers, including their subcontractors, are managed. To this end, the proposer may request that suppliers and service providers, including their subcontractors, participate in the risk management process described in Annex I.
Article 6Independent assessment
1.An independent assessment of the correct application of the risk management process described in Annex I and of the results of this application shall be carried out by a body which shall meet the criteria listed in Annex II. Where the assessment body is not already identified by Community or national legislation, the proposer shall appoint its own assessment body which may be another organisation or an internal department.
2.Duplication of work between the conformity assessment of the safety management system as required by Directive 2004/49/EC, the conformity assessment carried out by a notified body or a national body as required by Directive 2008/57/EC and any independent safety assessment carried out by the assessment body in accordance with this Regulation, shall be avoided.
3.The safety authority may act as the assessment body where the significant changes concern the following cases:
(a)where a vehicle needs an authorisation for placing in service, as referred to in Articles 22(2) and 24(2) of Directive 2008/57/EC;
(b)where a vehicle needs an additional authorisation for placing in service, as referred to in Articles 23(5) and 25(4) of Directive 2008/57/EC;
(c)where the safety certificate has to be updated due to an alteration of the type or extent of the operation, as referred to in Article 10(5) of Directive 2004/49/EC;
(d)where the safety certificate has to be revised due to substantial changes to the safety regulatory framework, as referred to in Article 10(5) of Directive 2004/49/EC;
(e)where the safety authorisation has to be updated due to substantial changes to the infrastructure, signalling or energy supply, or to the principles of its operation and maintenance, as referred to in Article 11(2) of Directive 2004/49/EC;
(f)where the safety authorisation has to be revised due to substantial changes to the safety regulatory framework, as referred to in Article 11(2) of Directive 2004/49/EC.
4.Where the significant changes concern a structural subsystem that needs an authorisation for placing in service as referred to in Article 15(1) or Article 20 of Directive 2008/57/EC, the safety authority may act as the assessment body unless the proposer already gave that task to a notified body in accordance with Article 18(2) of that Directive.
Article 7Safety assessment reports
1.The assessment body shall provide the proposer with a safety assessment report.
2.In the case referred to in point (a) of Article 5(1), the safety assessment report shall be taken into account by the national safety authority in its decision to authorise the placing in service of subsystems and vehicles.
3.In the case referred to in point (b) of Article 5(1), the independent assessment shall be part of the task of the notified body, unless otherwise prescribed by the TSI.
If the independent assessment is not part of the task of the notified body, the safety assessment report shall be taken into account by the notified body in charge of delivering the conformity certificate or by the contracting entity in charge of drawing up the EC declaration of verification.
4.When a system or part of a system has already been accepted following the risk management process specified in this Regulation, the resulting safety assessment report shall not be called into question by any other assessment body in charge of performing a new assessment for the same system. The recognition shall be conditional on demonstration that the system will be used under the same functional, operational and environmental conditions as the already accepted system, and that equivalent risk acceptance criteria have been applied.
Article 8Risk control management/internal and external audits
1.The railway undertakings and infrastructure managers shall include audits of application of the CSM on risk evaluation and assessment in their recurrent auditing scheme of the safety management system as referred to in Article 9 of Directive 2004/49/EC.
2.Within the framework of the tasks defined in Article 16(2)(e) of Directive 2004/49/EC, the national safety authority shall monitor the application of the CSM on risk evaluation and assessment.
Article 9Feedback and technical progress
1.Each infrastructure manager and each railway undertaking shall, in its annual safety report referred to in Article 9(4) of Directive 2004/49/EC, report briefly on its experience with the application of the CSM on risk evaluation and assessment. The report shall also include a synthesis of the decisions related to the level of significance of the changes.
2.Each national safety authority shall, in its annual safety report referred to in Article 18 of Directive 2004/49/EC, report on the experience of the proposers with the application of the CSM on risk evaluation and assessment, and, where appropriate, its own experience.
3.The European Railway Agency shall monitor and collect feedback on the application of the CSM on risk evaluation and assessment and, where applicable, shall make recommendations to the Commission with a view to improving it.
4.The European Railway Agency shall submit to the Commission by 31 December 2011 at the latest, a report which shall include:
(a)an analysis of the experience with the application of the CSM on risk evaluation and assessment, including cases where the CSM has been applied by proposers on a voluntary basis before the relevant date of application provided for in Article 10;
(b)an analysis of the experience of the proposers concerning the decisions related to the level of significance of the changes;
(c)an analysis of the cases where codes of practice have been used as described in section 2.3.8 of Annex I;
(d)an analysis of overall effectiveness of the CSM on risk evaluation and assessment.
The safety authorities shall assist the Agency by identifying cases of application of the CSM on risk evaluation and assessment.
Article 10Entry into force
1.This Regulation shall enter into force on the 20th day following its publication in the Official Journal of the European Union.
2.This Regulation shall apply from 1 July 2012.
However, it shall apply from 19 July 2010:
(a)to all significant technical changes affecting vehicles as defined in Article 2(c) of Directive 2008/57/EC;
(b)to all significant changes concerning structural subsystems, where required by Article 15(1) of Directive 2008/57/EC or by a TSI.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 24 April 2009.
For the Commission
Antonio Tajani
Vice-President
ANNEX I
1. GENERAL PRINCIPLES APPLICABLE TO THE RISK MANAGEMENT PROCESS
1.1. General principles and obligations
1.1.1.The risk management process covered by this Regulation shall start from a definition of the system under assessment and comprise the following activities:
the risk assessment process, which shall identify the hazards, the risks, the associated safety measures and the resulting safety requirements to be fulfilled by the system under assessment;
demonstration of the compliance of the system with the identified safety requirements; and
management of all identified hazards and the associated safety measures.
This risk management process is iterative and is depicted in the diagram of the Appendix. The process ends when the compliance of the system with all safety requirements necessary to accept the risks linked to the identified hazards is demonstrated.
1.1.2.This iterative risk management process:
shall include appropriate quality assurance activities and be carried out by competent staff;
shall be independently assessed by one or more assessment bodies.
1.1.3.The proposer in charge of the risk management process required by this Regulation shall maintain a hazard record according to section 4.
1.1.4.The actors who already have in place methods or tools for risk assessment may continue to apply them as far as they are compatible with the provisions of this Regulation and subject to the following conditions:
the risk assessment methods or tools are described in a safety management system which has been accepted by a national safety authority in accordance with Article 10(2)(a) or Article 11(1)(a) of Directive 2004/49/EC; or
the risk assessment methods or tools are required by a TSI or comply with publicly available recognised standards specified in notified national rules.
1.1.5.Without prejudice to civil liability in accordance with the legal requirements of the Member States, the risk assessment process shall fall within the responsibility of the proposer. In particular the proposer shall decide, with agreement of the actors concerned, who will be in charge of fulfilling the safety requirements resulting from the risk assessment. This decision shall depend on the type of safety measures selected to control the risks to an acceptable level. The demonstration of compliance with the safety requirements shall be conducted according to section 3.
1.1.6.The first step of the risk management process shall be to identify in a document, to be drawn up by the proposer, the different actors’ tasks, as well as their risk management activities. The proposer shall coordinate close collaboration between the different actors involved, according to their respective tasks, in order to manage the hazards and their associated safety measures.
1.1.7.Evaluation of the correct application of the risk management process described in this Regulation falls within the responsibility of the assessment body.
1.2. Interfaces management
1.2.1.For each interface relevant to the system under assessment and without prejudice to specifications of interfaces defined in relevant TSIs, the rail-sector actors concerned shall cooperate in order to identify and manage jointly the hazards and related safety measures that need to be handled at these interfaces. The management of shared risks at the interfaces shall be coordinated by the proposer.
1.2.2.When, in order to fulfil a safety requirement, an actor identifies the need for a safety measure that it cannot implement itself, it shall, after agreement with another actor, transfer the management of the related hazard to the latter using the process described in section 4.
1.2.3.For the system under assessment, any actor who discovers that a safety measure is non-compliant or inadequate is responsible for notifying it to the proposer, who shall in turn inform the actor implementing the safety measure.
1.2.4.The actor implementing the safety measure shall then inform all the actors affected by the problem either within the system under assessment or, as far as known by the actor, within other existing systems using the same safety measure.
1.2.5.When agreement cannot be found between two or more actors it is the responsibility of the proposer to find an adequate solution.
1.2.6.When a requirement in a notified national rule can not be fulfilled by an actor, the proposer shall seek advice from the relevant competent authority.
1.2.7.Independently from the definition of the system under assessment, the proposer is responsible for ensuring that the risk management covers the system itself and the integration into the railway system as a whole.
2. DESCRIPTION OF THE RISK ASSESSMENT PROCESS
2.1. General description
2.1.1.The risk assessment process is the overall iterative process that comprises:
the system definition;
the risk analysis including the hazard identification;
the risk evaluation.
The risk assessment process shall interact with the hazard management according to section 4.1.
2.1.2.The system definition should address at least the following issues:
system objective, e.g. intended purpose;
system functions and elements, where relevant (including e.g. human, technical and operational elements);
system boundary including other interacting systems;
physical (i.e. interacting systems) and functional (i.e. functional input and output) interfaces;
system environment (e.g. energy and thermal flow, shocks, vibrations, electromagnetic interference, operational use);
existing safety measures and, after iterations, definition of the safety requirements identified by the risk assessment process;
assumptions which shall determine the limits for the risk assessment.
2.1.3.A hazard identification shall be carried out on the defined system, according to section 2.2.
2.1.4.The risk acceptability of the system under assessment shall be evaluated by using one or more of the following risk acceptance principles:
the application of codes of practice (section 2.3);
a comparison with similar systems (section 2.4);
an explicit risk estimation (section 2.5).
In accordance with the general principle referred to in section 1.1.5, the assessment body shall refrain from imposing the risk acceptance principle to be used by the proposer.
2.1.5.The proposer shall demonstrate in the risk evaluation that the selected risk acceptance principle is adequately applied. The proposer shall also check that the selected risk acceptance principles are used consistently.
2.1.6.The application of these risk acceptance principles shall identify possible safety measures which make the risk(s) of the system under assessment acceptable. Among these safety measures, the ones selected to control the risk(s) shall become the safety requirements to be fulfilled by the system. Compliance with these safety requirements shall be demonstrated in accordance with section 3.
2.1.7.The iterative risk assessment process can be considered as completed when it is demonstrated that all safety requirements are fulfilled and no additional reasonably foreseeable hazards have to be considered.
2.2. Hazard identification
2.2.1.The proposer shall systematically identify, using wide-ranging expertise from a competent team, all reasonably foreseeable hazards for the whole system under assessment, its functions where appropriate and its interfaces.
All identified hazards shall be registered in the hazard record according to section 4.
2.2.2.To focus the risk assessment efforts upon the most important risks, the hazards shall be classified according to the estimated risk arising from them. Based on expert judgement, hazards associated with a broadly acceptable risk need not be analysed further but shall be registered in the hazard record. Their classification shall be justified in order to allow independent assessment by an assessment body.
2.2.3.As a criterion, risks resulting from hazards may be classified as broadly acceptable when the risk is so small that it is not reasonable to implement any additional safety measure. The expert judgement shall take into account that the contribution of all the broadly acceptable risks does not exceed a defined proportion of the overall risk.
2.2.4.During the hazard identification, safety measures may be identified. They shall be registered in the hazard record according to section 4.
2.2.5.The hazard identification only needs to be carried out at a level of detail necessary to identify where safety measures are expected to control the risks in accordance with one of the risk acceptance principles mentioned in point 2.1.4. Iteration may thus be necessary between the risk analysis and the risk evaluation phases until a sufficient level of detail is reached for the identification of hazards.
2.2.6.Whenever a code of practices or a reference system is used to control the risk, the hazard identification can be limited to:
the verification of the relevance of the code of practices or of the reference system;
the identification of the deviations from the code of practices or from the reference system.
2.3. Use of codes of practice and risk evaluation
2.3.1.The proposer, with the support of other involved actors and based on the requirements listed in point 2.3.2, shall analyse whether one or several hazards are appropriately covered by the application of relevant codes of practice.
2.3.2.The codes of practice shall satisfy at least the following requirements:
be widely acknowledged in the railway domain. If this is not the case, the codes of practice will have to be justified and be acceptable to the assessment body;
be relevant for the control of the considered hazards in the system under assessment;
be publicly available for all actors who want to use them.
2.3.3.Where compliance with TSIs is required by Directive 2008/57/EC and the relevant TSI does not impose the risk management process established by this Regulation, the TSIs may be considered as codes of practice for controlling hazards, provided requirement (c) of point 2.3.2 is fulfilled.
2.3.4.National rules notified in accordance with Article 8 of Directive 2004/49/EC and Article 17(3) of Directive 2008/57/EC may be considered as codes of practice provided the requirements of point 2.3.2 are fulfilled.
2.3.5.If one or more hazards are controlled by codes of practice fulfilling the requirements of point 2.3.2, then the risks associated with these hazards shall be considered as acceptable. This means that:
these risks need not be analysed further;
the use of the codes of practice shall be registered in the hazard record as safety requirements for the relevant hazards.
2.3.6.Where an alternative approach is not fully compliant with a code of practice, the proposer shall demonstrate that the alternative approach taken leads to at least the same level of safety.
2.3.7.If the risk for a particular hazard cannot be made acceptable by the application of codes of practice, additional safety measures shall be identified applying one of the two other risk acceptance principles.
2.3.8.When all hazards are controlled by codes of practice, the risk management process may be limited to:
the hazard identification in accordance with section 2.2.6;
the registration of the use of the codes of practice in the hazard record in accordance with section 2.3.5;
the documentation of the application of the risk management process in accordance with section 5;
an independent assessment in accordance with Article 6.
2.4. Use of reference system and risk evaluation
2.4.1.The proposer, with the support of other involved actors, shall analyse whether one or more hazards are covered by a similar system that could be taken as a reference system.
2.4.2.A reference system shall satisfy at least the following requirements:
it has already been proven in-use to have an acceptable safety level and would still qualify for approval in the Member State where the change is to be introduced;
it has similar functions and interfaces as the system under assessment;
it is used under similar operational conditions as the system under assessment;
it is used under similar environmental conditions as the system under assessment.
2.4.3.If a reference system fulfils the requirements listed in point 2.4.2, then for the system under assessment:
the risks associated with the hazards covered by the reference system shall be considered as acceptable;
the safety requirements for the hazards covered by the reference system may be derived from the safety analyses or from an evaluation of safety records of the reference system;
these safety requirements shall be registered in the hazard record as safety requirements for the relevant hazards.
2.4.4.If the system under assessment deviates from the reference system, the risk evaluation shall demonstrate that the system under assessment reaches at least the same safety level as the reference system. The risks associated with the hazards covered by the reference system shall, in that case, be considered as acceptable.
2.4.5.If the same safety level as the reference system cannot be demonstrated, additional safety measures shall be identified for the deviations, applying one of the two other risk acceptance principles.
2.5. Explicit risk estimation and evaluation
2.5.1.When the hazards are not covered by one of the two risk acceptance principles described in sections 2.3 and 2.4, the demonstration of the risk acceptability shall be performed by explicit risk estimation and evaluation. Risks resulting from these hazards shall be estimated either quantitatively or qualitatively, taking existing safety measures into account.
2.5.2.The acceptability of the estimated risks shall be evaluated using risk acceptance criteria either derived from or based on legal requirements stated in Community legislation or in notified national rules. Depending on the risk acceptance criteria, the acceptability of the risk may be evaluated either individually for each associated hazard or globally for the combination of all hazards considered in the explicit risk estimation.
If the estimated risk is not acceptable, additional safety measures shall be identified and implemented in order to reduce the risk to an acceptable level.
2.5.3.When the risk associated with one or a combination of several hazards is considered as acceptable, the identified safety measures shall be registered in the hazard record.
2.5.4.Where hazards arise from failures of technical systems not covered by codes of practice or the use of a reference system, the following risk acceptance criterion shall apply for the design of the technical system:
For technical systems where a functional failure has credible direct potential for a catastrophic consequence, the associated risk does not have to be reduced further if the rate of that failure is less than or equal to 10-9 per operating hour.
2.5.5.Without prejudice to the procedure specified in Article 8 of Directive 2004/49/EC, a more demanding criterion may be requested, through a national rule, in order to maintain a national safety level. However, in the case of additional authorisations for placing in service of vehicles, the procedures of Articles 23 and 25 of Directive 2008/57/EC shall apply.
2.5.6.If a technical system is developed by applying the 10-9 criterion defined in point 2.5.4, the principle of mutual recognition is applicable in accordance with Article 7(4) of this Regulation.
Nevertheless, if the proposer can demonstrate that the national safety level in the Member State of application can be maintained with a rate of failure higher than 10-9 per operating hour, this criterion can be used by the proposer in that Member State.
2.5.7.The explicit risk estimation and evaluation shall satisfy at least the following requirements:
the methods used for explicit risk estimation shall reflect correctly the system under assessment and its parameters (including all operational modes);
the results shall be sufficiently accurate to serve as robust decision support, i.e. minor changes in input assumptions or prerequisites shall not result in significantly different requirements.
3. DEMONSTRATION OF COMPLIANCE WITH SAFETY REQUIREMENTS
3.1.Prior to the safety acceptance of the change, fulfilment of the safety requirements resulting from the risk assessment phase shall be demonstrated under the supervision of the proposer.
3.2.This demonstration shall be carried out by each of the actors responsible for fulfilling the safety requirements, as decided in accordance with point 1.1.5.
3.3.The approach chosen for demonstrating compliance with the safety requirements as well as the demonstration itself shall be independently assessed by an assessment body.
3.4.Any inadequacy of safety measures expected to fulfil the safety requirements or any hazards discovered during the demonstration of compliance with the safety requirements shall lead to reassessment and evaluation of the associated risks by the proposer according to section 2. The new hazards shall be registered in the hazard record according to section 4.
4. HAZARD MANAGEMENT
4.1. Hazard management process
4.1.1.Hazard record(s) shall be created or updated (where they already exist) by the proposer during the design and the implementation and till the acceptance of the change or the delivery of the safety assessment report. The hazard record shall track the progress in monitoring risks associated with the identified hazards. In accordance with point 2(g) of Annex III to Directive 2004/49/EC, once the system has been accepted and is operated, the hazard record shall be further maintained by the infrastructure manager or the railway undertaking in charge with the operation of the system under assessment as an integrated part of its safety management system.
4.1.2.The hazard record shall include all hazards, together with all related safety measures and system assumptions identified during the risk assessment process. In particular, it shall contain a clear reference to the origin and to the selected risk acceptance principles and shall clearly identify the actor(s) in charge of controlling each hazard.
4.2. Exchange of information
All hazards and related safety requirements which cannot be controlled by one actor alone shall be communicated to another relevant actor in order to find jointly an adequate solution. The hazards registered in the hazard record of the actor who transfers them shall only be ‘controlled’ when the evaluation of the risks associated with these hazards is made by the other actor and the solution is agreed by all concerned.
5. EVIDENCE FROM THE APPLICATION OF THE RISK MANAGEMENT PROCESS
5.1.The risk management process used to assess the safety levels and compliance with safety requirements shall be documented by the proposer in such a way that all the necessary evidence showing the correct application of the risk management process is accessible to an assessment body. The assessment body shall establish its conclusion in a safety assessment report.
5.2.The document produced by the proposer under point 5.1. shall at least include:
description of the organisation and the experts appointed to carry out the risk assessment process;
results of the different phases of the risk assessment and a list of all the necessary safety requirements to be fulfilled in order to control the risk to an acceptable level.
Appendix Risk management process and independent assessment
ANNEX II CRITERIA WHICH MUST BE FULFILLED BY THE ASSESSMENT BODIES
1.The assessment body may not become involved either directly or as authorised representatives in the design, manufacture, construction, marketing, operation or maintenance of the system under assessment. This does not exclude the possibility of an exchange of technical information between that body and all the involved actors.
2.The assessment body must carry out the assessment with the greatest possible professional integrity and the greatest possible technical competence and must be free of any pressure and incentive, in particular of a financial type, which could affect their judgement or the results of their assessments, in particular from persons or groups of persons affected by the assessments.
3.The assessment body must possess the means required to perform adequately the technical and administrative tasks linked with the assessments; it shall also have access to the equipment needed for exceptional assessments.
4.The staff responsible for the assessments must possess:
proper technical and vocational training,
a satisfactory knowledge of the requirements relating to the assessments that they carry out and sufficient practice in those assessments,
the ability to draw up the safety assessment reports which constitute the formal conclusions of the assessments conducted.
5.The independence of the staff responsible for the independent assessments must be guaranteed. No official must be remunerated either on the basis of the number of assessments performed or of the results of those assessments.
6.Where the assessment body is external to the proposer’s organisation must have its civil liability ensured unless that liability is covered by the State under national law or unless the assessments are carried out directly by that Member State.
7.Where the assessment body is external to the proposer’s organisation its staff are bound by professional secrecy with regard to everything they learn in the performance of their duties (with the exception of the competent administrative authorities in the State where they perform those activities) in pursuance of this Regulation.
OJ L 164, 30.4.2004, p. 44; corrected by OJ L 220, 21.6.2004, p. 16.