INTRODUCTION

In the European Union and beyond, Railway Undertakings, which can be defined as “any public or private undertaking which provides services for the transport of goods and/or passengers by rail” (Ref. 1), must apply the CSM-RA (Ref. 2) for changes to the operational network. Railway product suppliers are not required to, and usually do not, follow CSM-RA. They instead choose to follow EN 50126 (Ref. 3) which, although Reliability, Availability and Maintainability (RAM) focussed, also provides a method of managing safety.

Whilst the two standards have differences, they fundamentally cover the same scope, with the Control, Command and Signalling (CCS) National Technical Specification Notice (NTSN) stating that compliance with EN 50126 (along with EN 50128, 50129 and 50159, as applicable) is “a means to fully comply to the [CSM-RA] risk management process” (Ref. 4).


UNDERSTANDING THE DIFFERENCES
A simple example of the differences between the standards is the different stated aims of hazard identification.

Under CSM-RA the aim is to identify “all reasonably foreseeable hazards”, a broad goal that would include minor accidents from a range of causes. However, EN 50126 states that: “The purpose is not to catalogue every trivial hazard”, implying a focus on hazards with a higher severity.

This and other differences in approach can lead to potentially complicated interfaces between parties, overlap and gaps in external assessment and the development of safety arguments.

At a broader level, the differences in the standards can be best understood in the context of applying CSM-RA at the railway system level and EN 50126 as a process for incorporation of Safety Critical Systems into that system. It is useful to think of this as four separate, but connected, aspects:

  • Scope
  • The Safety Case
  • Verification & Validation
  • External Assessment

SCOPE

CSM-RA covers changes of a “technical, operational or organisational” nature, a wider purview than that stated in EN 50126, which covers “Command, Control and Signalling, Rolling Stock and Fixed Installations”; there is no mention of operational or organisational changes in this definition.

This difference speaks to the assertion that CSM-RA applies better to the operator, at rail system level, as the implementer of day-to-day activities on the railway.

EN 50126, on the other hand, provides a method for making a safety argument at the generic product or generic application level, where CSM-RA provides no guidance. EN 50126 essentially provides a method for the development of a system, but without clear knowledge of the way in which it will be used.

THE SAFETY CASE

The biggest difference in terms of the output of the safety management process is perhaps the requirement for a safety case. EN 50126 requires the production of a document that outlines “the documented structured safety justification which provides the evidence of how the system under consideration complies with the specified safety requirements, within the defined scope of its proposed use”, or a safety case to you and me.

CSM-RA has no such requirement; however, the intention of the safety case is somewhat achieved through other means. The Hazard Record is used to provide evidence of closure of Safety Requirements (called Safety Related Application Conditions (SRACs) under EN 50126) and independent assessment is undertaken throughout the process. Safety Requirements applicable in operation are usually transferred on to the Railway Undertaking for management.

VERIFICATION AND VALIDATION

Verification and validation provides assurance through the project lifecycle that requirements are being developed and met correctly. EN 50126 uses the V model to represent the lifecycle, with specification and verification of requirements a central aspect of the model.

CSM-RA does not mention verification or validation in its process at all in relation to the management of Safety Requirements, but does acknowledge that verification is required within CSM-RA through the wider Safety Management System (SMS).

The level of independence required in EN 50126 is focussed around the level of risk in question, again implying a focus on specific higher level risks than CSM-RA, where a broader set of hazards is implied.

INDEPENDENT ASSESSMENT

External independent assessment differs greatly between the two processes. The Independent Safety Assessor under EN 50126 is required, amongst other responsibilities, to “give a professional view on the fitness of the developed outcome for its intended use”. This is a higher bar than that provided under CSM-RA, in which the Assessment Body is tasked with assessing that the process has been applied, as well as evaluating the results produced by the process.

Again, the outcome here is a potential difference in the level of assurance being provided by the two bodies, and therefore an implication on the types of risk expected to be managed under it.

CONCLUSION

The differences between CSM-RA and EN 50126 can be viewed as a difference in perspective. EN 50126 is a more highly controlled process focussed on the detailed analysis of fewer higher risk hazards, taking a bottom-up approach. It aligns more to the development and integration of specific safety products, such as a Train Protection & Warning System (TPWS) or a points machine.

CSM-RA, on the other hand, is a top-down focussed assessment of a change to the railway system, and aims to manage a wider set of hazards, including those with a lower risk level.

EN 50126 can therefore be too onerous and focussed to be the best approach for projects with a broader range of lower risk hazards, but when interacting with CSM-RA, there is the ability to rely on EN 50126 compliant safety cases to make the specific safety argument for Safety Critical components.

References

  1. https://www.legislation.gov.uk/eur/2018/643/2020-01-31/data.pdf  
  2. Office of Rail and Road, Common Safety Method for Risk Evaluation and Assessment, Guidance on the application of Commission Regulation (EU), 402/2013, September 2018, https://www.orr.gov.uk/sites/default/files/om/common-safety-method-guidance.pdf
  3. Railway Applications. The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS), BS EN 50126, Nov 2017
  4. September 2018 National Technical Specification Notice, Control, Command and Signalling (CCS), 1 January 2021, https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fassets.publishing.service.gov.uk%2Fmedia%2F5fe0972b8fa8f5149718d66c%2FNTSN_Control__Command_and_Signalling__CCS_.odt&wdOrigin=BROWSELINK