Vancouver, October 08th 2013

DB Systemtechnik GmbH

Marc Geisler

The challenge of transforming a rule-based system into a risk-based culture on an example of a rolling stock approval

Foto: DB Systemtechnik

Risk Management / Safety Assessment

DB Systemtechnik GmbH | Marc Geisler | 08.10.2013

1. Introduction

2. Requirements on Safety Management Systems

3. Approval Process for Rolling Stock in Europe

4. Example of Approval Process in Germany

5. Conclusions


1. Introduction

Existing regulations such as the European Common Safety Method on Risk Evaluation and Assessment (CSM-RA) support the implementation of risk assessment processes.

The CSM-RA combines the rule-based approach (application of a Code of Practice) with risk-based approaches (comparison with a Reference System, and explicit risk estimation); these are the so-called risk acceptance principles.

For rolling stock approval in particular, guidelines were developed in Germany to make the risk-based approach described in EN 50126, EN 50128 and EN 50129 usable for rolling stock.

One outcome is the TeSip (Technical Safety Plan), which includes a number of exemplary descriptions of rolling stock functions and their hazards.


2. Requirements of Safety Management Systems
Guideline-oriented safety management becomes risk-oriented

Safety Management Systems (SMS) focus on risk-based approaches.

Maintaining safety, keeping operation at a high quality level and ensuring a cost-efficient railway system is a demanding task today.


2. Requirements of Safety Management Systems
Keeping Codes of Practice safe

Safety in changing cultures

Hazards and their associated risks are often not sufficiently described in current rules:
– No direct link between rules and hazards is possible.
– Comparison with a CoP or a Reference System is hardly possible, as hazards are not described in the existing rules and system descriptions.

A systematic approach, as shown, was in the past not always documented.

The existing CoP need improvement before they can support a risk-based safety management.

3. Approval Process for Rolling Stock in Europe
Safety demonstration is required in different ways

The Notified Body (NoBo) checks conformity with the European Technical Specifications for Interoperability (TSI). The TSI cover safety and technical aspects.

The Designated Body (DeBo) checks conformity with the notified national regulations, which include safety and technical aspects.

The Assessment Body (AsBo) assesses the application of the risk management activities following the CSM-RA process.


4. Example of Approval Process in Germany
A number of assessments are to be documented

Safety demonstration according to European and national requirements demands several documents before the approval for placing a rolling stock into service can be granted. Some are listed below:

– Safety plan with the project-specific safety process description
– Technical Safety Plan (TeSip), including the system safety requirement specification
– Safety Assessment Report of the AsBo according to CSM-RA
– Conformity certificates according to technical rules
– Vehicle dossier and component dossiers according to the German rule for rolling stock approval
– Several certificates, risk assessments, practical demonstration reports etc.
– Application guide for the vehicle, with operational requirements and limitations
– Maintenance settings


4. Example of Approval Process in Germany
Safety Plan structure and approval process for rolling stock

[Figure: diagram of the safety plan structure and the approval process. It names three actors and their artefacts: the Supplier (engineering / design; safety case containing the specific safety plan, the specification of system-safety requirements, safety requirements, concepts / specifications, and assessments, tests and surveys; TeSip-specific amendment), the Operator (TeSip-specific amendment, definition of safety responsibilities, information, contract, specification with safety requirements, assessments and surveys) and the Authority (application for approval, safety assessment report, approval, placing into service, adjustment of the safety plan, legal act). Conformity and safety assessment, resulting in conformity certificates, is done by NoBo, DeBo and AsBo according to European requirements.]

4. Example of Approval Process in Germany
The Technical Safety Plan (TeSip) in the Safety Case

[Figure: the safety plan structure and approval process diagram of the previous slide, repeated to situate the TeSip within the supplier's Safety Case.]

TeSip function list (vehicle functions), excerpt translated from the German table on the slide. Columns: running no.; main function, sub-function and function (DIN 25002-5); safety requirement ("safe assurance of ..."); explanation of the function; hazard exists when ...; typical topics; primary hazard; indirect hazard (explanation, example); hazard classification (parameter values with justification, risk index I, Safety Requirement Level SAS, consideration required).

Main function B: carry, enclose and protect the payload

Sub-function B 1: carry / accommodate the payload
Explanation: carry/accommodate the quantity/mass of persons/payload specified for the area of application/vehicle category such that the vehicle structure of the rail vehicle (permissible limit values for strength, stiffness and stability) is safely preserved under all operating conditions and environmental influences. The payload is to be held in the specified position (load securing).
Safety requirement: safe assurance of the preservation of the vehicle structure
Hazard exists when: the vehicle structure is NOT preserved
Typical topics: e.g. static / dynamic loading, vibration resistance, torsional stiffness; mechanical strength given by design
Primary hazard: 10f Insufficient strength of the car body and attached structures
Indirect hazard: 7a Violation of the vehicle gauge by the car body
Hazard classification: 5 (several persons can be affected); 9 (fatalities must be expected); 1.7 (function failure does not necessarily lead to fatalities); 1.3 (during the entire duration of stay); 1 (avoidance is not possible); I = 99.45; SAS = 3; consideration required: yes

Sub-function B 2: carry / accommodate the payload
Safety requirement: safe assurance of sufficient load securing
Hazard exists when: load securing fails
Typical topics: load securing
Primary hazard: 11d Insufficiently secured load
Indirect hazard: 7a Violation of the vehicle gauge by the car body
Hazard classification: 5 (several persons are affected); 9 (fatalities must be expected); the remaining cells of this row are cut off on the slide

Column headings in English: Function | Safety requirement | Hazard | Hazard classification

Decision about the rule-based approach or the risk-based approach is taken according to the hazard classification and the existence of applicable rules.

The apportionment of safety requirements and responsibilities is detailed in hazard trees.

Technical Safety Plan (TeSip)
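The slide shows a classified function-list row and states that the choice between rule-based and risk-based demonstration follows from the hazard classification and the existence of applicable rules. The following Python model is an added example and is not code from the presentation or from DB Systemtechnik. Two things are taken from the slide: the five parameter values of row B 1 and the fact that their product reproduces the slide's risk index (5 × 9 × 1.7 × 1.3 × 1 = 99.45). Everything else is an assumption: the SAS thresholds are illustrative values chosen only to reproduce the (I, SAS) pairs visible on the slides, the decision rule in `classify` is a plausible reading of the slide's statement, and the second hazard with its placeholder rule name is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# ASSUMED thresholds for the Safety Requirement Level (SAS). They are illustrative,
# chosen only so that the (I, SAS) pairs readable on the slides (I=2 -> 0,
# I=21.8..33 -> 1, I=58.8 -> 2, I=99.45 -> 3) are reproduced; they are not
# DB Systemtechnik's actual classification table.
SAS_THRESHOLDS = ((90.0, 3), (50.0, 2), (10.0, 1))


@dataclass(frozen=True)
class RiskGraphParameters:
    """The five risk-graph parameters of the TeSip hazard classification."""
    extent: float        # how many persons can be affected
    severity: float      # severity of the consequences
    fatality: float      # does a function failure necessarily lead to fatalities?
    exposure: float      # exposure time
    avoidability: float  # can the hazard be avoided?

    def index(self) -> float:
        # I is the product of the parameters; the slide row gives
        # 5 * 9 * 1.7 * 1.3 * 1 = 99.45, which this reproduces.
        return round(self.extent * self.severity * self.fatality
                     * self.exposure * self.avoidability, 2)


def sas_level(i: float) -> int:
    """Map the risk index I to a Safety Requirement Level using the assumed thresholds."""
    for threshold, level in SAS_THRESHOLDS:
        if i >= threshold:
            return level
    return 0


@dataclass(frozen=True)
class Hazard:
    hazard_id: str
    description: str
    params: RiskGraphParameters
    applicable_rule: Optional[str] = None  # Code of Practice covering the hazard, if any


@dataclass(frozen=True)
class Classification:
    hazard_id: str
    i: float
    sas: int
    consideration_required: bool
    approach: str


def classify(hazard: Hazard) -> Classification:
    """Classify a hazard and decide between rule-based and risk-based demonstration.

    Decision rule (ASSUMED, modelled on the slide's wording 'according to hazard
    classification and existence of applicable rules'): a hazard with SAS 0 needs
    no further consideration; otherwise a hazard covered by an applicable rule is
    demonstrated via the Code of Practice principle, one without such a rule via
    explicit risk estimation.
    """
    i = hazard.params.index()
    sas = sas_level(i)
    if sas == 0:
        return Classification(hazard.hazard_id, i, sas, False, "none required")
    if hazard.applicable_rule:
        approach = f"rule-based (Code of Practice: {hazard.applicable_rule})"
    else:
        approach = "risk-based (explicit risk estimation)"
    return Classification(hazard.hazard_id, i, sas, True, approach)


# Row B 1 of the TeSip function-list excerpt on the slide (values taken from the slide).
CAR_BODY_STRENGTH = Hazard(
    "10f", "Insufficient strength of the car body and attached structures",
    RiskGraphParameters(extent=5, severity=9, fatality=1.7, exposure=1.3, avoidability=1),
)

# CONSTRUCTED second hazard: one that an existing Code of Practice covers. The rule
# name is a placeholder and the parameter values are made up for illustration.
RULE_COVERED = Hazard(
    "demo-1", "Constructed hazard covered by a Code of Practice",
    RiskGraphParameters(extent=5, severity=5, fatality=1.0, exposure=1.0, avoidability=1),
    applicable_rule="EN-xxxx (placeholder)",
)


if __name__ == "__main__":
    for hazard in (CAR_BODY_STRENGTH, RULE_COVERED):
        print(classify(hazard))
```

Running the block classifies the slide's car-body hazard as I = 99.45, SAS 3, risk-based, and the constructed rule-covered hazard as I = 25, SAS 1, rule-based. The decision is deliberately kept as data (an `applicable_rule` field) so that a reviewer can see, for every hazard, which rule is claimed to cover it; that traceability is exactly what the slide says the current CoP lack.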

4. Example of Approval Process in Germany
Hazard trees underpin the Technical Safety Plan

[Figure: example hazard tree "Fire and Smoke" from the TeSip (HH2, hazard 5a: fire hazard, smoke development), with nodes combined by AND ("und") and OR ("oder") gates and annotated with SAS and I values. Nodes readable from the slide: effective ignition source (HH2_N1, SAS=1, I=21.8); fuel and oxidiser (HH2_N2, SAS=0, I=2); no detection of, or insufficient reaction to, a fire event (HH2_F1, SAS=2, I=58.8); no fire detection (HH2_F2, SAS=1, I=33); insufficient reaction to a fire event (HH2_F3); no train-wide deactivation of the HVAC (HKL) (HH2_S1) and train attendant does not deactivate all HVAC (HH2_B1), annotated SAS=1, I=29 and SAS=1, I=33; evacuation not possible or obstructed (HH2_F4, SAS=1, I=31); insufficient fire fighting / fire control (HH2_F5, SAS=0, I=2); ineffective fire fighting (HH2_N4); affected EVB not switched off (HH2_H1, HH2_S2); fire doors not closed (HH2_B2); passengers do not react (HH2_N3). The tree notes a division of responsibility between fire causes and fire detection, and marks one branch "no detailed consideration here".]

The hazards listed in the TeSip are detailed by hazard trees down to the level of functional architecture elements.

Safety responsibilities are specified:
– orange means staff responsibility
– yellow means technical responsibility

Safety requirements are broken down to the different implementations.

Hazard classification follows the risk graph approach.

Example hazard tree "Fire and Smoke" from the TeSip
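The slide says that hazard trees break the TeSip hazards down to functional elements and apportion safety responsibilities between staff and technology. The following Python fragment is an added example, not code from the presentation or from DB Systemtechnik. It encodes a small part of the "Fire and Smoke" tree using node ids and texts from the slide, but the AND/OR linkage between those nodes and the assignment of staff or technical responsibility to the leaves are assumptions made for illustration (the extracted slide does not preserve the diagram's edges or colours). It then derives the minimal cut sets (the classic fault-tree expansion: OR unions the children's sets, AND combines them) and lists which leaf-level requirements fall to staff and which to technical measures.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

STAFF = "staff"          # orange in the slide's hazard tree
TECHNICAL = "technical"  # yellow in the slide's hazard tree


@dataclass
class HazardNode:
    node_id: str
    text: str
    gate: Optional[str] = None              # "AND" / "OR" on intermediate nodes, None on leaves
    children: List["HazardNode"] = field(default_factory=list)
    sas: Optional[int] = None               # Safety Requirement Level, where readable on the slide
    responsibility: Optional[str] = None    # STAFF or TECHNICAL, set on leaves (ASSUMED here)


def minimal_cut_sets(node: HazardNode) -> Set[FrozenSet[str]]:
    """Minimal sets of leaf events whose joint occurrence realises the node's hazard."""
    if not node.children:
        return {frozenset([node.node_id])}
    child_sets = [minimal_cut_sets(child) for child in node.children]
    if node.gate == "OR":
        combined: Set[FrozenSet[str]] = set().union(*child_sets)
    elif node.gate == "AND":
        combined = {frozenset()}
        for cut_sets in child_sets:
            combined = {a | b for a in combined for b in cut_sets}
    else:
        raise ValueError(f"{node.node_id}: intermediate node needs an AND or OR gate")
    # keep only minimal sets: drop any set that strictly contains another one
    return {s for s in combined if not any(other < s for other in combined)}


def requirements_by_responsibility(node: HazardNode) -> Dict[str, List[str]]:
    """Apportion the leaf-level safety requirements to staff and technical responsibility."""
    result: Dict[str, List[str]] = {STAFF: [], TECHNICAL: []}
    stack = [node]
    while stack:
        current = stack.pop()
        if current.children:
            stack.extend(current.children)
            continue
        if current.responsibility not in result:
            raise ValueError(f"{current.node_id}: leaf without an assigned responsibility")
        result[current.responsibility].append(current.node_id)
    return {key: sorted(ids) for key, ids in result.items()}


def build_fire_hazard_tree() -> HazardNode:
    """Fragment of the 'Fire and Smoke' tree (HH2, hazard 5a).

    Node ids, texts and SAS values are read from the slide; the gate linkage and
    the responsibility assignment are ASSUMED for this example.
    """
    reaction = HazardNode("HH2_F3", "Insufficient reaction to a fire event", gate="AND", children=[
        HazardNode("HH2_S1", "No train-wide deactivation of the HVAC", sas=1, responsibility=TECHNICAL),
        HazardNode("HH2_B1", "Train attendant does not deactivate all HVAC", sas=1, responsibility=STAFF),
    ])
    detection_or_reaction = HazardNode(
        "HH2_F1", "No detection of, or insufficient reaction to, a fire event", gate="OR", sas=2,
        children=[HazardNode("HH2_F2", "No fire detection", sas=1, responsibility=TECHNICAL), reaction],
    )
    return HazardNode("HH2", "Hazard 5a: fire hazard, smoke development", gate="AND", children=[
        HazardNode("HH2_N1", "Effective ignition source", sas=1, responsibility=TECHNICAL),
        HazardNode("HH2_N2", "Fuel, oxidiser", sas=0, responsibility=TECHNICAL),
        detection_or_reaction,
    ])


if __name__ == "__main__":
    root = build_fire_hazard_tree()
    for cut in sorted(minimal_cut_sets(root), key=sorted):
        print("cut set:", sorted(cut))
    print(requirements_by_responsibility(root))
```

With the assumed linkage the tree yields two minimal cut sets, {HH2_N1, HH2_N2, HH2_F2} and {HH2_N1, HH2_N2, HH2_S1, HH2_B1}, and exactly one leaf, HH2_B1, under staff responsibility. That is the kind of output an assessor wants next to the tree: every staff-dependent cause is visible at a glance, and a leaf with no responsibility assigned is reported as an error instead of being silently dropped.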

5. Conclusion (1)

The rule-based approach has been applied successfully during the design and maintenance of rolling stock for many years and implicitly covers the safety aspects.

Today's safety management system focuses on hazards to be controlled by different risk acceptance principles.
– Therefore safety demonstration by implicit approaches needs amendments.

The risk-based approach requires specific knowledge about methods for risk assessment and independent safety assessment, which needs time to establish.

Experts in risk management support the design and implementation of functions and subsystems into the next higher system level.

Safety managers ensure the safe integration, and the independent safety assessment body checks the overall procedures and requirements of the safety case.

5. Conclusion (2)

The rule-based approach is still an important way to ensure safety where the preconditions are well known.

For innovative and complex situations the risk-based approach is an appropriate add-on to make railways reliable and safe.

A solely risk-based approach does not cover all the needs of modern railways.
– Expert judgment about applying rule-based or risk-oriented safety demonstration is always a trustworthy way.
– The TeSip, covering the standard functions of a rolling stock and its hazards, supports combining the rule-based safety demonstration with risk-based cultures.


Thank you for your attention!

Do you have questions?
