Uncontrolled when printed

Supersedes GEGN8640 Iss 1, GEGN8641 Iss 1, GEGN8642 Iss 2, GEGN8643 Iss 2, GEGN8644 Iss 1 and GEGN8645 Iss 1 with effect from 02/12/2017
Guidance Note
GEGN8646
Issue: One
Date: December 2017

Guidance on the
Common Safety Method
for Risk Evaluation and
Assessment
Synopsis
This document gives guidance on application of the principles in the Common Safety Method for Risk Evaluation and Assessment.

Copyright in the Railway Group documents is owned by Rail Safety and Standards Board Limited. All rights are hereby reserved. No Railway Group document (in whole or in part) may be reproduced, stored in a retrieval system, or transmitted, in any form or means, without the prior written permission of Rail Safety and Standards Board Limited, or as expressly permitted by law.

RSSB members are granted copyright licence in accordance with the Constitution Agreement relating to Rail Safety and Standards Board Limited.

In circumstances where Rail Safety and Standards Board Limited has granted a particular person or organisation permission to copy extracts from Railway Group documents, Rail Safety and Standards Board Limited accepts no responsibility for, nor any liability in connection with, the use of such extracts, or any claims arising therefrom. This disclaimer applies to all forms of media in which extracts from Railway Group documents may be reproduced.

Published by RSSB

© Copyright 2017
Rail Safety and Standards Board Limited

Issue Record

Issue: One
Date: 02/12/2017
Comments: This document supersedes guidance material on CSM RA previously published in six separate volumes following industry consultation and revision.

This document will be updated when necessary by distribution of a complete replacement.
Revisions have not been marked by a vertical black line in this issue because the document has been revised throughout.

Superseded Documents
The following Railway Group documents are superseded, either in whole or in part as indicated:

Superseded document / Sections superseded / Date superseded
GEGN8640 issue one, Guidance on Planning an Application of the Common Safety Method on Risk Evaluation and Assessment / All / 02/12/2017
GEGN8641 issue one, Guidance on System Definition / All / 02/12/2017
GEGN8642 issue two, Guidance on Hazard Identification and Classification / All / 02/12/2017
GEGN8643 issue two, Guidance on Risk Evaluation and Risk Acceptance / All / 02/12/2017
GEGN8644 issue one, Guidance on Safety Requirements and Hazard Management / All / 02/12/2017
GEGN8645 issue one, Guidance on Independent Assessment / All / 02/12/2017

Supply
The authoritative version of this document is available at www.rssb.co.uk/railway-
group-standards. Enquiries on this document can be forwarded to
enquirydesk@rssb.co.uk.


Contents

Section Description Page

Part 1 Introduction 7
G1.1 Purpose 7
G1.2 Background 7
G1.3 Structure of this document 7
G1.4 Approval and Authorisation 8

Part 2 Risk Management and Taking Safe Decisions 9
G2.1 Overview of risk management and taking safe decisions 9
G2.2 Legal requirements for risk management and risk assessment 10

Part 3 The CSM RA Risk Assessment Process 13
G3.1 Overview of the risk assessment process 13
G3.2 Overview of the CSM RA process 13
G3.3 CSM RA for TSIs and ‘safe integration’ with an existing system 17
G3.4 The CSM RA within a programme or large project 18
G3.5 The CSM RA and the Construction Design and Management Regulations 19
G3.6 Further advice on risk assessment and the CSM RA process 20

Part 4 The CSM RA Significance Assessment 22
G4.1 The significance judgement for application of the CSM RA 22

Part 5 Planning for Application of the CSM RA 25
G5.1 Overview of safety planning for the CSM RA 25
G5.2 Planning a simple CSM RA application 25
G5.3 Contents of a safety plan 25
G5.4 Aspects of planning for application of the CSM RA 26
G5.5 Further advice on planning for application of the CSM RA 31

Part 6 System Definitions 32
G6.1 Overview of system definitions 32
G6.2 System definitions for the CSM RA 32
G6.3 Contents of a system definition 33
G6.4 Preliminary system definition to support a CSM RA significance test 39
G6.5 Iterative nature of system definitions 39
G6.6 Final system definition 40

G6.7 Further advice on system definitions 41

Part 7 Hazard Identification 42
G7.1 Overview of hazard identification 42
G7.2 What is a hazard? 42
G7.3 What is hazard identification? 43
G7.4 Desk-based hazard identification 44
G7.5 Hazard identification workshops 45
G7.6 Human factors in hazard identification 45
G7.7 Hazard identification within a project life cycle 46
G7.8 The CSM RA hazard record 46
G7.9 Hazard classification and broadly acceptable risk in the CSM RA 47
G7.10 Hazard classification in broader use 48
G7.11 Further advice on hazard identification 49

Part 8 Risk Evaluation and Risk Acceptance 51
G8.1 Overview of risk evaluation and acceptance 51
G8.2 Selecting a CSM RA risk acceptance principle 51
G8.3 CSM RA risk acceptance principle - use of codes of practice and risk evaluation 53
G8.4 CSM RA risk acceptance principle - use of reference system and risk evaluation 57
G8.5 CSM RA risk acceptance principle - explicit risk estimation and evaluation 60
G8.6 CSM Design Targets (CSM-DT) 65
G8.7 Risk evaluation and risk acceptance for non-CSM risk assessment 65
G8.8 Further advice on risk evaluation and risk acceptance 66

Part 9 Safety Requirements 67
G9.1 Overview of safety requirements in risk assessment 67
G9.2 Documenting safety requirements 68
G9.3 Demonstration of compliance with safety requirements 69
G9.4 Managing safety requirements 70
G9.5 Further advice on safety requirements 72

Part 10 Hazard Management 73
G10.1 Overview of hazard management and hazard records 73
G10.2 Producing a hazard record 74
G10.3 The hazard management process 75
G10.4 Co-ordinating hazard management activities 76
G10.5 Further advice on hazard management 78

Part 11 Independent Assessment 80
G11.1 Overview of independent assessment 80
G11.2 Independent assessment in the CSM RA 80
G11.3 The CSM RA assessment body (AsBo) 81
G11.4 CSM RA independent safety assessment plan 83
G11.5 Undertaking the CSM RA safety assessment work 83
G11.6 Avoiding duplication of safety assessment work 84
G11.7 Dealing with CSM RA non-compliances 87
G11.8 CSM RA Safety Assessment Report 88
G11.9 AsBo assessment outside a formal CSM RA application 90
G11.10 Further advice on independent assessment 90

Part 12 Completing the CSM RA Risk Assessment Process 91
G12.1 Completing a risk assessment 91
G12.2 Final deliverables of a risk assessment 91
G12.3 Further advice on completing a risk assessment and ongoing safety management activities 92

Definitions 93

References 99

List of Figures

Figure 1: The Taking Safe Decisions risk management framework 10

Figure 2: The CSM RA risk assessment process 16

Figure 3: Iterative development of the system definition and safety requirements 40

Figure 4: EN 50126 Illustration of hazards with respect to the system boundary 43

Figure 5: Applying the ‘codes of practice’ risk acceptance principle 56

Figure 6: Applying the ‘reference system’ risk acceptance principle 60

Figure 7: An example hazard life cycle 75

Part 1 Introduction
G1.1 Purpose

G1.1.1 This document gives guidance on application of the principles outlined in the
Common Safety Method for Risk Evaluation and Assessment (CSM RA). Each part of
the document contains an overview which gives a summary of key points and
principles.
G1.1.2 It is intended to be used to support industry members in understanding obligations,
and suitably and efficiently applying the risk assessment process to manage change
under the CSM RA. Further related guidance material and example templates can be
found on the RSSB website www.rssb.co.uk.

G1.2 Background

G1.2.1 Risk management frameworks are required to fulfil obligations under the law. Some
obligations are in non-rail specific law such as:
a) Management of Health and Safety at Work Regulations 1999 (MHSWR).
b) Construction (Design and Management) Regulations 2015 (CDM).
G1.2.2 Other obligations are rail or transport sector specific, such as:
a) Railways and Other Guided Transport Systems (Safety) Regulations 2006 (ROGS).
b) Railway Interoperability Regulations 2011 (RIR).
c) Common Safety Method for Risk Evaluation and Assessment (CSM RA).
G1.2.3 Together, these frameworks form a key part of an effective and comprehensive
Safety Management System (SMS). While the CSM RA process and its core areas of
application to meet legal obligations are the primary focus for this document, it can
also be used voluntarily to support the requirements of the other UK legislation if
suitably applied.
G1.2.4 The CSM RA risk management framework described in this guidance note is scalable
and should be applied in a way that is proportionate to the size and nature of the
change being considered. For example, it is equally applicable to a small simple
change to the railway, assessed in a day by a single person; or a more complex
change, bringing together many stakeholders within a large programme of work,
perhaps taking several years to complete, supported by a team of risk practitioners,
and requiring independent assessment and formal acceptance. Whereas the full
methodology specified in the CSM RA is mandatory only for changes deemed by a
proposer to be ‘significant’ after carrying out the significance test, application or
adaptation of this methodology may well be helpful when considering ‘non-significant’
changes.

G1.3 Structure of this document

G1.3.1 The following parts of this document explain the context of risk assessment as part of
a wider risk management framework, and relate to the main components of the CSM
RA, which represent typical stages of a risk assessment process:

• Part 2: Risk management and taking safe decisions: putting the risk assessment
process in context.
• Part 3: The CSM RA risk assessment process: a general overview of the CSM RA
process.
• Part 4: The CSM RA significance assessment: how to decide whether a proposed
change is ‘significant’, therefore requiring formal application of the CSM RA.
• Part 5: Planning a risk assessment process: what will be done, when and by whom.
• Part 6: System definition: describing what will be changed and how it will be
changed.
• Part 7: Hazard identification: what can go wrong and how it might impact safety.
• Part 8: Risk evaluation and risk acceptance: analysing risk and judging whether the
change is safe enough.
• Part 9: Safety requirements: identifying safety requirements to be implemented.
• Part 10: Hazard management: recording the results of the hazard management
process.
• Part 11: Independent assessment: reviewing the risk assessment process to be sure
it is appropriate.
• Part 12: Completing a risk assessment process: how the process concludes and
what outputs it produces.
G1.3.2 Guidance is provided as a series of sequentially numbered clauses.

G1.4 Approval and Authorisation

G1.4.1 The content of this document was approved by a Multifunctional Standards
Committee on 23 October 2017.
G1.4.2 This document was authorised by RSSB on 21 November 2017.

Part 2 Risk Management and Taking Safe Decisions


G2.1 Overview of risk management and taking safe decisions

G2.1.1 Risk assessment activities, such as those outlined in the CSM RA, should form part of a
wider risk management framework, and are used to ensure safety decision making is
done appropriately. The RSSB guidance document 'Taking Safe Decisions' sets out
the industry consensus view of how safety is taken into account when taking
decisions. It is a risk management framework that describes the principles that
companies apply to protect people's safety, satisfy the law, respect the interests of
stakeholders and meet commercial objectives.
G2.1.2 Every organisation needs to understand and manage its risks, both on an ongoing
basis and when it changes something. Risk management can be thought of as
comprising three related activities, which map to questions about safety-related
change as shown in Figure 1:
a) Monitoring: Is my operation safe? What is my risk profile? Do indicators suggest it
is changing? Do I need to take corrective or improvement actions?
b) Analysing and selecting options: What (if anything) should I change and what are
the safety implications of making the change?
c) Making a change: How do I make sure the change is acceptably safe?
G2.1.3 These activities are explained in the 'Taking Safe Decisions' document, which broadly
covers the aspects of the risk management framework as shown in Figure 1. The RSSB
website (www.rssb.co.uk) contains further information on 'Taking Safe Decisions'.
There is also guidance on aspects of SMSs, monitoring safety and CSM for
Monitoring.
G2.1.4 The techniques adopted during a risk assessment process may be used to support
monitoring, to better understand an emerging risk issue. Once a risk issue is identified
it is usual to consider several options to address it. The risk assessment techniques are
used to support analysis of these options to understand their risk implications, and
help select the most appropriate option to take forward for implementation.
G2.1.5 Once an option for a change has been selected, further risk assessment will be used to
understand the hazards and risk associated with that option, to identify suitable
safety requirements, and manage the risk associated with the hazards. The risk
assessment process is used to demonstrate that the residual level of risk is acceptable.
G2.1.6 Figure 1 shows how the risk assessment process stages for implementing a change
are integral to the 'taking safe decisions' cycle and indicates the parts of this
guidance document where information can be found on the various aspects:
a) System definition (Part 6)
b) Hazard identification (Part 7)
c) Risk evaluation and risk acceptance (Part 8)
d) Safety requirements (Part 9)
e) Hazard management (Part 10)
f) Independent assessment (Part 11).

G2.1.7 In addition, Part 4 of this document deals with the preliminary judgement on whether
a change is significant, therefore requiring formal application of the CSM RA risk
management process (the 'significance test'). Planning the risk assessment process,
in particular developing a safety plan, is dealt with in Part 5; Part 12 deals with
completion and conclusion of the risk management process.

Figure 1: The Taking Safe Decisions risk management framework

G2.2 Legal requirements for risk management and risk assessment

G2.2.1 There are several key pieces of legislation which require Great Britain (GB) transport
operators (railway or transport undertakings and infrastructure managers) to manage
risk related to the safe operation of their activities.
G2.2.2 Regulation 3 of the Management of Health and Safety at Work Regulations 1999
(MHSWR) requires that every employer shall 'make a suitable and sufficient
assessment of:
a) The risks to the health and safety of his employees to which they are exposed
whilst they are at work; and
b) The risks to the health and safety of persons not in his employment arising out of
or in connection with the conduct by him of his undertaking...'.

G2.2.3 The Railway Safety Directive 2004/49/EC was transposed into UK law as the Railways
and Other Guided Transport Systems (Safety) Regulations 2006 (ROGS) (with
subsequent amendments). ROGS requires railway undertakings (RUs) and
infrastructure managers (IMs) to have safety management systems (SMSs) in place.
Regulation 19 of ROGS (2006) requires that 'a transport operator shall make a
suitable and sufficient assessment of the risks to the safety of any persons for the
purpose of identifying the measures he needs to take to ensure safe operation of the
transport system in question insofar as this is affected by his operation.' ROGS also
imposes a duty of cooperation on all transport operators. (A Duty of Cooperation
Guide is available on www.rssb.co.uk.)
G2.2.4 On 24 April 2009 Commission Regulation (EC) No. 352/2009 (now superseded, see
below) established a 'common safety method on risk evaluation and assessment'
(known as the CSM RA). The CSM RA regulation sets out a harmonised risk
management process used to assess the impact on safety for technical, operational
and organisational changes to the railway system.
G2.2.5 From 21 May 2015 Commission Implementing Regulation (EU) 402/2013 applied,
and repealed and replaced EC 352/2009. Regulation 402/2013 clarified the
requirements for the independent assessment body (AsBo). It defined the criteria to
be fulfilled by the AsBo and the necessary requirements for accreditation or
recognition of its competence necessary for the mutual recognition of the
independent Safety Assessment Report (SAR) produced by the AsBo.
G2.2.6 On 3 August 2015 Commission Implementing Regulation (EU) 2015/1136 amended
Regulation 402/2013 on the CSM RA and came into force. Regulation 2015/1136
included harmonised risk acceptance criteria ('harmonised design targets', CSM DT)
that may be used to assess and demonstrate the acceptability of risks arising from
failures of functions of technical systems, in cases where the proposer chooses to use
the explicit risk estimation principle.
G2.2.7 The current CSM RA regulation, therefore, consists of the content of Regulation
402/2013, combined with several amendments and additions as outlined in
Regulation 2015/1136. All references in this document to 'the CSM RA regulation'
refer to this amended regulation. A consolidated version of the two regulations is
available on the website of the European Union Agency for Railways
(www.era.europa.eu).
G2.2.8 The CSM RA is intended to encourage a common standard process for managing risk
associated with changes to the railway system. The risk management process in
Annex I of the CSM RA regulation has applied to all 'significant' changes to the
railway system since 01 July 2012. The changes may be of a technical (engineering),
operational or organisational nature (where the organisational changes could have
an impact on the operation of the railway).
G2.2.9 Several Technical Specifications for Interoperability (TSIs) mandate the application
of the CSM RA process in Annex I of the regulation if a risk assessment is required by
a TSI; and the risk assessment is used to ensure safe integration of a structural
subsystem into an existing system in the context of an authorisation for placing in
service in accordance with the Railway Interoperability Directive 2008/57/EC.
Information on the Railway Interoperability Directive and TSIs can be found on the
RSSB website (www.rssb.co.uk).
G2.2.10 The Office of Rail and Road's (ORR's) guidance on the CSM RA sets out the following
relationship between risk assessment requirements and the particular requirements of
the CSM RA used for significant changes:

In cases where a change is not significant, it will fall to the proposer of the change
to consider domestic legislative requirements, such as those set out in regulation 19
of the Railways and Other Guided Transport Systems (Safety) Regulations 2006
(ROGS) and regulation 3 of the Management of Health and Safety at Work
Regulations 1999 (MHSWR), which require a suitable and sufficient risk assessment
to be undertaken. It is possible to adopt the approach of the risk management
process of the CSM RA even when there is no legal requirement to do so (for
example, when a change is not significant). Following the CSM approach correctly in
these circumstances is likely to mean that domestic safety legislation is complied
with.

G2.2.11 This means that even if the proposed change is assessed as not requiring formal
application of the CSM RA, the proposer still needs to undertake a suitable and
sufficient risk assessment of the proposed change under other SMS responsibilities.
The risk management principles outlined in the CSM RA process are equally
applicable to non-significant changes even if their use in these cases is not
mandatory. They can be applied in a way that is proportionate to the size and nature
of the change being considered.
G2.2.12 It is recommended that when undertaking the significance test for application of the
CSM RA, the proposer considers whether there is a requirement for risk assessment
outside the requirements of the CSM RA Regulation. Although changes assessed as
non-significant may not require significant work to understand and reduce risk, all
reasonably practicable risk reduction should be considered.
G2.2.13 The Railways (Interoperability) Regulations 2011 (RIR 2011) transpose the Railway
Interoperability Directive 2008/57/EC ('the Directive') into UK law and came into
force on 16 January 2012. RIR 2011 require new, upgraded, or renewed structural
subsystems or vehicles to be authorised to be placed in service, before they can be put
into use on the mainline railway network in the UK. Part of the requirements of the
RIR is to demonstrate that a system can be 'safely integrated' - assured by
application of the risk management process set out in the CSM RA.
G2.2.14 The RSSB document 'Taking Safe Decisions' gives guidance on the wider
responsibilities of an organisation to understand and manage its risks, both on an
ongoing basis, and when it changes something, through monitoring, analysing and
selecting options and making a change.

Part 3 The CSM RA Risk Assessment Process


G3.1 Overview of the risk assessment process

G3.1.1 The objective of a risk assessment is to be able to demonstrate that all identified
hazards and associated risk related to a proposed change are suitably understood
and controlled to an acceptable level. Carrying out any risk assessment typically
involves planning and carrying out the following steps:
a) System definition: describe the thing that is going to be changed and how it is
going to be changed, whether it is a piece of equipment, a procedure or an
organisation etc.
b) Hazard identification: identify what can go wrong and how it might impact safety.
c) Risk evaluation and risk acceptance: determine how the identified hazards can be
adequately managed such that the residual level of risk can be demonstrated to
be acceptable. For CSM RA, the risk evaluation and risk acceptance process may
involve use of codes of practice, comparison with an existing reference system, or
explicit risk estimation, which involves qualitative or quantitative risk assessment.
The output from this activity is a complete set of safety requirements against
which the change will be implemented.
d) Safety requirements: identify safety requirements that might need to be in place
to ensure the level of risk associated with the hazards is considered safe enough.
The proposer will need to be able to demonstrate that the identified safety
requirements are implemented and that the risk is therefore acceptable.
e) Hazard management: a key output from the risk assessment process is a hazard
record identifying all the hazards that have been identified and showing how they
have been closed.
f) Independent assessment: a risk assessment process will usually involve some level
of independent review or checking to ensure it is robust and appropriate. This
checking should be proportionate to the size and nature of the risk.
G3.1.2 The risk management process described in the CSM RA regulation follows these
elements.

G3.2 Overview of the CSM RA process

G3.2.1 The CSM RA regulation applies to any change of the railway system in a member
state. Those changes may be technical, operational or organisational, which could
impact the operating conditions of the railway system. The risk management process
of the CSM RA regulation applies if a change is significant within the meaning of
Article 4 of the regulation.
G3.2.2 It is possible that a technical change (such as a new fleet of vehicles or the rebuilding
of a station) can result in consequential changes to operational systems or
organisational structures. This is distinct from an operational change such as the re-
casting of a timetable which does not involve any technical change. The competence
required to apply the CSM RA in such cases can be quite different (for example, rolling
stock technical expertise compared with railway operational experience).

G3.2.3 A project involving new manufacture (for example, a new fleet of trains or a new
station) is equally considered to be a change to the railway system, particularly at the
point at which it is brought into use and therefore impacts on the existing SMSs of an
infrastructure manager (IM), entity in charge of maintenance (ECM) or railway
undertaking (RU).
G3.2.4 The proposer of a change is responsible for applying the risk management process set
out in the CSM RA. In many circumstances, proposers will be RUs, ECMs or IMs.
However, a manufacturer may want to, or be legally obliged to, apply the CSM RA in
order to place a new or altered product or system on the market. Once the product is
placed on the market, an RU or IM wishing to use the product or system in a specific
application or location will be the proposer of a new change.
G3.2.5 A manufacturer can formally be a CSM RA 'proposer' as per the CSM RA regulation
(Article 3(11)(c)), relating to the application of the requirements of the Railway
Interoperability Directive 2008/57/EC:

a contracting entity or a manufacturer which invites a notified body to apply the
'EC' verification procedure in accordance with Article 18(1) of Directive 2008/57/EC
or a designated body according to Article 17(3) of that Directive
G3.2.6 Figure 2 shows the risk management process defined in the CSM RA. The process
essentially consists of the following steps.
a) Significance assessment: The proposer of a change produces a preliminary
definition of that change and the system to which it relates. The proposer then
examines the change against the significance criteria in the regulation. If a
change is deemed to be significant, then the regulation requires the proposer to
apply the CSM RA risk assessment process, and to appoint an independent AsBo
to assess application of the process.
If the change is deemed to be not significant under the CSM RA, the reasons
should be recorded and risk management should be carried out under the normal
requirements of the relevant SMS. The proposer may choose to apply some or all
of the CSM RA risk assessment process as it represents good practice, and contains
principles that should be applied to carry out a suitable and sufficient risk
assessment.
b) Safety plan: Once a change has been identified as significant under the CSM RA,
then it is good practice to produce a safety plan of how the risk assessment
process will be implemented.
c) System definition: The CSM RA risk assessment process requires the development
of the system definition, building on the preliminary system definition produced
for the significance assessment. This provides the key details of the system that is
being changed and how it is being changed: its purpose, functions, interfaces, and
the existing safety measures that apply to it. This system definition will be kept
live and updated as the change project progresses. It will form the reference for
the hazard identification and assessment processes.
d) Hazard identification: With reference to the system definition, all reasonably
foreseeable hazards are identified and their risk is classified as broadly acceptable
or taken forward for further assessment and management.

e) Risk evaluation and risk acceptance, and development of safety requirements:
Identified hazards are then subjected to one or more of the three CSM RA risk
acceptance principles to identify potential safety measures to address each
hazard, sufficient to make the risk associated with the hazards acceptable. The
safety measures chosen for implementation become the safety requirements.
f) System definition update: As shown in Figure 2, the CSM RA process is iterative in
that the safety requirements identified in the risk evaluation process are
incorporated into an updated version of the system definition. It is then necessary
to repeat or review the hazard identification and risk evaluation, with the new
system definition, to identify whether any new hazards have arisen, or any
assumptions or conclusions have changed. This cycle will continue until the
identified safety requirements and system definition are finalised.
g) Hazard records: A hazard record is produced and maintained as a record of the
risk assessment process, and to track progress of the project's risk management
process in closing out the hazards. Depending on the complexity of the project,
demonstration of compliance with the final identified safety requirements might
also be recorded in the hazard record. If the safety requirements are not recorded
in the hazard record, they should be recorded somewhere else, and the safety plan
should explain where this information can be found. Once the change
has been implemented and the CSM RA process is completed, the hazard record
should be maintained throughout the life of the system under SMS obligations
and CSM for Monitoring.
h) Independent assessment: The independent AsBo follows the application of the
whole CSM RA risk management process and provides a SAR to the proposer,
giving an assessment of the suitability of both the application of the risk
management process and of its results. However, the proposer remains responsible
for safety and takes the decision to implement the proposed change or not.
i) Conclusion: In order to complete the CSM RA process the change proposer must
have demonstrated to the AsBo that the risk management process has been
suitably applied and that identified safety requirements have been complied with;
this is assessed in the AsBo's SAR. The proposer then produces a written
declaration (as described in Article 16 of the CSM RA regulation) that all identified
hazards and associated risks are controlled to an acceptable level.

Figure 2: The CSM RA risk assessment process

G3.3 CSM RA for TSIs and 'safe integration' with an existing system

G3.3.1 In addition to fulfilling the requirements under the CSM RA regulation, use of the
CSM RA process is also required to fulfil requirements under the Railways
(Interoperability) Regulations 2011 (RIR 2011) for the application of TSIs; the CSM
RA regulation (Article 2(3)) states:

This Regulation shall apply also to structural sub-systems to which Directive 2008/57/EC applies:
(a) if a risk assessment is required by the relevant technical specification for
interoperability (TSI); in this case the TSI shall, where appropriate, specify which
parts of this Regulation apply;
(b) if the change is significant as set out in Article 4(2), the risk management
process set out in Article 5 shall be applied within the placing in service of structural
sub-systems to ensure their safe integration into an existing system, by virtue of
Article 15(1) of Directive 2008/57/EC.

G3.3.2 In both these cases, where application of the CSM RA is required, there would be no
need to carry out a significance test.
G3.3.3 Where a TSI mandates use of the CSM RA, the TSI generally indicates which parts of the
CSM RA process apply.
G3.3.4 Commission recommendation 2014/897/EU (39) contains guidance on matters
related to the placing in service and use of structural subsystems and vehicles under
Directives 2008/57/EC and 2004/49/EC and the use of the CSM RA; it describes the
use of the term 'safe integration' as follows:

The term 'safe integration' may be used to cover:
(a) safe integration between the elements composing a subsystem;
(b) safe integration between subsystems that constitute a vehicle or a network
project; and, for vehicles:
(c) safe integration of a vehicle with the network characteristics;
(d) safe integration of vehicles into the SMS of railway undertakings. This includes
interfaces between vehicles, interfaces with the staff who will operate the
subsystem, and maintenance activities by an ECM;
(e) safe integration of a train with the specific routes it operates over; and for
network projects:
(f) safe integration of a network project with the vehicle characteristics defined in
TSIs and national rules;
(g) safe integration with adjacent parts of the network (line sections);
(h) safe integration of network project into the SMS of the infrastructure manager.
This includes interfaces with the staff who will operate the network project, and
maintenance activities by the infrastructure manager or its contractors;
(i) safe integration of a network project with the specific trains operating over it.

G3.3.5 The Railways (Interoperability) Regulations 2011 (RIR 2011) transpose the Railway
Interoperability Directive 2008/57/EC ('the Directive') into UK law and came into
force on 16 January 2012. RIR 2011 require new, upgraded, or renewed structural
subsystems or vehicles to be authorised to be placed in service, before they can be put
into use on the mainline railway network in the UK (that is, before they are 'used on
or as part of the rail system in the United Kingdom for the transportation of
passengers or freight or for the purpose for which it was designed').
G3.3.6 RIR 2011 require three elements to be checked before a vehicle or new infrastructure
is placed in service, where 'placing in service' means all the operations by which a
subsystem is put into its design operating state:
a) That it meets the essential requirements (that is, the specific requirements set out
in Annex III of Directive 2008/57/EC relating to safety, reliability and availability,
health, environmental protection, technical compatibility, and accessibility to
persons with disabilities and/or reduced mobility), including application of the
CSM RA where mandated.
b) That it is technically compatible with the system into which it will be integrated.
c) That it can be 'safely integrated' - assured by application of the risk management
process set out in the CSM RA.
G3.3.7 The use of the CSM RA risk management process requires independent assessment of
the correct application of that risk management process by an AsBo, which produces
a SAR. The report should confirm whether the proposer has presented suitable
evidence that the requirements of safe integration have been met.
G3.3.8 Where a proposed change is also within the scope of RIR 2011, then a Notified Body
(NoBo) will also be appointed to undertake assessment and certification of
compliance with relevant TSIs. The principle of the work of the AsBo not duplicating
the work of the NoBo is further explained in G5.4.4.

G3.4 The CSM RA within a programme or large project

G3.4.1 This section gives an overview of some of the aspects of applying the risk assessment
process in the context of a programme of work or large project. However, every
project or programme of work is different and can be simple or complex; therefore,
the principles should be adjusted to be appropriate and proportionate to the
individual project. The safety plan is where the project should set out and agree how
risk management activities will be integrated into the project stages, and should
identify the intended key outputs, such as interim safety stage gate material. The safety plan
should also recognise the role of the CSM RA within a change project where other
independent assessment is being undertaken, for instance where a NoBo is also
appointed under RIR 2011. The safety plan may form part of a system integration
plan.


G3.4.2 Referring to the framework described in 'Taking Safe Decisions', risk management is
integral to any SMS and involves monitoring safety, analysing options for safety
improvement, and implementing safety changes. Consequently, it follows that risk
management should already be considered to some degree right from the beginning
of a change project at the initiation, concept and feasibility stages. For potentially
complex projects, it may be appropriate to formulate an initial safety plan and
undertake preliminary hazard identification activity to support option selection and
to inform the CSM RA significance test activity. The level of detail should be
appropriate to the early stage of the project and the complexity of the proposed
change.
G3.4.3 At the specification stage of a project the system definition should be more
substantial in order to be used as the basis for hazard identification and risk
evaluation. If the change is significant and being implemented under the CSM RA, an
AsBo should be appointed. An Independent Assessment Plan should then be
developed by the AsBo in consultation with the proposer so that the remit, scope and
depth of assessment is agreed with clear objectives. The safety requirements
identified at the specification stage should be incorporated into the system
definition, which will be taken forward to detailed design. Depending on the project,
the AsBo may produce SARs at defined stages within a programme. This is an
important consideration in the safety plan for a programme and large projects.
G3.4.4 At the detailed design stage of a change project, the hazard identification and risk
evaluation material should be reviewed and revised in light of emerging system
information, and improved understanding of assumptions. This process should
confirm whether the system definition and identified safety requirements are still
valid and appropriate, or whether they need to be further updated. It is usual that the
process of reviewing and revising the system definition, hazard identification, risk
evaluation, and safety requirements is iterative before final versions are agreed.
G3.4.5 When the change is implemented, commissioned and/or handed over to the final
users/operators of the change, the system definition should be updated to reflect the
'as built' or actual change made. Equally, the hazard records should be reviewed to
ensure they reflect the final change implemented, and confirm the safety
requirements have been complied with.
G3.4.6 Prior to implementing a change, the proposer of the change under the CSM RA will
receive a SAR from the AsBo. This should be used to support the proposer's
declaration that all identified hazards and associated risks are controlled to an
acceptable level. For all changes, whether significant or not, the system definition,
hazard management records, safety requirements and assumptions should be made
available to the final 'user' of the changed system, which will become part of their
SMS for ongoing monitoring and managing of risk.

G3.5 The CSM RA and the Construction Design and Management Regulations

G3.5.1 The Construction Design and Management Regulations 2015, also known as the CDM
Regulations, detail the process for planning, controlling and executing construction
projects. A construction project includes many of the types of physical changes to the
railway infrastructure that would be within scope of the CSM RA. The regulations
place responsibilities on various duty holders to ensure projects are carried out in a
way that secures health and safety. The CDM Regulations require arrangements for
managing a construction project, to ensure that the construction work can be carried
out, so far as is reasonably practicable, without risks to the health or safety of any
person affected by the project. CDM includes the requirement to identify the
measures that should be taken to control the risks to health and safety (throughout
the life cycle of a construction project), by avoiding risks where possible, evaluating
those risks that cannot be avoided, and putting in place proportionate control
measures. The regulations cover management of risk associated with design and
construction, the maintenance activities once the project is complete, and eventual
de-commissioning.
G3.5.2 The principal aim of CDM is to protect the workforce and other persons who may be
affected by the construction work. From an operational safety perspective, CDM also
requires the designer to ensure the occupational health and safety of any person who
may be maintaining what they have designed, or using the structure or facility as a
place of work.
G3.5.3 The CSM RA is focused on the safety level of the changed operational railway system;
this includes all changes whether engineering 'construction' (as defined by CDM),
operational, or organisational. The CSM RA also includes 'non-construction'
engineering changes such as changes to trains. The CSM RA applies to any significant
technical, operational or organisational change to the railway system. It uses the risk
acceptance principles of Codes of Practice, comparison with Reference Systems, and
Explicit Risk Estimation, including the application of the SFAIRP principle, where
applicable, ensuring safety so far as is reasonably practicable. The scope of the CSM
RA includes the safety of workforce, passengers and members of the public affected
by the proposed change.
G3.5.4 In this way CDM and the CSM RA have some similarities in approach to risk
management, and there may be opportunity to integrate or re-use some risk
management material. CDM and the CSM RA overlap in the types of hazards and risk
they manage, but their scope is different, although some hazards may be in scope of
both CDM and the CSM RA. The regulations are not identical, and application of CDM
will not necessarily fulfil the requirements of the CSM RA.
G3.5.5 Hazards within the boundary of a CDM construction project are relevant to the scope
of a CSM RA assessment if they have the potential to impact operational safety
outside the construction project physical boundary or time boundary (that is, in the
operational phase, after construction project completion).

G3.6 Further advice on risk assessment and the CSM RA process

G3.6.1 The RSSB website (www.rssb.co.uk) contains additional information on how safety is
taken into account when taking decisions in the document 'Taking Safe Decisions'.
Additionally, there is also guidance on aspects of wider risk management and risk
assessment, including templates.
G3.6.2 Detailed advice on the CSM RA regulation's requirements, its scope and the
significance test that triggers the requirement to apply the risk management process
in full, is set out in the ORR's guidance on the CSM RA (orr.gov.uk). The guidance also
contains information on the relationship between the CSM RA and other risk
assessment requirements, such as the requirement for a 'suitable and sufficient' risk
assessment.
G3.6.3 The European Union Agency for Railways website (www.era.europa.eu) contains
guidance material on the application of aspects of the CSM RA.
G3.6.4 Commission recommendation 2014/897/EU on matters related to the placing in
service and use of structural subsystems and vehicles under Directives 2008/57/EC
and 2004/49/EC contains guidance on the use of the CSM RA in the context of these
directives (particularly recommendations 38-41).
G3.6.5 ISO Guide 73:2009 contains definitions of commonly used risk management
vocabulary and ISO 31000:2009 contains material on risk management principles,
risk management frameworks and risk management processes. The related standard
EN 31010:2010 contains details of risk assessment techniques which may be useful to
support application of the CSM RA.
G3.6.6 EN 50126 for railway applications on the specification and demonstration of
reliability, availability, maintainability and safety, contains useful guidance on
aspects of risk assessment.
G3.6.7 HM Treasury's document 'The Orange Book' provides a basic introduction to the
concepts, development and implementation of risk management processes in
government organisations. https://www.gov.uk/government/publications/orange-book
G3.6.8 RSSB research project T1049 contains example guidance on safe integration:
operating non-mainline vehicles on mainline infrastructure. This includes guidance on
how the CSM RA is used to support application of TSIs, placing in service, and putting
into use, a new sub-system. (www.sparkrail.org)
G3.6.9 Further information on implementation of the CDM Regulations is available on the
HSE website - http://www.hse.gov.uk/construction/cdm/2015/index.htm.


Part 4 The CSM RA Significance Assessment


G4.1 The significance judgement for application of the CSM RA

G4.1.1 Before starting the CSM RA risk management process, a change proposer will
determine if the proposed change affects safety. If so, then the proposer needs to
consider whether the change is significant under the terms of the CSM RA regulation.
This should be thought of as a high-level initial judgement and should not normally
be a complex activity. A simple qualitative assessment is sufficient in most cases.
G4.1.2 Where the CSM RA is being used to support application of TSIs and 'safe integration'
before placing in service of structural sub-systems under Directive 2008/57/EC, the
significance test is not required. For further information on this use of the CSM RA,
guidance is available in Commission recommendation 2014/897/EU on matters
related to the placing in service and use of structural subsystems and vehicles under
Directives 2008/57/EC and 2004/49/EC.
G4.1.3 If a change is deemed to be significant, then the regulation requires the proposer to
apply the CSM RA risk management process, and to appoint an independent AsBo to
assess application of the process.
G4.1.4 If the change is deemed to be not significant under the CSM RA, the reasons should
be recorded and risk management should be carried out under the normal
requirements of a SMS. A change proposer may choose to apply some or all of the
CSM RA risk management process as it represents good practice, and contains
principles that should be applied to carry out a suitable and sufficient risk assessment.
G4.1.5 The ORR guidance on the CSM RA (Annex 1) contains detailed advice on determining
the significance of a change. The following sections give a brief summary.
G4.1.6 To determine if the change is significant, a preliminary system definition should be
developed to bring together preliminary safety and hazard material along with a
clear high-level system objective. Early project deliverables, such as a project remit,
feasibility studies, etc., may provide some of the information needed to develop the
preliminary definition.
G4.1.7 Given its proposed use to support the significance test, the preliminary system
definition needs to contain enough information to allow the significance criteria in
the regulation to be considered effectively. The CSM RA regulation (Article 4(2))
states that:

When the proposed change has an impact on safety, the proposer shall decide, by
expert judgement, the significance of the change based on the following criteria:
(a) failure consequence: credible worst-case scenario in the event of failure of the
system under assessment, taking into account the existence of safety barriers
outside the system;
(b) novelty used in implementing the change: this concerns both what is innovative
in the railway sector, and what is new just for the organisation implementing the
change;
(c) complexity of the change;
(d) monitoring: the inability to monitor the implemented change throughout the
system life-cycle and take appropriate interventions;
(e) reversibility: the inability to revert to the system before the change;
(f) additionality: assessment of the significance of the change taking into account
all recent safety-related modifications to the system under assessment and which
were not judged as significant.

G4.1.8 The following paragraphs provide guidance on the detail that a proposer of a change
should consider in order to determine whether the change is considered significant
against the criteria.
G4.1.9 Additionality: The ORR Guidance suggests that 'additionality' should be considered
first in the significance assessment, as it helps set the scope of the change that is to
be assessed. The description of the wider programme of work might help with
considering the idea of 'additionality' and whether there have been small related
changes which have been deemed to be individually non-significant but which, when
considered together, could be significant. Not all the non-significant changes need be
considered. The proposer need only consider the changes that contribute to one of
the same hazards as the change being assessed. For example, if a passenger vehicle's
exterior doors are being modified, it is not necessary to consider previous changes to
the saloon lighting within the vehicle.
G4.1.10 Failure consequence: At the early stage of a project, a detailed risk assessment is
unlikely to be available to identify the consequences of credible worst-case scenarios.
However, a preliminary high-level qualitative analysis can still be undertaken, which
should make use of available information. For example, the RSSB Safety Risk Model
(SRM) provides a useful qualitative checklist of railway system hazards and accident
types; this information can be used to identify hazards relevant to the project.
Alternative sources of information may be generic hazard lists or industry 'bow tie'
models etc. A better understanding of the safety barriers already in place might be
obtained by considering controls applied in similar projects. It may be helpful to
consider and review existing standards (for example, TSIs, RSSB-produced standards,
CEN/CENELEC standards, ISO/IEC standards, company standards, etc.) that relate to
any hazards identified at this stage.
G4.1.11 Novelty: In order to consider the novelty of the proposed change, it is necessary to
produce a description of where and when, in implementing the change, it is planned
that novel equipment, configurations of equipment or operating practices are to be
used. It may also be helpful to identify where there are uncertainties about the exact
nature of the solution at this preliminary stage, and where novel systems or processes
could be used (for example, where it is known that a certain system is needed but no
decision has been made about which particular supplier to source it from). In
particular, it is important to understand the overlap between novelty and safety risk,
such as where a novel system is planned to be used to deliver some safety-critical
functions of the railway. Novelty is not restricted to changes that are new to the
railway industry or the UK. The scope of novelty includes where a change is new or
different to the organisation or team that is implementing the change or to those
who will operate it.


G4.1.12 Complexity: Complexity of a system may relate to its function, operation or
technology. A system, such as an engineered system on the railway, can be complex
in its function or technology, and therefore a full description would assess that
complexity. In the case of organisational complexity, some description of the
particular organisational structure and contractual arrangements that are to be used
to deliver a given change project would also be useful.
G4.1.13 Monitoring: Monitoring is the ability to detect when a change is not performing in
accordance with assumptions and results of a risk evaluation and assessment. With
respect to the ability to monitor the safety of a changed system, the RSSB document
'Measuring Safety Performance' provides guidance on monitoring safety
performance. The key to monitoring is the ability to intervene in time to prevent an
accident occurring.
G4.1.14 Reversibility: Many factors affect whether a system can be reverted to its
previous state if the change is found to be inappropriate. A description of the
wider programme of projects into which the individual change project fits might help
in considering the ability to revert to the system before the change, because it is
likely that other change projects will place constraints on the individual change
project. Subsequent work may also depend on delivery of the change, meaning that
there is no possibility of going back. This includes considering other change projects
undertaken before the current one is delivered, and those planned for subsequent
work. Other issues that might affect the 'reversibility' of the project could include the
loss of key skills, staff or equipment needed to revert to the previous way of working.


Part 5 Planning for Application of the CSM RA


G5.1 Overview of safety planning for the CSM RA

G5.1.1 In order to achieve the objectives of a risk assessment efficiently, effectively, on time
and to budget, it is good practice to plan the activities and resources that will be
needed. A plan typically describes the background to the project, with the scope of
the intended change. It should outline the planned approach for the risk
management activities and methods of working. It should include details of roles and
responsibilities, including stakeholders who are directly and indirectly supporting the
safety work. It may contain details of timing and required resources, and links to the
overall project schedule with possible dependent stage gates. The plan should also
explain any interfaces with related safety work, such as the CSM RA, CDM and EN
50126 activities. If a project is complex it is likely that the initial plan will have to be
revisited and updated as a project progresses and the safety management strategy is
refined.
G5.1.2 The CSM RA regulation (Annex I, point 1.1.6) states that:

The first step of the risk management process shall be to identify in a document, to
be drawn up by the proposer, the different actors' tasks, and their risk management
activities.

G5.1.3 In this way, the CSM RA regulation requires the change proposer to develop a plan,
which should describe the arrangements for applying the CSM RA process. This will
ensure that the objectives of the risk management principles are successfully and
efficiently achieved. For a change that is considered not to be significant under the
CSM RA, it is also good practice to produce a safety plan, proportionate to the
planned change, covering the same risk management principles.

G5.2 Planning a simple CSM RA application

G5.2.1 For a very simple change, a safety plan could be a single page, or even an email,
outlining the nature of the proposed change, the safety activities expected to be
carried out (such as meetings or assessments) and who will be carrying out the work,
either directly or in a supporting role. The plan may include details of how the work
will be concluded or judged acceptable.

G5.3 Contents of a safety plan

G5.3.1 The CSM RA regulation (Annex I) states that the proposer will have to document CSM
RA activities in the following way:

5.1. The risk management process used to assess the safety levels and compliance
with safety requirements shall be documented by the proposer in such a way that all
the necessary evidence showing the suitability of both the application of the risk
management process and of its results are accessible to an assessment body.

5.2. The documentation produced by the proposer under point 5.1 shall at least
include:
a) a description of the organisation and the experts appointed to carry out the risk
assessment process;
b) results of the different phases of the risk assessment and a list of all the
necessary safety requirements to be fulfilled in order to control the risk to an
acceptable level;
c) evidence of compliance with all the necessary safety requirements;
d) all assumptions relevant for system integration, operation or maintenance, which
were made during system definition, design and risk assessment.

G5.3.2 Key outputs of the application of the CSM RA process include the various pieces of
evidence demonstrating its suitable application. These outputs should provide
evidence that risk has been appropriately managed, and provide demonstrable
evidence that is suitable for review by others, such as the AsBo. The safety plan
should describe how this evidence is to be produced and documented.
G5.3.3 The safety plan would typically contain the following elements:
a) Background to the project.
b) Initial system definition and scope of change.
c) Roles and responsibilities.
d) The planned approach for:
i) System definition development.
ii) Hazard identification and classification.
iii) Detailed risk analysis and evaluation.
iv) Development of safety requirements.
v) Hazard management.
vi) Programme of activities and timescales.
vii) Deliverables.
viii) Independent assessment.
ix) Safety approvals, acceptance or authorisation.

G5.4 Aspects of planning for application of the CSM RA

G5.4.1 Purpose of the safety plan


G5.4.1.1 The purpose of a safety plan includes:
a) It documents the responsibilities and activities to apply the risk management
processes.
b) It encourages thought and discussion about the process amongst the various
actors who will be involved in delivering it.
c) It provides clarity as to what the objectives and outputs of the work will be.

d) It provides the basis to budget resources within a proposer's organisation, and to
budget and tender for external companies to contribute to a CSM RA application.
G5.4.1.2 Good planning will result in cost savings, more efficient working, better co-ordination
and fewer errors and re-working.
G5.4.1.3 Application of the CSM RA process is complementary to the proposer's existing
arrangements for the management of safety and any processes that the proposer is
required to undertake to meet other legislative requirements, such as the
Management of Health and Safety at Work Regulations. The safety plan should
describe how these related risk management activities are integrated to avoid
duplication and improve efficiency.
G5.4.1.4 When a change is not considered significant for full application of the CSM RA, then a
proportionate safety plan for its assessment under the proposer's existing SMS
arrangements should be developed.

G5.4.2 Project life cycle issues in safety planning


G5.4.2.1 The main steps of the CSM RA process to be considered when planning a safety
related change are shown in Figure 2. The plan therefore should set out specifically
how the elements of this process will be applied for a given change. The intent in
applying the process is to ensure that risks are controlled to an acceptable level and
also provide a transparent demonstration of this. Guidance on how to undertake each
element of the process is provided in other parts of this guidance note.
G5.4.2.2 Good safety planning early in any change project will significantly reduce the
likelihood of problems and extra costs at later stages. There are seven basic
components of a good safety plan:
a) What: describes what the work involves, including details of the tasks that need to
be done and the records required. The level of detail should reflect the needs of
the people using the plan and the consequence or costs of doing the wrong thing.
b) How: describes the method, often referring to a procedure or specification.
c) Where: describes the locations in which the work will take place.
d) When: describes the overall timescales, the order in which tasks are to be done
and their durations.
e) Who: names the people responsible for doing the work, contributing to it and
checking it.
f) With: describes the resources to be used (tools, materials, plant, supplier resources
etc).
g) Why: describes the rationale for the work so that it can be related back to an
organisation's goals and the overall railway goals.
G5.4.2.3 The CSM RA process is not usually expected to be run through in one single pass; it is
likely that the proposer of a change will need to undertake iterations of all or parts of
the process as shown in Figure 2. The safety plan should consider the iterative nature
of the process and the necessary review and revision cycles as the project develops.
For complex projects, with several work streams, there may need to be numerous
iterative cycles before a consistent and final set of system definitions, safety
requirements and assumptions are reached. For example, hazard identification and
risk analysis may generate new safety requirements, which in turn may introduce new
hazards or change the assumptions made in the original system definition, requiring
further risk analysis and further refinement or revision of the safety requirements.
Similarly, as new project information emerges and safety assessment material is
produced, it may be necessary to review and revise the safety plan itself to ensure it
guides risk management activities appropriately and efficiently.
G5.4.2.4 The CSM RA process ends when:
a) The proposer is content that all safety requirements are fulfilled and no additional
reasonably foreseeable hazards have to be considered.
b) The proposer can demonstrate that all identified hazards and associated risks are
controlled to an acceptable level.
c) The AsBo has provided the proposer with a SAR to support the proposer's claims.
d) The proposer produces a written declaration that all identified hazards and
associated risks are controlled to an acceptable level.
G5.4.2.5 Following completion of a change project the CSM RA regulation (Annex I, point
4.1.1) states that:

...once the system has been accepted and is operated, the hazard record shall be
further maintained by the infrastructure manager or the railway undertaking in
charge with the operation of the system under assessment as an integrated part of
its safety management system.

G5.4.2.6 In this way, the safety plan should take into account the planned content of the
hazard record and related safety material that is to be handed over at the closure of
the change project.

G5.4.3 Roles and responsibilities in safety planning


G5.4.3.1 The CSM RA regulation states that:

Independently from the definition of the system under assessment, the proposer is
responsible for ensuring that the risk management covers the system itself and its
integration into the railway system as a whole. (Annex I, point 1.2.7)
And:
The first step of the risk management process shall be to identify in a document, to
be drawn up by the proposer, the different actors' tasks, and their risk management
activities. The proposer is responsible for coordinating close collaboration between
the different actors involved, according to their respective tasks, in order to manage
the hazards and their associated safety measures. (Annex I, point 1.1.6)
And:
The proposer shall ensure that risks introduced by its suppliers and its service
providers, including their subcontractors, are also managed in compliance with this
Regulation. To this end, the proposer may require through contractual
arrangements that its suppliers and its service providers, including their
subcontractors, participate in the risk management process set out in Annex I. (Article 5, point 2)

G5.4.3.2 Although a change may involve many stakeholders, from both within and outside the
proposer's organisation, the proposer ultimately is responsible for the control of risk
associated with the change, the application of the CSM RA process, and
demonstrating that the change is safe. The safety plan should identify all those
stakeholders, referred to as 'actors' in the CSM RA regulation, who will be needed to
support and contribute to the proposer's safety activities either directly or indirectly.
It should explain what is expected of stakeholders and may need to reference
resources and contractual arrangements to cover suppliers' and contractors'
responsibilities. A list of potential actors is given below:
a) CSM RA Proposer: overall responsibility for producing a written declaration that all
identified hazards and associated risks are controlled to an acceptable level.
b) Department for Transport / Transport Scotland.
c) Project Sponsor / Project Manager.
d) Other IM/RU involved with / impacted by change (may be the proposer for an
associated change).
e) Supplier supplying off-the-shelf type products to set standards / specifications.
f) Supplier designing to prescribed design.
g) Supplier designing using CSM RA.
h) CSM RA AsBo.
i) Independent Safety Assessor (ISA) working to EN 50126.
j) Notified Body (NoBo).
k) Designated Body (DeBo).
l) ORR as the GB National Safety Authority (NSA).
m) Final Operator / Maintainer.
n) Interfacing Operator / Maintainer.
G5.4.3.3 The various stakeholders may need to supply information, contribute to safety
related meetings/workshops, review safety material, provide evidence of compliance,
accept and approve safety claims etc, in order to support the proposer's final
declaration that all identified hazards have been controlled to an acceptable level.
The list of stakeholders will be different for each project.
G5.4.3.4 Where a safety plan identifies companies external to the proposer, then the tasks and
activities will need to be agreed commercially. Unlike the CDM Regulations, CSM RA
only places a legal duty on the proposer. It is important for a project to plan costs and
budget implications for safety planning at an early stage.
G5.4.3.5 The CSM regulation requires a safety plan. Good planning and coordination of work
with others who are involved in the risk management process at an early stage is
likely to increase the chance that the CSM RA process will be effectively applied,
hazards will be suitably understood, project costs reduced, and the project's
objectives will be achieved. For example, the change proposer might not be best
placed to understand the operational impact of that change and so should
coordinate with others who do.

G5.4.3.6 For the application of the CSM RA, the proposer of a change to the system has overall
responsibility for the risk management process. Moreover, the regulation specifically
allocates to the proposer responsibility for certain aspects of the CSM RA process
discussed in this document, including:
a) Choosing the risk acceptance principles to apply (CSM RA preamble point (11)).
b) Ensuring that risks are managed (CSM RA Article 5(2)).
c) Maintaining a hazard record (CSM RA Annex I, point 1.1.3).
d) Deciding, with the agreement of the actors concerned, who will be responsible for
implementing each safety requirement (CSM RA Annex I, point 1.1.5).
e) Co-ordinating close collaboration between the different actors involved, according
to their respective tasks (CSM RA Annex I, point 1.1.6).
f) Co-ordinating the management of risk at interfaces (CSM RA Annex I, point 1.2.1).
g) Resolving conflicts regarding the management of risk (CSM RA Annex I, point
1.2.5).
h) Ensuring that the risk management covers the system itself and its integration
into the railway system as a whole (CSM RA Annex I, point 1.2.7).
G5.4.3.7 However, the regulation recognises that the proposer will often have to delegate
parts of the risk management process (CSM RA Article 5(3) and Annex I, points 1.1.5
and 1.1.6). Similarly, there are shared responsibilities such as where the proposer, with
the support of other involved actors, analyses whether one, several, or all hazards are
appropriately covered by the application of relevant codes of practice (CSM RA Annex
I, point 2.3.1).
G5.4.3.8 Where delivery of the change is being led by a prime contractor or supplier, it will
probably make sense to assign much of the day-to-day operation of the risk
management process to the contractor or supplier. If a proposer does this, they
should bear in mind that the contractor or supplier will rarely be responsible for
delivering the whole system, as this is likely to include changed operational and
maintenance procedures for which the proposer will be responsible. It will seldom
make sense to attempt to delegate aspects of the proposer's core business.
G5.4.3.9 Delivering a safe system always requires cooperation and collaboration. This may be
facilitated by forming cross-industry integrated safety teams as part of a project's
organisation. This does not remove the overall legal responsibilities of the proposer
under the CSM RA.
G5.4.3.10 This collaborative approach is likely to extend to other parties, such as other IMs and
RUs at interfaces. The CSM RA regulation (Annex 1, sections 1.2 and 1.2.1) states:

...rail-sector actors concerned shall cooperate in order to identify and manage jointly
the hazards and related safety measures that need to be handled at these
interfaces.

G5.4.3.11 However, it is always the proposer who leads this process as the CSM RA regulation
(Annex 1, section 1.2.1) states:

The management of shared risks at the interfaces shall be coordinated by the
proposer.

G5.4.4 Efficient application and avoiding duplication of work in safety planning


G5.4.4.1 The potential for duplication of effort should be identified and understood at the
start of a project, so that the safety plan, and any supporting contractual
arrangements, can be developed to integrate safety activities and avoid duplication.
G5.4.4.2 The Railway Interoperability Regulations 2011 (RIR 2011) require new, upgraded, or
renewed structural subsystems or vehicles to be authorised to be placed in service,
before they can be put into use on the mainline railway network in the UK (that is,
before they are 'used on or as part of the rail system in the United Kingdom for the
transportation of passengers or freight or for the purpose for which it was designed').
Compliance with these regulations requires any changed railway structural sub-
systems to be independently checked by a NoBo for compliance with the TSIs and by
a Designated Body (DeBo) for compliance with Notified National Technical Rules
(NNTRs). Additionally, there are some cases where a TSI mandates the use of the
CSM RA. The approach to these streams of safety work should be integrated in the
CSM RA safety plan to minimise duplication of work.
G5.4.4.3 Where a technical system is being designed and developed, various standards or
guidance documents may be used which have requirements that overlap with the
CSM RA activities. Key amongst these is the suite of RAMS (Reliability, Availability,
Maintainability and Safety) European harmonised standards: EN 50126, and domain
specific standards such as EN 50128 and EN 50129. These standards encompass
various aspects of risk management activity which, in many cases, have similar
objectives to CSM RA activities. In general, application of EN 50126 requires an
independent assessment of compliance to the requirements of the standard. To avoid
duplication of effort, safety work being carried out in the project under EN 50126 etc
should be considered in a CSM RA safety plan, especially the co-ordination of
independent assessment of compliance with the Euronorms and independent
assessment by an AsBo for the CSM RA processes. Further guidance on this issue is
given in the EU Agency for Railways Explanatory Note on the CSM RA AsBo.

G5.5 Further advice on planning for application of the CSM RA

G5.5.1 The RSSB website (www.rssb.co.uk) contains additional information, including
templates, on how to plan risk management activities for the CSM RA.
G5.5.2 Euronorms EN 50126 to EN 50129 contain guidance material which may be useful in
planning and integrating engineering safety management activities.

Part 6 System Definitions


G6.1 Overview of system definitions

G6.1.1 Development of a suitable system definition is a critical part of any successful risk
assessment process. It will form the basis of hazard identification and risk analysis at
the various stages of a project, and so should be treated as a live, evolving document
(although it could take other forms such as spreadsheets, specifications, flow
diagrams, system architecture diagrams, photographs, charts or other graphical
representations etc). At each stage of a project, the system definition should be
maintained with the most up-to-date set of assumptions, which will inform the risk
assessment work. At the end of the project a final system definition will be handed
over as part of the ongoing hazard management record to be incorporated into the
operational SMS.
G6.1.2 The system definition fulfils two roles. The first is to provide sufficient background
information for hazard identification and risk analysis. The second is as a repository
of the identified safety requirements and project assumptions as the project develops
and once the risk assessment process has been completed.
G6.1.3 The amount of detail in a system definition will depend on the project; some may be
a simple single page explaining the proposed change, others may be a more complex
record with supporting documentation. The level of detail should be sufficient to
support the hazard identification process and risk analysis, and so should be
proportionate to the size and nature of the change project. The safety plan should
determine the complexity of the project and define a suitably proportionate
approach.
G6.1.4 The guidance on system definitions in the following section is also relevant when
carrying out risk assessment outside of a formal CSM RA application.

G6.2 System definitions for the CSM RA

G6.2.1 Production of a system definition is the first step in a risk management process and it
provides the basis for hazard identification, risk analysis and risk evaluation.
G6.2.2 The details of a change project develop throughout its duration, and so it is necessary
to review the system definition at various stages of the process. This is emphasised on
the CSM RA process diagram in Figure 2, which specifically shows how safety
requirements identified in the risk analysis should be used to revise the system
definition. It is also likely that in most projects there will be further layers of iteration
as new project information emerges and understanding of the change develops.
G6.2.3 The system definition provides:
a) A basis for assessment.
b) An understanding of the system scope, interfaces and boundaries.
c) A record of the assumptions on which the ultimate safety demonstration will rely.
d) A record of the safety requirements which will need to be put in place to deliver a
safe change; these will be identified and evolve as the safety assessment and
project progresses.

G6.3 Contents of a system definition

G6.3.1 CSM RA system definition requirements


G6.3.1.1 A system definition provides the key details of the system that is being changed and
how it is being changed - its purpose, functions, interfaces and the existing safety
measures that apply to it. The CSM RA regulation (Annex I, point 2.1.2) states that:

The system definition should address at least the following issues:
a) system objective, e.g. intended purpose;
b) system functions and elements, where relevant (including e.g. human, technical
and operational elements);
c) system boundary including other interacting systems;
d) physical (i.e. interacting systems) and functional (i.e. functional input and output)
interfaces;
e) system environment (e.g. energy and thermal flow, shocks, vibrations,
electromagnetic interference, operational use);
f) existing safety measures and, after iterations, definition of the safety
requirements identified by the risk assessment process;
g) assumptions which shall determine the limits of the risk assessment.

G6.3.1.2 These elements are explained in the following sections.

G6.3.2 System objective


G6.3.2.1 A system definition should start with defining the system objective, which is typically
a short statement of the purpose and function of the changed system, whether it is a
technical, operational or organisational change. Depending on the type of change, it
is useful to explain the reason for the change, such as if it is for a specific
improvement in capacity, safety, or reduction in cost. This information does not
necessarily directly support the risk analysis exercise, but does provide useful context.

G6.3.3 System function and elements


G6.3.3.1 In order to understand the safety of a system, it is important to understand not just
the technical elements of the system and their function, but also organisational and
operational procedures, human actions required and SMS. This is equally important
for technical, operational and organisational changes. Describing the various
functions and procedures in a clear way provides a sound basis for a structured
hazard identification and risk analysis. Often, early in a project, some of the
operational and procedural aspects remain to be defined, in which case assumptions
should be made and recorded so that they can be confirmed or updated at a later
stage of the project.
G6.3.3.2 Hazards often exist during non-standard modes of operation (for example, degraded
or emergency working). It is important to understand the risk associated with these
modes of operation for the system under consideration, and so these should be
defined in the system definition, including how they may affect the people as part of
the system change.

G6.3.4 System boundaries, and physical and functional interfaces


G6.3.4.1 Defining the scope, boundaries and interfaces of a change is a key part of the system
definition.
G6.3.4.2 There is sometimes confusion about whether the system definition should be the
definition of a system or the definition of the change to the system. For CSM RA, the
regulation implies that it is the definition of the system after the change, as this is
what should be made safe. However, in order to make sure that the hazard analysis is
complete, all parts of the system should be defined that might be relevant to any
hazards created by the change, and it is necessary to understand the nature of the
change to make this judgement.
G6.3.4.3 An understanding of the boundary and interfaces with other systems will help the
proposer to identify other actors, parties or organisations, with whom agreement is
needed for implementation of safety requirements outside of the proposer's control.
Early understanding of the boundary and interfaces in the system definition enables
the key actors to be identified, creating the possibility for jointly planning work, and
ensuring that no interface gaps are overlooked.
G6.3.4.4 The regulation requires the boundary of the system to be defined, along with its
physical and functional interfaces. For example, the boundaries of the system might
include any of the following:
a) The limits of the railway (for example, the boundary between the railway and
public areas).
b) Different areas of the railway (for example, the lineside boundary).
c) Organisational or contractual interfaces, or limits of responsibility (for example,
the boundary between an RU's responsibilities and those of a manufacturer
delivering a system for them to use).
G6.3.4.5 An understanding of the boundary of the change is important to define and state the
limits of the change, and therefore the scope of the hazard identification and risk
evaluation activities. If it is found that safety requirements are needed beyond the
current boundary, then the boundary may need to be reviewed and expanded.
Assumptions about the nature of the railway or environment beyond the limits of the
boundary may need to be made to understand if they have an impact on the system
definition. As the project evolves, and assumptions are clarified, the understanding of
the boundary will improve and should be revised.
G6.3.4.6 Interfaces at the boundary of a system can be considered as points of interaction
during a system or subsystem life cycle, including operation and maintenance, where
different actors or parties of the rail sector will work together to manage hazards.
G6.3.4.7 Identification of the interfaces will indicate where a collaborative approach is needed,
by actors from either side of the interface, on how risk might be impacted by the
proposed change on either side of the interface. Safety requirements may be required
to control interface risk at the boundary of a system.

G6.3.4.8 Some interfaces across the rail system are understood and well specified, for example
in Railway Group Standards or TSIs. Where standards meet the criteria for 'Codes of
Practice', this can be an efficient way of addressing the hazards at these interfaces.
G6.3.4.9 There are other interfaces to consider such as:
a) Interfaces internal to the change that are under the direct control of the proposer
(but may cross internal systems or organisations).
b) Interfaces between the proposer's work and another actor's work, that are
internal to the system under change.
c) Interfaces internal to the change that are under the control of another actor.
d) Interfaces on the boundary of the change.
G6.3.4.10 The CSM RA regulation (Annex 1, point 1.2.5.) states that:

When agreement cannot be found between two or more actors it is the
responsibility of the proposer to find an adequate solution.

G6.3.4.11 Hence, a proposer would need to find some other way of managing risk to an
acceptable level if either:
a) Other actors do not agree or are not able to apply the safety requirements
identified for them by the proposer; or
b) Appropriate evidence that safety requirements have been met cannot be
obtained.
G6.3.4.12 Engineering change example interfaces: Considering an engineering change project
proposed by an IM to upgrade life-expired signalling assets in and around a small
station, the proposer might consider some of the following interfaces:
a) The interface between a new design and position of signal head and the driver of
the trains approaching it. This interface would be between the IM and the RU, and
there would be a need for the IM to ensure that the RU had implemented safety
requirements around appropriate training and briefing of drivers associated with
the new interface. National Technical Rules and National Safety Rules (for
example, contained in Railway Group Standards) define key requirements around
such an interface.
b) The interface between the train detection equipment and the signalling
interlocking. This would be an internal interface for the IM to consider in their
analysis.
c) The electromagnetic emissions from any equipment used might initially be
considered to cross the boundary of the change. An initial assumption might be
that the levels of emissions would not cause problems for rail and non-rail systems
outside the boundary. This assumption would need to be tested and might be
dependent on compliance with standards prescribing emission levels, for example.
d) Similarly, it might initially be assumed that emissions from systems external to the
change boundary would not impact on the functions of the signalling system, on
the basis of compliance with appropriate standards. This assumption would also
need to be tested; for example, where the signalling system was located near to
high-power radio transmissions systems.

G6.3.4.13 Operational change example interfaces: We can consider where an RU wishes to
change their dispatch procedures for a number of platforms from driver ‘look-back’ to
the use of platform-mounted cameras and monitors for viewing the train dispatch
corridor; in this case, some interfaces to consider might include:
a) The interface internal to the system boundary between the RU that is
implementing new procedures and the IM that is installing new lineside
equipment. The RU and IM need to work together to agree on which systems to
put in place (including technical systems and operational procedures), and how to
go about monitoring their use. Once implemented, the RU obtains evidence that
the IM had installed the cameras and monitors in accordance with the safety
requirements (for example by applying appropriate codes of practice). The IM also
provides evidence of the maintenance procedures that are to be applied.
b) The electrical signal sent from the train detection system to switch on the
platform monitors as the train approaches. This is fully under the control of the
IM. Evidence that this interface has been managed (including evidence that
safety requirements were derived according to the requirements of the CSM RA
regulation and their implementation demonstrated) would need to be passed to
the RU as the proposer of the change. The IM would also need to consider if this
aspect of the change has any ability to impact on other parts of the railway
system (for example the train detection interface with the rest of the control-
command and signalling sub-system) and if it was found that it did, this would
cause an extension of the boundary of the change.
c) An interface on the boundary of the system could be sources of light external to
the railway that might affect the ability to view the monitor. Initially assumptions
about the impact of these would be made but these assumptions would need to
be tested.
G6.3.4.14 Organisational change example interfaces: For organisational changes, the
interfaces and boundaries would include the shared information needed, shared
responsibilities or complementary processes and procedures across different
organisational structures. These interfaces could be internal or external, for example:
a) The interface between a RU and emergency services, when dealing with an
accident.
b) The interface between a maintenance department and operational department
within any transport operator.
c) The interface between a person planning a possession and the RU(s) whose
services will be affected by it.
G6.3.4.15 In some cases, there may be interfaces between actors that cross the life-cycle stages
of an overall project, in other words separated by time. For example, when new
technical systems are being developed, there is often an initial project to apply the
risk management process to the technical system itself. The boundary of this change
would be closely aligned to the boundary of the technical system. The proposer would
need to make assumptions around the interface of the technical system with its
future operation and maintenance. A later project, with a separate change proposer,
might involve the putting of that technical system into use. In this case, the proposer
would consider a different system boundary, with specific safety requirements
addressing operational use and maintenance of the technical system. Many of these
requirements would be the implementation of the assumptions of use of the
technical system derived from the initial application of the process.

G6.3.5 System definition - Boundaries of responsibility


G6.3.5.1 A system definition should explain the responsibilities of the various actors
or parties. Developing a system model with architectural and functional viewpoints
can be a useful input in defining a system boundary.
G6.3.5.2 The CSM RA regulation requires that all hazards and related safety requirements
which cannot be implemented by one actor alone should be communicated to other
relevant actors in order to coordinate and agree an adequate joint solution. This
means coordination of efforts to close hazards and implement safety requirements
across contractual and physical interfaces as well as at different stages of the project
life cycle.
G6.3.5.3 Actors in a supply chain supporting a change proposer may, in most circumstances,
undertake their own risk assessment process, and a set of safety requirements and
assumptions should be developed as a result. Effective communication between all
involved actors is therefore vital. As the project develops, assumptions may change.
Ultimately, it is the proposer's responsibility to understand all their safety
requirements falling within the scope of the project and their obligations under the
Regulation.
G6.3.5.4 Where an IM or RU is using a manufacturer's technical system as part of their project,
the manufacturer may not know the precise details of the environmental or
operational conditions in which the technical system will eventually operate. In this
case, the manufacturer records conditions for use for the safety of the technical
system, on the basis of the intended or most likely environment of use. The RU/IM will
review these conditions for use and consider the impact of any differences with the
intended environmental and operational conditions. The conditions for use would
therefore determine the technical system's initial limits of use, and be considered
'application conditions'.

G6.3.6 System definition - System environment


G6.3.6.1 The system environment characteristics are factors that can control or contribute to
hazards, or mitigate or exacerbate risk; accordingly, they are factors to be taken into
account in the risk assessment process. The system definition should consider where
and how the changed system will be used or put in place. The system environment
consists of anything that could influence or be influenced by the system. This may
include potentially relevant physical conditions such as, for example:
a) Temperature and humidity.
b) Shock and vibration.
c) Electromagnetic interference.
d) Noise.
e) Weather.
f) Lighting and illumination.
g) Visibility.

G6.3.6.2 Or operational conditions, such as:
a) Rules and procedures.
b) Staff competence.
c) Maintenance policies.
d) Vandalism.
e) Organisational arrangements.
f) SMS arrangements.
G6.3.6.3 The scope of EN 50125 'Railway applications - Environmental conditions for
equipment' covers the definitions and ranges of a number of environmental
parameters for rolling stock and on-board equipment, fixed electrical installations and
signalling and telecommunications.

G6.3.7 System definition - Safety measures and safety requirements


G6.3.7.1 Where the change relates to some existing part of the railway system, an existing set
of safety measures is likely to be in place already. These will be included in the
system definition so they can be considered in the subsequent risk assessment
process.
G6.3.7.2 The risk assessment process identifies safety requirements, which are further
measures that need to be implemented to demonstrate that the changed system
will operate with an acceptable level of risk. These then become part of the revised
system definition. Existing safety measures and newly identified safety requirements
can be recorded in the hazard record as it is developed. It may be practical to refer to
the hazard record as the primary list of safety requirements. All of the three CSM RA
risk acceptance principles (use of Codes of Practice, use of Reference system and
Explicit Risk Estimation) will identify safety requirements that should be complied
with to ensure that the changed system is safe. All of these safety requirements are
part of the system definition.

G6.3.8 System definition - Assumptions and other contextual information


G6.3.8.1 Stating assumptions provides a record of the particular circumstances for which the
risk assessment and derived safety requirements are valid. If these assumptions
change later, the risk assessment should be reviewed and, if necessary, revised.
G6.3.8.2 For example, if a change were being made to the dispatch arrangements for a certain
railway route, the change proposer would typically:
a) Define the planned procedure for dispatching trains, since it is through carrying
out this procedure, or failing to do so, that risks might arise. An assumption would
be that the procedures are usable and delivered to competent staff, and that there
is a good safety culture at the company, supporting the implementation of the
procedures.
b) Define the presence of dispatch-related equipment and its function (such as
door mechanisms and alarms, monitors, cameras or mirrors). This would allow a
structured analysis of how effectively these systems support the dispatch
arrangements, and consideration of how their failure might lead to a hazard.
c) Define the stock type in use (planned and reasonably foreseeable), carriage length
and number of carriages. This would help the risks associated with dispatch to be
understood, such as difficulty viewing the whole length of the train on dispatch.
d) Define issues in the environment that might cause risk, such as if a platform were
facing east-west, creating the possibility of a dispatcher having their visibility
impaired by having to look towards the sun when sending a train out at certain
times of the day.
e) Define the known passenger use profile of stations on the route, such as the
typical use profile, and potential sources of crowding. This would help the proposer
to understand the potential for crowding related risks to arise such as people
being pushed towards the train on dispatch, or an increased chance of people
being trapped in doors.
G6.3.8.3 Sometimes a generic system definition might be produced based on a set of
assumptions, and used to assess the risk of the change. Subsequently, a more
localised assessment might be carried out to refine the generic assumptions and
adjust the safety requirements to local conditions. For example, using the example
above, the dispatch risk might be assessed for a route using a general system
definition with generic assumptions. To complete a local risk assessment, a specific
local system definition might then be developed based on the generic definition,
containing more information about the specific nature of the dispatch arrangements
and characteristics of the particular platform.
G6.3.8.4 Some assumptions may take the form of safety requirements that other actors are
anticipated to implement (such as ongoing requirements for the maintenance of a
technical system). Such assumptions are sometimes referred to as 'application
conditions' and should be recorded in the hazard record.

G6.4 Preliminary system definition to support a CSM RA significance test

G6.4.1 In order to determine whether a proposed change should be considered as significant,
and therefore to formally apply the CSM RA, a preliminary system definition is
needed. This should be proportionate to the amount of information available at the
early stage, and the potential risk that the change may introduce. Early project
deliverables, such as a project remit and scope, feasibility studies, preliminary hazard
identification (if available), etc. will provide some of the information needed to
develop this. Because there will be many uncertainties at this stage, it is important to
record all assumptions, which may need to be validated or updated at a later stage.
Should a change be determined to be significant, the preliminary system definition
will be used to support the development of a more detailed and complete system
definition, which will then be used to support further risk assessment activities.
G6.4.2 More information on the CSM RA significance test is given in Part 4.

G6.5 Iterative nature of system definitions

G6.5.1 As the details of a project emerge and are clarified in various project deliverables, and
the risk assessment process itself identifies new information and safety requirements,
the system definition should be updated. Figure 3 shows the iterative nature of the
system definition development through hazard identification, risk evaluation,
identification of safety requirements and revision of the system definition.

Figure 3: Iterative development of the system definition and safety requirements

G6.5.2 In complex changes, several companies, bodies, people or actors may be involved in
the development of the project detail. Some may be involved at the definition stage,
others may become involved at later stages. As the change implementation
progresses, however, each of the actors will clarify the detailed aspects of their own
work within the bigger project. This should be reflected in the system definition, which
may need several revisions during the life cycle of the change.

G6.6 Final system definition

G6.6.1 At the end of a project, to complete the risk assessment process, a final version of the
system definition should be produced, taking into account the complete final set of
safety requirements and finalised set of assumptions. This should be passed on to the
actor or party that accepts the changed system to be operated or managed. Some
safety requirements and assumptions will set out the limits and conditions of
operation which should be integrated into the ongoing SMS of the operation.
G6.6.2 The information included in the final system definition may have been captured in a
wide array of project documents and deliverables. It is important that these sources
are well documented so that the rationale and basis for safety requirements and
assumptions are clear and traceable. They may need to be reviewed and revised at
later stages of the system life.

G6.7 Further advice on system definitions

G6.7.1 The RSSB website (www.rssb.co.uk) contains additional information on how to
develop a system definition for risk assessment, including examples and templates.
G6.7.2 The ORR's guidance on the CSM RA contains guidance on system definitions,
including the preliminary system definition for the CSM RA significance test
(orr.gov.uk).
G6.7.3 EN 50126 for railway applications on the specification and demonstration of
reliability, availability, maintainability and safety, contains useful guidance on system
definitions, particularly in Annex D.
G6.7.4 EN 50125 'Railway applications - Environmental conditions for equipment' covers the
definitions and ranges of a number of environmental parameters for rolling stock and
on-board equipment, fixed electrical installations and signalling and
telecommunications.

Part 7 Hazard Identification


G7.1 Overview of hazard identification

G7.1.1 Identifying hazards is the foundation of the risk management process, and therefore
it is vital to identify a comprehensive and complete list of all reasonably foreseeable
hazards. A thorough hazard identification will provide the foundation for a complete
and effective risk assessment and evaluation of the proposed change. The hazard
identification stage is usually iterative, requiring review and revision as a project
develops and more information becomes available. The hazard record is the output of
the process and should be considered a live record.
G7.1.2 There are various approaches to the systematic identification of hazards. Some are
complex, costly and time consuming, others are simpler, quicker and require less
resource. Some approaches are desk-based (typically involving an individual working
alone), others are workshop-based bringing together expert knowledge in a
collaborative environment. A hazard identification exercise may involve a
combination of the two. The most basic hazard identification exercise might be a
simple meeting between subject area experts to discuss and record conclusions on
potential hazards. The underlying principle is that the process should be
proportionate to the potential risk of the change being proposed, taking into account
its complexity and novelty. The approach to hazard identification should be agreed
and outlined in the safety plan.

G7.2 What is a hazard?

G7.2.1 A hazard is a condition that could lead to an accident, in which there is harm to
people, assets or the environment. CSM RA is focused on hazards that may lead to an
accident resulting in injuries or fatalities.
G7.2.2 Hazards can be expressed in various ways and at various levels. The way a hazard is
expressed has implications for the way it is understood; therefore, hazards need to be
described very carefully, and the level of detail should be proportionate to the change
proposed.
G7.2.3 Depending on the nature of the change, hazards arising from security or cyber security
vulnerabilities, where these could affect safety, may also be relevant.
G7.2.4 As hazards are conditions, they could have different potential causes, sometimes
referred to as sub-hazards or precursors. For example, the hazard 'train fails to stop at
an intended location' could be caused by brake failure, poor adhesion conditions,
driver performance etc. A robust, sensible and efficient approach to hazard definition
is one where a clear distinction is made between hazards and causes. This helps to
ensure that:
a) The number of top-level hazards is kept to a manageable level.
b) A more effective link between the hazards and the accident outcomes can be
made.
c) Individual causes can be effectively mitigated by lower level decision makers or
actors in the project, while still allowing an understanding of overall system safety.

G7.2.5 EN 50126 defines a hazard as existing on the boundary of the system under
consideration, as shown in Figure 4. This also illustrates how hazards can be thought
of as hierarchical; in other words, one hazard can lead to another hazard at a
different level. Figure 4 shows how hazards and causes (the black boxes) can be
defined at different levels of the system. There is flexibility in the levels at which
hazards and causes are defined and there is no one single correct approach. This
flexibility is part of the normal hazard management thought process. The underlying
principle is that the hazards and causes should be defined at a level that is
appropriate to the complexity of the proposed system change, taking into account
boundaries and interfaces as appropriate. If the level is too high, then there will not
be enough detail to consider suitable control of the hazard; if the level of detail is too
low, this will result in too many hazards to be able to manage sensibly.

Figure 4: EN 50126 Illustration of hazards with respect to the system boundary

G7.3 What is hazard identification?

G7.3.1 Hazard identification is a vital step in risk management and risk assessment
processes. It describes the process of systematically identifying hazards so that they -
and the risk they create - can be controlled effectively. If hazards can be eliminated,
for example by a changed design, then there is no further risk to control. This,
therefore, is the preferred approach to hazard closure where possible. However, in
many cases, hazards cannot be eliminated; thus, the risk they create should be
suitably controlled and reduced to an acceptable level.
G7.3.2 The CSM RA regulation (Annex I, point 2.2.1) states that:

The proposer shall systematically identify, using wide-ranging expertise from a
competent team, all reasonably foreseeable hazards for the whole system under
assessment, its functions where appropriate and its interfaces.

G7.3.3 There is no single ideal hazard identification method or technique that should be
applied in all cases but there are various commonly used methods or approaches
which may be appropriate for a change project depending on its size and nature. The
most basic hazard identification exercise might be a simple meeting between subject
area experts to discuss and record conclusions on potential hazards.
G7.3.4 In selecting a suitable method for hazard identification, it is important to decide what
level of competency is required in terms of knowledge, skills and experience. This
should consider engineering, operational and organisational aspects, as appropriate,
as well as specialist knowledge where necessary. For example, when undertaking
team-based exercises such as hazard identification workshops it should be clear who
has participated and in what capacity. This information would normally be recorded
as part of the output of the activity as evidence of suitable competency management
and to confirm that appropriate knowledge, skills and experience have informed the
process. A competent team could include individuals from outside the proposer’s
organisation; for example, for a designer or manufacturer carrying out CSM RA for
the purposes of safe integration, it may be useful to involve the potential end user of
the product, as they may have operational knowledge that could assist hazard
identification.
G7.3.5 The following sections describe some methods which may be used to facilitate hazard
identification.

G7.4 Desk-based hazard identification

G7.4.1 There are various desk-based approaches to hazard identification. Perhaps the
simplest is to review available historical safety and performance data in order to
identify which failures, incidents and hazards have occurred to similar systems in
similar operational circumstances to those being analysed. This information can be
used to infer what the relevant hazards for the system in question might be. For
example, the GB rail industry has access to incident data through the Safety
Management Intelligence System (SMIS). Additionally, the RSSB Safety Risk Model
(SRM) contains a generic list of hazardous events with quantified risk data valid for
the current mainline rail network. Sources such as these can provide a good starting
point for change projects to promote creative thinking. Comparison with existing
checklists developed previously, which are relevant to the scope of the proposed
change, can provide a good starting point for hazard identification but can be quite
rudimentary; they should be used with care so as not to inhibit or constrain creative
thinking.
G7.4.2 A Functional Hazard Analysis (FHA) is a systematic, comprehensive examination of
functions to identify and classify failure conditions of those functions according to
their severity. For the analysis of a change to the railway, it may be appropriate to
apply the FHA at system level. This would involve a high-level, qualitative assessment
of the defined functions of the system (as specified in the system definition). The
system-level FHA is undertaken to identify and classify the failure conditions
associated with the system-level functions. FHA can be started earlier in a programme
of work because a specification, and not a detailed design, is all that is required.
However, FHA is not good at finding hazards that are not easily characterised as the
failure of a function (such as electromagnetic interference or fuel leakage).

G7.5 Hazard identification workshops

G7.5.1 Workshop-based approaches are commonly used to support hazard identification.
The technique of a workshop helps to ensure the completeness of hazard
identification by drawing on the collective experience and understanding of all the
workshop attendees. There are various different approaches that can be applied,
ranging from a structured Hazard and Operability (HAZOP) type study to a more
informal 'brainstorming' exercise.
G7.5.2 The HAZOP technique was initially developed to analyse chemical process systems,
but was later extended to other types of systems and industries. A HAZOP is a
qualitative technique for analysing a defined system by applying 'guide words' like
'no', 'more' or 'less than'. The guide words are applied to some attribute or intention
of the system, in order to consider how it might fail or behave abnormally, and what
the consequences of that failure might be, for example, 'no information', 'more
information', 'late information' etc. HAZOP is a rigorous and systematic study. Full
scale HAZOP can be very labour intensive and so often a more flexible and
proportionate approach is taken using HAZOP principles as appropriate. The
technique depends heavily on the expertise of the workshop attendees and their
familiarity with aspects of the technique.
G7.5.3 A more common approach is to undertake a structured brainstorming exercise or
Hazard Identification (HAZID) workshop. This can take on a variety of forms, but is
typically a variation of the HAZOP approach, involving the analysis of a given system,
set of functions and / or procedures using a prompt checklist of some type. The
checklist might be a set of potential causes of hazards, a list of known hazards, or a
list of different operational scenarios, standard failure mechanisms, or circumstances
relevant to the system.
G7.5.4 A typical way of conducting a workshop for the operational railway is to use a
structured checklist approach to analyse the functions and operation of the railway
for different 'phases of mission'. These 'phases of mission' might include 'train start-
up', 'normal operation' or 'degraded mode working', for example.
G7.5.5 To support this analysis, a description of the various functions and human actions
that would need to occur would be used (based on the system definition). The
workshop process then steps through these functions and actions in sequence, and
uses an appropriate checklist(s) to identify hazardous deviations from the intended
function or action. Hazard causes and consequences are then identified and recorded.
This approach is essentially a hybrid combination of task analysis and functional
hazard analysis.

G7.6 Human factors in hazard identification

G7.6.1 Human factors assessments can be particularly appropriate to the analysis of hazards
associated with railway operations and the analysis of procedures. They can be either
desk-based or workshop-based and can also be supported by observations at sites if
systems are already in operation. Qualitative human reliability assessment methods
are focused on identifying hazards related to human performance and the potential
influence of performance-shaping factors on that human performance. An approach
developed for the GB rail industry is Railway Action Reliability Assessment (RARA).
G7.6.2 Although not a hazard identification method in itself, task analysis can be used as a
way to describe tasks before they are systematically assessed by identifying potential
deviations from procedure, as well as the causes and consequences of these
deviations. Task analysis is a systematic method for describing a task in terms of its
goals, operations and plans. The goal is what the system or person operating within
the system is required to achieve. The operations describe the actions or decisions
performed by people interacting with the system, while the plans describe the
conditions under which the operations are performed. Task analyses are often
presented as written descriptions of the operations in a numbered sequence, or in the
form of a flowchart.
G7.6.3 To perform task analysis a certain level of data is required, such as the general
operating procedure including job descriptions, process diagrams and / or the
operating manual. If a system is in operation, observation at site and input from staff
are key to verify the task, understand human performance issues and understand
factors which may affect that performance (for example, the working environment or
quality of written procedures).
G7.6.4 The benefit of a task analysis is that it provides a sequential description of the
operators' tasks. This task analysis can be used as a basis for qualitative human
reliability assessment, which includes identifying human errors, and analysing causal/
contributory factors and consequences. The RARA manual provides practical
guidance on the approach. The approach has similarities with the structured HAZOP
process, in that it uses guide words to determine what errors could occur for each step
identified in the task analysis. It is key to use people experienced in the task being
analysed during these sessions, if the system is in operation.

G7.7 Hazard identification within a project life cycle

G7.7.1 It is considered good practice to carry out some form of basic hazard identification at
the initial feasibility stages of a project, and this should also support options analysis
and selection. With limited detailed information this will be basic, but will be useful to
support and guide planning of more detailed hazard identification activities, and it
will be useful to inform the CSM RA significance assessment.
G7.7.2 Typically, a preliminary design or change proposal will undergo hazard identification,
and this will be repeated, or reviewed and revised, later as project details are
confirmed and refined. Similarly, when a risk assessment cycle is completed, a set of
safety requirements is one of the outputs. These should be used to re-write the
system definition. The revised system definition should then be used to review and
revise, if necessary, the original hazard identification results. This iterative process will
need to be repeated, as appropriate, until the hazard record is consistent with the
final system definition, and final set of safety requirements and assumptions. In
addition to the necessary planned hazard identification activities, hazards might also
be identified in an ad hoc manner as project details develop.

G7.8 The CSM RA hazard record

G7.8.1 The output of the hazard identification and classification stage of a CSM RA risk
assessment will normally be recorded in a hazard record, hazard log, or hazard
register. It will need to be reviewed and revised to keep it up to date as the
project develops, as more information becomes available, and when further hazard
identification activities take place.
G7.8.2 Part 10 of this document gives further detail on hazard management and the hazard
record.

G7.9 Hazard classification and broadly acceptable risk in the CSM RA

G7.9.1 Hazard classification has a very particular meaning in the context of the CSM RA
regulation. It is a filtering exercise based on an initial assessment of the risk
associated with each hazard and is carried out as part of a process to identify which
hazards are considered 'broadly acceptable' and therefore do not need further
consideration.
G7.9.2 The CSM RA regulation (Annex I, point 2.2.2) states that:

To focus the risk assessment efforts upon the most important risks, the hazards shall
be classified according to the estimated risk arising from them. Based on expert
judgement, hazards associated with a broadly acceptable risk need not be analysed
further but shall be registered in the hazard record. Their classification shall be
justified in order to allow independent assessment by an assessment body.

G7.9.3 Classification of hazards allows the proposer to focus subsequent risk assessment and
hazard management work on the most significant hazards, by discounting those
hazards which need no further consideration at an early stage of the project. The
classification of a hazard is made based on expert judgement. In practice, this is
often undertaken based on the collective opinion of attendees at an expert judgement
hazard identification workshop. This could include simple consequence and likelihood
analysis or could be qualitative. A record of who took part in the hazard classification
will help demonstrate that the requirement to apply expert judgement has been met.
G7.9.4 The CSM RA regulation (Annex I, point 2.2.3) states that:

As a criterion, risks resulting from hazards may be classified as broadly acceptable
when the risk is so small that it is not reasonable to implement any additional safety
measure. The expert judgement shall take into account that the contribution of all
the broadly acceptable risks does not exceed a defined proportion of the overall risk.

G7.9.5 A judgement has to be made whether the risk associated with a hazard is 'broadly
acceptable'. The ORR Guidance on the CSM RA (point 3.22) states:

The risk management process uses the term 'broadly acceptable' to identify those
hazards which need not be analysed further. In this context, 'broadly acceptable'
applies to those hazards where the risk is, to all intents and purposes, insignificant or
negligible. This could be because the hazard is so unlikely to arise that there are no
feasible control measures that could be used to control the risk it creates (e.g.
earthquakes if in a low vulnerability area) or where there is a credible failure mode
but the consequences are negligible. By screening out the 'broadly acceptable'
hazards at this stage, the risk analysis can focus on the more important hazards to
manage. It is unlikely that many hazards will be screened out in this way.

G7.9.6 'Hazard Classification', as described in the regulation, should therefore be thought of
as a filtering exercise to remove those hazards that have been identified during
hazard identification exercises but that - on further professional consideration - do
not merit further analysis. It is important that proposers record their rationale and
assumptions if they classify a hazard as broadly acceptable. During project
development, refinement of the system definition, assumptions and safety
requirements may change the initial evaluation that the risk is broadly acceptable
and so it may need to be re-classified.
G7.9.7 The CSM RA regulation (Annex I, point 2.2.3) also states that:

The expert judgement shall take into account that the contribution of all the
broadly acceptable risks does not exceed a defined proportion of the overall risk.

G7.9.8 If it has been concluded that the risk associated with a hazard is classified as 'broadly
acceptable', then the risk associated with the hazard is accepted without further
analysis. The ORR Guidance on the CSM RA confirms the ORR's position that it is
expected that only a small minority of hazards should be classified as 'broadly
acceptable' and so most hazards should be taken forward for an appropriate, but
proportionate, level of risk assessment. The 'broadly acceptable' classification should
only be used to screen those hazards which need not be analysed further, where the
risk is, to all intents and purposes, insignificant or negligible. Given that the broadly
acceptable risks are by definition very low, and that it would not be expected that
many hazards would be discounted in this way, it is likely that the contribution of all
broadly acceptable risks would be insignificant compared to the overall risk.
G7.9.9 Care should be taken with the term 'broadly acceptable risk' as it is sometimes used
with slightly different meanings in non-CSM RA contexts (for example, the HSE's
'Tolerability of Risk' and 'Reducing risks, protecting people' guidance documents).

G7.10 Hazard classification in broader use

G7.10.1 In related engineering safety management standards, such as EN 50126, hazard
classification has a broader use as an initial stage of risk assessment, often
incorporating the use of a risk matrix.
G7.10.2 In general terms, hazard classification involves putting an initial value on the risk
associated with a hazard in order to evaluate its importance. The risk associated with
a hazard is a combination of its potential safety consequence (that is, harm, injuries,
fatalities etc) and the likelihood or frequency of this consequence. In other words,
what can happen and how often or how likely it will happen.
G7.10.3 Once an estimate of the risk associated with each identified hazard is established, it is
possible to prioritise which hazards should receive more attention and apply a
proportionate approach to risk assessment and risk management. This then indicates
which hazards should be studied in more detail, for instance using more complex and
costly quantified risk assessment.
G7.10.4 The broader approach to hazard classification might be beneficial in order to:
a) Prioritise hazards which should be considered in project option selection and
decision making early in the project; at this stage alternative design options are
still possible and the cost of design change is smaller than at later stages. This
approach should ensure that a project is able to select options which support
reducing risk to an acceptable level.
b) Prioritise hazards which are likely to require significant project resources to control.
c) Prioritise hazards which need greater consideration of whether or not safety
requirements reduce risk to an acceptable level. In general, the higher the risk of
the hazard the more consideration will need to be given to the sufficiency of its
associated safety requirements.
G7.10.5 The initial hazard classification stage is most useful for large scale projects (such as a
major engineering project) where there are a significant number of hazards to
consider. In these projects, hazard classification and prioritisation may help to
support an efficient, proportionate and cost-effective approach to hazard
management.
G7.10.6 The use of hazard classification can also be useful where there is significant novelty
or uncertainty at the early stages of a project. Initial simple hazard classification can
be a good starting point to guide more detailed risk assessment work to be
undertaken later in the application of the risk management process.
G7.10.7 The broader approach to hazard classification may not be necessary in every case
where the CSM RA is applied. For example, where it is clear that a hazard will be
addressed through the risk acceptance principles of use of codes of practice, or
comparison with a similar reference system, there may be little benefit in classifying
the risk, as the management of the hazard is likely to be the same whether the risk is
high or low.

G7.11 Further advice on hazard identification

G7.11.1 The RSSB website (www.rssb.co.uk) contains additional information and templates
relating to hazard identification. It also contains details on the Safety Management
Intelligence System (SMIS), and the RSSB Safety Risk Model (SRM) which may be
used to support hazard identification.
G7.11.2 The ORR's guidance on the CSM RA contains information on hazard identification,
including the use of the term 'broadly acceptable' in the context of the CSM RA
(orr.gov.uk).
G7.11.3 EN 50126 for railway applications on the specification and demonstration of
reliability, availability, maintainability and safety, contains useful guidance on hazard
identification and classification of hazards.
G7.11.4 Guidance on undertaking HAZOPs is found in BS IEC 61882:2001: Hazard and
operability studies (HAZOP studies). Application guide.
G7.11.5 Guidance on task analysis can be found in Hierarchical Task Analysis (Shepherd,
2001). Further guidance on human error identification and quantification can be
found in RSSB research project T270 (Railway Action Reliability Assessment: A
technique for quantification of human error in the rail industry). General guidance on
aspects of Human Factors can be found on the RSSB website (www.rssb.co.uk).
G7.11.6 ISO 31000:2009 and the related standard EN 31010:2010 contain details on risk
identification, including hazard identification techniques which may be used to
support the CSM RA.


Part 8 Risk Evaluation and Risk Acceptance


G8.1 Overview of risk evaluation and acceptance

G8.1.1 The risk evaluation and acceptance part of the risk assessment process takes as its
starting point a classified list of hazards and delivers the following:
a) A set of safety requirements, which are the safety measures that will be put in
place to control risk to an acceptable level (these are documented in the system
definition and hazard record).
b) An updated hazard record and system definition.
c) A justified decision that the risk will be acceptable if all the safety requirements
are met.
G8.1.2 The CSM RA regulation defines three risk acceptance principles:
a) Application of codes of practice.
b) Comparison with reference system(s).
c) Explicit risk estimation.
G8.1.3 The CSM RA regulation (Annex I, point 2.1.4) requires that the acceptability of the
risk associated with a significant change is evaluated using one or more of these risk
acceptance principles. The risk associated with the change is acceptable when the risk
associated with each individual hazard is demonstrated as acceptable.
G8.1.4 Under the CSM RA regulation (Annex I, point 4.1.2) the hazard record should contain
the following information:

The hazard record shall include all hazards, together with all related safety measures
and system assumptions identified during the risk assessment process. In particular,
it shall contain a clear reference to the origin and to the selected risk acceptance
principles and shall clearly identify the actor(s) in charge of controlling each hazard.

G8.1.5 The risk evaluation process is iterative and will need to be reviewed and repeated as
the change project develops and new information emerges. This is particularly
relevant in complex projects where project details develop over time and in parallel,
resulting in revision of assumptions and update of the risk assessment results. For
simpler change projects, the assessment, review and iteration process can be
relatively uncomplicated.
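The classification filter of G7.9 (with the aggregate 'defined proportion' check of Annex I point 2.2.3) and the hazard record content required by Annex I point 4.1.2, worked through in an added Python example that is not part of this guidance note or of any RSSB tool. The hazards, frequency and consequence estimates, the individual threshold and the proportion limit are all constructed for the illustration, and the checks are one possible way of recording the judgement, not a mandated method.

```python
"""Added illustration, not part of GEGN8646 or any RSSB tool: a minimal hazard
record that applies the hazard classification filter of Annex I points 2.2.2
and 2.2.3 and checks the record content required by Annex I point 4.1.2.
Every hazard, estimate and threshold below is constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Optional

# The three CSM RA risk acceptance principles (Annex I, point 2.1.4).
PRINCIPLES = {"codes of practice", "reference system", "explicit risk estimation"}


@dataclass
class Hazard:
    hazard_id: str
    description: str
    origin: str                  # where the hazard was identified (point 4.1.2)
    frequency_per_year: float    # constructed estimate of how often the consequence occurs
    consequence: float           # constructed estimate of the harm per occurrence
    classified_by: List[str]     # who exercised the expert judgement (G7.9.3)
    justification: str = ""      # rationale; mandatory for 'broadly acceptable' (G7.9.6)
    principles: List[str] = field(default_factory=list)
    safety_requirements: List[str] = field(default_factory=list)
    actor_in_charge: Optional[str] = None
    broadly_acceptable: bool = False

    @property
    def risk(self) -> float:
        # G7.10.2: risk combines the consequence with how often it is expected.
        return self.frequency_per_year * self.consequence


@dataclass
class Classification:
    screened_out: List[str]    # ids classified 'broadly acceptable', lowest risk first
    proportion: float          # share of the overall risk carried by those hazards
    within_proportion: bool    # False: the expert judgement has to be revisited


def classify(hazards, individual_threshold, max_proportion):
    """Screen hazards as 'broadly acceptable' and apply the aggregate check.

    A hazard is a candidate only when its estimated risk is below the individual
    threshold AND a justification is recorded (point 2.2.2). Candidates are
    accepted only if together they stay within the defined proportion of the
    overall risk (point 2.2.3); otherwise nothing is screened out. Screened-out
    hazards stay in the record; only their further analysis is dropped."""
    for h in hazards:
        h.broadly_acceptable = False
    total = sum(h.risk for h in hazards)
    candidates = [h for h in sorted(hazards, key=lambda x: x.risk)
                  if h.risk < individual_threshold and h.justification.strip()]
    proportion = sum(h.risk for h in candidates) / total if total > 0 else 0.0
    if proportion > max_proportion:
        return Classification([], proportion, False)
    for h in candidates:
        h.broadly_acceptable = True
    return Classification([h.hazard_id for h in candidates], proportion, True)


def record_issues(hazards):
    """Return the gaps that would stop the record meeting Annex I point 4.1.2."""
    issues = []
    for h in hazards:
        if not h.origin:
            issues.append(f"{h.hazard_id}: origin of the hazard not recorded")
        if not h.classified_by:
            issues.append(f"{h.hazard_id}: no record of who classified the hazard")
        if h.broadly_acceptable:
            continue  # accepted without further analysis; the justification suffices
        if not h.principles or any(p not in PRINCIPLES for p in h.principles):
            issues.append(f"{h.hazard_id}: risk acceptance principle missing or unknown")
        if not h.safety_requirements:
            issues.append(f"{h.hazard_id}: no safety requirements recorded")
        if not h.actor_in_charge:
            issues.append(f"{h.hazard_id}: actor in charge of the hazard not identified")
    return issues


def sample_record():
    """Constructed hazards for a fictitious platform extension; not real data."""
    experts = ["operations manager", "signalling engineer", "human factors specialist"]
    return [
        Hazard("H1", "Train departs with passenger trapped in door", "HAZOP workshop 1",
               1e-3, 10.0, experts, principles=["codes of practice"],
               safety_requirements=["Door interlock per applicable TSI clause (constructed)"],
               actor_in_charge="railway undertaking (constructed)"),
        Hazard("H2", "Passenger slips on wet platform surface", "HAZOP workshop 1",
               2.0, 0.005, experts, principles=["reference system"]),  # requirements, actor missing
        Hazard("H3", "Earthquake damages platform canopy", "HAZOP workshop 1",
               1e-6, 5.0, experts,
               justification="Negligible likelihood in this area; no feasible control measure"),
        Hazard("H4", "Passenger brushes against handrail", "ad hoc site visit",
               0.5, 1e-4, experts, justification="Negligible consequence"),
        Hazard("H5", "Lighting failure on stairs", "HAZOP workshop 2",
               1e-6, 1.0, experts,  # low risk but no justification, so not screened out
               principles=["explicit risk estimation"],
               safety_requirements=["Emergency lighting maintained (constructed)"],
               actor_in_charge="infrastructure manager (constructed)"),
    ]
```

With `classify(sample_record(), 1e-4, 0.01)` only H3 and H4 are screened out (about 0.27% of the overall risk), H5 stays in because no justification was recorded, and `record_issues` then reports two gaps, both against H2; tightening the proportion limit to 0.001 screens out nothing and the unclassified H3 and H4 are reported as lacking a principle, safety requirements and an actor.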

G8.2 Selecting a CSM RA risk acceptance principle

G8.2.1 There are three CSM RA 'risk acceptance principles' that can be applied in a number
of ways, depending on the size and nature of the system change being assessed. The
risk acceptance principle should be selected based on what is the most efficient and
pragmatic approach. The following guidance describes the CSM RA, but the principles
are valid and can be used to fulfil other risk management obligations.
G8.2.2 For every hazard that is not 'broadly acceptable', one or more of the following CSM
RA risk acceptance principles should be applied:
a) Application of codes of practice.
b) Comparison with reference system(s).
c) Explicit risk estimation.
G8.2.3 Different principles may be used for different hazards. The choice of principle
depends on the most appropriate way to manage the risk. However, it is usually
preferable to think first about where clauses within codes of practice are already
requirements for a project, as in many cases processes will already be in place to
demonstrate compliance with these requirements and they may be valid to support a
CSM RA process. Comparison with a reference system will often be the second choice,
where a suitable reference system exists, followed by explicit risk estimation.
G8.2.4 Although not listed explicitly in priority order, the CSM RA regulation (Annex I, point
2.3.7) suggests a preference for codes of practice:

If the risk for a particular hazard cannot be made acceptable by the application of
codes of practice, additional safety measures shall be identified by applying one of
the two other risk acceptance principles.

G8.2.5 Equally the CSM RA regulation (Annex I, point 2.5.1) states that explicit risk
estimation should be used if codes of practice and reference system risk acceptance
principles are not applied:

If the hazards are not covered by one of the two risk acceptance principles laid
down in points 2.3 and 2.4, the demonstration of risk acceptability shall be
performed by explicit risk estimation and evaluation.

G8.2.6 However, there is no mandatory 'order of preference' for selection of risk acceptance
principles. The underlying criteria for selection should be to choose the risk
acceptance principle, or combination of principles, that most effectively and
efficiently addresses the hazard being considered.
G8.2.7 In some situations, codes of practice may provide a useful but incomplete set of
established safety measures to demonstrate an acceptable level of risk to control a
hazard. In this case, other principles may be needed to complete the application of
the CSM RA.
G8.2.8 Where it is applicable, the 'comparison with reference system' principle can provide
an efficient method of demonstrating acceptability of risk. For previously existing
hazards there is likely to be good understanding and experience of such hazards.
However, application of this principle requires careful consideration of the differences
between the railway in the existing and proposed locations and circumstances. The
challenge is to establish that the hazards and operating circumstances are sufficiently
similar that measures which are proven to be safe in one environment will effectively
manage risk in the proposed system. Therefore, it is preferable to use this principle
rather than explicit risk estimation if a suitable reference system already exists with
proven safety under a previous CSM RA application; however, it may be difficult to
demonstrate sufficient similarity.
G8.2.9 There are no restrictions on the use of the 'explicit risk estimation' principle, which is
likely to be used either to support and complete application of the other principles, or
when neither of the other two principles is applicable. Explicit risk estimation does not
necessarily imply complex and costly quantified risk assessment; a simple qualitative
assessment based on engineering judgement may be adequate, proportionate and
appropriate (for example a structured workshop based on expert judgement).
G8.2.10 Where two or more risk acceptance principles are to be applied to a hazard, the
hazard should be broken down into causes to the point where there is clarity on the
scope to which each principle is being applied. This enables the adequate application
of each principle to be justified. The CSM RA regulation (Annex I, point 2.2.5) states:

The hazard identification only needs to be carried out at a level of detail necessary
to identify where safety measures are expected to control the risks in accordance
with one of the risk acceptance principles...

G8.2.11 Guidance is provided on the application of each principle in the following sections.

G8.3 CSM RA risk acceptance principle - use of codes of practice and risk
evaluation

G8.3.1 The CSM RA regulation (Article 3, Definitions, (19)) defines a code of practice to
mean:

a written set of rules that, when correctly applied, can be used to control one or
more specific hazards.

G8.3.2 The CSM RA regulation (Annex I, point 2.3.2) places other requirements that codes of
practice must meet before they can be used for risk evaluation. It requires that:

(a) They must be widely recognised in the railway domain. If this is not the case, the
codes of practice will have to be justified and be acceptable to the assessment body;
(b) They must be relevant for the control of the considered hazards in the system
under assessment. Successful application of a code of practice for similar cases to
manage changes and control effectively the identified hazards of a system in the
sense of this Regulation is sufficient for it to be considered as relevant;
(c) Upon request, they must be available to assessment bodies for them to either
assess or, where relevant, mutually recognise, in accordance with Article 15(5), the
suitability of both the application of the risk management process and of its results.

G8.3.3 Compliance with these requirements could be justified largely generically, for
example, in the safety plan, with further justification for specific codes of practice
only where necessary.
G8.3.4 'Widely recognised in the railway domain' is a broad definition that may cover
documents described as standards, procedures or rule books, for example:
a) Technical Specifications for Interoperability (TSIs).
b) National Technical Rules and National Safety Rules (including Railway Group
Standards) (NTRs and NSRs).
c) British Standards, Euronorms and other international standards.
d) Rail Industry Standards.
e) RDG (or ATOC) standards.
f) Internal/company standards, systems and processes (which should be available to
assessment bodies for assessment of suitability).
Note: This is not an exhaustive list.
G8.3.5 TSIs and NTRs, as well as Euronorms and other international standards, are generally
acknowledged as widely recognised, whereas the 'widely recognised' status for other
standards in some circumstances may need to be confirmed and justified. In
justifying the use of a code of practice that is not already 'widely recognised', the
following aspects should be considered:
a) Currency - does it represent good practice?
b) Production values - was there sufficient rigour in the drafting and review process
of the code of practice?
c) Completeness - is it sufficient to manage the risk to an acceptable level?
G8.3.6 The code of practice should be 'relevant'. The meaning of 'relevant' is not defined
explicitly in the CSM RA regulation but it is considered here to mean that the code of
practice is being used within its intended scope and appropriately addresses the
totality of the hazard to which it is being applied. This could be determined by expert
judgement. Where standards are used outside their original intent, consideration is
needed as to whether the safety measures are suitable and sufficient to control the
risk associated with the hazard. Where the scope of the hazard is wide, it may be
appropriate to break down the hazard to assist the judgement as to whether the code
of practice appropriately addresses the totality of the hazard.
G8.3.7 The example code of practice documents set out above may be a source of safety
measures. In some cases the proposer would only be concerned with the subset of
those measures that the proposer determined to be safety requirements needed to
close the hazard. The project may be using compliance with a code of practice to fulfil
other duties or legal requirements, other than to close a CSM RA hazard. The
potentially different functions of the codes of practice clauses should be considered.
They should be analysed and applied with care and, if selected, there is still a
requirement for the proposer of a change to use professional judgement to
demonstrate they are valid and appropriate to close a hazard under the CSM RA. The
proposer needs to establish that a code of practice is suitable and, in cases where it is
not widely recognised, they will also have to demonstrate its suitability to the AsBo to
secure their agreement to its use.
G8.3.8 The CSM RA regulation (Annex I, point 2.3.1) states:

The proposer, with the support of other involved actors [...] shall analyse whether
one or several hazards are appropriately covered by the application of relevant
codes of practice.

G8.3.9 The phrase 'appropriately covered' is not defined explicitly in the regulation but it is
considered here to have a meaning similar to 'relevant' in Annex I point 2.3.2. Where
standards are used outside their original intent, consideration is needed as to whether
the safety measures are suitable and sufficient to control the risk associated with the
hazard.
G8.3.10 When applying the code of practice principle to manage a hazard, the simplest case is
when safety measures from the codes of practice appropriately cover the hazard and
the codes of practice are fully complied with. In this case:
a) A reference to the code of practice in its entirety (or appropriate specific safety
measures) should be entered into the hazard record. In some cases, it may be
useful to record an argument as to how the code of practice addresses the
specified hazard. In other cases, it may be worth recording a generic argument
about how 'relevance' has been determined, for example by a group of suitably
competent experts.
b) Where a code of practice cannot be fully complied with, the clauses from the code
of practice which must be complied with should be entered into the hazard record.
c) The system definition should be updated to contain the complete set of safety
requirements.
G8.3.11 If safety measures from codes of practice cover most but not all of the risk associated
with a hazard, then the principle may still be used, provided that one or more of the
other principles is used to manage the parts of the hazard which are not covered (for
example, a simple explicit risk estimation to cover an aspect of the hazard not
sufficiently covered by the code of practice).
G8.3.12 There are several ways in which safety measures within codes of practice may control
causes and/or consequences of hazards (either singly or together), including the
following:
a) They may place constraints on the design of some equipment, which will make it
less likely to exhibit a hazard.
b) They may require the provision of protective measures, which prevents failures
from leading to accidents.
c) They may require interfaces between humans and machines to be designed in a
way that reduces the likelihood that people will make mistakes.
d) They may require operational procedures that control the effects of hazards or
prevent them from occurring.
G8.3.13 Some codes of practice will be mandatory in a project; for example, when a project is
within scope of RIR 2011, relevant TSIs / ENs / NTRs will be applied. Where safety
measures from these codes of practice control hazards, their use provides an
opportunity to consider and exploit them as CSM RA codes of practice. It is good
practice early in the risk management process to identify whether they can be used to
support the 'codes of practice' risk acceptance principle in a CSM RA risk
assessment.
G8.3.14 Codes of practice are rarely written only to control hazards - they are normally also
written to deliver other benefits such as efficiency, interoperability and reliability.
Moreover, where a code of practice does control hazards, it may not specify explicitly
which requirements within it are safety related and which hazards they control.
Therefore, it may be necessary to assemble a group of people with expertise in the
area to decide whether and how relevant codes of practice 'appropriately cover' a
hazard or not. For example, it may be necessary to assess the causes of a hazard, then
check that the Code of Practice adequately covers each cause. Rationale for this
assessment should be recorded.
G8.3.15 The flowchart shown in Figure 5 summarises the options for using codes of practice
as a risk acceptance principle.

Figure 5: Applying the ‘codes of practice’ risk acceptance principle

G8.3.16 If a fault in a safety measure in a code of practice is discovered which undermines its
ability to manage a hazard that it appears to be designed to control, then it is
advisable to bring the fault to the attention of the organisation issuing the code of
practice so that it may be corrected. It may be possible to use other risk acceptance
principles to complete the argument that the hazard is adequately controlled. If not,
it will be necessary to conclude that the code of practice no longer 'appropriately
covers' the hazard and to use alternative codes of practice or other risk acceptance
principles.

G8.4 CSM RA risk acceptance principle - use of reference system and risk
evaluation

G8.4.1 The idea behind the comparison with the reference system principle is
straightforward: the new proposed system is compared against an existing 'reference
system' which has been demonstrated to have a level of risk which is considered
acceptable, and would still qualify for approval. The similarity of the reference system
to the new system is considered, and if the systems are sufficiently similar that there
is no additional risk associated with the new system, then the risk from it is considered
acceptable. The safety measures and rationale from the reference system will be
adopted by the new system as safety requirements.
G8.4.2 The CSM RA regulation (Annex I, point 2.4.2) defines minimum requirements that a
reference system must meet:

(a) it has already been proven in-use to have an acceptable safety level and would
therefore still qualify for approval in the Member State where the change is to be
introduced;
(b) it has similar functions and interfaces as the system under assessment;
(c) it is used under similar operational conditions as the system under assessment;
(d) it is used under similar environmental conditions as the system under
assessment.

G8.4.3 It is necessary to check that a reference system meets these requirements before it is
used as a reference system. Point 2.4.2 (a) of the regulation states that it is not
sufficient that a system is currently in use; it must be the case that it would qualify for
approval if it were to be introduced today.
G8.4.4 In practice, professional judgement is required to analyse the safety of the existing
system and demonstrate that it is also appropriate for the proposed change. The
following aspects should be considered:
a) Is the safety of the existing reference system already 'proven in use'?
b) Is there sufficient similarity of the existing reference system to what is being
proposed?
c) Do the safety requirements of the existing reference system still represent current
good practice and still qualify for approval?
d) Is there robust understanding of how risk is managed in the reference system?
e) Was the process for identifying the safety requirements in the reference system
sufficiently rigorous?
G8.4.5 For some existing systems, evidence from a previous CSM RA safety justification may
be incomplete or not available. In such cases, it may be inappropriate for that system
to be used to apply the reference system risk acceptance principle without
retrospectively applying the CSM RA process to complete the missing material which
could require significant effort. Nevertheless, this may still be more efficient overall
than other options.
G8.4.6 The CSM RA regulation contains the requirement that a reference system shall be
'proven in use'. This may be possible for a system that has many hours of operational
experience, or system demands, and associated safety data. However, this is more
difficult to prove for systems with potential for low frequency, high consequence
hazards where many years of operation or system demands would be needed to
prove the safety of the system 'in use'. The ORR guidance on the CSM RA gives the
following advice:

For technical changes, it is unlikely that evidence of in-service history alone can
prove that a high integrity system has an acceptable safety level, given the low
failure rates required of such systems. Evidence that sufficient safety engineering
principles have been applied in the development of the reference system will need
to be confirmed for each new application.

G8.4.7 Further information is given in the ORR Guidance document. The guidance suggests
EN 50129 as a source of suitable safety engineering principles to apply in this case.
G8.4.8 The status of 'proven in use' in the CSM RA and a system having grandfather rights
(that is, accepted in operation but not necessarily representing current standards) are
not the same. If a system is already in operation this does not automatically mean it
is 'proven in use', or appropriate to use as a CSM RA reference system; a CSM RA
reference system should represent current good practice, which is not necessarily the
case for systems operating under grandfather rights.
G8.4.9 The CSM RA regulation (Annex I, point 2.4.3) describes the process of applying the
reference system principle in the following three steps:

(a) the risks associated with the hazards covered by the reference system shall be
considered as acceptable;
(b) the safety requirements for the hazards covered by the reference system may be
derived from the safety analyses or from an evaluation of safety records of the
reference system;
(c) these safety requirements shall be registered in the hazard record as safety
requirements for the relevant hazards.

G8.4.10 To put these steps into practice, the application conditions of the reference system
are identified and these become safety requirements to be complied with by the
proposed change. Where a technical system is being applied that is exactly the same
as a reference system, it may be sufficient to formulate a safety requirement to
ensure that similarity (for example, citing a specific part number), and safety
requirements to capture the application conditions.
G8.4.11 The regulation (Annex I, point 2.4.4) also includes another approach to addressing
differences in existing and proposed systems. It states:

If the system under assessment deviates from the reference system, the risk
evaluation shall demonstrate that the system under assessment reaches at least the
same safety level as the reference system, applying another reference system or one
of the two other risk acceptance principles. The risks associated with the hazards
covered by the reference system shall, in that case, be considered as acceptable.

G8.4.12 In practice, a proposed new system is unlikely to be identical to an existing reference
system; there are usually some differences. The impact of these differences on the
safety of the proposed system can be analysed by performing the following steps:
a) Identify all differences between the reference system and the new system under
assessment which might affect risk.
b) Identify all differences between the operational and environmental conditions
which might affect risk.
c) Assess for each difference the nature of the risk associated with the system under
assessment and whether it would be higher or lower than for the reference system.
d) Consider each hazard and if the estimated risk associated with the hazard is no
greater in the proposed system than in the reference system, then the risk
associated with that hazard may be considered acceptable. In this case, the level
of risk met by the reference system sets the risk acceptance criteria for the system
under assessment.
G8.4.13 In its simplest form, this assessment could be carried out as a workshop to evaluate
the differences in risk between the reference system and proposed new system, using
professional judgement of a group of experts. For a more complex change, a more
involved assessment of the reference system may be needed to determine whether it is
valid to be used as a CSM RA reference system for risk evaluation.
G8.4.14 Analysis of a reference system will be easier, more effective and efficient if access is
possible to the original risk management records used for the reference system. If it is
practical, the assessment will be made easier by involving the same people who
carried out the original assessment.
G8.4.15 The CSM RA regulation (Annex I, point 2.4.5) also describes a hybrid approach. It
states:

If at least the same safety level as the reference system cannot be demonstrated,
additional safety measures shall be identified for the deviations, applying one of the
two other risk acceptance principles.

G8.4.16 Therefore, if the 'comparison with reference system' principle is not sufficient to
demonstrate an acceptable level of risk on its own, it may still be used as a basis, with one
or more of the other principles being used to address the parts of the risk which are not covered.
G8.4.17 The flowchart shown in Figure 6 summarises the options described above.

Figure 6: Applying the 'reference system' risk acceptance principle

G8.5 CSM RA risk acceptance principle - explicit risk estimation and evaluation

G8.5.1 Overview of explicit risk estimation


G8.5.1.1 The 'explicit risk estimation' principle is generally used when it has been decided not
to apply either of the other principles. This may be the case for a novel system where
the risk has not been previously analysed and there is no already established example
of good practice.
G8.5.1.2 The CSM RA regulation (Annex I, points 2.5.1 and 2.5.2) provides the following
introduction to the principle:

If the hazards are not covered by one of the two risk acceptance principles laid
down in points 2.3 and 2.4, the demonstration of risk acceptability shall be
performed by explicit risk estimation and evaluation. Risks resulting from these

hazards shall be estimated either quantitatively or qualitatively, or when necessary
both quantitatively and qualitatively, taking existing safety measures into account.
The acceptability of the estimated risks shall be evaluated using risk acceptance
criteria either derived from or based on requirements contained in Union legislation
or in notified national rules. Depending on the risk acceptance criteria, the
acceptability of the risk may be evaluated either individually for each associated
hazard or the combination of all hazards as a whole considered in the explicit risk
estimation.
If the estimated risk is not acceptable, additional safety measures shall be identified
and implemented in order to reduce the risk to an acceptable level.

G8.5.1.3 In the UK, the ORR has stated in the ORR Guidance on the CSM RA that the risk
acceptance criterion to be used for the UK is that risk should be reduced 'so far as is
reasonably practicable'. This criterion is sometimes referred to as the 'SFAIRP
principle', SFAIRP being the abbreviation of 'so far as is reasonably
practicable'. The 'explicit risk estimation' principle is the only risk acceptance
principle that explicitly invokes the SFAIRP principle. Using codes of practice or
reference system approaches implies an inherent SFAIRP argument that has been
previously established. There was already considerable experience in the UK of
explicitly evaluating risk using the SFAIRP principle before the CSM RA regulation was
introduced and this experience remains applicable in this context. RSSB's publication
'Taking Safe Decisions' gives guidance on taking decisions in a manner that is
consistent with the SFAIRP principle.
G8.5.1.4 The SFAIRP principle is not associated with a fixed threshold of acceptable risk, below
which risk can be accepted and above which it cannot. Instead, it requires
demonstration that there are no reasonably practicable options that could reduce risk
further.
G8.5.1.5 Explicit risk estimation can take different forms, which should be
selected depending on the size and nature of the risk being considered:
a) Qualitative assessment (for example, based on engineering judgement).
b) Semi-quantified assessment (for example, based on engineering judgement/
workshops using matrix/risk ranking).
c) Quantified assessment (for example, using quantified data, quantitative risk
assessment).
G8.5.1.6 The risk management process allows risks to be evaluated either qualitatively or
quantitatively. Either approach can be applied to support a SFAIRP test. Performing
quantitative risk estimation is well established and the general principles are
straightforward; however, carrying out quantified analysis and calculations that
underpin the process can be relatively complex, costly and a specialist task.
Quantitative risk evaluation generally requires significant effort and significant
statistical data and is not always necessary. Qualitative risk assessment can be
relatively simple. It is often possible and appropriate to reach robust decisions using
qualitative methods. The underlying principle is that the chosen approach should be
proportionate to the size and nature of the risk.

G8.5.1.7 Hazards of railway systems are rarely unprecedented, and previous experience can
often be used to reach robust decisions more efficiently than working from first
principles. Use of generic hazard lists as a starting point for an assessment can be
helpful, although thought is still needed to apply them to a proposed system. If this
can be done, then it may be possible to draw upon existing sources of hazard and risk
information to assist with the risk evaluation, such as the RSSB Safety Risk Model
(SRM).
G8.5.1.8 As a preliminary step to performing detailed explicit risk estimation, it may be useful
to classify hazards as described in section G 7.10 of this guidance, where a
preliminary estimate is made of the risk associated with a hazard in order to evaluate
its importance. This may be the case, for example, when a second iteration hazard
identification is undertaken, the use of codes of practice and reference systems has been exhausted,
and explicit risk estimation is needed. At this point it may be useful to classify hazards
to decide the suitable level of detail for the assessment.
G8.5.1.9 For a straightforward hazard, the 'explicit risk estimation' principle may be applied
qualitatively following the general principles below:
a) Identify the causes of the hazard, and record them as a table or short explanation.
b) Identify the possible consequences of the hazard and the factors that affect those
consequences, and record them as a table or short explanation.
c) Identify the existing safety measures which control the hazard.
d) Identify any credible additional safety measures which might be implemented to
control the hazard further.
e) Review the additional safety measures, discard those that are judged not to be
reasonably practicable, and set safety requirements to implement those measures
that are judged to be reasonably practicable.
G8.5.1.10 Proceeding through these steps will lead to a robust decision, provided that:
a) There are people with sufficient skills, knowledge and experience relevant to the
scope of the risk assessment involved in each step.
b) There is consensus that the hazard is understood such that the results of each step
can be demonstrated to be based on experience and knowledge.
G8.5.1.11 Because the SFAIRP assessment process involves balancing the benefits and costs of
safety measures, and because a safety measure may affect the risk associated with
several hazards, it is normally carried out for all hazards of a system together, or for a
related group of hazards.
G8.5.1.12 The 'explicit risk estimation' principle may be applied quantitatively following the
general principles below:
a) Identify the causes of the hazard.
b) Identify the possible consequences of the hazard.
c) Identify the existing safety measures and further safety measures which control
the hazard and which it has been decided to implement. This is the baseline case.
d) Use the information from the previous steps to create a logical description of the
causal chains (sequence of precursor events) which may result in an accident,
usually using one or more specialist notations and computer programs. Estimate
the likelihood of the events in these chains and derive the frequency with which
accidents occur.
e) Use these frequencies to quantify the risk associated with the baseline case as a
statistical estimate of the harm incurred per year. That harm may include both
fatalities and injuries, and conventions exist for combining these into a single
number, such as 'Fatalities and Weighted Injuries' (FWI). Risk is then measured in
FWI per year.
f) Identify all credible additional safety measures which might be implemented to
control the hazard further.
g) For each safety measure, re-assess the consequence and frequency of the hazard,
taking into account the anticipated effects of the safety measure, to estimate the
reduction of risk resulting from the safety measure. The decrease in risk is then
compared with the increase in cost. Industry-standard benchmarks exist for
deciding whether the option is reasonably practicable or not (see RSSB's
publication 'Taking Safe Decisions').
h) Set safety requirements to implement those safety measures which were
originally planned and those additional safety measures which were found to be
reasonably practicable.
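The following worked example is added here to illustrate steps d) to g) above, together with the fault tree and event tree techniques described later in G8.5.2; it is not part of the RSSB guidance and is not an industry model. It is written in Python. The hazard, the basic-event failure rates, the fleet size, the event-tree branches, the weighting of a major injury in the FWI sum, and the 'value per FWI averted' and 'disproportion factor' benchmarks are all constructed assumptions for illustration; the industry benchmarks referred to in step g) are those published in 'Taking Safe Decisions'. The model combines basic events through OR and AND gates to obtain the frequency of the hazardous event, multiplies by fleet operating hours and the expected harm per event to obtain risk in FWI per year, and then compares the risk reduction offered by each candidate safety measure with its annualised cost.

```python
"""Quantified explicit risk estimation, end to end: a small fault tree gives the
frequency of a hazardous event, an event tree turns that into FWI per year, and
each candidate safety measure is tested for reasonable practicability.
All figures below are constructed for illustration; none are railway data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rate:
    """Failure rate of a basic event, per operating hour."""
    value: float


@dataclass(frozen=True)
class Prob:
    """Probability that an enabling condition holds on demand (dimensionless)."""
    value: float


def gate_or(*inputs):
    """OR gate: rates add (rare-event approximation); probabilities combine as
    1 - prod(1 - p). Mixing a rate with a probability is a modelling error."""
    if all(isinstance(i, Rate) for i in inputs):
        return Rate(sum(i.value for i in inputs))
    if all(isinstance(i, Prob) for i in inputs):
        none_occur = 1.0
        for i in inputs:
            none_occur *= 1.0 - i.value
        return Prob(1.0 - none_occur)
    raise TypeError("OR gate inputs must be all rates or all probabilities")


def gate_and(*inputs):
    """AND gate: one initiating rate multiplied by the probabilities of the
    enabling conditions. Two rates would need exposure times, so reject them."""
    rates = [i.value for i in inputs if isinstance(i, Rate)]
    if len(rates) > 1:
        raise TypeError("AND gate with more than one rate is not modelled here")
    p = 1.0
    for i in inputs:
        if isinstance(i, Prob):
            p *= i.value
    return Rate(rates[0] * p) if rates else Prob(p)


@dataclass(frozen=True)
class Outcome:
    """One event-tree branch: its probability given the hazardous event and its harm."""
    probability: float
    fatalities: float
    major_injuries: float


# Assumed illustrative weight of a major injury relative to a fatality in the
# FWI (Fatalities and Weighted Injuries) sum; the published convention is RSSB's.
FWI_WEIGHT_MAJOR_INJURY = 0.1


def expected_fwi_per_event(outcomes):
    """Harm per hazardous event, in FWI, averaged over the event-tree branches."""
    if abs(sum(o.probability for o in outcomes) - 1.0) > 1e-9:
        raise ValueError("event-tree branch probabilities must sum to 1")
    return sum(o.probability * (o.fatalities + FWI_WEIGHT_MAJOR_INJURY * o.major_injuries)
               for o in outcomes)


def hazardous_event_rate(driver_error_rate, signalling_fault_rate, protection_fail_on_demand):
    """Fault tree for the constructed hazard 'train passes a stop signal unprotected':
    (driver error OR signalling fault) AND train protection fails on demand."""
    initiator = gate_or(Rate(driver_error_rate), Rate(signalling_fault_rate))
    return gate_and(initiator, Prob(protection_fail_on_demand)).value


def annual_risk_fwi(rate_per_hour, fleet_hours_per_year, outcomes):
    """Risk in FWI per year for the whole fleet (the scope must be stated, see G8.5.1.13)."""
    return rate_per_hour * fleet_hours_per_year * expected_fwi_per_event(outcomes)


def reasonably_practicable(risk_reduction_fwi, annual_cost, value_per_fwi, disproportion_factor):
    """SFAIRP test: a measure is reasonably practicable unless its cost is grossly
    disproportionate to the value of the risk it averts."""
    return annual_cost <= risk_reduction_fwi * value_per_fwi * disproportion_factor


# Constructed baseline case (step c).
FLEET_HOURS_PER_YEAR = 50 * 5000  # 50 trains, 5000 operating hours each
BASELINE = {"driver_error_rate": 2e-6, "signalling_fault_rate": 1e-8,
            "protection_fail_on_demand": 0.05}
OUTCOMES = [Outcome(0.90, 0, 0), Outcome(0.08, 0, 2), Outcome(0.02, 1, 5)]
# Assumed placeholder benchmarks; the industry figures are in 'Taking Safe Decisions'.
VALUE_PER_FWI_AVERTED = 2_000_000.0  # GBP per FWI averted
DISPROPORTION_FACTOR = 3.0


def baseline_risk():
    """Step e): risk of the baseline case in FWI per year."""
    return annual_risk_fwi(hazardous_event_rate(**BASELINE), FLEET_HOURS_PER_YEAR, OUTCOMES)


def assess_measure(name, changes, annual_cost):
    """Step g): re-run the model with the measure applied and compare the risk
    reduction against the measure's annualised cost."""
    risk = annual_risk_fwi(hazardous_event_rate(**{**BASELINE, **changes}),
                           FLEET_HOURS_PER_YEAR, OUTCOMES)
    reduction = baseline_risk() - risk
    return {"measure": name, "risk_fwi_per_year": risk, "reduction_fwi_per_year": reduction,
            "reasonably_practicable": reasonably_practicable(
                reduction, annual_cost, VALUE_PER_FWI_AVERTED, DISPROPORTION_FACTOR)}


MEASURES = [  # (name, parameter changes, annualised cost in GBP); all constructed
    ("Upgrade train protection", {"protection_fail_on_demand": 0.01}, 50_000.0),
    ("Driver refresher training", {"driver_error_rate": 1.5e-6}, 1_000.0),
]

if __name__ == "__main__":
    print(f"Baseline risk: {baseline_risk():.6f} FWI/year")
    for measure in MEASURES:
        print(assess_measure(*measure))
```

With these constructed figures the expensive protection upgrade removes more risk in absolute terms but fails the cost comparison, while the cheap training measure passes it, which illustrates why step g) compares each measure's own risk reduction with its own cost rather than ranking measures by risk reduction alone.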
G8.5.1.13 Any quantitative estimates of risk should clearly state what hazards they relate to.
Where the risk is associated with identical systems (for example, a fleet of trains), any
statement of quantified risk should make clear the scope to which it refers (for
example, a single train, a fleet of trains, or a period of operation). This
information and any other assumptions used in calculations should be recorded to
justify the results. These assumptions may be reviewed and revised as new
information becomes available and the change project develops.
G8.5.1.14 In order to produce accurate quantitative estimates of risk, it is usually necessary to
have accurate estimates of the probability of equipment failures, human reliability
and other events. Equipment suppliers may be able to provide some of these
estimates. The SRM published by RSSB may also be a useful source of quantified
data. The RARA, also available from RSSB, provides guidance and data for
quantifying human reliability.
G8.5.1.15 No estimate of risk can ever be completely accurate, but the uncertainty can be
reduced by further data collection or analysis. Explicit risk estimation is used to
support decision making and it follows, therefore, that it should be refined until a
sufficiently robust decision can be justified. If uncertainty cannot be reduced further,
the degree of uncertainty can be taken into account using techniques such as
sensitivity analysis. When there is uncertainty about controlling risk, it is a generally
accepted principle that the worst credible case should be considered. This typically
means using a higher, more pessimistic, risk scenario within the credible range. This
cautious result can sometimes be refined and improved by analysing assumptions to
make them more accurate and robust.
G8.5.1.16 Significant uncertainty is often associated with the risk of multi-fatality accidents
because there is usually limited statistical data available, and because the severity of
such accidents may depend upon many factors. As explained in 'Taking Safe
Decisions', this uncertainty justifies a cautious approach to the estimation of risk of
multi-fatality accidents.

G8.5.1.17 Other EU states use different risk acceptance criteria for quantified risk assessment.
This will not be relevant to most changes made by UK organisations, but a proposer
of a change should bear this in mind if they plan to seek recognition of their risk
acceptance decision in another EU state, or if they plan to use a reference system
from a different EU state.

G8.5.2 Example explicit risk estimation techniques


G8.5.2.1 There is no single ideal explicit risk estimation method or technique that should be
applied in all cases, but there are various commonly used methods or approaches
which may be appropriate for a change project depending on its size and nature. The
following paragraphs give an overview of some commonly used techniques; however,
other techniques are available and may be appropriate.
G8.5.2.2 Failure Mode and Effects Analysis (FMEA): A process for hazard identification where
all known failure modes of components or features of a system are considered in turn
and undesired outcomes are noted. This technique is usually carried out by a single
person, rather than in a workshop. FMEA is a structured process to identify the
potential failure modes of the elements of a system, the causes of these failures and
their effects. Failure modes are identified for each component, and the effects of
each failure mode on larger assemblies and the whole system are identified. The
FMEA technique is sometimes used in non-safety specific areas, such as quality
assurance. Care should be taken to ensure it is used with sufficient rigour in a safety
context.
G8.5.2.3 Failure Mode, Effects and Criticality Analysis (FMECA): This is an extension of
Failure Mode and Effects Analysis (FMEA), in which the criticality of the failure effects
is also considered. FMEA and FMECA are rigorous and thorough if applied by a
competent analyst who understands both the technique and the system under
analysis. However, they can be time consuming.
G8.5.2.4 Bow-tie models: The 'bow tie' approach identifies in a graphical format the direct
relationship between objectives, outcomes, hazards, causes and consequences.
Controls are included to indicate what measures are in place to prevent the causes
and mitigate the consequences.
G8.5.2.5 Fault Tree Analysis (FTA): A method for representing the logical combinations of
various states or failure modes, which lead to a particular outcome (top event).
G8.5.2.6 Event Tree Analysis: A method of illustrating the intermediate and final outcomes
which may arise after the occurrence of a selected initial event (the top event in the
Fault Tree).
G8.5.2.7 Bow-tie models, FTA, and Event Tree Analysis share some characteristics. A combined
Fault and Event Tree has similarities to the bow-tie approach with a top event
(hazardous event) placed in the centre of the bow-tie. Defining the top event of a
fault tree or the central hazardous event will depend on the overall objectives, focus
and perspective of the risk assessment, and the nature of the change project as
described in section G 7.2. The key difference between the two methods is that Fault
and Event trees tend to be mathematically quantified models based on failure data,
whereas the bow-tie method is generally a qualitative graphical representation of the
hazard to aid understanding and identify controls. Bow-tie models, FTA, and Event
Tree Analysis may be developed in isolation and/or reviewed and developed in a
collaborative workshop environment.

G8.6 CSM Design Targets (CSM-DT)

G8.6.1 The CSM RA regulation (Annex I, points 2.5.5 and 2.5.6) includes a special case of
quantified risk assessment and evaluation for technical systems which uses mutually
recognised safety design targets (CSM-DT).
G8.6.2 If the proposer of a change to a technical system can demonstrate that functional
failures of a technical system are no greater than specified design targets, then the
acceptability of the failure rate of these functions is, by definition, mutually
recognised in all EU member states. There are two classes of quantified design
targets described in the amendment:
a) Class (a) design target: this is for functional failures that have the potential to
lead to catastrophic accidents affecting a large number of people and resulting in
multiple fatalities. In this case the risk associated with a technical system does not
have to be reduced further if the frequency of the failures of the associated
function is demonstrated to be less than or equal to 10⁻⁹ per operating hour.
b) Class (b) design target: this is for functional failures that might lead to critical
accidents affecting a small number of people and resulting in at least one fatality.
For these failures the risk does not have to be reduced further if the frequency of
the failures of the associated function is demonstrated to be less than or equal to
10⁻⁷ per operating hour.
G8.6.3 Design targets are intended to be used in the design of Electrical, Electronic and
Programmable Electronic (E/E/PE) technical systems, where hazards arise as a direct
result of failure of their functions. They are not intended for the design of purely
mechanical systems.
G8.6.4 When introducing a new technical system or implementing a change to a technical
system, the proposer has the option to use the design targets, if the system has the
potential to lead to either catastrophic or critical accidents. Use of the design targets
is not mandatory; however, they can be used if the proposer is using the CSM risk
acceptance principle of 'explicit risk estimation' and wants to guarantee mutually
recognised acceptance of the change in other member states.
G8.6.5 It is considered unlikely that the CSM-DT targets will be used by RUs and IMs but they
may interface with suppliers that have applied this criterion.
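The following example is added to illustrate the point made in G8.4.6 about the difficulty of demonstrating low failure rates from in-service history, and the design targets quoted in G8.6.2; it is not part of the RSSB guidance. It is written in Python and uses a standard statistical model (a constant failure rate, so that the number of failures in a period of operation follows a Poisson distribution) to compute the one-sided upper confidence bound on a failure rate from a given number of operating hours and observed failures, and the number of failure-free hours that would be needed to demonstrate a given target. The fleet size, hours and confidence level are constructed assumptions; the 10⁻⁹ and 10⁻⁷ per operating hour targets are the values quoted in G8.6.2.

```python
"""Operating experience needed to demonstrate a low failure rate.

Model: constant failure rate, so the number of failures in T operating hours
follows a Poisson distribution with mean lambda * T. The one-sided upper
confidence bound on lambda is the largest rate still consistent, at the chosen
confidence, with having seen no more than the observed number of failures."""
import math

# Design targets per operating hour as quoted in the guidance (G8.6.2).
CSM_DT_TARGETS = {"a": 1e-9, "b": 1e-7}


def poisson_cdf(r, mu):
    """P(X <= r) for X ~ Poisson(mu), by direct summation of the terms."""
    term = math.exp(-mu)
    total = term
    for k in range(1, r + 1):
        term *= mu / k
        total += term
    return total


def upper_bound_rate(hours, failures, confidence=0.9):
    """Smallest lambda (per hour) for which observing at most `failures` events in
    `hours` has probability no more than 1 - confidence. Found by bisection: the
    Poisson CDF decreases monotonically as lambda grows."""
    if hours <= 0:
        raise ValueError("operating hours must be positive")
    tail = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi * hours) > tail:  # widen until hi bounds the rate
        hi *= 2.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid * hours) > tail:
            lo = mid
        else:
            hi = mid
    return hi


def hours_to_demonstrate(target_rate, confidence=0.9):
    """Failure-free operating hours needed before the upper bound falls to
    `target_rate` (closed form of the zero-failure case: exp(-lambda*T) = 1 - C)."""
    return -math.log(1.0 - confidence) / target_rate


def meets_design_target(hours, failures, target_class, confidence=0.9):
    """Is the demonstrated upper bound at or below the class (a) or (b) target?"""
    return upper_bound_rate(hours, failures, confidence) <= CSM_DT_TARGETS[target_class]


if __name__ == "__main__":
    # Constructed fleet: 100 units, 5000 operating hours a year, 10 years, no failures.
    fleet_hours = 100 * 5000 * 10
    print(f"Upper 90% bound after {fleet_hours:.1e} failure-free hours: "
          f"{upper_bound_rate(fleet_hours, 0):.2e} per hour")
    for cls, target in CSM_DT_TARGETS.items():
        needed = hours_to_demonstrate(target)
        print(f"class ({cls}) target {target:.0e}/h needs {needed:.2e} failure-free hours "
              f"({needed / 8760:.0f} unit-years)")
```

Five million failure-free hours only bound the rate at about 4.6 × 10⁻⁷ per hour at 90% confidence, so they do not demonstrate even the class (b) target, and the class (a) target would need over two billion failure-free hours; this is the reason G8.4.6 expects evidence of applied safety engineering principles rather than in-service history alone for high integrity systems.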

G8.7 Risk evaluation and risk acceptance for non-CSM risk assessment

G8.7.1 Although the concepts of using codes of practice and comparison with reference
system are presented in the specific context of the CSM RA, they are valid approaches
to close hazards in any risk assessment, including in conjunction with
qualitative and quantitative risk assessment methods. The principles provided in this
guidance document, while framed by the CSM RA, can be used to guide other risk
assessment work.

G8.8 Further advice on risk evaluation and risk acceptance

G8.8.1 The RSSB website (www.rssb.co.uk) contains additional information and templates
relating to risk assessment, evaluation and risk acceptance. The guidance document
'Taking Safe Decisions' contains useful material on risk acceptance and decision-making
processes.
G8.8.2 The ORR's guidance on the CSM RA covers the CSM RA risk evaluation and risk
acceptance processes, including risk acceptance criteria in the context of the
CSM RA (orr.gov.uk).
G8.8.3 The European Union Agency for Railways has produced a guide for the application of
the CSM design targets (CSM-DT) (http://www.era.europa.eu/Document-Register/
Documents/ERA-REC-116-2015-GUI%20CSM%20DT%20V1%200.pdf).
G8.8.4 EN 50126 (Railway applications. The specification and demonstration of
reliability, availability, maintainability and safety) contains useful guidance on risk
assessment, evaluation and risk acceptance. In addition, relevant guidance can also
be found in EN 50129 (Railway applications. Communication, signalling and
processing systems. Safety related electronic systems for signalling) and CLC/TR
50451 (Railway applications. Systematic allocation of safety integrity requirements).
G8.8.5 ISO 31000:2009 and the related standard EN 31010:2010 contain details on risk
analysis, and risk evaluation, including risk assessment techniques which may be used
to support the CSM RA.
G8.8.6 Guidance on FMEA and FMECA techniques is provided in EN 60812:2006 (Analysis
techniques for system reliability. Procedure for failure mode and effects analysis
(FMEA)).
G8.8.7 The Railway Action Reliability Assessment provides guidance and data for
quantifying human reliability as part of quantified risk assessment (https://
www.sparkrail.org/Lists/Records/DispForm.aspx?ID=24340).

Part 9 Safety Requirements


G9.1 Overview of safety requirements in risk assessment

G9.1.1 At the beginning of any risk assessment process the initial system definition will
contain a set of safety measures, that is to say, measures that are existing or planned
to be in place to ensure the safety of the proposed system. The risk assessment
process will then identify new potential safety measures and some of these will be
identified as being necessary to demonstrate the system is safe. These measures will
become the new safety requirements which will be added to the revised system
definition. The initial risk assessment will then be reviewed and updated to include all
the safety requirements. This iterative process will continue until a finalised set of
safety requirements is reached, which should be contained in the final system
definition. For simple changes, there may be only a small number of easily
identifiable safety requirements that are needed to control the risk.
G9.1.2 The concepts of 'safety measures' and 'safety requirements' are key to the
application of any risk management process. Safety measures are defined in the CSM
RA regulation (Article 3(10)) as:

a set of actions either reducing the frequency of occurrence of a hazard or
mitigating its consequences in order to achieve and/or maintain an acceptable level
of risk

G9.1.3 Safety measures could be measures that are in place prior to the proposed change,
new measures which might be considered for application, or the safety measures that
become formal safety requirements following the application of the risk assessment
principles.
G9.1.4 The formal definition of the term safety requirements in the CSM RA regulation
(Article 3(9)) is:

the safety characteristics (qualitative or quantitative, or when needed both
qualitative and quantitative) necessary for the design, operation (including
operational rules) and maintenance of a system in order to meet legal or company
safety targets.

G9.1.5 In other words, safety requirements can be considered as those safety measures that
need to be implemented in order to demonstrate that the safety targets of the
new system or change have been met. The CSM RA regulation (Annex I, point 2.1.6)
describes how they are developed through the risk assessment process:

The application of these risk acceptance principles shall identify possible safety
measures that make the risk(s) of the system under assessment acceptable. Among
these safety measures, those selected to control the risk(s) shall become the safety
requirements to be fulfilled by the system. Compliance with these safety
requirements shall be demonstrated...

G9.1.6 Safety requirements may include requirements on the technical system, but also
requirements on the operational, organisational and maintenance arrangements.
G9.1.7 Where the change affects organisational arrangements, the safety requirements are
likely to be concerned with features of those arrangements such as training,
communications, responsibilities, and transitional arrangements.
G9.1.8 Some safety requirements may have to be met by other actors. For example, if an RU
is introducing a new fleet of electric trains which will implement regenerative braking
for the first time on a route, then the IM may have to make adjustments to the power
supplies and to its operational maintenance arrangements to make the change
acceptably safe. The CSM RA regulation (Annex I, points 3.1 and 3.2) states that:

Prior to the safety acceptance of the change, fulfilment of the safety requirements
resulting from the risk assessment phase shall be demonstrated under the
supervision of the proposer.
This demonstration shall be carried out by each of the actors responsible for
fulfilling the safety requirements.

G9.1.9 It is therefore the proposer's responsibility to demonstrate that all safety
requirements have been met, regardless of who is directly responsible for fulfilling
them.

G9.2 Documenting safety requirements

G9.2.1 The CSM RA regulation requires that safety requirements be recorded in a hazard
record and included or referenced in the system definition. The system definition
should be kept up to date as the project proceeds.
G9.2.2 Although the main body of the system definition is usually a document, in some cases
it may be more efficient and effective to reference the safety requirements managed
in a database or spreadsheet. This is particularly relevant for complex projects where
safety requirements need to be coordinated from various different safety activities
throughout the project life.
G9.2.3 The extent to which existing safety measures need to be formally documented as
safety requirements should be proportionate to the risk. For example, if existing
arrangements (such as a duty holder's existing SMS) already ensure that the safety
measures are applied, then it may be sufficient to reference the existing SMS where
the detail is recorded.
G9.2.4 If safety requirements are being stored in a database, then recording existing safety
measures in a separate table within the same database may make it easier to
manage the complete set of safety requirements. A pragmatic and proportionate
approach should be taken.
G9.2.5 Safety requirements could include any of the following:
a) Requirements to implement features or functions of technical systems associated
with the change.
b) Requirements to deliver minimum levels of integrity for functions of technical
systems.
c) Requirements on the operational and SMS arrangements, such as provision of user
manuals, provision of driver training, updates to operational procedures and
restrictions on use.
d) Requirements on the maintenance arrangements, such as provision of tools,
spares, special equipment and maintainer training, and inclusion of certain checks
within maintenance procedures.
e) Any temporary restrictions introduced for an initial period of operation to control
risk while assumptions about the behaviour of the system are being confirmed.
G9.2.6 It should be noted that safety requirements may include measures taken by parties
other than the proposer of the change, for example, a contractor engaged by the
proposer who is delivering some aspects of a change on the proposer's behalf.
G9.2.7 If codes of practice are being used as a basis for controlling a hazard, then point 2.3.5
of Annex I of the CSM RA regulation requires that the use of these codes of practice
shall be registered as safety requirements. Adding a requirement that 'the system
shall conform to <code of practice>' would comply with the regulation. However, this
may not always be appropriate. If there is an existing approach that is likely to
provide adequate and sufficient evidence of compliance with a code of practice that
can be cited as such, then it is acceptable to cite a code of practice in its entirety.
However, if this is not possible, consideration should be given to identification of the
clauses in the code of practice that specify individual safety requirements to be
complied with.
G9.2.8 A good safety requirement should be accurate, unambiguous, achievable and
testable. Where a requirement specifies different elements, which may be checked at
different times, it may be easier to split the requirement into multiple requirements. It
is good practice to record the rationale for a requirement, in case assumptions
change or new information emerges that means the requirement has to be reviewed,
revalidated or changed. This may be done by recording a requirement with cross-
references to documents containing the rationale for the requirement. Systematic
cross-referencing of this sort is often referred to as 'traceability' and some databases
can assist with the process of recording and maintaining traceability.

G9.3 Demonstration of compliance with safety requirements

G9.3.1 The CSM RA regulation (Annex I, points 3.1 and 3.2) requires that:

Prior to the safety acceptance of the change, fulfilment of the safety requirements
resulting from the risk assessment phase shall be demonstrated under the
supervision of the proposer.
and that:
This demonstration shall be carried out by each of the actors responsible for
fulfilling the safety requirements.


G9.3.2 The proposer is responsible for ensuring that compliance with all safety requirements
is demonstrated, and for gathering together the necessary evidence that this is the
case. However, some of that evidence may be developed by other actors.
G9.3.3 Compliance with a safety requirement may be demonstrated by testing, inspection,
certification, analysis or some combination thereof.
G9.3.4 It is good practice to plan how a safety requirement will be implemented and
demonstrated as soon as possible after the requirement has been identified. This
analysis may reveal further detail needed to specify the requirement more clearly at
an early stage where correction is easier.
G9.3.5 It may be possible to demonstrate compliance with some safety requirements by
existing standard project processes. It is good practice to review these existing
verification, validation and demonstration processes, such as NoBo and DeBo
activities, and take them into account to avoid duplication or unnecessary activities in
demonstrating compliance with safety requirements.
G9.3.6 When a supplier carries out demonstration of compliance on behalf of a proposer, the
proposer should agree the format of the demonstration records to facilitate the
proposer's task of co-ordinating all evidence of compliance. This may be detailed
records, or it may be sufficient to supply a summary of the results recorded in a
'certificate of compliance' or similar. The proposer's approach should be pragmatic and
proportionate to the risk associated with the safety requirement.
G9.3.7 Demonstration records should contain full details such as the versions of the elements
that were tested, inspected or analysed. In this way, it is possible to trace, review and
if necessary repeat a demonstration activity as part of the iterative process of a
project development.
G9.3.8 Complete and sufficient evidence is needed to support independent assessment
activities (as required by the CSM RA process, but also if review activities are carried
out outside the CSM RA process). In a CSM RA assessment, the proposer and the
independent AsBo should agree the level of checking proportionate to the size and
nature of the risk. In some cases audit activity might encompass the witnessing of
some tests and in others, review of the records alone will be deemed sufficient. This
planning material should be included in the Safety Plan and the Independent
Assessment Plan.

G9.4 Managing safety requirements

G9.4.1 It is good practice to track the progress towards demonstrating compliance with the
safety requirements. In a complex project, with safety requirements produced by
different parties, this may be a significant task. This may be achieved in a table which
shows how compliance with each requirement will be demonstrated and records
when and how compliance has been achieved. In a simpler assessment with a smaller
number of safety requirements it might be more appropriate to manage them in a
simple document.
G9.4.2 The project hazard record may be used to track implementation of safety
requirements. Alternatively, if the safety requirements have been stored in a
database, then additional tables within the same database may be used to record the
status of compliance with the safety requirements.
G9.4.3 Issues of three types may arise after safety requirements have been formulated:
a) The safety requirements are found to be inadequate to sufficiently cover a hazard.
b) It emerges that one or more safety requirements will not be implemented.
c) A safety requirement is based upon an assumption that requires confirmation, or
that changes.
G9.4.4 These issues are discussed below.
G9.4.5 The CSM RA regulation (Annex I, point 3.4) requires that:

Any inadequacy of safety measures expected to fulfil the safety requirements or
any hazards discovered during the demonstration of compliance with the safety
requirements shall lead to reassessment and evaluation of the associated risks by
the proposer [...]. The new hazards shall be registered in the hazard record [...].

G9.4.6 If the proposer identifies that the safety measures are inadequate, it will be
necessary to review the risk management results from the point where the
inadequacy was introduced, updating the hazard record, safety requirements and
other outputs, as necessary.
G9.4.7 If compliance with a safety requirement cannot be achieved because it is no longer
appropriate or possible, then the safety requirement needs to be amended or
withdrawn, otherwise the independent assessor would have to record it as a non-
compliance.
G9.4.8 The CSM RA regulation (Annex I, points 1.2.3, 1.2.4 and 1.2.5) requires that:

For the system under assessment, any actor who discovers that a safety measure is
non-compliant or inadequate is responsible for notifying it to the proposer, who
shall in turn inform the actor implementing the safety measure.
The actor implementing the safety measure shall then inform all the actors affected
by the problem either within the system under assessment or, as far as known by the
actor, within other existing systems using the same safety measure.
When agreement cannot be found between two or more actors it is the
responsibility of the proposer to find an adequate solution.

G9.4.9 If it is found that one or more of the identified safety requirements will not be
implemented, then the proposer should co-ordinate the parties involved to agree a
resolution. This may result in the identification of new hazards or new causes to
existing hazards, which in turn may lead to the identification of new safety
requirements. This may further require revising the system definition, reviewing or
repeating some of the risk evaluation process, and updating the hazard record to
confirm that the risk associated with all hazards is acceptable with the new set of
safety requirements.


G9.4.10 The risk assessment process and safety requirements will usually depend on a set of
assumptions, dependencies or caveats. These should be recorded in the system
definition. If safety requirements are stored in a database, then it is good practice to
store assumptions in a table in the same database so that hazards, safety
requirements and assumptions are traceable.
G9.4.11 As a project develops and more details are finalised the set of assumptions,
dependencies and caveats will need to be reviewed and validated. If they are found
to have changed, then the associated risk assessment will need to be reviewed and
updated as necessary. In some cases, the assumptions can only be confirmed once in
the operational phase of a project, that is, after handover. This highlights the
importance of defining and recording the assumptions and rationale as accurately
and traceably as possible. The ultimate aim is to have a stable system definition,
hazard record, safety requirements, and set of assumptions that are consistent with
the final project details, as built or implemented.
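The following is an added illustration of the arrangement described in G9.2.4, G9.4.1 and G9.4.10, and is not part of GEGN8646 or any RSSB template: hazards, safety requirements, assumptions and compliance evidence held as separate tables in one database, with queries that report the gaps a proposer or AsBo would look for (requirements without demonstrated compliance, assumptions not yet validated, and hazards whose requirements are all evidenced). The table and column names are this example's own choices, and the records loaded by load_sample() are constructed for illustration.

```python
"""Traceable store for hazards, safety requirements and assumptions.

Added example (not from GEGN8646). Hazards, safety requirements, assumptions and
compliance evidence live in separate tables of one SQLite database so that each
can be traced to the others (G9.4.10). Schema names are this example's own
choices; the sample records are constructed, not taken from any real project.
"""
import sqlite3

SCHEMA = """
CREATE TABLE hazard (
    id     TEXT PRIMARY KEY,
    title  TEXT NOT NULL
);
CREATE TABLE safety_requirement (
    id         TEXT PRIMARY KEY,
    hazard_id  TEXT NOT NULL REFERENCES hazard(id),
    text       TEXT NOT NULL,
    rationale  TEXT NOT NULL,   -- G9.2.8: why the requirement exists
    owner      TEXT NOT NULL    -- actor responsible for demonstrating it
);
CREATE TABLE assumption (
    id              TEXT PRIMARY KEY,
    requirement_id  TEXT NOT NULL REFERENCES safety_requirement(id),
    text            TEXT NOT NULL,
    validated       INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE compliance_evidence (
    requirement_id  TEXT NOT NULL REFERENCES safety_requirement(id),
    method          TEXT NOT NULL,   -- testing, inspection, certification, analysis
    item_version    TEXT NOT NULL,   -- G9.3.7: version of the element demonstrated
    reference       TEXT NOT NULL    -- where the demonstration record is filed
);
"""


def open_store():
    """Create an empty in-memory store with the schema above."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(SCHEMA)
    return con


def load_sample(con):
    """Constructed sample records (hazards, requirements, assumptions, evidence)."""
    con.executemany("INSERT INTO hazard VALUES (?, ?)", [
        ("H-01", "Train departs with a door not fully closed"),
        ("H-02", "Driver misreads the new cab display"),
    ])
    con.executemany("INSERT INTO safety_requirement VALUES (?, ?, ?, ?, ?)", [
        ("SR-01", "H-01", "Traction shall be inhibited until all doors are proved closed",
         "Removes the departure cause of H-01", "Manufacturer"),
        ("SR-02", "H-01", "Door interlock self-test shall be part of the daily fitness-to-run check",
         "Detects latent interlock faults between maintenance visits", "RU"),
        ("SR-03", "H-02", "Drivers shall complete conversion training before driving in service",
         "Mitigates misreading during the familiarisation period", "RU"),
    ])
    con.executemany("INSERT INTO assumption VALUES (?, ?, ?, ?)", [
        ("A-01", "SR-01", "Door-closed sensors are of the type covered by the supplier safety case", 1),
        ("A-02", "SR-03", "All drivers rostered on the route are trained before go-live", 0),
    ])
    con.executemany("INSERT INTO compliance_evidence VALUES (?, ?, ?, ?)", [
        ("SR-01", "testing", "TCMS software v2.1", "constructed ref: test report TR-014"),
        ("SR-02", "inspection", "Fitness-to-run procedure issue 3", "constructed ref: review minute PRM-07"),
    ])
    con.commit()


def build_sample_store():
    con = open_store()
    load_sample(con)
    return con


def requirements_without_evidence(con):
    """G9.4.1: requirements whose compliance has not yet been demonstrated."""
    rows = con.execute("""
        SELECT r.id FROM safety_requirement r
        LEFT JOIN compliance_evidence e ON e.requirement_id = r.id
        WHERE e.requirement_id IS NULL ORDER BY r.id""").fetchall()
    return [r[0] for r in rows]


def unvalidated_assumptions(con):
    """G9.4.11: assumptions still to be confirmed, traced to requirement and hazard."""
    return con.execute("""
        SELECT a.id, r.id, r.hazard_id FROM assumption a
        JOIN safety_requirement r ON r.id = a.requirement_id
        WHERE a.validated = 0 ORDER BY a.id""").fetchall()


def hazards_fully_evidenced(con):
    """Hazards whose every requirement has evidence and every assumption is validated."""
    rows = con.execute("""
        SELECT h.id FROM hazard h
        WHERE EXISTS (SELECT 1 FROM safety_requirement r WHERE r.hazard_id = h.id)
          AND NOT EXISTS (
              SELECT 1 FROM safety_requirement r
              LEFT JOIN compliance_evidence e ON e.requirement_id = r.id
              WHERE r.hazard_id = h.id AND e.requirement_id IS NULL)
          AND NOT EXISTS (
              SELECT 1 FROM assumption a
              JOIN safety_requirement r ON r.id = a.requirement_id
              WHERE r.hazard_id = h.id AND a.validated = 0)
        ORDER BY h.id""").fetchall()
    return [r[0] for r in rows]
```

Because the evidence rows carry the version of the item demonstrated (G9.3.7), the same queries can be re-run after a design change to show which demonstrations refer to superseded versions and need repeating.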

G9.5 Further advice on safety requirements

G9.5.1 The RSSB website (www.rssb.co.uk) contains additional information and templates
relating to management of safety requirements.
G9.5.2 The ORR's guidance on the CSM RA contains guidance on the identification and
management of safety requirements in the context of CSM RA (orr.gov.uk).
G9.5.3 EN 50126 for railway applications on the specification and demonstration of
reliability, availability, maintainability and safety, contains useful guidance on risk
assessment principles including safety requirements.
G9.5.4 ISO 31000:2009 and the related standard EN 31010:2010 contain details on
'controls assessment' and 'risk treatment' which relate to the identification of safety
measures and safety requirements to control risk. These are sometimes referred to as
'risk mitigation', 'risk elimination', 'risk prevention' and 'risk reduction'.


Part 10 Hazard Management


G10.1 Overview of hazard management and hazard records

G10.1.1 Hazard management is concerned with how identified and analysed hazards are
addressed in a proportionate manner. A key part of this process is recording and
demonstrating how hazards have been or will be controlled to ensure risk is
acceptable and the proposed change will be safe.
G10.1.2 The CSM RA regulation (Annex I, point 2.1.7) states:

The iterative risk assessment process can be considered as completed when it is
demonstrated that all safety requirements are fulfilled and no additional reasonably
foreseeable hazards have to be considered.

G10.1.3 The risk management process can be regarded as a process of identifying all hazards
and then moving them all to closure. A hazard is closed when there is demonstrable
evidence that the safety requirements controlling the hazard have been met.
However, some safety requirements may only be fully implemented once a system is
in operation.
G10.1.4 The hazard record is used to track progress towards the closure of hazards. It is good
practice to maintain a live document to track the progress of hazards in this way. The
hazard record may take different forms, such as a hazard log, or a risk or
hazard register. Other forms of hazard record may be suitable depending on the size
and nature of the change. It may be possible to combine the hazard record with
existing project recording processes, although it is important to be able to
demonstrate that hazards and safety requirements are being controlled, and so it
may be necessary at some point to separate safety requirements from other project
requirements. For a simple change project, the hazard record may be a relatively
simple document covering the aspects of hazard management outlined in this
section.
G10.1.5 The hazard record is a key output particularly after the application of the risk
management process is complete as it provides evidence that safety requirements
have been met, and that the hazards have been closed. It also provides a record of
the conditions under which the change should be operated (assumptions,
dependencies and caveats).
G10.1.6 The hazard record and demonstration of compliance with safety requirements will be
a key element used by the proposer of a change to support their 'Declaration by the
proposer' according to Article 16 of the CSM RA regulation:

Based on the results of the application of this Regulation and on the safety
assessment report provided by the assessment body, the proposer shall produce a
written declaration that all identified hazards and associated risks are controlled to
an acceptable level.

G10.1.7 It is the objective of the CSM RA process to ensure that all identified hazards and
associated risks are controlled to an acceptable level.

G10.2 Producing a hazard record

G10.2.1 The CSM RA regulation (Annex I, point 1.1.3) requires that:

The proposer in charge of the risk management process required by this Regulation
shall maintain a hazard record [...].

G10.2.2 Sometimes hazards may be managed by multiple actors or parties and, therefore, the
proposer's hazard record may be supported by other documents or hazard records
maintained by other actors. Where actors have been maintaining separate hazard
records, then the records will usually be handed over to the proposer at the
appropriate point in the project to be combined and coordinated. The proposer is
responsible for integrating or co-ordinating separate hazard records and managing
the overall system hazard record.
G10.2.3 Further detail is set out in points 4.1.1 and 4.1.2 of Annex I of the CSM RA regulation,
which require that versions of the hazard record should be kept live and up to date
throughout the project. The final version is then used and maintained by the IM or
RU in charge of the operation of the system. The hazard record contains important
information that will be useful for managing the hazards after the change is
complete and operation is live. It is good practice for all risk assessments to track
hazards, safety requirements and assumptions, whether applied under the CSM RA or
not.
G10.2.4 A hazard record contains information about each hazard and usually takes the form
of a table with a row for each hazard and columns for the different sorts of
information that are kept for each hazard. The table may be maintained using a
database, spreadsheet or word processing tool. A database may be more appropriate
for more complex projects where there are a significant number of hazards from
various sources. For simple projects with a small number of hazards a simple
word-processed document may be sufficient.
G10.2.5 At the end of a project, the proposer's project organisation hands over its combined
and finalised hazard record to the operational organisation (either internal or
external).
G10.2.6 When the final version of the hazard record is handed over to another party, it may
assist the recipient if information which was relevant to the project but is not relevant
to the rest of the asset life cycle is removed first; for example, the names of the
people who took actions may be of limited use to the final operating organisation.
G10.2.7 The CSM RA regulation (Annex I, point 4.1.1) states:

...once the system has been accepted and is operated, the hazard record shall be
further maintained by the infrastructure manager or the railway undertaking in
charge with the operation of the system under assessment as an integrated part of
its safety management system.

G10.2.8 The hazards from the project hazard record will ultimately need to be integrated into
the ongoing SMS of the operating organisation. Therefore, consideration should be
given to structuring the records in such a way as to facilitate this integration. This
ensures transfer of knowledge and understanding of the hazards into the duty
holders' SMSs for their part of the operational railway.

G10.3 The hazard management process

G10.3.1 The hazard management process is a live iterative process as a project progresses,
and hazards can be considered to progress through a 'life cycle' or a series of states
throughout the life of a project. An example hazard life cycle is shown in Figure 7. The
ovals represent the states and the arrows depict possible transitions between states.
Other terms may be used.

Figure 7: An example hazard life cycle

G10.3.2 The meaning of each state is as follows:


a) Open: the initial status assigned when a hazard is identified.
b) Resolved: the risk evaluation process has been completed and safety requirements
have been identified which, when implemented, will be sufficient to control the
risk to an acceptable level.
c) Cancelled: the potential hazard has been determined not to be an actual hazard,
or to be wholly contained within another hazard, so no further action is necessary.
Care should be taken with this status as once a hazard is marked as cancelled it is
unlikely to receive any further consideration or scrutiny.
d) Transferred: the hazard has been transferred to another actor who now takes the
lead in delivering the associated safety requirements for controlling the risk of the
hazard. The proposer retains responsibility for managing the hazard.
e) Managed: compliance with all safety requirements related to the hazard has been
demonstrated, any other actions associated with the hazard have been
satisfactorily completed, and so no further action is required for the stage of
implementation. It should be noted, however, that some safety requirements may
only be fully implemented, or confirmed with evidence, once a system is in
operation or live. It may be useful, in some instances, to describe a hazard as
'managed for design', 'managed for commissioning', etc., to acknowledge that
safety requirements have been implemented appropriate to different stages of
implementation.
f) Closed: a hazard is considered finally closed when it has been entirely eliminated,
or is no longer relevant due to changes, or there are absolutely no further actions
to be taken and the residual hazard has been transferred to the asset owner or
operator for managing under normal operations and maintenance.
G10.3.3 It may be necessary to reopen a resolved or managed hazard, for instance if
assumptions in the system definition change.
G10.3.4 Sometimes, progressing a hazard from 'Open' to 'Managed' may require co-
ordinating activity from more than one actor.
G10.3.5 There is a 'Transferred' state shown in this life cycle because sometimes hazards may
be managed by multiple actors managing multiple hazard records. The co-ordination
arrangements are discussed in the following section.
G10.3.6 The information in the hazard record is essential to the management of risk and
therefore care should be taken to ensure that it is accurate and contains a suitable
and proportionate amount of detail.
G10.3.7 Typically, a small number of people, or maybe a single hazard record manager, safety
engineer, or safety manager, will have responsibility for managing and updating the
hazard record. This may be a significant task for complex projects co-ordinating
hazard record material from various organisations.
G10.3.8 It is good practice to keep a log of the changes made to the hazard record and the
reasons for each change, and to archive versions of the hazard record. This makes it
easier to diagnose and correct any errors that are made when updating the hazard
record and to track changes in rationale and the effects of new information. If a
database is being used to hold the hazard record, then it may be possible to maintain
a change history using the journal facility of the database tool. If not, it may be
maintained as a separate part of the hazard record.
G10.3.9 An up-to-date version of the hazard record should be maintained and available to all
the actors responsible for controlling the hazards as the project progresses.
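As an added illustration of the hazard life cycle in G10.3.2, the reopening rule in G10.3.3 and the change journal in G10.3.8 (not part of GEGN8646, and not a reproduction of Figure 7), the following tracker enforces which state changes are permitted, refuses any change that does not record a reason, and keeps the history of every change. The states are those listed in G10.3.2; the permitted transitions in TRANSITIONS are this example's assumption, since the arrows of Figure 7 are not reproduced in the text, and the hazard and requirement identifiers in demo() are constructed.

```python
"""Hazard life-cycle tracker with a change journal.

Added example, not from GEGN8646 or Figure 7. States follow G10.3.2; the
transition table is an assumption (the figure's arrows are not in the text).
Every change records who made it and why (G10.3.8), Cancelled and Closed are
terminal, and Resolved or Managed hazards can be reopened (G10.3.3).
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed transitions; Figure 7 itself is not reproduced in the guidance text.
TRANSITIONS = {
    "Open":        {"Resolved", "Cancelled", "Transferred"},
    "Transferred": {"Resolved", "Open"},   # lead actor reports back to the proposer
    "Resolved":    {"Managed", "Open"},
    "Managed":     {"Closed", "Open"},
    "Cancelled":   set(),                  # terminal: G10.3.2 c) warns of no further scrutiny
    "Closed":      set(),                  # terminal: G10.3.2 f)
}
TERMINAL = {state for state, nxt in TRANSITIONS.items() if not nxt}


class IllegalTransition(ValueError):
    """Raised when a change is not permitted by the life cycle or lacks a reason."""


@dataclass
class Hazard:
    hazard_id: str
    description: str
    state: str = "Open"
    stage: Optional[str] = None            # 'design', 'commissioning', ... for Managed
    journal: List[dict] = field(default_factory=list)

    def transition(self, new_state: str, actor: str, reason: str,
                   stage: Optional[str] = None) -> "Hazard":
        """Move to new_state if the life cycle permits it, journaling the change."""
        if new_state not in TRANSITIONS:
            raise IllegalTransition(f"unknown state {new_state!r}")
        if new_state not in TRANSITIONS[self.state]:
            raise IllegalTransition(
                f"{self.hazard_id}: {self.state} -> {new_state} is not permitted")
        if not reason.strip():
            raise IllegalTransition("every change must record its reason (G10.3.8)")
        self.journal.append({"from": self.state, "to": new_state,
                             "actor": actor, "reason": reason, "stage": stage})
        self.state = new_state
        self.stage = stage if new_state == "Managed" else None
        return self

    def reopen(self, actor: str, reason: str) -> "Hazard":
        """G10.3.3: a Resolved or Managed hazard returns to Open."""
        return self.transition("Open", actor, reason)

    def status(self) -> str:
        """Label in the 'Managed for design' style of G10.3.2 e)."""
        if self.state == "Managed" and self.stage:
            return f"Managed for {self.stage}"
        return self.state


def try_transition(h: Hazard, new_state: str, actor: str, reason: str) -> bool:
    """Attempt a transition; False (and the hazard unchanged) when it is forbidden."""
    try:
        h.transition(new_state, actor, reason)
        return True
    except IllegalTransition:
        return False


def outstanding(hazards: List[Hazard]) -> List[str]:
    """Hazards not yet in a terminal state: what remains to be moved to closure (G10.1.3)."""
    return [h.hazard_id for h in hazards if h.state not in TERMINAL]


def demo() -> Hazard:
    """Walk one constructed hazard through the life cycle, including a reopen."""
    h = Hazard("H-07", "Platform edge gap exceeds tolerance at new stop position")
    h.transition("Resolved", "safety engineer", "SR-12 stop-marker relocation agreed")
    h.transition("Managed", "safety engineer", "Drawings checked against SR-12", stage="design")
    h.reopen("hazard record manager", "Vehicle type assumption changed in system definition")
    h.transition("Resolved", "safety engineer", "SR-12 revised for new vehicle step height")
    h.transition("Managed", "safety engineer", "Site survey confirms gap in tolerance", stage="commissioning")
    h.transition("Closed", "proposer", "Residual hazard handed to station operator under its SMS")
    return h
```

The journal entries are the change log G10.3.8 recommends; archiving a copy of the hazard list at each milestone gives the versioned record the same paragraph asks for, and outstanding() is the view a hazard record manager would use to see what still needs action.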

G10.4 Co-ordinating hazard management activities

G10.4.1 It is often the case that hazards will require activities by one or more parties or
organisations to close them. This requires co-ordination.
G10.4.2 Concerning the co-ordination of interfaces, the CSM RA regulation (Annex I, point
1.2.1) requires that:

For each interface relevant to the system under assessment and without prejudice
to specifications of interfaces defined in relevant TSIs, the rail-sector actors
concerned shall cooperate in order to identify and manage jointly the hazards and
related safety measures that need to be handled at these interfaces. The
management of shared risks at the interfaces shall be coordinated by the proposer.

G10.4.3 To discharge these responsibilities, the proposer of a change should set up
arrangements for:
a) Exchanging information about hazards and related safety requirements (where
identified) with other actors involved in the change.
b) Ensuring that information that should be passed to another actor is passed on
promptly.
c) Ensuring that information passed to it by another actor, and which requires action,
is acted upon promptly.
G10.4.4 In the railway industry there are various clearly defined roles and responsibilities, and
therefore certain organisational interfaces commonly arise. In all cases the
responsibility for co-ordination of hazard management activities and demonstration
of safety requirements remains with the proposer. The CSM RA regulation (Annex I,
point 4.2) requires that:

All hazards and related safety requirements which cannot be controlled by one actor
alone shall be communicated to another relevant actor in order to find jointly an
adequate solution. The hazards registered in the hazard record of the actor who
transfers them shall only be 'controlled' when the evaluation of the risks associated
with these hazards is made by the other actor and the solution is agreed by all
concerned.

G10.4.5 Ultimately it is the IM and/or RU that implements the change on the railway. Co-
ordination of arrangements to meet safety requirements associated with the
operation and maintenance of the railway is typically between these actors. The
proposer may need another actor to implement the safety requirement at a shared
interface, typically another RU or IM. In this case, the proposer should:
a) Make the other actor aware of the relevant hazards identified and agree with
them any additional safety measures needed to control the hazard risk.
b) Enter the relevant information in the hazard record, and system definition.
c) Maintain an appropriate dialogue with the other actor for the duration of the
project.
d) Gather evidence that the safety requirements have been met, at appropriate
points in the project life cycle.
G10.4.6 There are two broadly different approaches to co-ordinating hazard management
activities by a manufacturer, designer, or supplier, as described in the following
explanatory examples.
G10.4.7 In the first example of a manufacturer performing risk assessment of a system, the
design of the system might be quite separate from the specific change
implementation project. The manufacturer would apply a risk management process,
based on certain operational assumptions, to derive safety measures whose
implementation would be outside its direct control. These safety measures are
sometimes referred to as application conditions. The operational environment
assumed by the manufacturer for its risk assessment would tend to be based on
commercial considerations, and the anticipated potential use of the system. Actors
who wish then to use the system being manufactured would need to implement the
identified measures, verify assumed environmental conditions are valid, and perform
a risk assessment specific to the actual change to be implemented. The organisation
putting the system into use would:
a) Consider the appropriateness and sufficiency of each safety requirement to their
project.
b) Implement the safety requirement.
c) Supervise the demonstration of compliance with the safety requirement.
d) Keep the system definition and hazard record up to date (that is, include any
additional hazards or hazard causes associated with the requirement, as
appropriate).
G10.4.8 In another example of a manufacturer performing a system risk assessment, an
actual change proposer, such as an RU or IM implementing a change, might have a
stronger influence on the design of the technical system, and work with the
manufacturer to develop a system as an integrated part of its change project. In this
case there is more likely to be a two-way dialogue where one or more safety
requirements and/or hazards would be passed to the manufacturer. In this instance
the RU or IM proposer should:
a) Instruct the manufacturer to implement the necessary parts of the risk
management process, including maintaining a hazard record.
b) Agree the transfer of the safety requirements, and reflect that in the system
definition and hazard record.
c) Discuss the transfer of hazards with the supplier and jointly agree an adequate
solution.
d) Supervise the demonstration of compliance with the safety requirements.
e) Keep the system definition and hazard record up to date.
G10.4.9 There may be variations in the above example arrangements; however, the key
principles of appropriate communication and co-ordination remain valid and should be
applied.
G10.4.10 The co-ordination of the hazard management, and demonstration of implementation
of safety requirements will be the responsibility of the proposer of the change. But
this will also usually rely on the support of other organisations involved at different
stages of the project life cycle, such as the manufacturer or the operating and
maintaining organisations.

G10.5 Further advice on hazard management

G10.5.1 The RSSB website (www.rssb.co.uk) contains additional information and templates
relating to hazard management and hazard records.


G10.5.2 The ORR's guidance on the CSM RA contains guidance on the CSM RA risk evaluation
and risk acceptance processes, including the CSM RA hazard record (orr.gov.uk).
G10.5.3 EN 50126 for railway applications on the specification and demonstration of
reliability, availability, maintainability and safety, contains useful guidance on risk
assessment, including the production and management of a hazard log.


Part 11 Independent Assessment


G11.1 Overview of independent assessment

G11.1.1 It is good practice to incorporate independent assessment, checking or review for all
risk assessment processes. This enhances the robustness of the process, validates the
results of the assessment, and ensures the risk management and decision-making
processes are suitable and sufficient. Review and checking could be carried out by a
different team member, a different department, a different organisation within an
alliance, or by a third-party AsBo. The guiding principle for any risk assessment is that
independent review should be proportionate to the nature and size of risk involved;
this should direct the quantity and depth of review, and the level of independence.
The strategy for independent review should be included in the safety plan.

G11.2 Independent assessment in the CSM RA

G11.2.1 Where a change has been determined to be significant, it is a mandatory requirement
of the CSM RA regulation (Article 6(1)) that:

An assessment body shall carry out an independent assessment of the suitability of
both the application of the risk management process as set out in Annex I and of its
results.

G11.2.2 Independent assessment of the 'results' means that they are reviewed to the extent
necessary to support the AsBo's judgement of how the process has been applied,
rather than checking and validation of every detail.
G11.2.3 It should be noted that it is not the AsBo's role to determine that the change is safe.
This remains the responsibility of the proposer; the ORR Guidance on the CSM RA
confirms that:

The assessment body's role in oversight does not remove the responsibility of the
proposer for overall safety. In all cases the proposer remains responsible for safety
and takes the decision to implement the proposed change.

G11.2.4 The CSM RA regulation sets out requirements that the AsBo must meet, including
requirements on competence and independence. The AsBo may be a separate
company, but it is possible for a proposer to meet these requirements while using a
department of its own organisation as the AsBo, provided it fulfils the criteria required
in Annex II of the CSM RA regulation. The decision should be pragmatic,
proportionate and justified.
G11.2.5 A good assessment will be one that provides early engagement and timely feedback
to the proposer, thereby encouraging a robust and efficient application of the CSM
RA risk management processes.


G11.3 The CSM RA assessment body (AsBo)

G11.3.1 The role of a CSM RA assessment body


G11.3.1.1 A CSM RA assessment body (AsBo) is appointed to perform the independent
assessment. According to the CSM RA regulation (Article 6), to perform the
assessment, the AsBo's role is to:

a) ensure it has a thorough understanding of the significant change based on the
documentation provided by the proposer.
b) conduct an assessment of the processes used for managing safety and quality
during the design and implementation of the significant change, if those processes
are not already certified by a relevant conformity assessment body.
c) conduct an assessment of the application of those safety and quality processes
during the design and implementation of the significant change.

G11.3.1.2 As such, an AsBo is required to assess two fundamental aspects of the proposer's
implementation of the CSM RA:
a) Has the risk management process (CSM RA, Annex I) been suitably applied?
b) Are the results emerging from the application of the risk management process
suitable?
G11.3.1.3 In fact, the two questions are interdependent; for example, the quality of the safety
material being produced will be dependent on, and an indication of, the rigour of the
risk management process being undertaken.
G11.3.1.4 AsBo activities should be focussed on addressing these two questions.

G11.3.2 Selecting and appointing an AsBo


G11.3.2.1 It is the responsibility of the proposer of a significant change to appoint an AsBo
(CSM RA regulation Article 6(1)).
G11.3.2.2 The following are the requirements for the AsBo as set out in the CSM RA regulation
(Annex II):

1 The assessment body shall fulfil all requirements of the ISO/IEC 17020:2012
standard and of its subsequent amendments. The assessment body shall exercise
professional judgement in performing the inspection work defined in that standard.
The assessment body shall fulfil both the general criteria concerning competence
and independence in that standard and the following specific competence criteria:
(a) competence in risk management: knowledge and experience of the standard
safety analysis techniques and of the relevant standards;
(b) all relevant competences for assessing the parts of the railway system affected
by the change;
(c) competence in the correct application of safety and quality management
systems or in auditing management systems.


2 By analogy to Article 28 of Directive 2008/57/EC concerning the notification of
notified bodies, the assessment body shall be accredited or recognised for the
different areas of competence within the railway system, or parts of it for which an
essential safety requirement exists, including the area of competence involving the
operation and maintenance of the railway system.
3 The assessment body shall be accredited or recognised for assessing the overall
consistency of the risk management and the safe integration of the system under
assessment into the railway system as a whole. This shall include competence of the
assessment body in checking the following:
(a) organisation, that is the arrangements necessary to ensure a coordinated
approach to achieving system safety through a uniform understanding and
application of risk control measures for subsystems;
(b) methodology, that is evaluation of the methods and resources deployed by
various stakeholders to support safety at subsystem and system level; and
(c) the technical aspects necessary for assessing the relevance and completeness of
risk assessments and the level of safety for the system as a whole.

G11.3.2.3 For most significant changes, it will be necessary to form a team to act as the AsBo,
because often no single individual will possess all the necessary training, knowledge
and experience to cover all aspects.
G11.3.2.4 The competence of the AsBo and the degree of independence of the AsBo from the
organisation making the change are governed by the standard EN ISO/IEC
17020:2012 on Conformity assessment - Requirements for the operation of various
types of bodies performing inspection.
G11.3.2.5 In the UK, AsBos are accredited by UKAS (the United Kingdom Accreditation Service)
and the schedules of accreditation are published on UKAS's website. As ISO 17020
'Inspection Bodies', AsBos can be accredited as Type A (providing third party
inspections only), Type B (in-house inspection body only) or Type C (first/second party
providing in-house or external inspections).
G11.3.2.6 If the AsBo role is being performed by persons from within the proposer's
organisation, consideration needs to be given to the appropriate degree of separation
between responsibilities for project delivery and responsibilities for conducting the
assessment in accordance with EN ISO/IEC 17020. The ORR Guidance on the CSM RA
indicates the following factors that need to be considered to demonstrate that an in-
house AsBo is independent:
a) Different line management.
b) No involvement with the development of the safety measures associated with the
system under assessment.
c) Freedom from undue commercial influence or bias.
G11.3.2.7 The ability of an AsBo performing assessment from within a proposer's organisation
to manage such impartiality and independence issues will be reviewed by UKAS
during their accreditation visits to the AsBo.


G11.4 CSM RA independent safety assessment plan

G11.4.1 In entering into an agreement with an AsBo the proposer of a change will need to
agree the scope of the assessment with the AsBo.
G11.4.2 The activities required to carry out an independent assessment may be complex and
could require significant co-ordination between different parties, with the aim of
producing an effective final SAR. The CSM RA regulation requires that the AsBo
prepares a plan covering their scope of assessment. This plan should provide a clear
and common understanding between the proposer of the change and the AsBo.
Where the change project is simple and independent safety assessment is
uncomplicated, the plan could be relatively basic.
G11.4.3 A plan for independent assessment will usually be drawn up by the AsBo in
conjunction with the proposer and the other actors involved in the project, because
they will have to support the activities in the plan.
G11.4.4 The proposer and the AsBo should agree at the beginning of the assessment process
the number and types of assessment activities that the AsBo will carry out.
Ultimately, however, the AsBo will have to determine how much assessment is
required to reach an appropriate assessment conclusion. This can be outlined in the
plan and will indicate the anticipated depth and breadth of the independent
assessment necessary to support final conclusions, as well as indicating the expected
cost and effort required.
G11.4.5 It is good practice in larger projects to plan for interim SARs at different project
stages before the final SAR; interim SARs might be particularly useful at substantive
stages of a project, for example operational stages of infrastructure projects.

G11.5 Undertaking the CSM RA safety assessment work

G11.5.1 The CSM RA regulation (Annex I, point 5.1) states that:

The risk management process used to assess the safety levels and compliance with
safety requirements shall be documented by the proposer in such a way that all the
necessary evidence showing the suitability of both the application of the risk
management process and of its results are accessible to an assessment body.

G11.5.2 An AsBo will normally inspect a sample of safety evidence sufficient to support its
assessment conclusions. This avoids excessive and unnecessary costs which would be
involved in checking every element in detail. However, this does mean that the CSM
RA independent assessment does not usually provide a complete validation of every
detailed element of a change. The key principle should be that the depth and breadth
of review should be pragmatic and proportional to the size and nature of the risk
associated with the change. It is not expected that AsBos check everything in detail; a
sample based audit approach should be applied, focused on higher risk hazards,
guided by emerging findings.
G11.5.3 In a relatively simple project, there might be 50-100 hazards which could all be
considered in detail. However, in a bigger project or programme of work, with several
hazard logs, it is not the AsBo's role to check every hazard in detail. In this case, it is
more appropriate to apply a combination of vertical and horizontal sample checking,
in other words, a broad general review of all hazards, then selecting a small number of
hazards to be reviewed in detail.
G11.5.4 The members of an AsBo's team may collect sample evidence through various
activities, including:
a) Inspecting documents.
b) Attending meetings.
c) Witnessing tests.
d) Inspecting equipment.
e) Carrying out audits to collect information about process operation.
G11.5.5 It will often be more efficient and effective to use a mixture of these activities,
because different activities will provide insight into different aspects of the project.
G11.5.6 The CSM RA regulation (Annex I, point 5.2) indicates the expected documentation
produced by the proposer for the AsBo:

(a) a description of the organisation and the experts appointed to carry out the risk
assessment process;
(b) results of the different phases of the risk assessment and a list of all the
necessary safety requirements to be fulfilled in order to control the risk to an
acceptable level;
(c) evidence of compliance with all the necessary safety requirements;
(d) all assumptions relevant for system integration, operation or maintenance,
which were made during system definition, design and risk assessment.

G11.6 Avoiding duplication of safety assessment work

G11.6.1 The CSM RA regulation states that:

Duplication of work between the conformity assessment of the safety management
system as required by Directive 2004/49/EC, the conformity assessment carried out
by a notified body or a national body as required by Directive 2008/57/EC and any
independent safety assessment carried out by the assessment body in accordance
with this Regulation, shall be avoided.

G11.6.2 Depending upon the nature of the project, some other form of independent
assessment may be required by other aspects of UK and European law, such as
assessment of conformity with TSIs and assessment of safety certificates (for RUs) or
safety authorisations (for IMs). The CSM RA regulation Article 6(3) emphasises that
duplication of work between these types of assessment and the assessment required
by the regulation 'shall be avoided'. For further information on avoiding duplication
of assessment processes see the ORR's Guidance on the CSM RA.


G11.6.3 Directive 2004/49/EC is the Railway Safety Directive. In the UK, the ORR performs the
conformity assessments of the SMSs operated by IMs and RUs. To avoid duplication
between a CSM RA independent assessment and one of these conformity
assessments, the ORR Guidance suggests that an AsBo looking at the processes
operated by an IM or RU with a valid safety certificate or safety authorisation need
not examine processes in general but only the way that they are applied on the
project. The CSM RA regulation Article 6(b) highlights this in that the role of the AsBo
is to 'conduct an assessment ..., if those processes are not already certified by a
relevant conformity AsBo.'
G11.6.4 If aspects of a change fall under the scope of the Interoperability Directive
2008/57/EC, then these aspects are subject to assessment by a NoBo and where
applicable a DeBo. The risk of duplication can be reduced by:
a) Using the TSI and national rules as codes of practice for the purpose of applying
the CSM RA 'Codes of practice' risk assessment principle, and/or
b) Ensuring NoBo and DeBo assessment work is taken into account for the CSM RA
independent assessment, where possible, and if there is more than one AsBo for
different areas of a project that they use results from each other where
appropriate.
G11.6.5 If the CSM RA assessment is being called up within a TSI as the relevant risk
assessment to be used; then under the CSM RA regulation (Article 15(4)):

a notified body in charge of delivering the conformity certificate must accept the
declaration by the proposer unless it justifies and documents its doubts concerning
the assumptions made or the appropriateness of the results.

G11.6.6 There may be outputs from other relevant independent assessments available, for
example assessments against European reliability, availability, maintainability and
safety (RAMS) standards such as EN 50126. These outputs may be used to
demonstrate that elements of the CSM RA risk management processes have been
complied with.
G11.6.7 It is in the business interests of the proposer to avoid duplication because this reduces
the costs of assessment and also the risk of receiving inconsistent advice from
different assessment bodies.
G11.6.8 Careful co-ordination and planning of different assessments should help avoid
unnecessary duplication. In some cases, it might be practical and efficient to appoint
the same organisation to carry out multiple assessment roles. The CSM RA regulation
does not prohibit such an arrangement. An Independent Safety Assessor (ISA)
working under EN 50126 and an AsBo could be the same team or company if
managed with due diligence. This has the potential to reduce costs and avoid
potential duplication. However, in this case it would need to be clear what is being
done, for example as an ISA under EN 50126, and what is being done as an AsBo
under CSM RA. Roles, responsibilities, plans and reports should be clear, including legal
responsibilities.
G11.6.9 Where assessments are carried out by more than one organisation, duplication may
be avoided by co-ordinating the activities of the assessment bodies so that, where

appropriate, one AsBo makes use of the results of assessments performed by another
AsBo. For example, the reports produced by another AsBo may be passed to the AsBo
as evidence for compliance with safety requirements.
G11.6.10 Appointing the same organisation as a NoBo and AsBo may make it easier to re-use
work between the assessments, provided that a single organisation has the
necessary attributes to act in both roles.

G11.6.1 Recognition of safety material already assessed and accepted


G11.6.1.1 Mutual recognition of safety material is about accepting other independent review
work to support CSM RA independent assessment conclusions and avoid duplication.
There is a difference between general reuse of reasonable safety risk assessment
material, and a more formal 'CSM RA mutual recognition' between member states
under CSM-DT, that is, where a product accepted in one EU member state must be
accepted in another member state because it fulfils certain common acceptance
criteria; this is dealt with under mutually recognised CSM Design Targets (CSM-DT)
(see section G8.6).
G11.6.1.2 On mutual recognition of other safety material, the CSM RA regulation (Article 15(5))
states:

When a system or part of a system has already been accepted following the risk
management process specified in this Regulation, the resulting safety assessment
report shall not be called into question by any other assessment body in charge of
performing a new assessment for the same system. Mutual recognition shall be
conditional upon demonstration that the system will be used under the same
functional, operational and environmental conditions as the already accepted
system, and that equivalent risk acceptance criteria have been applied.

G11.6.1.3 Therefore, recognising and reusing existing explicit risk evaluation material and
independent assessment is possible and may help avoid duplication of work. However,
different acceptance criteria, other than the GB SFAIRP principle, may have been
used if the material was originally produced in another EU state. In this case there is a
requirement to demonstrate that the acceptance criteria are equivalent to GB
SFAIRP. There is also a requirement to demonstrate that the proposed system will be
used under the same functional, operational and environmental conditions as the
already accepted system or sub-system.

G11.6.2 EN 50126 ‘Independent Safety Assessor’ (ISA) activities


G11.6.2.1 The relationship between the review activities of an AsBo under the CSM RA and an
ISA under EN 50126 sometimes causes confusion, because the two activities have
related goals but are not identical.
G11.6.2.2 An AsBo and an ISA perform two similar, but different and separate review roles. The
CSM RA AsBo is providing an independent assessment of the suitability of both the
application of the risk management process, as set out in the CSM RA regulation, and
of its results. The EN 50126 ISA is assessing compliance with the requirements of EN
50126.


G11.6.2.3 It may be the case that ISA work produced under EN 50126 is relevant and can be
used as evidence to support an AsBo assessment, but it is not the case that both are
always needed. To accept ISA safety material, the AsBo has to have confidence in the
ISA's competency and the ISA's work. It should be noted that there can be variability
in quality and competency of ISA work and ISAs are not regulated in the way CSM RA
AsBos are. ISA material could be viewed as offering a second technical opinion, but is
not automatically valid for AsBo acceptance. Professional judgement and due
diligence are still required to evaluate the suitability of ISA material in the context of
a CSM RA independent assessment.
G11.6.2.4 The European Union Agency for Railways has published an explanatory note on the
CSM RA AsBo which makes the following comment on using ISA material to avoid
duplicating work:

...for a significant change in order to avoid unnecessary duplication of independent
safety assessments by different conformity assessment bodies and unnecessary
duplication of inherent costs, it is not necessary to appoint also an independent
safety assessor (ISA) for exactly the same scope of work

G11.6.2.5 As previously stated, an ISA and AsBo could be the same team or company if
managed with due diligence. This has the potential to reduce costs and avoid
potential duplication. However, in this case it would need to be clear what is being
done as an ISA and what is being done as an AsBo. Roles, responsibilities, including
legal responsibilities, should be clear, and plans and reports should be separate for
AsBo and ISA activities.

G11.7 Dealing with CSM RA non-compliances

G11.7.1 At the end of the independent assessment, non-compliances are included in the SAR.
However, by the time that the final SAR is written, there may only exist limited, and
potentially costly, solutions to resolve significant non-compliances. The CSM RA
regulation (Article 6(1)) contains the requirement to appoint the AsBo at the 'earliest
appropriate stage of the risk assessment process.' To facilitate early resolution of
potential non-compliances, it is good practice for the proposer to:
a) Appoint the AsBo at an early stage in the project. A reasonable interpretation of
this would be before any substantive risk assessment work has been undertaken
that might lead to non-compliances being raised, and
b) Agree arrangements with the AsBo to ensure that non-compliances arising from
the assessment are promptly raised and dealt with. A good practice example of
this is to use a standard three-part form, with parts for the original non-
compliance, the project's response and the AsBo's response to the project's
response.
G11.7.2 The earlier that non-compliances are identified, communicated and addressed, the
easier and more cost effective it should be to resolve them. It will be in the proposer's
interest to discuss significant risk assessment material and assessment decisions with
the AsBo as early as possible. However, material given to the AsBo for review should
be relatively complete and final, otherwise, it may raise unnecessary non-
compliances, increasing assessment costs unnecessarily.
G11.7.3 In order to maintain independence, the AsBo should not give explicit advice on how
to resolve non-compliances; although they should not specify exactly how an issue
must be closed, they should give a sensible amount of information to the proposer so
they are able to understand what they need to do to resolve the issue.

G11.8 CSM RA Safety Assessment Report

G11.8.1 The CSM RA regulation (Article 15) requires that the AsBo provides the proposer with
a SAR. This is the ultimate deliverable and focus of the independent assessment
process. The conclusions of the report are a professional judgement on the suitability
of the application of the CSM RA process.

The assessment body shall provide the proposer with a safety assessment report in
accordance with the requirements set out in Annex III. The proposer shall be
responsible for determining if and how to take into account the conclusions of the
safety assessment report for the safety acceptance of the assessed change.

G11.8.2 The CSM RA regulation (Annex III) includes detailed requirements on the content of
the SAR by the AsBo:

The safety assessment report of the assessment body shall contain at least the
following information:
(a) identification of the assessment body;
(b) the independent assessment plan;
(c) the definition of the scope of the independent assessment as well as its
limitations;
(d) the results of the independent assessment including in particular:
(i) detailed information on the independent assessment activities for checking the
compliance with the provisions of this Regulation;
(ii) any identified cases of non-compliances with the provisions of this Regulation
and the assessment body's recommendations;
(e) the conclusions of the independent assessment.

G11.8.3 It is still the proposer's responsibility to use the output of the SAR to support its own
final declaration that 'all identified hazards and associated risks are controlled to an
acceptable level'. This final declaration should be the target for planning all risk
assessment and independent assessment activities.
G11.8.4 The SAR is provided before putting into use the new or changed system. It will form
an important part of the basis for the proposer's decision to proceed with putting into
use and, in some cases, it will be provided when seeking an authorisation for placing
in service under Directive 2008/57/EC.
G11.8.5 It is good practice in larger projects to produce interim SARs at different project
stages; interim SARs might be particularly useful at substantive stages of a project,
for example operational stages of infrastructure projects. This ensures that issues or
potential disagreements are discovered early, making resolution easier.
G11.8.6 When a project involves a number of individual changes, such as enabling works,
stageworks or putting into use in stages, multiple SARs (or multiple versions of the
SAR) may be required, each covering one or more such changes.
G11.8.7 The SAR is the final product of the independent assessment; ideally all issues should
have already been brought to the proposer's attention and resolved during the
assessment process. Arrangements for this should be covered in the overall safety
plan for the proposed change, and particularly in the safety assessment plan.
G11.8.8 Under the CSM RA regulation (Article 15(1)), if the proposer and AsBo disagree over
an element of the process as documented in the SAR, then the proposer has an
additional requirement:

The proposer shall be responsible for determining if and how to take into account
the conclusions of the safety assessment report for the safety acceptance of the
assessed change. The proposer shall justify and document the part of the safety
assessment report for which the proposer eventually disagrees.

G11.8.9 The term 'eventually' is taken to mean 'in the event of' rather than suggesting
inevitable disagreement between the proposer and AsBo.
G11.8.10 Where the proposer and AsBo disagree, they should make every effort to identify a
commonly acceptable solution. If the disagreement relates to details, or uncertainties
about how the system will operate, it may be sufficient to collect further data or carry
out further analysis. If the disagreement cannot be resolved, the proposer is free to
complete the CSM RA process without the support of the SAR. However, there are
implications with that decision, and discussion with the ORR would be prudent to
reach a common understanding on the acceptability of the risk. There may be
implications for the proposer's safety certification, safety authorisation, or
authorisation to place into service.
G11.8.11 Some projects may desire additional assurance to support their overall project
Engineering Safety Management objectives; in this case they might want
independent assessment support that goes beyond the formal scope of the CSM RA
AsBo. Consequently, the project may wish to expand and integrate assurance
activities with other reviews such as by commissioning an ISA under EN 50126.
Ideally, these activities should be coordinated and avoid duplication, and it may be
possible to commission the same body that is carrying out the AsBo role if managed
with due diligence. The European Union Agency for Railways Explanatory Note on the
role of the CSM RA AsBo (section 6) contains more guidance on avoiding duplication.
G11.8.12 The SAR should state clearly what is not in scope, and its limits. For example, the CSM
RA AsBo role is not the same as an Independent Safety Assessor (ISA) role under EN
50126 and, as such, the scopes of the two assessments are not necessarily identical.
It is not appropriate for the AsBo to state that the change is safe, or that all hazards
are safe. The SAR may contain a conclusion based on the CSM RA regulation text
along the lines that the AsBo considers that the risk management process, as set out
in Annex I, has been applied in such a way as to give suitable results. The European
Union Agency for Railways Explanatory note on the role of the CSM RA AsBo (section
6) contains more guidance on the relation between the CSM RA AsBo and an EN
50126 ISA.
G11.8.13 The CSM RA is in line with the principles of ROGS in that the responsibility for
demonstrating safety lies with those who have the direct responsibility for the safety
change, that is, the IM and the RU etc; the proposer is ultimately responsible for
declaring that 'the proposed change is safe' and the role of the AsBo is to support
this (by providing a SAR saying that the CSM RA process has been suitably applied).

G11.9 AsBo assessment outside a formal CSM RA application

G11.9.1 There may be certain cases where it might be beneficial to carry out independent
assessment voluntarily, before it is formally required by the CSM RA. For example, a
designer or manufacturer might find it commercially interesting to offer a product
that is 'ready' for formal application of the CSM RA, backed up by some independent
assessment. For industry, this could have cost saving benefits where safety
development has already been progressed and reviewed at an early stage of the
change life cycle. The usefulness of this will depend on the context and complexity of
the project, product or system. It is likely to be useful, for example, in developing
products which will subsequently be used for a change that will involve full
application of the CSM RA. For complex systems, it might be beneficial; for simple
products it is less likely to be worthwhile. The underlying principle is of the risk
management process being proportional to the risk.

G11.10 Further advice on independent assessment

G11.10.1 The RSSB website (www.rssb.co.uk) contains additional material relating to
independent assessment.
G11.10.2 The ORR's guidance on the CSM RA contains guidance on independent assessment
(orr.gov.uk).
G11.10.3 The European Union Agency for Railways website (www.era.europa.eu) contains
guidance material on the application of aspects of the CSM RA, and in particular
there is an explanatory note on the role of the CSM RA AsBo.
G11.10.4 EN ISO/IEC 17020:2012 Conformity assessment - Requirements for the operation of
various types of bodies performing inspection, contains requirements for assessment
bodies including competence and independence.
G11.10.5 EN 50126 for railway applications on the specification and demonstration of
reliability, availability, maintainability and safety, contains guidance on the role of an
Independent Safety Assessor (ISA) relating to the principles of EN 50126.

Part 12 Completing the CSM RA Risk Assessment Process


G12.1 Completing a risk assessment

G12.1.1 A risk assessment process can be considered complete when its objectives are fulfilled.
The CSM RA and other risk assessment processes apply similar methods and have
similar objectives: to be able to demonstrate that all identified hazards and
associated risks related to a proposed change are suitably understood and controlled
to an acceptable level. Following the CSM RA framework appropriately should ensure
that this objective is achieved.
G12.1.2 As described in the ORR Guidance on risk assessment and the CSM RA, when an
organisation is considering a change, the CSM RA processes will be followed if the change
is significant. If the change is considered not significant, it falls to the proposer of
the change to consider domestic legislative requirements, such as those set out in
Regulation 19 of ROGS and Regulation 3 of the Management of Health and Safety at Work
Regulations 1999 (MHSWR), which require a suitable and sufficient risk assessment to be
undertaken. It is possible to adopt the CSM RA processes even when there is no legal
requirement to do so. Following the CSM RA approach suitably in these circumstances is
likely to mean that domestic safety legislation is complied with.

G12.2 Final deliverables of a risk assessment

G12.2.1 There are a number of elements that are built up iteratively over the course of risk
management processes within a change project applying the CSM RA. On completion
of the CSM RA process, these elements, or deliverables, should be stable and finalised,
and represent the concluding understanding and agreement of all relevant actors. In
combination, this material provides the evidence and a record of how hazards and
associated risks related to a proposed change are suitably understood and controlled
to an acceptable level. A typical list of deliverables is given below. Some of these
elements may be combined into a final safety report, depending on the size and
nature of the risk assessment. For a simple change project, it might be possible to
present all this evidence in a single relatively simple document.
a) Final System Definition - updated to represent the final design or implementation details of a change, including safety requirements.
b) Final set of Safety Requirements - these may be recorded or referenced in the system definition and/or maintained in a separate document, or database, depending on the size and nature of the project.
c) Final Hazard Record - this should show the final status of all the hazards, indicating how hazards have been closed, and any requiring further action, including assumptions.
d) Demonstration of compliance with safety requirements and details of any non-compliances - this should be linked to the set of safety requirements, demonstrating that they have been implemented.
e) AsBo SAR - this should give an independent view on the validity and robustness of all the safety material produced and the way in which it was produced. For a non-CSM RA risk assessment it may still be appropriate to provide evidence of a suitable amount of independent review proportionate to the size and nature of the risk.
f) Final System Safety Plan - although not essential, it may be useful to future work or review activities to update the system safety plan, particularly if the risk management process changed significantly from the initial plan. In this way it becomes a record of the process that was applied.
g) Proposer's CSM RA 'article 16 declaration' demonstrating and stating that 'all identified hazards and associated risks are controlled to an acceptable level' - the combination of the other material should provide sufficient evidence for the proposer of a change under the CSM RA to be able to make the required declaration, supported by the AsBo SAR. It would be good practice to produce an equivalent statement or declaration for risk assessments that are not formally following the CSM RA, such as in a final safety report.
G12.2.2 Once all these elements of the risk assessment are completed, agreed and accepted,
the risk assessment process can be considered complete for the change. It then
becomes the responsibility of the operating organisation to incorporate the relevant
information, records, safety requirements etc, into their own ongoing SMS. For
example, the hazard record should be maintained as a live document as part of an
operation's SMS and used as a basis for applying the principles of CSM for monitoring
of hazards.

G12.3 Further advice on completing a risk assessment and ongoing safety management activities

G12.3.1 The RSSB website (www.rssb.co.uk) contains guidance and templates on risk
assessment. It also contains information on how safety is taken into account when
taking decisions in the document 'Taking Safe Decisions', as well as aspects of SMSs,
monitoring safety, and CSM for monitoring.
G12.3.2 The ORR's website (orr.gov.uk) contains guidance on ROGS and other health and
safety legal requirements. It also has guidance on the CSM RA, and an overview of
the CSM for monitoring.
G12.3.3 The European Union Agency for Railways website (www.era.europa.eu) contains
guidance material on the application of aspects of the CSM RA and CSM for
monitoring.

Definitions

Accident: An unwanted or unintended sudden event or a specific chain of such events which have harmful consequences; accidents are divided into the following categories: collisions, derailments, level-crossing accidents, accidents to persons caused by rolling stock in motion, fires and others. Source: Railway Safety Directive

Accreditation (of an assessment body): Accreditation as defined in Article 2 of Regulation (EC) No 765/2008 and referenced in the revised regulation (402/2013): 'An attestation by a national accreditation body that a conformity assessment body meets the requirements set by harmonised standards and, where applicable, any additional requirements including those set out in relevant sectoral schemes, to carry out a specific conformity assessment activity.' Source: CSM RA

Actors: All parties which are, directly or through contractual arrangements, involved in the application of the CSM RA Regulation. Source: CSM RA

As Low As Reasonably Practicable (ALARP): ALARP refers to the concept of the requirement to reduce risk to a level that is 'as low as reasonably practicable' (ALARP). This is similar to the term SFAIRP, which is the term used in the Health and Safety at Work etc. Act 1974 and which places duties on employers in the UK to ensure safety 'so far as is reasonably practicable' (SFAIRP). Although SFAIRP and ALARP are different in law, they are used interchangeably in the GB rail industry and are regarded as representing the same health and safety legal test.

Assessment body: The independent and competent external or internal individual, organisation or entity which undertakes investigation to provide a judgement, based on evidence, of the suitability of a system to fulfil its safety requirements. Source: CSM RA

Barrier: A technical, operational or organisational risk control measure outside the system under assessment that either reduces the frequency of occurrence of a hazard or mitigates the severity of the potential consequence of that hazard. Source: CSM RA

Bow-tie model: The 'bow tie' approach identifies the direct relationship between objectives, outcomes, hazards, causes and consequences. Controls are used to display what measures are in place to prevent the causes and mitigate the consequences.

Catastrophic accident: An accident typically affecting a large number of people and resulting in multiple fatalities. Source: CSM RA

Certification body: A body, designated in accordance with Article 10 of (EU) No 445/2011, responsible for the certification of entities in charge of maintenance, on the basis of the criteria in Annex II CSM RA.

Code of practice: A written set of rules that, when suitably applied, can be used to control one or more specific hazards. Source: CSM RA

Conformity assessment body: A conformity assessment body as defined in Article 2 of Regulation (EC) No 765/2008. Source: CSM RA

Critical accident: An accident typically affecting a very small number of people and resulting in at least one fatality. Source: CSM RA

CSM RA: Common Safety Method for Risk Evaluation and Assessment. COMMISSION REGULATION (EU) No 2015/1136 of 13 July 2015 amending Implementing Regulation (EU) No 402/2013 on the common safety method for risk evaluation and assessment.

Designated Body (DeBo): Designated Bodies are independent third parties appointed by the Secretary of State to assess and verify conformity of projects with Notified National Technical Rules (NNTRs) in the United Kingdom. They operate in tandem with Notified Bodies (NoBos) which assess and verify conformity with Technical Specifications for Interoperability (TSIs). Source: DfT Interoperability Glossary.

Entity in charge of maintenance: An entity in charge of maintenance of a vehicle, and includes a transport undertaking, an infrastructure manager or a keeper. Source: ROGS 2006

ESM: Engineering Safety Management

Hazard: A condition that could lead to an accident. Source: CSM RA

Hazard identification: The process of finding, listing and characterising hazards. Source: CSM RA

Hazard record: The document in which identified hazards, their related measures, their origin and the reference to the actors that are required to manage them are recorded and referenced. Source: CSM RA

Highly improbable: An occurrence of failure at a frequency less than or equal to 10⁻⁹ per operating hour. Source: CSM RA

Incident: An 'incident' means any occurrence, other than accident or serious accident, associated with the operation of trains and affecting the safety of operation. Source: CSM RA

Infrastructure Manager (IM): Any 'body' or undertaking that is responsible in particular for establishing and maintaining railway infrastructure, or part thereof, as defined in article 3 of Directive 91/440/EEC, which may also include the management of infrastructure control and safety systems. The functions of the infrastructure manager on a network or part of a network may be allocated to different bodies or undertakings. Source: Article 3 (b) of Directive 2004/49/EC.

Interfaces: All points of interaction during a system or subsystem life cycle, including operation and maintenance where different actors of the rail sector will work together in order to manage the risks. Source: CSM RA

National accreditation body: A national accreditation body as defined in Article 2 of Regulation (EC) No 765/2008. Source: CSM RA

NNTR: Notified National Technical Rules.

Notified body (NoBo): The bodies responsible for assessing the conformity or suitability for use of the interoperability constituents or for appraising the EC procedure for verification of the subsystems. Source: Article 2 (j) of Directive 2008/57/EC.

Proposer: Proposer is defined in the common safety method on risk evaluation and assessment as one of the following:
(a) a railway undertaking or an infrastructure manager which implements risk control measures in accordance with Article 4 of Directive 2004/49/EC;
(b) an entity in charge of maintenance which implements measures in accordance with Article 14a(3) of Directive 2004/49/EC;
(c) a contracting entity or a manufacturer which invites a notified body to apply the 'EC' verification procedure in accordance with Article 18(1) of Directive 2008/57/EC or a designated body according to Article 17(3) of that Directive;
(d) an applicant for an authorisation for the placing in service of structural sub-systems.
Source: CSM RA

Railway system: The totality of the subsystems for structural and operational areas, as defined in Directive 2011/18/EU, as well as the management and operation of the system as a whole. The subsystems in Annex II of Directive 2011/18/EU amend the original list from Directive 2008/57/EC and include:
(a) structural areas: infrastructure, energy, trackside control-command and signalling, on-board control-command and signalling, rolling stock;
(b) functional areas: operation and traffic management, maintenance, telematics applications for passenger and freight services.
In general terms, 'railway system' is often used to mean the combination of all elements, whether engineering, operational, procedural, or organisational, which combine to form the operational railway.
Source: Railway Safety Directive

Railway Undertaking (RU): Any private or public undertaking the principal business of which is to provide rail transport services for goods and/or passengers, with a requirement that the undertaking must ensure traction; this also includes undertakings which provide traction only. Source: Article 3 (a) of Directive 2004/49/EC.

Recognition: An attestation by a national body other than the national accreditation body that the assessment body meets the requirements set out in Annex II to this Regulation to carry out the independent assessment activity specified in Article 6(1) and (2). Source: CSM RA

Reference system: A system proven in use to have an acceptable safety level and against which the acceptability of the risks from a system under assessment can be evaluated by comparison. Source: CSM RA

Risk: The combination of the likelihood of occurrence of harm and the severity of that harm (specifically defined in the CSM RA regulation as: the frequency of occurrence of accidents and incidents resulting in harm (caused by a hazard) and the degree of severity of that harm).

Risk acceptance criteria: The terms of reference by which the acceptability of a specific risk is assessed; these criteria are used to determine that the level of a risk is sufficiently low that it is not necessary to take any immediate action to reduce it further. Source: CSM RA

Risk acceptance principle: The rules used in order to arrive at the conclusion whether or not the risk related to one or more specific hazards is acceptable. Source: CSM RA

Risk analysis: The systematic use of all available information to identify hazards and to estimate the risk. Source: CSM RA

Risk assessment: The overall process comprising a risk analysis and a risk evaluation. Source: CSM RA

Risk estimation: The process used to produce a measure of the level of risks being analysed, consisting of the following steps: estimation of frequency, consequence analysis and their integration. Source: CSM RA

Risk evaluation: A procedure based on the risk analysis to determine whether an acceptable level of risk has been achieved. Source: CSM RA

Risk management: The systematic application of management policies, procedures and practices to the tasks of analysing, evaluating and controlling risks. Source: CSM RA

Safe integration: According to Commission Recommendation 2014/897/EU (2b) on matters related to the placing in service and use of structural subsystems and vehicles under Directives 2008/57/EC and 2004/49/EC, 'safe integration' means the action to ensure that the incorporation of an element (for example, a new vehicle type, network project, subsystem, part, component, constituent, software, procedure, organisation) into a bigger system does not create an unacceptable risk for the resulting system.

Safety: The freedom from unacceptable risk of harm.

Safety acceptance: Status given to the change by the proposer based on the Safety Assessment Report provided by the assessment body. Source: CSM RA

Safety Assessment Report: The document containing the conclusions of the assessment performed by an assessment body on the system under assessment. Source: CSM RA

Safety management system (SMS): The organisation and arrangements established by an infrastructure manager or a railway undertaking to ensure the safe management of its operations. Source: Railway Safety Directive

Safety measures: A set of actions either reducing the frequency of occurrence of a hazard or mitigating its consequences in order to achieve and/or maintain an acceptable level of risk. Source: CSM RA

Safety requirements: The safety characteristics (qualitative or quantitative, or when needed both qualitative and quantitative) necessary for the design, operation (including operational rules) and maintenance of a system in order to meet legal or company safety targets. Source: CSM RA

Safety Risk Model (SRM): The RSSB Safety Risk Model is a quantitative representation of the potential accidents resulting from the operation and maintenance of the GB rail network. It is comprised of a number of individual models, each representing a type of hazardous event, where a hazardous event is defined as an event that has the potential to result in injuries or fatalities.

Serious accident: A 'serious accident' means any train collision or derailment of trains, resulting in the death of at least one person or serious injuries to five or more persons or extensive damage to rolling stock, the infrastructure or the environment, and any other similar accident with an obvious impact on railway safety regulation or the management of safety; 'extensive damage' means damage that can immediately be assessed by the investigating body to cost at least EUR 2 million in total. Source: Railway Safety Directive

Significant change: A significant change means a proposed change with an impact on safety, implying the requirement to apply CSM RA, based on the following criteria:
(a) failure consequence
(b) novelty used in implementing the change
(c) complexity of the change
(d) monitoring
(e) reversibility
(f) additionality.
Source: CSM RA

So Far As Is Reasonably Practicable (SFAIRP): The term SFAIRP is used in the Health and Safety at Work etc. Act 1974 which places duties on employers in the UK to ensure safety 'so far as is reasonably practicable' (SFAIRP). It is similar to the term ALARP which refers to the principle of reducing risk to 'As Low As Reasonably Practicable'. Although SFAIRP and ALARP are different in law, they are used interchangeably in the GB rail industry and are regarded as representing the same health and safety legal test.

System: Any part of the railway system which is subjected to a change whereby the change may be of a technical, operational or organisational nature. Source: CSM RA

Systematic failure: A failure that occurs repeatedly under some particular combination of inputs or under some particular environmental or application conditions. Source: CSM RA

Systematic fault: An inherent fault in the specification, design, manufacturing, installation, operation or maintenance of the system under assessment. Source: CSM RA

Technical Specification for Interoperability (TSI): A TSI is a specification adopted in accordance with the Railway Interoperability Directive 2008/57/EC by which each subsystem or part subsystem is covered in order to meet the essential requirements and ensure the interoperability of the rail system.

Technical system: A product or an assembly of products including the design, implementation and support documentation; the development of a technical system starts with its requirements specification and ends with its acceptance; although the design of relevant interfaces with human behaviour is considered, human operators and their actions are not included in a technical system; the maintenance process is described in the maintenance manuals but is not itself part of the technical system. Source: CSM RA

Transport operator: An infrastructure manager or railway undertaking that must implement the requirements in this standard.

Transport undertaking: Any person who operates a vehicle in relation to any infrastructure but shall not include a person who operates a vehicle solely within an engineering possession. (In the case of RSSB standards 'transport undertaking' is equivalent to 'railway undertaking'.) Source: ROGS 2006

References

The Catalogue of Railway Group Standards gives the current issue number and status of documents published by RSSB. This information is also available from www.rssb.co.uk/standards-and-the-rail-industry.

RGSC 01: Railway Group Standards Code
RGSC 02: Standards Manual

Documents referenced in the text

RSSB Documents

GD-0001-SKP: RSSB Taking Safe Decisions - how Britain's railways take decisions that affect safety
Measuring Safety Performance: RSSB guide on how to develop and manage safety performance indicators for Britain's railways
Research project T1049: Operating non-mainline vehicles on mainline infrastructure - Guidance on the regulatory requirements
Research project T270: Railway Action Reliability Assessment: A technique for quantification of human error in the rail industry
Research project T440: The weighting of non-fatal injuries: Fatalities and weighted injuries
Research project T955: Hazard analysis and risk assessment for rail projects
ROGS Duty of Cooperation Guide: Duty of Cooperation Guide - A guide to ROGS requirements for duty of cooperation between transport operators (Part 1 and Part 2)
Safety Risk Model: RSSB Safety Risk Model Risk Profile Bulletin

Other References

2001/14/EC (as amended): Allocation of railway infrastructure capacity and the levying of charges for the use of railway infrastructure and safety certification.
2004/49/EC (as amended): Railway Safety Directive
2008/57/EC (as amended): Interoperability Directive
BS EN 31010:2010: Risk management - Risk assessment techniques
BS EN 50125-3:2003: Railway applications - Environmental conditions for equipment. Equipment for signalling and telecommunications.
BS EN 50126-1:1999: Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
BS EN 50128:2011: Railway applications - Communication, signalling and processing systems - Software for railway control and protection systems
BS EN 50129:2003: Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling
BS EN 60812:2006: Analysis techniques for system reliability. Procedure for failure mode and effects analysis (FMEA)
BS EN 61025:2007: Fault tree analysis (FTA)
BS EN 61508-1:2010: Functional safety of electrical/electronic/programmable electronic safety-related systems. General requirements
BS EN 62502:2011: Analysis techniques for dependability. Event tree analysis (ETA)
BS EN ISO/IEC 17020:2012: Conformity assessment - Requirements for the operation of various types of bodies performing inspection
BS IEC 61882:2001: Hazard and operability studies (HAZOP studies). Application guide
BS ISO 31000:2009: Risk management - Principles and guidelines
CDM (2015): Construction (Design and Management) Regulations
EC No 352/2009: Commission Regulation on a Common Safety Method on risk evaluation and assessment
ERA-GUI-01-2014-SAF: Explanatory note on the CSM Assessment Body referred to in Regulation (EU) N°402/2013 and in OTIF UTP GEN-G of 1.1.2014 on the Common Safety Method (CSM) for risk assessment
ERA-GUI-02-2008-SAF: European Union Agency for Railways Collection of examples of risk assessments and of some possible tools supporting the CSM Regulation
ERA-REC-116-2015-GUI: Guideline supporting the implementation of (EU) Regulation 2015/1136 on harmonised design targets (CSM DT) in the scope of the CSM for risk assessment
EU No 2015/1136: Commission Implementing Regulation (EU) 2015/1136 of 13 July 2015 amending Implementing Regulation (EU) No 402/2013 on the common safety method for risk evaluation and assessment
EU No 402/2013: Commission Implementing Regulation (EU) No 402/2013 of 30 April 2013 on the common safety method for risk evaluation and assessment and repealing Regulation (EC) No 352/2009
MHSWR (1999): Management of Health and Safety at Work Regulations
ORR Guidance on CSM RA: ORR guidance on the application of Commission Regulation (EU) 402/2013 - Common Safety Method for risk evaluation and assessment
PD CLC/TR 50451:2007: Railway applications - Systematic allocation of safety integrity requirements
PD ISO Guide 73:2009: Risk management - Vocabulary
ROGS 2006 (as amended): Railways and Other Guided Transport Systems (Safety) Regulations 2006
Shepherd (2001): Hierarchical Task Analysis, Taylor and Francis: London
The Orange Book: HM Treasury - The Orange Book: Management of Risk - Principles and Concepts
