There are many standards, regulations, and laws that projects must apply when demonstrating safety assurance within the railway industry. Among the most commonly referenced are the “CSM for risk evaluation and assessment - Commission Implementing Regulation (EU) No 402/2013” (henceforth referred to as the CSM-RA) and the CENELEC standards (EN50126/8/9). However, it can be difficult to understand the interfaces between these, especially when they are considered alongside other applicable standards or regulations.
Before going further, we must first clarify some terms. “Safety”, in isolation, is defined as freedom from unacceptable risk of physical injury. “Functional Safety” is more specific: it is the part of overall safety that depends on functional and physical systems operating correctly in response to their inputs, or failing in a predictable manner.
CSMs were established in accordance with Article 6 of Directive (EU) 2016/798. Of these CSMs, the Common Safety Method for Risk Evaluation and Assessment Regulation was created to set out the risk assessment process to be applied in the case of technical, operational, or organisational changes. It is the starting point for proposing any change within the mainline railway system, and the significance of the change must always be considered by the organisation or person making it (“the proposer”). Note that this legislation does not apply to every railway environment (for example, metros or privately owned freight infrastructure).
For a change determined to be ‘Significant’, CSM-RA defines the requirement for a system definition, a system safety plan, a hazard identification and management process, risk evaluation, safety requirements management, and a demonstration of compliance. To provide additional assurance, CSM-RA also requires an independent assessment by an accredited Assessment Body (AsBo). The AsBo confirms that the risk assessment process has been correctly applied, that the results of the process are sound, and that the safety demonstration for the system under assessment shows the necessary level of safety can be achieved.
In contrast, the railway-specific CENELEC standards are derived from IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems). They are technically voluntary; however, national laws often require their application. For example, the Control Command and Signalling National Technical Specification Notice (NTSN, previously TSIs) specifically lists EN 50126, EN 50128, and EN 50129 as mandatory standards. These CENELEC standards are:
EN50126: Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS). This defines the terms of RAMS and a process based on the system V-lifecycle. It includes the activities involved with and responsibilities for the system definition, safety management, specification and management of system requirements, and validation activities. It does not define specific RAMS requirements (e.g. failure rates) and thus can be applied to any generic system.
EN50128: Communication, signalling, and processing systems - Software for railway control and protection systems. This standard provides comprehensive guidance for rail software development through the specification of procedures, technical requirements, and a V-lifecycle for the development of programmable electronic systems used in railway control and protection applications (safety-related software only). It applies to application software, operating systems, support tools, and firmware.
EN50129: Communication, signalling and processing systems - Safety-related electronic systems for signalling. This standard focuses on the evidence to be presented for the acceptance of safety-related signalling systems (i.e. the safety case and its associated evidence) and is closely related to EN 50126. It covers the specification, allocation and implementation of safety requirements and safety integrity; the use of Safety Integrity Levels in safety-related systems for railway applications; and the overall safety case structure. While originally written for signalling, it can be applied to other systems as far as is reasonably practicable.
Similarly to CSM-RA, the CENELEC processes require independent assessment, though this is performed by the Independent Safety Assessor (ISA).
CSM-RA and CENELEC share commonalities; for example, the risk evaluation and management processes in each are almost identical. However, they are aimed at different system application levels.
For example, when developing a new interlocking system for potential use in the railway environment, one should apply the CENELEC standards to demonstrate that the product (generically) meets the RAMS requirements, including the interfaces between each subsystem.
Now let’s consider that a proposer wishes to introduce this interlocking system into the mainline railway environment. As this is a significant change to the railway, the CSM-RA process must be followed and demonstrated by the proposer. This demonstrates that the risk has been controlled before any changes are implemented on the railway, and it also considers the overall changes to the operational and maintenance regime. To support this, the supplier would also need to demonstrate through EN5012X that the project-specific solution for this interlocking system (application data, hardware layout, architecture, etc.) has followed the RAMS requirements and is safe to integrate into that specific railway environment (scoped to that interlocking system and its interfaces).
All Rights Reserved | High Speed Rail Solutions