Transcript Neuerungen im Zulassungsverfahren für Eisenbahnfahrzeuge in

The challenge of transforming a rule-based
system into a risk-based culture on an
example of a rolling stock approval
DB Systemtechnik GmbH
Marc Geisler
Risk Management / Safety Assessment
Vancouver, October 08th 2013
Foto: DB Systemtechnik
The challenge of transforming a rule-based system into
a risk-based culture on an example of a rolling stock approval
1.
Introduction
2.
Requirements on Safety Management Systems
3.
Approval Process for Roling Stock in Europe
4.
Example of Approval Process in Germany
5.
Conclusions
DB Systemtechnik GmbH | Marc Geisler | 08.10.2013
2
1. Introduction
Safety Management Systems (SMS) focus on risk based approaches.
 Existing regulations like the European Common Safety Methods on Risk Evaluation and
Assessment (CSM-RA) support the implementation of risk assessment processes.
 Combination of the rule based approach by using Code of Practice with risk based
approaches by using Reference Systems and explicit risk estimations as so called risk
acceptance principles are part of the CSM-RA.
 In particular for rolling stock approval guidelines were development in Germany to make
the risk based approach as described in EN 50126, EN 50128 and EN 50129 usable for
rolling stock.
 One outcome is the TeSip (technical safety plan) including a number of exemplarily
described functions and hazards of rolling stocks.
DB Systemtechnik GmbH | Marc Geisler | 08.10.2013
3
2. Requirements of Safety Management Systems
Guideline oriented safety management becomes risk oriented
Safety in changing cultures
 Maintaining safety, keeping operation on a high quality level and ensuring a cost efficient
railway system is a demanding task of today
DB Systemtechnik GmbH | Marc Geisler | 08.10.2013
4
2. Requirements of Safety Management Systems
Keeping Codes of Practise Safe
 Hazards and associated risks are often not sufficiently
described in current rules
– No direct link between rules and hazards possible
– Comparison with CoP or Reference Systems hardly
possible as hazards are not described in existing
rules and system descriptions.
 A systematic approach as
shown were in the past not
always documented.
 The extisting CoP need
improvement for a risk based
safety management.
DB Systemtechnik GmbH | Marc Geisler | 08.10.2013
5
3. Approval Process for Roling Stock in Europe
requires safety demonstration in different ways
 The Notified Body (NoBo) checks
the conformity with European
Technical Specification
Interoperability. The TSI cover
safety and technical aspects.
 The Designated Body (DeBo)
checks the conformity with
notified national regulation, where
safety and technical aspects are
included.
 The Assessment Body (AsBo)
assesses the application of risk
management activities following
the CSM-RA process.
DB Systemtechnik GmbH | Marc Geisler | 08.10.2013
6
4. Example of Approval Process in Germany
A number of assessments are to be documented
Safety demonstration according to European and National requirements demand several
documents for receiving the approval for Placing into Service of a Rolling Stock.
Some are listed below
 Safety plan with the specific safety-process description for the project
 Technical Safety Plan (TeSip) including the system safety requirement specification
 Safety Assessment Report of the AsBo according to CSM-RA
 Conformity Certificates according to Technical Rules
 Vehicle dossier and component dossiers according to German rule for rolling stock
approval
 Several certificates, risk assessments, practical demonstration reports etc.
 Application Guide for the Vehicle with operational requirements and limitations
 Maintenance settings
DB Systemtechnik GmbH | Marc Geisler | 08.10.2013
7
4. Example of Approval Process in Germany
Safety Plan structure and Approval process for Rolling Stock
TeSip specific amendment
Definition of safety responsibilities
Operator
Information
Specific safety plan
Safety Case
Placing into Service
DB Systemtechnik GmbH | Marc Geisler | 08.10.2013
8
Safety Assessment Report
Application for Approval
Conformity Certificates
Engineering / Design
Done by
- NoBo
- DeBo
- AsBo
according to
European requirements
Adjustment of Safety Plan
TeSip specific
amendment
Safety requirements
Supplier Assessments and Surveys
Concepts /
Specifications
Assessments, Tests
and Surveys
Contract
Specification with
safety requirements
Specification of system-safety Conformity
and Safety
requirements
Assessment
Assessments, Tests and Surveys
Authority
Approval
Legal Act
4. Example of Approval Process in Germany
The Technical Safety Plan (TeSip) in the Safety Case
TeSip specific amendment
Specific safety plan
Operator
Specification of system-safety
requirements
Safety Case
Information
Assessments, Tests and Surveys
Typische Themen
Transportgut tragen / aufnehmen
Die je nach
Anw endungsgebiet/Fahrzeugkategorie
spezifizierte Menge/Masse an
Personen/Transportgut so
tragen/aufzunehmen, dass die
Fahrzeugstruktur (zulässige Grenzw erte für
die Festigkeit, Steifigkeit und Stabilität) des
Schienenfahrzeuges unter allen
Betriebsbedingungen und
Umgebungseinflüssen sicher erhalten bleibt.
Das Transportgut ist in spezifizierter Lage
festzuhalten (Ladungssicherung).
Mittelbare Gefährdung
(Erläuterung, Beispiel)
Primäre Gefährdung
Specification with
Apportionment
of requirements
safety requirements
safety
Engineering / Design
and
responsibilities
Assessments
and Surveys
Supplier
are detailed in Hazard Trees
der Erhaltung der
Fahrzeugstruktur
NICHT-Erhaltung der Fahrzeugstruktur
z.B. statische / dynamische
Belastung,
Schw ingungsfestigkeit,
Verw indungssteifigkeit,
mechanische Festigkeit durch
Konstruktion gegeben
10f
Unzureichende Festigkeit des Wagenkasten und befestigter
Strukturen
7a
B
2
Transportgut tragen / aufnehmen
ausreichender
Ladungssicherung
Ladungsicherung versagt
Ladungsicherung
11d
DB Systemtechnik GmbH | Marc Geisler | 08.10.2013
es kann mit Toten gerechnet w erden
Funktionsversagen führt nicht
zw angsläufig zu Todesfällen
#NV
1,3
w ährend gesamter Aufenthaltsdauer
#NV
1
Vermeidung ist nicht möglich
Verletzung des Fahrzeugumgrenzungsprofils durch den
Wagenkasten
5
mehrere Personen sind betroffen
#NV
9
#NV
#NV
9
mehrere Personen können betroffen sein
9
#NV
7a
5
1,7
#NV
Unzureichend gesicherte Ladung
Begründung
I
Sicherheits
anforderun
gsstufe
(SAS)
Decision about
- Rule based approach
- Risk based approach
according to Hazard
Classification and
Authority
existence of applicable
rules
Verletzung des Fahrzeugumgrenzungsprofils durch den
Wagenkasten
Application#NV for Approval
Placing into
Service
#NV
B
Gefährdungseinstufung
Hazard
Classification
Parameter
lfd. Nr.
Teilfunktion (DIN
25002-5)
Hauptfunktion (DIN
25002-5)
Gefährdung ist gegeben, wenn….
Safety Assesment Report
Sichere
Gewährleistung
von…
Gefährdung
Hazard
Confirmity Certificates
Erläuterung der Funktion
Sicherheitsanforderung
Beispiele
Safety
requirement
Adjustment of Safety Plan
TeSip specific
amendment
Safety requirements
Funktion
(DIN 25002-5)
B Transportgut tragen, umschließen, schützen
1
Concepts / Specifications
Function
B
Assessments, Tests and
Surveys
Contract
Technical
Safey Plan (TeSiP
TESIP FUNKTIONSLISTE
Fahrzeugfunktionen
B
Conformity
and Safety
Assessment
Betrachtung erforderlich
Definition of safety responsibilities
Approval
Legal
Act
es kann mit Toten gerechnet w erden
99,45
3
ja
4. Example of Approval Process in Germany
Hazard Trees underpin the Technical Safety Plan
 The hazards listed in the TeSip are
detailed by Hazard Trees to a level of
functional architecture elements.
 Safety responsibilities are
HH2 Gefährdung 5a:
Brandgefährdung,
Rauchentwicklung
Aufteilung der Verantwortung
zwischen Brandursachen und
Branderkennung
SAS=2, I=58,8
und
Effektive
Zündquelle
HH2_N1
Brennstoff,
Oxidationsmittel
HH2_N2
Fahrgäste
reagieren nicht
HH2_N3
SAS=1, I=21,8
SAS=0, I=2
SAS=0, I=2
specified
– Orange means staff responsibility
– Yellow means technical
responsibility
Keine Erkennung oder unzureichende
Reaktion auf Brandergebnis
HH2_F1
SAS=1, I=33
oder
Unzureichende Reaktion
auf Brandereignis
HH2_F3
Keine Branderkennung
HH2_F2
Hier keine Detaillierte Betrachtung
SAS=1, I=33
SAS=1, I=33
und
 Safety Requirements are broken
Evakuierung nicht möglich
oder behindert
HH2_F4
down to different implementations.
Unzureichende Brandbekämpfung / -beherrschung
HH2_F5
SAS=1, I=31
SAS=0, I=2
und
 Hazard classification follows the risk
graph approach
oder
Keine zugweite
Deaktivierung
HKL
HH2_S1
Zugbegleiter
deaktiviert nicht
alle HKL
HH2_B1
SAS=0, I=2
SAS=1, I=29
SAS=0, I=2
Example Hazard Tree “Fire and Smoke” from TeSiP
DB Systemtechnik GmbH | Marc Geisler | 08.10.2013
10
und
Ineffektive
Brandbekämpfung
HH2_N4
Kein Ausschalten
betroffener EVB
HH2_H1
Kein Ausschalten
betroffener EVB
HH2_S2
SAS=0, I=1
SAS=0, I=1
Brandschutztüren
werden nicht
geschlossen
HH2_B2
SAS=0, I=2
5. Conclusion (1)
 The rule-based approach has been applied during design and maintenance of rolling stock
successful for many years and covers implicitly the safety aspects.
 The today’s safety management system focuses on hazards to be controlled by different
risk acceptance principles.
– Therefore safety demonstration by implicit approaches needs amendments.
 The risk based approach requires specific knowledge about methods for risk assessment
and independent safety assessment which needs time to establish.
 Experts in risk management support the design and implementation of functions and
subsystems into the next higher system level.
 Safety managers ensure the safe integration and the independent safety assessment body
checks the overall procedures and requirements of the safety case.
DB Systemtechnik GmbH | Marc Geisler | 08.10.2013
11
5. Conclusion (2)
 The rule-based approach is still an important way to ensure safety where the
preconditions are well known.
 For innovative and complex situations the risk-based approach is an appropriate
add-on to make railways reliable and safe.
 A solely risk based approach does not cover all the needs of the modern railways.
– Expert judgment about the application of rules-based or risk-oriented safety demonstration
is always a trustful way.
– The TeSip covering the standard functions of a rolling stock and its hazards supports
combining the rule-based safety demonstration with risk-based cultures.
DB Systemtechnik GmbH | Marc Geisler | 08.10.2013
12
Thank you for your attention!
Do you have questions?
DB Systemtechnik GmbH | Marc Geisler | 08.10.2013
13