European Railway Agency - ERA

Making the railway system work better for society

Risk management

In the case where Regulation (EU) No 402/2013 applies, its Article 4(2) sets criteria for assessing the significance of a change that should be analysed by the proposer. The proposer can take its decision on the significance of the safety-related change based on only one or some of those criteria. But it shall keep adequate documentation to justify his decision.

The application of the above criteria can only be done by expert judgement having regard to the particular context of the project.

The question on the significance of a safety-related change does not release the railway company from its obligation to perform a proper risk assessment in order to demonstrate that the level of safety is maintained or even improved, e.g. by the implementation of existing or new risk control measures. Even if the risk assessment process in Annex I of Regulation (EU) No 402/2013 does not apply, the railway company must still have a risk assessment procedure in place, as part of its safety management system, to identify and manage appropriately the risks related to its activities.

The examples listed in the question above are all changes with an impact on safety for which the risks are to be evaluated systematically in accordance with the risk assessment procedures set in the safety management system of the railway company. When the change is significant, in addition to the risk assessment which is to be done by the railway company, an independent assessment body which fulfils the requirements in Article 6 and Annex II of Regulation (EU) No 402/2013 must also be appointed to the project. Its role is to verify independently the correct application of the risk assessment process in Annex I of that Regulation.

The risk assessment procedure of the safety management system of the railway company must specify the methods and tools used by the railway company to evaluate the risks. The most common methods for the risk evaluation are the Failure Mode Effects and Criticality Analysis (FMECA), Fault Tree Analysis (FTA), Hazard and Operability study (HAZOP), etc.

Examples of techniques and tools for carrying out the risk assessment can be found in Annex E of Part 2 (Guide to the application of EN 50126-1 for safety) of CENELEC EN 50126 standard.

Regulation (EU) No 402/2013 presents three risk acceptance principles that are already recognised as current possible practices for controlling hazards and the associated risks in railway systems: the application of codes of practice, a comparison with similar reference systems and an explicit risk estimation.

More information can be found in the ERA guidelines.

It must be acknowledged the human behaviour plays a central role in the safe and efficient operation of the railway. Where that behaviour is considered to have contributed to an accident or incident, it may be that organisational factors, such as workload or job design, had an influence on that behaviour, and thus led to a lesser performance and aggravation of the consequences of that accident or incident. Therefore, it is essential that the railway undertakings and infrastructure managers take a systematic approach to supporting human performance and managing human and organisational factors within the safety management system.

Therefore, it can be expected from the railway companies, that, as part of their risk assessment, they identify and analyse all risks pertaining to their activities. Such risks should include those arising from human interventions and organisational factors such as workload, job design, fatigue or suitability of procedures, and the activities of other interested parties.

Railway undertakings and infrastructure managers must cooperate on shared interface risks in order to agree on the implementation of risk control measures.

Point 1.2.2 in Annex I of Regulation (EU) No 402/2013 stipulates that:

“When, in order to fulfil a safety requirement, an actor identifies the need for a safety measure that it cannot implement itself, it shall, after agreement with another actor, transfer the management of the related hazard to the latter using the process described in section 4.”

Point 4.2 in Annex I of Regulation (EU) No 402/2013 also stipulates that:

“All hazards and related safety requirements which cannot be controlled by one actor alone shall be communicated to another relevant actor in order to find jointly an adequate solution. The hazards registered in the hazard record of the actor who transfers them shall only be ‘controlled’ when the evaluation of the risks associated with these hazards is made by the other actor and the solution is agreed by all concerned.”

Even if Regulation (EU) No 402/2013 does not apply, the above provisions are recognised as good practice in hazard management.

In general, no, assuming that application of the code of practice reduces the risk to an acceptable level. Annex I of Regulation (EU) No 402/2013 provides further information about the conditions under which these risk acceptance criteria can be used without requesting other safety demonstration such as an explicit risk estimation (e.g. by means of a quantitative or semi-quantitative approach).

In accordance with Regulation (EU) No 402/2013, the risk acceptability of a significant change should be evaluated by using one or more of the following risk acceptance principles: the application of codes of practice, a comparison with similar reference systems, an explicit risk estimation. All principles have been used successfully in a number of railway applications, as well as in other transport modes and other industries. The ‘explicit risk estimation’ principle is frequently used for complex or innovative changes.

The proposer of the change is the one who is responsible for the choice of the principle to apply. Regulation (EU) No 402/2013 does not prescribe any order of priority between those three risk acceptance principles. However, Annex I of Regulation (EU) No 402/2013 requires the proposer to verify whether the considered code of practice or similar reference system satisfy the necessary conditions, and in particular whether it is appropriate for the control of the considered hazards of the system under assessment. This presumes that the proposer has well captured (i.e. identified), understood and analysed the specific hazards and risks related to the project.

It is to note that deviations from a code of practice or from a similar reference system must also be assessed and appropriate risk control measures put in place.

If Regulation (EU) No 402/2013 does not apply, the above approach can still be applied as it is widely recognised as good practice. A similar approach is also established in CENELEC standard EN 50126.