CSM-RA - ASSESSMENT AS A PART OF THE SUPPLIERS SCOPE

MAY 17TH 2016



RATIONALE

Current experience (e.g. Copenhagen Metro) with Employer’s assessor:

• Employer being Postilion d’amour between ISA and Supplier

• Unclear definition of deliverables

• Unpredictable plan

What we want:

• Clear definition of deliverable

• Predictable plan

• Clear responsibilities

• (and well defined economy)


PREPARATION - TENDER

• NSA clarification on concept with G-ISA/S-ISA

• Concerns on Independence

• Concerns on responsibility

• But all were inexperienced in such a large-scale assessment task

• Definition in tender

• Proposed split of scope between G-ISA/S-ISA

• Deliverables are delivered when a clean ISA report is available

• Requirements to assessor


EXPERIENCES SO FAR – FROM EMPLOYER (PROPOSER)

Pro:

• Employer only needs to review on scope and context

• Limited discussion about delivery

• (Costs!)

Contra:

• CSM-RA versus CENELEC

• Product (generic application) versus specific application

• Roles Proposer/Actor crucial

• Assessment of Actor versus assessment of Proposer

• When is the G-ISA satisfied with the S-ISA assessment?

CSM-REA - Assessment as a Part of the Suppliers Scope

Dr. Daniel Woodland

Professional Head of Signalling & Train Control

Ricardo Rail

17th May 2016

© Ricardo plc 2016, 17th May 2016

Overall Assessment

• The G-ISA’s scope can be summarised as:

  – Assessment within the scope of the Signalling Programme including the interfaces between all involved parties, i.e. the SP projects, the two railways, the suppliers, Banedanmark Operating Organisation (BDK OO), the RUs and the independent assessment organisations involved in the project

  – This covers everything from product development through to railway integration and SRAC acceptance

• The G-ISA’s assessment activities sit above any assessment that may be carried out by an S-ISA, Product ISA or under local railway practice (e.g. Teknisk System Ansvarlig)

• The G-ISA is approved by the National Safety Authority (NSA) as CSM-REA Assessment Body (AsBo), whereas the other types of assessor are not


G-ISA assessment process

• G-ISA re-uses existing assessments

  – Where an appropriate independent assessment has already been adequately completed for some aspect, the G-ISA will accept evidence from assessment reports

• G-ISA needs confidence that assessments are adequately complete

  – G-ISA reviews the S-ISA Scope of Work, Assessment Plans and assessment reports

  – G-ISA carries out sample checks and audits of assessment activities

  – Where evidence that the CSM/AsBo criteria have been met is not found, the G-ISA requests additional evidence or fills the gaps in assessment

• G-ISA produces a final Safety Assessment Report to support APIS

• G-ISA completes assessment of the integrated system

  – including whole project or railway aspects that need to be addressed

[Diagram labels: G-ISA Phase Reports; G-ISA Safety Assessment Reports; G-ISA Safety Notices]


Strengths and weaknesses in the adopted approach

• Strengths of having ISA as a part of supplier scope:

  – Much of the activity required at product and Generic Application levels is not unique to this one project

    • It is more efficient for a Product ISA or S-ISA working for the supplier to assess these aspects

  – Clear independence of the G-ISA from the supplier

• Weaknesses of having ISA as a part of supplier scope:

  – The S-ISA is working to a remit from the supplier, who is in turn working to a remit from the client. If the G-ISA needs something that isn’t in those remits then a gap in assessment appears that needs to be filled

    • This has potential to cause contractual argument and delays

    • If this cannot be resolved, the G-ISA is forced to look back over activities the S-ISA has already reviewed – resulting in inefficient duplication of effort

  – The G-ISA can be unsighted as to what is happening, or when activity is expected

• Communication of programmes and co-ordination of assessment activities are key to successfully managing the risks


Communication and Co-ordination

• Co-ordination to enable efficient assessment activity:

  – Sight of Assessment plans (early chance to raise observations)

  – On-going updates on progress

    • Indication as to what is coming up and what may need assessment / Audit

  – Output that aligns with plans

    • Clear explanation of any deviations and their potential impact on safety

  – Regular communication with Safety Management team

    • A quick discussion can facilitate efficient working and enable rapid progress

  – Direct communication between G-ISA and S-ISA / TVEs where required

    • Need to be able to ‘cut to the chase’ and gain answers (as well as confidence in approaches being taken)

www.thalesgroup.com

THALES GROUP INTERNAL

EN50126 vs. CSM-RA Assessment

A THALES SAFETY ASSESSMENT CENTRE (TAC) VIEW

This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2016 All rights reserved.

Assessment Activities

[Diagram labels: Employer’s Requirement Specification; Employer’s Risk Analysis; Suppliers Hazard Analysis; Risks and assigned THRs; National Railway Regulations and Standards; G-ISA; S-ISA; CSM Assessment; EN50126 Assessment; Mitigation of risks by assigned hazards; Suppliers Requirements Specification]


CSM-RA process

Content & Overview

Content of this presentation

• What we planned

• Status of the activities

• Next steps

• Lessons learned

Overview of the roles defined within the FIE project, according to the definitions of CSM-RA

• BDK (Infrastructure Manager) = Proposer

• Ricardo (G-ISA) = AsBo

• Alstom (Supplier) = Actor

• Railcert (S-ISA) = Supplier’s Safety Assessor


CSM-RA - Assessment as a Part of the Suppliers Scope in the FIE Signalling project

What we planned

From the ISA plan: the S-ISA will assess the compliance of Alstom’s processes to /CSM-RA/, as applicable to its “actor” role, in order to provide supporting evidence to the proposer (BDK).

Specifically, the S-ISA will consider:

• The system definition (i.e. proper definition of interfaces and functions, ...).

• The Risk Assessment and Risk Analysis (completeness and traceability of results).

• The Demonstration of Compliance with the Safety Requirements (traceability of tests, test witnessing).

Most of the listed evidence is gathered during the ongoing ISA according to EN5012x, as per the following slide.

What we planned (2)


Status of the activities

Compliance to CSM-RA to be confirmed (in progress) by a clause-to-clause checklist, with cross-references to EN50129, EN50126

| ANNEX I of /CSM-REA/ | Comment of the Assessor | Result (Y/N/NA/OG) | Cross reference to /50129/ | Cross reference to /50126/ lifecycle |
|---|---|---|---|---|
| 1. GENERAL PRINCIPLES APPLICABLE TO THE RISK MANAGEMENT PROCESS | | | | |
| 1.1 General principles and obligations | | | | |
| 1.1.1. The risk management process covered by this Regulation shall start from a definition of the system under assessment and comprise the following activities: (a) the risk assessment process, which shall identify the hazards, the risks, the associated safety measures and the resulting safety requirements to be fulfilled by the system under assessment; | A risk analysis has been provided at signalling programme level by BDK (ref. "SP-04-010009-Safety Target determination and apportionment" Rev. 6.0), assessed by the G-ISA and submitted to the National Safety Authority. At project level, PHA, System HA and Subsystem HAs identify applicable hazards, associated safety measures, final risk evaluation and acceptability. | Y | SM - Risk analysis, HL; SM - Safety SYRS | 3. 4. |
| 1.1.1. (b) demonstration of the compliance of the system with the identified safety requirements; and | V&V activities have been planned in order to provide evidence of the safety requirements fulfilling, not yet completed | OG | SM - Safety V&V | 9. 10. |
| …. | | | | |
| 1.1.6 Safety organization: the different actors’ tasks, as well as their risk management activities, shall be identified and managed by the proposer | NA (in charge to BDK in his role of proposer) | NA | | |
| …. | | | | |
| 4.2 All hazards and related safety requirements which cannot be controlled by one actor alone shall be communicated to another relevant actor in order to find jointly an adequate solution. The hazards registered in the hazard record of the actor who transfers them shall only be ‘controlled’ when the evaluation of the risks associated with these hazards is made by the other actor and the solution is agreed by all concerned. | The Hazard Log generated at project level will be coordinated with the Banedanmark Hazard Log, in order to maintain their alignment and ensure coordination at signalling programme level among all the actors. | OG / NA | SM - Hazard Log | 3. 4. 11. 12. |

Next steps

• Finalise the assessment of the deliverables provided by Alstom (Actor & Supplier), according to the CSM-RA requirements applicable to the “Actor” role:

  “the rail-sector actors concerned shall cooperate in order to identify and manage jointly the hazards”

  “demonstration of compliance with safety requirements […] shall be carried out by each of the actors responsible for fulfilling the safety requirements”

• To be coordinated with the G-ISA (Assessment Body):

  “Evaluation of the correct application of the risk management process falls within the responsibility of the assessment body”

Lessons learned

Key points to improve the process:

1. Establish a clear definition of roles and tasks (mainly of the Proposer) at the very beginning of the project

2. Clearly define the tasks included in the Supplier’s scope of work (as an Actor): e.g. which kind of “support” to the Proposer? How to manage the Hazard Record?

3. Define the assessment tasks at the boundary between Supplier/Proposer, in order to avoid duplication of work:

   “the assessment body shall: […] conduct an assessment of the processes used for managing safety and quality during the design and implementation of the significant change, if those processes are not already certified by a relevant conformity assessment body”


Daniel Woodland
Professional Head of Signalling and Train Control
Ricardo Rail
T +44 (0)7772 618893

Cristina Zecchini
Senior Assessor / Project Manager CoCoSig
Railcert B.V.
Via Montalenghe 8 - 10010 Scarmagno (TO) - Italy
M: +39 320 3816039

André Fitzke
Safety Assessor
Thales Assessment Centre - Thales Deutschland
M + 49 172 828 1431

Stig Munck
Technical Manager
Rail Safety – Rambøll Danmark A/S
M + 45 51616375