Common Safety Methods (CSMs): Determining importance of change in the railway
Whenever a change has an impact on safety, the Common Safety Methods (CSMs) require the proponent to decide, through expert judgment, the importance of the change based on the criteria established in Commission Implementing Regulation (EU) No 402/2013.
These criteria are summarized as follows:
- Consequence of failure: the worst credible scenario in case of failure of the system under evaluation, taking into account the existence of safety barriers outside the system.
- Novelty used in the implementation of change: this refers both to what is innovative in the railway sector and to what is new only for the organization which implements the change.
- Complexity of change.
- Monitoring: the inability to monitor the implemented change throughout the life cycle of the system and take appropriate interventions.
- Reversibility: the inability to return to the system as it was before the change.
- Additionality: evaluation of the importance of the change taking into account all recent safety-related modifications to the system under evaluation which were not considered significant.
The CSMs do not prescribe how to use these criteria, nor any priority or weighting among them. Leedeo Engineering provides the method described below, which we believe may be useful for proponents as a structure for decision-making.
Methodology for applying the CSM criteria
It is likely that the proponent should initiate preliminary work in order to identify and understand relevant hazards, before applying the significance test. A good general understanding of all hazards will help identify the most appropriate risk acceptance principle.
For a significant change, the proponent must submit "a written statement showing that all identified hazards and associated risks are controlled to an acceptable level". The proponent must also be clear that the risk is controlled to an acceptable level when a change is non-significant.
Taking the criteria together, it would be reasonable to conclude that a change is non-significant if the proponent:
- Is confident that all significant risks have been identified (that is, those giving rise to a non-negligible risk); and also
- Knows how to control the associated risk to an acceptable level; or
- Expects that it will be easy to identify and implement the measures necessary to control the associated risk to an acceptable level.
If the proponent chooses to apply the criteria more explicitly, it will be possible to group and sequence the criteria in a way that will help with their application. The illustration shown below is a flow chart displaying a proposed application of the following criteria:
Additionality is one of the conditions to be evaluated first since, in a sense, it defines the scope of the change to be evaluated. When a change 'A' is proposed, other recent changes (B, C...) should be considered and, if necessary, included within the scope of the change subject to the significance test. That is, if necessary, the change whose significance will be decided is A + B + C... Additionality can be described as the consideration of other changes that have been made since the entry into force of the CSMs (May 23, 2013) or since the last application of the risk management process, whichever is later.
Novelty and complexity
Novelty and complexity measure the uncertainty of the result, that is, the probability that the proposed change, once implemented, will or will not behave as expected. Clearly, the more novel and complex a change is, the greater the likelihood that it will behave in an unpredictable and possibly undesirable way. Therefore, the more novel and complex the change, the more significant it will be.
Consequence of failure
"What is the worst that could happen if the system behaves in an undesirable way after introducing the proposed change?"
Combining uncertainty of the result and consequence of the failure
Risk is generally understood as probability x consequence. Similarly, "uncertainty of the result" x "consequence of the failure" can be considered as a factor that measures the potential scale of a change concerning safety. "Uncertainty of the result" is measured against innovation and complexity.
Judging the importance
It is possible and advisable to develop a simple matrix to help judge whether a proposed change is 'significant' (high uncertainty, high consequence) or 'non-significant' (low uncertainty, low consequence), or whether the remaining criteria (monitoring capacity and reversibility) must be applied to make a final decision (next figure).
Monitoring and reversibility
Monitoring and reversibility are additional criteria that should be considered when the decision on whether the change is "significant" or "non-significant" cannot be made based on the "uncertainty of the outcome x consequence of failure" test. The criterion in relation to monitoring is "the inability to monitor change implemented throughout the life cycle of the system and take appropriate interventions". In essence, ask yourself the following question: "Can I see what is happening and react in time?"
A more complex question that can be asked when thinking about monitoring as a criterion is the following: "Is it possible and feasible to introduce a monitoring system that provides warning fast enough to allow effective intervention and to prevent or mitigate any danger arising from the change?" It is important to keep in mind that, for instance, it is not enough to simply install monitoring equipment. Supporting operating procedures are necessary to take note of and react to warnings generated by the equipment.
What matters is the ability to intervene in a timely manner to prevent or mitigate any danger arising from the change that has been made, when the monitoring mechanisms indicate that such intervention is required. If it is not possible to adequately monitor the effects of a change in order to "take appropriate interventions", or if it is impossible to reverse the effects of a change, then the change is likely to be considered significant.
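The sequence described above (additionality to set the scope, then the uncertainty x consequence matrix, then monitoring and reversibility) can be written as a small decision aid. This is an added example, not Leedeo Engineering's own tool or part of the regulation; the two-level low/high ratings, the worst-case aggregation across the scope, and all class, function and field names are assumptions, and the change history is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

CSM_IN_FORCE = date(2013, 5, 23)  # entry into force, as given in the text

@dataclass
class Change:
    name: str
    made_on: date
    novelty_high: bool
    complexity_high: bool
    consequence_high: bool
    safety_related: bool = True
    judged_significant: bool = False  # result of an earlier significance test

def scope(proposed, history, last_risk_mgmt=None):
    """Additionality: proposed change plus earlier safety-related changes that
    were not considered significant, made since the later of the two dates."""
    cutoff = max(CSM_IN_FORCE, last_risk_mgmt or CSM_IN_FORCE)
    earlier = [c for c in history if c.safety_related
               and not c.judged_significant and c.made_on >= cutoff]
    return [proposed] + earlier

def judge(proposed, history, monitorable, reversible, last_risk_mgmt=None):
    changes = scope(proposed, history, last_risk_mgmt)
    # Assumption: the combined change A + B + C... takes the worst rating
    # found in scope; uncertainty is high if novelty or complexity is high.
    uncertainty_high = any(c.novelty_high or c.complexity_high for c in changes)
    consequence_high = any(c.consequence_high for c in changes)
    if uncertainty_high and consequence_high:
        verdict = "significant"
    elif not uncertainty_high and not consequence_high:
        verdict = "non-significant"
    else:  # mixed cell of the matrix: apply monitoring and reversibility
        verdict = "non-significant" if monitorable and reversible else "significant"
    return verdict, [c.name for c in changes]

# Constructed sample data: proposed change A and three earlier changes.
A = Change("A", date(2021, 3, 1), False, False, False)
HISTORY = [
    Change("B", date(2019, 6, 1), False, True, False),   # in scope
    Change("C", date(2012, 1, 1), False, False, True),   # before the CSM date
    Change("D", date(2020, 6, 1), True, True, True, judged_significant=True),
]

if __name__ == "__main__":
    print(judge(A, HISTORY, monitorable=True, reversible=True))
    print(judge(A, HISTORY, monitorable=True, reversible=False))
```

Taken alone, A is low uncertainty and low consequence; it is the earlier change B, brought into scope by additionality, that moves the combined change into the part of the matrix where monitoring and reversibility decide the outcome.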