What is an independent safety assessment of a railway system?
The independent safety assessment process carried out by an ISA (Independent Safety Assessor) is regulated and defined by the CENELEC EN 50126 standard. It has a clear objective: to provide a level of confidence additional to that provided by the technologist/installer of a product or system in complying with the CENELEC EN 50126 railway RAMS standard, by having a certified and independent company carry out the evaluation. The aim is to prevent, as far as possible, systematic failures of the system under evaluation that may affect safety.
Independent Safety Assessors (ISAs) are typically private companies accredited to carry out such studies by the National Accreditation Entity (ENAC) in Spain or by an analogous public entity in the other member states of the European Union. In accordance with Commission Implementing Regulation (EU) No 402/2013, accreditation or recognition granted by any State of the European Union to a safety assessment body is valid in the entire territory of the European Union.
To this end, when a body is accredited or recognized, this is communicated to the European Railway Agency. The Agency publishes the safety assessment bodies, which can carry out their work in any EU state, in ERADIS (European Railway Agency Database of Interoperability).
During a safety assessment process, the ISA is therefore responsible for evaluating the conformity of the process and its result with the requirements of the CENELEC EN 50126 standard, including the assigned safety integrity level (SIL). In parallel, it is responsible for evaluating the competence of the project team personnel and the organizational structure that has carried out the life cycle development of the system under analysis. That structure must meet the quality and safety requirements outlined in the company's systems.
Consequently, through their independent evaluation, ISAs provide confidence within the railway industry. For a specific product or system, the RAMS level is confirmed not only by the developer but also by an independent company with no additional interest. That independent company verifies and attests, through a rigorous analysis and with full knowledge of the product and of the process carried out, that the defined RAMS levels are real and that the requirements defined in the CENELEC EN 50126 standard are met. Therefore, within the railway sector, it is common to see requests for proof that a product or system fulfills its RAM and Safety levels, made by requesting the so-called ISA (Independent Safety Assessor) certificate of the product. This request is typically made by the client to the supplier. Also, since ISAs are companies certified by the public governmental entities responsible for such certification, these certificates are considered totally valid and suitable to demonstrate compliance with any requirement related to RAMS.
The process includes an evaluation and expert opinion to certify that the life cycle associated with the system or product under analysis has been followed in accordance with a quality management process and a safety management process and that, in addition, the product or system meets the requirements agreed with the customer. The life cycle also includes the verification and validation carried out, which will therefore be an important part of the evaluation. The analysis of these two processes will verify compliance with established processes and requirements.
In addition to the documentation generated by the technologist/installer, the Independent Safety Assessor must specify a plan for the Independent Safety Assessment. That plan will become the basic guide for developing evaluation activities. Typically, it includes:
- Purpose and field of application (i.e., scope) of the evaluation process activities.
- The set of activities of the entire evaluation process.
- The development elements of the technologist/installer, normally documentation, that will be used for the evaluation process, including their expected minimum requirements.
- How non-conformities will be managed and how the technologist/installer must address them.
Obviously, the evaluation process must strictly comply with the defined plan.
The Independent Safety Assessor will have to accomplish the following macro tasks:
- Understanding the product/system, the process by which it has been developed, and the team (technical staff) that has been engaged.
- Evaluating compliance with the RAMS validation plan carried out.
- Evaluating compliance with CENELEC EN 50126 standard, which defines the specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS) for railway applications.
- Identifying and evaluating compliance with, and deviations from, the requirements established in the independent safety assessment.
- Issuing a judgment on the evaluation conclusions, including an analysis of the relevant limitations related to safety-linked application conditions, ensuring that such conditions are sufficient to control the risks of the product/system. This judgment will include the records of activities from the independent safety evaluation.
- Carrying out audit-type inspections of generic quality and safety processes, as well as of specific compliance with such processes for the life cycle of the analysed product or system.
In addition, from a technical point of view, the evaluation process must be classified into one of three types, associated with the system development:
- Generic product. The system is considered from a generic point of view and is meant to apply to different kinds of application. Therefore, the analysis is carried out in an independent operational context that is not linked to the application. The safety study of a generic product is the evidence of compliance with RAMS requirements for the party that typically purchases the product. This party, normally a contracting entity or a supplier of such a contracting entity, must configure it, install it and put it into use.
- General application. The system is considered suitable for multiple applications of the same type. Therefore, the analysis is carried out in an operational context that is linked to the application. The safety process includes defining the application design process.
- Specific application. The system is considered for a specific and particular application. Physical implementation is included as a particular characteristic. The safety study of a specific application is the documentary evidence of compliance with RAMS requirements for the party in charge of the railway service (the operator or the infrastructure manager).