Safety Management - A continual challenge for railway signalling systems
Signalling and train control technologies are integral to the safe handling of traffic across a rail network. Signalling comprises many individual components that contribute to overall system operability, providing a safe and reliable network. Alterations require accurate procedures to ensure safe operational use.
A continual challenge for railway signalling systems is the implementation of safety stories. Terms like AsBo, NoBo, ISA, Independent assessor, Safety files, TSI Compliance, Authorization and Permit To Commission are frequently used in the rail sector — often to the point of becoming buzzwords. Yet many professionals may not fully grasp the practical implications or the interconnections among these concepts.
This brief, rather technical, overview outlines the core safety issues commonly encountered in rail operations. It also highlights how these elements relate to one another.
Identify risks
In principle, anyone who makes changes to the railroad system (the initiator) must identify the risks that may arise. The next step is to determine whether the change is safety-relevant and important. If this is the case, the identified risks must be mitigated to an acceptable level. This involves using so-called risk acceptance criteria to see whether a risk has been sufficiently mitigated.
A risk acceptance criterion commonly used in infrastructure projects is the code of practice. This involves applying a relevant standard or regulation and proving only that you have done so. Safety is then, by definition, sufficiently assured. Once all risks are adequately mitigated, the file is presented to an AsBo* (Assessment Body), which then prepares a Safety Assessment Statement. In Europe, this process is called CSM REA (Common Safety Method for Risk Evaluation & Assessment) and is described in EU Regulation 402/2013. In Canada, it is the Canadian Method for Risk Evaluation & Assessment (CM REA).
EN 50129 – standard for safety-related electronic systems for railway signalling applications
If the change involves a signalling component, we quickly think of EN 50129 Railway applications - Communication, signalling and processing systems - Safety related electronic systems for signalling, which was written specifically for this purpose. Incidentally, the CCS TSI (the technical requirements for control command and signalling systems) requires the use of this standard if the modification concerns ETCS (European Train Control System).
EN 50129 defines a methodology to ensure an electronic system is made as safe as necessary. Part of the methodology involves demonstrating safety in a Safety Case. This is a structured file that collects all evidence. For an independent assessment, the Safety Case should be presented to an ISA* (Independent Safety Assessor).
Using EN 50129 does not exempt the initiator from the obligation to apply CSM REA; that obligation always applies. However, EN 50129 can easily be used as a code of practice. Almost always, the AsBo will assume the role of ISA and assess the whole, i.e. the application of CSM REA and the Safety Case in accordance with EN 50129. If the change concerns ETCS and the CCS TSI applies, the change must also be assessed for TSI Compliance.
A NoBo* (Notified Body) does this. The NoBo assesses whether all TSI requirements are met. If so, it draws up a statement. So in the case of ETCS, the proposer must have the CSM REA process assessed by an AsBo, the mandatory EN 50128 and EN 50129 Safety Cases assessed by an ISA, and TSI Compliance assessed by a NoBo.
Permit for Commissioning
But what motivates the proposer to take these actions? Mostly to be able to apply for a Permit for Commissioning, e.g. from the National Safety Authority (NSA). The NSA in the Netherlands, for example, is the Inspectorate for the Environment and Transport (ILT). In neighbouring Belgium, it is NSA Rail Belgium; in the UK, the Office of Rail Regulation (ORR); in Denmark, Trafikstyrelsen; and in Spain, the Agencia Estatal de Seguridad Ferroviaria (AESF). In each territory, the application is made by submitting a Permit File. In most countries globally, there isn't a single direct NSA (National Safety Authority), and other organisations or governments act as the primary regulator, developing rules, conducting inspections, and overseeing safety and security.
In most territories, the assessment period starts two to three months before the intended submission. By then, the Permit Application and Permit File must be received by the NSA. In assessing the Permit Application, ILT relies on the assessments of AsBo, NoBo and ISA.
Eight weeks
In the Netherlands, the assessment period for a Rail System Integration (RSI) starts about eight weeks before the intended submission. By then, the Permit Application and Permit File must be received by ILT. In assessing the Permit Application, ILT relies on the assessments of AsBo, NoBo and ISA. If these are all correct and positive, the permit is granted and the infrastructure can be put into operation.
Any questions or suggestions? Please contact the author: Sybolt.welledonker@ricardo.com.
* ISA, AsBo, and NoBo?
- Independent Safety Assessor (ISA): an Independent Safety Assessment provides confidence that projects are meeting recognized industry, legal and regulatory standards.
- Assessment Body (AsBo): an Assessment Body assesses the application of the hazard management safety risk process during significant engineering, operational and organisational change.
- Notified Body (NoBo): Notified, Designated and Approved Bodies perform verification activities against relevant Directives.
For more information about independent assurance, visit certification.ricardo.com.
For signalling projects in the Netherlands, the infrastructure manager will have to apply for an Authorization for Commissioning.
The procedure for a Rail System Integration (RSI) application, as prescribed in EU Regulation 2016/797, is as follows. Permit for putting fixed installations into service:
1. Track-side control-command and signalling, energy and infrastructure subsystems may be placed in service only if they have been designed, constructed and installed in accordance with the essential requirements and after the relevant authorisation has been granted in accordance with paragraphs 3 and 4.
2. Each national safety authority (here: ILT) shall authorize the placing in service of the energy, infrastructure and trackside control-command and signalling subsystems existing or operated in the territory of its Member State.
3. National safety authorities shall provide detailed guidance on how to obtain the authorizations referred to in this Article. Applicants shall be provided, free of charge, with a document describing and explaining the conditions for obtaining authorization and listing the required documents. The Agency and national safety authorities shall cooperate to disseminate such information.
4. The applicant applies to the national safety authority for an authorization to put fixed installations into service. The application shall be accompanied by a file of documents substantiating the following:
a. the EC declarations of verification referred to in Article 15;
b. the technical compatibility of these subsystems with the systems in which they will be integrated, demonstrated based on the applicable TSIs, national rules and registers;
c. the safe integration of these subsystems, established based on the applicable TSIs, national rules, and the Common Safety Methods (CSM REA) set out in Article 6 of Directive (EU) 2016/798;
d. in the case of track-side control-command and signalling subsystems involving European Train Control System (ETCS) equipment and/or Global System for Mobile Communications - Railway (GSM-R) equipment, the positive decision of the Agency in accordance with Article 19, and in case of a change in the design specification or in the description of the envisaged technical solutions introduced after the positive decision, the compliance with the outcome of the procedure referred to in Article 30(2) of Regulation (EU) 2016/796.
5. Within one month of receiving the applicant's request, the national safety authority shall inform the applicant that the file is complete or that additional information is needed, in which case it shall set a reasonable time limit.