Vancouver, October 08th 2013 DB Systemtechnik GmbH Marc Geisler The challenge of transforming a rule-based system into a risk-based culture on an example of a rolling stock approval Foto: DB Systemtechnik Risk Management / Safety Assessment

2DB Systemtechnik GmbH | Marc Geisler | Introduction Requirements on Safety Management Systems Approval Process for Roling Stock in Europe Example of Approval Process in Germany Conclusions The challenge of transforming a rule-based system into a risk-based culture on an example of a rolling stock approval

1. Introduction Existing regulations like the European Common Safety Methods on Risk Evaluation and Assessment (CSM-RA) support the implementation of risk assessment processes. Combination of the rule based approach by using Code of Practice with risk based approaches by using Reference Systems and explicit risk estimations as so called risk acceptance principles are part of the CSM-RA. In particular for rolling stock approval guidelines were development in Germany to make the risk based approach as described in EN 50126, EN and EN usable for rolling stock. One outcome is the TeSip (technical safety plan) including a number of exemplarily described functions and hazards of rolling stocks. 3DB Systemtechnik GmbH | Marc Geisler | Safety Management Systems (SMS) focus on risk based approaches.

2. Requirements of Safety Management Systems Guideline oriented safety management becomes risk oriented Maintaining safety, keeping operation on a high quality level and ensuring a cost efficient railway system is a demanding task of today 4DB Systemtechnik GmbH | Marc Geisler | Safety in changing cultures

2. Requirements of Safety Management Systems Keeping Codes of Practise Safe Hazards and associated risks are often not sufficiently described in current rules –No direct link between rules and hazards possible –Comparison with CoP or Reference Systems hardly possible as hazards are not described in existing rules and system descriptions. 5DB Systemtechnik GmbH | Marc Geisler | A systematic approach as shown were in the past not always documented. The extisting CoP need improvement for a risk based safety management.

3. Approval Process for Roling Stock in Europe requires safety demonstration in different ways The Notified Body (NoBo) checks the conformity with European Technical Specification Interoperability. The TSI cover safety and technical aspects. The Designated Body (DeBo) checks the conformity with notified national regulation, where safety and technical aspects are included. The Assessment Body (AsBo) assesses the application of risk management activities following the CSM-RA process. 6DB Systemtechnik GmbH | Marc Geisler |

4. Example of Approval Process in Germany A number of assessments are to be documented Safety demonstration according to European and National requirements demand several documents for receiving the approval for Placing into Service of a Rolling Stock. Some are listed below Safety plan with the specific safety-process description for the project Technical Safety Plan (TeSip) including the system safety requirement specification Safety Assessment Report of the AsBo according to CSM-RA Conformity Certificates according to Technical Rules Vehicle dossier and component dossiers according to German rule for rolling stock approval Several certificates, risk assessments, practical demonstration reports etc. Application Guide for the Vehicle with operational requirements and limitations Maintenance settings 7DB Systemtechnik GmbH | Marc Geisler |

4. Example of Approval Process in Germany Safety Plan structure and Approval process for Rolling Stock 8DB Systemtechnik GmbH | Marc Geisler | Supplier Engineering / Design Safety Case TeSip specific amendment Authority Approval Placing into Service Adjustment of Safety Plan Application for Approval Safety Assessment Report Specific safety plan Specification of system-safety requirements Assessments, Tests and Surveys Safety requirementsConcepts / Specifications Assessments, Tests and Surveys Specification with safety requirements Assessments and Surveys Operator TeSip specific amendment Definition of safety responsibilities Information Contract Conformity Certificates Legal Act Done by -NoBo -DeBo -AsBo according to European require- ments Conformity and Safety Assessment

4. Example of Approval Process in Germany The Technical Safety Plan (TeSip) in the Safety Case 9DB Systemtechnik GmbH | Marc Geisler | Conformity and Safety Assessment Supplier Engineering / Design Safety Case TeSip specific amendment Authority Approval Placing into Service Adjustment of Safety Plan Application for Approval Safety Assesment Report Specific safety plan Specification of system-safety requirements Assessments, Tests and Surveys Safety requirementsConcepts / SpecificationsAssessments, Tests and Surveys Specification with safety requirements Assessments and Surveys Operator TeSip specific amendment Definition of safety responsibilities Information Contract Confirmity Certificates Legal Act FunctionSafety requirementHazardHazard Classification Decision about - Rule based approach - Risk based approach according to Hazard Classification and existence of applicable rules Apportionment of safety requirements and responsibilities are detailed in Hazard Trees Technical Safey Plan (TeSiP

4. Example of Approval Process in Germany Hazard Trees underpin the Technical Safety Plan 10DB Systemtechnik GmbH | Marc Geisler | The hazards listed in the TeSip are detailed by Hazard Trees to a level of functional architecture elements. Safety responsibilities are specified –Orange means staff responsibility –Yellow means technical responsibility Safety Requirements are broken down to different implementations. Hazard classification follows the risk graph approach Example Hazard Tree “Fire and Smoke” from TeSiP

5. Conclusion (1) The rule-based approach has been applied during design and maintenance of rolling stock successful for many years and covers implicitly the safety aspects. The today’s safety management system focuses on hazards to be controlled by different risk acceptance principles. –Therefore safety demonstration by implicit approaches needs amendments. The risk based approach requires specific knowledge about methods for risk assessment and independent safety assessment which needs time to establish. Experts in risk management support the design and implementation of functions and subsystems into the next higher system level. Safety managers ensure the safe integration and the independent safety assessment body checks the overall procedures and requirements of the safety case. 11DB Systemtechnik GmbH | Marc Geisler |

5. Conclusion (2) The rule-based approach is still an important way to ensure safety where the preconditions are well known. For innovative and complex situations the risk-based approach is an appropriate add-on to make railways reliable and safe. A solely risk based approach does not cover all the needs of the modern railways. –Expert judgment about the application of rules-based or risk-oriented safety demonstration is always a trustful way. –The TeSip covering the standard functions of a rolling stock and its hazards supports combining the rule-based safety demonstration with risk-based cultures. 12DB Systemtechnik GmbH | Marc Geisler |

Thank you for your attention! Do you have questions? 13DB Systemtechnik GmbH | Marc Geisler |