Commission Implementing Regulation (EU) No 402/2013 of 30 April 2013 on the common safety method for risk evaluation and assessment and repealing Regulation (EC) No 352/2009 Text with EEA relevance

Article 1

Subject matter

This Regulation shall facilitate the access to the market for rail transport services through harmonisation of:

(a) the risk management processes used to assess the impact of changes on safety levels and compliance with safety requirements;

(b) the exchange of safety-relevant information between different actors within the rail sector in order to manage safety across the different interfaces which may exist within this sector;

(c) the evidence resulting from the application of a risk management process.

Article 2

Scope

Such changes may be of a technical, operational or organisational nature. As regards organisational changes, only those changes which could impact the operational or maintenance processes shall be subjected to consideration under the rules of Article 4.

When, on the basis of an assessment under the criteria set out in Article 4(2)(a) to (f):

(a) the change is considered significant, the risk management process set out in Article 5 shall be applied;

(b) the change is considered not significant, keeping adequate documentation to justify the decision shall be sufficient.

This Regulation shall apply also to structural sub-systems to which Directive 2008/57/EC applies:

(a) if a risk assessment is required by the relevant technical specification for interoperability (TSI); in this case the TSI shall, where appropriate, specify which parts of this Regulation apply;

(b) if the change is significant as set out in Article 4(2), the risk management process set out in Article 5 shall be applied within the placing in service of structural sub-systems to ensure their safe integration into an existing system, by virtue of Article 15(1) of Directive 2008/57/EC.

Article 3

Definitions

For the purpose of this Regulation the definitions in Article 3 of Directive 2004/49/EC apply.

The following definitions also apply:

(1) ‘risk’ means the frequency of occurrence of accidents and incidents resulting in harm (caused by a hazard) and the degree of severity of that harm;

(2) ‘risk analysis’ means systematic use of all available information to identify hazards and to estimate the risk;

(3) ‘risk evaluation’ means a procedure based on the risk analysis to determine whether an acceptable level of risk has been achieved;

(4) ‘risk assessment’ means the overall process comprising a risk analysis and a risk evaluation;

(5) ‘safety’ means freedom from unacceptable risk of harm;

(6) ‘risk management’ means the systematic application of management policies, procedures and practices to the tasks of analysing, evaluating and controlling risks;

(7) ‘interfaces’ means all points of interaction during a system or subsystem life cycle, including operation and maintenance where different actors of the rail sector will work together in order to manage the risks;

(8) ‘actors’ means all parties which are, directly or through contractual arrangements, involved in the application of this Regulation;

(9) ‘safety requirements’ means the safety characteristics (qualitative or quantitative, or when needed both qualitative and quantitative) necessary for the design, operation (including operational rules) and maintenance of a system in order to meet legal or company safety targets;

(10) ‘safety measures’ means a set of actions either reducing the frequency of occurrence of a hazard or mitigating its consequences in order to achieve and/or maintain an acceptable level of risk;

(11) ‘proposer’ means one of the following: (a) a railway undertaking or an infrastructure manager which implements risk control measures in accordance with Article 4 of Directive 2004/49/EC; (b) an entity in charge of maintenance which implements measures in accordance with Article 14a(3) of Directive 2004/49/EC; (c) a contracting entity or a manufacturer which invites a notified body to apply the ‘EC’ verification procedure in accordance with Article 18(1) of Directive 2008/57/EC or a designated body according to Article 17(3) of that Directive; (d) an applicant for an authorisation for the placing in service of structural sub-systems;

(12) ‘safety assessment report’ means the document containing the conclusions of the assessment performed by an assessment body on the system under assessment;

(13) ‘hazard’ means a condition that could lead to an accident;

(14) ‘assessment body’ means the independent and competent external or internal individual, organisation or entity which undertakes investigation to provide a judgement, based on evidence, of the suitability of a system to fulfil its safety requirements;

(15) ‘risk acceptance criteria’ means the terms of reference by which the acceptability of a specific risk is assessed; these criteria are used to determine that the level of a risk is sufficiently low that it is not necessary to take any immediate action to reduce it further;

(16) ‘hazard record’ means the document in which identified hazards, their related measures, their origin and the reference to the organisation which has to manage them are recorded and referenced;

(17) ‘hazard identification’ means the process of finding, listing and characterising hazards;

(18) ‘risk acceptance principle’ means the rules used in order to arrive at the conclusion whether or not the risk related to one or more specific hazards is acceptable;

(19) ‘code of practice’ means a written set of rules that, when correctly applied, can be used to control one or more specific hazards;

(20) ‘reference system’ means a system proven in use to have an acceptable safety level and against which the acceptability of the risks from a system under assessment can be evaluated by comparison;

(21) ‘risk estimation’ means the process used to produce a measure of the level of risks being analysed, consisting of the following steps: estimation of frequency, consequence analysis and their integration;

(22) ‘technical system’ means a product or an assembly of products including the design, implementation and support documentation; the development of a technical system starts with its requirements specification and ends with its acceptance; although the design of relevant interfaces with human behaviour is considered, human operators and their actions are not included in a technical system; the maintenance process is described in the maintenance manuals but is not itself part of the technical system;

(23) ‘catastrophic accident’ means an accident typically affecting a large number of people and resulting in multiple fatalities;

(24) ‘safety acceptance’ means status given to the change by the proposer based on the safety assessment report provided by the assessment body;

(25) ‘system’ means any part of the railway system which is subjected to a change whereby the change may be of a technical, operational or organisational nature;

(26) ‘notified national rule’ means any national rule notified by Member States under Council Directive 96/48/EC (¹) or, Directive 2001/16/EC of the European Parliament and of the Council (²) and Directives 2004/49/EC and 2008/57/EC;

(27) ‘certification body’ means a certification body as defined in Article 3 of Regulation (EU) No 445/2011;

(28) ‘conformity assessment body’ means a conformity assessment body as defined in Article 2 of Regulation (EC) No 765/2008;

(29) ‘accreditation’ means accreditation as defined in Article 2 of Regulation (EC) No 765/2008;

(30) ‘national accreditation body’ means a national accreditation body as defined in Article 2 of Regulation (EC) No 765/2008;

(31) ‘recognition’ means an attestation by a national body other than the national accreditation body that the assessment body meets the requirements set out in Annex II to this Regulation to carry out the independent assessment activity specified in Article 6(1) and (2);

(32) ‘systematic failure’ means a failure that occurs repeatedly under some particular combination of inputs or under some particular environmental or application conditions;

(33) ‘systematic fault’ means an inherent fault in the specification, design, manufacturing, installation, operation or maintenance of the system under assessment;

(34) ‘barrier’ means a technical, operational or organisational risk control measure outside the system under assessment that either reduces the frequency of occurrence of a hazard or mitigates the severity of the potential consequence of that hazard;

(35) ‘critical accident’ means an accident typically affecting a very small number of people and resulting in at least one fatality;

(36) ‘highly improbable’ means an occurrence of failure at a frequency less than or equal to 10^{– 9} per operating hour;

(37) ‘improbable’ means an occurrence of failure at a frequency less than or equal to 10^{– 7} per operating hour.

Article 4

Significant changes

If the proposed change has no impact on safety, the risk management process described in Article 5 need not be applied.

If the proposed change has an impact on safety, the proposer shall decide, by expert judgement, on the significance of the change based on the following criteria:

(a) failure consequence: credible worst-case scenario in the event of failure of the system under assessment, taking into account the existence of safety barriers outside the system under assessment;

(b) novelty used in implementing the change: this concerns both what is innovative in the railway sector, and what is new for the organisation implementing the change;

(c) complexity of the change;

(d) monitoring: the inability to monitor the implemented change throughout the system life-cycle and intervene appropriately;

(e) reversibility: the inability to revert to the system before the change;

(f) additionality: assessment of the significance of the change taking into account all recent safety-related changes to the system under assessment and which were not judged to be significant.

Article 5

Risk management process

Article 6

Independent assessment

To perform the independent assessment, the assessment body shall:

(a) ensure it has a thorough understanding of the significant change based on the documentation provided by the proposer;

(b) conduct an assessment of the processes used for managing safety and quality during the design and implementation of the significant change, if those processes are not already certified by a relevant conformity assessment body;

(c) conduct an assessment of the application of those safety and quality processes during the design and implementation of the significant change.

Having completed its assessment in accordance with points (a), (b) and (c), the assessment body shall deliver the safety assessment report provided for in Article 15 and Annex III.

Duplication of work between the following assessments shall be avoided:

(a) the assessment of conformity of the safety management system and of the system of maintenance of entities in charge of maintenance as required by Directive 2004/49/EC; and

(b) the conformity assessment carried out by a notified body as defined by Article 2(j) of Directive 2008/57/EC or a body designated in accordance with Article 17 of that Directive; and

(c) any independent assessment carried out by the assessment body in accordance with this Regulation.

Without prejudice to Union legislation, the proposer may choose the national safety authority as assessment body where that national safety authority offers this service and where the significant changes concern the following cases:

(a) a vehicle needs an authorisation for placing in service, as referred to in Articles 22(2) and 24(2) of Directive 2008/57/EC;

(b) a vehicle needs an additional authorisation for placing in service, as referred to in Articles 23(5) and 25(4) of Directive 2008/57/EC;

(c) the safety certificate has to be updated due to alteration of the type or extent of the operation, as referred to in Article 10(5) of Directive 2004/49/EC;

(d) the safety certificate has to be revised due to substantial changes to the safety regulatory framework, as referred to in Article 10(5) of Directive 2004/49/EC;

(e) the safety authorisation has to be updated due to substantial changes to the infrastructure, signalling or energy supply, or to the principles of their operation and maintenance, as referred to in Article 11(2) of Directive 2004/49/EC;

(f) the safety authorisation has to be revised due to substantial changes to the safety regulatory framework, as referred to in Article 11(2) of Directive 2004/49/EC.

Where a significant change concerns a structural subsystem that needs an authorisation for placing in service as referred to in Article 15(1) or Article 20 of Directive 2008/57/EC, the proposer may choose the national safety authority as assessment body, where that national safety authority offers this service, unless the proposer has already given that task to a notified body in accordance with Article 18(2) of that Directive.

Article 7

Accreditation/recognition of the assessment body

The assessment body provided for in Article 6 shall be either:

(a) accredited by the national accreditation body referred to in Article 13(1) using the criteria defined in Annex II; or

(b) recognised by the recognition body referred to in Article 13(1) using the criteria defined in Annex II; or

(c) the national safety authority under the requirement of Article 9(2).

Article 8

Acceptance of accreditation/recognition

Article 9

Types of recognition of the assessment body

The following types of recognition of the assessment body may be used:

(a) recognition by the Member State of an entity in charge of maintenance, an organisation or a part of it or an individual;

(b) recognition by the national safety authority of the ability of an organisation or a part of it or an individual to conduct independent assessment through the assessment and supervision of the safety management system of a railway undertaking or an infrastructure manager;

(c) when the national safety authority is acting as certification body in conformity with Article 10 of Regulation (EU) No 445/2011, recognition by the national safety authority of the ability of an organisation or a part of it or an individual to conduct independent assessment through assessment and surveillance of the system of maintenance of an entity in charge of maintenance;

(d) recognition by a recognition body designated by the Member State of the ability of an entity in charge of maintenance, an organisation or a part of it or an individual to conduct independent assessment.

Article 10

Validity of recognition

In the case referred in Article 9(1)(b):

(a) the statement of recognition for a railway undertaking or an infrastructure manager shall be displayed on the relevant safety certificate in field 5 ‘Additional Information’ of the harmonised format of safety certificates provided in Annex I to Commission Regulation (EC) No 653/2007 (⁵) and in an appropriate part of the safety authorisations;

(b) the period of validity of recognition shall be limited to the validity of the safety certificate or authorisation under which it is granted. In this case, the request of recognition shall be made at the next application for renewal or update of the safety certificate or authorisation.

In the cases referred in Article 9(1)(c):

(a) the statement of recognition for an entity in charge of maintenance shall be displayed on the relevant certificate in field 5 ‘Additional Information’ of the harmonised format of certificates for entities in charge of maintenance provided in Annex V, or in Annex VI where relevant, of Regulation (EU) No 445/2011;

(b) the period of validity of recognition shall be limited to the validity of the certificate issued by the certification body under which it is granted. In this case, the request of recognition shall be made at the next application for renewal or update of that certificate.

Article 11

Surveillance by recognition body

Article 12

Relaxed criteria where a significant change is not to be mutually recognised

Where the risk assessment for a significant change is not to be mutually recognised, the proposer shall appoint an assessment body meeting at least the competency, independency and impartiality requirements of Annex II. The other requirements of paragraph 1 in Annex II may be relaxed in agreement with the national safety authority in a non-discriminatory way.

Article 13

Provision of information to the Agency

Article 14

Support from the Agency to accreditation or recognition of the assessment body

Article 15

Safety assessment reports

Article 16

Declaration by the proposer

Based on the results of the application of this Regulation and on the safety assessment report provided by the assessment body, the proposer shall produce a written declaration that all identified hazards and associated risks are controlled to an acceptable level.

Article 17

Risk control management and audits

Article 18

Feedback and technical progress

Before 21 May 2018 the Agency shall submit to the Commission a report containing:

(a) an analysis of the experience with the application of this Regulation, including cases where the CSM has been applied by proposers on a voluntary basis before the relevant date of application provided for in Article 20;

(b) an analysis of the experience of proposers concerning decisions on the level of significance of changes;

(c) an analysis of the cases where codes of practice have been used as set out in point 2.3.8 of Annex I;

(d) an analysis of the experience with the accreditation and recognition of assessment bodies;

(e) an analysis of the overall effectiveness of this Regulation.

The national safety authorities shall support the Agency in collecting such information.

Article 19

Repeal

Regulation (EC) No 352/2009 is repealed with effect from 21 May 2015.

References to the repealed Regulation shall be construed as references to this Regulation.

Article 20

Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from 21 May 2015.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

ANNEX I

1. GENERAL PRINCIPLES APPLICABLE TO THE RISK MANAGEMENT PROCESS

1.1.   General principles and obligations

1.1.1.The risk management process shall start from a definition of the system under assessment and comprise the following activities:

(a) the risk assessment process, which shall identify the hazards, the risks, the associated safety measures and the resulting safety requirements to be fulfilled by the system under assessment;

(b) demonstration of the compliance of the system with the identified safety requirements; and

(c) management of all identified hazards and the associated safety measures.