Copyright DB Netz AG, licensed under CC-BY SA 3.0 DE (see full text in CC-BY-SA-3.0-DE)
ARCH.027 Evaluate operational safety risks
- SM-2763: Populate Confluence page for activity definition: ARCH.027 Evaluate operational safety risks (Finished)
- SM-3977: Define the hazardous state likelihood categories (Finished)
| Goal | Specify how operational safety risks will be managed down to an acceptable level; operational safety risks evaluated |
|---|---|
| Requirements met by this process step | DB Regulation 0451.0100; CSM-SMS guidance 1.1 b), 3.1.1.1 a); CSM-RA guidance 4 |
| Inputs | AMOD-030 Accident and hazard state model |
| Outputs | AMOD-030 Accident and hazard state model (updated) |
| Methodology | Once a safety risk state model (including variants) is completed for each hazard-accident scenario related to an Operational Capability, the natural probability shall be defined for each deviation/condition contributing to the transition from the safe state to the hazardous state and from the hazardous state to the accident state. Note: it is not necessary to define/assign probabilities for the complementary deviations/conditions for the transition between hazardous state and safe state and for the self-transition in the safe state. Rationale: these probabilities are not needed for calculating and evaluating the safety risk. The probability of a deviation/condition occurrence shall be estimated with the support of Railway Experts if needed. If the probability can be estimated precisely, the probability value shall be entered manually. Otherwise a frequency category or a conditional probability category (as appropriate for the deviation/condition) shall be chosen. In the latter case the probability for the selected category will be derived automatically from the upper boundary (greater value) of the bandwidth defined in the "DBS (Safety) Frequency Categories" and "DBS Conditional Probability Categories" tables in the DBS System Development Safety Plan (in preparation). When neither a particular probability is given nor a frequency/probability category is selected, 1 shall be taken as the default probability. The probability of the transition to the hazardous state P(SS>HS) and the probability of the transition to the accident state P(HS>AS) can then be calculated, and the resulting natural accident state probability is derived as the product of these two transition probabilities. Achievement of the accident state probability target is then verified. If the natural accident state probability does not meet the target, the needed accident probability reduction factor shall be derived from the ratio between the accident state target and the natural accident state probability. This risk reduction factor will then have to be allocated to the operational risk control measures to be added to the risk state model and/or to the deviations/conditions of the risk state model that need to be constrained (see ARCH.028). |
| Tools and non-human resources | Team for Capella |
| Cardinality | Once per operational capability, for each related safety risk state model. To be reassessed for each project/prototype, as natural probabilities may differ depending on the particular context. |
| Completion criteria | There exists an estimate of the probability of each deviation/condition of the current operational capability that could lead to a hazardous state occurrence or an accident state occurrence. The natural accident state probability is estimated for each safety risk state model related to the operational capability. The output view conforms to its modelling rules. |
| Design review | ARCH.R.1 Operational capability review |
| Step done by (Responsible) | RAMS architect |
| Provides input to/assists (Contributes) | |
| Uses outputs (Informed) | System architect |
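As an added worked example (not part of the DB Netz activity definition or its tooling), the following Python model carries the Methodology through for one safety risk state model: per-deviation probability resolution (manual value, category upper bound, or default 1), the two transition probabilities, the natural accident state probability, the target check and the reduction factor handed to ARCH.028. The category bands, the deviation names and the multiplicative combination of contributors within a transition are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder bands (lower, upper). The real DBS frequency and
# conditional probability category tables are still in preparation; per the
# methodology the value used for a category is the band's upper boundary.
FREQUENCY_CATEGORIES = {"frequent": (1e-3, 1e-2), "probable": (1e-4, 1e-3),
                        "occasional": (1e-5, 1e-4), "remote": (1e-6, 1e-5)}
CONDITIONAL_CATEGORIES = {"likely": (1e-1, 1.0), "possible": (1e-2, 1e-1),
                          "unlikely": (1e-3, 1e-2)}

@dataclass
class Deviation:
    name: str
    value: Optional[float] = None     # precise estimate entered manually, if known
    category: Optional[str] = None    # otherwise a frequency or conditional category

    def probability(self) -> float:
        if self.value is not None:
            return self.value
        if self.category is not None:
            band = FREQUENCY_CATEGORIES.get(self.category) or CONDITIONAL_CATEGORIES[self.category]
            return band[1]
        return 1.0  # neither value nor category given: default probability 1

def transition_probability(contributors) -> float:
    # Assumption: contributors to one transition are independent and must all
    # occur, so their probabilities combine multiplicatively.
    p = 1.0
    for d in contributors:
        p *= d.probability()
    return p

def evaluate(ss_to_hs, hs_to_as, target: float) -> dict:
    """Natural accident probability = P(SS>HS) * P(HS>AS), checked against target."""
    p_ss_hs = transition_probability(ss_to_hs)
    p_hs_as = transition_probability(hs_to_as)
    natural = p_ss_hs * p_hs_as
    # Reduction factor to allocate in ARCH.028, expressed as natural/target
    # (the reciprocal of the target-to-natural ratio); None if target already met.
    reduction = None if natural <= target else natural / target
    return {"p_ss_hs": p_ss_hs, "p_hs_as": p_hs_as, "natural": natural,
            "target_met": natural <= target, "reduction_factor": reduction}

def run_example() -> dict:
    # Constructed scenario with hypothetical deviation names
    ss_to_hs = [Deviation("driver misses speed restriction", category="probable"),
                Deviation("speed supervision unavailable", value=1e-2)]
    hs_to_as = [Deviation("conflicting movement on section", category="possible"),
                Deviation("no timely braking")]  # no estimate: defaults to 1
    return evaluate(ss_to_hs, hs_to_as, target=1e-7)
```

With these inputs the natural accident state probability is 1e-6 against a target of 1e-7, so a reduction factor of 10 must be allocated in ARCH.028.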