A possible universal approach for risk assessments
Posted: 23 March 2016
François Bianco, Isabella Mariani and Hanspeter Schlatter from the Swiss Federal Railways (SBB) Signalling Department present their risk assessment method and suggest that a possible universal approach could be used.
Common solutions versus different approaches in Europe
In any technical system there is no safety measure that entirely eliminates risk, as the concept of absolute safety is utopian – particularly in railways. As a consequence, socially and economically acceptable safety values have to be established. In Europe the definition of a common risk assessment method is challenging, especially due to the cultural differences that influence every country’s decisions. An ongoing debate has been conducted for many years that aims to synthesise a harmonious solution. This led in 2009 to the definition of a European Common Safety Method (CSM) [1], which states that, in case of significant changes in a railway system, the member countries have to assess the risk by applying codes of practice, given as a set of written rules, or by comparing the new system to an equivalent reference system using the GAMAB (‘globalement au moins aussi bon’) principle [2]. If neither of these two methods can be used, risk acceptability is evaluated using an explicit risk estimation.
To evaluate risk acceptance, different approaches can be applied, i.e. using quantitative analyses. For example, for hazards that arise from pure technical failures and which can have critical or catastrophic consequences, the so-called ‘harmonised design targets’ are, according to the CSM, defined as upper limits for technical failure rates that must not be exceeded [3,4]. Another approach is risk assessment according to the ALARP method (‘as low as reasonably practicable’), which focuses on a cost-benefit analysis and is socioeconomically oriented [2]. Alternatively, the MEM (‘minimum endogenous mortality’) approach bases the risk acceptability estimation on risk limits for the individual, i.e. the risk to which an individual using this system is exposed [2]. This approach is also applied in the explicit risk analysis methodology recommended by the Swiss Federal Office of Transport (FOT) for railway projects that are not able to comply with all the statutory regulations. The aim is to prove that, despite the lack of compliance with the law, no unacceptable individual risks to passengers and railway employees can arise [5]. There are many examples across Europe, besides transport, where the concept of individual risk is applied, for instance in civil engineering, natural hazards, or energy production.
These different approaches can be combined with each other, as we shall see in the UK and Italy, where quantitative analyses are used. Further details of the specifications of collective risk – also called ‘societal risk’ – and ‘individual risk’ are also given below.
British railway companies mostly assess the risk using the ALARP method [6]: the costs of implementing a particular safety measure are compared to the benefits of the risk reduction and the result is monetised accordingly. Additionally, the individual risk is calculated and classified according to the categories: acceptable, broadly acceptable or unacceptable. However, this is not used as a risk acceptance criterion, but rather integrated in the risk analysis and used as an indicator to prioritise the safety management efforts. The risk tolerability in the UK is established at a regulatory level.
In Italy the presidential decree for safety, police and regularity in railway [7] sets the following principle (article 8(1)): “In the exercise of the railways measures and precautions must be taken, as suggested by technical and practical considerations, in order to prevent accidents.” This principle was applied [8], where one fatality is considered a ‘catastrophic’ consequence, yet in the EN 50126 it was characterised as a ‘critical’ consequence [2]. This is an example of how a risk may be perceived differently and also illustrates the difficulty with defining a harmonised risk evaluation framework across the European railways. Furthermore, the ministerial decree for safety in tunnels [9] bases risk acceptability on the individual risk, which is subdivided into three categories: acceptable, broadly acceptable or unacceptable. If the risk falls within the intermediate category, further studies and accurate documentation are needed and, in case of residual uncertainty, an ALARP evaluation must be conducted.
The risk assessment method at the signalling department of the SBB
The Safety Concept of the FOT states equivalently to the CSM [10]: ‘We accept residual risks only when, to the best of our knowledge, these risks are justifiable and cannot be eliminated by taking reasonable measures [17].’ However, the FOT and the Swiss laws allow the railway companies the freedom to choose the exact method [18]. To evaluate if a risk is acceptable the SBB established, in recent years, some internal regulations concerning risk assessment [12,13]. Prior to these official regulations the Safety Team of the signalling department at SBB (hereafter SAZ, from ‘Sicherungsanlagen und Zugbeeinflussung’) independently developed a method to assess the risk linked to the operation of technical systems for signalling [14]. This method is a quantitative two-step approach based on a probabilistic risk assessment, coherent with the FOT concept [10] and the SBB internal regulation [13]. When a possible hazard is identified, the first step is to compare the individual risk arising from this hazard with upper limits derived from the MEM. In a second step safety measures are evaluated according to the ALARP method. The explicit comparison of risk and measure is made through the monetisation of the collective risk, based on the so-called ‘value of preventing a fatality’, i.e. the ‘willingness to pay’ of society to prevent a fatality. Please note: this is not the value of a human being! This method thus focuses first on the acceptance of risk that every single person involved in the system intrinsically carries, and then moves to an economically practicable limit of the collective risk.
The collective risk of a given hazard is defined as the product of its frequency of occurrence and its severity, i.e. the number and degree of fatalities (injuries [19], as well as damages to rolling stock, infrastructure and environment can also be taken into account). Hazards are analysed, for example, using failure or event trees which take into account the limit of the technical system as well as the human handling and error. In fact, human beings have, in most cases, base error rates that are much greater than the error rate of technical systems. On the other hand, they can also help to avoid an accident when they notice that something is wrong or unexpected, i.e. stepping in when the technical system fails.
Assessment of the individual risk: ethical aspect
When the collective risk of the system is determined, based on numerical estimations or statistics, it is then distributed among the average number of heavy users of the system (i.e. commuters) and the number of train drivers involved in the region. This allows their respective individual risks to be estimated. Different limits are attributed to the different risk categories, reflecting the fact that a train driver has more influence to prevent an accident than the less voluntary commuters, who only sit in the train. The threshold for the train driver is defined in relation to typical work-related accidents at a value of 10^-4 deaths per year [5,16]. The equivalent limit for passengers equals 1/20th of the MEM, which corresponds to 10^-5 deaths per year (see Table 1) [2]. If the estimated individual risk is above these limits, compulsory measures are applied, regardless of their cost, as the risk is unacceptably high for individuals. This ensures that the railway system does not add an unjustifiable amount to the risk ‘budget’ of a single person. The dashed line in Figure 2 is defined by the MEM criterion. Below this limit the ALARP principle is applied. According to our experience, the individual risk for passengers is usually in an acceptable range, whereas the railway workers are more often concerned with unacceptable individual risks.
Assessment of the collective risk: economical aspect
In the second instance, if the risk is acceptable from an individual point of view, we proceed further with the ALARP criterion. The collective risk of the different categories is monetised to enable comparison of the risk reduction and the cost of the safety measures. In order to do so we use, as a conversion factor, a marginal cost based on the ‘value of preventing a fatality’. Compared to the British railways, where a unique value is applied [6], at SAZ different marginal costs are assigned to the different risk categories, congruent with what is done for the individual risk acceptance criteria: higher marginal costs are associated with passengers compared to train drivers. We then consider the effect of aversion, by introducing a differential risk aversion weighting factor depending on the severity. This factor takes into account the public risk perception: in case of a bigger accident the risk is over-proportionally perceived compared to many small accidents of the same total severity. The concept of the aversion is controversial; however, it is necessary to come to an agreement on how to consider it. The SAZ definition of the aversion factor is 0.8 times the square root of the severity [11]. The monetised collective risk is then given by the product of the collective risk, the marginal cost of the related category and the aversion weighting factor. The benefit of a measure is the difference between the initial collective risk and the residual risk after the application of the safety measure. The annual total cost of the measure is the sum of the investment distributed over its lifespan and its annual maintenance cost. Measures that are not cost effective have a cost-to-benefit ratio larger than one. The optimal measure corresponds to the smallest sum of residual risk and annual costs. Other losses during operation can also be taken into account in the effective cost to compare the possible measures.
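The two-step decision described in the two sections above, as an added example that is not part of the original article or SBB's own tooling. The individual-risk limits and the aversion factor are the article's; the marginal costs, the sample hazard and the two measures are constructed assumptions.

```python
from dataclasses import dataclass
from math import sqrt

# Individual-risk limits from the article (deaths per person per year).
INDIVIDUAL_LIMIT = {"train_driver": 1e-4, "passenger": 1e-5}
# ASSUMPTION: marginal costs per prevented fatality. The article gives no
# figures, only that passengers are assigned more than train drivers.
MARGINAL_COST = {"train_driver": 5e6, "passenger": 10e6}

@dataclass
class Measure:
    name: str
    residual_frequency: float  # events per year once the measure is in place
    investment: float
    lifespan_years: float
    annual_maintenance: float
    def annual_cost(self):
        return self.investment / self.lifespan_years + self.annual_maintenance

def individual_risk(frequency, severity, exposed_persons):
    """Collective risk (frequency * severity) spread over the exposed group."""
    return frequency * severity / exposed_persons

def monetised_risk(frequency, severity, category):
    """Collective risk * marginal cost * aversion factor 0.8 * sqrt(severity)."""
    return frequency * severity * MARGINAL_COST[category] * 0.8 * sqrt(severity)

def assess(frequency, severity, category, exposed_persons, measures):
    """Step 1: MEM-derived individual limit. Step 2: ALARP cost-benefit."""
    if individual_risk(frequency, severity, exposed_persons) > INDIVIDUAL_LIMIT[category]:
        return "compulsory", None  # measures required regardless of cost
    baseline = monetised_risk(frequency, severity, category)
    best_name, best_total = "no measure", baseline
    for m in measures:
        residual = monetised_risk(m.residual_frequency, severity, category)
        benefit = baseline - residual
        if benefit <= 0 or m.annual_cost() / benefit > 1:
            continue  # cost-to-benefit ratio above one: not cost effective
        if residual + m.annual_cost() < best_total:
            best_name, best_total = m.name, residual + m.annual_cost()
    return "alarp", best_name

# Constructed sample: 0.01 events/year, 4 fatalities/event, 10,000 commuters.
SAMPLE_MEASURES = [
    Measure("warning system", 0.005, 2_000_000, 20, 50_000),
    Measure("full rebuild", 0.001, 10_000_000, 20, 100_000),
]
if __name__ == "__main__":
    print(assess(0.01, 4, "passenger", 10_000, SAMPLE_MEASURES))
```

With these constructed figures the rebuild removes more risk but costs more per year than it saves, so the cheaper measure is selected.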
The risk assessment method used by the signalling department of the Swiss Federal Railways defines the acceptance of a risk based on a two-step approach, which ensures the following: (i) no individual is exposed to an unacceptable risk according to the MEM principle, and (ii) the optimum in collective safety is achieved based on a cost-benefit analysis according to the ALARP approach. It takes into account the individual right to safety (ethical aspect) and the societal aversion to events with high severity. It is transparent, objective, plausible and comprehensible, as risks, costs and benefits of measures (economical aspect) can be calculated and compared. In recent years the method has proved its practicability in our everyday work. Additionally, the presented technique is not limited to railway signalling but can also be used elsewhere to define risk acceptance criteria.
We would like to thank Roman Slovak (FOT, Switzerland), George Bearfield (RSSB, UK), Maria Grazia Marzoni and Roberto Calamai (ANSF, Italy) for the fruitful discussions and for reviewing this article.
- [1] European Union (2009) Commission implementing Regulation (EC) No 352/2009 of 24 April 2009 on the adoption of a common safety method on risk evaluation and assessment as referred to in Article 6(3)(a) of Directive 2004/49/EC of the European Parliament and of the Council, Belgium
- [2] CENELEC (2000) EN 50126 – Railway application – The specification and demonstration of dependability, reliability, availability, maintainability and safety (RAMS).
- [3] European Union (2013) Commission implementing Regulation, (EU) No 402/2013 of 30 April 2013 on the common safety method for risk evaluation and assessment and repealing Regulation (EC) No 352/2009 [1], Belgium
- [4] European Union (2015) Commission implementing Regulation, (EU) 2015/1136 of 13 July 2015 amending implementing Regulation (EU) No 402/2013 on the common safety method for risk evaluation and assessment, Belgium
- [5] Slovak, H. Meuli, H. Schlatter: Assessing the individual risk of rail transport for passengers and staff; 9th Symposium on Formal Methods for Automation and Safety in Railways and Automotive Systems FORMS/FORMAT 2012, Braunschweig 2012
- [6] RSSB (2014) Taking Safe Decisions, United Kingdom
- [7] Presidenza della Repubblica Italiana (1980) Decreto del Presidente della Repubblica n. 753 del 11 luglio 1980 – Nuove norme in materia di polizia, sicurezza e regolarità dell’esercizio delle ferrovie e di altri servizi di trasporto, Italy
- [8] RFI (2007) Disposizione No 51 del 12 Nov. 2007 – Modifiche alla Disposizione del Gestore dell’Infrastruttura n.13 del 26 giugno 2001 e successive modifiche, Italy
- [9] Ministero delle Infrastrutture e dei Trasporti (2005) – Decreto del Ministero delle Infrastrutture e dei Trasporti 28 ottobre 2005 – Sicurezza nelle gallerie ferroviarie, Italy
- [10] Swiss Federal Office of Transport (2013), FOT Safety Concept v1.2_e, Ref. 051/2012-12-11/390, Switzerland
- [11] Swiss Confederation (1999), Risikokonzept für Naturgefahren – Leitfaden, Teil A: Allgemeine Darstellung des Risikokonzepts, Switzerland
- [12] Swiss Federal Railways (SBB), Regulation K 250 (2012), Umgang mit sicherheitsrelevanten Änderungen
- [13] Swiss Federal Railways (SBB), Regulation K 252.0 (2015), Managementsystem SBB Konzern: Teil Safety – Methodik Riskmanagement Safety bei der SBB
- [14] Swiss Federal Railways (SBB) I-SA, H.P. Schlatter and S. Einer (2008), Sicherheit bei SBB, I-SA: Das Risikokonzept zur Beurteilung von technischen Risiken zum Schutz von Reisenden und Angestellten, Version V 1.2
- [15] Swiss Federal Office of Transport (2014), Methode zur Beurteilung des individuellen Risikos www.bav.admin.ch/grundlagen/03514/03589/03593/index.html?lang=de
- [16] Hans A. Merz, Thomas Schneider, Hans Bohnenblust (1995), „Bewertung von technischen Risiken“; Polyprojekt Risiko und Sicherheit, Band Nr. 3, Hochschulverlag AG an der ETH-Z (vdf), ISBN 3-7281-2178-9
- [17] The FOT is preparing a new safety regulation which will be published soon.
- [18] A new method for assessing the individual risk is currently undergoing verification at the FOT [5,13,14].
- [19] Conversion of medium, highly injured occurs by a change in the order of magnitude, i.e. 100 medium injuries = 10 high injuries = 1 fatality, as given in the annex of EN 50126 [2].
Dr. François Bianco is a physicist and works as a Safety Engineer within the Safety Team of the Signalling Department at the Swiss Federal Railways. He obtained a Ph.D. in nanophysics at the University of Geneva.
Dr. Isabella Mariani is a physicist and works as a Safety Engineer within the Safety Team of the Signalling Department at the Swiss Federal Railways. She obtained a Ph.D. in climate sciences at the University of Bern.
Hanspeter Schlatter is an Engineer and is the Head of the Safety Team within the Signalling Department at the Swiss Federal Railways. He obtained his diploma in engineering at the ETH Zurich. He has been a safety specialist in railway systems for 15 years and is one of the authors of the risk assessment method described in this article.