The Safety Validators: Understanding the Assessment Body (AsBo)

On a quiet March afternoon in 2012, a car approached the level crossing at Saint‑Amand‑de‑Vendôme, France. The barriers descended as usual, but the time between barrier closure and the train’s arrival had been shortened by 15 seconds—a “minor” modification approved by a regional safety committee without any formal risk analysis. The driver of the car misjudged the new timing, was struck by the TER train, and five people lost their lives. The official investigation, led by the Bureau d’Enquêtes sur les Accidents de Transport Terrestre (BEA‑TT), found that while the technical change was small, it was a significant change under the emerging European regulation because it affected the safety barrier between road and rail. Yet no independent body had verified the risk assessment. This tragedy became a key driver for the mandatory application of Regulation (EU) No 402/2013—the Common Safety Method for Risk Evaluation and Assessment (CSM‑RA)—which requires that any significant change be subjected to a rigorous risk management process, overseen by an independent Assessment Body (AsBo). The AsBo does not design, implement, or manage the change; it verifies that the proposer has identified all foreseeable hazards, evaluated risks, and demonstrated that the system is safe. It is the safety validator, ensuring that no shortcut in risk management goes unchallenged.

What Is an Assessment Body (AsBo)?

An Assessment Body (AsBo) is an independent organisation appointed to evaluate the risk management process applied to a significant change in the European railway system, in accordance with Regulation (EU) No 402/2013 (the Common Safety Method for Risk Evaluation and Assessment – CSM‑RA). The AsBo’s role is strictly process‑oriented: it does not perform risk analysis itself, nor does it design safety measures. Instead, it verifies that the applicant (the entity proposing the change) has correctly followed the four‑step CSM‑RA process: system definition, hazard identification, risk evaluation, and demonstration of risk acceptance. The AsBo assesses whether all reasonably foreseeable hazards have been identified, whether the chosen risk acceptance principle (Codes of Practice, Similar Reference Systems, or Explicit Risk Estimation) is appropriate and properly applied, and whether the resulting safety measures are correctly documented in a hazard log. The AsBo’s final output is the Safety Assessment Report (SAR), which states whether the risk management process is compliant and whether the system is safe to be placed into service. AsBos are typically accredited by national accreditation bodies (e.g., UKAS, DAKKS, COFRAC) against ISO 17020 (inspection bodies) or ISO 17065 (certification bodies), and they must demonstrate independence from the applicant and from the designers of the change. The AsBo’s assessment is a mandatory prerequisite for obtaining an Authorisation for Placing in Service (APIS) from the relevant National Safety Authority (NSA).

1. The CSM‑RA Process: A Four‑Step Risk Management Framework

Regulation (EU) 402/2013 defines a structured risk management process that the applicant must follow. The AsBo verifies each step:

• Step 1 – System Definition & Significance Test: The applicant defines the scope of the change, including the boundaries (what is included and excluded) and the interfaces with existing systems. The “significance” of the change is then determined based on criteria such as potential impact on safety, novelty of technology, and complexity. If the change is deemed significant, an AsBo must be appointed. The AsBo verifies that the system definition is complete and that the significance test was correctly applied.
• Step 2 – Hazard Identification & Analysis: The applicant conducts a systematic hazard analysis (e.g., using HAZOP, FMEA, or structured brainstorming). All reasonably foreseeable hazards are identified and recorded in a hazard log. The AsBo reviews the methodology, the completeness of the identification, and the plausibility of the hazard scenarios. It also checks that the hazard log is properly structured (e.g., with unique IDs, descriptions, and traceability).
• Step 3 – Risk Evaluation & Acceptance: For each hazard, the applicant evaluates the associated risk (often using a risk matrix or quantitative analysis) and determines whether the risk is tolerable. If not, risk reduction measures are defined. The AsBo verifies that the risk evaluation method is appropriate for the hazard and that the risk acceptance criteria are consistent with the railway’s safety targets (e.g., as defined in the infrastructure manager’s safety management system).
• Step 4 – Demonstration of Risk Acceptance: The applicant must demonstrate that the risk is reduced to a tolerable level using one of three principles (see next section). The AsBo assesses the evidence provided: for Codes of Practice, it checks that the referenced standards are applicable and correctly implemented; for Similar Reference Systems, it verifies that the reference is truly comparable; for Explicit Risk Estimation, it reviews the quantitative analysis, including assumptions and data sources.

The AsBo does not perform the analysis but assesses the completeness, correctness, and traceability of the applicant’s work.

2. The Three Risk Acceptance Principles

CSM‑RA allows three alternative ways to demonstrate that risk has been reduced to a tolerable level. The AsBo must verify that the chosen principle is justified and that the evidence is sufficient.

|

Often, a combination of principles is used: e.g., applying Codes of Practice for standard components, and Explicit Risk Estimation for novel interfaces. The AsBo assesses the overall consistency.

3. The Hazard Log & Safety Requirements Traceability

The hazard log is the central repository for all identified hazards and the safety measures (requirements) that address them. The AsBo scrutinises the hazard log to ensure:

• Completeness: The hazard identification process covered all relevant aspects (human factors, operational scenarios, external influences). The AsBo may challenge missing hazards based on experience or cross‑check with industry‑standard hazard lists.
• Consistent classification: Each hazard has a unique ID, a clear description, an initial risk estimate (severity and probability), and a target risk level after mitigation.
• Traceability: Each safety requirement (risk reduction measure) is traced back to the hazard it mitigates and forward to the verification evidence (e.g., test results, inspection reports). The AsBo verifies that all hazards classified as “tolerable” only after mitigation have corresponding requirements that are closed (verified).
• Closure: The hazard log must clearly indicate the status of each hazard (e.g., “open,” “mitigation defined,” “verified,” “closed”). The AsBo checks that the verification evidence for each hazard is sufficient and that residual risks are documented and accepted by the relevant authority (e.g., infrastructure manager).

A poorly maintained hazard log is a common reason for AsBo findings (non‑conformities). In the 2023 update of CSM‑RA, the European Union Agency for Railways (ERA) emphasised that the hazard log must be considered a living document, updated throughout the project lifecycle.

4. The Safety Assessment Report (SAR) & Authorisation for Placing in Service (APIS)

The final output of the AsBo is the Safety Assessment Report (SAR). This report is a formal document that states the AsBo’s conclusions. It typically includes:

• Scope of assessment: A clear description of the change, including boundaries and interfaces.
• Assessment methodology: How the AsBo conducted its work (document review, interviews, witness of tests).
• Findings: A list of observations, non‑conformities (if any), and open points. Non‑conformities must be resolved before the AsBo can issue a positive conclusion.
• Conclusion: A statement that the risk management process was correctly applied, that the hazard log is complete and closed, and that the system is safe for integration into the railway network. The conclusion may be positive (with or without conditions) or negative.

The SAR, along with the applicant’s technical file, is submitted to the National Safety Authority (NSA) of the Member State where the change will be placed into service. The NSA reviews the SAR and, if satisfied, issues an Authorisation for Placing in Service (APIS). Without a positive SAR from an AsBo, the NSA cannot authorise the change. This makes the AsBo a critical gatekeeper in the safety authorisation process.

Comparison: AsBo vs. ISA vs. NoBo vs. DeBo

Railway projects often require multiple independent assessments. The table below clarifies the distinct roles, legal bases, and outputs.

|

In practice, a major project (e.g., a new ERTMS line) will engage all four types: a NoBo for TSI compliance, an ISA for product safety (e.g., interlocking), an AsBo for system‑level risk integration, and possibly a DeBo for national legacy interfaces. The AsBo’s SAR is a prerequisite for the NSA’s authorisation, while the ISA’s report is often a key input to the AsBo’s assessment.

Frequently Asked Questions (FAQ)