Guidance on the Safety Validation of Change

Author: Coleen Morris
Uncontrolled When Printed Railway Group Guidance Note GE/GN8658 Issue One Date October 2002

Guidance on the Safety Validation of Change

Synopsis This document provides practical advice to members of the Railway Group on the safety validation of change including organisational, system, technological, equipment or asset change.

Signatures removed from electronic version

Submitted by: Elizabeth Fleming, Standards Project Manager

Authorised by: Brian Alston, Controller, Railway Group Standards

This document is the property of Railway Safety. It should not be reproduced in whole or in part without the written permission of the Controller, Railway Group Standards, Railway Safety. Published by: Railway Safety Evergreen House 160 Euston Road London NW1 2DX © Copyright 2002 Railway Safety


Contents

Part A
A1 Issue record
A2 Implementation of this document
A3 Responsibilities
A4 Health and safety responsibilities
A5 Technical content
A6 Supply

Part B
B1 Purpose
B2 Application of this document
B3 Scope of this document
B4 Definitions
B5 Documented process for the safety validation of change
B6 Management of the safety validation process
B7 Safety validation documentation
B8 Safety validation process
B9 Authority to implement the change
B10 Records
B11 Monitoring and review

Appendices
A Change proposals that should be subject to safety validation
B Safety plans and safety cases

References


Part A

A1 Issue record

Issue: One
Date: October 2002
Comments: Original Document

This document will be updated when necessary by distribution of a complete replacement.

A2 Implementation of this document
The publication date of this document is 5 October 2002. This document comes into force on 7 December 2002. This document does not supersede any other Railway Group Guidance Notes. This document supersedes the following Railtrack Approved Code of Practice in whole as indicated:

Railway Group Guidance Note: GA/RC6605
Issue No.: 1 (September 1995)
Title: Safety Assurance in the Management of Change
GN sections superseded by this document: All
Date(s) as of which sections are superseded: 7 December 2002 (document withdrawn as of this date)

A3 Responsibilities
Railway Group Guidance Notes are non-mandatory documents providing helpful information relating to the control of hazards and often set out a suggested approach, which may be appropriate for Railway Group* members to follow.

* The Railway Group comprises Railtrack PLC, Railway Safety, and the train and station operators who hold railway safety cases for operation on or related to infrastructure controlled by Railtrack PLC. Railtrack PLC is known as Railtrack.

A4 Health and safety responsibilities
In issuing this document, Railway Safety makes no warranties, express or implied, that compliance with all or any document published by Railway Safety is sufficient on its own to ensure safe systems of work or operation. Each user is reminded of its own responsibilities to ensure health and safety at work and its individual duties under health and safety legislation.


A5 Technical Content
The technical content of this document has been approved by: Kevin Sutton, Railway Safety Case Assessment Manager, Railway Safety. Enquiries to be directed to Railway Safety – Tel: 020 7904 7518

A6 Supply
Controlled and uncontrolled copies of this document may be obtained from the Industry Safety Liaison Dept, Railway Safety, Evergreen House, 160 Euston Road, London NW1 2DX.


Part B

B1 Purpose
This document provides practical advice to Railway Group members, their contractors and suppliers on the safety validation of change.

B2 Application of this document

B2.1 To whom the guidance applies
This document contains guidance that is applicable to Railway Safety and the duty holders of the following categories of Railway Safety Case:

a) infrastructure controller
b) station operator
c) train operator.

This guidance is also applicable to contractors and suppliers that duty holders employ whose activities, products or services could affect the safety of, or safe interworking of activities falling within the scope of Railway Group Standards.

This document specifically applies to any amendment, alteration, addition or removal, (whether or not classified as a project), that affects or may affect the safety performance of any organisation, activity, system, asset or operation. It gives practical advice to persons who:

a) intend to make changes
b) formulate and plan changes
c) authorise changes
d) implement changes
e) monitor and review changes.

B3 Scope of this document

B3.1 There are a number of Railway Group Standards in place which mandate certain requirements that Railway Group members shall comply with when safety validating certain types of change. Many of the requirements contained within these Railway Group Standards relating to the management and safety validation of change are ‘high level’ and non-prescriptive. For example, they do not always provide guidance on the level of safety validation that should be applied to a proposed change or on the documentation that should be produced to support the safety validation of the change. There are also certain types of change that Railway Group members may want to introduce that are not covered by Railway Group Standards, but which may affect safety or safe interworking on Railtrack controlled infrastructure.

B3.2 In order to address some of the gaps in the current Railway Group Standards portfolio identified above, this Guidance Note has been produced by Railway Safety to provide Railway Group members, their contractors and suppliers with guidance on the following:

a) all of the types of change that duty holders may wish to introduce which should be subject to safety validation. This list of the types of changes is contained in Appendix A of this document. As indicated above, not all of the types of change proposal identified are covered by requirements contained within Railway Group Standards. However, where a Railway Group Standard does apply, this has been identified in Appendix A in conjunction with the type of change to which it applies

b) material that can enable Railway Group members as well as their contractors and suppliers to enhance the effectiveness and robustness of their safety validation procedures, including those safety validation procedures already in place that support requirements contained within other Railway Group Standards.

B3.3 This Guidance Note is not suggesting or recommending that all of the criteria, details, stages and arrangements described within should be applied to every safety validation undertaken. Because it has been written to provide guidance relating to the safety validation of any type of change proposal, it is wide ranging in its content, encompassing guidance on the safety validation of change involving all levels of complexity or degrees of risk. Some of the criteria and sections contained within this document are therefore not appropriate to the safety validation of some of the types of change identified in Appendix A or to changes which do not present significant degrees of risk.

B3.4 An additional document that may be of use when carrying out the safety validation of certain types of change is the ‘Yellow Book’, Engineering Safety Management Issue 3, Volumes 1 & 2, Fundamentals and Guidance. This publication provides guidance on the safety validation of complex engineering change, particularly where new or modified assets, plant, equipment or information technology is/are being subject to safety validation. Some of the principles of the ‘Yellow Book’ have been incorporated within this Guidance Note where it is considered they would be of use to the safety validation of the portfolio of changes that Railway Group members and their contractors or suppliers may want to introduce that do not come within the scope of complex engineering change proposals.

B4 Definitions

Accident: An unplanned, uncontrolled and unintended event, giving rise to death, ill health, injury or other loss.

ALARP: As Low as Reasonably Practicable.

Hazard: A condition, situation or action which has the potential to give rise to death, ill health, injury or other loss.

Hazardous event: A hazardous event is an event that has the potential to lead directly to death or injury e.g. derailment, collision or fire.

HSE: Health & Safety Executive.

Independent assessor: A person with specified competence and experience requirements from a company or department separate to that being subject to safety validation (sometimes referred to as an external assessor).

Precursor: A system failure, sub-system failure, component failure, human error or operational condition which could individually or in combination with other precursors (cause) result in the occurrence of a hazardous event, eg broken rail, signal passed at danger (SPAD) or dragging brakes are precursors to the hazardous events derailment, collision and fire respectively.

RSC: Railway Safety Case.

Safety authority: The person or organisation ultimately responsible for approving the change.

Safety validation: A systematic and structured process to ensure that all risks associated with a change are identified and are reduced to as low as reasonably practicable (ALARP) before the change can be implemented.

Safety validation panel: Persons with specified competencies, skills and experience appointed with the task of assessing that the safety validation documentation meets the requirements and objectives of the company's safety validation process and where applicable, a duty holder's RSC.

Sponsor: The person proposing a change.

System: A combination of interacting hardware, software, people and processes which operate in a particular environment to achieve a specific objective.

Technical specialist: A person (often referred to as ‘the professional head’) identified in the duty holder's RSC as having designated competence, skills and experience requirements in a particular technical discipline.

B5 Documented process for the safety validation of change

B5.1 Documented process

B5.1.1 Railway Group members should:

a) have procedures in place for the safety validation of changes which have the potential to affect the safety of or safe interworking on Railtrack controlled infrastructure

b) as far as is reasonably practicable, ensure that their contractors or suppliers whose activities, products or services could affect the safety of, or safe interworking on Railtrack controlled infrastructure, are aware of the arrangements contained within this guidance note and where appropriate, have their own procedures in place for the safety validation of change.

B5.1.2 The safety validation process should provide assurance that any new risks or any potential increase in existing risks that is introduced by the change have been identified, assessed and controlled to a level which is as low as reasonably practicable. The level of residual risk following implementation of the change proposal should be at least the same or better than the residual risk that existed prior to the implementation of the change.

B5.2 Different levels of safety validation

B5.2.1 The different types of change that a Railway Group member might wish to introduce will potentially introduce varying degrees of risk. The degree of scrutiny of safety validation that should be carried out should be proportionate to the degree of risk potentially introduced by the change. It is therefore best practice for Railway Group members to have a range of safety validation procedures in place that can be applied which require an increasing level of scrutiny as the potential level of risk of the change increases. The range of levels of safety validation procedure available to a Railway Group member to apply should be appropriate to the types of change that the Railway Group member may wish to introduce.

B5.2.2 The guidance set out in section B5.2.1 applies equally to contractors and suppliers where they are required to safety validate change proposals in accordance with section B5.1.1 (b). However, the nature of many contractors’ and suppliers’ activities will not necessitate having more than a couple of levels of safety validation process available to apply.

B5.2.3 Each level of safety validation process should:

a) describe the safety validation documentation requirements (see section B7) including whether a project Safety Plan or a project Safety Case requires to be produced (see section B7.12 and Appendix B)

b) describe the safety validation process (see section B8)

c) specify whether the change should be managed as a project (see section B6.1.1) and whether a Project Manager should be appointed (see section B6.2.3)

d) specify whether an Independent Assessor is required (see section B8.1.3)

e) identify the Safety Authority responsible for endorsing/approving the safety validation documentation and authorising the implementation of the change (see section B9). The process should also specify whether a Certificate of Safety Validation requires to be issued (see section B9.4)

f) provide criteria and guidance on the extent and nature of the consultation and briefing that should be carried out for the level of safety validation being applied.

B5.3 Determining the level of safety validation to apply

B5.3.1 Railway Group members should have documented arrangements in place that provide guidance on which level of safety validation process should be applied to a change. A person with the necessary competence, skills and experience should be nominated within the procedure for determining which level of safety validation to apply to a change. This should normally be the Administrator (see section B6.2.4) in conjunction, if necessary for the more complex changes, with the company’s Technical Specialists. A record should be kept of the reasons for the decision on the level of safety validation to be applied to a change.

B5.3.2 The following is a non-exhaustive list of criteria that can be applied to determining which level of safety validation to apply:

a) the potential degree of risk presented by the change proposal. Where the change will obviously reduce residual risk or not increase existing residual risks, the level of the safety validation process applied to the change should be one that does not require an in-depth scrutiny

b) the overall extent and complexity of the change

c) whether the change involves a significant change of safety policy or strategy, or elements of competency or safety management systems which control significant risks

d) whether the change affects safety critical activities, key safety posts or the provision of technical support to an organisation

e) the effect upon risk of introducing new activities to the company’s scope of operations or activities

f) the extent to which the company’s risk profile may be affected by the change

g) whether the change requires a material change to be made to the duty holder's accepted RSC

h) whether the change is for implementation for a temporary period of time only

i) whether the change is introducing new methods of working

j) the extent to which it is necessary to revise an existing company standard, or procedure in response to an external factor such as a new Railway Group Standard, health & safety legislation or an accident investigation

k) whether the change involves introducing new assets, plant or equipment which themselves introduce new risks or significantly change existing risks

l) the degree to which the change invalidates previously undertaken safety validations

m) the extent to which the frequency at which or methods by which an asset, plant or equipment is designed, manufactured or built, inspected, monitored, maintained, renewed, tested, repaired, replaced etc is affected

n) the extent to which the supply chain is invoked or affected by the change

o) the extent to which risk may increase if a particular level of safety validation is not carried out.

B5.3.3 Wherever possible, the documented process should include previous examples of safety validation exercises undertaken and the level of safety validation process that was applied. This detail of previous safety validations should include a statement as to whether an Independent Assessor was involved in the safety validation process (see section B8.1.3).

B5.4 Types of change that should be subject to safety validation

B5.4.1 Appendix A contains a non-exhaustive list of the types of change that should be considered as requiring safety validation. Where there is a Railway Group Standard that mandates requirements for the safety validation of particular types of change, this is also identified in Appendix A. See also section B3.2 concerning the content of Appendix A.

B6 Management of the safety validation process

B6.1 Change proposal as a project

B6.1.1 Except for those levels of safety validation process that are applied to changes which involve low levels of risk, consideration should be given to managing the safety validation process as a project.

B6.2 Allocation of responsibilities

B6.2.1 Procedures should be in place for allocating responsibilities to designated persons for the safety validation of change. The persons concerned should have these responsibilities defined in writing and the persons concerned must understand them. The competence, skills and experience of the persons concerned should be appropriate to the levels of safety validation that they are required to undertake.

B6.2.2 Where responsibilities relating to either managing the safety validation process or for producing the safety validation documentation are to be contracted out, there should be arrangements in place which:

a) ensure the supplier is competent and resourced to undertake the activity concerned

b) specify the requirements that are expected of the supplier

c) assess, monitor and review the activities and output of the supplier.

B6.2.3 It is recommended that Railway Group members should allocate responsibilities as follows:

a) Sponsor
A sponsor should be identified for all change proposals. It should be the responsibility of the sponsor to:

i) develop the change proposal

ii) agree with the Administrator (see below) the level of safety validation process to be applied. For certain types of change, it may be necessary to consult with one or more of the company’s technical specialists

iii) prepare the safety validation documentation in conjunction with guidance and support from the Administrator and other persons or organisations experienced in the safety validation of change as well as determine what other arrangements need to be in place to manage the change. Where a Project Manager is appointed (see below), the sponsor may allocate the responsibility for formulating elements of the safety validation documentation to the Project Manager, eg for complex change proposals, the production of a project Safety Plan or project Safety Case (see section B7.12)

iv) implement the change.

b) Project Manager
The sponsor may determine a requirement to appoint a Project Manager to manage the change. It would be appropriate to have criteria in place to determine the levels of validation process that would necessitate the appointment of a Project Manager (see section B5.1.1). The sponsor should give the Project Manager a remit with support on the content of the remit provided by the Administrator. The remit should specify the level of safety validation to be applied.

c) Administrator
An Administrator should be identified to provide guidance and support to the Sponsor and Project Manager (if appointed) on the application and management of the safety validation process. This is likely to be the person responsible for the company’s documented procedures for the safety validation of change. The Administrator may be responsible for some of the safety validation documentation outputs such as the risk assessment (see section B7.4) as well as assessing the fitness for purpose of documentation developed by either the Sponsor or Project Manager (where appointed).

B7 Safety validation documentation

B7.1 Description and objectives of the change

B7.1.1 The safety validation documentation should contain a description of the change. It should also incorporate a summary of the objectives of the change as well as a justification for the change. Persons affected by the change should be identified in the description provided.

B7.1.2 The level of detail provided to explain the change should be proportionate to the degree of risk potentially introduced by the implementation of the change. In determining the level of detail, the objective should be to provide sufficient detail to enable a person reviewing the safety validation documentation to be assured that the change is clearly defined, well argued, necessary and will deliver the intended benefits. It should also enable the reviewer to conclude that the change will, when implemented, not increase risk to affected persons.

B7.1.3 For those complex changes where it is not possible to initially fully explain and define the change because of a lack of information, explicit assumptions should be made and indicated as such in the safety validation documentation. Any assumptions made should be confirmed at a later stage in the safety validation process as the necessary information becomes available.

B7.1.4 It is possible that the objectives and definitions of the change will modify over the life cycle of the safety validation process. Should this occur, the safety validation documentation should be reviewed and revised as necessary.

B7.2 Change proposals with a project life cycle

B7.2.1 For certain types of change such as new or modified assets, plant, equipment or information technology which involve a project life cycle, it may be necessary for elements of the safety validation documentation set out in section B7 to consider the following life cycles of the project:

a) concept and feasibility
b) requirements definition
c) design
d) implementation
e) installation and handover
f) operations and maintenance
g) decommissioning and disposal.

B7.3 Safety and technical requirements

B7.3.1 For certain types of change such as new or modified assets, plant, equipment or information technology, organisational changes and new or changed components of a safety or competence management system, the safety validation documentation should specify the safety requirements for the change proposal. Again, the level of detail provided to define the safety requirements should be proportionate to the degree of risk potentially introduced by the change.

B7.3.2 Safety requirements are formal requirements that should be met to make sure the safety risks presented by the change are reduced to as low as reasonably practicable. Safety requirements may specify:

a) features of functions of the change which help to ensure accidents do not occur

b) what the change must not do in order to ensure risk is not increased

c) features of the design including design principles and test specifications that will assure the safety of the design

d) correct functional operation of the asset, plant or equipment in the absence of faults and external influences

e) safety requirements in the event of all foreseeable faults that may occur in for example the operation of an asset, plant, equipment or software

f) the rules, conditions and constraints which should be observed during the application of the system

g) requirements to ensure that standards and regulations are complied with. Any non-conformances should be justified

h) any restrictions that should be put in place

i) external influences under which the change must operate to stay safe, eg environmental or vandalism

j) targets for carrying out a function reliably

k) competence, skills and experience requirements of persons with responsibilities for or affected by the change.

B7.3.3 Safety requirements should be justified. Where calculations have been undertaken or assumptions made in justifying the safety requirements, these should be detailed in the safety validation documentation together with the details of the techniques used.

B7.3.4 The risk assessment described in B7.4, which should be undertaken to support the change, will identify many, if not all of the safety requirements of the change proposal.

B7.4 Risk assessment

B7.4.1 The safety validation documentation should include a suitable and sufficient risk assessment that can demonstrate that:

a) all risks identified with the change are controlled to ALARP

b) the level of residual risk following implementation of the change is at least the same or better than the residual risk that existed prior to the implementation of the change.

B7.4.2 The methodology of risk assessment used should be appropriate and proportionate to the degree of risk potentially introduced by the change. The risk assessment principles set out in the duty holder’s RSC for systematically and assessing changes in risk should be applied. The methodology should also be appropriate for supporting the decision-making process associated with determining the application of control measures for controlling risks associated with the change.

B7.4.3 Depending on the nature of the change and therefore the potential degree of risk introduced, the risk assessment output should include the following, as appropriate to the methodology of risk assessment applied:

a) a description of the methodology of risk assessment used together with an explanation as to why the methodology is considered suitable and sufficient for the change being risk assessed. In particular, for complex changes involving significant degrees of risk, justification should be given as to why a qualitative methodology is determined to be suitable and sufficient as against an alternative quantitative methodology

b) a statement as to the persons involved in the hazard identification exercise together with their respective competence, skills and experience

c) a statement of the significant hazards associated with the proposed change and if it is appropriate to the change being risk assessed, a statement as to the hazardous events that may occur following the introduction of the change together with an identification of the precursors that could singly or in combination with another precursor, cause each hazardous event to occur. Hazards/hazardous events that may occur throughout the life of the change project (see section B7.2.1) should be identified together with hazards associated with any abnormal operation of the system, asset, plant or item of equipment being subject to change. Human error and procedural errors should also be considered together with any transition specific hazards associated with the change

d) for each hazard or hazardous event, a statement as to the groups of persons at risk (eg passengers, public, staff, contractors, other railway workers)

e) only if it is appropriate to the change being risk assessed, for each hazardous event, carry out a consequence analysis assessment for each of the hazardous events identified, including typical outcome and if applicable, realistic worst case outcomes

f) assess the overall risk of each hazard/hazardous event, having firstly estimated the frequency at which the hazard/hazardous event/precursor could occur and secondly the likely consequences of the hazard/hazardous event occurring. Where it is appropriate due to the degree of potential risk introduced by the change, determine whether the level of individual risk is broadly acceptable, tolerable or intolerable

g) statements of the preventative and protective control measures to be applied to ensure risks are reduced to as low as reasonably practicable. Intolerable risks cannot be accepted. Risks are tolerable only if further risk reduction is impracticable or requires action that is grossly disproportionate to the benefits gained. If the risk is broadly acceptable, it is not necessary to reduce it further unless it can be done at reasonable cost. The description provided should encompass existing control measures and those additional controls identified as reasonably practicable for ensuring risks are mitigated to ALARP. Railway Group Standard requirements, company standards and procedures as well as other industry and legislative guidance and best practice that form control measures should be referenced

h) details of any assumptions, data, judgements and interpretations which have been used in the development of the risk assessment.

13

Uncontrolled When Printed Railway Group Guidance Note GE/GN8658 Issue One Date October 2002 Page 14 of 14

Guidance on the Safety Validation of Change B7.4.4 Where the change being risk assessed is a type of change that is described in B7.2.1 as being subject to a project life cycle, there may be insufficient information to perform a detailed risk assessment for each stage of the project life cycle. The information available should be sufficient to support early decisions but as the scope, functionality and design of the change proposal develops, the suitability and sufficiency of the risk assessment output should be reviewed and enhanced as appropriate to the nature of the change. B7.4.5 For some projects, for example those involving new or modifications to existing assets, plant or equipment, the level of risk to exposed population groups may change over the life of the project as various stages are completed. This should also be reflected in the risk assessment output. B7.5 Disposition statement B7.5.1 Where it is appropriate to the change being subject to safety validation, a disposition statement should be prepared comparing existing control measures with those proposed in the changed arrangement. Where control measures are either dispensed with or reduced, the safety validation should demonstrate why it has been determined that risk will not be increased by the changed control measures. Examples include:

a) organisational change and the need to identify all existing safety responsibilities, accountabilities, authorities, competencies, skills and experience of the posts affected by the change and ensuring that each of these has been allocated to a post in the new organisation. Where responsibilities, etc are not required in the new organisation, the reason for dispensation should be documented. In addition, any known safety information or assumptions held about safety conditions by persons affected by the change should be identified and passed on to new post holders, as appropriate. The same principles apply to responsibilities passing between companies as part of a change

b) the identification of the controls provided by an existing asset, item of plant or equipment that is to be modified, replaced or subject to a changed asset management regime and how these control measures are affected by the change. Where controls are to be modified or dispensed with, the validation documentation should demonstrate by means of risk assessment, why the revised control arrangements are considered to be suitable and sufficient

c) the identification of control measures contained within an existing standard, procedure, instruction, guidance note or code of practice and where these control measures have been documented within new or revised documentation. Where the risk assessment has determined that control measures can be dispensed with, the reason should be documented together with a demonstration of the reason(s) for dispensation. This sort of safety validation may for example be necessary following the introduction of new or revised Railway Group Standards or health & safety legislation, recommendations from Formal Inquiries or the introduction of new technology.

B7.6 Resources

B7.6.1 Where it is appropriate to the change being safety validated, the safety validation documentation should include a description of the resources required to ensure that the change is managed objectively, safely, effectively and in a timely way.

B7.6.2 Resource considerations include, but are not limited to:

a) the availability of adequate numbers of competent personnel with the necessary competence, skills and experience

b) adequate levels of finance to ensure the change objectives are delivered and the change is managed safely

c) adequate material resources such as raw materials, plant, equipment, goods and supplies, where appropriate.

B7.7 Interfaces

B7.7.1 Where it is appropriate to the change being safety validated, the safety validation documentation should include details of all of the interfaces affected by the change. This should include, as appropriate to the change, interfaces with other duty holders, contractors, suppliers, the HSE, emergency services, local authorities and environmental agencies.

B7.7.2 As well as identifying affected stakeholders, the proposal should:

a) describe the extent to which each identified interface is affected by the change

b) detail the allocation of responsibilities for communicating to each affected stakeholder details of the change and if appropriate, how the interface arrangements will be changed

c) describe the revised interface management arrangements including altered communication and liaison arrangements.

B7.8 Changes to company documentation

B7.8.1 Where it is appropriate to the change being safety validated, the safety validation documentation should include details of any new or revisions to existing company standards, codes of practice, guidance notes, procedures, specifications, instructions, systems of work, risk assessments and safety policy statements that should be undertaken as a result of the change. Examples include post title changes following organisational changes, new or revised procedures to accompany new or modified assets, plant or equipment and new or revised methods of working such as the introduction of Driver Only Operation or revised train preparation procedures following rolling stock modifications.

B7.8.2 The safety validation documentation should specify whether identified changes to company documentation should be completed before the change is implemented or whether completion can be undertaken within a specified timescale following implementation of the change. For certain changes, the Safety Authority (see section B9) approving the change may require the safety validation documentation to incorporate the proposed changes to affected company documentation.

B7.8.3 Where changes are identified as needing to be carried out to company documentation, the safety validation documentation should detail the post holder(s) responsible for making the necessary changes together with timescales for completion.

B7.9 Changes to the Railway Safety Case

B7.9.1 Where it is appropriate to the change being subject to safety validation, the safety validation documentation should identify what changes require to be made to the duty holder’s Railway Safety Case (RSC). Certain categories of change may require a material change to the RSC being carried out. The Duty Holder should consult with the HSE as to whether the change proposal constitutes the acceptance of a material change to the duty holder’s RSC. Railway Safety’s guidance on material changes to Railway Safety Cases is contained in GA/GN6510.

B7.9.2 Where the change requires changes to be made to the duty holder's RSC, these should be incorporated within the safety validation documentation.

B7.10 Consultation and briefing

B7.10.1 The safety validation documentation should:

a) describe the consultation and briefing that requires to be carried out before the change is implemented and the nature that the briefing and consultation should take, eg meetings, correspondence, notices, circulars, etc

b) identify affected staff, contractors, suppliers, other duty holders and other affected stakeholders that require to be consulted or briefed

c) detail the post holder(s) responsible for compiling the consultation and briefing documentation

d) allocate responsibilities for the carrying out of consultation and briefing

e) describe the arrangements whereby feedback, comments and suggestions concerning the change are captured and considered by the Sponsor and/or Project Manager (where appointed) and where appropriate, responses formulated for return to the organisation or person concerned.

B7.10.2 The benefits that can be obtained from meaningful consultation and briefing in ensuring the objectives of the change are achieved should not be underestimated. Sponsors and Project Managers (where appointed) should consider at what stages of the management of the change proposal consultation and briefing will deliver material benefits to the change process.

B7.11 Timescales

B7.11.1 The safety validation documentation should detail the timescales for the implementation of the change including, if it is appropriate to the nature of the change, start and completion dates for each stage of the safety validation process and any transitional arrangements.

B7.11.2 Criteria to consider for incorporation within the safety validation documentation relating to timescales for the completion of the safety validation process and on determining actual timescales for the implementation of the change include, but are not limited to:

a) the intended timescales for the implementation of the change. Where implementation is being staged, the proposed implementation of each stage should be documented

b) timescales to complete each stage of the safety validation process

c) identification of any critical paths within either the safety validation process or the actual implementation of the change

d) where a material change to the duty holder’s RSC is required, timescales for submission, assessment and acceptance of the material change. See Guidance Note GA/GN6510

e) the availability of an Independent Assessor where required by the safety validation process (see section B8.1.3)

f) timescales for the completion of any new or revisions to company documentation

g) timescales for the filling of vacancies or any training or competency assessments that must be completed

h) timescales for tender documentation to be prepared, bids to be received and assessed and contracts let

i) timescales for the completion of feasibility studies and subsequent design approval

j) completion of the construction or installation phases of a change

k) undertaking of safety assessments or safety audits by an Independent Assessor on the safety validation panel (see section B8.1.3)

l) completion of consultation and briefing

m) any transitional stages

n) potential risks introduced if the change is not implemented to the agreed and specified timescales

o) if the change itself is to be implemented for only a temporary period, the length of time that the revised arrangements will apply

p) timescales for statutory approval from HSE of changes to assets, plant and equipment which are subject to the provisions of the Railways and other Transport Systems (Approval of Works, Plant and Equipment) Regulations 1994

q) the requirements of European Commission legislation, ie the Safety and Interoperability Directives.

B7.11.3 The safety validation documentation should include a description of any transitional arrangements associated with the implementation of the change. Examples of transitional arrangements include phased or staged introduction of the change, temporary control measure arrangements, temporary allocation of responsibilities, trial operations and the temporary use of assets, plant or equipment.

B7.12 Project Safety Plan or Safety Case

B7.12.1 Consideration should be given to managing changes, which are either complex in nature or involve significant degrees of risk, as a project (see section B6.1.1). To support the project, consideration should be given to incorporating the various elements of the safety validation documentation (sections B7.1 to B7.11 as appropriate) within a project Safety Plan. Appendix B provides guidance as to the content of a Safety Plan.

B7.12.2 For certain types of complex changes, duty holders may determine a requirement to produce a project Safety Case (this is not to be confused with the legal requirement for a Railway Safety Case in accordance with the Railways (Safety Case) Regulations 2000). A Safety Case is a document that provides evidence, arguments and assumptions aimed at providing assurance that all hazards associated with a change are identified, managed and controlled to ALARP. Guidance on the content of a project Safety Case is also contained in Appendix B. For the approval of certain more complex change proposals, the Safety Authority approving the change may require the submission of a Safety Case.

B8 Safety validation process

B8.1 Application of the safety validation process

B8.1.1 Section B5.2.1 describes how Railway Group members and also, their contractors and suppliers as appropriate, should have different levels of safety validation process that can be applied to different types of change proposal. These different levels of safety validation should provide for increasing levels of scrutiny depending on the potential degree of risk presented by the change.

B8.1.2 For those levels of safety validation that do not require an in-depth scrutiny to be carried out, the safety validation documentation that is produced as described in section B7 should not require to undergo the procedures set out in sections B8.2 and B8.3. All that should be required is the process for approving the change as set out in section B9. For more complex change proposals involving the potential for the introduction of significant degrees of risk, the safety validation process should require the stages set out in sections B8.2 and B8.3 to be undertaken. Where these stages are a requirement of the safety validation process, sections B8.2 and B8.3 provide guidance to Railway Group members on how to make these stages of the safety validation process as effective as possible.

B8.2 Appointment of a safety validation panel

B8.2.1 For the safety validation of more complex changes, the level of safety validation to be applied as described in section B5.1 may require the convening of a safety validation panel. The objectives of the safety validation panel are to assess the safety validation documentation as described in section B7 in order to determine that:

a) all significant risks associated with the change have been identified

b) the existing and proposed control measures ensure that these risks have been reduced to ALARP

c) the change is necessary and will deliver the intended objectives.

B8.2.2 Where the safety validation process being applied requires the convening of a safety validation panel, the process should:

a) identify the post holder responsible for appointing the safety validation panel and a panel chairman. This should normally be the Administrator for the safety validation process in conjunction with the Sponsor, Project Manager (where appointed) and if necessary, Technical Specialists

b) describe the criteria for determining both numbers and the competence, skills and experience requirements of panel members to ensure that all aspects of the change proposal can be robustly safety validated

c) summarise the responsibilities of the safety validation panel members

d) incorporate criteria as to when it is necessary for the safety validation panel members to meet with the Sponsor, and where applicable, the Project Manager, in order to discuss the contents of the safety validation documentation and any issues raised by panel members. Such a forum is normally referred to as a safety validation panel meeting. Minutes of these forums should be kept, which may be by means of an Issues log

e) allow sufficient time for panel members to review and comment upon the safety validation documentation.

B8.2.3 In addition to the appointment of a safety validation panel, the safety validation process may require the appointment of an Independent Assessor to sit on the safety validation panel. Where the level of safety validation being applied requires an Independent Assessor, the process should:

a) document the competence, skills and experience requirements of the Independent Assessor, which may vary depending on the complexity and the degree of risk presented by the change

b) describe the criteria to be applied in determining from which type of organisation the Independent Assessor should be obtained, eg another member of the Railway Group or a company or consultant with safety management or risk assessment as a core business activity or indeed an Independent Assessor from another department within the organisation not directly affected by the change. The level of independence should depend on the complexity and the degree of risk presented by the change.

B8.2.4 Consideration should be given to producing a remit for the Independent Assessor. This should be done with input from the Administrator of the validation process, Sponsor and Project Manager (where appointed). The remit should include a requirement for the Independent Assessor to produce a report of the safety assessment or safety audit, which may include the raising, and closing of issues. The objectives of the Independent Assessor should be as those shown for the safety validation panel in B8.2.1 but could also encompass:

a) undertaking process and technical safety assessments and/or safety audits, depending on the complexity of the change

b) recommending improvements to the safety validation documentation

c) ensuring that the company's procedure for the safety validation of change has been complied with.

B8.3 Recording and closing of issues

B8.3.1 The safety validation process should include arrangements whereby the safety validation panel members and the Independent Assessor (where appointed) can raise and record issues. An Issue should be considered as a matter that involves a deficiency of information, ambiguity or a failing to demonstrate within the safety validation documentation, that requires to be resolved to enable the panel member raising the issue to be satisfied that the objectives of the safety validation have been achieved.

B8.3.2 Issues should normally be recorded on an issues log and scope provided on the log for:

a) a unique reference identification to be allocated to each issue raised

b) the issue to be recorded together with the panel member raising the issue

c) categorisation of issues which might include:

   i) identifying those issues that require to be addressed before the change can be implemented

   ii) issues that may be addressed over specified timescales following implementation of the change. It may be necessary to allocate specific control measures to mitigate levels of risk over the specified timescales

   iii) issues of a minor nature that the safety validation panel or Independent Assessor (where used) are satisfied can be addressed by the Sponsor or Project Manager (where appointed) without reference back to the panel member concerned. However, when these minor issues are combined, and it is established by the safety validation panel that they represent sufficient residual risk, the safety validation panel and Independent Assessor (where appointed) should agree with the Sponsor and/or Project Manager (where appointed) the arrangements for confirming closure of the issues.

d) the Sponsor or Project Manager (where appointed) to respond to the issues raised

e) the panel member to indicate whether issues have been satisfactorily addressed as ‘closed’ or require to be re-raised. This may be by signature on the issue log itself or a written confirmation to support the issue log indicating that issues have been satisfactorily addressed.

B8.3.3 Where an issue requires an enhancement or amendment to be made to the safety validation documentation, these amendments should normally be completed before the issue can be considered to have been satisfactorily addressed.

B8.3.4 Where applicable, the safety validation process should provide for the Independent Assessor's output to be forwarded to the Safety Authority (see section B9) that will be approving the change. Indeed, the Independent Assessor's output may include recommendations for the Safety Authority approving the change that subsequent reviews or assessments should be undertaken following the implementation of the change.

B9 Authority to implement the change

B9.1 Approval of the change proposal

B9.1.1 The safety validation process should describe the arrangements for authorising the implementation of the change following successful completion of the safety validation process. Authorisation should normally be obtained from the Safety Authority specified in the process that has been applied to the safety validation of the change. For the majority of changes, the Safety Authority will be a senior representative of the company undertaking the change such as the Managing Director, a Functional Director or a Technical Specialist. Changes that require an acceptance of a material change in accordance with the Railways (Safety Case) Regulations 2000 or approval under the Railways and other Transport Systems (Approval of Works, Plant and Equipment) Regulations 1994 will also require authorisation from the HSE.

B9.2 Certification

B9.2.1 For all but the most straightforward of changes, a Certificate of Safety Validation should be issued and signed by the Safety Authority. Where the safety validation process does not require a Certificate of Safety Validation to be issued, a designated post holder should issue a letter of authority to the Sponsor to proceed with the implementation of the change.

B9.2.2 Where the safety validation process has involved an Independent Assessor sitting on the safety validation panel, it is normal practice for the Independent Assessor to also issue a Certificate of Safety Validation. The Independent Assessor should only complete a Certificate of Safety Validation when satisfied that the safety validation process has been completed in accordance with the specified procedure and that the objectives of the independent assessment have been satisfactorily achieved.

B9.3 Restrictions

B9.3.1 The Certificate of Safety Validation should include details of any restrictions associated with the change being introduced.

B9.3.2 The safety validation process would normally have been expected to identify any likely restrictions that would appear on the Safety Validation Certificate. Accordingly, these should have been documented in the safety validation documentation together with:

a) details of staff, contractors, suppliers, other duty holders and other affected stakeholders who need to be advised of the restrictions together with a description of the arrangements by which they will be advised

b) details of any company standards, procedures, etc that should reflect the restrictions.

B9.4 Implementation

B9.4.1 The change proposal should not be implemented until the Certificate of Safety Validation or other authority to proceed has been received by the Sponsor from the Safety Authority. Where a project Safety Case has been produced (see section B7.12), implementation of the change proposal should not occur until the Safety Case is endorsed or approved as appropriate.

B9.4.2 Where the change requires regulatory approval such as a material change to the duty holder's RSC or approval under the Railways and other Transport Systems (Approval of Works, Plant and Equipment) Regulations 1994, the change should not be implemented until the necessary authority has been obtained (ie the HSE performing the role of the Safety Authority).

B9.4.3 Where the implementation of a change is to be staged, a Certificate of Safety Validation should only be issued when each stage of the change has received approval from the Safety Authority.

B10 Records

B10.1 Retention of records

B10.1.1 All records of the safety validation documentation should be retained in accordance with the company's arrangements for the retention of records. Records should be retained for the purposes of:

a) monitoring and review

b) audit

c) providing guidance on future safety validations of change

d) enabling lessons to be learnt from the application of the safety validation process.

B10.1.2 The volume of records retained should be dependent on the level of safety validation applied to the change and accordingly, related to the degree of risk presented by the change.

B11 Monitoring and review

B11.1 Monitoring and review arrangements

B11.1.1 The safety validation process should include scope for assessing confidence in the successful implementation and management of the change process. The frequency and nature of the monitoring, audit and review undertaken should be proportionate to the degree of risk potentially introduced by the change.

B11.1.2 Output from audits, reviews and monitoring undertaken should be presented to the designated personnel and forums identified in company documentation, the safety validation documentation and if applicable, the duty holder’s RSC.

B11.1.3 The monitoring, audit and review arrangements should be able to determine that the new or revised control measures have been properly implemented and are effective. In addition, the arrangements should establish that the objectives verified in the safety validation process have been achieved.

B11.1.4 The safety validation documentation should detail:

a) the allocation of responsibilities for undertaking reviews

b) the periodicity of post implementation reviews.

B11.2 Performance indicators

B11.2.1 For certain types of change, where it is appropriate to do so, performance indicators and other critical success factors should be set in order to establish whether the predicted levels of safety performance associated with the implementation of the change are being achieved. Where monitoring identifies that the desired levels of safety performance are not being met, the process should allow for corrective actions to be taken in a timely manner in order to ensure the original safety objectives are achieved.

B11.2.2 Performance indicators and critical success factors should be set by the Sponsor and/or Project Manager (where appointed) before implementation of the change and in liaison with appropriate personnel and affected stakeholders.

B11.2.3 Depending on the complexity of the change, consideration should be given to setting performance indicators as part of the actual safety validation process.

Appendix A Change proposals that should be subject to safety validation

The following is a non-exhaustive list of the types of change that should be subject to safety validation. In addition, where there are mandatory requirements set out in Railway Group Standards concerning the safety validation of the type of change, details of the Railway Group Standards concerned are provided. This is to assist Railway Group members and their contractors and suppliers in identifying all requirements relating to the safety validation of a change proposal and to then enable them to consider how the contents of this Guidance Note can be used to enhance the robustness, effectiveness and delivery of the respective safety validation documentation and process. Some of these types of change proposal may require a material change to a duty holder's Railway Safety Case. Guidance is provided in GA/GN6510.

a) Types of train operated and geographical scope of operation:

   i) a change in the type of train operated by a duty holder, eg the operation of regular passenger, charter, freight, dangerous goods, parcels, special, on-track machine (OTM), road-rail vehicle (RRV) or rail mounted maintenance machine (RMMM) where the type of train has previously not been operated

   ii) a change to the geographical scope operated over by a duty holder, eg operation of passenger, freight, charter or OTM trains over a new route(s) or extending the geographical area of operation of RRVs or RMMMs on the national rail network

   iii) a change in the type of vehicle operated, eg the operation of electric or diesel traction, locomotive hauled rolling stock, multiple units, tilting trains, steam, power operated door, central door locking, selective or slam door, container, piggy-back, trainload, multipurpose vehicle, tamper where this type of vehicle has not been previously operated. Also, where a similar type of vehicle is operated but there are features about the new type of vehicle to be operated that require safety validation.

The following Railway Group Standards are also relevant:

GO/RT3270 - Route Acceptance of Rail Vehicles

b) Station operations:

   i) opening of a new station or significant design modifications at an existing station. Also, becoming the operator of a station that was previously operated by another station operator

   ii) significant changes in the operational arrangements at a station, particularly where the change would affect passenger flows or station evacuation arrangements, eg introduction or revisions to one way systems

   iii) changes to the arrangements for the despatch of trains from a station

   iv) significant changes to the arrangements for the operation of powered platform vehicles at a station or the introduction of such vehicles to a station for the first time

   v) introduction of automatic ticket gates (ATGs) at a station or an alteration to an existing ATG scheme

   vi) the introduction of new or significant changes to existing risks at a station, eg a station that is re-categorised as sub-surface, revised permissive working arrangements, changes to the arrangements for short platform working.

The following Railway Group Standards are also relevant:

GC/RT5161 - Station Design and Maintenance Requirements

c) Train operations:

   i) new or revised train loading patterns or new types of load to be carried by train, eg the carriage of dangerous goods

   ii) introduction of driver-only operation (passenger or non-passenger) or changes to existing driver-only operation schemes

   iii) new or significantly revised arrangements for train working or train preparation

   iv) new or revised arrangements relating to defective on-train equipment

   v) new or revised arrangements for the evacuation of passengers from a train

   vi) new or significantly revised arrangements for identifying, reporting and rectifying sites of low rail adhesion

   vii) new or significantly revised arrangements for controlling the risks associated with exceptional weather.

The following Railway Group Standards are also relevant:

GO/RT3271 - Driver Only Operation
GO/RT3356 - Identification, Reporting and Rectification of Conditions of Low Rail Adhesion
GO/RT3411 - Exceptional weather – Managing the risks
GO/RT3437 - Defective On-Train Equipment

d) Train timetable:

   i) significant changes to the train timetable including revised frequencies, stopping patterns, train routings, platform working and changes in the class of traction/rolling stock allocated to timetabled workings. This should encompass risks associated with high passenger loadings of trains

   ii) the effect upon the usage of existing assets such as track and structures as a result of timetable frequency changes or changes in the mix or type of traction/rolling stock operating over a particular asset

   iii) small, incremental changes to the train timetable affecting service levels over a period of time which amount to a significant change

   iv) significant changes in train regulation policy.

e) Funding

   Any significant change to the arrangements for the funding of safety policy, safety strategy, safety activities or safety systems and the provision of resources to enable these safety responsibilities and requirements to be delivered.

f) Legislation

   Any significant change in the requirements of health & safety legislation that have implications for safety and competence management systems.

g) Organisation:

   i) significant changes to the reporting lines, responsibilities and accountabilities of key post holders managing either safety activities or safety critical staff

ii)

significant changes in the resource levels of personnel undertaking safety critical work or in the resource levels of line managers or supervisors responsible for safety critical personnel. Also, significant changes in the resource levels of other posts within the organisation responsible for the management of safety activities, eg safety departments

iii)

the introduction of alliancing and partnering arrangements with contractors or suppliers and significant changes to alliancing and partnering arrangements

iv) the contracting out of key safety responsibilities, activities and services or bringing such responsibilities, activities or services back into the organisation where previously contracted out v)

a change in the holder of the franchise for a passenger train operator and also company take-overs where there might be implications for the continuing management of safety within the company

vi) organisational changes which involve a synergy between two or more organisations in the management of safety activities or responsibilities. The following Railway Group Standard is also relevant: GH/RT4003 - Safety Validation of Organisational Change h)

Competence and fitness: i)

significant changes in the competence, skill and experience requirements of personnel carrying out safety critical work and any post holder within the organisation who has key safety responsibilities

ii)

significant changes in competence management systems, including recruitment, selection, training, qualification, post-qualification, assessment, monitoring and briefing arrangements

iii)

significant changes in the arrangements for ensuring the fitness of personnel carrying out safety critical work

iv) significant changes in the location of personnel responsible for carrying out safety critical activities or in the location of persons responsible for the management or supervision of such personnel. The following is a non-exhaustive list of Railway Group Standards that are also relevant: GK/RT0101 - Competence Standards for Signalling and Telecommunications Staff


GO/RT3251 - Train Driving
GO/RT3255 - Train Working – Competence and fitness
GO/RT3259 - Competence and Fitness Requirements for Signallers and Crossing Keepers
GO/RT3260 - Competence management for Safety Critical Work
GO/RT3261 - Person in Charge of Possession (PICOP) and Engineering Supervisor (ES)
GO/RT3263 - Auxiliary Operating Duties
GO/RT3352 - Lookouts and Site Wardens
GO/RT3406 - Competence requirements for Safe Loading of Rail Vehicles
GH/RT4000 - Drugs and alcohol
GH/RT4004 - Changes in working hours – Safety Critical

i) Risk management

Significant changes in the risk assessment principles or methodologies applied within the organisation.

j) Safety or competence management system:

i) the introduction of a significant new standard, code of practice, guidance note, procedure or instruction that is to form an element of the safety or competence management system

ii) any significant change to the arrangements described in an existing standard, code of practice, guidance note, procedure or instruction that forms part of the company's safety or competence management system.

The following Railway Group Standards are also relevant:

GA/RT6001 - Railway Group Standard Change Procedures
GE/RT8004 - Local Operating Instructions

k) Assets, plant and equipment:

i) the introduction of a new asset, plant or equipment type

ii) any significant change to the frequency at which, or methods by which, an asset, plant or equipment is designed, manufactured or built, inspected, monitored, maintained, renewed, tested, repaired, replaced, etc

iii) any significant change in the division of responsibility for the management (including maintenance, repair and renewal) of assets, plant or equipment.

The following is a non-exhaustive list of Railway Group Standards that are also relevant:

GK/RT0007 - Alterations to Permissible Speeds
GK/RT0206 - Signalling and Operational Telecommunications Systems: Safety Requirements
GK/RT0207 - Signalling Design
GK/RT0208 - Installation of Signalling and Operational Telecommunications Equipment
GK/RT0209 - Testing and Commissioning of Signalling and Operational Telecommunications Systems
GK/RT0210 - Asset management for the Safety of Signalling and Operational Telecommunication Systems and Equipment
GM/RT1300 - Engineering Acceptance of Road-Rail Vehicles
GM/RT1310 - Design Requirements and Acceptance of Portable/Transportable Infrastructure Plant and Equipment


GM/RT2000 - Engineering Acceptance of Rail Vehicles
GM/RT2001 - Design Scrutiny of the Engineering Acceptance of Rail vehicles
GM/RT2003 - Certification Requirements for Registration of Steam Locomotives
GM/RT2004 - Requirements for Rail vehicle Maintenance
GM/RT2402 - Engineering Acceptance of Rail Mounted Maintenance Machines
GC/RT5011 - Switches and Crossings
GC/RT5014 - Track Standards for Ballast and Formation
GC/RT5021 - Track System Requirements
GC/RT5101 - Technical Approval Requirements for Changes to the Infrastructure
GC/RT5110 - Design Requirements for Structures
GC/RT5112 - Loading Requirements for the Design of Bridges
GC/RT5208 - Civil Engineering Requirements for Level Crossings
GI/RT7002 - Acceptance of Systems, Equipment and Materials for Use on Railtrack Controlled Infrastructure
GI/RT7003 - Management of Construction Work in the Operational Railway Environment
GI/RT7004 - Requirements for the Design, Operation and Maintenance of Points
GI/RT7006 - Prevention and Mitigation of Overruns – Risk Assessment
GE/RT8016 - Verification of Electrification Systems and Interactions
GE/RT8023 - Compatibility between Electric Trains and Electrification Systems

l) Procurement and contractors:

i) the contracting out of key safety activities such as the maintenance, modification, repair and renewal of assets, plant or equipment

ii) the contracting out of key safety services such as the training, assessment or monitoring of personnel undertaking safety critical work

iii) the contracting out of key safety responsibilities

iv) a change of contractor or supplier for a key safety activity or service

v) any significant change to the arrangements for the procurement of products, resources, services, assets, plant or equipment.

The following Railway Group Standard is also relevant:

GM/RT2450 - Qualification of Suppliers of Safety Critical Engineering products and Services

m) Interfaces:

i) new key safety interfaces or significant changes in the management of existing key interfaces, eg key interfaces between Railtrack and train and station operators or interfaces with principal contractors and suppliers

ii) significant changes to lease structures or obligations, eg between station operators and Railtrack on the matter of station leases or between train operators and Railtrack on the matter of depot leases or leases of other assets.

n) Operational premises


New or significant changes to existing operational premises, eg a new or modified depot, stabling location, signal control centre, electrification control room, or operations control centre facility.


o) Communication

New methods of communication or significant changes in existing communication arrangements.

The following Railway Group Standard is also relevant:

GO/RT3410 - Train Radio Communication

p) Information technology

New safety related information technology systems or significant changes to existing systems.

The following Railway Group Standard is also relevant:

GO/RT3435 - Management and Development of Railway Group Safety Related Computer Information Systems


Appendix B Safety plans and safety cases

1 Safety plan

1.1 Significant changes should be managed as a project. To support the project, the safety validation documentation (see section B7) should be incorporated within a Safety Plan. The size, scope and depth of the Safety Plan will depend upon the complexity of and the degree of risk presented by the change. The Safety Plan may be an evolutionary document, particularly for complex changes involving new or modified assets such as new or modified rolling stock, re-modelling of track layouts, re-signalling schemes or new or extensively altered structures such as tunnels, bridges or stations. Indeed, a Preliminary Safety Plan may be produced early on in the project, which sets out the risk assessment methodology and findings as part of the process for determining the safety requirements. As the project progresses, the Safety Plan would then incorporate the safety requirements.

1.2 The responsibility for producing the project Safety Plan should rest with the Project Manager (see section B6) although the Project Manager may delegate the task to suitably qualified and competent persons. On completion of the Safety Plan or as required during the project life cycle (for example, following revision to reflect new information), the Safety Plan should be presented to the appropriate Safety Authority (see section B9) for endorsement or approval.

1.3 The following information should be incorporated within the Safety Plan:

a) an introduction describing the aims, purpose, scope and structure of the Safety Plan

b) a description of and justification for the level of safety validation applied to the change

c) a description of the change

d) details of any safety principles underpinning the approach to safety

e) description of the stages of the project

f) a description of the key safety personnel involved with the project together with their key safety roles, responsibilities and competencies. It may also be necessary to identify the reporting lines between these key personnel. Roles and responsibilities associated with the safety validation process being carried out by contractors or suppliers should be identified together with an identification of the reporting lines for the management of contractors or suppliers. Where training is required to enable any of these key persons to carry out their roles and responsibilities, these training requirements should be identified in the Safety Plan

g) a description of the change proposal project life cycle that is being subject to safety validation


h) details of and justification for the risk assessment methodology adopted for determining the levels of risk associated with the change. The output of the risk assessment should include a statement of the significant hazards or hazardous events, the groups of persons at risk from each hazard or hazardous event, the overall levels of risk identified and the safety requirements and other preventative and protective control measures which will ensure risks have been reduced to as low as reasonably practicable

i) details of any standards, procedures, or other safety related documentation that requires to be produced or revised

j) the output of the safety validation process including completed issue logs and other safety assessments undertaken. This should include reports produced by an Independent Assessor where one has been appointed

k) details of any safety audits undertaken during the life cycle of the project

l) a description of the arrangements for ensuring that any activities or services being carried out or products produced by contractors or suppliers will meet the safety requirements of the change. The description provided may encompass the arrangements by which such contractors or suppliers have been qualified, whether there has been a requirement for contractors or suppliers to produce a Safety Plan, outputs from risk assessments undertaken by contractors or suppliers, whether safety audits or safety assessments have been undertaken on contractors or suppliers and monitoring the output of contractors' or suppliers' activities

m) identification of all relevant safety related documentation and safety related items

n) the arrangements for analysing the operation of the system, asset, plant or equipment, as appropriate to ensure compliance with all safety requirements

o) details of any restrictions concerning the operation of the system, asset, plant or equipment as appropriate

p) details of any safety engineering activities undertaken

q) the main engineering steps and tasks to be taken to reduce risk including details of methods used, verification (testing, inspection or review), validation and documentation that requires to be produced

r) identification of any safety related items which are external to the change being subject to safety validation (eg tools, equipment and components) and how the risks arising from such items have been identified and controlled to as low as reasonably practicable

s) the arrangements for gaining authorisation from the appropriate safety authority (see section B9).

Further detail on the content of a Safety Plan can be obtained from Engineering Safety Management Issue 3, Volumes 1 & 2, ‘Fundamentals and Guidance’ 'The Yellow Book'.


2 Safety Case

2.1 For complex changes, one of the levels of safety validation that may be applied is the requirement to produce a project Safety Case. Examples would be the build of a new or modification to an existing class of rolling stock, the building of a new or structural alterations to an existing station, an automatic ticket gating scheme at a large station, replacing an existing bridge with a new bridge, a re-signalling scheme, new safety critical software, or a major organisational change. This should not be confused with the requirements of the Railways (Safety Case) Regulations 2000, which require infrastructure controllers, train and station operators to have a Railway Safety Case accepted by the Health & Safety Executive. The project Safety Case should provide much of the evidence for safety that the Safety Authority (see section B9) requires to grant safety approval of the change proposal. The size of the Safety Case should depend on the degree of risk and complexity potentially introduced by the change.

2.2 Where it is intended to produce a Safety Case to support a change, the following guidance should be considered as part of the process for formulating and managing the Safety Case:

a) where a Safety Case is being produced, a Project Manager (see section B6.2.4) would normally have been appointed to manage the change. This person should remain responsible for ensuring that the Safety Case is prepared even if the task is delegated to another person or contracted out to a supplier to produce

b) certain change projects will require interim Safety Case submissions to be made to the Safety Authority

c) the stages at which the Safety Case should be submitted should be detailed in the project Safety Plan (see section 1 of Appendix B)

d) interim versions of the Safety Case may be submitted to the Safety Authority as the change project proceeds

e) the requirements of the Safety Authority endorsing or approving the Safety Case should be determined

f) consideration should be given to the users of a Safety Case when determining format and content, not just the Safety Authority to whom the Safety Case is submitted

g) the Safety Case should be modified over the life cycle of the project if the system is changed or new information becomes available

h) the Safety Case should reference supporting safety validation documentation where appropriate.

2.3 The content of a Safety Case should include all of the requirements identified for a Safety Plan shown in section 1.3 of Appendix B. In addition, depending on the nature of the change, the following should also be incorporated:

a) a technical safety report that should identify the technical principles, which assure the safety of the design of the system, asset, plant or equipment being subject to safety validation. Supporting evidence might include design principles, calculations, test specifications and associated results

b) a description of the arrangements for ensuring the correct functional operation of the system, asset, plant or equipment, routine maintenance, the effect of faults and operation with external influences (eg weather, vandalism, electromagnetic interference). Relevant safety features and alternative operating procedures should be described

c) specify or reference the rules, conditions and constraints which should be observed during the application or operation of the system, asset, plant or equipment

d) evidence of test activities carried out which demonstrate that each safety requirement has been met

e) references to any other Safety Cases upon which the Safety Case being developed for approval also depends.

Further detail on the content of a Safety Case can be obtained from Engineering Safety Management Issue 3, Volumes 1 & 2, ‘Fundamentals and Guidance’ 'The Yellow Book'.


References

Railway Group Standards and other Railway Group Documents

GK/RT0007 - Alterations to Permissible Speeds
GK/RT0101 - Competence Standards for Signalling and Telecommunications Staff
GK/RT0206 - Signalling and Operational Telecommunications Systems: Safety Requirements
GK/RT0207 - Signalling Design
GK/RT0208 - Installation of Signalling and Operational Telecommunications Equipment
GK/RT0209 - Testing and Commissioning of Signalling and Operational Telecommunications Systems
GK/RT0210 - Asset Management for the Safety of Signalling and Operational Telecommunication Systems and Equipment
GM/RT1300 - Engineering Acceptance of Road-Rail Vehicles
GM/RT1310 - Design Requirements and Acceptance of Portable/Transportable Infrastructure Plant and Equipment
GM/RT2000 - Engineering Acceptance of Rail Vehicles
GM/RT2001 - Design Scrutiny of the Engineering Acceptance of Rail Vehicles
GM/RT2003 - Certification Requirements for Registration of Steam Locomotives
GM/RT2004 - Requirements for Rail Vehicle Maintenance
GM/RT2402 - Engineering Acceptance of Rail Mounted Maintenance Machines
GM/RT2450 - Qualification of Suppliers of Safety-Critical Engineering Products and Services
GO/RT3251 - Train Driving
GO/RT3255 - Train Working – Competence and Fitness
GO/RT3259 - Competence and Fitness Requirements for Signallers and Crossing Keepers
GO/RT3260 - Competence Management for Safety Critical Work
GO/RT3261 - Person in Charge of Possession (PICOP) and Engineering Supervisor (ES)
GO/RT3263 - Auxiliary Operating Duties
GO/RT3270 - Route Acceptance of Rail Vehicles
GO/RT3271 - Driver Only Operation
GO/RT3352 - Lookouts and Site Wardens
GO/RT3356 - Identification, Reporting and Rectification of Conditions of Low Rail Adhesion
GO/RT3406 - Competence Requirements for Safe Loading of Rail Vehicles
GO/RT3410 - Train Radio Communication
GO/RT3411 - Exceptional Weather – Managing the Risks
GO/RT3435 - Management and Development of Railway Group Safety Related Computer Information Systems (See also GE/RT8054 Management of Shared Information Systems)
GO/RT3437 - Defective On-Train Equipment
GH/RT4000 - Drugs and Alcohol
GH/RT4003 - Safety Validation of Organisational Change
GH/RT4004 - Changes in Working Hours – Safety Critical


GC/RT5011 - Switches and Crossings
GC/RT5014 - Track Standards for Ballast and Formation
GC/RT5021 - Track System Requirements
GC/RT5101 - Technical Approval Requirements for Changes to the Infrastructure
GC/RT5110 - Design Requirements for Structures
GC/RT5112 - Loading Requirements for the Design of Bridges
GC/RT5161 - Station Design and Maintenance Requirements
GC/RT5208 - Civil Engineering Requirements for Level Crossings
GA/RT6001 - Railway Group Standard Change Procedures
GA/GN6510 - Guidance on Submitting Material Revisions to Railway Safety Cases
GI/RT7002 - Acceptance of Systems, Equipment and Materials for Use on Railtrack Controlled Infrastructure
GI/RT7003 - Management of Construction Work in the Operational Railway Environment
GI/RT7004 - Requirements for the Design, Operation and Maintenance of Points
GI/RT7006 - Prevention and Mitigation of Overruns – Risk Assessment
GE/RT8004 - Local Operating Instructions
GE/RT8016 - Verification of Electrification Systems and Interactions
GE/RT8023 - Compatibility Between Electric Trains and Electrification Systems

Other References

Engineering Safety Management, Volumes 1 & 2 - 'The Yellow Book'
Railways and other Transport Systems (Approval of Works, Plant and Equipment) Regulations 1994
Railways (Safety Case) Regulations 2000
