Recent investment into UK rail infrastructure has prompted a boom in construction and related industries. With new recruits entering the rail industry, Adam Wilson provides an overview of one of the most significant rail safety legislation changes in recent times.
With Network Rail looking to invest £37.5bn in the UK rail infrastructure over the coming years and Crossrail already channelling £17bn into what is Europe’s largest infrastructure project, the rail sector is undergoing a huge transformation, characterised by a spurt in construction and other related activities.
At the same time, this high hazard industry faces a skills shortage, as individuals and companies enter the sector anew. We therefore need a brief introduction to the complex framework for railway safety legislation, as it applies to infrastructure projects and the construction industry.
European Commission regulations (unlike European directives) become enforceable without national legislation transposing them into UK law. Commission Regulation (EC) 402/2013, or the Common Safety Method for Risk Evaluation and Assessment (CSM REA), is the safety method that most in the construction rail industry will come into contact with.
CSM REA, which has applied widely since mid-2012, provides legal obligations and a mandatory framework for the evaluation and assessment of risk arising from engineering, operational and organisational changes to the railway.
The CSM REA places duties onto the proposer, who is also likely to be a duty holder under the Railways and Other Guided Transport Systems (Safety) Regulations 2006 (ROGS), or Railways (Interoperability) Regulations 2011 (RIR).
Unlike the CDM Regulations (for example), it does not place duties onto the non-railway system supply chain (beyond co-operation), but it does place duties on manufacturers of assets to be placed on to the railway, such as trains or signalling equipment.
In the regulation itself, and on page six of the Office of Rail Regulation (ORR) guidance, it states that, “Other bodies in the rail sector – such as suppliers and service providers – may need to participate in the [CSM REA] process. This involvement should be coordinated by the proposer, possibly supported by contractual arrangements”.[1]
Crossrail, which I believe has been leading the industry on the implementation of CSM REA, has made it a contractual requirement for its suppliers (consultancies and design and build contractors) to provide engineering safety management services to implement the requirements of CSM REA onto its projects.
For readers familiar with the designer duties under the CDM Regulations 2007, there appears to be common ground with CSM REA. While there is some overlap in scope of application, compliance with the CDM Regulations is unlikely to meet the requirements of the CSM REA.
For those supply-chain organisations engaging in engineering or design, it would be prudent to review their contract to check for additional tasks and obligations, and possibly the insurance implications.
CSM REA defines the scope of its application widely, covering all “significant changes to all railway subsystems, significant changes to the operation of the railway, and significant organisational changes that could impact on the operating conditions of the railway system” (see table 1 above).
For any change to the railway that meets the significance criteria, the starting point of the CSM REA process is the creation of the system definition. This is a living document that will be updated through the risk management process and should define:
a) system objective, e.g. intended purpose;
b) system functions and elements, where relevant (including e.g. human, technical and operational elements);
c) system boundary, including other interacting systems;
d) physical (i.e. interacting systems) and functional (i.e. functional input and output) interfaces;
e) system environment (e.g. energy and thermal flow, shocks, vibrations, electromagnetic interference, operational use);
f) existing safety measures and, after iterations, definition of the safety requirements identified by the risk assessment process;
g) assumptions which shall determine the limits for the risk assessment.
The second stage is called hazard identification and should identify all reasonably foreseeable hazards for any change as defined in the system definition.
CSM REA does not explicitly define how the proposer should perform this hazard identification, but it suggests that established methods are still valid. These include:
- structured brainstorming;
- hazard identification studies (HAZIDs);
- checklists, task analysis, hazard and operability studies (HAZOPs); and
- failure mode and effects analysis (FMEA).
The identified hazards must be added to a hazard record.
Next, a filtering exercise (hazard classification) is performed to identify those hazards whose risks are insignificant or negligible and therefore require no further analysis. For each remaining hazard a determination is then made as to which one (or more) of the three risk acceptance principles (RAPs) shall be applied to generate safety requirements and safety measures (see box A, right).
If the identified hazard is too broad in scope or it is difficult to apply a RAP, then it may be a top hazard and require further analysis to identify sub-hazards. In the UK, we can choose between (with no hierarchy or preference) the RAPs. Once the appropriate RAP has been applied, the project must implement the identified safety requirements and measures, and record the evidence that these have been implemented.
The proposer manages the hazard record throughout the design and implementation of the change. Once the change has been accepted, the hazard record is handed over to the infrastructure manager to manage the hazards over the life of the asset. The EU goal is that the hazard record, once embedded in the industry, will become a useful data source for the application of the RAP on reference systems.
The hazard record should record:
- all identified hazards (including origin);
- the safety measures and system assumptions (from the risk assessment);
- which RAP is being applied; and
- who owns the hazard (the actor responsible).
The Rail Safety and Standards Board (RSSB) has provided a template for a hazard record in its guidance documents, and it is not dissimilar to the hazard log, for those familiar with engineering safety management and the ‘yellow book’.
In addition to the hazard record, assurance evidence (documentation) is required to record the application of the risk management process, including:
- a description of the organisation and the experts appointed to carry out the risk assessment process;
- the results of the different phases of risk assessments;
- a list of the safety requirements generated from that process to meet the chosen RAP;
- evidence that the design and implementation complies with the safety requirements; and
- the relevant assumptions for system integration, operation or maintenance.
In practice, most organisations will probably combine the additional documentation and evidence into the hazard record, or at least signpost it from there (as evidence) to their document management system.
CSM REA requires the proposer to appoint an assessment body (AsBo or AB), whose role is to perform an independent assessment, both of the suitability of the application of the risk management process (as defined by CSM REA), and of the outputs.
The assessment body will produce a formal assessment report that will form part of the decision to accept the changed system, and/or as part of a submission to the ORR for safety authorisation where RIR 2011 also applies.
Adam Wilson was associate director of WSP UK at the time of the article’s submission.
Reference:
- http://orr.gov.uk/__data/assets/pdf_file/0006/3867/common_safety_method_guidance.pdf
Further information:
CSM REA: RISK ACCEPTANCE PRINCIPLES
Codes of practice
A deterministic method to assess and demonstrate the safety of a design/product and its implementation against (compliance with) publicly available codes of practice. These codes must be accepted in the railway industry, and be relevant to the control of the specific hazard. Examples include Technical Specifications for Interoperability (TSIs), Notified National Technical Rules (NNTRs), Notified National Safety Rules (NNSRs), ATOC standards, Network Rail standards and railway-specific British standards.
The proposer needs to demonstrate (with evidence) that the codes address the particular hazards identified, and that the codes have been successfully implemented. It is implicit that a code of practice is an authoritative example of good practice, which in the UK is often a means of determining whether a risk has been reduced so far as is reasonably practicable. Where compliance with a code is only partially achieved, the proposer must further demonstrate that the level of safety is not reduced below the level that full compliance would have achieved. This might require the use of one of the other RAPs.
A comparison with a reference system(s)
A reference system can be used to determine the safety requirements for a similar system, on the understanding that if an existing system has been accepted as safe enough, then a similar system should be acceptable provided it offers at least the same level of safety for the same types of hazard.
To use this method, the proposer must demonstrate that the reference system has been proven in use and has an acceptable safety level; that it is being used under similar functional, operational and environmental conditions; and that it has similar interfaces.
While this approach appears to be less onerous, even where operational safety and reliability data are available, the absence of safety failures during operation of a highly reliable or complex system is unlikely to be a satisfactory justification that the reference system has an acceptable level of safety.
The ORR suggests that evidence may be required that engineering safety management was applied in the design and implementation of the reference system. For any hazards not addressed by the reference system, one of the other RAPs will have to be applied.
Explicit risk estimation (assessment)
A qualitative or quantitative (or hybrid) risk assessment must be used if the hazards cannot be assessed as acceptably safe using the other RAPs. The resulting estimated risks shall be evaluated using risk acceptance criteria (RAC); in the UK this means that risks should be reduced ‘as far as is reasonably practicable’.
CSM REA defines a failure rate (the RAC for technical systems, RAC-TS) for those technical systems which cannot be demonstrated as safe by the other two RAPs and where there is a credible direct potential for a catastrophic consequence. The failure rate is given as 10⁻⁹ per operating hour, at which point no further risk reduction is required, unless required by a TSI, NNTR or NNSR.
All risk assessments are required to reflect correctly the system under assessment and its parameters (all its operating modes). The results are required to be ‘sufficiently accurate’ to support robust decision making, and minor changes in input assumptions and variables shall not significantly change the assessment output.
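The hazard record workflow described in the main article (classification, RAP selection, safety requirements with evidence, handover to the infrastructure manager) together with the RAC-TS check from the box above, written here as an added illustration rather than any tool from the article, Crossrail or RSSB. The record fields, the sample hazards and the evidence references are constructed assumptions; a real record would carry the project's own identifiers.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional
class RAP(Enum):  # the three CSM REA risk acceptance principles (no hierarchy between them)
    CODE_OF_PRACTICE = "code of practice"
    REFERENCE_SYSTEM = "comparison with a reference system"
    EXPLICIT_RISK = "explicit risk estimation"
RAC_TS = 1e-9  # CSM REA failure rate per operating hour for catastrophic technical systems

@dataclass
class Hazard:  # one entry in the hazard record (fields are an assumed layout)
    ident: str
    description: str
    origin: str   # where the hazard was identified (HAZID, FMEA, site walkover, ...)
    owner: str    # actor responsible for the hazard
    negligible: bool = False
    rap: Optional[RAP] = None
    requirements: List[str] = field(default_factory=list)   # safety requirements / measures
    evidence: Dict[str, str] = field(default_factory=dict)  # requirement -> evidence reference
    assumptions: List[str] = field(default_factory=list)    # limits of the risk assessment
    catastrophic: bool = False
    failure_rate_per_hour: Optional[float] = None

def classify(hazards: List[Hazard]) -> List[Hazard]:  # negligible hazards need no further analysis
    return [h for h in hazards if not h.negligible]
def open_items(h: Hazard) -> List[str]:  # gaps that block acceptance of the change
    gaps = []
    if h.rap is None:
        gaps.append("no RAP selected")
    if not h.requirements:
        gaps.append("no safety requirements")
    gaps += [f"no evidence for: {r}" for r in h.requirements if r not in h.evidence]
    if h.rap is RAP.EXPLICIT_RISK and h.catastrophic:  # RAC-TS applies only here
        if h.failure_rate_per_hour is None:
            gaps.append("no failure rate estimated")
        elif h.failure_rate_per_hour > RAC_TS:
            gaps.append("failure rate above RAC-TS")
    return gaps

def handover_report(hazards: List[Hazard]) -> Dict[str, List[str]]:  # for the infrastructure manager
    return {h.ident: open_items(h) for h in classify(hazards)}
SAMPLE = [  # constructed hazard record, not real project data
    Hazard("H1", "Derailment from track geometry fault", "HAZID", "Track designer", rap=RAP.CODE_OF_PRACTICE,
           requirements=["Geometry to NR standard"], evidence={"Geometry to NR standard": "Design check DC-001"}),
    Hazard("H2", "Wrong-side interlocking failure", "FMEA", "Signalling designer",
           rap=RAP.EXPLICIT_RISK, catastrophic=True, failure_rate_per_hour=5e-10,
           requirements=["SIL 4 interlocking"], evidence={"SIL 4 interlocking": "Safety case SC-7"}),
    Hazard("H3", "Trip hazard in cess walkway", "Site walkover", "Contractor", negligible=True),
    Hazard("H4", "Platform-train interface stepping gap", "HAZID", "Station designer"),
]
```

Running `handover_report(SAMPLE)` shows H1 and H2 closed, H3 filtered out at classification, and H4 still open for both a RAP and safety requirements.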