Rob Davis & Paul Cheeseman

Technical Programme Delivery

International Engineering Safety Management

Systems Engineering and Systems Safety Engineering - A case study

Contents

• System Safety and Systems Engineering

• Case Study ESM roll out in Railways

• An introduction to iESM Handbook

– Aims

– What is in it?

Synergies & Differences

• Safety is an important emergent property

• Many similarities if done well – Formal process (eg requirements), competent people

etc

– A reliable working railway is usually a safe railway

• Some things are different or in conflict? – Failsafe or working?

– Deliver what we have time for or to a standard

– Formal acceptance?

What we have in common

• Getting projects to do anything

• Getting projects to do enough

• Getting projects to do it early enough

• Getting projects to use it to make early decisions

• Getting projects to do it right

• Helping the decision makers understand it

So ……. What can we learn ….

Drivers for Change - 1992

q Restructuring of the UK rail industry

q Accelerated rate of technological change

q Changes in legislation and regulation

q Advances in best practice • including emergence of CENELEC railway

application standards

Requirements in 1992 - UK Law

Health and Safety at Work etc Act 1974

s Management of Health & Safety at Work Regulations 1999

s Construction (Design & Management) Regs 1995

s Railways (Safety Critical Work) Regs 1994

s Railways (Safety Case) Regulations 1994

s Health & Safety Regulations 1992

Transport and Works Act 1992

s Railway and Other Transport Systems (Approval of Works, Plant and Equipment) Regs 1994

Requirements - Good Practice - 1992

q Engineering Council Code of Practice

q Hazards Forum Guidance for Engineers

q IEC 61508

q CENELEC Safety standards for railway applications

• EN 50126, Railway Applications: The Specification and Demonstration of Reliability, Availability, Maintainability and Safety

• prEN 50128, Railway Applications: Software for Railway Control and Protection Systems

• ENV 50129, Railway Applications: Safety Related Electronic Systems for Signalling

Requirements - 1992 - Business Objectives

q Formal process to do things right

q Minimise lifecycle costs

q Identifying issues early

Later requirements:

q Separate fundamentals from guidance

q Encouraging consistency and re-use

q Scaling with problem

“YB0” – early 1990’s

Network SouthEast

Signalling and Telecomms

“YB0” – early 1990’s Network SouthEast

Signalling and

Telecomms

“YB0” – early 1990’s

Network SouthEast

Signalling and Telecomms

YB1 -1996 UK Railtrack EE&CS

“YB0” – early 1990’s Network SouthEast

Signalling and

Telecomms

“YB0” – early 1990’s

Network SouthEast

Signalling and Telecomms

YB1 -1996 UK Railtrack EE&CS

YB2 -1997 UK Railtrack

“YB0” – early 1990’s Network SouthEast

Signalling and

Telecomms YB1 -1996 Railtrack

Electrical

Engineering

and Control Systems

YB2 -

1997 Railtrack

“YB0” – early 1990’s

Network SouthEast

Signalling and Telecomms

YB1 -1996 UK Railtrack EE&CS

YB2 -1997 UK Railtrack

YB3 -2000 UK Rail Industry

“YB0” – early 1990’s Network SouthEast

Signalling and

Telecomms YB1 -1996 Railtrack

Electrical

Engineering

and Control Systems

YB2 -

1997 Railtrack

“YB0” – early 1990’s

Network SouthEast

Signalling and Telecomms

YB1 -1996 UK Railtrack EE&CS

YB2 -1997 UK Railtrack

YB3 -2000 UK Rail Industry

YB4 -2005 Generic

“YB0” – early 1990’s Network SouthEast

Signalling and

Telecomms YB1 -1996 Railtrack

Electrical

Engineering

and Control Systems

YB2 -

1997 Railtrack

“YB0” – early 1990’s

Network SouthEast

Signalling and Telecomms

YB1 -1996 UK Railtrack EE&CS

YB2 -1997 UK Railtrack

YB3 -2000 UK Rail Industry

YB4 -2005 Generic

International Emerging

Good Practice

ESM - History “YB0” – early 1990’s Network SouthEast Signalling and Telecomms

YB1 -1996 Railtrack Electrical Engineering and Control Systems

YB2 -1997 Railtrack

YB3 -2000 Rail Industry

YB4 -2005 Generic

“YB0” – early 1990’s Network SouthEast Signalling and Telecomms

YB1 -1996 UK Railtrack EE&CS

YB2 -1997 UK Railtrack

YB3 -2000 UK Rail Industry

YB4 -2005 Generic

iESM -2013 International Handbook on Engineering Safety Management

International Emerging Good Practice

So what have we learnt so far?

• A sound theoretical basis is essential

– Something that really works

– Logical underpinning

• A strong commitment is essential

– Senior management

– Contractual

So what have we learnt so far? 2

• Problems blamed unfairly?

– It creates a paperwork mountain

– It will delay the project

– It is a new requirement

– It is not necessary

– It needs to be independent of the project

– It is out of date …..

So what have we learnt so far? 3

• Accessibility is important

– Appearance – It looks important

– Complex and scientific Plain English, but…

– Free Handbooks available on my desk

– Training

• Management & Practitioner & exam

– Correctly pitched principles/fundamentals

• that are so obvious no one can argue against them – even the boss or Project Manager!

So what have we learnt so far? 4

• Steering Group of Practitioners

– Practitioners are better than representatives

– Willingness to contribute

– Informed by experience

– Will to do things right

– Ambassadors to the cause

So what have we learnt so far? 5

• Good Practice vs Standards

• Advisory vs Mandatory

• Help not just requirements

• Informed by real users

• Boldly go where no one has gone before ….

• Then go there again …….

………. And don’t be talked in to withdrawing it!!

International ESM

• So over to Paul to say how we’ve done it this time ……….

iESM - Who is producing it?

• Dr Rob Davis – the originator of the risk-based safety engineering process in rail as part of the BR NSE quality system later published as “Yellow Book”. Established Yellow Book and the YB Steering Group (YBSG) and now chair of iESM WG.

• Paul Cheeseman – part of the BR team and the last chair of YBSG.

• Bruce Elliot – editor of the Yellow Book content throughout 1991 -2007 and iESM 2012-13

© TPD 2013

Guidance Development • Drafting by TPD as part of its R&D programme

incorporating: – Experience from EN50126/8/9 Standards

– UK Yellow Book

– Experience of system assurance, acceptance & ISA: • UK

• Mainland Europe

• Asia

• Australia

• Review by iESM Working Group of practitioners

iESM Working Group • Act as authority for iESM and

develop/support the creation of associated supporting materials);

• Facilitate the efficient and effective application of iESM;

• Promote and facilitate the exchange of ideas for good practice that are found in the world railway community and other relevant industries;

• Sponsored by MTR Corporation, Hong Kong.

© TPD 2012

iESM supporters Worldwide

© TPD 2012

iESM - Structure

Layer 1: Principles and Process

Volume 1

Layer 2: Methods, tools and techniques

Volume 2(Projects)

Further volumes to be

announced

Layer 3: Specialized Guidance

Application notes as required

Volume 0

iESM is more than a Handbook

www.intesm.org Website

iESM Overview

Training [1 day]

iESM ISA Training

[1 & 2 day]

iESM for Hazard Management

Training [1 day]

iESM

Application Notes

iESM User Group iESM Refresher /

Conversion [half day]

iESM Handbook

Volumes 0, 1, 2

Register of

Practitioners

iESM Working Group

More ….

Resources Training

iESM - What’s in? Emerging good practice

• Common Safety Methods for Risk Assessment have been mandated on parts of the railway by European Directives

• Recent EN50128 with focus on roles and competence

• New CENELEC EN50126 incorporating the former EN50128/9/155

• Guidance from RSSB UK “Taking Safe Decisions”

• Increasing use of“Cross Acceptance” fast track

• Increasing awareness and demand for a risk-based approach internationally especially in emerging economies

CENELEC Changes

EN50126:201x – The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS) Part 1 Generic RAMS process Part 2: Systems Approach to Safety Part 4: Functional Safety –EEP Electronic Systems Part 5: Software

EN50126 EN50128 EN50129 EN50155 and more

iESM - What’s out?

• Bias towards any one legal system or regulatory framework (e.g. requirement to reduce risk ALARP)

• Known deficiencies and poor practice e.g. using risk matrices as a sole method for risk acceptance

• Templates, checklists, techniques etc to layer 3

• Explicit consideration of maintenance activities – (temporary)

• English spellings!

iESM - Overview #1 DEFINITION

Planning safety activities

Defining the scope

Determining safety obligations,

targets and objectives

To RISK ASSESSMENT

RISK ANALYSIS

Identifying hazards

Applying standards

Comparing with a reference system

Estimating risk explicitly

EstimatingRisk

To RISK EVALUATION AND CONTROL

1. Estimating risk by applying standards

• The standard shall at least satisfy following requirements: – be widely acknowledged in railway domain. If not

the case, the standard will have to be justified; – be relevant for control of considered hazards in

system under assessment; – be publicly available for all who want to use it.

IEEE1474 – thank you

Standards - example

• Station lighting – dazzle / distraction to drivers

© TPD 2013

2. Estimating risk by comparing with a reference system

• A Reference System shall at least satisfy following:

– it has already been proven in-use to have an acceptable safety level and would still qualify for acceptance where change is to be introduced;

– it has similar functions and interfaces as system under assessment;

– it is used under similar operational conditions as system under assessment;

– it is used under similar environmental conditions as system under assessment.

Reference system - example

• Mind the gap

© TPD 2013

3. Estimating risk by explicit risk estimation

• The need for the use of an explicit risk estimation could typically arise:

– when the system under assessment is entirely new, OR

– where there are deviations from a Standard or a Reference System, OR

– when the chosen design strategy does not allow the usage of a Standard or similar Reference System because e.g. of a wish to produce a more cost effective design that has not been tried before

iESM Overview #2

RISK CONTROL

Preparing a cross acceptance argument

Setting safety requirements

Compiling evidence of safety

No

Obtaining approval

Evaluating risk

Monitoring risk

Implementing and validating control measures

Is risk acceptable?

Is evidence adequate?

Yes

Yes

No

FROM RISK ANALYSIS

Conflicting Safety Requirements

© TPD 2013

iESM & CENELEC

© TPD 2013

iESM Definition

iESM Risk Control

Re-application of iESM

iESM Risk Analysis

iESM - Technical Support Processes

• Managing hazards

• Independent assessment

• Configuration management & records

iESM - Team Support Processes

• Managing safety responsibilities

• Promoting a good safety culture

• Building & managing competence

• Working with suppliers

• Communicating and co-ordinating

iESM - Business benefits

• Identifying risks early – Integrate with financial approval

• Encouraging consistency and re-use

• Integrating diverse approaches

• Scaling with the problem – an integrated approach

• Empowering project managers and supporting users through a common approach and common “language”

$

Time

Incurred

Committed

iESM - Summary

• Is advisory, not mandatory; • Provides good practice guidance and will continue to

reflect emerging good practice; • Is applicable in an international market; • Supports use of CENELEC standards and Common

Safety Methods (CSM) for risk assessment, with practical, cost-effective advice;

• Assists in discharging legal & professional obligations; • Is guided by an international Working Group of

practitioners and supporters.

www.intesm.org

..and finally

“There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction.“

John F. Kennedy

robert.davis@tpd.uk.com

paul.cheeseman@tpd.uk.com

Training Status

• Newly trained 25

• Conversion/Refresher trained 25

• Training bookings 35

• Practical Course – ready for booking

Competence

• Up to date Domain knowledge – empirical & scientific

• Experience of application

• Drive and motivation to achieve the goals and to strive for betterment/excellence

• The ability to perform the requisite tasks efficiently and to minimise wastage of physical and virtual resources

• Ability to adapt to changing circumstances and demands by creating new know-how to get the job done

• Education & Training

• Experience levels

• Improvement

Competence Categories

• iESM Aware

• iESM Certified

• iESM Practitioner

• iESM Expert Practitioner

Competence Management Group

• To develop and oversee the competence management and iESM Competence management & registration arrangements for iESM

Competence Management Group

• On behalf of iESM WG:

– iESM Working Group Chairman

– iESM Working Group Member from a Railway Client organisation

– iESM Working Group Member from a Supplier organisation

– iESM Secretariat

iESM Competence

• Current & Up to date

• Different levels – to allow competence progression

• Register to be available via Website

Future Developments - Guidance

• Hazard checklists

• Document Outlines

• Tools & Techniques

• Maintenance

• ISA

• HF

• Specific More detailed guidance eg Hazard Id

Future Developments - Training

• ISA Course

• Specific activity based courses eg Hazard Id & Establishing a Hazard Log

A final thought

Absolute safety is not achievable in the real world and therefore success relies on two fundamentals:

1) good processes, and 2) good people;

such that when there is a problem or failure in one, the railway can be sustained by the other.