Safety Assessments for Waivers to Standards

Disclaimers:

  • This article is focused on safe systems engineering design for Railway Infrastructure assets and may not be applicable to other areas of use. It is a recommendation on steps to take in performing safety assessments for the purpose of a standard waiver. Usage of the content of this article will need to be assessed and applied by the reader for their own industry and at their own risk.
  • This article is focused on the application within Australia. Readers outside of this jurisdiction will need to assess its applicability within their own domains.
  • Opinions expressed in this article are my own and are not representative of any organisation or body.
  • This article is focused on the safety assessment within a waiver and does not cover all the considerations needed; this keeps the article to a reasonable length, although its philosophy also applies to considerations outside the safety assessment.

What are Engineering Standards?

To perform a safety assessment for a waiver to a standard, one must first understand what standards are, what they represent, and what purpose they serve.

Engineering standards are essential specifications that define the characteristics of railway assets, ensuring interoperability, safety, efficiency, and reliability across complex networks. These standards encompass a broad spectrum of interfaces, including physical, functional, performance, legislative, and strategic considerations, creating a holistic framework for railway development and operation. Examples include:

Systemic Physical Interface

  • Track Gauge: Standardised track gauges ensure compatibility between rolling stock and track infrastructure across different regions.
  • Rail Profiles: Standards define the dimensions and shape of rails, ensuring proper wheel-rail interaction and safe train operation.
  • Signaling Equipment Interfaces: Standards define the physical connections and mounting requirements for signaling equipment, ensuring compatibility between different manufacturers.
  • Rolling Stock Interfaces: Standards for couplings, buffers, and other interfaces ensure compatibility between different types of rolling stock.

Systemic Functional Interface

  • Signaling Protocols: Standards like ERTMS/ETCS define how signaling systems communicate with trains, ensuring safe and efficient train movements.
  • Communication Systems: Standards for railway communication networks (e.g., GSM-R) ensure reliable communication between trains, control centers, and other systems.
  • Control Systems Interfaces: Standards define how different control systems (e.g., for traffic management, power supply, or station management) interact and exchange information.

Performance Interface

  • Track Quality: Standards define acceptable tolerances for track geometry (e.g., rail alignment, level, and gauge), ensuring safe and comfortable train operation.
  • Signaling System Reliability: Standards define the required reliability and availability of signaling systems, minimizing the risk of signal failures and delays.
  • Power Supply Performance: Standards define the required voltage, current, and stability of the power supply system, ensuring reliable operation of electric trains.

Legislative Interface

  • Safety Regulations: Standards define specific requirements for safety critical components and systems, ensuring compliance with relevant safety legislation.
  • Accessibility Standards: Standards address accessibility requirements for passengers with disabilities, ensuring compliance with relevant accessibility legislation.
  • Building Codes: Standards for station buildings and other infrastructure elements must comply with local and national building codes, ensuring structural safety and accessibility.
  • Environmental Regulations: Standards may specify limits on noise emissions from trains or requirements for the use of environmentally friendly materials, demonstrating adherence to environmental legislation.

Strategic Interface

  • Promote Interoperability: National or international standards can be used to ensure interoperability between different railway networks, facilitating cross border train operations and creating a unified railway system.
  • Support Sustainability: Standards can be used to promote sustainable practices in the railway industry, such as reducing energy consumption or using recycled materials.
  • Define Asset Management Strategies: Standards for asset management can guide the maintenance, renewal, and upgrade of railway infrastructure assets, ensuring long-term performance and cost-effectiveness.

Essentially, standards are a product of baselined design and represent a Configuration State. They help with modularity of design and streamline repeatable work, i.e., if the requirements in the standard are met, there is no need to go back to first principles of design.

1. Performing the Safety Impact Assessment

As discussed above, the clauses of a standard have various objectives; therefore, not all waivers to standards have a safety impact. Nevertheless, all waivers must include an assessment of the safety impact to arrive at that conclusion.

In determining whether or not a waiver application has a safety impact, the following should be considered.

Direct Mitigation to a Standard Clause’s Rationale

Each standard clause exists to mitigate specific risks, whether related to safety, performance, regulations, or future planning. These clauses often have parameters with various components. By understanding the purpose and rationale of a clause, we can understand if there is a safety function and thus, understand the extent of the safety impact.

Understanding Safety Functions of a Requirement

The best way to address safety concerns when considering a waiver is to understand the standard clause itself. Examples of standard clauses and their purpose include:

  • The Rolling Stock’s Kinematic Envelope: This considers factors like speed, track curvature, gradients, track quality and construction tolerances to ensure safe operation.
  • Vertical Clearances: These account for the type of rolling stock, overhead structures, and other potential obstacles.
  • Gradient requirements: These consider factors like train type, maintenance needs, braking effectiveness, and travel times to ensure safe operation on inclines and declines.

Understanding the function of a standard clause is crucial to identifying potential safety impact (the safety function) and applicable mitigation actions.

For example, if a track clearance waiver reduces the clearance from 3 meters to 2.5 meters, one safety function of the 3-meter standard is mitigating derailment risks. To maintain safety, a potential mitigation could be installing guardrails to achieve a similar risk profile with the reduced clearance.

Understanding the safety function and its associated hazards helps determine the design solution for the waiver. Based on this understanding, one can then assess whether the waiver has a safety impact.

Using First Principles

If the reasoning or rationale behind a standard clause is unclear, the safety function must be derived. Standards often define requirements for how different parts of a system interact safely.

The following analysis should be conducted to identify the clause’s potential safety mitigation rationale.

  • System/Sub-system Hazard Analysis: Analyse the safety impact of physical system reliance on the clause
  • Functional Hazard Analysis: Analyse the safety impact of functional reliance on the clause
  • Interface Hazard Analysis: Analyse the safety impact of dependency across systems and functions of the clause
  • Operating & Support Hazard Analysis: Analyse the safety impact of operations, maintenance and Human Factors considerations on the clause

The analyses do not need to cover the entire system; focus on how the waiver impacts safety within the specific area of concern. Consider how far-reaching the consequences of waiving the clause might be.

Overall Goal: Understanding the Safety Impact

The objective of this step is to understand the safety function and associated hazards the standard clause addresses. This helps determine whether the waiver has a safety impact, and ultimately, the design solution for the waiver.

If the assessment is that there is no safety impact, then the above safety assessment constitutes sufficient due diligence.

If it is assessed that there is a safety impact, then the next stage of work is required.

2. Perform the safe So Far As Is Reasonably Practicable (SFAIRP) assessment

Once it is established that there is a safety impact and the safety functional requirement is known, the waiver solution must demonstrate safe SFAIRP.

Tailoring for Risk Appetite

The depth of due diligence rigour required will depend on the severity of the harm if the safety function fails. The concept of Fatality Weighted Injuries (FWI) may be used to determine the rigour required. This tailoring activity is dependent on the organisation's risk appetite.

It is recommended that a safety function failure with an FWI impact of 1 and above requires quantitative analysis to support the development of due diligence evidence. If the safety function failure has an FWI impact of less than 1, the rigour required may be reduced to qualitative assessment.

Development of Safe SFAIRP Due Diligence Evidence

In accordance with the Work Health and Safety Act 2011, Clause 18a and the Rail Safety National Law Act 2012, Section 47a, the following matters must be established to determine what is "reasonably practicable".

The likelihood of the hazard or the risk concerned occurring

Evidence required in the Safety Assessment:

  • Pre-solution likelihood: the likelihood of the safety hazard that the standard's clause mitigates, with the design not compliant with the standard.
  • Resultant likelihood: the likelihood of each such safety hazard if the solution is compliant with the standard.
  • Post-solution likelihood: the likelihood for each of the identified available and suitable ways (control options).

These points will help determine the safety benefit to support the Safety Cost Benefit Analysis (SCBA), if required. They can also be used to support the justification that the proposed solution is safer than, or has the same risk profile as, the standard-compliant solution.

The following tools may be used to facilitate the assessment:

  • Fault Tree Analysis (AS IEC 61025)
  • Analysis techniques for dependability – Event Tree Analysis (AS IEC 62502)
  • Reliability Block Diagrams (AS IEC 61078)
  • Historical Data - through Statistical Distribution Probability
  • Engineering Judgement - through Risk Assessments and structured workshops with participants with necessary experience and competency
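As an added worked example (not from the article), the three likelihood figures above evaluated with a small fault tree in Python, using the article's clearance-waiver scenario: the standard-compliant 3 m clearance, the reduced 2.5 m clearance with no added control, and the 2.5 m clearance with guardrails. Every event probability is a constructed illustrative number, and the tree structure, event names and helper functions (`probability`, `scenario_likelihoods`, `same_or_better_risk_profile`, `required_rigour`) are assumptions of this example, not figures or methods from any standard, operator or the article. The last function applies the FWI threshold from the "Tailoring for Risk Appetite" section to decide whether this quantitative treatment is required at all.

```python
"""Fault-tree comparison of pre-solution, compliant and post-solution likelihoods.

Constructed example: all probabilities are illustrative per-year values and
the tree is a deliberate simplification of the clearance-waiver scenario.
"""
from dataclasses import dataclass
from typing import Dict, Tuple, Union


@dataclass(frozen=True)
class BasicEvent:
    """Leaf of the fault tree: an independent event with a fixed probability."""
    name: str
    prob: float


@dataclass(frozen=True)
class Gate:
    """AND gate: every input must occur. OR gate: any one input suffices."""
    kind: str                 # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Evaluate the top-event probability, assuming independent basic events."""
    if isinstance(node, BasicEvent):
        return node.prob
    child = [probability(c) for c in node.inputs]
    if node.kind == "AND":
        p = 1.0
        for x in child:
            p *= x
        return p
    if node.kind == "OR":
        q = 1.0                      # P(no input occurs)
        for x in child:
            q *= 1.0 - x
        return 1.0 - q
    raise ValueError(f"unknown gate kind {node.kind!r}")


# Constructed basic events (illustrative numbers only).
TRACK_DEFECT = BasicEvent("track geometry defect causes lateral excursion", 6e-4)
STOCK_DEFECT = BasicEvent("rolling stock defect causes lateral excursion", 4e-4)
EXCURSION = Gate("OR", (TRACK_DEFECT, STOCK_DEFECT))

# Conditional events: given an excursion, is the clearance insufficient to avoid
# contact with the lineside structure? Reduced clearance raises this figure.
CONTACT_AT_3_0M = BasicEvent("3.0 m clearance insufficient", 0.2)
CONTACT_AT_2_5M = BasicEvent("2.5 m clearance insufficient", 0.8)
GUARDRAIL_FAILS = BasicEvent("guardrail fails to contain excursion", 0.2)

# The three likelihoods the safety assessment must evidence.
SCENARIOS: Dict[str, Node] = {
    "pre":       Gate("AND", (EXCURSION, CONTACT_AT_2_5M)),                  # 2.5 m, no control
    "compliant": Gate("AND", (EXCURSION, CONTACT_AT_3_0M)),                  # 3.0 m per standard
    "post":      Gate("AND", (EXCURSION, GUARDRAIL_FAILS, CONTACT_AT_2_5M)), # 2.5 m + guardrail
}


def scenario_likelihoods(scenarios: Dict[str, Node] = SCENARIOS) -> Dict[str, float]:
    """Top-event likelihood for each scenario."""
    return {name: probability(tree) for name, tree in scenarios.items()}


def same_or_better_risk_profile(post: float, compliant: float) -> bool:
    """True when the waiver solution is no less safe than the compliant design."""
    return post <= compliant


def required_rigour(fwi: float) -> str:
    """Article's tailoring rule: FWI of 1 and above needs quantitative analysis."""
    return "quantitative" if fwi >= 1.0 else "qualitative"


if __name__ == "__main__":
    lk = scenario_likelihoods()
    for name, p in lk.items():
        print(f"{name:>9}: {p:.3e} per year")
    print("post-solution matches compliant risk profile:",
          same_or_better_risk_profile(lk["post"], lk["compliant"]))
    print("rigour for a constructed FWI of 1.2:", required_rigour(1.2))
```

The comparison that matters for the waiver argument is the third line against the second: the guardrail brings the reduced-clearance design below the compliant design's top-event likelihood, which is the "same risk profile" justification the article describes. Swapping the constructed numbers for evidenced ones (historical data or workshop judgement, per the tools listed) is the actual assessment work.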


The degree of harm that might result from the hazard or the risk

Evidence required in the Safety Assessment:

  • Pre-solution severity: the severity of the safety hazard that the standard's clause mitigates, with the design not compliant with the standard.
  • Resultant severity: the severity of each such safety hazard if the solution is compliant with the standard.
  • Post-solution severity: the severity for each of the identified available and suitable ways (control options).

These points will help determine the safety benefit to support the SCBA, if required. They can also be used to support the justification that the proposed solution is safer than, or has the same risk profile as, the standard-compliant solution.

The following tools may be used to facilitate the assessment:

  • Failure modes and effects analysis (FMEA and FMECA) (AS IEC 60812)
  • Hazard and operability studies (HAZOP studies) – Application guide (AS IEC 61882)
  • Historical Data - through Statistical Distribution Probability
  • Engineering Judgement - through Risk Assessments and structured workshops with participants with necessary experience and competency


What the person concerned knows, or ought reasonably to know, about the hazard or risk

Rationales as identified in Step 1 above.

Impact Analysis identifying impacts on (where applicable):

  • assets (including interfacing between assets)
  • maintenance
  • operations
  • training
  • documentation
  • competency
  • tools and resources
  • safety implications, including any change to the risk of injury to the operational staff, customers and public
  • financial and lifecycle cost including initial cost, maintenance cost, disposal cost, economic life and renewal cost, etc.
  • other deviations in another multi-discipline area
  • other projects that interface with the project of interest (seeking the deviation)

The above points will help determine the safety benefit and cost of safety investment to support the SCBA, if required.

The following tools may be used to facilitate the assessment:

  • Structured Workshops
  • "Day-in-the-life-of" Analysis
  • Consultation
  • Risk Assessments
  • Market Research
  • Historical occurrences
  • Other industries
  • Australian Standards/International Standards
  • Industry publications, including scientific, academic and technical literature


Ways of eliminating or minimising the risk; and the availability and suitability of ways to eliminate or minimise the risk

Hazard control options assessment that includes:

  • Evidence that multiple control options were considered, both for availability and for suitability of each option.
  • At least one control option that eliminates the need for a waiver entirely. An assessment of whether this option is suitable shall be performed.
  • The effectiveness of the control option to mitigate the identified hazards.
  • Rejection of available and suitable options must be supported by valid justifications, not those listed as deficient in the article “Deficient justifications for controls or options rejection used in SFAIRP arguments”.

The following tools may be used to facilitate the assessment:

  • Structured Workshops
  • Consultation
  • Product specifications
  • Market Research


The cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk

Cost-effectiveness analysis by means of a SCBA is required if:

  • The proposed solution is less safe compared to the solution that is compliant to the standard.
  • An identified available and suitable way is rejected based on cost (the SCBA is used to support the justification for rejection).

Accountable organisations may have published the necessary processes to facilitate the assessment on whether the cost is grossly disproportionate to the risk. If the publication is available, it should be used. If there is no published process, then the following tools may be used to facilitate the assessment:


Low-probability, High-consequence Hazards

Low-probability, high-consequence hazards will need to be mitigated SFAIRP, unless the probability is so low that it is deemed insignificant, i.e., not reasonably foreseeable.

For an explanation of 'Reasonable,' 'Reasonably Foreseeable,' and 'Reasonably Practicable,' and their relationship, see the article "What is safe SFAIRP?".

Dr David Chessum

Principal - Systems Engineering and Safety Assurance at Egis in ANZ

2 weeks

"The concept of Fatality Weighted Injuries (FWI) may be used to determine the rigour required. This tailoring activity is dependent on the organisation's risk appetite." I'm not sure how you came up with the last element of that - unless you are talking about the organisation's appetite for legal risk! As a general rule, risk appetite relates to an organisations willingness to tolerate risk, and has nothing to do with determining what might - or might not - be SFAIRP.

Reply
Andy Petrie

Helping businesses ‘cut the BS’ and implement value for money processes for system-safety assurance.

2 weeks

Do any RIMs have a procedure that requires this? It seems excessive for a typical waiver (a.k.a. concession, derogation, etc.). When undertaking a risk assessment for a waiver the typical approach is to assess the risk associated with the degree of non-compliance to the standard, and then consider this against the reasons why the standard can not be complied with. This is usually straightforward. For example, if you need to extend a platform 20m for a longer train. The Standard requires a 3m wide platform, but due to physical constraints the extension can only be 2.5m wide. The risk assessment is on the difference between a 2.5m platform and a 3.0m platform width over that 20m distance, which is usually minor. If it is not practicable to make it wider than 2.5m (e.g. an existing building) then it’s a pretty simple risk assessment.

Ian Banks

Head of Human Factors at VLine

2 weeks

Great work Victor

Eva Narmina A.

Exemplar Global Certified SMS and Quality Auditor

3 weeks

Great article Victor Choo !

Greg Williams

Senior engineering manager, mentor and consultant.

3 weeks

Very helpful explanation of a key consideration of waivers of standards, with lots of cross references and hyperlinks. When is the book out Victor?
