The importance of the Train Operator's Safety Case in securing operational safety

Roderick I Muttram FREng

4Insightth


Operations are at the heart of an effective and safe railway

• Successful operations rely on three elements:
– Competent People
– Clear and effective tools and processes (including Standards)
– Well designed and well maintained equipment

• All three elements are needed; the best equipment in the world will fail if not used correctly, but really competent people can sometimes compensate for deficiencies in the other areas – so it is worth investing in people development

UK History

• UK response to 91/440 EC involved break up and privatisation of British Rail


UK History

Rolling Stock Leasing Companies

Many other maintenance and service companies

20+ Franchise operators

Why a safety case?

• Many European Railways have reorganised, responsibilities have been moved and many new organisations have entered the industry

• A Safety Case is a way of documenting, and thus facilitating the verification of, an organisation’s safety management system to ensure it meets minimum requirements

• The Safety Case should provide a structured argument, supported by evidence, to deliver a comprehensive, compelling, clear and valid case that a system (either technical or operational) is safe in a given environment and taking into account all of its interfaces

• It is an essential part of managing safety where ‘goal setting’ rather than ‘prescriptive’ standards are used

Advantages of the approach

• Makes the organisation ‘think through’ all of its safety arrangements

• Allows partners and the Regulator to check that all the key elements of the operator’s safety management system are present and implemented effectively

• Standards compliance and interpretation can be monitored and feedback gained to allow Standards development

• Enables alignment between the safety arrangements of different involved organisations (e.g. different operators using the same track and stations, infrastructure managers)

• Allows a small number of really competent and experienced staff at the Regulatory body (and/or its advisors) to have a wide influence on safety improvement – a ‘force multiplier’

Arrangements for Verification and Validation

• Safety case acceptance normally involves an independent competent body of some kind (often a Regulator) which not only approves the organisation’s safety case but regularly audits compliance

• Following railway restructuring in 1994 the UK Operator’s safety cases were first approved by Railtrack as the ‘Infrastructure Controller’, then by Railway Safety as an independent body and then (from 2003) by the Office of Rail Regulation (a government body)

• The ‘reporting line’ really does not matter as long as those carrying out approval and audit are competent and reasonably independent and the link to Standards development is present – most of the benefit comes from the rigour of the process

What should be in an Operator’s Safety Case?

• There is no one template

• It is vital that the case is developed based on specific circumstances rather than being ‘cut and paste’

• There is a lot of guidance available from open sources through the internet but much relates to ‘Technical Safety Cases’ so care is needed in what is used

• Information relating to the content of safety management systems is much more useful in providing a check that all aspects have been covered

• The Safety Case needs to be detailed and should relate to specific locations and assets

Useful Guidance from the ERA

• As the EU Directives have developed through the later Interoperability Directives and the Railway Safety Directive, Europe has moved somewhat back towards a more prescriptive approach to ensure commonality and free access between member states

• The Safety Directive brought in the Common Safety Method (CSM) and Common Safety Targets (CST)

• Through a common structured process, including a requirement for independent assessment, the CSM is intended to:

a) provide assurance that, when significant changes are proposed, safety levels are at least maintained, and, if reasonably practicable, improved

b) facilitate the access to the market for rail transport services through harmonisation of risk management processes.

• Whilst these techniques may not be wholly applicable in China the overall guidance on safety management systems on the ERA website is useful


The ERA Safety Wheel


http://www.era.europa.eu/tools/sms/Pages/default.aspx

The key elements (a personal view)

Competence Management

• Need a clear system which should include
– An assessment of all roles to determine the skills and competences needed – formalised role descriptions – is the work content deliverable?
– A process for evaluating people’s capability to fulfil the role – do they have the necessary physical and mental characteristics to be able to become competent and do the job well?
– An appropriate training and/or education package for each role
– An effective competence assessment system
– A process for ongoing regular re-assessment and re-training if required – competence maintenance

Competence

• Clearly driver training is very important but so are the other systems and processes that support them

• Human factors must be recognised
– Human beings are error prone
– Environment, systems and processes can reduce or enhance the probability of error
– Need to ensure the overall system is robust

Contingency/Emergency Plans

• Such plans
– Should be appropriately detailed and location specific (not just high level and generalised)
– Should cover all credible ‘what ifs’ however remote
– Individual staff should know their roles and practise them regularly
– Roles should all be ‘covered off’ in the event of any absences

Contingency/emergency plans (2)

• Stations are a key part – individual plans for each station should cover:
– Fire and smoke
– Environmental incidents – high wind, flooding, earthquake
– Overcrowding due to disruption of service or from any other cause
– Power/systems failures
– Passenger flows/behaviour/panic under all of the above scenarios and combinations of them; some areas merit special attention

Contingency/emergency plans (3)

• All Doors and exits
• Ticket barriers
• Escalators
• Underground areas

• Train evacuation and management plans for incidents on track
– Need clear instructions for managing on-board failures of safety and safety related equipment
  – Train protection systems
  – Public address
  – Lighting
  – Radio
  – Brakes etc
– Procedures for evacuating trains in remote areas
– Management of severe overcrowding

Contingency/emergency plans (4)

The risk of not having clear failure management

Southall, West London, 19th September 1997. High speed train collided with crossing freight train. Seven people died. Automatic warning system in driver’s cab defective. Alternative ATP not used, opportunity to turn train not taken. Rules and standards at the time did not require any specific action for failure of the system concerned except in fog.

Vehicle Interiors/windows

• In a number of UK rail accidents fatalities have been recorded due to passengers being thrown through windows or falling onto broken windows when the train has derailed onto its side and is still moving

• Current UK standards therefore require laminated (shatterproof) glass in all carriage side windows except at the ends

• Instances of single leaf carriage end doors being too heavy to open when the train is on its side have led to double leaf designs being adopted

• Interior designs have been examined for sharp corners and impact points that could produce injuries under sudden deceleration

• Aviation industry experience was used to look at ‘pinch points’ in interior design

Aviation experience

On 22nd August 1985 a British Airtours Boeing 737 suffered an uncontained engine failure and aborted its take off. The plane pulled off onto a taxiway where a light wind blew the subsequent fire against the fuselage. 53 passengers and 2 crew died, mostly from smoke inhalation

• The exit and evacuation process came under scrutiny and it became clear that below a certain width major problems can occur with exits becoming jammed by two or more people attempting to exit at once in a panic situation

• Research by Professor Helen Muir at Cranfield University in the UK led to significant mandatory changes in emergency exit design

• Professor Muir also advised on railway carriage design after the accident at Ladbroke Grove in the UK and this is incorporated into current UK standards - gangways/openings of less than 30 ins (0.75 metres) in width should be avoided.

• Consideration should be made in contingency plans as to how carriages can be evacuated when they are not in their normal orientation.

What happens in a derailment?

Maintenance

• Good maintenance is essential to maintaining equipment/asset performance.

• Where maintenance is carried out by an organisation different to the operator, scope and responsibilities must be very carefully defined

• A comprehensive asset register and maintenance records should ensure maintenance tasks are not missed

• In particular the boundary between maintenance and renewal requires great care – if renewal falls outside the maintenance organisation’s responsibility there is an incentive to neglect assets and push them into requiring renewal (In the UK Network Rail took much track maintenance back ‘in-house’ because of this issue)

Maintenance (2)

• Whether the maintenance organisation is separate or integrated, excellent feedback from the field to the maintainers is essential

• The maintenance arrangements for new equipment must be carefully designed, not ‘force fitted’ to existing processes

• Trends and sudden changes are both important in detecting emerging risks

• There is a place for engineering judgement but standards are also important

• The arrangements for decision making and escalation should be clearly defined and set out in the safety case


Examples

Bexley, UK, 4th February 1997

Eschede, Germany, 3rd June 1998

Organisational Change

• When organisational change occurs it is essential to ensure that all safety responsibilities are properly re-assigned so that none are ‘lost’.

• An organisational change management process should include:

a) Definition of the extent of the change being made

b) Preparation of disposition statements indicating where the safety responsibilities are transferred from one job description to the job description of the new role

c) Checking that the new job roles specify the correct competency levels for the safety functions that have been transferred

d) Carrying out a risk assessment commensurate with the scale of the change to determine the potential impact of the change and that adequate mitigation measures have been put in place. A possible risk assessment approach for a significant organisational change is presented in the Appendix to this guidance.

e) Recording and maintaining the outputs of the risk assessment in a hazard record

f) Establishing the go-live criteria that need to be achieved before the organisational change is implemented

g) Documentation of records relating to (a) to (f) above

Audit

• Compliance with the commitments given in the Operator’s Railway Safety Case should be regularly audited by independent, competent auditors

• Who those auditors work for is not particularly important provided they are competent and empowered to identify issues

• The audit reports must not be just ‘filed away’ but should be a key tool for ensuring on-going compliance and identifying improvements to processes, Standards and skills


Santiago de Compostela

• High speed derailment in Spain on 24 July which killed 79 people and injured around 140

• Train was a Talgo 250 ‘dual’ which is capable of running on overhead line or under its own power using generators in two intermediate ‘technical cars’ – it is also a dual gauge train that can run on 1435mm and 1668mm (classic Iberian) tracks


Santiago de Compostela (2)

• The accident is still under investigation but we know:
– The train was travelling too fast; circa 153km/hr when entering an 80km/hr speed restricted bend
– The train emergency brake had been applied and it was braking from a higher speed of circa 195km/hr
– The train had recently left an ERTMS level 1 area where there was speed supervision and entered an area fitted only with the older Spanish ASFA system which had train stops but only speed warnings, not speed supervision
– It appears at the time of the accident that the driver was talking on the phone to his control about his routing
– The driver has been charged with 79 counts of homicide by professional recklessness

Santiago de Compostela (3)

• Some issues that still need to be considered:
– Human Factors:
  • Why was speed supervision ended just before such a critical permanent speed reduction rather than after it (system design)?
  • Why was the control talking to the driver whilst he was driving the train on anything other than an urgent operational control matter?
– Technical:
  • The derailment seems to have initiated at the interface between the coaches and the Technical Car rather than by pure overturning so the stability of the Talgo 250 Dual under emergency braking needs to be re-checked

Conclusion

• An Operator’s safety case is a good way of documenting and allowing the verification of an operating organisation’s safety management system

• I have outlined some of what I consider to be the most important features and why – what I have covered is by no means exclusive

• All of the operational arrangements need to be regularly exercised/practised so staff become familiar with them

• The approach complements risk based, goal setting Standards allowing interpretation and implementation to be monitored and promoting improvement by feedback from the field

Thank you for your attention
