320 likes | 471 Views
The importance of the Train Operator's Safety Case in securing operational safety. Roderick I Muttram FREng. 4. th. Insight. Operations are at the heart of an effective and safe railway. Successful operations rely on three elements: Competent People
E N D
The importance of the Train Operator's Safety Case in securing operational safety Roderick I Muttram FREng 4 th Insight
Operations are at the heart of an effective and safe railway • Successful operations rely on three elements: • Competent People • Clear and effective tools and processes (including Standards) • Well designed and well maintained equipment • All three elements are needed; the best equipment in the world will fail if not used correctly, but really competent people can sometimes compensate for deficiencies in the other areas – so it is worth investing in people development 4 th Insight
UK History • UK response to 91/440 EC involved break up and privatisation of British Rail 4 th Insight
UK History Rolling Stock Leasing Companies Many other maintenance and service companies 20+ Franchise operators 4 th Insight
Why a safety case? • Many European Railways have reorganised, responsibilities have been moved and many new organisations have entered the industry • A Safety Case is a way of documenting, and thus facilitating the verification of, an organisation’s safety management system to ensure it meets minimum requirements • The Safety Case should provide a structured argument, supported by evidence, to deliver a comprehensive, compelling, clear and valid case that a system (either technical or operational) is safe in a given environment and taking into account all of its interfaces • It is an essential part of managing safety where ‘goal setting’ rather than ‘prescriptive’ standards are used 4 th Insight
Advantages of the approach • Makes the organisation ‘think through’ all of its safety arrangements • Allows partners and the Regulator to check that all the key elements of the operator’s safety management system are present and implemented effectively • Standards compliance and interpretation can be monitored and feedback gained to allow Standards development • Enables alignment between the safety arrangements of different involved organisations (e.g. different operators using the same track and stations, infrastructure managers) • Allows a small number of really competent and experienced staff at the Regulatory body (and/or its advisors) to have a wide influence on safety improvement – a ‘force multiplier’ 4 th Insight
Arrangements for Verification and Validation • Safety case acceptance normally involves an independent competent body of some kind (often a Regulator) which not only approves the organisation’s safety case but regularly audits compliance • Following railway restructuring in 1994 the UK Operator’s safety cases were first approved by Railtrack as the ‘Infrastructure Controller’, then by Railway Safety as an independent body and then (from 2003) by the Office of Rail Regulation (a government body) • The ‘reporting line’ really does not matter as long as those carrying out approval and audit are competent and reasonably independent and the link to Standards development is present – most of the benefit comes from the rigour of the process 4 th Insight
What should be in an Operator’s Safety Case? • There is no one template • It is vital that the case is developed based on specific circumstances rather than being ‘cut and paste’ • There is a lot of guidance available from open sources though the internet but much relates to ‘Technical Safety Cases’ so care is needed in what is used • Information relating to the content of safety management systems is much more useful in providing a check that all aspects have been covered • The Safety Case needs to be detailed and should relate to specific locations and assets 4 th Insight
Useful Guidance from the ERA • As the EU Directives have developed through the later Interoperability Directives and the Railway Safety Directive, Europe has moved somewhat back towards a more prescriptive approach to ensure commonality and free access between member states • The Safety Directive brought in the Common Safety Method (CSM) and Common Safety Targets (CST) • Through a common structured process, including a requirement for independent assessment, the CSM is intended to: • provide assurance that, when significant changes are proposed, safety levels are least maintained, and, if reasonably practicable, improved • facilitate the access to the market for rail transport services through harmonisation of risk management processes. • Whilst these techniques may not be wholly applicable in China the overall guidance on safety management systems on the ERA website is useful 4 th Insight
The ERA Safety Wheel 4 th Insight http://www.era.europa.eu/tools/sms/Pages/default.aspx
The key elements (a personal view) Competence Management • Need a clear system which should include • An assessment of all roles to determine the skills and competences needed – formalised role descriptions – is the work content deliverable? • A process for evaluating people’s capability to fulfil the role – do they have the necessary physical and mental characteristics to be able to become competent and do the job well? • An appropriate training and/or education package for each role • An effective competence assessment system • A process for ongoing regular re-assessment and re-training if required – competence maintenance 4 th Insight
Competence • Clearly driver training is very important but so are the other systems and processes that support them • Human factors must be recognised • Human beings are error prone • Environment, systems and processes can reduce or enhance the probability of error • Need to ensure the overall system is robust 4 th Insight
Contingency/Emergency Plans • Such plans • Should be appropriately detailed and location specific (not just high level and generalised) • Should cover all credible ‘what ifs’ however remote • Individual staff should know their roles and practise them regularly • Roles should all be ‘covered off’ in the event of any absences 4 th Insight
Contingency/emergency plans (2) • Stations are a key part – individual plans for each station should cover: • Fire and smoke • Environmental incidents – high wind, flooding, earthquake • Overcrowding due to disruption of service or from any other cause • Power/systems failures • Passenger flows/behaviour/panic under all of the above scenarios and combinations of them; some areas merit special attention > 4 th Insight
Contingency/emergency plans (3) • All Doors and exits • Ticket barriers • Escalators • Underground areas 4 th Insight
Contingency/emergency plans (4) • Train evacuation and management plans for incidents on track • Need clear instructions for managing on-board failures of safety and safety related equipment • Train protection systems • Public address • Lighting • Radio • Brakes etc • Procedures for evacuating trains in remote areas • Management of severe overcrowding 4 th Insight
The risk of not having clear failure management Southall, West London, 19th September 1997. High speed train collided with crossing freight train. Seven people died. Automatic warning system in driver’s cab defective. Alternative ATP not used, opportunity to turn train not taken. Rules and standards at the time did not require any specific action for failure of the system concerned except in fog. 4 th Insight
Vehicle Interiors/windows • In a number of UK rail accidents fatalities have been recorded due to passengers being thrown through windows or falling onto broken windows when the train has derailed onto its side and is still moving • Current UK standards therefore require laminated (shatterproof) glass in all carriage side windows except at the ends • Instances of single leaf carriage end doors being too heavy to open when the train is on its side have led to double leaf designs being adopted • Interior designs have been examined for sharp corners and impact points that could produce injuries under sudden deceleration • Aviation industry experience was used to look at ‘pinch points’ in interior design 4 th Insight
Aviation experience On 22nd August 1985 a British Airtours Boeing 737 suffered an uncontained engine failure and aborted its take off. The plane pulled off onto a taxiway where a light wind blew the subsequent fire against the fuselage. 53 passengers and 2 crew died, mostly from smoke inhalation • The exit and evacuation process came under scrutiny and it became clear that below a certain width major problems can occur with exits becoming jammed by two or more people attempting to exit at once in a panic situation • Research by Professor Helen Muir at Cranfield University in the UK led to significant mandatory changes in emergency exit design • Professor Muir also advised on railway carriage design after the accident at Ladbroke Grove in the UK and this is incorporated into current UK standards - gangways/openings of less than 30ins (0.75metres) in width should be avoided. • Consideration should be made in contingency plans as to how carriages can be evacuated when they are not in their normal orientation. 4 th Insight
What happens in a derailment? 4 th Insight
Maintenance • Good maintenance is essential to maintaining equipment/asset performance. • Where maintenance is carried out by an organisation different to the operator, scope and responsibilities must be very carefully defined • A comprehensive asset register and maintenance records should ensure maintenance tasks are not missed • In particular the boundary between maintenance and renewal requires great care – if renewal falls outside the maintenance organisation’s responsibility there is an incentive to neglect assets and push them into requiring renewal (In the UK Network Rail took much track maintenance back ‘in-house’ because of this issue) 4 th Insight
Maintenance (2) • Whether the maintenance organisation is separate or integrated excellent feedback from the field to the maintainers is essential • The maintenance arrangements for new equipment must be carefully designed not ‘force fitted’ to existing processes • Trends and sudden changes are both important in detecting emerging risks • There is a place for engineering judgement but standards are also important • The arrangements for decision making and escalation should be clearly defined and set out in the safety case 4 th Insight
Examples Bexley, UK, 4th February 1997 Eschede, Germany, 3rd June 1998 4 th Insight
Organisational Change • When organisational change occurs it is essential to ensure that all safety responsibilities are properly re-assigned so that none are ‘lost’. • An organisational change management process should include: • Definition of the extent of the change being made • Preparation of disposition statements indicating where the safety responsibilities are transferred from one job description to the job description of the new role • Checking that the new job roles specify the correct competency levels for the safety functions that have been transferred • Carrying out a risk assessment commensurate with the scale of the change to determine the potential impact of the change and that adequate mitigation measures have been put in place. A possible risk assessment approach for a significant organisational change is presented in the Appendix to this guidance. • Recording and maintaining the outputs of the risk assessment in a hazard record • Establishing the go-live criteria that need to be achieved before the organisational change is implemented • Documentation of records relating to (a) to (f) above 4 th Insight
Audit • Compliance with the commitments given in the Operator’s Railway Safety Case should be regularly audited by independent, competent auditors • Who those auditors work for is not particularly important provided they are competent and empowered to identify issues • The audit reports must not be just ‘filed away’ but should be a key tool for ensuring on-going compliance and identifying improvements to processes, Standards and skills 4 th Insight
Santiago de Compostela • High speed derailment in Spain on 24 July which killed 79 people and injured around 140 • Train was a Talgo 250 ‘dual’ which is capable of running on overhead line or under its own power using generators in two intermediate ‘technical cars’ – it is also a dual gauge train that can run on 1435mm and 1668mm (classic Iberian) tracks 4 th Insight
Santiago de Compostela (2) • The accident is still under investigation but we know: • The train was travelling too fast; circa 153km/hr when entering an 80km/hr speed restricted bend • The train emergency brake had been applied and it was braking from a higher speed of circa 195km/hr • The train had recently left an ERTMS level 1 area where there was speed supervision and entered an area fitted only with the older Spanish ASFA system which had train stops but only speed warnings, not speed supervision • It appears at the time of the accident that the driver was talking on the phone to his control about his routing • The driver has been charged with charged with 79 counts of homicide by professional recklessness 4 th Insight
Santiago de Compostela (3) • Some issues that still need to be considered: • Human Factors: • Why was speed supervision ended just before such a critical permanent speed reduction rather than after it (system design) • Why was the control talking to the driver whilst he was driving the train on anything other than an urgent operational control matter • Technical • The derailment seems to have initiated at the interface between the coaches and the Technical Car rather than by pure overturning so the stability of the Talgo 250 Dual under emergency braking needs to be re-checked 4 th Insight
Conclusion • An Operator’s safety case is a good way of documenting and allowing the verification of an operating organisation’s safety management system • I have outlined some of what I consider to be the most important features and why – what I have covered is by no means exclusive • All of the operational arrangements need to be regularly exercised/practised so staff become familiar with them • The approach compliments risk based, goal setting Standards allowing interpretation and implementation to be monitored and promoting improvement by feedback from the field Thank you for your attention 4 th Insight