Engineering Procedure

Design
Withdrawn - for reference only

Engineering Procedure
EPD 0008

DESIGN SAFETY MANAGEMENT

Version 2.0
Issued June 2010

Owner: Manager, Engineering Standards and Configuration

Approved Jagath Peiris Authorised Jim Modrouvanos
by: Manager by: General Manager

Engineering Standards and Chief Engineers Division

Configuration

Disclaimer
This document was prepared for use on the RailCorp Network only.
RailCorp makes no warranties, express or implied, that compliance with the contents of this document shall be
sufficient to ensure safe systems or work or operation. It is the document user’s sole responsibility to ensure that the
copy of the document it is viewing is the current version of the document as in use by RailCorp.
RailCorp accepts no liability whatsoever in relation to the use of this document by any party, and RailCorp excludes

any liability which arises in any manner by the use of this document.

Copyright
The information in this document is protected by Copyright and no part of this document may be reproduced, altered,
stored or transmitted by any person without the prior consent of RailCorp.

UNCONTROLLED WHEN PRINTED Page 1 of 14

 RailCorp Engineering Procedure — Design
Design safety management EPD 0008

Document control

Withdrawn - for reference only

Revision Date Summary of change
1.0 First issue
1.1 Section numbering updated, reference corrections and
document control page added
1.2 Replace reference from RIC to RailCorp – reference
made to RailCorp Safety Management System
1.3 August 2005 Standardising format
Title changed from “Hazard and risk analysis”
Re-formatted to conform to new ES&S document
formats and document numbering conventions.
Content restructured to provide designers with overview
of safety change management.
Content updated to align with revised and new SMS
documents resulting in —
2.0 June 2010
• Reference documents updated
• Revised content
• Text added for SCARD, SIL, human factor risks
Scope changed to reflect new structure and information.
Roles and responsibilities expanded.
Design safety argument - Requirements added for
Design Safety Report (DSR).

© Rail Corporation Page 2 of 14

Issued June 2010 UNCONTROLLED WHEN PRINTED Version 2.0
 RailCorp Engineering Procedure — Design
Design safety management EPD 0008

Contents
Withdrawn - for reference only
1 Introduction .............................................................................................................................4

2 Scope and purpose.................................................................................................................4

3 Referenced documents ..........................................................................................................4

4 Definitions and terms .............................................................................................................5

5 General requirements .............................................................................................................5

5.1 Safety change management......................................................................................5

5.2 Requirements for reduced safety change processing ...............................................5

5.3 Safety Change Assessment and Reporting Determination (SCARD) .......................6

5.4 Requirements for risk assessment and evaluation....................................................7

6 Design safety risk management ............................................................................................7

6.1 Overview ....................................................................................................................7

6.2 Scope of risk assessment..........................................................................................8

6.3 Steps for risk assessment..........................................................................................8

6.4 Demonstrating ALARP.............................................................................................10

6.5 Risk assessment tools .............................................................................................10

6.6 Design stages ..........................................................................................................10

6.7 Functional safety analysis of software that controls electrical or

electronic systems ...................................................................................................11

7 Application as part of configuration change action..........................................................11

7.1 Managing hazard and risk .......................................................................................11

7.2 Operational interfaces..............................................................................................11

8 Human factor risks................................................................................................................12

9 Reports...................................................................................................................................12

9.1 Hazard identification and risk assessment ..............................................................12

9.2 Design safety report (DSR)......................................................................................12

10 Responsibilities.....................................................................................................................13

10.1 Chief Engineers .......................................................................................................13

10.2 Design Engineers ....................................................................................................13

10.3 Change Managers ...................................................................................................13

Appendix A Typical Designer and Change Manager roles.....................................................14

© Rail Corporation Page 3 of 14

Issued June 2010 UNCONTROLLED WHEN PRINTED Version 2.0

 RailCorp Engineering Procedure — Design

Design safety management EPD 0008

1 Introduction
Withdrawn - for reference only
RailCorp’s vision is to deliver safe, clean and reliable passenger services that are
efficient, sustainable and are to the satisfaction of its customers. Safety of its assets
contributes greatly to the quality of services RailCorp provides to its customers. Safety of
assets can be mostly influenced at their design phase and designing for safety therefore
is an important consideration in any design whether it is for a new asset or for an
alteration of an existing asset. All designs have to meet the requirements of OHS
legislation, rail safety legislation, environmental legislation and applicable national and
international standards.

RailCorp Safety Management System (SMS) requires risks to be identified, assessed and
controlled. In controlling risk, RailCorp seeks to comply with all relevant legislation and
compliance requirements and has adopted a philosophy whereby unacceptable risks are
eliminated and unavoidable risks are either managed to a level that the residual risk is
either negligible or is reduced to as low as reasonably practicable (ALARP).

Design safety management process is an iterative process conducted at each stage of

the design development. It is an integral part of the reliability, availability, maintenance
and safety (RAMS) analysis that is carried out for design. The analysis of RAM is covered
in design procedure EPD 0009.

2 Scope and purpose

This procedure describes the process through which safety risks are identified at design
stage and managed. Types of risks considered are functional risks (associated with
functions performed by the system being designed) and technical risks (introduced by the
design).

The purpose of the procedure is to provide a reference for Designers to understand and
apply requirements for safety management in the design phase.

Project and management risks associated with design tasks, such as schedule and
financial risks, are not addressed in this procedure.

3 Referenced documents
SMS-06-FM-1404 Human Factors Work Determination Form
SMS-06-GD-0031 Hazard Identification and Safety Risk Assessment Guide
SMS-06-GD-1370 Safety Integrity Levels Allocation and Compliance
SMS-06-PR-1339 Human Factors Work Determination
SMS-06-PR-1365 Managing Safety Change
SMS-06-PR-1367 Hazard Log Management
SMS-06-PR-1382 ALARP Determination and Demonstration
SMS-06-SR-0034 Human Factors
SMS-06-SR-0048 Safety Change Management
SMS-06-TP-0210 Human Factors Integration Plan
SMS-06-TP-1386 Safety Risk Assessment Report
SMS-06-TP-1387 Hazard Identification Workshop Worksheet
SMS-12-PR-0371 Managing Engineering Design Control
EN 50128:2001 Railway Applications—Communications, signalling and processing
systems – Software for railway control and protection systems
EN 50129:2003 Railway Applications—Communications, signalling and processing
systems –Safety related electronic systems for signalling

© Rail Corporation Page 4 of 14

Issued June 2010 UNCONTROLLED WHEN PRINTED Version 2.0
 RailCorp Engineering Procedure — Design
Design safety management EPD 0008

The following are not referenced in this procedure but have been used to develop the
procedure and contain further relevant information.
Withdrawn - for reference only
New South Wales Rail Safety Act 2008
New South Wales Occupational Health and Safety Regulation 2001
AS/NZS 3931:1998 (IEC 60300-3-9:1995) Risk analysis of technological systems —
Application guide
AS 4292.1—2006 Railway safety management Part 1: General requirements
AS/NZS 4804:2001 Occupational health and safety management systems — General
guidelines on principles, systems and supporting techniques
AS/NZS ISO 31000:2009 Risk management — Principles and guidelines
EN 50126:2001 Railway applications—The specification and demonstration of reliability,
availability, maintainability and safety (RAMS)

SMS-06-GD-1369 Safety Assurance Documentation

SMS-06-TP-0053 Safety Assurance Report

4 Definitions and terms

Refer to the glossary in EPD 0001 for general definitions and terms used in this
procedure.

5 General requirements
5.1 Safety change management
The responsibility for producing reports and assessments of hazards and risks is taken by
the Change Manager. Designers may be required to provide input of an engineering or
technical aspect to the assessments. Designers should also identify and report hazards
arising from their designs to the Change Manager.

A flow chart indicating typical roles of the Designer and the Change Manager is in
Appendix A.

5.2 Requirements for reduced safety change processing

Some safety related changes require only limited assessment and processing. These
situations have either reduced safety risks or have prescribed design controls. These are
summarised in Figure 1

SMS-06-SR-0048 describes a number of changes that are outside the scope of safety
change management and so do not require further safety change management. These
include:

• A like-for-like change where the new item is similar in form (shape, material, etc.), fit
(size and means of installation), and function (performs the same role) to the previous
item.
• Type-approved replacements in accordance with RailCorp Engineering Standards,
and which take account of the safety change process. The function of the
infrastructure that the type-approved items are part of must be passive and its
functionality or performance must not be directly impacted by its application on the
network. For example, concrete sleepers can be excluded from further safety change
management but signalling equipment cannot. Refer SMS-06-PR-1365.
• Low-level changes to non-safety related components or sub-systems where a
configuration management or change management system is established and in use.

© Rail Corporation Page 5 of 14

Issued June 2010 UNCONTROLLED WHEN PRINTED Version 2.0
 RailCorp Engineering Procedure — Design
Design safety management EPD 0008

SMS-06-SR-0048 also describes Safety Change Assessment and Reporting

Determination (SCARD). If the level of safety impact is classified as minor, no further
safety assurance activities are required, apart from a Safety Statement completed by the
Withdrawn - for reference only
Change Manager. Refer Section 5.3 for further description of SCARD.

SMS-06-PR-1382 identifies a number of controls for demonstrating without further risk

assessment that the risk is as low as reasonably practical (ALARP):

• A control representing current, relevant, established good practice.

• A control that has a clear safety benefit and the costs are considered reasonable, as
established by an appropriate group of experts. Judgments of this type should also be
made where the costs of undertaking further analysis to ascertain the benefit could
add significant cost to the overall cost of introducing the control.
• A control based on a legal requirement.
Designers should use their professional judgement when using controls where no further
safety risk assessment is necessary and should verify that assumptions or criteria used
are valid.

Figure 1 Safety change and ALARP control types

5.3 Safety Change Assessment and Reporting Determination

(SCARD)
A SCARD is produced at the beginning of a project by the Change Manager. SCARD
impact levels are classified as significant, important or minor and related requirements
are summarised in the table below. The SCARD is reviewed by the Change Manager if
there is a change in scope or increase in the safety risk. SMS-06-SR-0048 has further
information.

© Rail Corporation Page 6 of 14

Issued June 2010 UNCONTROLLED WHEN PRINTED Version 2.0
 RailCorp Engineering Procedure — Design
Design safety management EPD 0008

SCARD IMPACT LEVEL

Requirement
Significant Important Minor
Withdrawn - for reference only
Safety Change Plan (SCP) Yes No No
Project Hazard Log (PHL) Yes Yes No
Human Factors Work
Yes Yes No
Determination (HFWD)
Safety Assurance Safety Assurance Safety
Report
Reports Statement Statement

5.4 Requirements for risk assessment and evaluation

SMS-12-PR-0371 provides the following requirements for risk and hazard assessment.

Hazard identification and assessment of risks shall be performed during the design
process for all design aspects of the project life cycle, including the design aspects of the
following —

• construction (including methods, processes and materials)

• use and maintenance (especially risk arising out of the nature of the design itself)
• removal, demolition or decommissioning (especially where there is risk arising from
the materials or processes used in the design).
Hazard identification and risk assessment shall be carried out in accordance with the
following to reduce the risks to as low as reasonably practicable (ALARP):

• Safety Change Management system requirement (SMS-06-SR-0048)

• Operational Safety Risk Management system requirement (SMS-06-SR-1384)
• Workplace Risk Management procedure (SMS-06-PR-0104)
• Hazard Identification and Safety Risk Assessment guide (SMS-06-GD-0031).
Safety assessment is also carried out if there are changes to the design during any phase
of the project life cycle.

6 Design safety risk management

6.1 Overview
Design safety risk management covers risk identification, analysis, evaluation and
control.
The typical steps for design safety risk management are:

Process Responsibility
Preliminary Hazard Analysis (PHA) with Preliminary Hazard List
(PHL) at the onset of the design process
1
– to identify hazards and risks that need addressing in the design
– to analyse hazards and risks. Change
Manager
2 Risk assessment, i.e. risk allocation, evaluation and ranking
3 Risk control and management
4 Documentation
Safety assurance in design (presenting the safety argument). Refer
5 Designer
Section 9.2.

© Rail Corporation Page 7 of 14

Issued June 2010 UNCONTROLLED WHEN PRINTED Version 2.0
 RailCorp Engineering Procedure — Design
Design safety management EPD 0008

The level of detail in a risk assessment should be broadly proportionate to the risk. For
example, if the risk is low and completely covered by a standard or authoritative good
practice, then showing that this has been followed may be enough to show that the risk is
Withdrawn - for reference only
acceptable..

6.2 Scope of risk assessment

A plan for doing risk identification and assessment at each design stage should be
incorporated in the project plan by the Project Manager, including the time, resources,
equipment and people required.

The risk assessment shall take into account risks that are present during design, or may
arise during the life cycle phases of the asset, such as during construction, operations,
maintenance, decommissioning and disposal.

Designers should advise changes to the hazards and risks to the Change Manager so
that reports can be updated as the design proceeds. Designs shall have a Design Safety
Report produced by the Designer, refer Section 9.2.

6.3 Steps for risk assessment

SMS-06-GD-0031 provides guidance for hazard identification and risk assessment.
Hazard identification and risk assessment are the responsibility of the Change Manager
who may require input from Designers.

Risk assessment is the overall process of risk identification, risk analysis and risk
evaluation. The risk assessment process is in SMS-06-GD-0031. A summary of the steps
is as follows:

1. Risk analysis begins with hazard identification, which includes checking an

appropriate extract of the RailCorp Safety Risk Register. Typical primary hazard
sources and risks to consider are shown in Figure 2.

Figure 2 Typical primary sources of risks and hazards

© Rail Corporation Page 8 of 14

Issued June 2010 UNCONTROLLED WHEN PRINTED Version 2.0
 RailCorp Engineering Procedure — Design
Design safety management EPD 0008

2. Each hazard shall be analysed and entered into a hazard log which should be
maintained in the Hazard Log Management System (HLMS). The hazard log shall be
completed for each design and each hazard shall be closed out. Designers can use
Withdrawn - for reference only
the hazard log towards producing the safety argument for design safety assurance in
Section 9.2. Refer SMS-06-PR-1367 for further information on HLMS.
3. Risks shall be analysed to determine:
– the frequency of occurrence of hazardous events, and
– the consequence of impact on persons or the environment, expressed as a

severity level.

4. Risk evaluation shall determine the risk category based on the frequency of
occurrence and the severity level of the consequences.
5. Risk control and management shall be applied where further reduction in the level of
risk cannot be obtained. Only after all reasonably practical engineered controls have
been applied should administrative controls be used.
6. Risk acceptance is described in SMS-06-PR-1365 and shall be based on ALARP
principles, refer Section 6.4.
A summary of the risk assessment steps is shown in Figure 3.

Figure 3 Steps for design risk assessment

© Rail Corporation Page 9 of 14

Issued June 2010 UNCONTROLLED WHEN PRINTED Version 2.0
 RailCorp Engineering Procedure — Design
Design safety management EPD 0008

6.4 Demonstrating ALARP

A description of ALARP is contained in SMS-06-PR-1382.
Withdrawn - for reference only
SMS-06-PR-1382 provides information on demonstrating ALARP risk level through a
control such as Good practice or Expert judgement or compliance with a legal
requirement. If any controls are applied, then the Designer should verify and document
that the conditions have been maintained at each subsequent stage of the design and the
documentation should form part of the design record.

Another means to demonstrate ALARP is Cost Benefit Analysis (CBA) which is briefly
described in SMS-06-PR-1382. N.B.: CBA can be a complex undertaking and require
advice from RailCorp’s Chief Economist. The Principal Operational Risk Adviser arranges
for this advice in consultation with affected divisional managers.

If the level of risk is high, then a review of the design in order to reduce risk should be
considered.

Any unacceptable risks shall be eliminated before the design is approved. Identification of
hazards and assessment of risks shall include action to eliminate hazards and where this
is not reasonably practicable, a hierarchy of controls shall be considered within the
design, i.e. implement engineered controls where possible and only rely on procedural
controls where engineered controls are not reasonably practicable. Documented
procedures for implementing those controls during construction and maintenance of the
assets concerned shall be issued as part of design documentation.

6.5 Risk assessment tools

Generally the risk assessment method used is a qualitative risk assessment that ranks
risk in accordance with the RailCorp Safety Risk Criteria and Safety Risk Matrices, refer
SMS-06-PR-1383. Quantitative risk assessment is more time and resource consuming
than a qualitative assessment and is applied if it is justified by the increased confidence
achieved. Risk assessment is carried out by Risk Division.

A description of risk assessment tools is provided in SMS-06-GD-0031 for —

• RailCorp HazID
• Hazard and Operability Study (HAZOP)
• Failure Modes and Effects Analysis (FMEA)
• Failure Modes, Effects and Criticality Analysis (FMECA)
• Interface Hazard Analysis (IHA)
• Operation and Support Hazard Analysis (OSHA)
• Functional Failure Analysis (FFA)
• Fault Tree Analysis (FTA)
• Event Tree Analysis (ETA).

6.6 Design stages

The following lists the typical safety related analysis or activity for each design stage. The
type and timing of the analysis depends on the complexity and nature of the project, for
example, less complex projects may combine the PHA and the detailed analysis.

© Rail Corporation Page 10 of 14

Issued June 2010 UNCONTROLLED WHEN PRINTED Version 2.0
 RailCorp Engineering Procedure — Design
Design safety management EPD 0008

Design Stage Activity

Concept PHL - Preliminary Hazard List
Preliminary PHA - Preliminary Hazard Analysis
Withdrawn - for reference only
(Refer SMS-06-SR-0048 and SMS-06-GD-0031)
Detailed Detailed hazard and risk analysis such as —
• SHA - System Hazard Analysis
• IHA - Interface Hazard Analysis
• OSHA - Operation and Support Hazard Analysis
(Refer SMS-06-SR-0048 and SMS-06-GD-0031)
Verification Check risk analysis carried out still applies for the final design.
Validation Check final design addresses all identified risks.
Approval Review for approval the safety argument for design presented
as the Design Safety Report (DSR), refer Section 9.2.
Acceptance Ensure only approved designs are accepted for construction

6.7 Functional safety analysis of software that controls electrical or

electronic systems
Systems such as signalling and electrical that use software for control of safety functions
are subject to additional controls within the RailCorp design environment. Analysis may
be considered for control of safety functions for all new design development tasks, and
for regression analysis whenever there is a requirement to implement design changes.
Similar requirements shall be implemented where the proper operation of a safety system
depends on a human interface.

Functional safety analysis of such systems shall be carried out in accordance with
applicable standards such as EN 50128 and EN 50129. All safety related software shall
be allocated a safety integrity level (SIL). Details are provided in SMS-06-GD-1370.

The results of functional safety analysis for software that controls electrical or electronic
systems shall be documented in a specific report and shall be maintained as part of the
design record for the system or equipment.

7 Application as part of configuration change action

7.1 Managing hazard and risk
Designers, and specialist staff performing hazard and risk analyses, are responsible for
identifying and implementing control measures as part of the design task and for
providing information or updating the relevant documentation before the new or altered
equipment is introduced into service.

Support documentation shall, for example, comprise —

• operating procedures and instructions

• Process Control Plans setting out specific procedures and precautions for
performance of maintenance and construction tasks. These will include details of the
conditions under which tasks can be safely performed, eg isolation, possession, as
well as PPE, tools and other equipment to be used and specialist training/competency
requirements.

7.2 Operational interfaces

Effective risk control measures identified in the design phase that require implementation
by RailCorp divisions other than the divisions that are responsible for design and project
delivery shall be agreed to by all relevant stakeholders

© Rail Corporation Page 11 of 14

Issued June 2010 UNCONTROLLED WHEN PRINTED Version 2.0
 RailCorp Engineering Procedure — Design
Design safety management EPD 0008

8 Human factor risks

Assessing human factor risks shall be taken into account during design. Requirements for
Withdrawn - for reference only
assessing human factors risks are contained in SMS-06-SR-0048. Assessment and
reporting of human factor risks shall be in accordance with SMS-06-SR-0034. The
process is described in SMS-06-PR-1339. Plans and reports are managed by the
Change Manager. Risk analyses are carried out by Risk Division.

A human factors work determination form (SMS-06-FM-1404) shall be completed when:

• an operational issue in a system or process requiring human factors support is

identified
• the SCARD impact level is important or significant.
A human factors integration plan (SMS-06-TP-0210) shall be developed and maintained
when the SCARD impact level is significant and optional when the SCARD level is
important.

9 Reports
9.1 Hazard identification and risk assessment
When a risk assessment has been made, the following reports shall be produced by the
Change Manager in conjunction with Risk Division:

• A hazard record sheet template as provided in SMS-06-TP-1387.

• The risk assessment report in the template SMS-06-TP-1386.
Guidance on the above reports is provided in SMS-06-GD-0031.

9.2 Design safety report (DSR)

The design report shall contain a design safety report (DSR). A DSR shall be produced
by the Designer and approved by the Engineer supervising the design on completion of
detailed design.

The purpose of the DSR is to —

• demonstrate that all safety objectives have been addressed by presenting a safety
argument with supporting evidence;
• demonstrate that the safety risks inherent in the change activity meet the safety risk
criteria (ALARP or controls) and associated residual risks are understood in order to
support safety acceptance;
• where appropriate, provide evidence that all outstanding issues are being managed.
Typically, the DSR would cover:
• Assumptions and criteria in the SCARD or the design brief — Confirm that the
assumptions and criteria are still valid in the final design.
• Risks — Verify risks are addressed and the means to address the risks;
— Report on any residual risks and risk waivers.
• Consideration of various stages — risks arising from the design during construction,
implementation and other stages.
• Sign off and verification by checker.
The DSR may be used by the Change Manager when preparing Safety Assurance
Reports.

© Rail Corporation Page 12 of 14

Issued June 2010 UNCONTROLLED WHEN PRINTED Version 2.0
 RailCorp Engineering Procedure — Design
Design safety management EPD 0008

10 Responsibilities
10.1 Chief Engineers
Withdrawn - for reference only
Chief Engineers are responsible for —

• Accepting the design safety report (DSR), which forms part of the final design report,
as part of the design acceptance.

10.2 Design Engineers

Design engineers shall, where appropriate —

• Identify risks resulting from the design and which cannot be eliminated and advise the
Change Manager/Project Manager
• Provide input to the hazard and risk analysis
• Verify the initial assumptions affecting risk assessment apply to subsequent stages of
the design
• Validate the final design addresses identified risks
• As part of the design report, produce the safety argument for the design in the DSR
Approving authorities shall —

• Approve the safety argument for the design in the DSR.

10.3 Change Managers

Change Managers are responsible for —

• Reports and assessments relating to hazards and risk, including the SCARD, in
conjunction with relevant Safety Divisions.
• Reports relating to human factor risks, in conjunction with Risk Division.

© Rail Corporation Page 13 of 14

Issued June 2010 UNCONTROLLED WHEN PRINTED Version 2.0
 RailCorp Engineering Procedure — Design
Design safety management EPD 0008

Appendix A Typical Designer and Change Manager roles

Withdrawn - for reference only

© Rail Corporation Page 14 of 14

Issued June 2010 UNCONTROLLED WHEN PRINTED Version 2.0