RISK ASSESSMENT GUIDE


Version Control

Version | Editor | Date | Comment
 | | /07/2013 | Launch of NSW TrainLink SMS documents
2.0 | P Couvret, M Jones, T Narwal | 16/08/2016 | Combined a number of guides to create new Risk Assessment Guide (Full explanation in TRIM No: FNSW2016/19-9)

Approver: Head of SEQR UNCONTROLLED WHEN PRINTED Version: 2.0 Page 2 of 71 Issue Date: 15/08/2016

Contents

1 INTRODUCTION AND SCOPE
- Risk Assessments
- Risk Assessment Terms
- Undertaking a Risk Assessment

PART 1 BUSINESS/PROJECT RISK ASSESSMENT
RISK ASSESSMENT PROCESS
PREPARATION
- Risk Assessment Sponsor
- Stakeholders
- Timeframes
- Scope of work
RISK IDENTIFICATION
- Establishing the Context
- Risk Identification Exercise
RISK ANALYSIS
- Business/Project Risk Registers
- Risks
- The Risk Cause Relationship
- Causes
- Consequences
- Existing Controls
- Options for Further Risk Treatment
RISK ESTIMATION
COST BENEFIT ANALYSIS
REPORTING

PART 2 SYSTEM SAFETY RISK ASSESSMENT
INTRODUCTION AND SCOPE
- Safety Change Risk Assessment
OPERATIONAL AND SAFETY RISK ASSESSMENT PROCESS
- Preparation
- Hazard Identification
- Hazard Analysis
- Risk Estimation
- SFAIRP Evaluation
- Reporting

PART 3 ENVIRONMENTAL RISK ASSESSMENT
INTRODUCTION
- Purpose and Scope
- Background
ENVIRONMENTAL RISK MANAGEMENT PROCESS
- Risk Management Context
- 2.2 Risk Identification
- Risk Identification Checklist
- Environmental Risk Analysis
- Risk Identification and Analysis Session Guide
- Risk Treatment

PART 4 - RISK ASSESSMENT TOOLS
NSW TRAINLINK HAZID
HAZARD AND OPERABILITY (HAZOP)
- Procedure
INTERFACE HAZARD ANALYSIS
- Procedure
- Results
OPERATING AND SUPPORT HAZARD ANALYSIS
- Procedure
- Results
FAILURE MODES, EFFECTS AND CRITICALITY ANALYSIS
- Procedure
- Results
FUNCTIONAL FAILURE ANALYSIS
- Procedure
- Results
- RACI Matrix
FAULT TREE ANALYSIS
- Procedure
- Results
EVENT TREE ANALYSIS
- Procedure
- Results

APPENDIX A CONDUCT A RISK WORKSHOP
INTRODUCTION
- Roles
- Timeframes
- Scope of Work
- Workshop Attendees
- Location, Facilities and Timing
- Briefing Note
- Setup
RUNNING THE WORKSHOP
- Initial Presentation
- Capturing Hazard and/or Risk Information
- Workshop Record
- Workshop Record Review

1 Introduction and Scope

This document provides the guidance to undertake effective risk assessment activities in line with the Safety Management System (SMS) requirement.

The scope of this guide addresses the following Risk Assessments:
- Business and Projects
- System Safety and Work Health Safety (WHS)
- Environment

Risk assessment activities include:
- Preparation for undertaking Risk Assessment
- Risk/Hazard identification and Risk Assessment.

Note: The risk assessment processes and tools defined in this guide require the assistance of SEQR Risk Professionals to deliver outcomes that will enable the organisation to make appropriate risk informed decisions. It is important that Line Managers are aware of the content of this guide and the relationship between this content and the Risk Management (SMS-07-SP-5213) and Safety and Environment Change Management (SMS-07-SP-5067) procedures. If through the application of these procedures there is a requirement to apply the content of this guide, risk support from the SEQR Business Unit should be sought.

This guide is divided into the following four Parts and an Appendix:
- Part 1: Provides guidance to undertake effective business/project risk assessment activities.
- Part 2: Provides guidance to undertake effective risk assessment activities in both the operational and safety change environments.
- Part 3: Provides background information and guidance regarding environmental risk management.
- Part 4: Provides information about a range of risk assessment tools and techniques, their application, strengths and weaknesses. Parties undertaking risk assessment can select and apply the most appropriate tools and techniques for the situation.

1.1 Risk Assessments

Risk Assessments are undertaken primarily to:
- identify NSW TrainLink's overall level of risk exposure to its activities in its operating environments
- determine whether there is the potential to reduce risk
- inform and enhance the risk based decision making process in NSW TrainLink.

1.2 Risk Assessment Terms

A range of terms are used and discussed throughout this guide. The following are key terms and are defined below:

Term | Definition
Cause | A condition or cause of an event
Consequence | The nature and magnitude of the harm if a threat is realised
Control | A measure that will modify risk
Hazard | A condition that is a potential source of harm
Likelihood | Chance of something happening
Risk | Effect of uncertainty on objectives
Safety Risk | Combination of the likelihood of a hazard being realised and its consequence

1.3 Undertaking a Risk Assessment

The generic elements of a risk assessment are indicated in Figure 1 in the context of the overall risk management process. This approach should be adopted for all risk assessment activities. However, the effort and detail required within each element will differ according to the specific nature and timing of the risk assessment.

Figure 1 - Risk Assessment Process as Illustrated in AS/NZS ISO 31000:2009

Note: Together Risk Identification, Risk Analysis and Risk Evaluation are the three steps needed to carry out a Risk Assessment.

PART 1 Business/Project Risk Assessment

1 Risk Assessment Process

This part of the document provides guidance to undertake effective business/project risk assessment activities. It supports Safety and Environment Change Management (SMS-07-SP-5067) and may be applied to business and projects.

This part of the guide is applicable to all Line Managers in the operational environment responsible for undertaking risk assessments to:
- identify NSW TrainLink's level of risk exposure to its activities and its working environment
- determine whether further risk reduction is necessary
- inform the decision making process in NSW TrainLink.

Parties undertaking risk assessment can select and apply the most appropriate tools and techniques for the situation.

Figure 1 - Risk Assessment Elements: Preparation, Risk Identification, Risk Analysis, Risk Estimation, Reporting

2 Preparation

It is important that all affected parties understand and appreciate the need for the risk assessment and its scope. The following elements need to be addressed when preparing for a risk assessment:
- Risk assessment sponsor
- identification of stakeholders
- timeframes
- scope of work that specifically includes a defined context for the risk assessment.

2.1 Risk Assessment Sponsor

All risk assessments must have a Risk Assessment Sponsor (a NSW TrainLink Line Manager) with the authority to make risk based decisions, based on the results of the assessment, or with the authority to communicate the results of the assessment to more senior decision makers. As the sponsor they define the risk assessment requirements and receive any risk assessment report or other information that informs future risk-based decision making.

2.2 Stakeholders

Stakeholder consultation during the risk assessment process encourages the affected parties' buy-in and support. It can also improve the quality of the risk assessment by ensuring that a broad range of viewpoints are included.

NSW TrainLink has both internal and external stakeholders - groups of people with a vested interest in a particular area. When planning a risk assessment it is important to identify these groups and gain their input. A risk assessment that does not consider the experience and domain knowledge of relevant stakeholders may not be able to be defended if challenged at a later date.

Internal stakeholders are the relevant Directorates and Business Units. NSW TrainLink external stakeholders include but are not limited to:
- State Government departments and local councils
- emergency services
- other transport providers
- regulators
- contractors
- consumer groups
- the community surrounding the railway in which NSW TrainLink operates.

In many cases it will not be possible to consult every single stakeholder. In these cases a judgement will need to be made to identify the major stakeholders and the focus should be on understanding what the primary objectives of this group are.

In certain cases it may be appropriate to give stakeholders a more detailed opportunity to express their opinions and concerns. In this instance a structured interview may be conducted, using questions drawn from the Scope of Work, document reviews and a site visit.

Note: Invariably, stakeholders will include Subject Matter Experts (SMEs). These SMEs need to be consulted during the risk assessment. If a risk assessment workshop is convened (refer to Appendix A Conduct a Risk Workshop), it is important that SMEs are in attendance.

2.3 Timeframes

The risk assessment should be carried out to a suitable level of detail and rigour as appropriate to the context of the decision to be made and with respect to any existing time constraints. The timeframe should be agreed between the risk assessment sponsor and the risk practitioner prior to commencing the risk assessment.

2.4 Scope of work

All risk assessment activities should have a defined Scope of Work agreed by the Risk Assessment Sponsor. This document should include a description of the:
- objective of the assessment
- relevant background information
- scope of the assessment including specific identification of out of scope elements where appropriate
- deliverables and timescales.

3 Risk Identification

The purpose of risk identification in a Risk Management context is to identify as many varied risk types as possible that are associated with achieving the required objectives. The process should include:
- using information arising from stakeholder consultation
- risk identification exercise.

Note: Risk identification workshops are discussed in Appendix A Conduct a Risk Workshop.

3.1 Establishing the Context

Initial (Kick-off) Meeting

The initial meeting is held between the Risk Assessment Sponsor and the person undertaking the risk assessment (either a NSW TrainLink employee or contractor) to review the defined Scope of Work and make sure the parties have a common understanding of all attributes of the scope and the context of the assessment.

This initial (kick-off) meeting should be documented to assure the Risk Assessment Sponsor that the person doing the risk assessment has interpreted the brief correctly; that stakeholders have been defined; and that other pertinent information raised during the meeting is recorded.

Site Visit

If appropriate or feasible a site visit may be conducted to further understand the context of the assessment.

Document Review

The person conducting the risk assessment (the risk assessor) must review the relevant documents related to the risk assessment. Examples include but are not limited to:
- business plans
- program or project plans
- organisational structures
- project or design documents
- operational procedures (e.g. Network Rules)
- existing related risk information.

The objective of the review is to be aware of all factors that could influence the risk assessment findings.

Internal and External Factors

The risk assessor should define the external and internal factors that could impact on the risk assessment.

The internal factors include, but are not limited to:
- culture
- capabilities
- existing goals and strategies.

The external factors include, but are not limited to, the:
- business, social, regulatory, competitive, financial and political environments
- organisation's strengths, weaknesses, opportunities and threats.

3.2 Risk Identification Exercise

A workshop is the most commonly used forum for conducting a business/project risk identification exercise as it allows opportunity for a diverse range of stakeholders to share information and opinions. There are a number of techniques that may be used to facilitate this process, including brainstorming, mind maps, Structured What If Technique (SWIFT), and Hazard and Operability studies (HAZOP). A good way of structuring and splitting up a risk assessment is to define a set of key elements. Further information on these techniques and the use of key elements can be found in Part 4 of this guide.

There may be occasions where the combination of stakeholder consultation, document review and site visit provides a sufficient range and quality of data required for the overall risk assessment. However, these occasions are likely to be rare and will be relevant only to simple decisions. If the risk assessor is in doubt about whether a workshop is necessary, guidance should be sought from the Head of SEQR or a SEQR Risk Professional.

The risk assessor should prepare for and run the workshop in accordance with the guidance in Appendix A Conduct a Risk Assessment Workshop.

4 Risk Analysis

The primary role of risk analysis is the development of further information for the risk that has been identified. This information includes identifying:
- causes
- types of consequences
- Risk Owner
- existing controls and control owners
- risk control effectiveness
- likelihood rating
- consequence rating
- risk rating
- tasks or options for further risk treatment and task owners.

The risk assessor should record this information using a risk register or hazard log spreadsheet.

Following the workshop there should be an appropriate level of validation of the initial information captured in the risk register where further data is available and as appropriate to support the level of decision making required. Generally the level of validation required will be commensurate with the level of risk identified and/or the uncertainty expressed within the workshop regarding the information recorded.

The outputs of the risk analysis process should be, as a minimum:
- a summary of key findings, and
- a validated hazard log.

4.1 Business/Project Risk Registers

The generation, continued reference to, and maintenance of risk information grouped in the form of a risk register is central to the risk management process, refer to Manage Risks in the Safety Risk Register (SMS-07-OP-5215).

A risk register acts as:
- the grouping of all risk information relating to the scope of the specific risk assessment, the risk topic or a specific business unit
- an ongoing management tool to ensure that business/project activities are being performed.

For business/project risks it is recommended a MS-Excel business/project risk register spreadsheet is used to collate risk information in the risk registers. This is because workshops tend to be highly dynamic and free flowing and the spreadsheet provides a relatively easy format to record information.

For some projects a safety hazard log may be sufficient. This is similar to a risk register but does not normally include risk estimation.

4.2 Risks

Risks can sometimes be difficult to explain and define. It may be helpful to think of a full description of a risk as:

(Something occurs) leading to (impact on objectives), caused by, controlled by

For example:

NSW TrainLink is introducing a new timetable and the changes could lead to unhappy customers and bad press. This is caused by schedules being changed and customers not being aware of the changes. We have a publicity strategy to tell customers of the changes so that they can prepare.

Alternatively in a positive context:

NSW TrainLink is introducing a new timetable and the changes could lead to an increased level of customer satisfaction due to the increased number of services being made available. We have a publicity strategy to tell customers of the changes so that they can use the new services if they wish to do so.

In a workshop environment the headings within the risk register template are used to prompt for this type of information.

4.3 The Risk Cause Relationship

It is highly likely that a risk identified within a business/project risk workshop will have multiple causes. It is important that as many of these causes as possible are captured in order to be able to ensure effective risk treatments are developed.

In some cases a review of the risk register will reveal that an item identified as a risk could be a cause of another risk. This is not an unusual situation and in this case a judgement should be made as to whether the nature of the risk warrants the separate risk descriptions or whether they could be combined. There are no hard and fast rules about this judgement. The default position would be to keep the separate entries as this may encourage a more robust risk management approach to be taken. However, care should be taken that tasks or risk treatments are not being duplicated unnecessarily.

4.4 Causes

It is important to distinguish between the risk event and its cause. It is highly likely that a risk will have multiple causes. It is important that as many of these causes as possible are captured in order to be able to ensure effective risk treatments are developed.

In some cases a review of the risk will reveal that an item identified as a risk could be a cause of another risk. This is not an unusual situation and in this case a judgement should be made as to whether the nature of the risk warrants the separate risk descriptions or whether they could be combined. There are no hard and fast rules about this judgement. The default position would be to keep the separate entries as this may encourage a more robust risk management approach to be taken. However, care should be taken that tasks or risk treatments are not being duplicated unnecessarily.

4.5 Consequences

Risk consequences are described within the Risk Ranking Table (SMS-07-GD-5212). Not all risk consequence types will be relevant for all risk assessments. The definition of relevant consequences will depend on the level and nature of the risk assessment being undertaken.

For example: If a risk assessment is to be undertaken of a change to an operational procedure intended to improve efficiency, the assessment would be focussed on the operational or customer service and safety aspects of the change.

The Rated Consequence

Due to the diverse range and different types of consequences and severity levels that could possibly occur, defining the consequence to be rated in an assessment has a number of dimensions. It is not feasible to attempt to rate every potential severity of every potential type of consequence. In identifying the consequence to be rated within an assessment the following general principles should apply:

1. The most severe credible outcome for each relevant type of consequence should be identified given the controls that are currently in place and the assessment of risk control effectiveness.
2. If more than one type of consequence is possible select the worst severity of all types for rating. If there are significant doubts within the group regarding the validity of this judgement then test the validity by risk ranking a different type of consequence.

For further details refer to Risk Ranking Table (SMS-07-GD-5212).

Note: It is essential that the likelihood rating assessed is the likelihood of the specified consequence occurring. This is NOT the same as the likelihood of the initial event occurring. If any safety or environmental consequence is identified then this should be noted unless it is the rated consequence.

In some circumstances it may be necessary to develop a fuller understanding of the potential consequences arising from a specific risk. In these cases defining the credible consequence for risk rating purposes can be complex. Event Tree Analysis (ETA) can be a useful method when making a detailed assessment of a range of potential consequence scenarios that arise from a defined risk. Further information on Event Tree Analysis can be found in Part 4.

4.6 Existing Controls

Control review is a significant element of risk analysis. Once it has been confirmed the control is defined correctly, control review should take into consideration the validity, applicability and benefit of the range of controls offered during risk identification.

There are generally two types of control:

1. preventative controls - that contribute to the prevention of a risk being realised
2. mitigative controls - that reduce the level of the consequence if the risk is realised.

When assessing risk control effectiveness some account must be taken of both the nature and number of the controls that are present and on their actual collective effect on risk.

Note: Control review is an essential part of the validation of information gained from a risk assessment workshop.

4.7 Options for Further Risk Treatment

The risk identification process may identify options for further risk treatments. There are a number of different risk treatment strategies that may be applied within a business/project risk assessment. These strategies are listed in Table 1.

Table 1 - Strategies for Risk Treatment

Treatment Strategy | Action Required
Risk avoidance and opportunity seeking | Do something new or different
Change the likelihood | Increase the likelihood of the event or Reduce the likelihood of the event through improving the existing prevention controls or adding new prevention control
Change the consequences | Increase the level of benefits identified or Reduce the negative consequences through improving the existing mitigation controls / or adding new mitigation control
Risk and opportunity sharing | Share (part/all) of the risk or opportunity with another party
Risk and opportunity tolerance | Live with it (as an explicit decision) and monitor

Note: Risk treatment options identified within a workshop are only initial ideas and further refinement and development will be required at a later date.

5 Risk Estimation

Risk estimation is:
- the process for assigning a likelihood to the consequence to be ranked in order to determine a risk rating
- the process for establishing risk exposures so those groups or projects with the greatest exposure can be identified and/or prioritised for risk treatment
- an iterative process that may be revisited several times as the risk assessment context changes.

There are potentially two approaches to risk estimation - qualitative and quantitative:
- Qualitative - risk estimation that ranks risk in accordance with the NSW TrainLink Risk Ranking Table.
- Quantitative - mathematical approaches that are based on specific domains. For example, financial risk modelling may be carried out to determine an organisation's exposure to interest rate change or detailed project scheduling models may be used to identify specific risk exposures within project plans.

The initial approach to risk estimation will be qualitative and in many cases this level of assessment will suffice for risk management purposes. However, where this approach is not sufficient then a further quantified approach may be used. An instance where additional risk assessment would be required is where a large number of the same category of risks are identified.

Regardless of the methodology used to obtain the risk rankings the results of the exercise should be made available to the workshop participants for evaluation and review.

6 Cost Benefit Analysis

Cost Benefit Analysis (CBA) provides a measure of the relative economic merit of each proposed risk treatment option over its lifecycle. This economic-based approach considers the option's merits from an organisational rather than unit/division perspective. No matter where they occur, the CBA process systematically quantifies and qualifies net costs (capital, recurrent and user) and net safety benefits.

In some cases a very simple cost benefit evaluation of a risk treatment option can be carried out within the risk assessment team. However, in many cases the appropriate level of CBA requires a significant effort and analysis of lifecycle costs, for example, when undertaken in support of a major project or initiative.

7 Reporting

In some cases the only required output from a Risk Assessment is the development and ongoing management of risk information. However in some cases it may be appropriate to also provide a written risk assessment report that contains a full description of the risk assessment process and results. Should this be the case the report should align with the sections of the Risk Assessment Report.

PART 2 System Safety Risk Assessment

1 Introduction and Scope

This Part 2 of this guide provides information to undertake effective system safety risk assessment activities in both the operational and safety change environments, also refer to Risk Management (SMS-07-SP-5213). It supports Safety and Environment Change Management (SMS-07-SP-5067) and may be applied to Work Health and Safety risk assessments (workplace risk management).

This part of the guide is applicable to all Line Managers in the operational environment responsible for undertaking risk assessments to:
- identify NSW TrainLink's level of risk exposure to its activities and its working environment
- determine whether further risk reduction is necessary
- inform the decision making process in NSW TrainLink.

The part covers the generic elements of system safety risk assessment process and provides information about a range of safety risk assessment tools, techniques, their application, strengths and weaknesses. Parties undertaking risk assessment can select and apply the most appropriate tools and techniques for the situation.

1.1 Safety Change Risk Assessment

By applying the safety change management process, NSW TrainLink is able to determine the level of safety risk associated with a change. In the majority of cases, the requirement is to reduce the risk to so far as is reasonably practicable (SFAIRP). However, in some cases, other safety criteria, as agreed with Head of SEQR, may be more appropriate.

Risk assessment in safety change projects is integral to both the Preliminary Hazard Analysis (PHA) and System Hazard Analysis (SHA) processes defined in Safety and Environment Change Management (SMS-07-SP-5067). The risk assessment process defined in this part of the guide addresses the overarching requirements of both PHA and SHA by considering in detail, the risk assessment process elements and specific tools that can be used.

2 Operational and Safety Risk Assessment Process

This section looks at the safety risk assessment process, as outlined in Fig. 2 below.

Figure 2 - Safety Risk Assessment Elements: Preparation, Hazard Identification, Risk Analysis, Risk Estimation, SFAIRP Evaluation, Reporting. (Applicable to Safety Risks only)

These steps are described in the following sections:

2.1 Preparation

When preparing a risk assessment, make sure all parties understand and appreciate the need for the risk assessment and its scope. Address:
- risk assessment sponsor
- stakeholders
- timeframes
- scope of work.

Risk Assessment Sponsor

All risk assessments must have a Risk Assessment Sponsor (a NSW TrainLink Manager) with the authority to make decisions about Directorate functions, systems or resources, or to influence decision makers. As sponsors, they define the risk assessment requirements and receive the safety risk assessment report that informs their risk-based decision making.

In the operational environment, the sponsor is generally either the current Risk Owner or a Manager in whose division the subject matter of the risk assessment resides. For safety change projects, the sponsor will either be the Project Sponsor or Project Manager.

Stakeholders

Stakeholder consultation during risk assessment:
- encourages the affected parties' buy-in and support
- improves the quality of the risk assessment deliverable by ensuring that a broad range of relevant information is available.

NSW TrainLink has both internal and external stakeholders - groups of people with a vested interest in a particular area. When planning a risk assessment, identify the stakeholders and gain their input. A risk assessment that does not consider the experience and domain knowledge of relevant stakeholders may not be able to be defended if challenged at a later date.

Internal stakeholders are the relevant Groups and business units. NSW TrainLink external stakeholders include, but are not limited to:
- Transport for NSW
- Other State Government departments and local councils
- Emergency services
- Transport providers
- Regulators
- Contractors
- Consumer groups.

Note: Stakeholders generally include subject-matter experts (SME). SMEs need to be consulted during the risk assessment. If a risk assessment workshop is convened, make sure SMEs are in attendance (refer to Appendix A Conduct a Risk Workshop).

Timeframes

The Risk Assessment Sponsor will specify the timeframe in which to complete the risk assessment. The timeframe affects the nature and complexity/rigour of the risk assessment. The timeframe must take into account the requirements for safety assurance, particularly independent review, refer to Safety and Environment Change Management (SMS-07-SP-5067).

If the Risk Assessment Sponsor specifies a date, they need to be advised of what can be achieved realistically in the timeframe. However, a reduced timeframe should not be considered a reason for delivering a substandard risk assessment.

Scope of Work

All safety risk assessment activities must include a defined Scope of Work. The Risk Assessment Sponsor is responsible for ensuring the independent review is applied, where required, to the Scope of Work. IV provides assurance to both the Risk Assessment Sponsor and those undertaking the risk assessment that the proposed approach:
- is appropriate
- if followed, will satisfy the requirements of the Safety Management System (SMS).

2.2 Hazard Identification

Hazard identification may include any or all of the following elements:
- Familiarisation:
  - Initial (kick-off) meeting
  - Site visit
  - Document review.
- Stakeholder consultation
- Hazard identification exercise
- Hazard identification output.

Familiarisation

This section looks at the stages in the familiarisation step.

Initial (Kick-Off) Meeting

The initial meeting includes the Risk Assessment Sponsor and the party undertaking the risk assessment. The meeting agenda items include:

19 review the defined Scope of Work discuss all the attributes of the Scope of Work to make sure the parties have a common understanding. Document the initial meeting to assure the Risk Assessment Sponsor that: the party doing the risk assessment has interpreted the brief correctly the stakeholders have been defined other pertinent information raised during the meeting is recorded. Site Visit Where possible, make a site visit to put the nature of the risk assessment into context. A site visit is generally feasible in the operational environment because the risk assessment is addressing a specific aspect of that environment. For change projects, a visit is sometimes not an option, e.g. at the concept phase of a new rolling stock project, the set of concept ideas might the extent of available information. Workers with knowledge of the environment (generally, the risk assessment stakeholders) should participate in the site visit to identify the key features and pertinent concerns. It is recommended that photographs are taken of the site and associated features, so they can be used later as a point of reference. Consider the following factors when planning a site visit: the best time to see the nature of operations and/or activities, e.g. peak traffic flows, access to the site environmental conditions, e.g. do site attributes change with time of day or weather availability of resources with suitable domain/subject-matter knowledge, asset representative potential safety risks associated with the site visit, e.g. is it safe to visit the site and the safety precautions needed. Document Review People conducting risk assessments (risk assessors) must review documents related to the risk assessment. 
These include, but are not limited to:
- operational procedures (Network Rules)
- organisational structures
- design documents
- related risk assessments/papers/human factors reports
- risk-based training needs analyses (RBTNA)
- plans/maps
- risk registers and hazard logs
- timetables/schedules.

The objective of the document review is to be aware of all factors that could influence the risk assessment findings. Like a site visit, it is primarily a preparatory exercise but a document review often identifies significant information relevant to the risk assessment. This information should be defined as part of the hazard identification output.

A review of relevant risk registers and hazard logs can yield useful information to support the risk assessment process. However, do not assume that the information in the registers and hazard logs is either complete or accurate. It is not acceptable to replicate such information without appropriate review and analysis. This is particularly the case with the Safety Risk Register (SRR).

Information from the SRR, including hazardous events, causes, controls, respective owners and quantitative risk rankings can be requested from Head of SEQR via the SRR address NSWTrainsSEQR@transport.nsw.gov.au.

Stakeholder Consultation

Stakeholder input is important to gain a complete understanding of the subject matter being assessed. Where the risk assessment includes a hazard identification workshop, prior discussions with stakeholders provide the opportunity to gain insights into the issues that each stakeholder could bring to the workshop. Use this information to structure the workshop and ensure stakeholder buy-in.

Where possible, conduct face-to-face stakeholder interviews; in most cases this should be a structured, conversational interview. Develop a specific objective for the interview, supported by an appropriate set of open questions that will give stakeholders the opportunity to express their opinions and concerns. The questions should be drawn from the Scope of Work, the document review and the site visit, where applicable.

Review other hazard-related data, where it exists, with the stakeholder as part of the consultation. Stakeholders should be able to verify that any issues have been identified, their concerns are being considered and they have the opportunity to raise any other issues.
The Risk Assessment Sponsor is responsible for making sure that a record of all stakeholder consultation is kept.

Hazard Identification Exercise

While a workshop is the most commonly used approach for identifying hazards, sometimes the combination of stakeholder consultation, document review and site visit provides the range and quality of safety data required for the safety risk assessment.

Where the Risk Assessment Sponsor has determined that a workshop will provide the best method to identify hazards, it is recommended that the workshop facilitator prepare for and conduct the workshop in accordance with the instructions at Appendix A Conduct a Risk Workshop.

Hazard Identification Output

Create and use a record of the hazard identification activities as the key input into the next phase of hazard analysis.

2.3 Hazard Analysis

The primary role of hazard analysis is the review, analysis and validation of information, which then provides the necessary evidence and support for the risk assessment output. The hazard analysis approach is investigative: it aims to determine the facts and put them in the context of the scope of the risk assessment.

Review and validate the following during hazard analysis:
- hazards
- causes
- consequences
- existing controls (preventative and mitigative)
- options for further control/risk reduction.

Generally, the hazard analysis process validates which:
- causes lead to specific hazards
- preventative controls are valid and align with specific hazards/consequences
- consequences could arise from hazards
- mitigative controls are valid and align with specific hazards/consequences
- options for further control/risk reduction are practicable.

Through use of this process, information captured during the hazard identification phase that is either invalid or cannot be substantiated can be disregarded.

The outputs of the hazard analysis process, as a minimum, include:
- a summary of key findings
- a validated hazard log.

Hazard Log

The creation and maintenance of a hazard log is central to the hazard analysis process. A hazard log:
- acts as the repository for all hazard-related information relating to the scope of the risk assessment or project
- can be used to manage and resolve hazard-related issues throughout a project.

The person conducting the risk assessment may use the Hazard Identification Workshop Worksheet (local instructions) to capture hazard data.

Hazards

In NSW TrainLink, the term hazard is defined as a condition that is a source of potential harm (e.g. injury or fatality). This means that no harm has actually occurred but there is the potential if the hazard is not controlled adequately.

When defining a hazard, it is important to have an appreciation of the system being assessed and the operational context.
Operational risk assessments often address both safety and operational issues. A risk assessment conducted at the network level considers hazards at the network level, whereas a risk assessment on a sub-system of a train considers only hazards in the context of that sub-system and the environment in which it interacts.

As an example, degradation of braking is a hazard that could be attributed to a train: at the brake system level in the train, the hazard associated with the brake control unit may be degradation of braking request signal. At the operations level the hazard may be loss of separation between two trains; at this level, degradation of braking is a cause for loss of separation between two trains.

The above example illustrates the hazard and cause hierarchy that needs to be managed in both the operational and safety change environments.

The Hazard Cause Relationship

When analysing the output of the hazard identification process, it is important to establish the actual hazard arising from a cause. Consider each cause in turn and identify whether there is a higher-level relationship that can link a range of causes together.

Using the above example for a train braking system, there are a number of ways degradation of braking can occur, including component or brake request signal failure. These are causes that collectively support the hazard degradation of braking. As degradation of braking can also be seen as a key relationship between the train and its operating environment, this hazard resides at the interface of the train and the operating environment. Consideration of the interface between systems can be helpful when defining hazards.

Although causes can be seen to be lower level hazards, separating causes and hazards enables more effective risk management. Hazard logs that contain a large number of hazards can be difficult to manage. At a system level (e.g. a train) there should be no more than 100 hazards. At the sub-system level, there should be significantly fewer hazards (e.g. 10). Hazard logs that claim to have more hazards are possibly poorly defined.

Causes

Causes must be reviewed in the context of the hazards arising and the controls that mitigate the hazards.
Causes are defined in the SRR at the network level. Review the SRR for related causes that might have been overlooked during the hazard identification stage. Determine if the cause, as defined, is valid, e.g. the cause communication failure, could be more specifically defined as radio communication failure or IT network communication failure. Hazard analysis must review each cause and make sure it is correctly defined and aligned with the appropriate hazards in the hazard log. If a post-workshop review exposes a specific cause as not being relevant because it cannot be linked to a hazard or a consequence, then it should be annotated appropriately and deleted. If a cause has a credible consequence but cannot be linked to a hazard, give consideration as to whether it is a hazard in its own right.

There may be a range of related causes, depending on the complexity of the risk assessment and the subject matter. Use the Fault Tree Analysis (FTA) to define the relationship.

Consequences

A consequence is defined as the nature and magnitude of harm if a hazard is realised. A consequence can take many forms as it spreads from the hazard to any number of outcomes.

The definition of consequences can vary due to the type of risk assessment:
- during a Preliminary Hazard Analysis (PHA) for a project, it may be sufficient to define a consequence as collision between two trains, or
- at a later stage in the project (e.g. SHA), the same consequence may be defined as a high speed head-on collision between two trains resulting in multiple fatalities.

The hazard analysis process must make sure that consequences are defined accurately and relate to the relevant hazards.

Worst Case Credible

To achieve a balanced, pragmatic approach to safety risk management, NSW TrainLink uses the worst case credible rather than the worst case approach to safety risk assessment. Worst case credible is defined as the plausible consequence that would cause the most harm.

While worst case credible is also applied in the operational environment, the range of other credible consequences is often considered during risk assessment, acknowledging the possibility of exposure to more than one type of consequence and the requirement for a range of mitigation strategies. This is depicted in the SRR which includes the relative potential levels of harm (from minor injury to multiple fatalities) for each consequence of a hazardous event.

The task of defining credible consequences can be complex and is often linked to the type of mitigative controls in place for the hazard. Event Tree Analysis (ETA) is a useful method when making a detailed assessment of a range of potential consequence scenarios that arise from a defined hazard.

Worst case consequences may be defined during hazard identification.
A worst case approach can be counterproductive as considering all manner of consequences (however unlikely or implausible) may take attention from the real issues. Worst case consequences offered during a workshop should be captured as this demonstrates the rigour of the process. If worst case consequences are offered during hazard analysis and the sequence of events leading to their realisation is untenable, the consequences can be disregarded and annotated with the justification for this action.

Existing Controls

Control review is a significant element of hazard analysis and, having confirmed the control is defined correctly, considers the validity, applicability and safety benefit of the range of controls offered during hazard identification.

There are generally two types of control:
- preventative controls - that contribute to the prevention of a hazard being realised
- mitigative controls - that reduce the impact of the consequence if the hazard is realised.

As a Control Owner is assigned to each control defined in the SRR, consideration of the validity and effectiveness of these controls during risk assessment must be done in consultation with the respective Control Owner.

A review of controls must take account of the Hierarchy of Controls. The Hierarchy of Controls ranks different control attributes with those considered the most effective at the top. The review of existing controls against the hierarchy of controls helps to establish the overall level of potential risk exposure. For example, if PPE is the only control currently available the exposure level is likely to be significantly greater than if engineered controls were in place. Also note that within the hierarchy of control, administrative controls are not considered to be particularly effective.

While there is a range of different interpretations of the hierarchy of control, NSW TrainLink applies the hierarchy outlined in Table 2.

Table 2 - NSW TrainLink Hierarchy of Control

| Hierarchy of Control | Action Required |
|---|---|
| Elimination | Eliminate the hazard through alternative design. Note: The alternative solution should not lead to a less acceptable product or less effective process. |
| Substitution | Replace the existing arrangements (process or physical) with a less hazardous one. |
| Engineering Controls | Introduce an engineered solution to physically separate the hazard from the exposed party. |
| Administrative Controls | Introduce additional procedures/processes to minimise exposure to the hazard. Note: Administrative controls must not be used in place of reasonably practicable engineering controls. |
| Personal Protective Clothing and Equipment (PPE) | Provide PPE to exposed groups. Note: This should only be applied as a last resort where other types of controls are not reasonably practicable. |

Figure 3 - Hierarchy of Controls

Options for Further Control/Risk Reduction

The hazard identification process may identify options for further risk reduction including potential new controls or enhancements to existing controls. Each option must be analysed against the current controls defined for each hazard and the potential safety benefit the option could provide.

The nature of any proposed control must be considered against the hierarchy of controls to determine if it is appropriate to adopt the control. For example, adding administrative controls to manage a risk already subjected to a range of procedures may not provide any real safety benefit, although in principle it could (in this context human factors analysis may be required to establish the interactions between competing procedures). However, provision of an engineered control that does away with a range of administrative controls could have significant safety benefit.

Note: When considering human factors implications, refer to Human Factors (SMS-07-SP-5145).

In the safety change environment, the focus must always be on elimination, substitution or the introduction of engineering controls. New hazards that are managed by only administrative controls and PPE should not be tolerated from a safety change project.

Note: Controls selected for introduction as part of the change process must comprise the most appropriate, reasonably practicable set. This selection requires interaction between engineers, designers, and the end user.

For risks already established in the operational environment, there may be little more that can be done in the short term to reduce risk exposure further, leaving administrative controls and PPE as the only options. However, longer term solutions that provide a more effective safety risk management solution should be sought through the SFAIRP Determination process; refer to SFAIRP Determination and Demonstration (SMS-07-OP-5085) for more information.

The analysis of options for new controls should be defined clearly and the respective safety benefit of each control determined. In doing this it has to be acknowledged that any particular control may have a range of benefits that contribute to a range of hazards and as such the benefits afforded should not be limited to a single hazard in isolation.

2.4 Risk Estimation

Risk estimation within risk assessment is:
- the process for ranking the consequences of a hazard being realised
- the process for establishing the specific risk exposure so those with the greatest exposure can be targeted and/or prioritised for risk reduction
- an iterative process and may be repeated several times, especially in the safety change environment.

There are two approaches - qualitative and quantitative:
- Qualitative - risk estimation that ranks risk in accordance with the NSW TrainLink Safety Risk Criteria and Safety Risk Matrices; this process is defined in the Risk Ranking Tables.
- Quantitative - a mathematical approach to risk estimation that applies the concept of collective and/or individual risk exposure.

Wherever practicable, the preferred approach for risk estimation in NSW TrainLink is qualitative; however, in some cases quantitative assessment is needed for extra detail.

In the safety change environment, it is important to estimate the level of risk associated with each hazard when the hazard is identified and at key milestones within the project. For safety change projects, generally every risk must be demonstrated at the point of delivery to have been reduced SFAIRP. Safety change projects often refer to risk estimation in terms of hazard ranking as only the worst case credible consequence is associated with the hazard.
In the operational environment, all risks must be assessed and ranked to determine the baseline level of safety risk exposure to enable risk management action to be prioritised. This is achieved through the SFAIRP determination process. If risk reduction options are identified, additional risk estimation is undertaken to determine the level of residual safety risk exposure that could be achieved if the options are implemented; refer to Safety of Operations and SFAIRP Determination and Demonstration (SMS-07-OP-5085).

In the operational environment risk estimation is discussed more in terms of consequence, and where appropriate each consequence arising from a single hazard may be ranked. This means that there may be a range of consequence rankings for a hazard.

Qualitative Risk Estimation

Risk is a term often applied incorrectly and in many cases is used interchangeably with hazard. For this reason the term safety risk has been defined in NSW TrainLink as the combination of the likelihood of a hazard being realised and its consequence.

Therefore, to measure safety risk it is necessary to rank the likelihood of the defined consequence occurring and its associated severity. If the consequence has been well defined, the severity ranking should be relatively straightforward. However, ranking likelihood can be more problematic from a qualitative perspective. For this reason, when ranking safety risks it is important to first determine the severity of the consequence. Once this is done it is easier to consider the safety risk in terms of only the defined severity of the consequence and assign the likelihood accordingly.

For example, if a consequence is defined as fall from platform, its likelihood may be considered quite probable as it does occur on the network. However, if a consequence is fatality arising from fall from platform in front of an oncoming train the likelihood of this is less probable. This example illustrates the importance of accurately defining a consequence in the risk estimation process and the need to clearly define the worst case credible that is being assessed.

Qualitative risk estimation is often attempted as part of a hazard identification workshop. This approach is not recommended as it relies on people's perception of risk. Ranking a risk after hazard identification and when appropriate analysis has been undertaken enables the validated data to support the risk estimation process.

In some cases, particularly if the risk assessment considers only a single hazard, risk estimation may not be necessary as the method to achieve a SFAIRP outcome may be clear. Where undertaken, risk estimation is best done by the parties who facilitated the workshop and did the hazard analysis as the necessary information should have been collated during these activities.

Where risk reduction options have been considered, the level of risk reduction each provides should be estimated and used to inform the SFAIRP evaluation element of the process; see section SFAIRP evaluation.
Once the level of risk has been estimated, the output should be sent to all risk assessment stakeholders for their review. The Risk Assessment Sponsor should make sure that comments are considered and the risk estimate reviewed as appropriate.

Quantitative Risk Estimation

Quantitative risk estimation is a specialist task and should only be undertaken by competent staff. Requests for support in this area should be made to Head of SEQR.

NSW TrainLink uses two measures for quantitative risk estimation - collective risk and individual risk. The use of these two measures is discussed in the following sections. Fault Tree Analysis (FTA) and Event Tree Analysis (ETA) are two tools that can be used to support quantitative risk estimation.

Collective Risk

Collective risk provides a measure of the safety exposure of all groups exposed to a specific hazard. Collective risk is measured in terms of equivalent fatalities per year. The equivalent fatality is an internationally recognised unit for equating injuries with fatalities:

1 Equivalent Fatality = 1 fatality, or 10 major injuries, or 200 minor injuries.

Collective risk is used to provide a meaningful comparison across a range of safety outcomes. While the unit of measure is the equivalent fatality per year, this does not mean that the assessed risk would result in that number of actual fatalities.

When using collective risk for risk estimation purposes, it is important to acknowledge which risks are classified as direct risks and which are indirect. This is to make sure that the collective risk measure enables distinction between risks over which NSW TrainLink can or cannot exert direct control.

Direct and indirect risks are defined as:
- Direct - risk associated with the causes of hazardous events over which NSW TrainLink has direct control (e.g. a train mechanical fault leading to derailment)
- Indirect - risk associated with causes that NSW TrainLink can seek to influence but cannot fully control (e.g. a trespasser struck by a train).

Failure to distinguish between direct and indirect risks within risk estimations, especially when using collective risk to compare between different types of risk, can skew risk assessment findings significantly, and result in inappropriate recommendations and risk management prioritisation.

Approximately 75% of NSW TrainLink's safety risk profile as reflected in the SRR is actually classified as indirect risk. Although indirect risks do require active management, it is important to acknowledge that such risks are significantly more difficult to manage and reduce. However, as direct risks are within NSW TrainLink's direct control, focussing safety improvement investment on these is likely to yield a greater real world safety benefit.

Individual Risk

Individual risk is the probability of a typical person in an exposed group dying during a year due to their exposure to the railway. Two specific groups are generally defined in NSW TrainLink:
- Workers - trackside staff, train crew and station staff
- Passengers - commuters.

For employee groups, individual risk calculations require assumptions about a typical working day, and that employees in the assessed category have an equal exposure to the safety risk. For passengers, calculations are based generally on a typical commuter making ten rail journeys per week.
It is not always possible to represent individual risk exposure for some groups (e.g. trespassers and members of the public) as the people concerned and their average exposures are extremely uncertain, as is consideration of the behavioural choices made. Individual risk is generally reported against a standard risk range determined by research undertaken by the UK Health and Safety Executive (see Fig. 4). This research looked at individual risk for specific groups of workers across a range of hazardous industries. This research concluded that (notwithstanding higher rates for specific groups such as deep sea fishermen and helicopter pilots), a probability of a fatality of 1 in 1,000 per annum was the most ordinarily tolerated by substantial groups of workers. The research determined this figure as a reasonable dividing line for what the vast majority of worker groups consider as being a just about tolerable risk in their working life. In considering the public being exposed involuntarily to risk, the research determined an upper tolerability level of 1 in 10,000 fatalities per annum (one tenth of that tolerated for workers) was seen as appropriate. By coincidence, this aligned with the average annual risk of dying in a car accident in the UK.

Figure 4 - Individual Risk Criteria
- Upper Limit of Tolerability (Employee): 1 in 1,000 (1 x 10^-3) / annum
- Upper Limit of Tolerability (Passenger): 1 in 10,000 (1 x 10^-4) / annum
- Upper Limit of Tolerability (All): 1 in 1,000,000 (1 x 10^-6) / annum

The lower limit of tolerability is the level below which the risk can be considered broadly acceptable, as long as adequate precautions are maintained and reviewed. The research considered that a probability of fatality of one in a million per annum, while not negligible, compared favourably with the risks to which people are routinely exposed and accept as part of everyday life (e.g. being electrocuted in the home).

2.5 SFAIRP Evaluation

The purpose of SFAIRP evaluation within safety risk assessment is to ascertain, by applying the ALARP principle as defined in SFAIRP Determination and Demonstration (SMS-07-OP-5085), whether the identified risks can be claimed to have been reduced SFAIRP and, in the event that they are not, what actions (if defined) would be required to achieve a SFAIRP situation.

The SFAIRP principle has two key elements (refer to SFAIRP Determination and Demonstration (SMS-07-OP-5085)):
- Reduce risks to the lowest level possible until the point is reached where the cost of introducing further safety measures is grossly disproportionate to the safety benefit that would be achieved.
- A risk should be tolerated only if it can be demonstrated that there is a clear benefit in doing so, i.e. there is an overarching operational need.

The SFAIRP principle must be applied to mitigate all safety risks to which NSW TrainLink is currently, or will be, exposed to as a result of changes in the operational environment.

Based on these elements, the SFAIRP principle identifies three categories of risk:

- Unacceptable: Risks are considered unacceptable regardless of the benefits associated with the activity. A risk that falls into this category must be eliminated or reduced to a level so that it falls into one of the two other categories; or there are exceptional reasons that require the activity or practice (e.g. emergency response to a train collision).
- Tolerable: Risks that people are generally prepared to tolerate to secure the benefits. Tolerable risks must be properly assessed and controlled to reduce the residual risk SFAIRP. These risks must be reviewed periodically to make sure they remain SFAIRP.
- Broadly Acceptable: Risks are considered sufficiently low and well-controlled. Further risk reduction is required only if reasonably practicable measures are available. Broadly acceptable risks are those that people would regard as insignificant or trivial in their daily lives.

SFAIRP Determination and Demonstration (SMS-07-OP-5085) identifies a range of means for assessing what is reasonably practicable:
- legal requirements
- contemporary good practice
- expert judgement
- Cost Benefit Analysis (CBA).

The first three provide a qualitative approach to determining if a control is reasonably practicable to adopt. However, they do not necessarily provide adequate justification for discounting an option; such justification must demonstrate that the option is not reasonably practicable and requires consideration of the boundary of reasonable practicability. In the safety risk management context this requires gross disproportion to be applied.

Gross Disproportion

Evaluation of the practicability of adopting safety risk reduction measures requires the measure's cost to be gauged in the context of its proposed safety benefit.
A risk reduction measure can be deemed grossly disproportionate and not reasonably practicable if the measure's total cost (discounted over its lifecycle) is greater than the combination of the safety benefit to be gained and the gross disproportion factor, as outlined in Fig. 5.

Figure 5 - Gross Disproportion Concept

Applying gross disproportion requires the risk reduction measure's cost and the safety benefit to be converted to a common unit of measurement for statistical analysis. For the comparison of costs and benefits this measure is financial (i.e. dollars).

Converting the risk reduction measure's safety benefit to a dollar value requires knowledge about the level of harm associated with the safety risk, the reduction in this safety risk the measure would provide and a financial equivalence for the Value of Prevented Fatality (VPF).

A risk reduction measure's safety benefit is expressed in terms of equivalent fatalities and must take account of the predicted number of prevented equivalent fatalities over the lifetime of the applied control measure. This means that if one equivalent fatality could be prevented every year for a control measure with a 25-year lifespan, then 25 equivalent fatalities could be prevented during the control's lifespan.

VPF is a measure of the costs associated with the loss of a life in a specific environment. These costs refer to attributes arising from a fatality such as emergency response, legal fees and insurance, but do not refer in any way to the value of human life. In essence VPF considers the financial impact to NSW TrainLink due to a fatality, acknowledging that these costs are significant and could be extremely detrimental.

The terms gross disproportion and reasonably practicable arise from UK case law and are linked inherently. However, as an explicit value for a gross disproportion factor has not been actually defined in case law, an organisation must interpret what they believe to be appropriate for their organisation. Until an incident results in prosecution of the organisation they will never know if the legal system considers their interpretation of gross disproportion to be satisfactory.

Note: Contact the Head of SEQR for information about the value for VPF, the factor of gross disproportion, and discount factors for lifecycle costs, as applied to safety risk in NSW TrainLink.

Cost Benefit Analysis

Cost Benefit Analysis (CBA) provides a measure of the relative economic merit of each proposed risk reduction option over its lifecycle.
This economic-based approach considers the options' merits from an organisational rather than unit/division perspective. No matter where they accrue, the CBA process systematically quantifies and qualifies nett costs (capital, recurrent and user) and nett safety benefits.

Note: CBA requires a significant effort and analysis of lifecycle costs. For further guidance on this issue contact the Head of SEQR.

Requirement for CBA

CBA is required if a SFAIRP evaluation requires gross disproportion to be considered. CBA may be required in cases where the safety benefits cannot be discerned readily. CBA is appropriate if the cost of the proposed controls is high, particularly where investment funding may have to be sought to implement the controls. If the cost of proposed controls is low, CBA may be considered inappropriate as the analysis effort can outweigh the value of the approach in decision making.
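The collective risk measure and the gross disproportion test described above can be worked through as follows. This is an added example, not part of the NSW TrainLink guide: the event figures, VPF, gross disproportion factor and discount rate are constructed placeholders (the guide directs readers to the Head of SEQR for the real values), the function names are hypothetical, and the "combination" of safety benefit and gross disproportion factor is assumed to be their product.

```python
from dataclasses import dataclass

# Equivalence stated in the guide: 1 equivalent fatality (EF) =
# 1 fatality, or 10 major injuries, or 200 minor injuries.
MAJOR_INJURIES_PER_EF = 10
MINOR_INJURIES_PER_EF = 200

# Constructed placeholders, NOT NSW TrainLink values.
PLACEHOLDER_VPF = 1_000_000        # dollars per prevented equivalent fatality
PLACEHOLDER_GD_FACTOR = 3.0        # gross disproportion factor
PLACEHOLDER_DISCOUNT_RATE = 0.07   # annual discount rate for lifecycle costs


@dataclass(frozen=True)
class HazardousEvent:
    name: str
    direct: bool            # True: causes are under the operator's direct control
    fatalities: float       # expected fatalities per year
    major_injuries: float   # expected major injuries per year
    minor_injuries: float   # expected minor injuries per year

    def equivalent_fatalities(self) -> float:
        """Annual harm expressed in equivalent fatalities (EF/year)."""
        return (self.fatalities
                + self.major_injuries / MAJOR_INJURIES_PER_EF
                + self.minor_injuries / MINOR_INJURIES_PER_EF)


def collective_risk(events):
    """Return (direct, indirect) collective risk in EF/year, kept separate
    so that the two kinds of risk are not compared as if they were alike."""
    direct = sum(e.equivalent_fatalities() for e in events if e.direct)
    indirect = sum(e.equivalent_fatalities() for e in events if not e.direct)
    return direct, indirect


def discounted_cost(capital, annual_cost, lifespan_years, discount_rate):
    """Capital outlay plus recurrent costs discounted over the lifecycle."""
    recurrent = sum(annual_cost / (1 + discount_rate) ** year
                    for year in range(1, lifespan_years + 1))
    return capital + recurrent


def safety_benefit(prevented_ef_per_year, lifespan_years, vpf):
    """Dollar value of the EF prevented over the control's lifespan."""
    return prevented_ef_per_year * lifespan_years * vpf


def assess_measure(capital, annual_cost, lifespan_years, prevented_ef_per_year,
                   vpf=PLACEHOLDER_VPF, gd_factor=PLACEHOLDER_GD_FACTOR,
                   discount_rate=PLACEHOLDER_DISCOUNT_RATE):
    """Compare discounted cost with benefit x gross disproportion factor
    (the product is this example's reading of 'combination')."""
    cost = discounted_cost(capital, annual_cost, lifespan_years, discount_rate)
    benefit = safety_benefit(prevented_ef_per_year, lifespan_years, vpf)
    limit = benefit * gd_factor
    return {
        "cost": cost,
        "benefit": benefit,
        "limit": limit,
        "cost_benefit_ratio": cost / benefit,
        "grossly_disproportionate": cost > limit,
    }


# Constructed sample events; the first two reuse the guide's own examples
# of a direct and an indirect risk, with made-up annual figures.
SAMPLE_EVENTS = [
    HazardousEvent("Train mechanical fault leading to derailment", True, 0.02, 0.3, 4),
    HazardousEvent("Trespasser struck by a train", False, 0.2, 0.1, 0),
    HazardousEvent("Constructed direct-risk event", True, 0.0, 0.5, 20),
]

if __name__ == "__main__":
    direct, indirect = collective_risk(SAMPLE_EVENTS)
    print(f"Direct: {direct:.2f} EF/year, indirect: {indirect:.2f} EF/year")
    # A control with a 25-year lifespan preventing 0.05 EF/year.
    result = assess_measure(capital=2_000_000, annual_cost=50_000,
                            lifespan_years=25, prevented_ef_per_year=0.05)
    for key, value in result.items():
        print(f"{key}: {value}")
```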

In the context of safety risk assessment, CBA is used primarily to determine the relationship between the nett cost of the risk reduction measure and the nett safety benefit it offers to support a decision to discount an option, by identifying whether the costs are grossly disproportionate to the safety benefits. However, given the level of uncertainty associated with the CBA process, an element of uncertainty must be determined. With this in mind, a risk reduction measure under assessment could fall into one of four bands as depicted in Fig. 6. Actions/decisions about the risk reduction measure are made in accordance with where the cost lies on the scale of gross disproportion.

Figure 6 - The Effect of Uncertainty on CBA and Reasonable Practicability

If the risk reduction measure (including the element of uncertainty):
- falls within the grossly disproportionate area - the option can be discounted from a safety perspective as not being reasonably practicable
- costs less than the safety benefit to be provided - the measure is reasonably practicable and from a safety perspective should be adopted
- is at the boundary of gross disproportion - the measure may not be reasonably practicable; a supporting qualitative argument is needed to support or discount the option
- falls within the boundary of gross disproportion - the measure is likely to be reasonably practicable; a decision not to adopt the measure must be supported by a robust qualitative argument.

The CBA's numerical output alone cannot be considered as a conclusive argument for or against a risk reduction measure and must be supported by a qualitative argument documented in the Safety Risk Assessment Report.

2.6 Reporting

All risk assessments must be formally documented. The Risk Assessment Sponsor must review and endorse safety risk assessment reports. Risk assessments with specific outcomes require independent review. For information regarding which types of risk assessment require an independent review.

Note: The independent review takes time. This time must be factored into the Risk Assessment program of work.
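The cost benefit comparison and the four bands described under Cost Benefit Analysis above, as an added worked example that is not part of the NSW TrainLink guide. The VPF, gross disproportion factor, discount rate and uncertainty margin are constructed placeholders, and the rule mapping the uncertainty range onto the four bands is one assumed reading of the text, since Figure 6 is not reproduced here.

```python
from dataclasses import dataclass

# Constructed placeholder parameters, NOT NSW TrainLink values. The guide refers
# readers to the Head of SEQR for the real VPF, factor and discount factors.
VPF = 5_000_000.0            # Value of Prevented Fatality, dollars (placeholder)
GROSS_DISPROPORTION = 3.0    # gross disproportion factor (placeholder)
DISCOUNT_RATE = 0.05         # annual discount rate (placeholder)
UNCERTAINTY = 0.25           # +/- margin on the cost/benefit ratio (placeholder)


@dataclass(frozen=True)
class Measure:
    name: str
    capital_cost: float           # up-front cost, dollars
    annual_cost: float            # recurrent and user costs per year, dollars
    prevented_ef_per_year: float  # equivalent fatalities prevented per year
    lifespan_years: int           # lifespan of the applied control measure


def present_value(annual_amount, years, rate=DISCOUNT_RATE):
    """Discount a constant end-of-year amount over the control's lifespan."""
    return sum(annual_amount / (1.0 + rate) ** year for year in range(1, years + 1))


def prevented_equivalent_fatalities(m):
    """Equivalent fatalities prevented over the lifetime of the control."""
    return m.prevented_ef_per_year * m.lifespan_years


def nett_cost(m):
    """Lifecycle cost: capital plus discounted recurrent and user costs."""
    return m.capital_cost + present_value(m.annual_cost, m.lifespan_years)


def safety_benefit(m):
    """Dollar value of the safety benefit over the lifecycle.

    Assumption of this example: the benefit stream is discounted at the same
    rate as the cost stream so that the two are comparable.
    """
    return present_value(m.prevented_ef_per_year * VPF, m.lifespan_years)


def classify(m):
    """Return (cost/benefit ratio, band) for a risk reduction measure.

    Assumed banding rule: apply the uncertainty margin to the ratio and compare
    the resulting range with 1 (cost equals benefit) and with the factor.
    """
    benefit = safety_benefit(m)
    if benefit <= 0:
        raise ValueError(f"{m.name}: no safety benefit, nothing to compare")
    ratio = nett_cost(m) / benefit
    low, high = ratio * (1 - UNCERTAINTY), ratio * (1 + UNCERTAINTY)
    if high <= 1.0:
        band = "reasonably practicable"
    elif low > GROSS_DISPROPORTION:
        band = "grossly disproportionate"
    elif high > GROSS_DISPROPORTION:
        band = "at the boundary of gross disproportion"
    else:
        band = "within the boundary of gross disproportion"
    return ratio, band


# Constructed sample measures, each preventing 0.02 equivalent fatalities a year.
SAMPLE_MEASURES = [
    Measure("Signage upgrade", 200_000, 10_000, 0.02, 25),
    Measure("Platform gap fillers", 1_000_000, 50_000, 0.02, 25),
    Measure("Level crossing barriers", 2_500_000, 100_000, 0.02, 25),
    Measure("Grade separation", 10_000_000, 100_000, 0.02, 25),
]

if __name__ == "__main__":
    for measure in SAMPLE_MEASURES:
        ratio, band = classify(measure)
        print(f"{measure.name:26s} cost/benefit = {ratio:5.2f}  ->  {band}")
```

Whatever band a measure falls into, the guide still requires the numerical output to be backed by a qualitative argument in the Safety Risk Assessment Report.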

PART 3 Environmental Risk Assessment

1 Introduction

1.1 Purpose and Scope

This Part 3 provides background information and guidance regarding environmental risk management. It's designed to support the environmental risk management model detailed within Risk Management (SMS-07-SP-5213). Part 3 contains the following sections:
- An introduction to the environmental risk management model used at NSW TrainLink
- A more detailed discussion of the steps within the environmental risk management process and how it relates to environmental risk management

This part of the guide focusses on the management of negative risks (risks with adverse consequences). Opportunities (risks with positive consequences) are a feature of the NSW TrainLink Risk Management framework, and are important to environmental risk management; however, they are not directly addressed by this document at this stage.

1.2 Background

Environmental risks can arise from the relationship between humans, human activity and the environment. Environmental risks can be grouped into two types, as follows:
- Risk to the environment, consisting of an organisational activity causing an environmental impact
- Risk to an organisation from environment-related issues, consisting of business loss through legislative non-compliance or poor reputation through either perceived or actual environmental impacts.

Environmental risk management is in principle no different from other types of risk management; however, scientific uncertainty, acute and chronic impacts, public perception and a complex chain of effects and causes can contribute to a high level of complexity.
The systematic application of effective environmental risk management:
- Reduces the environmental risk of our activities for our staff, customers, the public, the environment and our assets
- Better informs staff about environmental risks, their relationship to business and safety risks, and the reasons for controlling and reducing them
- Helps improve the organisation's environmental performance, and assists NSW TrainLink to be resilient to potential adverse environmental impacts
- Assists the implementation of better risk based decision making and planning processes
- Identifies opportunities to deliver enhanced performance and capabilities in managing environmental risk.

Risk management is in practice an iterative process that assists NSW TrainLink to achieve continual improvement through risk based decisions.

2 Environmental Risk Management Process

As NSW TrainLink has adopted Australian Standard ISO Risk Management, the management of environmental risks covers the following steps:
1. Establish the context
2. Risk Identification
3. Risk Analysis
4. Risk Evaluation
5. Risk Treatment.

2.1 Risk Management Context

The context stage defines the basic parameters within which the NSW TrainLink environmental risks must be assessed and managed. Determining the risk management context involves considering NSW TrainLink's internal and external environment and the overall purpose of the risk management activity as follows and as presented in Table 3.

NSW TrainLink Context: Examining the NSW TrainLink context involves determining those elements of the NSW TrainLink business that can influence the specific risk management process being undertaken. Both internal and external influences need to be considered and may include issues associated with being a State authority, being a public transport organisation, having historically been different organisations with different management processes and NSW TrainLink's stated vision and values.

Risk Management Context: The goals, objectives, strategies, scope and parameters of the activity, or part of the organisation to which the risk management process is being applied, should be established. This involves defining:
- Objectives and scope
- Activities and issues covered
- Composition of the team, roles and allocated resources
- Required records
- Extent of external involvement in the study.

Risk Criteria: Determine the criteria against which the risk is to be evaluated, including whether and at what level risk treatment is required, and ensuring it reflects the context defined above. Criteria can come from a number of different sources but in respect to the SMS the criteria are normally defined by the NSW TrainLink Risk Ranking Table (SMS-07-GD-5212).

Table 3 - Workplace Risk Management Context Example

Context Element / Example: Workplace Risk Register Development

External Context
- NSW TrainLink as an agency, public subsidiary organisation under RailCorp and part of the Transport for NSW
- Community expectations of service standards, accessibility, pricing, personal risk exposure and environmental performance
- Environmental legal and other requirements
- External stakeholders (local community groups, special interest groups, third party users, etc.)

Internal Context
- NSW TrainLink Policies (Environmental, Risk Management, etc.)

Risk Management Context
- NSW TrainLink Environmental Management System
- Internal structure, capacity and stakeholders
- Specific role and function of workplace/activity/etc.
- Specific risks to be addressed

Risk Criteria
- Use Risk Ranking Table
- Requirements of the risk management frameworks
- Risks to be managed within normal business processes including budgeting
- A: Unacceptable risks and B: Undesirable Risks are Priority Risks
- All Priority risks to have a risk treatment plan
- All risks progressively reduced to SFAIRP

2.2 Risk Identification

Environmental Hazards

Determining sources of environmental hazard involves identifying sources of interaction between the organisation and the environment and a range of potential incidents or events that can facilitate this interaction. An event may be a short one-off occurrence (e.g. an explosion or a spill) or it may be an ongoing situation such as an emission or minor leak or degradation from overuse. The identified hazard may also be very broad, such as the environmental impact of the electrical usage across NSW TrainLink, or local, such as the potential for release of hydrocarbon from a defined lubricant drum storage area.

It may be useful to start by comparing information on all agents, activities and processes associated with the operation against the list of hazard categories as given in Table 4.
Table 4 - Examples of Environmental Interaction and Events

Environmental Interaction
- Energy sources
- Mechanical
- Electrical
- Chemical
- Heat and cold
- Radiation
- Microbiological
- Toxicity
- Noise
- Materials
- Light

Incident
- Plant failure
- Spill or unintentional release
- Fire
- Land clearing
- Dredging
- Incorrect waste disposal
- Illegal stockpiling
- Explosion
- Flooding
- Collision
- Erosion

Examples of environmental hazards include:
- The accidental release of contaminated stormwater
- High noise levels from train operation
- A leak of toxic chemicals from a temporary storage container
- Off specification discharge of process effluent
- Overspray of weed control chemicals
- Release of offensive odours from storage tanks
- Exposure of acid sulphate soils
- Unapproved removal of protected vegetation
- Light spill from temporary lighting towers
- Failure to submit EPL Annual Return on time
- Chemical leaks from carried freight

Hazard Event Category

A set of hazard categories has been developed to assist in the identification of the wide range of environmental risks that can be relevant to environmental risk registers. There is no requirement to use the categories but they provide a useful way of subdividing the risk identification session into manageable pieces and could be used to focus attention on identifying all of the hazards associated with a single hazard category before moving onto the next. The hazard categories are presented in Table 5.
Table 5 - Hazard Categories

Hazard: Failure to adequately protect natural/cultural heritage sites

Risk: Listed European or Indigenous heritage sites subject to undue impact from operations or maintenance activity
Cause: Insufficient care taken to avoid impact on listed European or Indigenous heritage sites during operations or maintenance activity
Consequence: Direct physical damage to listed European or Indigenous heritage sites from impact; Licence/regulatory breach

Risk: Listed European or Indigenous heritage sites subject to unsympathetic upgrades
Cause: Heritage impact not adequately considered during design, planning or implementation of facility upgrades
Consequence: Indirect physical damage to listed European or Indigenous heritage sites from unsympathetic upgrades; Licence/regulatory breach

Risk: Listed European or Indigenous heritage sites subject to excessive vibration levels
Cause: Vibration levels from train operation or track equipment in excess of tolerable thresholds for old structures and/or fragile sites
Consequence: Damage to listed European or Indigenous heritage sites from vibration; Licence/regulatory breach

Risk: Native vegetation subject to potential damage or removal
Cause: Insufficient care taken to avoid damage or removal of native vegetation
Consequence: Damage or removal of native vegetation; Licence/regulatory breach

Risk: Illegal dumping of waste on land for which NSW TrainLink is responsible
Cause: Unscrupulous/opportunistic behaviour by some members of the public
Consequence: Waste products result in environmental damage; Unsightly visual impact from dumped waste

Hazard: Exposure to excessive light

Risk: Light spills from NSW TrainLink stations and facilities
Cause: Design/installation/configuration of lighting; Operation of lighting
Consequence: Loss of amenity to local community; Community concern and complaints

Hazard: Excessive Natural Resource Use and Greenhouse Gas Emissions

Risk: Excessive electricity usage in stations, sidings, stabling yards, depots, workshops, offices and other buildings.
Cause: Legacy inefficient lighting and equipment; Poor electricity management practice by staff
Consequence: Electricity usage in excess of greenhouse gas emission obligations

Risk: Excessive water usage in stations, sidings, stabling yards, depots, workshops, offices and other buildings.
Cause: Legacy inefficient water infrastructure and equipment; Poor water usage practice by staff
Consequence: Water usage in excess of good practice for sustainability

Hazard: Loss of containment of oil, fuel and hazardous substances

Risk: Loss of containment of oil, fuel and hazardous materials in depots and workshops.
Cause: Poor practice in the storage, handling or use of oil, fuel and hazardous materials; Infrastructure in poor state of repair; Rolling stock in poor state of repair
Consequence: Environmental damage due to accidental release of fuel, oil or other hazardous material; Licence/regulatory breach

Risk: Loss of containment of oil, fuel and hazardous materials in railway corridor.
Cause: Rolling stock in poor state of repair
Consequence: Environmental damage due to accidental release of fuel, oil or other hazardous material; Licence/regulatory breach

Risk: Loss of containment of oil, fuel and hazardous materials at stations.
Cause: Poor practice in the storage, handling or use of oil, fuel and hazardous materials; Infrastructure in poor state of repair; Rolling stock in poor state of repair
Consequence: Environmental damage due to accidental release of fuel, oil or other hazardous material; Licence/regulatory breach

Risk: Loss of containment of oils, fuels and hazardous materials from coaches.
Cause: Poor practice in the storage, handling or use of oils, fuels and hazardous materials in coaches; Bus/coach fault
Consequence: Environmental damage due to accidental release of fuel, oil or other hazardous material; Licence/regulatory breach

Risk: Loss of containment of refrigerant from air conditioning and fire suppression systems.
Cause: Infrastructure in poor state of repair; Rolling stock in poor state of repair; Bus/coach fault
Consequence: Spills and leaks of refrigerant from air conditioning or fire suppression systems enter the atmosphere; Licence/regulatory breach

Risk: Loss of containment of sewerage
Cause: Poor practice in the storage, decanting and discharge of sewerage; Infrastructure in poor state of repair
Consequence: Waste products result in environmental damage; Licence/regulatory breach

Risk: Incorrect use of pesticides
Cause: Poor practice in the storage, handling and use of pesticides
Consequence: Spills, leaks or unmanaged spreading of pesticides result in environmental contamination; Licence/regulatory breach

Causes

The potential causes of the environmental hazard generating the consequence need to be determined. How specific the description of cause needs to be is dependent upon how specific the description of the environmental hazard is. Table 6 gives examples of causes.

Note: A hazard may have one or more potential causes.

Table 6 - Examples of Risk Causes

Strategic Risk Causes / Operational Level Risk Causes
- Train maintenance
- Administrative control failure
- Quarrying
- Station operation
- Ballast recycling
- Pesticide application
- Vehicle operation and maintenance
- Project management
- Construction
- Cleaning
- Property management (including buying, selling and leasing)
- Procurement
- Contract management
- Poor communication (awareness, training, understanding of expectations, signage or leadership)
- Physical impact
- Excavation
- Poorly maintained equipment
- Poor design/not fit for purpose (insufficient capacity, inadequate design standards, initially designed for different duty)
- Control failure (faulty instruments, old control systems)
- Mechanical failure (including corrosion)
- Customer or third party behaviour
- Hot work
- Blasting
- Weed control activities

Risk Controls

Once a hazard has been identified and the related consequences and causes determined, the next step is to determine the controls currently in place. Risk controls can be divided into two types:
- Cause controls, which prevent the hazard from occurring
- Outcome controls, which, following the hazard occurring, prevent it from resulting in an environmental impact or mitigate its effects.

For example, a fuel tank leak hazard may have engineering standards and preventative maintenance as cause controls and the provision of spill kits and bunding as outcome controls. A variety of controls are likely to be in place for each environmental hazard. Table 7 gives examples of controls.

Table 7 - Examples of Risk Controls

Strategic Risk Controls / Operational Level Risk Controls
- Pollution abatement equipment (Equipment engineering controls
- Licences/permits
- Pollution abatement equipment
- Administrative controls (procedures, manuals, forms)
- Enterprise wide standards and policies
- Competency and training
- Designated lines of authority
- Management systems and plans
- Job descriptions, roles and responsibility definitions
- Communication (awareness, signage and induction)
- Crash barriers/bollards
- Work permit system
- Peer review
- Equipment maintenance
- Maintenance regime
- Testing and calibration
- Emergency response planning
- Engineering standards
- Contract management
- Auditing
- Insurance
- Community relations
- Process control, process monitoring and alarms
- Inspection and testing
- Security
- Spill kits
- Compliance testing

Consequences

The environmental consequences are generated from the assessment of the surrounding environment, the identification of receptors and the potential interaction with the hazard. A set of generic environmental consequences has been developed to illustrate the wide range of possible environmental risks that can be relevant to an activity and is presented in Table 8.

Table 8 - Environmental Consequences

Environmental Consequences: Description

Air Quality: Release of atmospheric pollutants affecting air quality including exhaust emissions and dust, release of ozone depleting chemicals.
Biodiversity (Plants and Animals): Loss of native flora and/or fauna, including impacts on threatened species, populations and ecological communities.
Climate Change (Energy Usage): Release of greenhouse gases, energy usage and energy efficiency issues.
Community: Community nuisance and/or other impacts not covered in the other categories such as traffic impacts and electromagnetic frequency concerns.
Heritage (Indigenous and European): Damage to Indigenous and/or non-indigenous heritage
Land and Groundwater (Contamination): Soil and/or groundwater pollution.
Landscape and Visual: Landscape or visual impacts including graffiti and light spill. It also includes erosion and land instability issues.
Noise and Vibration: Nuisance noise and vibration. Occupational health issues relating to noise and vibration should be assessed using the Safety Risk Management Framework.
Resource Use and Waste: Waste disposal, including disposal of hazardous and/or non-hazardous waste. Depletion of water and/or other mineral natural resources.
Water Quality: Surface water pollution. Sedimentation impacts from unsealed and unvegetated land.
Community and reputation: Press and general media reports, community complaints and community outrage, parliamentary impacts. Changes in stakeholder support that impacts the operation of the railway network and overall business (excludes press and general media impact). Impacts can range from developing a poor reputation to the total loss of support.
Environmental Policy: Failure to meet stated environmental policy commitments and environmental objectives and targets.
Legal and compliance: Impacts arising from prosecutions, fines, third party damage liabilities, contractual obligations and class actions. Impacts on operating and environmental licences including loss of licence, regulatory notices, licence restrictions.

In assessing the environmental consequences of the hazard it is important to consider:
- Long-term impacts
- Acute and chronic impacts
- Cumulative and synergistic impacts.

2.3 Risk Identification Checklist

Table 9 presents examples of environmental hazards, causes, controls and consequences to assist the brainstorming session members in the completion of the hazard identification and risk assessment steps. The examples do not represent every aspect of environmental hazards, causes, controls and consequences and the Session Facilitator must assist the team members to identify and consider additional and site specific aspects.

Table 9 - General Risk Assessment Checklist (Optional)

Example Hazards

Applicable regulations?
- Licensed discharge points
- Incident reporting
- Activity approvals
- Permits

Any discharges?
- Trade waste and sewage
- Stormwater
- Vents, stacks and exhausts
- Dust
- Odour
- Periodic (e.g. flooding)

Any Dangerous Goods?
- Permanent or temporary Dangerous Goods stores
- Refuelling
- LPG and other gases

Any wastes generated?
- Demolition wastes
- Construction wastes
- Routine wastes
- Illegal dumping
- Stockpiling

Any noise or vibration?
- Sirens and alarms
- Traffic
- Excavation
- Machinery

Changes to environment?
- Temporary stockpiling
- Land clearing
- Dredging
- Excavation and erosion
- Drainage
- Temp works (e.g. roads)
- Undermining or material instability
- Spraying

Features of environment?
- Bushfire hazards
- Watercourses
- Soil (e.g. acid sulfate)
- Protected species
- Wetlands
- Neighbouring land
- Existing plants
- Previous contamination

Particular activities?
- High voltage
- Third party activities
- Cleaning (chemicals)
- Weed control
- Light spillage
- Out of hours

Example Causes
- Administrative control failure
- Accidental release
- Blasting
- Collisions
- Control failure (faulty instruments, old control systems)
- Customer or third party behaviour
- Excavation
- Failure of primary and/or secondary containment (e.g. bunding)
- Fire
- Hot work
- Incorrect tool usage
- Mechanical failure (including corrosion)
- Plant failure
- Physical impact
- Poor communication (awareness, training, understanding of expectations, signage or leadership)
- Poor design/fit for purpose (insufficient capacity, inadequate design standards, initially designed for different duty)
- Poor site control
- Poorly maintained equipment
- Start-Up and Shutdown conditions

Example Consequences
- Air quality (release of air pollutants including exhaust emissions and dust.)
- Biodiversity loss (impacts on plants and/or animals)
- Community impact (traffic, fallout or noise)
- Compliance (prosecutions, fines, third party damage liabilities, contractual obligations and class actions.)
- Contamination (soil and/or groundwater pollution)
- Energy (poor energy efficiency or excessive energy use)
- Erosion and sedimentation (impacts from unsealed land)
- Heritage (damage to Indigenous and/or non-indigenous heritage)
- Landscape and Visual (including graffiti and light spill)
- Natural Resources (depletion of water and/or other natural resources)
- Noise and vibration
- Reputation (press and general media reports, community outrage and parliamentary impacts)
- Waste Disposal (including reuse, recycling and landfilling of hazardous and/or non-hazardous waste)
- Water Quality (surface water pollution)

Example Control
- Administrative controls (procedures, manuals, forms)
- Checklists
- Communication (awareness, understanding of expectations, signage and induction)
- Competency and training
- Compliance testing
- Crash barriers/bollards
- Engineering standards
- Equipment maintenance
- Emergency response
- Inspection
- Insurance
- Personal protection equipment
- Pollution abatement equipment (e.g. wastewater treatment plants)
- Process control
- Process alarms
- Security and access control
- Spill kits
- Testing and calibration
- Work permit system

2.4 Environmental Risk Analysis

Risk Ranking Table

The analysis of environmental risks at NSW TrainLink is undertaken using the NSW TrainLink Risk Ranking Table (SMS-07-GD-5212). This tool uses the identified consequences of the risk and the likelihood of the risk occurring from the hazard identification session to give a risk ranking. Figure 7 presents a generic risk ranking matrix.

[Figure 7 - Generic Risk Ranking Table: Risk Analysis Matrix plotting likelihood of event occurring against consequence of event, with regions labelled Broadly Acceptable Risk, Tolerable Risk, Undesirable Risk and Unacceptable Risk]

The risk rankings are broad types which give guidance on:
- The level of risk that NSW TrainLink is prepared to accept
- The level of effort that should be applied to the control of the risk
- The relative importance and priority of environmental risks
- NSW TrainLink's overall environmental risk exposure

Risk likelihood is the potential or possibility that a certain risk will occur. The likelihood scale represents an assessment of the chances of the risk occurring within a certain timeframe. As it is not always possible to exactly estimate the probability of a risk occurring within a specified timeframe, likelihood can be rated using one or more of the following approaches:
- Qualitative
- Frequency
- Probability

The risk consequence ranking describes the level of effect the risk may have on the environment or NSW TrainLink. The consequence level of a risk is rated by assessing the potential severity of the impact using each of the consequence types that the risk can impact. The risk types most likely to be relevant are as follows:
- Environmental - environmental performance, environmental sustainability and environmental incidents (impact to the environment, ecosystems or heritage)
- Reputation - Customer confidence, information security, fraud and corruption, media, stakeholder management, sustainability (corporate), legal / compliance / regulatory
- Regulatory
- Financial - Financial Gain or Loss in project costs, changes in operating costs, change in revenue, ability to achieve value for money, organisational efficiency, financial penalties etc.
- Customer Experience and Operational Performance - On-time-running, RSC performance measures (e.g. comfort, cleanliness etc.), asset failure consequences, capability and staff resourcing, projects efficiency and benefits, Rail Services Contract performance, capability/resourcing, project efficiency and benefits

The impact category that has the highest consequence ranking is used in the risk

Worst case credible Scenario

The use of the ranking table consequence and likelihood scales requires a qualitative or semi-quantitative assessment of the consequences identified in the risk assessment stage. Each specific risk is likely to have a number of different possible scenarios that could be placed along the consequence ranking and a corresponding number of positions along the likelihood ranking. That is, the scenario may be a small, intermediate or major incident, each with a specific consequence and likelihood.

To better determine the most appropriate risk ranking of the identified risk, the team needs to define and discuss a specific representative scenario. The scenario should be valid and credible to the team: a worst case credible scenario. That is, it is unlikely that any incident with an incredible likelihood ranking (one with an occurrence of less than once every thousand years) is a useful indication of a hazard for environmental risk management.

If there is significant variation in the controls for possible scenarios, or the team cannot agree on a single worst case credible representative scenario, it is good practice for the team to examine both a credible minor and a credible major incident. For example, with an identified risk of a release of toxic material from a storage vessel, the risk table could be used to assess the risk ranking of both a minor leak and a major leak. If in this case both of the scenarios are identified as Priority Risks then the corresponding controls should be examined. If they have the same controls then only one scenario need be entered into the risk register.
If the scenarios have different controls then the scenario information entered into the risk register should be of sufficient detail such that the subsequent plans will capture the improvement requirements of both scenarios.

Representative scenarios and their risk rankings must be recorded in the risk register to enable the reasoning behind the ranking to be traced and to facilitate the review and modification of the risk ranking as circumstances change and improvement plans are completed. All important assumptions and uncertainties should also be recognised and documented.

2.5 Risk Identification and Analysis Session Guide

It is normal practice for the risk identification and analysis steps to be undertaken in a dedicated workshop session by a group of participants with detailed knowledge of the area under review, personnel with environmental risk/impact knowledge and a risk management facilitator. The generic brainstorming risk assessment process described here covers most requirements of the SMS. More rigorous and/or quantified risk assessment methods may be required for other activities such as development approval.

The brainstorming session is the key step in the risk identification and analysis steps. The purpose of the session is to identify hazards, causes, controls, consequences and corresponding risk rankings associated with a particular activity, change or situation using the knowledge and experience of operators, management, environmental staff, contractors or other relevant personnel.

The effectiveness of the session is largely dependent on planning the session and on getting the right people involved. The session should be controlled and systematic and involve inclusive and open discussion of the issues pertinent to the scope.

The records of the risk identification and assessment sessions should ideally be recorded in real-time and be completed for all sessions to assist in the development of accurate and adequate records of the details identified. Any completed forms or notes produced should be attached as an appendix to the report produced in relation to the session.

Preparing for the session also includes sourcing and reviewing relevant information regarding the identified activities and may include:
- Operations manuals, performance specifications and data-sheets
- Plant layout drawings, schematics, maps and other visual aids
- Reports from previous audits, assessments or reviews, site inspections and interviews
- Related risk information from other corporate risk registers
- Applicable environmental licences and other permits
- Related Codes of Practice, company standards and policies
- Monitoring data, related records
- Other relevant environmental risk registers and/or relevant Project Hazard Logs
- Complaints or information from general public correspondence
- Incident reports relating to the activity or geographic area.

Table 10 Hazard Identification and Analysis Workshop Process

1) Preparation
Step: Develop context, obtain relevant information, and issue briefing note prior to session.
Suggestions and Recommendations:
- Optimum number of participants will be around 4-6 (max 8) excluding Facilitator
- External Facilitator and/or a scribe can help ensure the process is followed and enables the participants to focus on issues
- Ensure room and arrangements minimise potential for interruptions
- Recommended maximum session time of 6 hours with regular breaks
- Briefing note to include background, scope, objectives, attendees and expectations, logistical details (room, times, etc.), chairperson and supporting documentation

2) Session Intro
Step: Go over information in briefing note to ensure all have a clear understanding.
Suggestions and Recommendations:
- Go over briefing note contents to ensure there are no issues or misunderstanding
- Explain emergency and logistical arrangements
- Detail any ground rules and expectations (e.g. open discussion, no phone calls except in emergency, Chair can park issues to prevent session stalling, treat each other with respect and dignity, all comments remain in the room, etc.)
- Depending on the participants, an expert in the group can be asked to go over the subject area and/or explain maps, drawings, etc.
- Go over differences between hazards, risks, causes and controls
- Use and explain the risk register template being used to record information

RISK IDENTIFICATION

3) Hazards
Step: Identify all hazardous events relevant to the scope.
Suggestions and Recommendations:
- Include a review of the NSW TrainLink and similar workplace risk registers
- Care needs to be taken to ensure the hazard is being identified, not the cause or consequence, and that each is appropriately recorded during the session
- Can use Hazard Event Category and Environmental Interaction and Events table from the Framework to ensure all areas are adequately covered.
- Suggestion: Identify all of the interactions and events under a single category in an open discussion. Assess the hazards to determine if there are duplicates, implausible hazards and gain a general agreement or understanding on the hazards. Document the hazards for the category and then for each hazard progress from step 4) to step 6). Similarly a category can be subdivided if needed.

4) Consequences
Step: Identify the consequences associated with each identified hazard.
Suggestions and Recommendations:
- Identify exposed ecosystems, groups, areas and affected parties
- Determine applicable consequence types
- Likely to be more than one consequence type. Useful to review consequences following the identification of controls and the risk scenarios
- Document consequences (tick boxes on enterprise and workplace risk registers).

5) Causes and Controls
Step: Identify the causes and associated controls for hazard.
Suggestions and Recommendations:
- The level of detail of the causes and controls will be relative to the level of detail in the hazard description.
- Cause controls (preventing the consequence from occurring) and outcome controls (reducing the impact) both need to be identified.

RISK ANALYSIS

6) Risk scenarios
Step: Determine the risk level associated with a major and minor incident to determine the risk ranking of the hazard. Ensure all records are retained appropriately.
Suggestions and Recommendations:
- Need to consider calibrating the group members on their perception of risk
- Scenarios need to be worst credible and are recorded in sufficient detail (including assumptions) for review in the future. It is better to document the scenarios and controls of Priority Risk hazards in more detail, as they will be the basis of further assessments and improvement plans in the future.
- Need to ensure that the latest version of the Risk Ranking Table is consistently being used over session(s)
- A number of scenarios can be assessed to satisfy concerns from the group. Chair may need to select ranking (and record concerns) if there is significant disagreement.
- Suggestion: If grouping by hazard category move to next category.

7) Priority Risks
Step: Priority risks are to be assessed for immediate action.
Suggestions and Recommendations:
- Priority risks may warrant the placement of immediate and/or temporary controls (barricades, placarding, moratorium of use, etc.), particularly if they haven't previously been identified by the workgroup responsible
- The team should therefore consider the identified priority risks and agree if notification or action is required immediately to ensure the presence of the risk is adequately known and/or controlled. A person from the session should be clearly assigned responsibility for this.

8) Records
Step: Ensure all records are retained appropriately.
Suggestions and Recommendations:
- Draft minutes should be circulated to all participants for feedback
- Minutes of sessions must be retained
- Minutes will include the name of participants, date and time of session, briefing notes, risk register and any other supporting documents (e.g. copies of incident logs, marked up process flow diagrams, etc.).

2.6 Risk Treatment

Risks that cannot be tolerated must be treated. Risk treatment involves identifying the range of options for reducing the risk, assessing these options and the preparation and implementation of Risk Treatment Plans (e.g. Environmental Improvement Plans).

Priority risks must be managed and treated as a business priority and the treatment of the higher-ranked risks should be given first priority. However, if lower ranked risks can be treated simply and cheaply, then they should be completed concurrently.

Risk Treatment Hierarchy

Risk treatments should be undertaken in line with the Risk Treatment Hierarchy (Table 11), where the preference is to determine elimination and substitution risk treatments over engineering and administration controls.

Table 11 - Risk Treatment Hierarchy
[Arrow label beside table: Increasing order of Preference]

| Risk Treatment Hierarchy | Description | Example: Storage tank containing solvent |
|---|---|---|
| Elimination | Remove the hazard | Stop using solvent and remove the storage tank |
| Substitution | Replace the hazard for one with lower impact | Substitute chlorinated solvent with a lower toxicity white spirit |
| Isolation | Isolate the hazard from the impact receptor | Provide bunding and water treatment facilities for the storage tank |
| Engineering controls | Introduce/improve infrastructure, equipment and/or preventative maintenance | Introduce a double shelled storage tank and an integrity testing and maintenance regime |
| Administrative controls | Introduce/improve procedures, work instructions, contractual controls, communication methods (e.g. signage), formalised roles & responsibilities and/or training | Introduce stock reconciliation procedures and provide additional training to staff |

Assessing Risk Treatment Options

Determining which treatments are most suitable can be completed using more than one of the following methods:
- Discussions with supervisors, operators and contractors, working with the hazard on a routine basis
- Discussion with environmental, subject matter experts or other personnel with knowledge and experience of the risk
- Determining the effectiveness of existing controls on this and similar hazards through review of the risk register, monitoring records, incident records, audit records, anecdotal evidence etc.
- Completing rail sector or other benchmarking
- Gathering information and advice from Regulators
- Reviewing relevant Standards and Codes of Practice
- Obtaining risk control industry advice.

Risk treatment identification can involve a brainstorm type session as per the risk identification stage. It can also involve the same group of people, although the participants should be reviewed and it is expected that there will be some changes in personnel (e.g. the addition of a subject matter expert such as an engineer).

Whilst compliance monitoring and measurement is not a risk treatment method, the need for additional monitoring and measurement regimes should be considered at this stage to check the hazards, related risk controls and/or potential environmental impacts are suitably monitored and measured.

The selection of the most appropriate risk treatment(s) needs to be based on the SFAIRP principle and good business practice and consider:
- The potential benefits delivered by the risk treatments
- Their effectiveness in reducing risk
- The time required to implement the control measures
- The cost of implementation (time, resources and money)
- The impact of control measures on other objectives, including the introduction of new risks or issues that may affect the organisation.

Control measures that require detailed planning, a high level of approval and/or large capital expenditure may take a significant amount of time to be implemented. Under these circumstances the risk treatment identification should consider the need for temporary control measures.

Risk Treatment Plan

The management of risk treatment activities must be controlled and will normally be either integrated into normal business planning processes or be covered by a dedicated risk treatment plan. The aim of the risk treatment plan is to provide sufficient information to assist people to understand their assigned accountabilities and responsibilities, to provide the structure to facilitate the risk reduction and to monitor and manage progress.

The following information should be included in a risk treatment plan:
- A description of the risk treatment target
- The overall owner or custodian of the risk treatment plan
- The actions required to fulfil the target
- The timeframes and deadline for undertaking the actions
- The status of the actions
- The owner of each action and the overall Risk Treatment Plan.

Approval of risk treatment should be consistent with the level of authority required to implement the change and follow normal business arrangements. That is, document changes must be agreed with Document Custodians and changes to equipment, process or operations agreed with applicable managers.

Part 4 - Risk Assessment Tools

This Part 4 of the guide describes the application of the following tools:
1. NSW TrainLink HazID
2. Hazard and Operability Study (HAZOP)
3. Interface Hazard Analysis (IHA)
4. Operation and Support Hazard Analysis (OSHA)
5. Failure Modes, Effects and Criticality Analysis (FMECA)
6. Functional Failure Analysis (FFA)
7. Fault Tree Analysis (FTA)
8. Event Tree Analysis (ETA).

Note: When applying any of the above tools, consideration of human factors also needs to be taken into account, as this is an integral part of system safety. For more information regarding human factors tools to support risk assessment, refer to Human Factors (SMS-07-SP-5145).

1 NSW TrainLink HazID

NSW TrainLink HazID can be used for the majority of hazard identification exercises and is most suited to a workshop environment. It uses the Hazard Identification Workshop Worksheet template, an Excel based spreadsheet, to capture data about the hazard. An overview of the spreadsheet is provided in Fig. 8 and discussed below.

Figure 8 - Example of NSW TrainLink HazID Template

The template provides a structured approach to identifying and recording hazard identification information. The use of keywords assists hazard identification. A series of keywords to stimulate workshop attendees' discussion should be developed before the workshop; e.g.:
- Collision
- Derailment
- Operations
- Rolling stock
- Equipment
- Communications
- Environment
- Emergencies
- Fire
- Security
- Utilities.

Considering each keyword in turn assists discussion and ensures issues/concerns about the subject matter are raised. Ideally, the workshop Facilitator should focus on identifying hazards, causes and consequences (in that order). However, in order to keep the workshop flowing it is sometimes more effective to capture data in whatever order it is identified, thereby using the skills of the workshop Scribe (refer to Appendix A - Conduct a Risk Workshop) to assimilate the information appropriately within the spreadsheet.

Unless the workshop attendees are well versed in safety risk assessment techniques, it is unlikely that they will be able to clearly differentiate between hazards, causes and consequences. Indeed, it is often the case that attendees will focus on consequences (i.e. accidents) and that capturing this information first will enable the workshop to be more productive, as once a consequence has been defined, the question of what could cause it can be asked. Invariably, identified causes will also be a combination of hazards and causes. Noting this, it is often beneficial in the workshop environment not to differentiate between hazards and causes but to capture them all in the cause column. The separation can then be done outside the workshop environment as part of the data cleansing exercise.

When defining consequences, it is important to also identify those groups which are exposed to the consequence. Exposed groups could include but should not be limited to the following:
- passengers
- public
- employees
- contractors.

Once a combination of hazards, causes and consequences has been identified, the controls associated with each can be recorded. These are the controls that are currently known to be in place and provide the baseline when estimating the level of risk. If the risk assessment is for a system that is currently at the design stage, then the controls to be recorded are those that are integral and confirmed within the design.

Estimating the level of risk in the workshop environment is not recommended. However, when the risk is estimated it should be done in accordance with Safety Risk Criteria Safety Risk Matrices.

Options for further risk reduction can be recorded within the proposed control column. Once these controls are identified, it is possible to estimate the level of residual risk to be afforded if the control were in place. Once again, this activity should be conducted outside of the workshop environment.

During the workshop, any comments raised can be entered into the notes column and where further information is required to complete the assessment, actions can be captured against specific individuals in the actions column.

The Hazard Identification Workshop Worksheet template also enables the hazard identification process to be divided into a number of stages (called nodes). This is most beneficial when the risk assessment considers a process or a range of different activities that are undertaken. Each step of the process, or each specific activity, can be defined as a node. Each node can then be assessed. The benefit of this is that it provides for a more structured and focussed approach to hazard identification, enabling each element to be assessed in turn. However, it has to be acknowledged that this approach can be more time consuming and will not suit all types of hazard identification.

The workshop process continues until all keywords have been applied to each of the defined nodes (noting that not all keywords will necessarily be applicable to each node).

2 Hazard and Operability (HAZOP)

The Hazard and Operability (HAZOP) study is a well-established, recognised method of safety review that is used as a hazard identification technique in a wide range of industries. HAZOP can be applied in a range of environments but is most appropriate for:
- identifying hazards associated with the operation of equipment and/or the undertaking of processes
- exposing hazards and problems that may prevent the safe and efficient operation of the entity being assessed.

Note: The focus of HAZOP is to identify hazards and operability issues. The HAZOP process does not include the ranking of risks.

2.1 Procedure

The HAZOP method involves a structured, systematic and comprehensive examination of either process workflow diagrams or equipment/infrastructure layouts or procedures to identify potential hazards and operability issues.

A HAZOP study is undertaken by a multidisciplinary team, completely familiar with the subject being examined, and a Facilitator who should be experienced in applying HAZOP, independent of the examined subject matter and supported by a Scribe who keeps a formal record of discussions and findings.

The HAZOP technique can be applied to various environments and project stages from conceptual high level hazard capture (HAZOP Level 1) to detailed sub-system specific hazard capture (HAZOP Level 2).

HAZOP Level 1 (HAZOP 1)

HAZOP 1 is ideal for identifying hazards early in a project or to review operational processes. It can be used to identify:
- potential hazards or operability issues associated with a system, process or procedure
- relevant codes and/or standards
- areas of uncertainty or additional controls that may be required.

HAZOP 1 requires the overall system or process to be subdivided into sub systems or nodes that are examined in turn by the application of a series of generic keywords relevant to the operation (see section 1 - NSW TrainLink HazID, in this part of the guide).

The study team considers if there are situations or initiating events that may be linked to the applied keywords and considers the full list of relevant keywords in relation to each sub system or node in turn. For each keyword that applies to each node, derived causes, consequences and controls can be defined.

If an issue cannot be resolved directly within the study, a member of the team is tasked to provide the relevant information for resolution outside the workshop. The HAZOP Facilitator must follow up these actions.

At the end of the study a HAZOP report should be produced that includes:
- a brief description of the system being examined and the study approach
- a summary of the major points arising from the study
- any conclusions and recommendations for further work
- a copy of the HAZOP worksheets.

Note: HAZOP Level 1 is very similar to NSW TrainLink HAZID and the same worksheet template can be applied (although not all fields will be populated).

HAZOP Level 2 (HAZOP 2)

HAZOP 2 is much more detailed and rigorous than HAZOP 1. HAZOP 2 aims to discover how deviations from the design or process intent can occur and whether these deviations can give rise to hazards, hazardous situations or operability problems.

Like HAZOP 1 the design or process is divided into nodes. Each node is examined by considering specific parameters associated with the node and applying a series of guidewords and associated deviations. The combination of parameters, guidewords and deviations explores every imaginable way in which the node could deviate from the intended operation. Each deviation is then considered to determine both the possible causes and consequences. Any known controls that mitigate the consequences of the deviation are also noted.

HAZOP 2 Terms

Parameters are aspects of a continuous process that describe it physically, chemically, or in terms of what is happening, and are classified as specific or general, examples of which are given in Table 12.

Table 12 - HAZOP 2 Parameters

Specific: Composition, Phase, Contamination, Pressure, Flow, Temperature, Level, Viscosity, Reaction
General: Addition, Relief, Corrosion/Erosion, Sampling, Instrumentation, Service Failure, Maintenance, Testing, Transfer

Guidewords are used to qualify and quantify the intention of associated parameters to guide and stimulate the brainstorming process and expose deviation. Standard guidewords include: as well as, less, more, no, other than, part of, and reverse.

The following is an example of deviations defined by applying guidewords and parameters.

| Guideword | Parameter | Deviation |
|---|---|---|
| No | Flow | No flow |
| Reverse | Flow | Reverse flow |
| More/Less | Temperature | High/Low temperature |

At the end of the study a HAZOP report should be produced as defined for HAZOP 1.

Advantages of HAZOP
- comprehensive, structured and rigorous
- identifies causes and modes of failure
- asks "what if" questions
- includes controls/mitigating features
- applicable to a wide range of systems

Disadvantages of HAZOP
- time consuming
- tendency for loss of team direction
- hardware/process oriented
- identifies many failure events with low consequences
- single deviation focus
- no quantification of consequences

3 Interface Hazard Analysis

Interface Hazard Analysis (IHA) should be undertaken where operational or organisational issues identify specific interface concerns. An IHA is used to identify the hazards, causes, outcomes and control measures associated with inter-related or inter-dependent systems and/or processes.

IHA focuses specifically on the definition and control of interface hazards. IHA has particular application when:
- setting up and reviewing Safety Interface Agreements
- introducing new technology that could impact on multiple systems, such as signalling, rolling stock, communications, or one that impacts on external parties
- introducing new procedures that impact a range of divisions and stakeholders (both internal and external).

3.1 Procedure

The initial process of IHA is similar to NSW TrainLink HazID and uses the same Hazard Identification Workshop Worksheet template to capture data that is then subjected to more detailed analysis as defined in this guide.

When conducting IHA it is important that:
- the parties involved provide a broad representation of the various interfacing aspects
- each interface in the scope of the assessment is defined clearly at an appropriate boundary and responsibility for the interface determined.

Boundaries should be selected to coincide with the logical delineation of sub-systems. Each interface is defined and documented in terms suitable to their function and construction. Interfaces may have a number of characteristics but, depending on the particular interface, will predominantly be one of the following:
- physical, structural and mechanical
- technical
- electrical
- functional/operational
- electromagnetic
- human
- environmental.

Note: IHA can be conducted as a desktop exercise as well as in a workshop environment.

3.2 Results

The IHA output is a listing of all identified hazards, causes and consequences. The IHA should define responsibilities for the various control measures identified and their interdependencies clearly.

4 Operating and Support Hazard Analysis

Operating and Support Hazard Analysis (OSHA) is conducted where there is a perceived degree of operator, maintainer or procedural risk to evaluate:
- potential failures of the system in the operational environment
- activities for hazards or risks introduced into the system by operational, maintenance and support procedures
- the adequacy of those procedures to eliminate, control or minimise identified risks.

OSHA focuses particularly on human factors matters and should consider the requirements defined in the Human Factors System Procedures. OSHA should always consider normal, degraded and emergency modes of operation.

4.1 Procedure

The OSHA process is conducted the same as NSW TrainLink HazID and uses the same Hazard Identification Workshop Worksheet template to capture data. It identifies and evaluates specific hazards that result from implementing operations or tasks performed by persons, and pays particular attention to:
- planned system configuration
- facility interfaces
- planned operating and maintenance environments
- supporting tools or other equipment, including software
- operational or task sequence
- potential for human errors.

4.2 Results

The OSHA output includes a list of identified hazards, causes, consequences and the relevant control measures. In addition, the following should also be addressed:
- activities that occur under hazardous conditions, their time periods, and the actions required to minimise risk during these activities/time periods
- changes needed to functional or design requirements for system hardware/software, facilities, tooling, or support/test equipment to eliminate or control hazards or reduce associated risks
- requirements for safety devices and equipment, including personnel safety and life support equipment
- warnings, cautions and special emergency procedures (e.g. exit, rescue and escape) including those necessitated by the failure of a computer software controlled operation to produce the expected and required safe result or indication
- requirements for hazardous materials packaging, handling, storage, transportation, maintenance and disposal
- requirements for safety training and personnel certification
- effects of non-developmental hardware and software across the interface with other system components or sub systems
- potentially hazardous system states under operator control.

5 Failure Modes, Effects and Criticality Analysis

Failure Modes, Effects and Criticality Analysis (FMECA) is used to examine the particular hazards and failure modes associated with single failures within systems, sub-systems, equipment or components. The FMECA identifies the effects of single component equipment and/or sub system failures on the system's overall functioning, and thereby on the functioning of the railway itself.

FMECAs can be used in either the reliability or safety assessment context. In the safety change environment, FMECA is most likely undertaken during a SHA.

Note: Only personnel experienced in the technique should undertake FMECA. Generally in NSW TrainLink, this experience is associated with systems/reliability engineers and system safety professionals. Seek SEQR business unit's support if there is a need to undertake FMECA.

5.1 Procedure

The FMECA process is defined in the NSW TrainLink Asset Management Methodology (RAMM) - Asset Management Manual. When performing FMECA:
- use the most up to date system information to prepare the functional analysis and FMECA
- ensure that the scope is defined clearly
- ensure the system being analysed is specified adequately in terms of its limits (i.e. the boundary of the system) and each function of the system
- use the FMECA process as a part of the design process, and feed results into the design
- keep a record of reference drawings, systems descriptions and other information used in the FMECA
- prepare a functional block diagram that represents the system and its associated sub systems and/or modules.

The system's functions should be stated clearly, including the primary functions for which the system has been designed, and additional secondary functions for which the system is also used or which limit the usage of the system.

5.2 Results

FMECA identifies the system's failure modes and provides an indication of the corrective actions required to ensure the system is not unduly vulnerable, from the perspective of safety and/or reliability, to the effects of single component failures. FMECA supplies information critical to system design and configuration.

Advantages of FMECA
- very rigorous and comprehensive
- enables all system components to be examined systematically
- identifies the most significant failure events

Disadvantages of FMECA
- very time consuming
- hardware orientated especially electronic systems
- can be an overkill for process/mechanical systems
- generates many insignificant or unimportant failure modes
- can miss hazards e.g. inter-system, external events
- can stifle brainstorming or creativity

6 Functional Failure Analysis

Functional Failure Analysis (FFA) is used to assess the effects of functional failure of a system in an operational environment. The technique can be applied to any system where specific functions of that system can be defined. In NSW TrainLink, FFA is particularly useful when applied to:
- Black Box studies - where the system functions are known, based on the system's inputs and outputs, but the specific system design is unclear (particularly applicable where the system comprises software)
- organisational studies - which define the safety related functions of a specific part of the organisation.

6.1 Procedure

To undertake FFA, the set of functions for the system under investigation must be defined first. At the highest level, this can be a simple list of system functions. At a detailed level, the functions might be defined in either a function hierarchy diagram or in specific design representations including but not limited to:
- mechanical drawings
- function block or reliability block diagrams
- system requirements notations
- software design notations.

For organisational studies, functions of the organisation already captured in a RACI matrix may also be subject to FFA.

When defining functions, the complete function, not just a specific aspect or contribution to the function, must be defined (e.g. the software contribution is defined but the hardware element has been overlooked).

For each function, the effects of functional failure are determined by considering three categories of failure:
- loss of function - considers loss ranging from total loss to partial/periodic and/or intermittent loss
- function provided when not required - considers all aspects where the function is required only at specific times but is provided at the incorrect time
- incorrect operation of function - a catch all scenario that considers all other potential failure attributes of the function.

Application of the failure categories requires a "what if" scenario approach to determine all foreseeable failure events. This approach should be supplemented by considering routine and non-routine variations in the operational environment to determine whether the failure effects could vary between environments. Examples to consider include:
- normal operations - operations within the intended environment
- abnormal operations - operations outside the intended environment including emergencies
- failures in related systems - although related systems may be functionally separate, their failure could impact on the operational environment of the system being analysed
- external factors - including geography and climate.

Failure effects can be safety or non-safety in nature. Those that are safety related can be classified by considering the severity of the effect; done by applying the appropriate consequence ranking from either the Level 1 or Level 2 NSW TrainLink safety Risk Matrix.

6.2 Results

FFA results need to be captured in an FFA worksheet in the format outlined in Table 13.

Table 13 - Example of FFA Worksheet

| Function | Failure Condition | Operational Environment | Effect | Classification | Comments |
|---|---|---|---|---|---|

FFA is complementary to hazard identification in that the failure condition generally aligns with a hazard. FFA focuses on the consequences of specific failure conditions thus enabling, where required, the severity of such consequences to be ranked. In design situations these rankings can be used to inform the definition of derived safety requirements for the specified system.

FFA is not used to explore the causes of functional failure. FFA should be used in combination with other tools such as FTA to determine the causes of functional failure. When considering organisational functions (e.g. a specific Division), those functions with a safety related effect must be investigated further to specifically identify the causes.

61 6.3 RACI Matrix The RACI matrix is a useful tool for defining specific functions (tasks) and the resources associated with those functions. The responsibilities for each function are defined in accordance with the following, the acronym of which spells RACI: Responsible - the resource who undertakes the function; generally only one resource is defined as responsible Accountable - the resource ultimately accountable for the function being undertaken correctly; there must only be one accountable resource for each function Consulted - those resources whose opinions are sought about the function and with whom there is two-way communication Informed - those resources that need to be told about the function but have no direct input to the undertaking of the function; communication with these resources is one way only (i.e. to the informed resource). RACI is a useful approach to adopt whenever there is a need to define the functions of a specific part of NSW TrainLink and the relationship-specific resources have to those functions. The RACI matrix aids identification of changes in functionality and responsibility; applying FFA to the functions defined within a RACI enables safety related functions to be determined. Table 14 provides an example of using RACI to define responsibilities. Table 14 - Example of Responsibility Definition Using the RACI Matrix Function (Task) Resource A Resource B Resource C Resource D Resource E Resource F Function 1 R A C I Function 2 R A C I Function 3 C I C R A 7 Fault Tree Analysis Fault Tree Analysis (FTA) is used primarily to model the logical interrelationships between events that could combine to give rise to a hazardous situation. The purpose of FTA is to determine the combinations of human and equipment faults and failures that can result in system level failures or undesired hazardous situations. For example, a train fire could occur as a result of various events. 
FTA can be used qualitatively to define the logical relationship between failure events, and quantitatively to determine the overall frequency or probability of these events and the defined top event. In the safety change environment, FTA is most likely done during System Hazard Analysis (SHA).

Note: FTA is a complex analysis process and should be undertaken only by personnel experienced in the technique. Seek the SEQR Business Unit's support if there is a need to undertake an FTA.

7.1 Procedure

FTA involves the preparation of a logic diagram that traces a series of contributory events through to an undesirable outcome (the top event) such as the realisation of a hazard (a hazardous event). In the context of a hazard being realised, all contributory events would be considered causes of the hazard, either in isolation or in combination with other causes.

Note: While the top event is generally defined as the specific hazardous event aligned with the realisation of a hazard, it may be defined anywhere within a particular sequence of events from the causes to a specific consequence. The top event is chosen as the one that aligns best with the nature of analysis required.

Once the top event is defined, the process continues with each contributing event being scrutinised for its causes until an event with no further contributing cause can be found; this is the base event. The analysis may also end if some of the causes lie outside the domain of the analysis such as in another system which is not part of the review. However, once identified, these causes should be noted separately as further analysis is necessary. Figure 4 provides an illustrative example of a fault tree.

A number of proprietary software tools are available to construct fault trees. NSW TrainLink holds multiple user licences for Relex Fault Tree/Event Tree which is available for experienced practitioners. Contact the Principal Operational Risk Adviser for further information.

Figure 9 - Illustrative Example of a Fault Tree
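The qualitative and quantitative uses of FTA described in sections 7 and 7.1, as an added example that is not part of the NSW TrainLink guide: a small AND/OR fault tree is reduced to its minimal cut sets, the top-event probability is calculated, and cut sets that depend on a cause outside the analysis are flagged. The tree, the event names and the probabilities are constructed for illustration, and base events are assumed to be independent.

```python
from itertools import product
from math import prod

# Constructed fault tree for illustration. Event names and probabilities are
# assumptions made for this example, not values from the guide.
GATES = {
    "UNCONTROLLED_TRAIN_FIRE": ("AND", ["IGNITION", "FUEL", "SUPPRESSION_FAILS"]),
    "IGNITION": ("OR", ["ELECTRICAL_FAULT", "OVERHEATED_BRAKE"]),
    "FUEL": ("OR", ["RUBBISH_BUILD_UP", "EXTERNAL_FUEL_LEAK"]),
    # ELECTRICAL_FAULT appears twice: it is also assumed to disable detection.
    "SUPPRESSION_FAILS": ("OR", ["ELECTRICAL_FAULT", "EXTINGUISHER_MISSING"]),
}
# Base events: no further contributing cause is sought (assumed probabilities).
BASE_PROB = {
    "ELECTRICAL_FAULT": 0.01,
    "OVERHEATED_BRAKE": 0.02,
    "RUBBISH_BUILD_UP": 0.1,
    "EXTERNAL_FUEL_LEAK": 0.05,
    "EXTINGUISHER_MISSING": 0.1,
}
# Causes that lie in another system: analysis stops here, but they are flagged.
OUTSIDE_SCOPE = {"EXTERNAL_FUEL_LEAK"}
TOP = "UNCONTROLLED_TRAIN_FIRE"


def minimal_cut_sets(node, gates=GATES):
    """Qualitative FTA: smallest sets of base events that cause `node`."""
    if node not in gates:
        return [frozenset([node])]
    kind, children = gates[node]
    child_sets = [minimal_cut_sets(c, gates) for c in children]
    if kind == "OR":
        candidates = [cs for sets in child_sets for cs in sets]
    elif kind == "AND":
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate type {kind!r} at {node}")
    unique = set(candidates)
    # Drop any set that strictly contains another one (it is not minimal).
    minimal = [s for s in unique if not any(o < s for o in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def occurs(node, state, gates=GATES):
    """Evaluate the tree for one true/false assignment of the base events."""
    if node not in gates:
        return state[node]
    kind, children = gates[node]
    results = (occurs(c, state, gates) for c in children)
    return all(results) if kind == "AND" else any(results)


def exact_probability(top=TOP, gates=GATES, probs=BASE_PROB):
    """Quantitative FTA: sum the probability of every base-event state in
    which `top` occurs (exact for independent base events)."""
    names = sorted(probs)
    total = 0.0
    for values in product([False, True], repeat=len(names)):
        state = dict(zip(names, values))
        if occurs(top, state, gates):
            total += prod(probs[n] if state[n] else 1 - probs[n] for n in names)
    return total


def rare_event_bound(top=TOP, gates=GATES, probs=BASE_PROB):
    """Upper bound: sum of the probability products of the minimal cut sets."""
    return sum(prod(probs[e] for e in cs) for cs in minimal_cut_sets(top, gates))


def naive_gate_product(node=TOP, gates=GATES, probs=BASE_PROB):
    """Gate-by-gate arithmetic that wrongly treats branches as independent;
    included only to expose the error caused by the repeated event."""
    if node not in gates:
        return probs[node]
    kind, children = gates[node]
    ps = [naive_gate_product(c, gates, probs) for c in children]
    return prod(ps) if kind == "AND" else 1 - prod(1 - p for p in ps)


def cut_sets_outside_scope(top=TOP, gates=GATES, outside=OUTSIDE_SCOPE):
    """Cut sets relying on a cause outside the analysis, to be noted separately."""
    return [cs for cs in minimal_cut_sets(top, gates) if cs & outside]


if __name__ == "__main__":
    for cs in minimal_cut_sets(TOP):
        print(sorted(cs))
    print("exact:", exact_probability())
    print("rare-event bound:", rare_event_bound())
    print("naive gate product:", naive_gate_product())
    print("needs further analysis:", [sorted(c) for c in cut_sets_outside_scope()])
```

Because the repeated event sits under two branches of the AND gate, two of the four minimal cut sets contain only two events, and multiplying gate probabilities without accounting for it understates the top-event probability.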


More information

PRO Lifting Operations

PRO Lifting Operations MS&L Procedure PRO-4.5-0001-1-06 Lifting Operations Document Owner: Bill Kruesi HSSE Manager - Asset Mgmt. Owen Quake ANZ Engineering Authority Approved By: Bill Kruesi HSSE Manager - Asset Mgmt. Control

More information

SRC DOCUMENT 12 ASSESSMENT OF THE EATM AIR NAVIGATION SYSTEM SAFETY ASSESSMENT METHODOLOGY AS A MEANS OF COMPLIANCE WITH ESARR 4

SRC DOCUMENT 12 ASSESSMENT OF THE EATM AIR NAVIGATION SYSTEM SAFETY ASSESSMENT METHODOLOGY AS A MEANS OF COMPLIANCE WITH ESARR 4 EUROPEAN ORGANISATION FOR THE SAFETY OF AIR NAVIGATION EUROCONTROL SAFETY REGULATION COMMISSION DOCUMENT (SRC DOC) SRC DOCUMENT 12 ASSESSMENT OF THE EATM AIR NAVIGATION SYSTEM SAFETY ASSESSMENT METHODOLOGY

More information

PI MODERN RELIABILITY TECHNIQUES OBJECTIVES. 5.1 Describe each of the following reliability assessment techniques by:

PI MODERN RELIABILITY TECHNIQUES OBJECTIVES. 5.1 Describe each of the following reliability assessment techniques by: PI 21. 05 PI 21. 05 MODERN RELIABILITY TECHNIQUES OBJECTIVES 5.1 Describe each of the following reliability assessment techniques by: ~) Stating its purpose. i1) Giving an e ample of where it is used.

More information

Release: 1. UEPOPL002A Licence to operate a reciprocating steam engine

Release: 1. UEPOPL002A Licence to operate a reciprocating steam engine Release: 1 UEPOPL002A Licence to operate a reciprocating steam engine UEPOPL002A Licence to operate a reciprocating steam engine Modification History Not applicable. Unit Descriptor Unit Descriptor 1)

More information

INTERIM ADVICE NOTE 150/11. Temporary Traffic Management Signing: Simplification of lane change zone signing for relaxation schemes.

INTERIM ADVICE NOTE 150/11. Temporary Traffic Management Signing: Simplification of lane change zone signing for relaxation schemes. INTERIM ADVICE NOTE 150/11 Temporary Traffic Management Signing: Simplification of lane change zone signing for relaxation schemes Summary Guidance to those planning traffic management on omission of certain

More information

CONTRACTOR SAFETY INDUCTION HANDBOOK

CONTRACTOR SAFETY INDUCTION HANDBOOK CONTRACTOR SAFETY INDUCTION HANDBOOK As a valued contractor for Total Group we would ask that you read and carefully consider the details included in this document. Total Group carry out work for a number

More information

CONTENTS PREFACE 1.0 INTRODUCTION AND SCOPE 2.0 POLICY AND GOVERNANCE 3.0 SUMMARY OF PROGRESS 4.0 NATURE OF DEMAND 5.0 TRAVEL AND PARKING INITIATIVES

CONTENTS PREFACE 1.0 INTRODUCTION AND SCOPE 2.0 POLICY AND GOVERNANCE 3.0 SUMMARY OF PROGRESS 4.0 NATURE OF DEMAND 5.0 TRAVEL AND PARKING INITIATIVES CONTENTS PREFACE 1.0 INTRODUCTION AND SCOPE 2.0 POLICY AND GOVERNANCE 3.0 SUMMARY OF PROGRESS 4.0 NATURE OF DEMAND 5.0 TRAVEL AND PARKING INITIATIVES 6.0. TARGETS PREFACE The University of St Andrews has

More information

Application of pipeline risk assessment to proposed developments in the vicinity of high pressure Natural Gas pipelines

Application of pipeline risk assessment to proposed developments in the vicinity of high pressure Natural Gas pipelines Communication 1737 Application of pipeline risk assessment to proposed developments in the vicinity of high pressure Natural Gas pipelines Founded 1863 Royal Charter 1929 Patron: Her Majesty the Queen

More information

IWR PLANNING SUITE II PCOP WEBINAR SERIES. Laura Witherow (IWR) and Monique Savage (MVP) 26 July

IWR PLANNING SUITE II PCOP WEBINAR SERIES. Laura Witherow (IWR) and Monique Savage (MVP) 26 July IWR PLANNING SUITE II 1 255 255 255 237 237 237 0 0 0 217 217 217 163 163 163 200 200 200 131 132 122 239 65 53 80 119 27 PCOP WEBINAR SERIES 110 135 120 252 174.59 112 92 56 62 102 130 102 56 48 130 120

More information

Policy for Evaluation of Certification Maintenance Requirements

Policy for Evaluation of Certification Maintenance Requirements Circular No. 1-319 Policy for Evaluation of Certification Maintenance Requirements April 11, 2013 First Issue Airworthiness Division, Aviation Safety and Security Department Japan Civil Aviation Bureau

More information