Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT

Transcription

1 SYDNEY TRAINS SAFETY MANAGEMENT SYSTEM OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT Purpose Scope Process flow This operating procedure supports SMS-07-SP-3067 Manage Safety Change and establishes the procedure to develop and manage hazard logs. This procedure must be applied to all safety changes assessed as significant or important through the SCARD process. However, the procedure may also be applied to any other activities that require a hazard log to be maintained. Process 7.6 Hazard Log Management Develop a hazard log Maintain the hazard log Participate in interface arrangements for third party hazard logs Baseline and archive hazard logs Figure 1 Process flow for hazard log management UNCONTROLLED COPY WHEN PRINTED Page 1 of 13

2 Procedure Note Guidance on hazard identification tools and techniques is available in SMS-07-GD-3084 Hazard Identification and Safety Risk Assessment. 7.6: Hazard Log Management The hazard log is used for hazard management throughout the safety change lifecycle (refer to SMS-07-OP-3086 Managing Safety Change for details of the lifecycle). The hazard log is an ongoing tool used to manage hazards, supporting SFAIRP demonstration by: logging all identified hazards in the course of the safety change activity recording the identification and development of appropriate controls documenting defined safety requirements providing traceability to supporting evidence recording changes to hazard records or controls along with any justification for the changes. The hazard log is initially populated with hazards identified in the Preliminary Hazard Analysis (PHA) and, as the project progresses, additional hazards may be identified (through a variety of mechanisms) and added to the hazard log. Each hazard must be assessed and the associated risk reduced SFAIRP (refer to SMS-07-OP-3085 SFAIRP Determination and Demonstration) : Develop a hazard log The Change Sponsor is initially responsible for the following procedure. Procedure 1. Nominate a suitably-qualified and experienced Hazard Log Manager (HLM) for the project or safety change to develop and maintain a projectspecific hazard log. 2. Make sure the hazard log is established and maintained correctly to make sure it is complete and up to date for all important and significant changes. 3. Make sure hazards have been adequately managed SFAIRP before closure. 4. Make sure all relevant hazards are closed out or their residual risk endorsed by appropriate authorities prior to entering operation (refer to SMS-07-OP-3087 Conduct Operational Readiness Safety Verification). Sydney Trains UNCONTROLLED COPY WHEN PRINTED Page 2 of 13

3 7.6.1: (continued) The HLM is responsible for the following procedure. Procedure 1. Populate the hazard log with hazards identified in the PHA: enter the hazard description describe the basis of hazard identification (i.e. PHA or design review) assign a hazard owner state the hazard status list the exposed groups identify the hazard causes and potential hazard consequences list the associated hazard controls identified from hazard identification techniques (controls are classified as either design, engineering or procedural). Include the safety requirements and verification and validation activities (evidence would typically be a reference to a test specification, survey results or a control procedure) and closure references state the risk assessment consequence, likelihood and risk ranking. 2. Notify the identified actionee of all relevant actions. Role of the HLM The Change Sponsor must nominate a suitably qualified and experienced Hazard Log Manager (HLM) for the project or safety change. The role includes developing and maintaining a project-specific hazard log. Generally, the Safety Assurance Manager will perform the role of HLM. However, for large projects, another project member may perform the role of HLM, working under the relevant Safety Assurance Manager. This is subject to project-specific considerations such as workload and complexity. The determination is made by the Safety Assurance Manager and detailed in the Safety Change Plan. Guidance on the level of competence of a Safety Assurance Manager is provided in the SMS-07-SP-3067 Manage Safety Change system procedure. Sydney Trains UNCONTROLLED COPY WHEN PRINTED Page 3 of 13

4 7.6.2: Maintain the hazard log The Hazard Log Manager is responsible for the following procedure unless stated otherwise. Procedure 1. Upload relevant evidence from actions and verification and validation activities when received from actionees and SMEs. 2. Update control, action, and hazard status after receipt of relevant supporting documentation and confirmation from the relevant SME or Level 3 Manager. (see Table 1 below for details the standard status levels and provides a brief description of each). 3. Edit changes to the hazard log using the hazard log journal, as required. 4. Set up and chair a Hazard Log Working Group (if required for more significant projects) and make sure appropriate stakeholder reviews prior to closing any hazards. 5. Close the action status once the closure evidence has been provided. 6. Baseline and archive the hazard log at relevant stages in the project lifecycle. Table 1 Hazard status Status Open Cancelled Resolved Verified Closed Transferred Description The Hazard has been identified; controls and activities to close the hazard have not been agreed. The identified issue has been determined not to be a hazard or is covered by another hazard. Sufficient controls have been identified to address the hazard, which have been agreed but not verified and validated (i.e. controls identified that will reduce the risk SFAIRP). All identified controls have been verified as present in the approved design documentation as able to meet the necessary safety requirements, but have not been implemented and validated (i.e. all necessary design phase activities have been completed). All activities and controls required to close the hazard have been completed, including validation and verification activities. Agreement reached between relevant stakeholders to transfer the hazard elsewhere and acceptance received by the recipient. Sydney Trains UNCONTROLLED COPY WHEN PRINTED Page 4 of 13

5 7.6.3: Participate in interface arrangements for third party hazard logs In a number of projects, an interface between Sydney Trains and a third party will be required, with hazard logs provided by a third party supplier (e.g. TPD, ARTC, etc.). The risks presented by the identified system failures, any equipment failure frequency, and Safety Integrity Level requirements must be understood by the third party to make sure the assessed risk is tolerable and reduced SFAIRP (see Figure 2 below). Hazard Log Manager is responsible for the following procedure. Procedure 1. Reduce risk SFAIRP through: attendance of appropriate Sydney Trains personnel at hazard assessment workshops, design reviews by Sydney Trains SMEs and regular reviews of the Third Party and Sydney Trains hazard logs to make sure of continuity. 2. Review the identified hazard on an operational basis with the assessed risk, based on consequence and likelihood, within the operational environment. Use a credible data source (i.e. SRR, incident databases, etc.). 3. Record in the hazard log the potential system failures and assess for the impact on the operational network. 4. Describe the interface management arrangements for the project in the Safety Change Plan including the process for the third party to provide Sydney Trains with the identified system hazards, and a mechanism for accepting and integrating any operational safety requirements back into the design process (see SMS-07-OP-3086 Managing Safety Change). Figure 2 Third party hazard log interfaces Sydney Trains UNCONTROLLED COPY WHEN PRINTED Page 5 of 13

6 7.6.4: Baseline and archive hazard logs Archiving hazard logs make sure they are available in the future as the basis for similar safety changes, so similar or generic hazards can be identified and adequately addressed. The Hazard Log Manager is responsible for the following procedure. Procedure 1. Periodically generate a formal documented release (baseline) of the hazard log. 2. Create a baseline hazard log for each SAR to make sure that an auditable and retrievable log is submitted with the safety assurance document. (Refer to the local Safety Assurance Documentation guide for further details regarding the contents of the Safety Assurance Report and presentation of the safety argument). 3. At the end of the safety change, archive the hazard log so it is securely stored. References SMS-07-OP-3086 Managing Safety Change SMS-07-GD-3084 Hazard Identification and Safety Risk Assessment SMS-07-OP-3085 SFAIRP Determination and Demonstration SMS-07-OP-3087 Conduct Operational Readiness Safety Verification The following document is available on the Risk Division SharePoint site. Safety Change Plan template. Version Control Version Change from previous Date Comment 1.0 First release of Sydney Trains SMS 01/07/2013 Launch of Sydney Trains SMS documents 1.1 Scheduled update of document 18/01/2018 Minor updates generally relating to organizational structural change. Minor changes to clarify process. Sydney Trains UNCONTROLLED COPY WHEN PRINTED Page 6 of 13

7 Appendix A- Hazard Log Management Deploying a diverse hazard identification processes is necessary prior to developing the hazard log and throughout the safety change lifecycle. An effective core process is the Preliminary Hazard Analysis (PHA), which may be supplemented by other processes such as System Hazard Analysis (SHA), Interface Hazard Analysis (IHA), and Human Reliability Analysis (HRA). Identifying hazards, hazard causes and consequences is central to hazard analysis and to demonstrate the effectiveness of the existing and proposed protection systems. As the safety analysis or design evolves, the list of hazards and the controls needed to guard against the identified causes, hazards, and accident sequences are developed. This is an interactive process feeding from and back into the hazard log. The hazard log needs to be transparent and auditable at every stage in the development of the safety change. Its audit trail needs to refer back to the hazard identification activities and reports and any other analyses from which it was generated, and refer forward to the safety systems verification and validation activities. The hazard log needs to reflect the details of the system as built, in particular if this deviates from any intended design functionality. For new designs, the hazard log needs to reflect the currently approved design stage. The hazard log must be viewed as a living entity throughout the safety analysis and design development lifecycle. As the project develops, further hazard identification exercises will be required and the hazard log updated on the basis of their output. Therefore, at any given stage of a project, the hazard log represents the most complete set of reasonably foreseeable hazards. Hazard log process The Safety Change Plan must set out the arrangements in place for hazard log management, including the individual roles responsible for maintaining, reviewing and updating the hazard log and how the information in the hazard log will be managed at completion of the change activity, including authority for hazard closure. As a starting point for the construction of a hazard log, a listing of relevant hazards and associated controls must be identified using various hazard identification techniques outlined in SMS-07-SP Manage Safety Change. Preliminary hazard identification studies must form the initial basis for the hazard log, which must be maintained and continually updated throughout the safety change lifecycle. As the safety analysis proceeds for new design or safety changes, the hazard log must be developed on the basis of iteration with: hazard analysis human factors and task analysis engineering and design validation process subsequent structured hazard identification exercises and design reviews. The method of hazard identification must be identified in the hazard log, with references provided to the sources of all identified hazards or causes. Sydney Trains UNCONTROLLED COPY WHEN PRINTED Page 7 of 13

8 Note A number of generic hazard sources may be utilised to identify relevant project-specific hazards such as previous hazard logs of similar projects, and generic Project Hazard Logs for certain activities and project types. The hazard log must identify and distinguish the protective safety controls (i.e. those that protect against hazard causes or terminate the accident sequence progression) and mitigative safety controls (i.e. those that act to reduce or protect against the consequences of a hazard after such an event has occurred). All hazards must be included in the hazard log; hazards must not be excluded from the hazard log on the basis that their individual frequency is judged to be low, since the impact from a number of low frequency sequences may be significant and require protective controls to be adequately identified. Some hazards may adversely affect other areas outside the project or system boundaries (e.g. domino effects, impacts on services or latent hazards). These hazards should also be identified and managed within the project. The hazard log (and analysis) must cover all planned operating modes and configurations, including commissioning, operation and maintenance phases. The hazard log must include latent hazards potentially occurring during maintenance; the entries for such hazards must include identification of the conditions or additional failures necessary to activate the latent hazard. Hazard description An unambiguous description of each hazard must be provided. A hazard must be considered as a potential source of harm and must be written in such a manner. Examples of hazards are: Incorrect Movement Authority Braking Curve Not Achieved. These hazard descriptions identify the underlying condition on the boundary of the system under consideration that could lead to an accident, rather than the accident itself. The hazard description must be written in a consistent manner that allows similar hazards to be identified and minimise the potential for multiple entries of the same hazard. To make sure there is an audit trail between the hazard identification process and any subsequent safety analysis, each hazard entry in the hazard log must refer to the hazard identification source where the hazard is identified. There may be several diverse identification processes, for example, the PHA during which the hazard was first identified, and subsequent task analysis where the related causes and/or consequences were developed. Sydney Trains UNCONTROLLED COPY WHEN PRINTED Page 8 of 13

9 At any stage, each identified hazard within the hazard log has an assigned Status. In this context, Closed means that the risk is either eliminated or is being managed to SFAIRP. In some instances, it may be necessary to transfer the hazard to another change activity (project), the relevant Sydney Trains division, a third party hazard log, or to the Safety Risk Register. Note Hazards must not be deleted from the hazard log, but identified as Cancelled with justification as to why the hazard is no longer valid. In order for a hazard to be closed, the Hazard Log Manager must make sure that: all hazard actions have been adequately addressed sufficient controls have been adequately defined, validated and confirmed as in place, with adequate evidence provided by the control owner the control owner has accepted the controls along with any necessary ongoing operational and maintenance requirements. To assist in hazard closure, Hazard Log Working Groups are recommended for larger projects to: review closure evidence have the SMEs, Discipline Heads, and other stakeholders agree that the risk is reduced SFAIRP before hazard is closed. For all safety changes, some level of review with the relevant stakeholders must be carried out prior to closing any hazard. The specific arrangements for hazard closure must be detailed in the Safety Change Plan. Risk quantification Quantified estimates of risk are not required in the hazard log. However, the level of risk must be determined using the ERM Framework - Risk Ranking Tables. The ERM Framework - Risk Ranking Tables provide a semi-quantitative measurement. It is used as the means of broadly determining the safety risk acceptability or tolerability of risks identified within the hazard log. It is the primary tool in Sydney Trains to analyse and evaluate risk. The ERM Framework - Risk Ranking Tables have six likelihood categories and six consequence categories. The risk ranking is derived by assigning these categories to particular hazards. The safety risk ranking classifications are described in ERM Framework - Risk Ranking Tables. The risk assessment presented in the hazard log must always reflect the current level of identified risk based on the assessed consequence and likelihood. Once the hazard is closed, the assessed risk represents the residual operational risk to the network. Hazard Causes All identified causes of the hazard (initiators) must be included, together with any necessary conditions for the hazard to occur. Hazard causes may be: Sydney Trains UNCONTROLLED COPY WHEN PRINTED Page 9 of 13

10 engineering failures (electrical, electronic, mechanical, etc.) human failures (errors or violations) design errors (poor design, implementation, commissioning, etc.) external events (natural or man-made). Systematic causes must be defined as completely and precisely as is practicable prior to the performance of detailed hazard and human factors analyses. They should be updated as more details are provided throughout the safety change lifecycle. For example, for human failures, the type of failure may be defined (e.g. human error or violation). The actual action or omission and, where appropriate, the role (e.g. maintainer, guard, etc.) and the operation in which the failure occurs may be identified. For example, a description such as human error would be inadequate where a more complete description such as Maintainer omits to tighten brake disc fasteners following brake servicing is more suitable. Similarly, engineering failures must be defined as far as is practicable. This normally requires the engineered system or sub-system which fails to be clearly identified, together with the relevant failure mode and failure mechanism. Cause details, like hazards and controls, must be written in a consistent manner with the system element preceding the specific cause detail that makes the entry unique (i.e. two separate causes may be shown as): Points incorrectly set due to signaller failure Points incorrectly set due to mechanical failure. Constructing cause descriptions in this manner standardises entries within the hazard log and minimises the risk of a number of different entries for the same cause. This facilitates the identification of: common causes for review controls for the same cause that is relevant to a number of different hazards. Hazard Consequences A qualitative description of the hazard consequences must be included to identify the potential outcome of the identified hazard scenario. This will generally be obtained from the PHA but may be revised as a result of more detailed risk analysis, including any human factors assessments. A range of consequences could result from individual hazards. All identified consequences of the hazard must be included together with any justification for the selection of the consequence category used in the risk assessment, if necessary. The consequence category selected should be based on the worst case credible consequence, although any combination of consequence and likelihood that may give rise to a higher overall risk category must be considered. The groups of individuals affected must also be identified where relevant. Sydney Trains UNCONTROLLED COPY WHEN PRINTED Page 10 of 13

11 Safety Controls Controls can exist on both sides of a hazard in the form of preventative controls and mitigative controls, as represented by the traditional Bow Tie Model shown in Figure 3. The traditional Bow Tie model is symmetrical the hazard is in the centre of the figure. However, in many cases there are significantly more controls on the cause side of the Bow Tie than the consequence side, representing Sydney Trains preference for prevention rather than mitigation. C A U S E S HAZAR D C O N S E Q U E N C E S Controls Figure 3 Bow tie model Note The use of any PPE must be identified as a procedural control as it requires the provision and correct use of equipment to provide an effective control measure. Consideration of controls within the hazard log supports the demonstration of a robust safety argument, which will consider both the number of safety systems and the hierarchy of controls as described in the SMS-07-GD-3084 Hazard Identification and Safety Risk Assessment guide. The Control Owner must be identified as the role that will have the ultimate responsibility for making sure the control is in an operational condition. This may include making sure the control is being correctly maintained and inspected as required or that the administrative procedures are in place, along with any necessary training or supervision. A number of individuals will have responsibility for correctly specifying, designing, and implementing the control, as well as confirming it has been implemented and is effective. Sydney Trains UNCONTROLLED COPY WHEN PRINTED Page 11 of 13

12 At any stage, each identified control has an assigned Status. Table 2 below details the standard status levels and provides a brief description of each. Table 2 Control status Status Open Resolved Confirmed Description Control requirements have been identified, however, a full set of activities to implement the control have not been agreed. A full set of activities to implement the control have been agreed, but one or more have yet to be implemented and validated. All activities to implement the control have been completed, including any required validation and verification activities; evidence has been provided. Verification and validation To make sure the audit trail is complete in the forward direction, planned verification and validation activities must be defined in the hazard log early in the project lifecycle for each of the identified controls. As the activities are completed, evidence must be provided against each of the specific verification and validation activities. Verification and validation evidence would typically be: a reference to a test specification survey results a control procedure. The evidence can be attached as a file or provided as a reference to the closure evidence. The verification and validation status is changed to Confirmed once the closure evidence has been provided, agreed by the relevant SME/Discipline Head. Once the necessary verification and validation activities have been closed, the HLM must update the control status to Confirmed to demonstrate that the controls are in place and confirmed as operationally ready. Actions Specific actions can be identified throughout the safety change lifecycle against: hazards causes controls (both hazard and cause controls). Action descriptions must be complete and have sufficient detail to allow the actionee to address the requirements without further details other than the context against which they were raised (i.e. hazard, cause or control description). The Hazard Log Manager should: notify the identified actionee of all relevant actions upload any relevant closure evidence provided update the action status only after reviewing the closure evidence with the appropriate SME/Level 3 Managers or nominated representatives. Sydney Trains UNCONTROLLED COPY WHEN PRINTED Page 12 of 13

13 The action status can be closed once the closure evidence has been. Generally, the related hazard, cause or control must not be closed until all associated actions have been closed (Note: In the PHL template only the hazard has a status). However, stakeholders can agree to close hazards with outstanding actions. The Safety Assurance Manager must make sure closure evidence is reviewed with relevant SMEs prior revising the action status. At commissioning, all outstanding actions must be included in the Safety Issues Log. Journals As the safety change progresses, the hazard log must be continually updated to reflect the current status of the project. Any changes to the key fields require justification to be provided for the change, which is recorded in the journal along with the details of the change made. The audit trail should demonstrate that the safety change was managed in a controlled manner, and that every effort was made to control hazards and their associated risks SFAIRP. When using the PHL template the worksheet Tab titled Journal should be used to record changes to the hazard log. Sydney Trains UNCONTROLLED COPY WHEN PRINTED Page 13 of 13