The Application of RAMS in Large Scale Complex Railway Projects

RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

PM Safety Consultants Limited

www.pmsafety.co.uk

HAND OUT FOR RAMS SEMINAR

WESTIN PALACE HOTEL MADRID HELD ON 2ND DECEMBER 2004

CONTENTS

SECTION 1: CONTENT OF SEMINAR ..................................................................... 2

SECTION 2: SPEAKER PROFILE. ........................................................................... 3

SECTION 3: PAPER: SUCCESSFUL APPLICATION OF SYSTEMS ASSURANCE

ON LARGE SCALE RAILWAY PROJECTS ............................................................. 4

SECTION 4: EN50126 FLOWCHARTS FOR IMPLEMENTATION OF RAMS AT

DIFFERENT PROJECT STAGES............................................................................ 13

SECTION 5: SOME USEFUL NOTES ON SYSTEMS ASSURANCE

METHODOLOGIES AND REFERENCES ............................................................... 24

SECTION 6: SOME NOTES ON FAULT AND EVENT TREE CONSTRUCTION

AND ANALYSIS ...................................................................................................... 28

SECTION 7: SOME NOTES ON HUMAN FACTORS ............................................. 34

SECTION 8: SOME NOTES ON THE USE OF THE HEART METHOD.................. 39

SECTION 9: SOME NOTES ON FIRE RISK ASSESSMENT.................................. 52

SECTION 10: SOME USEFUL SYSTEMS ASSURANCE REFERENCES ............. 54

The contents of this hand out are provided on an informal for information only basis.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 1 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

SECTION 1: CONTENT OF SEMINAR

Definitions of Systems Assurance
[2 minutes]
- Definition of RAMS
- Human Factors
- Fire Safety

Review of Typical Standards (principally EN50126)

[5 minutes]

- EN50126 and the life cycle

- Verification & Validation
- Other standards including UK Line Standards and Group Standards and Yellow Book
- Defence Standards and Military Standards

Systems Assurance Planning (Formats and how to gain approvals)

[8 minutes]

- Typical Formats of Systems Assurance Plans

- Process of gaining approvals

Methodologies such as HAZOP, SIL assessment, QRA, ALARP etc

[10 minutes]

- HAZOP
- Hazard Logs
- Fault Trees
- Event trees
- FMECAs
- SIL Assessments
- HRA
- CCF

Review of Benefits
[5 minutes]

- Strategic Review of major benefits of Systems Assurance

Some examples of projects completed

[5 minutes]

Review of Some Problems and Solutions

[5 minutes]

Questions & Answers

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 2 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

SECTION 2: SPEAKER PROFILE.

Mr. Paul Daniel Mann, B.Sc(Hons), C.Eng, M.I.Mech.E, FSaRS.

Mr. Mann is the Managing Director and majority shareholder in PM Safety Consultants Limited
(www.pmsafety.co.uk). PMSC was formed in 1992 and provides consulting support and advice to a wide range
of clients around the world.

Mr. Mann holds a Bachelor of Science degree in Physics from Leeds University and graduated in 1980 and is a
Chartered Engineer via the Institute of Mechanical Engineers and a Fellow of the UK Safety & Reliability Society.

During his time as a consultant advisor he has gained experience in the field of Systems Assurance or RAMS
working in a variety of industries including the Railway, Nuclear, Oil & Gas and Defence sectors both in the UK
and Internationally.

Specifically, Mr. Mann has worked on several major Rolling Stock and Infrastructure projects including:- Class
332 Heathrow Express built by Siemens; the class 373/1 Eurostar built by Alsthom; the High Speed rolling stock
being provided to the Taiwan High Speed Rail project by Kawasaki; C751B rolling stock provided for the Changi
extension in Singapore and SP1900 EMUs provided for West Rail and East Rail in Hong Kong. He has
conducted numerous railway HAZOP studies as both Chairman and Secretary. Mr. Mann also acted as the RAM
analyst for the new proposed Thameslink 2000 project and to Bombardier on their Electrostar reliability
improvement programme.

In terms of infrastructure, Mr. Mann has most recently acted as RAMS coordinator for the Core System of the
Taiwan High Speed Rail project during Concept and Preliminary Design stages and has also managed the
Systems Assurance bid documentation for the C830 Marina Line project in Singapore, now referred to as the
Circle Line. He was also retained as Systems Assurance advisor to NEC of their C760 Communications project
in Singapore. Last year he managed the production of the Safety Case for the implementation of the TETRA
system at railway stations as part of the United Kingdoms Governmental strategic response to the threat of
terrorism in the UK.

He is fully familiar with both emerging European EN50126 RAMS guidance, IEC61508 Application of Safety
Integrity Levels and UK Defence Standards 00-56 and 00-55 and a wide range of RAMS methodologies and
procedures.

PMSC Limited is cooperating with MTP to develop the understanding of RAMS in Spain. We are hoping to raise
the understanding and awareness of RAMS in various industries where benefits can be derived.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 3 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

SECTION 3: PAPER: SUCCESSFUL APPLICATION OF SYSTEMS ASSURANCE

ON LARGE SCALE RAILWAY PROJECTS

By
Paul Mann

(Principal Consultant, PMSC Limited,

Suite D Third Floor, Saturn Facilities, 101 Lockhurst Lane, Coventry, CV6 5SF, UK)

Mr. Mann is a graduate in Physics from Leeds University in the United Kingdom and has
worked as a RAMS consultant to the railway industry both in the UK and overseas for the last
ten years. He is currently the Managing Director of PMSC Limited and has successfully
negotiated and completed RAMS contracts for a range of railway contractors and operators
including: Alsthom, Bombardier, Kawasaki Heavy Industries, London Underground, Railtrack
and Siemens.

nd
These notes have been adapted for the RAMS conference in Madrid held on 2 December 2004.

Introduction
As railway systems around the world become more complex, design teams are increasingly under pressure to
deliver design solutions which integrate both technical and Systems Assurance (SA). Systems Assurance as an
approach has been refined over the last decade to provide project managers with a mechanism to achieve
specified Reliability, Availability, Maintainability and Safety (RAMS) objectives. This paper focuses on the
methodology of Systems Assurance but more importantly provides a guide to project managers on SA aspects
that should form part of the design development and decision making process. The paper is biased towards SA
activities undertaken by a principal contractor on a large scale project, however, much of the content would apply
equally well to sub-contractors working for the principal contractor and for the client team.

Unfortunately, all too often human nature is such that accidents or other undesirable events occur and after
investigation are deemed to have been preventable. There has been a recent spate of railway accidents and
incidents around the world, which clearly serves to illustrate the need for an integrated holistic approach to
Systems Assurance at the design stage.

At PMSC we have collected statistics on industrial and transport incidents from around the world as far back as
the year 1782. Our database has some 2258 events, of which 818 are railway incidents. Nearly 60% of railway
accidents on our database have been caused by human errors. Another depressing statistic is that there have
been no fewer than 89 railway incidents since 1842 where 100 passengers or more have been killed.

Some examples of recent major railway accidents from around the world are presented in table 1.

Date Location Number Serious Root Cause Comments

Killed ly
Injured
05/10/19 Paddington, 31 20 Alleged signal Great Western train collided
99 London passed at danger with a Thames train as a
due to driver error result of a SPAD by the
Thames train.
19/09/19 Southall, 7 20 Alleged signal Intercity 125 train collided
99 London passed at danger with a freight train.
02/09/19 Gaisal, India 100 NA Reported as a Head on collision of two
99 signalling failure trains travelling in excess of
100mph.
08/09/19 Near Sainte Foy 12 40 Infrastructure related Collision between lorry and
99 La Grande, train on road crossing.
France
03/06/19 Germany 100 NA Thought to be a Faulty wheelset resulted in
98 faulty wheel high speed derailment of ICE
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 4 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Date Location Number Serious Root Cause Comments

Killed ly
Injured
train.
24/03/19 National Park, 32 85 Thought to be Train derailed at high speed
99 Kenya overspeeding on a on a bend in the Tsavo
tight bend National Park.

Table 1: Some Recent Examples of Railway Accidents From Around the World

Background to Systems Assurance

Essentially, Systems Assurance is the application of management methods and analysis techniques to assure
that a design meets Reliability, Availability, Maintainability and Safety (RAMS) criteria. Hence, Systems
Assurance is often referred to as RAMS Assurance. It should be clearly understood that the intent of RAMS
Assurance is not just to provide analytical techniques as a metric on performance, but more importantly it should
provide a management tool with which to co-ordinate and assure the whole design, ie. a holistic management
systems approach.

Often on projects, due to a lack of understanding, the SA process is demoted to a secondary status in the design
development and considered a paperwork exercise. In the UK, Europe and North America the need for SA has
been mainly driven by legislation. This is evident today to the extent that many invitation to tender specifications
for large scale railway projects make specific reference to standards such as the emerging Euro Norm standard
50126, UK Defence Standards, such as 00-56, and US Military Standards such as 882C and 1629. A typical
Principal Contractor SA team structure, which would be consistent with the requirements of the above standards
for larger railway projects is presented in figure 1. Some of the generic roles and responsibilities of the key
members of the SA team have been described below for information. These are intended for guidance only.

Project Management Client

Team members & Team or
other sub-contractor Regulator
teams
Systems
Assurance Manager
(SAM)
(1 Full Time)

Systems
Integration
Manager (SIM)

Project
Planner
(1 Part Time)
Project
Secretary
(1 Full Time)

Specialist Support
eg. Human Factors
EMC, fire protection
etc (2 Part Time)

Reliability & Maintainability Safety

Availability Project Engineers Project Engineers
Project Engineers (1-2 Full Time) (2-3 Full Time)
(1-2 Full Time)

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 5 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Typical team size: Core team full time = 6-9 persons, Part Time expertise = 3 persons, RAMS co-
ordination team for a principal contractor. (Guidance only.)
Figure 1: Typical Structure of the Co-ordinating SA Team and SA Interfaces for Large Scale Railway Projects

Safety Assurance Manager (SAM)

• Project manage the SA activity within the project and prepare the initial SA Program Plan.
• Provide the single point of contact with the regulator or client on SA activities.
• Ensure that sufficient and competent resources are made available for the SA activity.
• Act as the principal single point of contact for interfaces between Systems Integration and Systems
Assurance.
• Act as the principal single point of contact between the project management team and sub-contractor effort
on matters of SA.
• Act as Hazards and Operability (HAZOP) study chairman during hazards identification studies.

Specialist Support
• Provide specialist support on an ad-hoc basis in the fields of Human Factors, Electromagnetic Compatibility
(EMC), fire protection and toxicity calculations for interior equipment on train etc.

Reliability & Availability Project Engineers

• Conduct Reliability and Availability studies as defined by the SAM.
• Prepare Reliability and Availability reports consistent with the client or regulator requirements and formats.
• Maintain a repository of R&A data sources for use on the project.

Maintainability Project Engineers

• Conduct Maintainability predictions.
• Assist with the definition of Line Replaceable Units (LRU’s) for each of the systems.
• Develop a comprehensive set of functional block diagrams for each system within the project scope.

Safety Project Engineers

• Assist the SAM during the HAZOP activities as HAZOP Secretary.
• Assist with the development of the Safety Assurance studies under the direction of the SAM, including
FMECA, QRA and other similar core SA studies.
• Manage the hazards log.

One of the key activities for the project will be the management of the interface between the SA processes and
the Systems Integration (SI) processes. Systems Integration is essentially the management of interfaces in terms
of systems that interact with each other. It will be beneficial to ensure the following:

• Safety issues associated with interfaces are identified early by level 1 HAZOPs.
• Safety representation at Systems Integration meetings, any safety issues entered into hazards log.
• Systems Integration personnel attend key HAZOPs to take ownership first hand of any interface issues
arising.
• The SAM should be required to close out any design changes that result from the SI process.
• The SIM and SAM should co-operate fully with each other and will hold periodic SI/SA meetings to ensure all
items on the hazards log are being closed.

It should be reiterated at this point that this paper is aimed at a principal contractor co-ordinating the input of
several sub-contractors. Hence, the actual size of the team can be variable dependent on the exact nature of the
project.

Target Levels of Risk

The acceptability of Systems Assurance is best determined against a pre-determined set of risk levels ideally
assigned by the client or regulator at the bidding stage of the project. On modern large scale infrastructure and

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 6 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

rolling stock projects target levels of risk are being set for individuals and critical groups. Typically, the following
criteria might be set:

• Individual risk for railway workers.

• Individual risk for passengers (critical group being commuters).
• Individual risk for members of the public.

In some modern studies targets for so-called Societal Risk are also set. This relates to setting an upper limit on
the frequency per incident of consequences in the following ranges: 1-10 deaths, between 10 and 100 deaths,
and greater than 100 deaths. Historically, this information has been plotted on the so-called F/N curves.

Typical values for individual risk targets used currently in the UK are quoted in table 2.

Risk Group Risk level Frequency Per Annum

Premature Fatality Major Injury

Railway Workers 1.0E-04 1.0E-03

Passengers 1.0E-05 1.0E-04
Members of Public 1.0E-05 1.0E-04

Table 2: Some Example Risk Targets

Risk targets are also set for individual accident sequences. This is based on apportioning the individual and
societal risk targets to generate the so-called risk matrix. This approach is particularly useful in the early stages
of a project (in the absence of any formal numerical Quantified Risk Analysis (QRA) results), as it provides an
indication, all be it judgmental, as to whether control measures should be considered to meet the As Low As
Reasonably Practicable (ALARP) principle.

Ball Park Estimates for the Costs Associated with Systems Assurance

As stated earlier, the key to success in Systems Assurance is having sufficient resources available with
appropriate competence. Table 3 below provides some ball park estimates from recent railway projects as an
indication of typical costs from a range of sizes of projects. The costs associated with Systems Assurance
should take into account not just costs to the project from specialist co-ordinating consultants, but should also
include internal project team member costs and sub-contractor RAMS Assurance costs.

Estimated Value Estimated Value of % of Project Example Projects for

of Project UK £ Systems Assurance Costs Benchmarking
UK £
1 Million 50K 5% Minor infrastructure or rolling stock
modifications
10 Million 300 K 3% A ticketing system
50 Million 500 K 1% A new railway depot
450 Million 2M 0.4% A new rolling stock project
1500 Million 10 M 0.7% First part of a new high speed
railway link
2800 Million 20 M 0.7% New underground railway system
in UK
1000 Million 10 M 1% New underground system overseas

Table 3: Some Example SA Budgets from Previous Projects

Hence, the above estimated data points indicate that for lower value projects, budgets of between 1 and 5% of
total project budget could be realistic. However, for larger scale projects, budgets for Systems Assurance of
between 0.4 and 1% of the total value of the project could be considered as realistic budgetary estimates. It
should be noted that the above costs are offered as guides, not hard and fast rules.

Review of Process and Methods

Figure 2 presents a typical flow chart for the safety aspect of a Systems Assurance or RAMS Assurance project.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 7 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

The SA process commences with the issue early in the life of the project of the Safety Assurance Program Plan
(SAPP). This is a document that will state clearly and unambiguously how the project will manage and
implement Safety Assurance. This document is a key milestone in establishing the resource requirements to
deliver Safety Assurance. It is also a good barometer to measure the commitment to safety of the project
management team. The sub-contractor effort will be optimised early if the SAPP provides them with a clear
guidance on methodologies and apportionment of the risk that applies to their systems or equipment.

Once systems have been defined, the hazards identification stage can commence and provide an early input to
the project safety hazards log. This will, if performed by competent personnel, give an early indication of any
conceptual problems associated with the design and its intrinsic hazard potential. At the appropriate time the
Preliminary Hazards Analysis (PHA) and Failure Mode Effects Analysis (FMEA) can be supplemented by the use
of structured “brainstorming” techniques such as HAZOPs involving team members from the various other
disciplines on the project. However, the timing of the application of these techniques should be optimised to
maximise influence over the design development and minimise the need for reworking due to any changing
nature of the detailed design. The role of the Systems Assurance Manager will be to provide clear advice to the
project management team on the timing of these activities.

The risk ranking of hazard potential is a key factor in understanding whether risks posed by the design (and there
are always residual risks, the risk free design does not exist) are tolerable, and more importantly whether all
reasonably practicable safety measures have been considered by the design teams and sub-contractors. Initially,
it will be the role of the SAPP to provide the frameworks for the judgement of risk and its tolerability or otherwise.
As the project develops, the concept of risk ranking should be clearly understood by all parties prior to the
embarkation on HAZOP or FMECA studies.

The HAZOP studies in particular should be well organised, and ideally independently chaired and secretaried.
Briefing notes to establish the scope of the HAZOP should be issued prior to the actual meetings. Adequate time
should be set aside for the HAZOP, and attendees should clear their diaries thus providing full time commitment
to the brainstorming process (mobile telephones and pagers should be banned). Reporting of the HAZOP should
contain system descriptions together with the hazard sequences identified. Any additional safety measures
considered reasonably practicable to reduce risk should be reported and stored on the hazards log until formally
closed out by the formal project design review process. In my experience, one of the major problems on large
scale projects is that the final stage of formally reviewing proposed design enhancements for safety is rarely
implemented in a systematic manner. More often, at best a piecemeal consideration of design changes that are
perceived as easy to implement is undertaken. At worst, design enhancements considered during the HAZOPs
are simply ignored and buried deep in the paperwork.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 8 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

SAFETY ASSURANCE PROGRAM

PLAN

Trains
System
Definition
Infrastructure

Preliminary Hazard Incident & Failure Rate

Preliminary FMEA Analysis Collection HAZOPs

Risk Rank Risk Targets for

Individual Sequences

Consider Additional
Are Risk Targets NO
Control Measures
or the ALARP
Principle Met?

YES

Hazard Log Undertake SSHA,

IHA, O&SHA &
Preliminary
FMECA Studies

Safety Critical Items Risk Rank Risk Targets for

List Individual Sequences

Consider Additional
Are Risk Targets NO
Control Measures
or the ALARP
Principle Met?

YES

Undertake Risk Targets for

Detailed FMECA Individuals & Societal
Risk

Undertake
Detailed QRA

Are Risk Targets NO

or the ALARP Consider Additional
Principle Met? Control Measures -
Undertake CBA

YES

SA OK

Figure 2: Flow Chart for the Safety Activities of Systems Assurance or RAMS
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 9 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Following qualitative consideration of hazard potential, there is a need to develop a quantitative model of the
design. This process is entitled Quantitative Risk Analysis or QRA. Typically, Fault and Event Trees will be
constructed and analysed to identify the cut-sets or events which lead to undesirable consequences. As with the
HAZOP and FMECA, the QRA can be an extremely iterative process unless performed at the right time in the
project. Conventional thinking proposes that the QRA should be performed towards the end of design
development but prior to project design freeze to allow for design enhancements if risk targets cannot be met.
The QRA should normally have as an integral part a consideration of human factors, ie. the potential for operator
error, and events which model system wide Common Cause Failure (CCF) potential. Most modern railway
projects have adopted the Fault Tree + “state of the art” software to facilitate this modelling process. Companies
using this software include Railtrack, London Underground, Singapore Land Transport Authority, Hong Kong
MTRC and Kowloon Canton Railway Corporation (KCRC).

If formal cost benefit analysis is required to demonstrate the ALARP principle, ie. that risks are as low as
reasonably practicable, the QRA provides a good modelling tool to assess the benefits of any risk reducing
measures. Thus comparisons of benefits and costs can be assessed, provided of course there is a clear
statement on what constitutes the value of preventing a fatality (VPF) by a safety measure. Within the UK the
safety culture has allowed a value to be placed upon a life saved as in the region of £ 3,000,000 sterling when
considering multi-fatality events and £ 1,000,000 for events involving a single fatality. Ironically, elsewhere in the
world, for example in the USA, the concept of the value of a life saved is considered tantamount to tacit
acceptance of legal negligence and therefore not invoked. On this issue, it is my belief that more research needs
to be undertaken to standardise a world wide methodology to judge the worth of design enhancements to reduce
risks.

The use of an Independent Safety Assessor (ISA) is becoming standard practice for some larger railway projects
in Europe. The appointment of an ISA can help in securing approvals from regulatory bodies. However, for an
ISA to be most effective, the project must plan for the ISA to be involved in the planning stage of the project as
well as reviewing the results of any analyses during its implementation. The need for an ISA will normally be
client driven, but it is generally considered appropriate for such ISA effort to be directed towards safety critical
systems such as signalling, and systems associated with high consequence hazards such as fire or
derailments/collisions.

As the Safety Assurance process draws to a conclusion, the Safety Assurance Summary Report or Safety Case
provides the regulator with an overview of the work undertaken for the assurance of safety on the project. This
provides the regulator with a “map” to guide their review and acceptance of the overall process.

Similar processes are recommended for RAM management and analysis. Initial integrated RAM Program Plans,
leading to a clear definition of resource requirements and bar chart activities. Delivery of reliability predictions,
maintainability predictions and corrective and preventative maintenance strategies. RAM demonstration plans
should be developed to ensure that there is a plan to demonstrate the predicted RAM values are met in practice.

Review of Key Problem Areas and Solutions

There are a number of problematic issues related to Systems Assurance, but it is clear that sound planning and
the provision of expert resources with the commitment of the design management team early in the project is the
key to successful implementation of Systems Assurance on projects. Some typical problems found on projects
have been highlighted below, maybe you recognise a few of them:

Problem Issue in RAMS Possible Solutions

Inadequate RAMS resources • Good planning early on.
made available late in the • Commitment by the management team and client to SA activities.
project • Client requires draft SA Plan before contract starts.
Safety personnel not • Management training on SA so that they can understand the
integrated into design review benefits to be gained from SA.
process • Clients specifications state SA as a key requirement.
Engineering personnel not • Engineering personnel encouraged to conduct FMECA analysis and
involved in SA process attend Hazards Identification sessions (HAZOPs).
• Ownership of hazards by engineering personnel.
Systems Assurance studies • SA Plan has schedule of activities showing timing and linkage of SA
performed too early resulting activities to key project milestones.
in the requirement for • Concurrent engineering and good communications at the working
extensive reworking as the level between SA analysts and design team.
design develops
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 10 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Problem Issue in RAMS Possible Solutions

Weak interface between • Provision of specific interface meetings between SA and SI
Systems Integration and personnel.
Systems Assurance results in • Safety as an agenda item in SI meetings.
safety issues being missed • Interfaces as an agenda item in SA meetings, for example HAZOPs.
and interfaces not being
clearly understood
Safety risk assessments out • Safety input at the design reviews.
of touch with design issues • Latest drawings used at HAZOP.
Project management lack of • Integration of SA activities into PM meetings and planning process.
commitment to safety due to • Attendance by Project Manager at SA key meetings such as
competing objectives leading HAZOPs.
to a lack of ownership of the • SA Plans contain PM Commitment statements to SA activities.
SA process by design teams • Training for PM in SA activities.
Scarcity of relevant data for • Operators should be encouraged to collect incident and equipment
Quantification of risks and failure rate data. This should be made available to suppliers.
reliability analysis, or over • Data collection schemes between operators, successfully
reliance on generic data implemented by Oil & Gas operators in the North Sea by the
sources provision of a shared data scheme called OREDA 92.
• Suppliers encouraged to collect data on their own systems.
• Approved generic database sources should be advised to designers.
Sub-contractors poorly • SA Plans must contain sections on the management of sub-
controlled in terms of their contractors.
delivery of RAMS studies • Sub-contractors encouraged to employ competent SA personnel
during the bidding phase of the project.
• Failure of a supplier to deliver RAMS studies should be linked to
their payment schedules.
Unclear ambiguous • Expert consultant advice at the planning stages, or independent
specifications and RAMS review by experts if the plans are written in house.
Plans leading to uncertainty • Proper reference to the latest standards eg. EN 50126, Def
Standard 00-56 or Mil Std 882C.
• Use of project standard formats for SA Plans.
Setting unrealistic and • Client must consult with supplier at the contract stage and if supplier
unachievable numerical cannot meet the targets because they are unrealistic, negotiation
RAMS targets should take place on what more realistic targets might be.
• Deterministic studies should be accepted under agreed
circumstances as an alternative means to achieving a numerical risk
target.
Arguments about who pays if • Ongoing dialogue with the client on SA issues.
a RAMS target can not be met • Client sets RAMS Targets at tender stage and supplier must state
but the design meets the how he intends to meet the targets or why he requires a relaxation
engineering specification on the target.
• Client allows for variations to the contract for design improvements
to meet RAMS targets even though design meets deterministic
specification, or client allows supplier to negotiate on RAMS targets.
Loss of goodwill if designers • ALARP interpretations and agreements with suppliers early on in a
are expected to improve project. If design measures are cheap to implement sub-contractor
design at a significant cost to should implement directly at their cost, if more expensive then a
themselves variation to their contract can be agreed with the client.

QRA results come out late in • Firm linkage of SA activities to over all project milestones.
the project after design freeze • An initial concept QRA should be performed early in the design
and therefore are ignored process.
Problematic RAMS Interfaces • Clear unambiguous SA Plans initially agreed with client and
between client, main cascaded down to all sub-contractors.
contractor & sub-contractors • Sub contractors required to develop their own SA Plans prior to
works commencing, acceptance of which is a pre-requisite for
commencement of works.

Table 4: Some Examples of Typical SA Problems and Proposed Solutions

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 11 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

It is for sure that many of you reading this paper may have experienced or recognised at least one or more of
these problems during a project you have been recently involved with. Some readers may unfortunately
recognise several problems similar to the above on projects currently underway.

What are the Benefits of Systems Assurance?

What are the benefits of Systems Assurance? To answer this question we must evaluate the benefits from the
four aspects of Systems Assurance, of Reliability, Availability, Maintainability and Safety.

For safety, the main benefit of applying assurance principles is the delivery of a safe design which can be
transparent to regulators wishing to certify that all reasonably practicable safety risk reducing measures have
been considered. Moreover, for the future operator Systems Assurance provides a “comfort factor” that all
reasonably foreseeable accident potential has been considered and planned for. Thus a future operator has the
comfort that he may be able to minimise exposure to bad public relations and the aversion that members of the
public and authorities have to large scale railway accidents.

In terms of reliability, there are two main benefits from an integrated approach to Systems Assurance. Firstly, if a
design is reliable it will mean that timetables and therefore passenger services can be reliably implemented.
Secondly, reliable equipment reduces total life cycle costs and also ensures that value for money can be
obtained from systems comprising the design.
Availability means that down time can be minimised, thereby perpetuating the concept of dependability of the
facility or service with fare paying passengers.

For Maintainability, Systems Assurance provides a tool with which to ensure that safety risks to maintainers
either on the track or in depots can be minimised. Furthermore, by adopting sound maintainability SA techniques
early in the design process, life cycle costs arising from maintenance activities (preventative and corrective) can
be properly predicted and life cycle costs minimised.

Conclusions
In conclusion, there are several issues that need further debate within the industry forum:

•
st
Systems Assurance has a key role to play in the 21 Century in assuring that as complexity and economic
pressures increase, safety and overall life cycle costs are not compromised.

• At the outset of projects, budgets should be properly considered for the inclusion of Systems Assurance.
Typically, budgets of 1-5% of project value should be set aside for lower value projects and between 0.4 –
1% of project value for larger value projects such as major new railway undertakings or rolling stock fleet
replacement projects.

• More needs to be done to collect world wide data on rail crashes and equipment failures to facilitate future
analysis, thereby maximising the use of operational data in favour of less applicable generic data sources.
This work could also provide an insight into a better definition of what is considered ALARP.

• Systems Assurance must be given a clear role in projects early, with a clear commitment from the project
management team to make adequate and competent resources available to deliver Systems Assurance.

• Provision of clearer unambiguous guidance to project managers on what Systems Assurance techniques to
apply at various stages of projects.

• Proactive participation and interaction of Systems Assurance in the Systems Integration process and Design
Review meetings.

It is hoped that this paper has raised the profile of some of the issues associated with Systems Assurance and its
role within large scale railway infrastructure and rolling stock projects.

In summary, it is proposed that the Systems Assurance Manager must act as the conscience of the Project
Manager to ensure that all reasonably practicable safety measures have been applied to the design and that
overall foreseeable risks are controlled to a level, which can be considered tolerable.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 12 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

SECTION 4: EN50126 FLOWCHARTS FOR IMPLEMENTATION OF RAMS AT

DIFFERENT PROJECT STAGES

Some proposed flow charts for the implementation of Systems Assurance or RAMS at
various stages of a typical railway project have been developed. The first flow chart
identifies the various stages in a typical project this is adapted from EN50126. There is a
subsequent flow chart for each project phase.

PMSC has also developed detailed excel spreadsheets which assess in more detail the
RAMS tasks at each stage. In particular, the spreadsheets highlight the deliverables arising
from the various RAMS tasks and the key interactions between RAMS tasks.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 13 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

During initial bidding stage it may be usual to document features in the EMU
Bidding
design being offered as safety features and features to enhance RAM and
Stage
reduce LCC aspects. Some customers such as Singapore LTA also require
(BS)
outline Systems Assurance Planning document at bid phase

As a basis of signing the contract the contracted party has a responsibility to

Sign Contract deliver the required Safety studies as required by UK legislation and customer
with Customer contractual requirements. Usually RAM and LCC is contractual matter whereas
(SC) Safety is legal matter requiring Safety Case in the UK. EN50126 general
European standard also mentions about Safety Case

Concept
At the Concept Design stage it will be necessary to validate the concept design
Design
in terms of RAMS and LCC at the train level. The Hazards analysis would be a
Stage
Preliminary Hazards analysis leading to an outline safety case.
(CD)

Preliminary
The Preliminary Design will provide more detail on the concept and will identify
Design
the sub systems design and analysis of the design down to sub system Line
Stage
Replaceable Unit, LRU level.
(PD)

Detailed
During the detailed design stage much detailed analysis of the train systems
Design
down to major component level (which maybe below LRU level) will be
Stage
undertaken and reported in a Pre-Operational Safety Case
(DD)

During the manufacturing stage RAMS audits will generally be conducted on

Manufacture
suppliers to ensure the quality of the build and manufacturing process and in
Stage
general there will be a closer link between QA and RAMS during this stage to
(MS)
assure build quality.

Testing &
During the testing and commissioning stage systems will be tested and
Commissioning
integrated together iniatially at sub-contractor sites then at the EMU car builder
Stage
site.
(TC)

Any factors identified during trial running to improve RAMS will generally be fed
Trial Running
back to the design via a FRACAS/DRACAS system as part of the RAMS
Stage
demonstration period which can normally run for anywhere between 1 to 3 years
(TR)
depending on contractual conditions.

During revenue service any in service failures will generally be subject to root
Revenue
cause analysis via a FRACAS system to apportion cause of delay. RAMS
Service
deomonstration can sometimes run over into revenue service, although in the
Stage
UK approval of the safety case is required before the train can enter revenue
(RS)
service

During any mid life refurbishment it may be necessary to replace whole systems
EMU Mid Life
with new generation equipment and add new safety systems and generally
Refurbishment
modify the train fleet to acheieve modern standards and Mean Distance Between
Stage
failure targets. In the UK typical targets for EMUs are 40 to 50 thousand miles
(RF)
between failures which result in a two minute or more delay

Safety analysis may be required to demonstrate thatthe materials on the train

EMU Disposal
systems are safe to be disposed of by maitenance people. Although it is also
Stage
possible that disposal may well result in the train being sold off to another
(DI)
operating company or broken up for spares.

Typical Project Phases for the Provision of a Fleet of EMUs

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 14 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Concept
Design
Stage
(CD)

Review of UK Clause by Clause

railway / rolling review of the
stock legislation and contract for RAMS
Network Rail group LCC content
standards (CD1)
(CD2)

Outline Systems Outline RAM Outline LCC Customer

Applicable safety
Safety Assurance Assurance Assurance Contract
standards and
Programme and Programme and Programme and Requirements
Legislation (CD2)
Plan (CD3) Plan (CD9) Plan (CD17) (CD17)

Customer
Customer
Approval/ No
Approval
RSAB approval

Yes

Preliminary Systems
Collect concept
Hazards Level 1 Train level Functional
Maintenance level cost data
Assessment inc. HAZOP or Analysis inc
Concept (CD12) (CD17)
risk ranking and checklist approach allocation of
SCIL if required (CD4) function (CD10)
(CD4)
Define Human RAM
Factor Principles Apportionment of
Identify Human Develop
and identify or Targets (50% System level RAM
Interfaces with the Preliminary LCC
system (CD5) develop relevant allocation criteria (CD13)
standards and cost model (CD18)
contingency)
guidelines (CD5) (CD11)

Identification of
Human Spares
Performance Train Level provisioning
Issues relating to Functional concept and level
similar / existing FMECA (CD14) of repair concept
systems (CD5) (CD18)

Use IEC 61508

Concept level Concept RAM
guidelines or
Software SIL concepts and
contract SIL
allocation Overview
requirements
(CD6) Prediction against
(CD6)
targets (CD15)

Concept level RAM and LCC

QRA (CD7) Fault & Event Tree
Modelling for major Case to meet
(Quantification hazards eg. fire, Customer
maybe be optional derailment, collision Requirements
at this stage) (CD16)

Concept Safety
Validate Concept Design with
Case (CSC)
Customer via Design Review
(CD8)
Process, Safety Case should be
reviewed and accepted by
RSAB

Move to
Preliminary
Design Stage if
acceptable

Concept Design Typical RAMS/LCC Activities

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 15 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Preliminary
Design
Stage
(PD)

Modify Systems Modify RAM Modify LCC Customer

Applicable Safety
Safety Assurance Assurance Assurance Contract
standards and
Programme and Programme and Programme and Requirements
Legislation (PD1)
Plan (PD1) Plan (PD13) Plan (PD22) (PD22)

Customer
Approval/ Customer
No No
RSAB Approval?
approval? Preliminary operations task Preliminary maintenance task
analysis and human error and error analysis (PD14)
Yes analysis(PD2) Yes

Sub system Preliminary Prelimninary

Software SIL Maintenance of
HAZOPs including Design Systems Allocation of
assignment input LCC cost model
Risk Ranking Functional function to
to HAZOP (PD2) (PD23)
(PD2) Analysis (PD14) hardware and
software (PD14)

Operational Trade-off Studies Preliminary spares

Operational Identify RAM Stock Out
Operational Data using preliminary provisioning
Strategy - usually requirements Risk,
HAZOP at Train (if available) RAM models estimates and
requires customer (PD15) (PD24)
level (PD3) (PD3) (PD15) level of repair
input (PD3)
(PD24)

Interfaces HAZOP Interface RAM Criteria

at Sub system managment Plan (PD16)
level (PD4) (PD4)

Risk Ranking Maintainability

Preliminary Process of Concept (PD17)
NO Design Hazards Frequency and
Log (PD5) Consequences
(PD5) Sub system
FMECA and RAM
Predictions (cf
against targets
Safety Critical (50%) contingency
Items List (PD6) (PD18 and PD19)

Human Error
Quantification RAM Design
(HEART) (PD7) Assessment
Preliminary (PD20)
Fault & Event
Design QRA Trees (Fault
using Failure rate Tree+) (PD7)
data (PD7)
Common Mode RAM and LCC
Failure (Partial Case to meet
Beta Factor) Customer
(PD7) Requirements
(PD21)
Deterministic
Safety
Safety Studies
Target Met ALARP Fire Testing
EMI, Fire analysis
? Assessment to BS6853,
and Ergonomics of
(PD8) Cab design and BS476 Part
6 and Part 7 Validate Preliminary Design with
other train areas Customer via Design Review
(as appropriate) (PD10)
Preliminary Process, Safety Case to be
(PD10) reviewed by RSAB
Design Safety
YES
Case (PSR)
(PD9)

Move to Detailed
Preliminary Design Typical RAMS/LCC Activities Design Stage, if
acceptable

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 16 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Detailed
Design
Stage
(DD)

Modify Systems Modify RAM Modify LCC Customer

Applicable
Safety Assurance Assurance Assurance Contract
standards and
Programme Plan Programme Plan Programme Plan Requirements
Legislation (DD1)
(DD1) (DD13) (DD23) (DD23)

No

Customer
Approval/ No Customer
RSAB approval Approval Detailed maintenance
Detailed operations task
task and human error
and human error
analysis (DD14)
Yes analysis(DD2) Yes

Detailed Design Preliminary Detailed allocation

Software SIL Maintenance of
Level 2 Sub system Design Systems of function to
assignment input LCC cost model
HAZOPs including Functional hardware and
to HAZOP (DD2) (DD24)
Risk Ranking(DD2) Analysis (DD14) software (DD14)

Operational Trade-off Studies Detailed spares Stock

Operational Operational Confirm RAM provisioning
Strategy - usually using preliminary Out
HAZOP at Train Data (DD3) requirements estimates and
requires customer RAM models Risk
level (DD3) (DD15) level of repair
input (DD3) (DD15) (DD25)
(Dd25)

Interfaces HAZOP Interface Confirm RAM

at Sub system Managment Plan Criteria (DD16)
level (DD4) (DD4)

Confirm
Risk Ranking Maintainability
Detailed Design Concept (DD17)
Process of
NO Hazards Log
Frequency and
(DD5)
Consequences Detailed
component level
Sub system Reliability Centred
FMECA and RAM Maintenance (if
Predictions (20% required) (DD19)
Safety Critical
contingency)
Items List (DD6)
(DD18 and DD20)
Human Error
Quantification (eg RAM Detailed
HEART) (DD7) Design
Assessment &
Detailed Design Fault & Event Reliability Critical
QRA using Failure Trees (eg. Fault Items List (DD21)
rate data (DD7) Tree +) (DD7)
Common Mode RAM and LCC
Failure (eg. Partial Case to meet
Beta factor) (DD7) Customer
Requirements
Deterministic (DD22)
Safety Studies
Safety ALARP EMI, Fire analysis Fire Testing
Target Met Assessment and Ergonomics of to BS6853,
? (DD8) Cab design and BS476 Part
other train areas 6 and Part 7 Validate Detailed Design with
(as appropriate) DD10 Customer via Design Review
(DD10, DD11 and Process, Safety Case to be
Pre-Operational DD12) reviewed by RSAB.
YES Safety Case
(POSR) (DD9)

Move to
Manufacturing
Stage, if
acceptable
Detailed Design Typical RAMS/LCC Activities
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 17 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Manufacture
Stage
(MS)

Oversee
Safety Audit of implementation of Maintenance of
Manufacture RAM during LCC cost model
process and manufacturing (MS8)
suppliers (MS1) process (MS5)

Identify and
Environmental
Report Failures ,
Stress Screening
review for safety
(MS6)
significance (MS2)
Validation of
spares Stock
provisioning Out
estimates and Risk
Develop level of repair (MS9)
Non maintenance and (MS9)
compliances ? troubleshooting
guide (MS7)

YES

Review failures for

RAMS/LCC
implications (MS2)

NO
Guidance on
definition of RAMS/LCC
significant failures significant?
(MS2)

YES NO

Implement
Perform Root
corrective action
Cause analysis
(Design Change RAM/LCC Case
(MS3)
Request) (MS3) (MS10)

Update/Review
Re-visit RAMS
Pre-Operational
analysis for design
Safety Case
modification (MS3)
(MS4)
Validate Manufacturing Stage
with Customer via RAMS/LCC
auditing Process, Safety Case
to be reviewed by RSAB

Move to Testing &

Commissioning
Stage, if
acceptable

Manufacturing Stage Typical RAMS/LCC Activities

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 18 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Testing &
Commissioning
Stage
(TC)

Validate Human Validate System

Level RAMS Maintenance of
Performance
Acceptanc e LCC cost model
(TC8)
Criteria (TC1) (TC8)

Develop and Develop and Develop Test

conduct user conduct System Test Demonstrations
interface evaluation Definitions (TC1) at supplier and
usability tests trials train level (TC2)
(TC8) (TC8)

Carry out testing

Implement System meet Continue Testing and
corrective Human (TC3) demonstrations
No (TC3)
actions Performance
(TC8) Requirements?

System meet
No RAMS Criteria
?

Yes

Implement Perform Root

corrective action Cause analysis for
(Design Change test demo failure
Request) (TC4) (TC4)

Yes

Update/Review
Re-visit RAMS Pre-Operational
analysis for design Safety Case and
modification (TC5) any RAM LCC
Case (TC6)
Verify
Troubleshooting
Guide (TC7)

Validate Testing and

Commissioning Stage with
Customer via Test Witnessing
Process, Safety Case to be
reviewed by RSAB

Move to Trial
Running Stage if
acceptable

Testing & Commissioning Stage Typical RAMS/LCC Activities

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 19 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Trial Running
Stage
(TR)

Validate System
Define Terms of
Level RAMS Maintenance of
reference for the
Acceptance LCC cost model
Failure Review
Criteria via Demo (TR8)
Board (TR2)
Plan (TR1)

Develop and DRACAS/

implement Human FRACAS System
Error reporting to report failures in
scheme (TR3) service (TR3)

Failure RAMS
significant?

Yes

Implement Perform Root

corrective action Cause analysis for
(Design Change test demo failure
Request) (TR4) (TR4)

No

Re-visit RAMS
analysis for design
modification
(TR5)

Update/Review
Re-visit
Pre-Operational
Maintenance
Safety Case and
Instructions if
any RAM LCC
required (TR6)
Case (TR7)

Validate Trial Running Stage

with Customer via DRACAS
programme and Warrenty
period

Move to Revenue
Service Stage, if
acceptable

Trial Running Stage Typical RAMS/LCC Activities

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 20 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Revenue
Service
Stage
(RS)

RAMS/LCC Activities during

Revenue Service will be the
continual trend monitoring of
RAMS performance eg reliability
growth modelling

Revenue Service Stage Typical RAMS/LCC Activities

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 21 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

E M U M id L ife
R e f u r b is h m e n t
S ta g e
(R F )

R A M S /L C C A c tiv it ie s w ill b e
s im ila r to th o s e in P D a n d D D
s ta g e s o f in it ia l D e s ig n

M id -L ife R e fu r b is h m e n t S ta g e T y p ic a l R A M S /L C C A c tiv itie s

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 22 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

E M U D is p o s a l
S ta g e
(D I)

R A M S /L C C A c tiv it ie s w ill b e
d e p e n d e n t o n th e m e a n s o f
d is p o s a l

D is p o s a l S ta g e T y p ic a l R A M S /L C C A c tiv itie s

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 23 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

SECTION 5: SOME USEFUL NOTES ON SYSTEMS ASSURANCE

METHODOLOGIES AND REFERENCES

This section presents some useful notes and flow charts for the use of various Systems
Assurance Methodologies:

A) DEVELOPMENT OF A SYSTEMS ASSURANCE PLAN, SAP

At the commencement of a typical rail project It is proposed that a SAP be developed as a high
level document presenting the programme of Systems Assurance work and how this meets the
customer of regulator requirements. The SAP would provide a header document from which the
more detailed Systems Safety Engineering Plans and the RAM Plans would be developed. The
RAM plan would also detail the RAM requirements. The typical outline contents of the SAP are
proposed as follows:-

SECTION TITLE DESCRIPTION

1.0 INTRODUCTION Provides an overall introduction with purpose
and scope and sets out the objectives of
Systems Assurance Activities. It also identifies
any guiding standards and references, which in
this case will be those depicted in any customer
specification or regulatory requirements.
2.0 PROJECT DESCRIPTION Sets out the overall project descriptions and the
technology involved.
3.0 ORGANSATION Sets out the organisational roles and
responsibility for RAMS and how this related to
the main project team organisation.
4.0 SYSTEMS ASSURANCE Sets out the high level assurance activities and
ACTIVITIES how these will ensure that the ITT requirements
and any requirements defined by guiding
standards are to be met. Key review points and
SA deliverables are also identified.
5.0 SYSTEMS ASSURANCE The key timing of the SA activities and
PROGRAMME deliverables are presented.
6.0 SYSTEMS ASSURANCE The SAP presents a discussion on the SA
CRITERIA AND TARGETS targets and criteria to demonstrate that they are
understood and that the methods being adopted
are fit for purpose in terms of judging whether
the targets can be met.
7.0 CONTROL OF SUB This element of the SAP documents how any
CONTRACTORS subcontractors are to be controlled in terms of
their input to SA activities.
8.0 REFERENCES List of references quoted by the SAP
9.0 ACROYNMS List of project Acronyms
Proposed Typical Contents of Systems Assurance Plan

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 24 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

B) SYSTEMS SAFETY ASSURANCE PLAN

The detailed Systems Safety Engineering Plan will document the overall approach and
methodologies to be adopted in the systems safety work both at systems level and at sub
systems level. The typical outline contents of the SSEP are proposed as follows:

SECTION TITLE DESCRIPTION

1.0 INTRODUCTION Provides an overall introduction with purpose
and scope and sets out the objectives of
Systems Safety Engineering Activities. It also
identifies any guiding standards and references.
2.0 PROJECT DESCRIPTION Sets out the overall project descriptions and the
technology involved but provides more detail on
the specific safety features being provided in the
design.
3.0 ORGANSATION Sets out the organisational roles and
responsibility for Safety Engineering and how
this related to the main project team
organisation. A section on competency of
safety resources would also normally be
provided.
4.0 SYSTEMS SAFETY Sets out the detailed systems safety
ENGINEERING ACTIVITIES engineering activities and how these will ensure
that the ITT requirements and any requirements
defined by guiding standards are to be met.
Key review points and Systems Safety
Engineering deliverables are also identified.
The key activities are envisaged as:-

HAZOP and Risk Ranking

Safety Review Group
Safety Design Reviews
Safety Critical Items List
Consideration of Software Safety (if any)
FMECA
Fault Tree Analysis (including Human Error and
Common Cause Failure as appropriate) and
encompassing the ALARP argument.
And finally a Safety Summary Document to
summarise why the infrastructure change will be
safe.
5.0 SYSTEMS ASSURANCE The key timing of the Systems Safety
PROGRAMME Engineering activities and deliverables are
presented.
6.0 SYSTEMS ASSURANCE The SSEP presents a discussion on the Safety
CRITERIA AND TARGETS related targets and criteria to demonstrate that
they are understood in the context of the
engineering solutions being proposed.
7.0 CONTROL OF SUB This element of the SSEP documents how any
CONTRACTORS subcontractors are to be controlled in terms of
their input to the safety engineering process.
8.0 REFERENCES List of references quoted by the SSEP
9.0 ACROYNMS List of Acronyms
APPENDIX DETAILED This appendix will provide more detail on the
A METHODOLOGIES actual detail methodology for conducting the
analytical techniques such as Fault Tree
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 25 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

SECTION TITLE DESCRIPTION

analysis, Common Cause Failure analysis And
the Human Factors analysis. It may also
provide further detail on how the HAZOPs will
be run in terms of the HAZOP keywords being
proposed.
Proposed Typical Contents of Systems Safety Engineering Plan

C) RELIABILITY, AVAILABILITY & MAINTAINABILITY ASSURANCE PLANS (RAMAP)

The RAM Plan will document how the various RAM analyses will be conducted and what the
RAM requirements are on the system design and the sub systems. The typical contents of
the RAMAP are as follows:-

SECTION TITLE DESCRIPTION

1.0 INTRODUCTION
The section describes the purpose and scope of
the plan providing appropriate references to the
customer specification and applicable
standards, for WCML the applicable RAM
standard has been specified as EN50126. The
background for the current issue of the plan will
also be described.
2.0 PROJECT DESCRIPTION Sets out the overall project descriptions and the
technology involved and presents more detail
on the specific design features which enhance
Reliability, Availability and Maintainability and
thus optimise the Life Cycle Costs of the
infrastructure change.
3.0 ORGANSATION Sets out the organisational roles and
responsibility for RAM and how this is related to
the main project team organisation. The Human
Factors input will clearly need to be shown in
relation to the other project organisational
activities. It will be essential to demonstrate in
the organisational roles and responsibility that
there are mechanisms in place to be able to
resolve any conflicts between RAM
requirements and Safety Requirements in the
context of providing a design, which meets the
ITT requirements. This prevents over
engineering of the system to meet specific
requirements in isolation.

4.0 RAM ASSURANCE Sets out the detailed RAM Assurance activities
ACTIVITIES and how these will ensure that the ITT
requirements and any requirements defined by
guiding standards are to be met. Key review
points and RAM deliverables are also identified.
The key activities are envisaged as:-

List RAM Requirements

System Functional analysis
RAM Target apportionment if required
FMECA from RAM perspective including
reliability prediction for each failure mode and
maintainability prediction for each failure mode.
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 26 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

SECTION TITLE DESCRIPTION

RAM Trade-off studies, these will require the
development of Fault Tree analysis for the
systems being assessed to be able to try out
different configurations of system and thus trade
off one configuration against another.
RAM Case Document
5.0 RAM ASSURANCE The key timing of the RAM activities and
PROGRAMME deliverables are presented. The programme will
also indicate any interaction between Safety
Engineering related tasks and RAM related
tasks the principal interaction expected to be
within the FMECA activity.

6.0 RAM ASSURANCE The RAMAP presents a discussion on the RAM

CRITERIA AND TARGETS related targets and criteria to demonstrate that
they are understood in the context of the
engineering solutions being proposed.

7.0 CONTROL OF SUB This element of the RAMAP documents how

CONTRACTORS any subcontractors are to be controlled in terms
of their input to the RAM engineering process.
8.0 REFERENCES List of references quoted by the RAMAP
9.0 ACROYNMS List of Acronyms
Proposed Typical Contents of RAMAP

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 27 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

SECTION 6: SOME NOTES ON FAULT AND EVENT TREE CONSTRUCTION

AND ANALYSIS

6.1 Event Trees

Event trees diagrammatically illustrate a sequence of events modelling accident scenarios.

An example event tree has been presented below (see Figure 6.1). The “nodes” along the
top of the event tree represent questions with a YES or NO answer, the convention being the
downward branch representing the “ NO” answer and the horizontal branch, representing the
“ YES” answer. This can also be termed as failure or success, respectively.

Outcome 5 in figure 6.1 derived using the following Boolean expression

Outcome 5 Frequency = Union of the success terms for the event TOP with failure of system
X and success of system Y and system OP. The Boolean expression for this is written as
Outcome 5= TOP . X . Y’ . OP’

Please note that the dash next to the terms Y and OP indicates that these are success terms
rather than failure terms. Success terms are referred to as PATH sets whilst failure terms
are referred to as PATH sets. It should also be noted that sometimes instead of using
dashes to represent PATH sets a small bar will be placed ontop of the symbol to represent
success.

The Frequency of Outcome 5 is then derived as follows:-

Frequency of Outcome 5 in the event Tree = Frequency of TOP event multiplied by the
Probability that event X fails multiplied by the probability that event Y is successful multiplied
by the probability that event OP is successful this is shown mathematically below:-

Frequency of Outcome 5 = F (TOP) x P(x) x (1-P(Y)) x (1-P(OP))

It should be noted that the Event Trees are normally designed such that the success branch
will produce the least consequences and the failure branch to produce the most
consequences.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 28 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

T o p E ve n t , e i t h e r A fa i l s o r S y s t e m X W o rk s ? S y s t e m Y w o rk s ? O p e r a t o r t a k e s a vo i d i n g Consequence F re q u e n c y
B a n d C fa i l s a c t io n ?

w = 1 . 1 0 e -5 Q = 1 . 0 0 e -3 Q = 1 . 0 0 e -1 Q = 5 . 0 0 e -1

S ucc es s
O u tc o m e _ 1 4 . 9 5 e -6
S uc cess
F a ilu re
O u tc o m e _ 2 4 . 9 5 e -6
S ucc es s
S ucc es s
O u tc o m e _ 3 5 . 5 0 e -7
F a ilu re
F a ilu re
O u tc o m e _ 4 5 . 5 0 e -7
F a ilu re
S ucc es s
O u tc o m e _ 5 4 . 9 5 e -9
S uc cess
F a ilu re
O u tc o m e _ 6 4 . 9 5 e -9
F a ilu re
S ucc es s
O u tc o m e _ 7 5 . 5 1 e -1 0
F a ilu re
F a ilu re
O u tc o m e _ 8 5 . 5 1 e -1 0

Figure 6.1: Generic Event Tree Structure Illustrating the typical event tree format

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 29 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

6.2 Fault Trees

Fault trees are generally used when constructing a quantified risk assessment to
quantify the hazards identified in the HAZOP and Hazards Log, to more accurately
determine safety critical hazards and to assure that the (As Low As Reasonably
Praqcticable, ALARP) principle has been satisfied in relation to the residual risk. The
Fault Tree will generally identify equipment or software components that indicatively
affect the hazards risk, thereby providing a tool for analysing the total effect of failure
rates and Mean Time To Repair (MTTR) of components and their relationship to
hazard consequences and in summary their effect on the top event.

The table 6.1 below presents an indication of the typical symbols and their meanings,
to be used in fault trees presented in a typical risk assessments

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 30 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Basic Event Switch

The circle The house
describes a event is used
basic event as a switch to
that requires no include or
further eliminate parts
development. of the fault tree.
Frequency and mode of failure of items Effectively True or False to those parts in
so identified are derived from empirical the system. If a house event is AND’ed
data. It should be noted that if failures with a part of a tree it has the effect on
are revealed the Fault Tree + RATE including the other branch of the tree, if it
model will be utilised requiring the failure is OR’ed then the other branch is
rate of the component and the repair effectively discounted or switched off.
rate. If failures are un-revealed then the
Fault Tree + DORMANT model shall be
adopted requiring the failure rate and the
testing interval of the component. It
should be further noted that each of the
components modelled in the QRA will be
given a coding name which represents
their component type and failure
mechanism, this will be agreed prior to
the QRA development by the event
nomenclature table.
Basic Event Inhibit Gate
Indicates a sub Describes a
tree exists, but relationship
the sub tree was between one
evaluated fault and
separately and another. The
the quantitative input event
results inserted as a basic fault event directly produces the output event if the
indicated condition is satisfied.
Basic Event AND Gate
The diamond Describes the
describes a fault logical
event that is operation
considered whereby the
basic in a given existence of all
fault tree. The input events is
possible causes required to
of the event are not developed because produce the output event. If the inputs
the event is of insufficient consequence are event A and event B then the solution
or the necessary information is at the AND gate is the product of event A
unavailable. It is possible that such and event B i.e. Both must fail for the
events might be included for information gate to be satisfied.
but not actually explicitly modeled as part
of the numerical analysis.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 31 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Combination OR Gate
Event OR gates
The rectangle define the
identifies an situation
event that whereby the
results from the output event
combination of will exists if one
basic events or more of the input events exists. If the
through the input logic gates inputs are event A and event B then the
solution at the OR gate is that either
event A or event B can fail. Additionally,
voting gates (which utilise the OR symbol
will be used to represent areas where
failure of combinations such as one out
of two or two out of three or three out of
four failures can occur.
Transferred NOT Gate
O Event NOT gates
U The triangles define the
T are used as situation
transfer whereby the
IN symbols. A line logical state of
from the apex an event is
of the triangle indicates a transfer in, a reversed. The use of NOT gates will be
line transfer out. Transfers in can be limited, but their existence needs to be
used to avoid unnecessary duplication of highlighted for completeness.
large sections of fault trees that might
appear in several places – for example
fault trees modelling failure of electrical
supplies might be used in several places
in the overall QRA model.

Table 6.1 Typical List of Fault Tree Symbols

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 32 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Top Event,
either A fails or
B and C fails
IE

TOP1
w=1.10e-5

Failure of Failure of
component A component A
and B (Dormant
model)
IE IE

GATE1 EVENT_A

r=1e-007 tau=730

Failure of Failure of
component B component C
(Generic Model) (Dormant failure
model)
IE IE

EVENT_B EVENT_C

MODEL1:r=1e-006 tau=8760 r=1e-005 tau=730

Figure 6.2 An Example Simplistic Fault Tree

The above fault tree (figure 6.2) represents a simplistic tree where the
failures, which satisfy the top event are either Component A fails or
Component B and C fail. Hence, we say that the minimum Cut Sets are A
and BC, i.e. there are 2 minimum Cut-sets one of a single order i.e. A and
one of order two i.e. BC, this illustrates that a failure of A will directly lead to
the top event, or that a failure of both B and C would lead to the top event.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 33 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

SECTION 7: SOME NOTES ON HUMAN FACTORS

This section describes the PMSC vision of how Human Factors can be applied to
modern railway systems. However, we are pragmatic in our application of human
factors as we realise that the Human Factors input needs to be considered in the
context of the overall design application.

Human Factors/Ergonomics is the study to optimise the safety, efficiency and comfort
of people in their working environments. The aim is to maximize the capabilities, and
minimize the limitations of the people within the system.

Human Factors studies can be applied to any industry in which humans interact with
equipment and with each other, and to all stages of system life cycle from design and
implementation, commissioning to operation, maintenance and decommissioning.
Human Factors not only applies to working environments, but also to the passenger
environment in transportation systems.

A wide range of services are offered, including the following:

- Task Analysis
- Human Error Analysis
- Workplace and Workstation Design and Assessment
- Environmental Assessment
- Control and Instrumentation Design and Assessment
- Graphical User Interface Design
- Communications Analysis
- Training Needs Analysis and Training Program Development
- Procedures Design
- Workload Analysis and Manning Assessment
- Emergency Planning
- Safety Management and Organizational Studies
- Training (both general and specific) in the area of Human Factors
- Barrier Free Design

7.1 TASK ANALYSIS

Task Analysis is the identification of the requirements of the job tasks, in order to
match the demands of the system with the characteristics and capabilities of the
operator. This type of study can be used in the assessment of the adequacy of
existing designs, and can form the basis of new designs.

The following are a number of issues that task analysis can be used to address:

• Allocation of Functions between people and machines, and between people

and other people
• Staffing and Job Organisation
• Interface Design
• Skills and Knowledge Acquisition
• Performance Verification

7.2 HUMAN ERROR ANALYSIS

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 34 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Human Error Analysis can be used to demonstrate the robustness of the system
against inappropriate human performance. Potential errors, the causes, and
potential consequences are defined for each task or task step. Existing systems can
be assessed for the adequacy of error prevention, or error recovery mechanisms.
For new designs, mechanisms for error prevention and recovery can be defined.

Having identified and qualitatively analysed potential human errors, it is possible to

stop at that point and endeavour to reduce the possibility of occurrence. In certain
circumstances, it is useful to quantify the likelihood of these errors in order to perform
a cost benefit analysis i.e. if the likelihood of the error is high and the consequences
are severe then it is beneficial to take remedial actions to alleviate the situation.
Human Reliability Assessment methods are used to perform the quantification. The
Human Reliability Assessment can be performed solely on the human interaction
aspects of the system or it can be combined with equipment reliability as part of an
overall safety assessment.

7.3 WORKPLACE AND WORKSTATION LAYOUT

Human Factors guidelines, developed from human performance data and past
experience within industry, can be used to assess the adequacy of either existing
designs, or to propose new workplace designs. Anthropometric data (data which
describes typical body dimensions) can be applied to ensure that appropriate access
space is provided for both operations and maintenance activities within the work
area, to ensure all equipment can be reached and manipulated as intended. Human
Factors principles such as functional grouping, importance of equipment, sequence
and frequency of use are applied to achieve optimum workstation designs.

7.4 ENVIRONMENTAL ASSESSMENT

Environment, in this case, refers to the working environment and addresses the
issues of lighting, noise and temperature. Data exists which specifies optimum
lighting levels for specific types of tasks. Areas where there are potential noise
sources can be identified and appropriate methods of noise prevention, reduction or
protection will be recommended. Acceptable temperatures for different work areas
are a function of the level of activity to be carried out in that area and the amount of
clothing that will be worn. Data tables exist which allow the analyst to define the
appropriate temperature level and then the means of achieving that level can be
recommended.

7.5 CONTROL AND INSTRUMENTATION DESIGN

Detailed control and instrumentation design and assessment can be performed by

using the information obtained in the task analysis and by applying relevant Human
Factors guidelines. The most appropriate type of display or control is selected
according to its function, relating to the needs of the operator.

When the controls and displays are selected, the design details are specified or
assessed for adequacy by using the Human Factors guidelines that address size,
colour, labelling and direction of movement.

7.6 GRAPHICAL USER INTERFACE (GUI) DESIGN

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 35 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

The tasks to be carried out using a computer control system are defined in
consultation with the client/users. A task analysis of each task can then completed to
identify control and display requirements, in terms of information the user needs to
perform the necessary actions, and the feedback which is required to indicate
success or otherwise of these actions. Future system users have the opportunity to
participate in the design process from start to finish to ensure that their requirements
are met.

Any constraints and limitations in terms of the technology or the users requirements
will be identified at this stage. If an assessment is being carried out of an existing
system, or a new system is being installed to replace the existing system, the analyst
will define the positive and negative attributes. Information is elicited from
users/future users about the features they wish to retain and those that are
problematic.

The following aspects are addressed using the information obtained from the task
analysis and the application of ergonomics guidelines:

display structure
system navigation
content
layout of information on the screen
the use of colour
the use of symbols
the presentation of data
potential operator error and any other relevant aspects of design.

Sketches of the screen displays and a representation of the display structure are
usually presented to the client as a first step in the process, so that they may be
reviewed by the users in hard copy before being created on the computer screen.
The completed designs undergo usability testing to ensure that the system meets
user requirements in terms of comprehension of display content, suitability of layout,
appropriateness of user interaction, efficiency and accuracy of navigability, and
general usability for the tasks to be carried out. Recommendations resulting from
these exercises are then incorporated into the design.

7.7 COMMUNICATIONS ANALYSIS

The purpose of a communications analysis is to analyse the points in the task where
communication is required with other personnel or groups of personnel, either within
or external to the immediate work area. The analysis identifies when the
communication is needed, the origin in terms of the person and their location, the
destination in terms of the person and their location and the means of
communication. Any relevant performance shaping factors are examined for their
implications. The results of this assessment can feed into the operating procedures
to ensure that all necessary communications are carried out in an efficient and timely
fashion and can also feed into the design process to ensure that adequate means of
communication are provided for safe operation.

7.8 PROCEDURES DESIGN

The detailed task analysis can be used as an input to the procedural documentation,
ensuring that the content is complete, thorough and relevant. Human Factors
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 36 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

guidelines also exist to assist the procedure writer in the format and presentation of
the material to encourage optimum performance by the user. This applies not only to
operating instructions in industrial settings but also to the design and development of
any instructional material.

7.9 TRAINING NEEDS ANALYSIS

Training Needs Analysis can be used either to develop a training program where one
does not exist or to verify that the existing training program is adequate for the tasks
to be performed. Task Analysis is used to identify the content of the training program
in terms of the tasks that the operators will need to be trained to complete and how
they are carried out. The skills, knowledge and abilities necessary to carry out the
tasks can then be defined.

From the above information a training program can be developed to suit the needs of
the organisation. Decisions can be made as to the best training methods e.g. tasks
that are best suited to classroom training, and those which can only be taught
successfully through on-the-job training, and appropriate presentation methods will
be recommended. Once the training course is developed, it should be tested for its
effectiveness, and the feedback incorporated into the design of the training program.

7.10 HUMAN FACTORS TRAINING COURSES

Training courses can be provided that will introduce Human Factors in a general
sense to increase worker, designer or manager awareness of the importance of
these considerations. In addition, specific courses, relating to certain areas within
the study of Human Factors, can be administered to encourage the use of Human
Factors techniques within an organization or project. The training courses will be
modified to suit the needs of the specific client.

7.11 EMERGENCY PLANNING

Human Factors guidelines exist for the specification of the width of walkways and the
design of stairways and signs to provide the optimum design of escape route for
evacuation. More recently however, studies of human behaviour in threatening
situations have provided valuable information for the design of evacuation systems.
This information impacts upon the location of the escape route, the roles and
responsibilities of those within the command structure, the design of information
systems and the emergency procedures themselves. Identification of the relevant
behavioural phenomena and their impact upon evacuation success will allow the
Human Factors Analyst to assist in the development of effective evacuation systems
and the development of emergency plans and training.

7.12 WORKLOAD ANALYSIS AND MANNING ASSESSMENT

Once more the task analysis can be used as the basis for this technique. The
objective of this analysis is to decide upon the appropriate manning levels (or to
assess the existing workload of the staff) and to iron out the peaks and troughs. This
may be completed in one or more of several ways:

- reallocating the tasks between workers

- reallocating the tasks to different times of the day
- adjusting staffing levels
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 37 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

- automating parts of the process

- making other design changes.

7.13 BARRIER FREE DESIGN OR DESIGN FOR THE DISABLED

Attempts are being made to provide a safe, comfortable and accessible work place
for members of the population who have a disability or are seniors, particularly as the
population in general is aging and there are increasing numbers of disabled and
seniors within the workforce. Barrier free design has expanded beyond the
consideration of the work environment to include passenger and leisure
environments. Standards and guidelines are applied to design and assessment
situations to ensure acceptability, and cover such issues as:

• physical access
• reach distances
• slope/ramp and handrail design
• washroom design
• width of passageways
• width and operation of doorways
• table and chair/bench design
• information design
• control design (e.g. door handle design, soap dispenser design etc.)
• colour coding, and other relevant issues depending upon the design context.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 38 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

SECTION 8: SOME NOTES ON THE USE OF THE HEART METHOD

The Human Error and Reduction Technique was developed by Jerry Williams in the
1980’s to help assessors develop a systematic framework to derive human error
rates for application in probabilistic analysis. This section presents some useful
notes to assist in its application.

At PMSC we are regularly asked to incorporate human errors into an overall systems
analysis. In order to quantify any human errors we have used the Human Error and
Reduction Technique, HEART.

The formal reference for this methodology is as follows:-

A Data-Based Method for Assessing and Reducing Human Error to Improve

Operational Performance, J.C. Williams, June 1988 This part of appendix A presents
the detailed tables necessary for the application of the HEART methodology.

Figure 7.1 presents a flow chart for the HEART process and Tables 7.1 and 7.2
present the List of Generic Task Types and Performance Shaping factor multipliers
for each Error Producing Condition.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 39 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Definition of the Human Task to be

modelled (this may come from a task
analysis or from basic operating
procedures)

Assign appropriate base probability

Generic Task A 5.5 E-1

(range 0.35 - 0.97)

Select most applicable "Generic Generic Task B 2.6 E-1

Task" from HEART (range 0.14 - 0.42)

Generic Task C 1.6 E-1

(range 0.12 - 0.28)

Generic Task D 9 E-2

(range 0.06 - 0.13)

Generic Task E 2 E-2

(range 0.007 - 0.045)

Generic Task F 3 E-3

(range 0.0008 - 0.007)
Review HEART Performance
Select between 3 to 4of the Shaping factors(1 to 38) Generic Task G 4 E-4
most applicable (range 0.00008 - 0.009)
Performance Shaping
factors Generic Task H 2 E-5
(range 0.000006 - 0.0009)

Generic Task M 3E-2

(range 0.008 - 0.11)

Modify the base probablility using the

PSF multipliers. See Spreadsheet
Calculator

Document reason for

choice and F%
% applicability
Submit event probability into QRA
Fault or Event Trees

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 40 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Proposed Nominal
Letter GENERIC TASK Human Unreliability 5th –
95th Percentile Bounds
A Totally unfamiliar, performed at speed with no real 0.55
idea of likely consequences. (0.35-0.97)
B Shift or restore system to a new or original state on a 0.26
single attempt without supervision or procedures (0.14-0.42)
C Complex task requiring high level of comprehension 0.16
and skill. (0.12-0.28)
D Fairly simple task performed rapidly or given scant 0.09
Attention (0.06-0.13)
E Routine, highly—practiced, rapid task involving 0.02
relatively (0.007-0.045)
low level of skill
F Restore or shift a system to original or new state 0.003
following procedures, with some checking (0.0008-0.007)
G Completely familiar, well— designed, highly 0.0004
practised, routine task occurring several times per (0.00008-0.009)
hour, performed to highest possible standards by
highly—motivated, highly— trained and experienced
person, totally aware of implications of failure, with
time to correct potential error, but without the benefit
of significant job aids
H Respond correctly to system command even when 0.00002
there is an augmented or automated supervisory (0.000006-0.0009)
system providing accurate interpretation of system
state
M Miscellaneous task for which no description can be 0.03
found (Nominal 5th to 95th percentile data spreads (0.008-0.11)
were chosen on the basis of experience available
suggesting log normality

Table 8.1: List of HEART Generic Task Types

Maximum predicted
nominal amount by which
unreliability might change
Number Error—producing Condition
going from ‘good’
conditions to ‘bad’

1 Unfamiliarity with a situation which is potentially x 17

important but which only occurs infrequently or
which is novel
2 A shortage of time available for error detection and x 11
correction
3 A low signal—noise ratio x 10
4 A means of suppressing or over—riding information x9
or features which is too easily accessible
5 No means of conveying spatial and functional x8
information to operators in a form which they can

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 41 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Maximum predicted
nominal amount by which
unreliability might change
Number Error—producing Condition
going from ‘good’
conditions to ‘bad’

readily assimilate
6 A mismatch between an operator’s model of the x8
world and that imagined by a designer
7 No obvious means of reversing an unintended x8
action
8 A channel capacity overload, particularly one x6
caused by simultaneous presentation of non—
redundant information
9 A need to unlearn a technique and apply one which x6
requires the application of an opposing philosophy.
10 The need to transfer specific knowledge from x 5.5
task to task without loss
11 Ambiguity in the required performance standards x5
12 A mismatch between perceived and real risk x4
13 Poor, ambiguous or ill— matched system feedback x4
14 No clear direct and timely confirmation of an x4
intended action from the portion of the system over
which control is to be exerted
15 Operator inexperience (e.g. a newly—qualified x3
tradesman, but not an “expert”)
16 An impoverished quality of information conveyed by x3
procedures and person/person interaction
17 Little or no independent checking or testing of output x3
18 A conflict between immediate and long—term x 2.5
objectives
19 No diversity of information input for veracity checks x 2.5
20 A mismatch between the educational achievement x2
level of an individual and the requirements of the
task
21 An incentive to use other more dangerous x2
procedures
22 Little opportunity to exercise mind and body outside x 1.8
the immediate confines of a job
23 Unreliable instrumentation (enough that it is noticed) x 1.6
24 A need for absolute judgements which are beyond x 1.6
the capabilities or experience of an operator
25 Unclear allocation of function and responsibility x 1.6
26 No obvious way to keep track of progress during an x 1.4
activity
27 A danger that finite physical capabilities will be x 1.4
exceeded
28 Little or no intrinsic meaning in a task x 1.4
29 High—level emotional stress x 1.3
30 Evidence of ill—health amongst operatives, x 1.2
especially fever
31 Low workforce morale x 1.2
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 42 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Maximum predicted
nominal amount by which
unreliability might change
Number Error—producing Condition
going from ‘good’
conditions to ‘bad’

32 Inconsistency of meaning of displays and x 1.2

procedures
33 A poor or hostile environment (below 75% of health x 1.15
or life— threatening severity)
34 Prolonged inactivity or highly repetitious cycling of x 1.1 (for first half hour)
low mental workload tasks x 1.05 (for each hour
thereafter)
35 Disruption of normal work— sleep cycles x 1.1
36 Task pacing caused by the intervention of others x 1.06
37 Additional team members over and above those x 1.03 (per additional
necessary to perform task normally and man)
satisfactorily
38 Age of personnel performing perceptual tasks x 1.02

Table 8.2: List of Error Producing Conditions and Their Probability Multipliers

Error-Producing
Number Remedial Method
Condition
1 Unfamiliarity (x 17) Train operators to be aware of infrequently—
occurring conditions, simulate such situations, and
teach an understanding of the consequences
2 Time Shortage (x 11) Management must be aware that shortage of time is
likely to impair the reliability of decisions, both their
own and their staff’s — and try to ensure that
sensitive decisions are not taken against the clock.
3 Low S/N Ratio (x 10) Strenuous efforts must be made to ensure that such
(when really poor) ratios do not fall to unreasonably low levels
4 Features Over-ride If the consequence of placing a system in an
Allowed inappropriate state is potentially damaging, suitable
(x 9) inter—locking and inhibition must be provided,
together with any suitable time—outs to return
features to their appropriate quiescent state
5 Spatial and Functional Such incompatibilities should not occur — sufficient is
Incompatibility (x 8) now known about human engineering for population
stereotypes that the problem need not arise to any
extent
— where doubt exists advice should be obtained from
trained Ergonomists, who will either know exactly
how to arrange a design for spatial or functional
compatibility, or how to run an appropriate
experiment to find out what is required
6 Model Mismatch (x 8) Designers of systems and equipment aren’t always
right
— operators sometimes not only often have better
ideas but possess views about how a system should
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 43 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Error-Producing
Number Remedial Method
Condition
function which are contrary to those of system
designers — under pressure, particularly, operators
will revert to their own perceptions of how a system
should function, often with undesirable consequences
— to protect against such mismatches systems
designers must try to find out what their users’
expectations are, and then design these
characteristics into the system, omitting their own
prejudices, as they do so
7 Irreversibility (x 8) Obvious means should be provided to ensure that
errors can be reversed easily, for preference by
means of reversing the actions which created the
error in the first place.
8 Channel Overload (x 6) It should never be necessary to monitor more than
one information channel at any one time — single
events should not occur at more than three per
second.
9 Technique Unlearning The greatest possible care should be exercised when
(x.6) new techniques are being considered to achieve the
same outcome — they should not involve adoption of
opposing philosophies.
10 Knowledge Transfer (x Reliance should not be placed on operators’
5.5) transferring their previous knowledge without loss of
precision and meaning — if such perfect transfer is
required suitable job aids must be made available for
reference.
11 Performance Ambiguity The required performance standards must be tested
(x 5) for comprehensibility on the user population to ensure
that is there no ambiguity.
12 Misperception of Risk It must not be assumed that a user’s perception of
(x 4) risk is the same as the actual level — if necessary a
check should be made to ascertain where any
mismatch might exist and what its extent is.
13 Poor Feedback (x 4) A task analysis will show the points at which
feedback must be available to operators
— Ergonomists can advise on the best form of
feedback if doubts should arise — what one is
looking for is complete system transparency
14 Delayed/Incomplete System response times should never exceed four
Feedback (x 4) seconds and there must always be sufficient
information to enable operators to step confidently on
to the next part of a task — if doubt exists the
feedback is incomplete.
15 Inexperience (x 3) Personnel criteria should contain specified
experience parameters thought relevant to the task
— chances must not be taken for the sake of
expediency.
16 Impoverished Procedures should be human— engineered and
Information tested for operability — it should be assumed when
(x 3) personnel are required to communicate with each
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 44 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Error-Producing
Number Remedial Method
Condition
other that very considerable information loss will
occur — procedures must not rely on accurate verbal
transmission of information for success.
17 Inadequate Checking When high reliability is paramount, independent
(x 3) checks on accuracy should be made, by people and
systems that do not have any vested interest in the
success or failure of an individual —blame should not
attach to any inadequacies found at this level
18 Objectives Conflict (x Objectives should be tested by management for
2.5) mutual compatibility, and where potential conflicts are
identified these should either be resolved to make
them harmonious or made prominent so that a
comprehensive management control programme can
be created to reconcile such conflicts as they arise, in
a rational fashion.
19 No Diversity (x 2.5) It should not be assumed that operators will rely
totally on a single information source for confirmation
of accuracy, and enquiries should be made to
ascertain what additional sources are referred to, so
that these are not denied operators, and, if possible,
are enhanced.
20 Educational Mismatch The job profile should identify any potential mismatch
(x 2) of recruits against requirements — educational
standards should be made explicit; there should be
no ambiguity
21 Dangerous Incentives It is intuitively obvious that people work for rewards of
(x 2) various natures — if the reward for doing something
quickly is greater than the reward for doing it
accurately, or the reward for omitting an action is
greater than the reward for performing it we should
not be surprised if that is, in the main, what happens
— the reward system must be evaluated carefully,
therefore, to ensure that the desired behaviour is
emitted, rather than that which might be construed as
being appropriate simply because facets of the task
are seen to conform to a partial criterion — if in
doubt, seek advice from Management Scientists
and/or Psychologists
22 Lack of Exercise (x 1.8) Frequent rest breaks should be designed into the job,
and the system made tolerant to personnel taking
breaks as the need arises — tuition should be given
in techniques for maintaining high levels of arousal,
such as postural change, personal ventilation and
recognition of fatigue symptoms — encouragement
should be given to engage in appropriate mild forms
of physical exercise and relaxation and stress control
—On—the—job refresher training should be given
and frequent exercises to maintain and enhance
levels of competence and awareness of technical
progress innovation given.
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 45 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Error-Producing
Number Remedial Method
Condition
23 Unreliable Instruments Regrettably it is a fact that when instrumentation is
(x 1.6) found to be unreliable operators will cease to trust its
indications to the extent of ignoring valid information
and preferring to believe their own interpretations,
despite overwhelming evidence to the contrary — if
instrumentation is thought likely to be unreliable it
should be withdrawn from service, and more reliable
instrumentation substituted
— no doubts should exist about its suitability.
24 Absolute Judgements Operators must not be placed in the position of
Required having to make judgements about the meaning of
(x 1.6) data which are outside their span of apprehension or
experience
— a task analysis will reveal when such conditions
are likely to arise, and management must plan for
such contingencies, by recognising the
circumstances and taking full responsibility for actions
which might be taken on their behalf — “brain-
storming” and problem—solving workshops are
helpful to identify some of the most bizarre situations
in which staff and management can find themselves
— it is likely that discussion of these ‘grey areas’ of
organisational behaviour will reinforce mutual
respect, and anticipate future conflict and/or issues of
culpability at a time of zero threat.
25 Unclear Allocation of As with the area above, doubt must not exist about
Function responsibilities — whilst they can, and should, be
(x 1.6) stated on paper, joint preparation of a functional
specification will remove doubts and anxieties, and
lead to the development of healthy attitudes towards
the system design concepts—Organisational
Development Specialists and/or Behavioural
Scientists should be involved in facilitating the
preparation of a satisfactory working protocol.
26 Progress Tracking Various job aids must be supplied in order to ensure
Lack (x 1.4) that operators do not get out of step with the task in
hand — these can range from checklists through
mimics to electronic monitoring of progress against
targets —if such aids are introduced they must be
piloted to ensure that they are compatible with user
needs and that there is an incentive to use them
—Ergonomists can advise on these job design
aspects
27 Physical Capabilities It should be self-evident that tasks must not exceed
(x 1.4) the operators’ capabilities
—Reference to Human Factors Standards will ensure
that these capabilities are not exceeded.
28 Low Meaning (x 1.4) Meaning can be built into a job by preparing job
descriptions with the staff concerned, showing them
the significance of their contribution to corporate
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 46 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Error-Producing
Number Remedial Method
Condition
objectives, designing variety into their duties by
arranging for job features such as task rotation to
enhance system awareness, and holding periodic
reviews of working practices to ensure that symptoms
of alienation are not manifesting themselves
— Behavioural Scientists can advise on suitable
precautions.
29 Emotional Stress (x Management and medical staff must be vigilant to
1.3) recognise the onset of emotional problems which can
manifest themselves via symptoms such as
excessive absence, persistent lateness, obsessive
behaviour, lack of cooperation and exceptional
fatigue — personal stress control training
programmes could be considered, and potentially
stressful decision—making circumstances identified
so that the conditions can be modified to limit
occurrence of extreme generalised stress.
30 Ill-health (x 1.2) Until it is pointed out, it is not apparent that ill—
health can have such deleterious effects on
performance — often the effects of, say, a cold or ‘flu
do not manifest themselves until well into a shift — by
now it should be obvious that operators and
managers who are ill should not attempt to undertake
work requiring reliability, and out of respect for others,
for integrity and peace of they should stay away,
recovered — a medical awareness programme would
be helpful.
31 Low Morale (x 1.2) Apart from the more obvious ways of attempting to
secure high morale by way of financial reward, for
example, other methods involving participation, trust
and mutual respect, often hold out at least as much
promise
— Building up morale is a painstaking process, which
involves a little luck and great sensitivity —
employees must be given reason to believe in their
employer and themselves — this can be
accomplished by a battery of activities, such as joint
preparation of work plans and objectives, maximal
delegation of authority, reward for effort and results,
provision of subsidised fringe benefits, firmness of
resolve and openness — it is not achieved to any
great extent by appeals to workforces to stick by
management — the respect necessary to make
morale rise is earned not enforced — a sensitive,
caring management, would be unlikely to encounter
such problems
32 Inconsistency Displays Even if the conventions adopted for display layout
(x 1.2) and procedure design are not human—engineered
for ease of use, they must be consistent within
themselves e.g. if a display is showing an increasing
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 47 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Error-Producing
Number Remedial Method
Condition
value even though in an analogue sense the portion
shown is decreasing, this convention must be
adhered to throughout
— Even though such a principle is wrong” (for
preference such an approach would not be
encouraged, of course)
33 Poor Environment (x It should be self—evident that a poor environment is
1.15) likely to impair performance
— by and large this should not occur nowadays with
the introduction of legislation to control environments
—to minimise any deleterious effects Work
Physiologists, Ergonomists and/or Architects should
be consulted for details of appropriate parameters.
34 Low Loading (x 1.1) 1st Prolonged inactivity or highly repetitious cycling of
½ hour low mental workload tasks must be avoided —
(x 1.05) each hour generally when signal frequency falls below two per
thereafter minute or involves little or no variability, vigilance
performance will degrade — to combat such effects
the introduction of artificial signals has been found to
be helpful, and job enrichment (with the introduction
of different, more varied tasks) has been found to
minimise boredom, and better hold attention
— Rather than combat these effects, it is better to
ensure that such conditions do not arise in the first
place i.e. observation tasks demanding high human
reliability should never require sessions of longer
than one hour’s concentration and tasks involving
very low signal frequency should not be designed —
if possible such tasks should be automated.
35 Sleep Cycle Disruption Only extreme sleep deprivation will cause
(x 1.1) performance degradation — our major interest,
therefore, is in keeping small amounts of deprivation
to a minimum —this can be achieved by keeping
operators on a “stable” shift system such that there
are no radical changes to either the pattern or the
time of day over which such changes occur — the
frequency with which changeovers occur should be
as low as can reasonably be achieved — advice
should be sought from Work Physiologists.
36 Task Pacing (x 1.06) Although all work ultimately involves some element of
pacing, the unwitting or deliberate introduction of
pacing will lead to a slight reduction in reliability —this
can be avoided by checking work systems to ensure
that there is sufficient ‘buffering’ such that operators
are not subject to undue pressure and can work at
their own preferred pace — the one which best
matches their capability.
37 Supernumeraries (x Where possible, limit gatherings of staff at
1.03) workplaces to those necessary to perform tasks
satisfactorily.
A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,
www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 48 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Error-Producing
Number Remedial Method
Condition
38 Age (x 1.02) Monitor perceptual capabilities of personnel required
to perform task demanding high acuity and accurate
information processing.

Table 8.3 List of Possible remedial Methods for Error Producing Conditions

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 49 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

The first stage of the HEART process is to identify with the systems the possible
sources of human error.

Once identified on the human error probability can be modified by the factors
representing the various performance shaping factors using the Table

The second stage is to calculate the assessed affect of human error to the system,
illustrated in the example below.

Step 1: Identify the Generic Task in the system for the operator (A-M in table 7.1)

F = 0.003 (operators work in shift formations, some validation)

Identify Error-Producing Conditions (EPC) from table 7.2 and obtain engineers
assessment of its contribution effect, to calculate Assessed affect.

Step 2: Conduct assessment

Total HEART
Engineers Assessed
Factor affect (Table Assessed affect
proportion to affect
7.11.4)
Inexperience [15] x3 0.4 (3-1) x 0.4 + 1 =1.8
Opposite technique [9] x6 1.0 (6-1) x 1.0 + 1 = 6.0
Risk Misperception [12] x4 0.8 (4-1) x 0.8 + 1 = 3.4
Conflict of Objectives X 2.5 0.8 (2.5-1) x 0.8 + 1 =
[18] 2.2
Low Morale [31] x 1.2 0.6 (1.2-1) x 0.6 + 1
=1.12

Assessed nominal likelihood of failure

Generic Task x Assessed Factor 1...x Assessed Factor n= Assessed Nominal
Likelihood of Failure

0.003 x 1.8 x 6.0 x 3.4 x 2.2 x 1.12 = 0.27

It should be noted that probability of failure could never exceed 1.0, if by

multiplication it does the failure is assumed to be 1.0.
N
Modified Pr obability = Base × ∏ Fi
i =0

Fi = [(Fmax i − 1) × F % + 1]
Fmax I = max factor

F% = % applicability relative contributions(these are based on engineering

judgement)

Factor % Contribution made to unreliability

modification
Opposite Technique 41
Misperception of risk 24
Conflict of objectives 15
Inexperience 12
Low Morale 8

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 50 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Step 3: Prioritise Reducing Measures

The third stage is to form conclusions with these results and prioritise reducing
methods. Table 7.3 provides techniques to be implemented to reduce human error.
In the example opposite technique has the highest contribution of 41%, thus the
greatest priority. The suggested remedial:

[9] The greatest possible care should be exercised when new techniques are
being considered to achieve the same outcome — they should not involve adoption
of opposing philosophies.

The final stage is to implement the remedial advice.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 51 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

SECTION 9: SOME NOTES ON FIRE RISK ASSESSMENT

It is vital that any new railway project has an adequate and fully integrated fire safety
concept. The project should consider a fire safety study to provide an overall
assessment of the fire risks and examine the impact on the railway. The study should
enable the railway systems to be optimised and configured to achieve a set of overall
fire safety objectives. PMSC has undertaken a similar study already see project 90.

The fire safety objectives should primarily achieve an acceptable level of fire safety
(risk from fire) for passengers, staff, emergency services personnel and any other
legitimate occupants of the rail network.

As a first step the fire safety study would require an overall system assessment of the
level of fire safety proposed to examine fire safety approaches and identify any
weaknesses or opportunities for application of alternative strategies, which may be
more suitable.

This systems approach to fire safety should consider the interactions among various
system components that can create mitigating conditions not evident when
examining the performance of individual components.

Once the overall fire safety has been examined on a system wide level, individual
sub-systems or components should be examined in detail to optimise their
configuration in relation to maintaining the overall fire safety objectives while meeting
other system objectives.

The basic principle of fire safety should be that if a fire does not occur in the first
place then there is no impact on the fire safety objectives. However, practically it is
often difficult to prevent ignition while still having an operational system. Thus fire
prevention measures can only be implemented where they do not significantly impact
the fundamental design/operational requirements of the system.

There are three ways in which a fire may be prevented as follows:

• Controlling ignition (heat/energy) sources

• Controlling the available fuels
• Controlling interactions between ignition sources and fuel

There are two ways in which an ignition source may be controlled, by eliminating the
ignition source, or by controlling the potential ignition source such that its heat /
energy output is not sufficient to cause ignition. Similarly, there are two strategies
that can be adopted to prevent fire ignition by eliminating the fuel, or controlling its
ignitability.

Suppression of a fire is another method of managing the impact of the fire.

Suppression can be undertaken either manually or automatically by various fire
suppression systems. The most common form of an automatic fire suppression
system is a fire sprinkler system. However given that the railway will use electricity
as its energy source, an automatic sprinkler system is likely to be inappropriate. Thus
automatic gaseous suppression systems could be used.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 52 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Manual suppression systems require the fire to be detected, communicated, action to

be decided, and a response to the site of the fire together with sufficient suppressant
been applied. While there are a lot of dependencies, manual suppression can be
quite effective, particularly if early detection and notification is provided.

In addition to manual fire suppression facilities, fire hydrants can be provided in

tunnels and underground stations to enable manual suppression of large fires by the
fire brigade and rescue services.

Evacuation of passengers and staff in the case of fire should also be considered
within the fire safety concept. There are usually many different scenarios that could
occur with regard to railway fires (i.e. open track, tunnel, within a train, within wayside
equipment or buildings). Hence, a comprehensive assessment should be made of
the credible scenarios and mitigation features, and emergency planning should be
employed as necessary. Since there are many interdependencies associated with
railway fire conditions, and subsequent evacuation, it is usually necessary to use
computer-based simulations and analysis tools to adequately assess the likely
outcomes of the scenarios.

Other key aspects of providing an acceptable level of overall fire safety are:

• Selection of materials to minimise the growth and spread of fire,

smoke, and toxic gases (i.e. materials used in the construction of the
railway should be selected and tested to recognised international
standards)
• Provision of automatic detection within major fuel loads (i.e.
electrification sub-stations)
• Provision of communication systems to all public areas
• Provision of emergency walkways in tunnels if necessary
• Provision of pressurised emergency exits to permit evacuation from
tunnels if necessary
• Tunnel emergency evacuation fans if necessary

PMSC has the capability to organise and coordinate fire testing of materials for
toxicity and spread of flame according to recognised British Standards BS6853 and
BS 476.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 53 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

SECTION 10: SOME USEFUL SYSTEMS ASSURANCE REFERENCES

Topic Area International Standards/Data Sources

FMECA • Military Standard 1629
• IEC Publication 812‘Analysis Techniques for System Reliability -
Procedure for Failure Mode and Effects Criticality’.
HAZOP • MIL-STD-882B: ‘System Safety Management’,

• prENV50126: ‘Railway Applications – The Specification and

Demonstration of Dependability, Reliability, Availability,
Maintainability and Safety (RAMS)’

• DEF STAN 00-58’Hazop Studies on Systems Containing

Programmable Electronics’

• “Hazop and Hazan” by T Kletz (UK) Institution of Chemical

Engineers 3rd Edition 1992.

• Railtrack Yellow Book

FTA and ETA • NUREG-0492 ‘Fault Tree Handbook’ D F Hassel, N H Roberts, W E

Vesely, and F F Goldberg US Nuclear Regulatory Commission

• Reliability and Risk Assessment by J.D Andrews and TR Moss

ISBN 0-470-23345-1, Chapter 7 Fault Tree Analysis.

• Combined FTA/ETA modeling tool is Fault Tree +

(Currently version 9)

Reliability Analysis • IEC 61508 - Functional Safety: Safety-Related Systems Part 2 and 6
(includes analysis
and demonstration) • MIL-STD-785B: ‘Reliability Program for Systems and equipment
Development and Production

• MIL-STD-756: ‘ Reliability Modeling and Prediction’

• MIL-STD-2173: ‘ Reliability Centred Maintenance

• MIL-HDBK-217F: ‘Reliability Prediction of Electronic equipment’,

• DEF STAN 00-40: ‘Reliability and Maintainability Parts 1-8’,

• DEF STAN 00-43: ‘Reliability and Maintainability Assurance Activity’.

• International Electrotechnical Commissions Standard – 60300 –

Dependability Management

• International Electrotechnical Commission Standard – 60571, Part 3

– Electronic Equipment Used on Rail Vehicles, Components,
Programmable Electronic Equipment and Electronic System
Reliability

• International Electrotechnical Commissions Standard 60605,

Equipment Reliability Testing

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 54 of 55
 The Application of RAMS in Large Scale Complex Railway Projects
RAMS Seminar at Palace Hotel, Madrid, Spain, 2nd December 2004

Topic Area International Standards/Data Sources

• BS Euro Norm 50126, 1999, Railway Applications – The

Specification and Demonstration of Reliability, Availability,
Maintainability and Safety (RAMS)

• Euro Norm 50129, 1998, Railway Applications – Safety Related

electronic systems for Signalling.

• MIL-STD-471A – Military Standard Maintainability Verification /

Demonstration / Evaluation.

Software SIL • IEC 61508 Parts 3 and Parts 6, Functional Safety of

Analysis Electrical/Electronic/Programmable Electronic Safety-related systems
Part 3 : Software Requirements, Part 6 : Guideleines on the
applications of parts 2 and 3.

• RIA 23, BRB/LU LTD/RIA Technical Specification Number 23 1991,

Safety Related Software For Railway Signalling – Consultative
document. (this has now been largely superceeded by the
requirements as set out in IEC 61508)

• prEN 50128, Draft European Standard, Railway Applications –

Software For Railway Control and Protection Systems.
Human Factors • Human Reliability Assessors Guide Book
• A Guide to Task Analysis
• NUREG 1278 Swaine & Guttmann
• Papers by Williams on HEART

Fire Analysis • BS6853 1999, Code of Practice for Fire Precautions in the design
and construction of passenger carrying trains
• BS476, Fire tests on Buildings Materials and Structures, Part 6
Method of Test for Fire Propagation for Products
• BS476, Fire tests on Buildings Materials and Structures, Part 7
Method of Test to determine the classification of the surface spread
of flame of products
• NFPA 130, Standards for Fixed Guideway Transit and Passenger
Rail Systems 2000 Edition.

A Seminar Presentation By Paul Mann of PM Safety Consultants Limited UK,

www.pmsafety.co.uk Copyright vested solely in PMSC Limited UK. Page No 55 of 55