Draft EIRS JM V2-10 APP 2-H Emergency Safety Plans

This document provides an overview of the California High-Speed Rail Authority's Safety and Security Management Plan. It outlines the goals and objectives of integrating safety and security best practices into the planning, design, construction and operation of the high-speed rail system. Key aspects covered include hazard management procedures, development of safety and security design criteria, operational requirements, emergency preparedness planning, and certification processes to ensure safety and security are addressed throughout the project lifecycle.


APPENDIX 2-H: EMERGENCY AND SAFETY PLANS
California High-Speed Rail Authority, April 2020
San Jose to Merced Project Section Draft Project EIR/EIS

CALIFORNIA HIGH-SPEED RAIL PROGRAM
SAFETY AND SECURITY MANAGEMENT PLAN
Revision 2

Prepared by: John Cockle, RDP System Safety Manager. Date: 06/30/2016
Reviewed by: Lurae Stuart, RDP System Security Manager. Date: 06/30/2016
Reviewed by: Victor Salazar, CHSRA Safety Security Manager. Date: 06/30/2016
Approved by: Jon Tapping, CHSRA Director Risk Management. Date: 06/30/2016
Released by: Jeff Morales, Chief Executive Officer. Date: 8/22/16

Revision / Document Sections/Pages Affected / Date of Document
Rev 0: Initial Draft (02/14/2013)
Rev 1: Revised to reflect new hazard management principles and processes, new Authority organizational structure, and new construction requirements for safety and security (03/04/2014)
Rev 2: Revised section on handling of D/B Contractor Certification Package submittals, and Safety/Security Roles and Responsibilities for the RDP (06/30/2016)
TABLE OF CONTENTS
1.0 Management Commitment and Philosophy 1
1.1 Safety and Security Policy Statement 1
1.2 Background 1
1.3 Purpose of the SSMP 2
1.4 Applicability and Scope of SSMP 2
1.4.1 Project Description 2
1.4.2 Phased Implementation 3
1.4.3 SSMP Scope 3
1.5 SSMP Goals and Objectives 4
1.5.1 Goals 4
1.5.2 Objectives 4
1.6 SSMP Review and Updates 5
1.7 SSMP Applicability to Third Parties 5
1.8 System Safety Program Plan and System Security Plan 5
2.0 Integration of Safety and Security into the CHSRP Development Process 6
2.1 Safety and Security Activities 6
2.2 Procedures and Resources 7
2.2.1 Procedures 7
2.2.2 Resources 8
2.3 Interfacing with Management 8
3.0 Safety and Security Responsibilities 9
3.1 Roles and Responsibilities 9
3.2 Authority Organization 10
3.2.1 Authority Chief Executive Officer 10
3.2.2 Authority Director of Risk Management 11
3.2.3 Authority Safety and Security Manager 11
3.3 Rail Delivery Partner Organization 11
3.3.1 RDP System Safety Manager 11
3.3.2 RDP System Security Manager 12
3.3.3 RDP Construction Safety Office 12
3.3.4 Other RDP Managers 13
3.4 Contract/Procurement Safety and Security 13
3.5 Committee Structure 13
3.5.1 Safety and Security Executive Committee 13
3.5.2 Safety and Security Program Committee 14
3.5.3 Safety and Security Working Group (SSWG) 15
3.5.4 Fire and Life Safety and Security Committees (FLSSC) 15
3.5.5 Change Control 16
3.5.6 Rail Activation Committee (RAC) 16
3.5.7 System Integration Testing Committee (SITC) 16
3.6 Safety and Security Responsibilities Matrix 16
4.0 Hazard Management 18
4.1 Overview 18
4.2 Risk-Based Safety Hazard Management 18
4.2.1 Application of Risk-Based Hazard Management – Common Safety Method 19
4.2.2 System Definition 21
4.2.3 Hazard Identification and Classification 22
4.2.4 Risk Analysis 23
4.2.4.1 Application of Codes of Practice 25
4.2.4.2 Use of a Reference System 25
4.2.4.3 Explicit Risk Estimation 26
4.2.5 Risk Estimation Process and Risk Acceptance Criteria 27
4.2.6 As Low As Reasonably Practicable (ALARP Principle) 32
4.2.7 Hazard Analysis Processes and Documentation, Verification and Validation 32
4.3 Security Risk Assessment Process 34
4.3.1 Assets 36
4.3.1.1 Identification 36
4.3.1.2 Criticality Determination 36
4.3.2 Identification of Threats 36
4.3.3 Scenario Analysis 38
4.3.4 Identification of Vulnerabilities 39
4.3.5 Determining Likelihood 40
4.3.6 Determining the Consequence 41
4.3.7 Security Risk Criticality Matrix 42
4.3.8 Countermeasure Development 43
4.3.9 Residual Risk 44
4.3.10 Reporting 44
4.4 Verification and Validation Documentation 45
5.0 Development of Safety and Security Design Criteria 46
5.1 Prevention through Design 46
5.2 Design Criteria 47
5.3 Design Reviews 48
5.4 Deviations and Changes 48
6.0 Operations and Maintenance 50
6.1 Operations and Maintenance Requirements 50
6.2 Operational Plans, Rules and Procedures 51
6.3 Training Program 51
6.4 Emergency Preparedness 52
7.0 Safety and Security Certification Program 53
7.1 Overview 53
7.2 Program Goals and Objectives 54
7.3 Responsibilities 54
7.4 Safety and Security Certification Process 54
7.4.1 Certifiable Elements 55
7.4.2 Certifiable Items Lists 56
7.4.3 Tracking of Hazards and Vulnerabilities 57
7.4.4 Certification of Final Design and Construction 58
7.4.5 Testing Phase Certification 59
7.4.6 Startup Phase Certification 59
7.4.7 Open Items List 60
7.4.8 Conditional Certification 60
8.0 Construction Safety and Security 61
8.1 Overview 61
8.2 Program Elements 61
8.2.1 Safety and Security Management Plan 61
8.2.2 Site-Specific Plans 62
8.2.3 Construction Safety and Security Management 62
8.2.4 Stop Work Order 62
8.3 Construction Risk Management 62
9.0 State Safety Oversight Regulations 64
9.1 Applicability 64
10.0 Coordination with Federal Railroad Administration 65
10.1 Activities 65
10.2 Implementation 66
10.3 Coordination Process 66
11.0 Department of Homeland Security Coordination 67

Figures
Figure 3-1 CHSRP Organization for Safety and Security Activities 10
Figure 4-1 The Common Safety Method Process 20
Figure 4-2 Security Risk Assessment Process 35
Figure 4-3 Security Risk Worksheet Example 45
Figure 7-1 CEHL (Sample) 57
Figure 7-2 Certificate of Conformance (Sample) 59

Tables
Table 2-1 Project Safety and Security Activities Matrix 7
Table 3-1 Safety and Security Responsibilities Matrix 16
Table 4-1 Hazard Severity Categories 29
Table 4-2 Hazard Frequency Categories 30
Table 4-3 Risk Assessment Matrix 31
Table 4-4 Risk Acceptance Matrix 31
Table 4-6 Threat Category Examples 37
Table 4-7 General Crime Categories and Examples 37
Table 4-8 Threat or Attack Types Examples 37
Table 4-9 Threat Rating Matrix (Intent x Capability) 38
Table 4-10 Threat Rating and Definitions 38
Table 4-11 Vulnerability Levels and Description 40
Table 4-12 Likelihood Determination Matrix (Threat x Vulnerability) 41
Table 4-13 Likelihood Rating and Definitions 41
Table 4-14 Consequence Ratings and Assessment Criteria 42
Table 4-15 Security Risk Criticality Matrix (Likelihood x Consequence) 43
Table 4-16 Security Risk Index 43

Appendices
Appendix A – California High-Speed Rail Authority Organizational Chart
Appendix B – CHSRP Construction Safety Program Requirements
Appendix C – Technical Memorandum 500.01 Safety and Security Policy Statement
Appendix D – Technical Memorandum 500.02 Safety and Security Executive Committee Charter
Appendix E – Technical Memorandum 500.03 Safety and Security Program Committee Charter
Appendix F – Technical Memorandum 500.04 Fire and Life-Safety and Security Program
Appendix G – Hazard Analysis Descriptions
ACRONYMS AND ABBREVIATIONS

Acronym or Abbreviation: Definition
ARHRAM: Adjacent Railroad Hazard Risk Assessment Model
Authority: California High-Speed Rail Authority
CFR: Code of Federal Regulations
CHSR: California High-Speed Rail
CHSRP: California High-Speed Rail Program
CIL: Certifiable Items List
CPUC: California Public Utilities Commission
DHS: Department of Homeland Security
DOORS: Dynamic Object Oriented Requirements Management System (V&V database)
EMT: Engineering Management Team
FD: Final Design Phase
FLSSC: Fire/Life Safety and Security Committee
FMEA: Failure Mode Effects Analysis
FRA: Federal Railroad Administration
FTA: Federal Transit Administration
FTAn: Fault Tree Analysis
ICS: Initial Construction Segment
OHA: Operating Hazard Analysis
PCM: Project Construction Management
PE: Preliminary Engineering Phase
PHA: Preliminary Hazard Analysis
PMO: Program Management Oversight
PMP: Project Management Plan
PTEPP: Passenger Train Emergency Preparedness Plan
QC: Quality Control
RAC: Rail Activation Committee
RAP: Rail Activation Plan
RC: Regional Consultant
RDP: Rail Delivery Partner
SITC: System Integration Testing Committee
SONO: Statement of No Objection
SSCP: Safety and Security Certification Plan
SSEC: Safety and Security Executive Committee
SPP: Security Program Plan
SSPP: System Safety Program Plan
SHEA: Software Hazard Effects Analysis
SiSHA: Site-Specific Hazard Analysis
SiSTVA: Site-Specific Threat and Vulnerability Assessment
SSHASP: Site-Specific Health and Safety Plan
SSI: Sensitive Security Information
SSMP: Safety and Security Management Plan
SSPC: Safety and Security Program Committee
SSSP: Site-Specific Security Plan
SSWG: Safety and Security Working Group
TSA: Transportation Security Administration
TVA: Threat and Vulnerability Assessment
V&V: Verification and Validation


REFERENCE DOCUMENTS
The following documents are referenced in this SSMP:
• 49 CFR Parts 200-299, Federal Railroad Administration regulations
• 49 CFR Part 633, Federal Transit Administration Project Management Oversight
• 49 CFR Part 659, Federal Transit Administration State Safety Oversight
• ANSI Z590.3-2011 Prevention through Design, 01/23/2012
• California Code of Regulations Title 8 Construction Safety Orders
• Department of Defense Military Standard 882E, Standard Practice for System Safety, 5/11/2012
• European Railway Agency Common Safety Method on Risk Evaluation and Assessment, Official Journal of the European Union, 29.4.2009, Regulation 352/2009/EC
• European Railway Agency Guide for the Application of the CSM Regulation, ERA/GUI/01-2008/SAF, Version 1.1, page 26
• FRA Collision Hazard Analysis Guide: Commuter and Intercity Passenger Rail Service, October 2007
• FTA Handbook for Transit Safety and Security Certification, 11/2002
• FTA document Hazard Analysis Guidelines for Transit Projects, 01/2000
• FTA document Public Transportation System Security and Emergency Preparedness Planning Guide, 01/2003
• FTA Circular 5800.1 Safety and Security Management Guidance for Major Capital Projects, dated 8/1/07
• Federal Transit Administration manual Transit Safety Management and Performance Measurement, FTA Office of Safety and Security, 2011
• ISO 31000 Risk Management Standard
1.0 MANAGEMENT COMMITMENT AND PHILOSOPHY

1.1 Safety and Security Policy Statement

Safety and Security Policy Statement

It is the policy of the California High-Speed Rail Authority (Authority) to perform work on the California High-Speed Train System (CHSTS) in a manner that ensures the safety and security of passengers, employees, contractors, emergency responders, and the public. The application of system safety and security comprises a fundamental hazard and vulnerability management process that incorporates the characteristics of planning, design, construction, testing, operational readiness, and subsequent operation of the high-speed rail system. Safety and security are priority considerations in the planning and execution of all work activities on the CHSTS.

All trains, facilities, systems and operational processes must be designed, constructed, and implemented in a manner that promotes the safety and security of persons and property. The design, construction, testing, and start-up of the CHSTS will comply with applicable safety and security laws, regulations, requirements and railroad industry practices. The Authority will maintain or improve upon the public transit and railroad industry standards for safety and security. Through the Reliability, Availability, Maintainability, and Safety (RAMS) Program a standard of safety will be established that is as safe as or safer than conventional U.S. railroad operations and in conformance with the best practices and standards for safety in the international high-speed rail industry. The design, construction, testing, and start-up of the CHSTS will be accomplished in compliance with this standard.

The Authority is committed to providing a safe and secure travel and work environment. Therefore, safety, accident prevention, and security breach prevention must be incorporated into the performance of every employee task. All Authority, Program Management Team, and contractor personnel, subcontractors and employees are charged with the responsibility for ensuring the safety and security of passengers, employees, contractors, emergency responders, and the public who come in contact with the CHSTS. Each individual and organization is responsible for hazard and vulnerability management, for applying the processes that are designed to ensure safety and security, and for maintaining established safety and security standards, consistent with their position and organizational function. Through a cooperative team effort and the systemic application of safety and security principles, the CHSTS will be designed, constructed, tested, and placed into service in a safe and secure manner.

Jeffrey Morales, CEO, California High-Speed Rail Authority. Date: 12-5-12

1.2 Background
The Federal Railroad Administration (FRA) requires that the California High-Speed Rail Authority (Authority) implement safety and security principles and processes throughout the development and operation of the California High-Speed Rail Program (CHSRP). Absent federal regulations that govern the completion of major capital projects, FRA looks to the Federal Transit Administration (FTA) regulations for guidance. FTA regulations found at 49 CFR Part 633 require the development of a Project Management Plan (PMP) for every major capital transit project. As described in FTA Circular 5800.1 Safety and Security Management Guidance for Major Capital Projects (dated 8/1/07), a Safety and Security Management Plan (SSMP) is the element of the PMP that manages project safety and security activities, responsibilities, and verification processes throughout the project life cycle. This document fulfills the FRA requirement for managing safety and security in the development and operation of the CHSRP.

The SSMP does not carry over into revenue operations, but will lead to development of a System Safety Program Plan (SSPP), Security Program Plan (SPP) and Emergency Preparedness Plan (EMP) to govern safety and security for the operating system prior to the start of revenue service. The FRA is in the process of promulgating regulations that require the application of a System Safety Program Plan to inter-city passenger railroad operations.

1.3 Purpose of the SSMP


The SSMP formalizes the management principles and strategies for determining safety and security risk
acceptance throughout the CHSRP life cycle, from the design phase through the start of revenue service,
and is applied to each segment undertaken in turn. The SSMP defines the process for identifying,
evaluating, and resolving safety hazards and security vulnerabilities associated with future railroad
operations of the System prior to the start of revenue service. This process helps to ensure the achievement
of the highest practical level of operational safety and security for the riding public, the employees, and
anyone coming into contact with the CHSRP.

The purpose of the SSMP is to define the safety and security activities of the CHSRP and methods for
identifying, evaluating, and resolving potential safety hazards and security vulnerabilities. It establishes
responsibility and accountability for safety and security during the preliminary engineering, final design,
construction, testing, and start-up phases of CHSRP development. Specifically, the SSMP does the
following:

• Establishes the Authority's commitment and philosophy to achieve the highest practical
level of safety and security for the Authority’s staff, Rail Delivery Partner (RDP) staff,
contractors, emergency responders, and members of the public that come into contact
with the CHSRP
• Establishes processes for managing safety and security activities intended to minimize
risk of injury and property damage, and to maximize the safety and security for the
CHSRP passengers, employees, and the public
• Integrates the safety and security functions and activities throughout the CHSRP and
its organizational structure
• Defines the safety and security responsibilities between the Authority and CHSRP
design, construction, and start-up teams
• Defines the process for the documentation and certification of safety and security
activities
• Evaluates project phases and activities to ensure continued development and
advancement of safety and security principles
• Establishes the framework for construction safety and security

1.4 Applicability and Scope of SSMP


The SSMP is applicable to all phases of CHSRP development, from preliminary engineering through final
design, construction, testing and the start of revenue service. The SSMP encompasses all equipment,
infrastructure, operating and maintenance plans and procedures associated with the CHSRP.

1.4.1 Project Description

The CHSRP will construct a state-of-the-art, statewide, high-speed passenger railroad based on operating practices and designs of existing high-speed rail networks in Europe and Asia, which have had extraordinary performance and safety records. The CHSRP will require certification by federal and other regulatory agencies, which have indicated they are open to approaches that provide equivalent or better safety than existing rail regulations in the United States. The Authority's eventual goal is to develop a system of more than 800 route miles that provides high-speed rail service between the major metropolitan centers of the San Francisco Bay Area and Sacramento in the north, through the Central Valley, to Los Angeles, Anaheim, Irvine and San Diego in the south.

The CHSRP trains will operate at speeds up to 220 mph within dedicated or shared-use corridors where the CHSRP has sole use of a track, and up to 110 mph in shared-use conditions where there is joint use of tracks with other rail carriers. No hazardous materials will be transported, or permitted to be transported, on Authority trains or by others on Authority dedicated tracks.

The service will use high-speed steel-wheel on steel-rail technology, which has been service-proven in Asia and Europe and provides a high level of service in terms of safety, comfort, and reliability. The system will operate on mostly dedicated, fully grade-separated standard gage track with electric trains powered through an overhead contact system (OCS). The right-of-way will make use of tunneling and elevated structures to achieve an ideal alignment and profile. Automotive, animal, other railroad and non-railroad equipment crossings will be accomplished by means of an underpass or overpass.

The system will include an Automatic Train Control (ATC) system based on designs for similar high-speed environments in Europe and Asia, modified only where necessary to meet regulatory requirements and functional and performance needs specific to the CHSRP. The ATC system will cover all functions of a train control system, including both safety-critical and non-safety-critical operations, and will incorporate Positive Train Control in compliance with 49 CFR Part 236. A hazard detection system will be applied throughout the CHSRP where supported by hazard analysis to alert the operating control center of natural events such as seismic activity, excessive wind speeds, high water levels, and excessive ambient temperature levels that trigger a system response, and of other events such as vehicle or rail car intrusion and trespassers.
1.4.2 Phased Implementation
Although Preliminary Engineering Phase activities will occur simultaneously for the entire system, the Final
Design and Construction Phase activities will be developed in phases according to geographic segments,
due to the size of the eventual system. The Initial Construction Segment (ICS) has been designated as a
point north of Madera to a point north of Bakersfield. Subsequent segments will extend north and south
from the ICS.
The Initial Operating Segment (IOS) will encompass several construction segments, with high-speed
operations planned between San Jose in the north and a point north of Bakersfield in the south. The SSMP
has been developed with processes that will ensure conformance to system safety goals and requirements
throughout the life-cycle of the CHSRP and while various segments are under different development phases
simultaneously.
1.4.3 SSMP Scope
This SSMP encompasses the following equipment, facilities, plans, and procedures as they relate to the System.

• System-Wide Elements – includes the passenger vehicles, train control and signaling, voice and data communications, closed-circuit television cameras and recorders, overhead contact system, traction power substations, track, and auxiliary vehicles and equipment
• Fixed Facilities – includes rail stations; pedestrian overpasses and underpasses; highway overpasses and underpasses; aerial and other elevated structures; below-grade structures and tunnels; operations and maintenance facilities including storage yards, shops, and sidings; administrative facilities; and the Central Control Facility
• Safety and Security Plans and Procedures – includes items such as the Safety and Security Certification Plan (SSCP), safety and security related Design Criteria, Passenger Train Emergency Preparedness Plan (PTEPP), SSPP, SPP and EMP
• Procedures and Instructions – includes items such as hazard management; operations and maintenance plans, procedures, rulebooks and manuals; and training programs for operating, maintenance and management employees, employee qualifications, contractor training, and emergency responder training
1.5 SSMP Goals and Objectives
1.5.1 Goals
The goals of the SSMP are as follows:

• Ensure that the system initiated into revenue service is safe and secure for
passengers, employees, emergency response personnel, and the general public
through a formal program of safety and security certification
• Ensure that the design, acquisition, construction, fabrication, installation, and testing
of critical elements of CHSRP development will be verified for conformance with the
established safety and security requirements and validated for achieving an effective
level of safety and security
• Ensure that a mechanism is in place for the resolution of any restriction to full safety
and security certification
• Establish a Construction Safety and Security Program that provides appropriate
safeguards against injuries to employees and the public, damage to property and the
environment, as well as minimizes security breaches, during all CHSRP work activities
• Achieve a level of risk that is acceptable to the Authority through a systematic approach
to hazard and threat/vulnerabilities management

1.5.2 Objectives
The SSMP goals will be achieved by meeting the following objectives:
• Identifying, evaluating, resolving, and documenting safety hazards and security
vulnerabilities at the earliest possible phase of CHSRP development, applying the
Prevention through Design principle where possible
• Establishing specific safety and security requirements for the CHSRP based on
applicable safety and security regulations, codes, standards, guidelines, and
recognized best practices both domestically and internationally where applicable
• Certifying that all CHSRP facilities, systems, and equipment have been designed, built,
procured, installed, inspected, and tested in accordance with the safety and security
requirements found in design criteria and specifications
• Implementing CHSRP construction safety and security programs in conformance with
established construction safety and security requirements and complying with the
California Occupational Safety and Health Administration safety regulations for
construction projects
• Establishing a program for the completion of training of personnel who will respond to
emergencies, including CHSRP personnel and emergency responders, on the CHSRP
emergency procedures, equipment, and operations
• Establishing and documenting the qualifications and training programs for all personnel
who will operate and maintain the CHSRP in revenue service
• Conducting and documenting emergency exercises and drills prior to the start of
revenue service
• Documenting safety, security, and emergency rules and procedures for CHSRP
employees, staff, and contractors in the form of rulebooks, standard operating
procedures, emergency operating procedures, and other documents
• Maintaining a process to manage and track open safety and security issues resulting
from design deviations, change orders, and non-conformances from inception through
closure and acceptance
• Documenting final Safety and Security Certification for the CHSRP segment under
consideration by means of a Final Safety and Security Certification Report to the FRA
prior to placing that segment into revenue service
• Ensuring coordination with the Federal Railroad Administration, California Public
Utilities Commission, the Transportation Security Administration, the Office of the State
Fire Marshal, and other external agencies as applicable

1.6 SSMP Review and Updates


The SSMP will be reviewed at least annually, whenever the Program Management Plan or other reference
documents are modified, and following any SSMP audit to ensure the safety and security management
program remains current and applicable. If revised, the SSMP will be re-issued to all SSMP recipients.
The SSMP will be updated to reflect changes in the CHSRP, the Authority’s organizational makeup, or the
safety and security management program requirements. The review and update process will be the
responsibility of the Authority with the oversight and coordination of the Authority’s System Safety Manager.

The Federal Railroad Administration is developing regulations for inter-city passenger rail system safety
programs, to be codified under 49 CFR, Part 270. This SSMP is written to be in conformance with proposed
regulations for 49 CFR, Part 270 and will support the project management requirements of a System Safety
Program Plan.

1.7 SSMP Applicability to Third Parties


The safety and security requirements for third party assets (adjacent infrastructure or operations, shared-
use corridors, utility interfaces, etc.) will be developed following the safety and security management
program of the applicable third party but in conformance to the processes and requirements of this SSMP.
Safety and security certification of third party elements shall conform to the Safety and Security Certification
Program requirements of the third party and Section 7 of this SSMP.

1.8 System Safety Program Plan and System Security Plan


A System Safety Program Plan (SSPP) will be developed prior to the start of revenue operations. The SSPP will comply with all FRA and other applicable regulatory requirements, and will be appropriate in scope and content to manage the transition of the CHSRP safety program from a project to an operating system.

A System Security Program Plan (SPP) will also be developed prior to the start of revenue operations. The SPP will comply with all Department of Homeland Security (DHS) and other applicable regulatory requirements, and will be appropriate in scope and content to manage the transition of the CHSRP security program from a project to an operating system.
2.0 INTEGRATION OF SAFETY AND SECURITY INTO THE CHSRP
DEVELOPMENT PROCESS

2.1 Safety and Security Activities


This section describes the safety and security activities that have been or will be performed during the major phases of the project. A list of the basic activities and the desired milestone goals is presented in Table 2-1. The California High-Speed Rail Program has four phases:

• Preliminary Engineering
• Final Design
• Construction
• Testing and Startup of Revenue Operations

Although Preliminary Engineering Phase activities will occur simultaneously for the entire system, the Final
Design and Construction Phase activities will be developed in phases according to geographic segments,
due to the size of the eventual system. The SSMP has been developed with processes that will ensure
conformance to system safety goals and requirements throughout the life-cycle of the CHSRP and while
various segments are under different development phases simultaneously.

Within each phase of the CHSRP, activities are identified to determine the safety and security-related
certification activities expected to be accomplished at each project milestone. The California High-Speed
Rail Authority will apply a detailed and thorough safety and security certification program. The safety and
security certification program, as described in Section 7.4 of this SSMP, will ensure that the project achieves
all safety and security requirements in design criteria and specifications and that the safety and security
contents of the plans, procedures, and training materials are systematically reviewed and revised as
required.

Leading up to and through the Preliminary Engineering phase of the project, the safety and security
activities encompass the following:

• Develop the SSMP, including a process for achieving safety and security certification,
to meet all FRA requirements for a safety and security management plan in a major
capital project, in conformance with the FTA’s Circular 5800.1 Safety and Security
Management Guidance for Major Capital Projects.
• Develop a list of safety-critical and security-critical elements and items for the CHSRP
Preliminary Hazard Analyses (PHA) and Threat and Vulnerability Assessment (TVA).
• Specify safety and security certification requirements, in conformance with the process
identified in the CHSRP Verification and Validation Management Plan, in contract
documents. Safety and security certification requirements will be part of the scope of
work for the design/build contractors during the Final Design and Construction phases
of the project.
• Implement a hazard and certification tracking system.
• Perform a PHA and a TVA to identify certifiable elements and hazards/vulnerabilities
requiring mitigation. Identify hazard/vulnerability mitigation from the PHA and TVA to
be incorporated into preliminary and final designs. Perform additional analysis as
required.
• Develop design criteria conformance checklists, known as Certifiable Items Lists (CIL).
The tracking system will be an integrated subset of the Verification and Validation
program applied throughout the CHSRP.
Table 2-1 Project Safety and Security Activities Matrix

Task No. | Safety and Security Task | Project Phase activity, in phase order (Prelim. Engr., Final Design, Construction, Testing and Startup)
1 | Develop and update the Safety and Security Management Plan (SSMP) | √ => => =>
2 | Identify Certifiable Elements and Items | √ => => =>
3 | Specify Safety and Security Certification Requirements into Contract Documents | √ => => =>
4 | Implement Certification Tracking System | √ => => =>
5 | Conduct Preliminary Hazard Analysis (PHA) and Threat and Vulnerability Assessment (TVA) and Resolve Unacceptable Hazards and Vulnerabilities | √ => => =>
6 | Develop Design Criteria Conformance Checklists | √ =>
7 | Conduct Independent Safety and Security Audits | √ => =>
8 | Verify Design Criteria Conformance Checklists and Issue Certificates | √ =>
9 | Develop Construction Specification Conformance Checklists | √ =>
10 | Develop Safety-Related Testing Conformance Checklists | √ =>
11 | Verify Specification Conformance Checklists | √ =>
12 | Verify Safety-Related Testing Conformance Checklists | √
13 | Verify Operations and Maintenance Manuals Conformance | √ =>
14 | Complete Contractor Training | √ =>
15 | Complete Rules and Procedures and Issue Certificates | √ =>
16 | Complete Operations Training and Issue Certificates | √
17 | Complete Emergency Services Training | √
18 | Complete Emergency Response Exercises | √
19 | Issue Phase Safety/Security Certificate of Conformance | √
20 | Issue Final Safety/Security Certification Report | √

Note: √ = Task activity initiated; => = Task activity updated

2.2 Procedures and Resources


2.2.1 Procedures
A CHSRP Project Management Plan (PMP) for the system has been prepared. The PMP establishes the
framework for managing and administering all activities related to implementation of the system and
provides guidance for the coordination of activities. The PMP identifies that the RDP is responsible for
developing the basic design requirements of the high-speed rail system, ensuring that common approaches
for the environmental and outreach work are used through the entire alignment, preparing and helping
execute bid and procurement processes for design, construction, maintenance, and operations, and
managing the work of or coordinating with a variety of other consultants to the Authority, notably the
Regional Consultants (RC).

A major component of the PMP is this Safety and Security Management Plan, describing processes for
identifying and managing hazards and vulnerabilities associated with the CHSRP. It is the responsibility of
the Authority to ensure that the management of identified safety hazards and security threats and
vulnerabilities is effective and integrated throughout the design, construction, testing, and startup phases
of the CHSRP.

The verification and validation process will be applied throughout the CHSRP for the purpose of tracking
and verifying that critical elements are incorporated into all project phases. Critical elements include safety-
critical and security-critical elements as identified through the hazard management processes identified in
this SSMP.

2.2.2 Resources

The Chief Executive Officer authorizes the SSMP, ensuring that it is applied throughout the CHSRP. The
Risk Manager administers and oversees the implementation of the SSMP. The Authority will provide
additional safety and security management resources for executing the system safety and security activities
during the Preliminary Engineering phase. Further resources and responsibilities will be identified as the
system progresses into later phases, culminating in startup and commissioning.

The budget and schedule for implementation of the SSMP are revised each year and are held with the Risk
Manager. This assures that the requirements of the SSMP are executed by the Authority, supported by the
RDP, during the Preliminary Engineering phase and in subsequent phases of the project. This includes,
but is not limited to, the performance of safety analyses and security assessments at the appropriate phases
of the project; implementation of a Safety and Security Certification Program beginning at Preliminary
Engineering and continuing through each subsequent phase of the project; a process to ensure that safety
issues and security concerns are addressed and tracked to resolution; and construction safety oversight
activities as appropriate to the Construction phases and contracts under way at the time.

2.3 Interfacing with Management


The California High-Speed Rail Authority Chief Executive Officer, through the Authority Director of Risk
Management, has the ultimate decision-making authority for safety and security issues and is responsible
for communication of safety and security issues to the Authority Board of Directors. The Authority Director
of Risk Management will oversee the overall implementation of the safety and security program and will
report the progress and challenges in its implementation to the Safety and Security Program Committee.
The Safety and Security Program Committee will communicate the safety and security issues to the
Authority executive management through reports to the Safety and Security Executive Committee.

Successful implementation of the SSMP will also require significant interaction between various members
of the Authority, the Rail Delivery Partner, Contractors, Regional Consultants, Engineering/Construction
Managers, and Emergency Response Agencies. These interactions will occur during regularly scheduled
meetings of the Safety and Security Program Committee (SSPC) and Safety and Security Executive
Committee (SSEC) that focus on the safety and security aspects of the system.
3.0 SAFETY AND SECURITY RESPONSIBILITIES

3.1 Roles and Responsibilities


The California High-Speed Rail Authority (Authority) is responsible for developing a high-speed train system
in California in a safe and secure manner, ensuring that all trains, facilities, systems and operational
processes are designed, constructed, and implemented in a manner that promotes the safety and security
of persons and property. The Authority has the ultimate authority and responsibility for the implementation
of the Safety and Security Management Plan (SSMP) for this system. The Authority is tasked to prepare a
plan and design for the system, conduct environmental studies and obtain necessary permits, and
undertake the construction and operation of a high-speed train passenger network in California.
The Authority Safety and Security Manager, under the direction of the Authority Director of Risk
Management, administers and oversees the implementation and activities of the Safety and Security
Program. See Risk, Safety and Security Organizational Chart in Appendix A. The Authority’s primary
vehicle for oversight of the safety and security activities is a tiered organization of safety and security
committees (explained in detail in Section 3.3).
The Federal Railroad Administration (FRA) is the lead agency for the Federal Environmental Impact
Statement. The FRA is also the primary regulatory agency responsible for approving and certifying the
system safety and security aspects of the CHSRP. At the state level, the California Office of the State Fire
Marshal has regulatory authority over the fire and life safety aspects of the occupied structures, including
right-of-way access/egress facilities.
The Authority has contracted with WSP | Parsons Brinckerhoff (PB) as the Rail Delivery Partner (RDP),
and five Regional Consultant (RC) teams to conduct the preliminary engineering on specific segments of
the line and provide overall Program Management for the CHSRP.
The RDP is responsible for the management of the preliminary design of the high-speed train system,
including ensuring that system safety and security is applied consistently and effectively for the entire
CHSRP alignment and across all phases of the project.

The RDP Safety and Security Managers will support the Authority Safety and Security Manager in the
application of safety and security in all aspects and phases of the project coordinating with the Program
Deputy Directors, Discipline Managers, and Regional Managers. This support will ensure that other
individual project staff members perform in accordance with the SSMP in establishing and overseeing the
safety and security management tasks. The RDP’s primary vehicle for input to and support of the safety
and security activities is the Safety and Security Program Committee (explained in detail in Section 3.3.2).
Staff members assigned to the CHSRP by the Authority, RDP, contractors, consultants, emergency
response agencies, FRA and CPUC are responsible for ensuring that the design, construction, installation,
and testing of all safety-critical and security-critical system elements of the system are evaluated for
conformance with the safety and security requirements and verified for operational readiness before
completing each phase of the project.
Refer to Figure 3-1 for the CHSRP organizational chart for safety and security activities. This SSMP shall
be updated to reflect any significant changes in the organizational structure or definition of responsibilities
with respect to safety and security in the CHSRP.
Figure 3-1 CHSRP Organization for Safety and Security Activities

3.2 Authority Organization


The Authority has a nine-member policy board and a core staff, supported by contract with private
consulting firms (the RDP, Regional Consultants and other specialty firms) to carry out the project's system
safety and security programs, environmental studies, project planning and engineering work under the
supervision and guidance of Authority staff. The Authority’s Director of Risk Management is responsible
for safety and security activities, reporting directly to the Chief Executive Officer.

The project organization will remain in place throughout the CHSRP development process; however, the
composition of the project organization may be revised to respond appropriately to the changing project
needs as the project proceeds from the preliminary engineering phase through to the start of
revenue service. The Authority project organization during the initial project phases comprises the Authority
and RDP staff supplemented by Regional Consultant staff. In each phase, the Authority will use the
assistance of the RDP to manage project-related activities, as well as further assistance from professional
engineering and other project management consulting firms.

The current California High-Speed Rail Authority organization is shown in Appendix A.

3.2.1 Authority Chief Executive Officer


The Authority Chief Executive Officer oversees and directs the management of all Authority staff and the
Rail Delivery Partner. The day-to-day management of the development activities for the California High-
Speed Rail Program is the functional responsibility of the Authority Program Director under the direction of
the Authority Chief Executive Officer. The Authority Chief Executive Officer ensures that Authority
resources are allocated to meet the SSMP goals and objectives, and is ultimately responsible for execution
of the Safety and Security Management Plan through the Authority Director of Risk Management and the
Authority Safety and Security Manager. The Authority Chief Executive Officer chairs the SSEC and reports
to the Authority Board of Directors.

3.2.2 Authority Director of Risk Management

The Authority Director of Risk Management reports directly to the Authority Chief Executive Officer and is
responsible for identifying, managing and tracking risks and risk mitigation/contingencies, and all
responsibilities related to safety and security management on the project. His duties also include
maintaining the risk management tool and documentation information, leading risk identification sessions
for the project, monitoring prime contractor risk management efforts, and participating in risk management
activities for risks that cross project boundaries or are beyond the project’s control. He chairs the SSPC
and directs active management of all safety and security efforts for the project and reports activities from
the SSPC to the SSEC.
3.2.3 Authority Safety and Security Manager

The Authority Safety and Security Manager is responsible for the management of all safety and security
activities associated with the development and implementation of the CHSRP. The Authority Safety and
Security Manager is a member of the SSPC, SSEC and SSWG, and advises the Authority on policy
decisions with regard to safety and security. The Authority Safety and Security Manager reports directly to
the Authority Director of Risk Management and coordinates safety activities with the RDP Safety and
Security Managers.

The Authority Safety and Security Manager has the authority and responsibility for, but is not limited to the
following:

• Ensuring that the SSMP requirements and processes are being implemented and that
SSMP goals and objectives are being achieved
• Oversight of the RDP safety and security activities
• Developing corrective action plans (CAPs) that result from accident/incident
investigations, hazard analyses, certification of Certifiable Items List (CIL), and safety
and security reviews and audits; and tracking corrective actions through closeout to
ensure that all identified deficiencies are adequately mitigated or controlled
• Providing oversight for the Contractors’ job site safety programs
• Reviewing and supporting Authority decisions on Contractors’ safety submittals
• Investigating accidents and incidents on behalf of the Authority
• Reporting unacceptable hazardous conditions to executive management as soon as
possible
• Fulfilling the role of Chair for the Fire and Life-Safety and Security Statewide Committees

3.3 Rail Delivery Partner Organization


The Authority has engaged a Rail Delivery Partner (RDP) to assist with the management of the delivery of
the California High-Speed Rail System. As an integrated member of the Authority’s staff the RDP provides
technical expertise, advice and support to the Authority with regards to safety and security.
3.3.1 RDP System Safety Manager

The RDP System Safety Manager will support the Authority Safety and Security Manager in the
implementation and completion of all safety activities associated with the development of the CHSRP. The
RDP System Safety Manager will coordinate safety activities within the RDP and sits on the SSWG, SSPC,
SSEC, and Fire and Life-Safety and Security Committees as requested. The RDP System Safety
Manager’s role on the Committees is to ensure that safety is not compromised by other priorities of the
design and construction teams.
The RDP System Safety Manager has the responsibility for, but is not limited to, the following:

• Performing hazard management of CHSRP elements and design criteria to determine
any potential hazards that may be created by system development, expansion or
modification, and supporting the development of mitigating and controlling factors to
address such hazards
• Participating in the project design reviews, including overseeing and administering
formal safety and security certification programs
• Working with RDP engineering, operations and maintenance staff to ensure that the
system is being designed to safety and security criteria
• Fulfilling the role of Coordinator for the SSPC, the SSWG, and the Fire and Life-Safety and
Security Statewide and Regional Committees
• Supporting Authority outreach efforts to local, regional and State emergency response
agencies
• Performing other safety-related activities as requested by the Authority

3.3.2 RDP System Security Manager


The RDP System Security Manager will support the Authority Safety and Security Manager in the
implementation and completion of all security activities associated with the development of the CHSRP.
The RDP System Security Manager will coordinate security activities within the RDP and sit on the SSPC,
SSWG, SSEC, and Fire and Life-Safety and Security Committees as requested. The RDP Security
Manager’s role on the Committees is to ensure that security requirements are not compromised by other
priorities of the design and construction teams.

The RDP System Security Manager has the responsibility for, but is not limited to, the following:

• Performing threat and vulnerability assessments of CHSRP operating environments
and design criteria to determine any potential vulnerabilities that may be created by
system development, expansion or modification, and supporting the development of
mitigating and controlling factors to address such vulnerabilities
• Participating in the project design reviews, including overseeing and administering
formal safety and security certification programs
• Working with RDP engineering, operations and maintenance staff to ensure that the
system is being designed to safety and security criteria
• Fulfilling the role of Coordinator for the SSEC
• Supporting Authority outreach efforts to local, regional and State emergency response
agencies and law enforcement agencies
• Performing other security-related activities as requested by the Authority

3.3.3 RDP Construction Safety Officer


The RDP Construction Safety Officer will support the Authority Construction Manager and Safety and
Security Manager in the implementation and completion of all safety activities associated with the
construction of the CHSRP.

The RDP Construction Safety Officer has the responsibility for, but is not limited to, the following:

• Oversight of the Project Construction Management (PCM) teams for safety and
security activities
• Field audits and inspections of construction activities on behalf of the Authority
• Accident investigation and follow-up
• Development of field safety rules and procedures for Authority and RDP staff
• Training to support Authority and RDP field safety rules and procedures
• Safety Management System data collection, analysis, and documentation

3.3.4 Other RDP Managers


The managers of the following disciplines will be responsible for implementing the SSMP requirements and
process in their respective areas, participating in the SSPC and for supporting the Authority Safety and
Security Manager as required:

• Engineering, including Infrastructure and Systems
• Operation and Maintenance
• Rolling Stock
• Integration and Regulatory Approvals
• Project Risk
• Contracts and Procurement
• Verification and Validation

3.4 Contract/Procurement Safety and Security


The complexity of the CHSRP necessitates varied approaches to design and construction for Project
elements such as infrastructure, rolling stock, track, and systems. All procurements for project elements,
regardless of the procurement type, will contain safety and security requirements that support the safety
and security program of the HSR. All contractors will be required to manage their programs consistent with
the hazard management approach and certification contained within the Authority’s SSMP and other safety
and security requirements, such as the Design Criteria Manual Chapter 32.

3.5 Committee Structure


Chapter 2 of the PMP describes the function of various project committees. In addition, safety and security
committees listed below will be established to facilitate review of issues and to provide a forum for
discussion and resolution.
3.5.1 Safety and Security Executive Committee

The Safety and Security Executive Committee (SSEC) and its members will ensure that the CHSRP is
designed, built, and implemented in a safe and secure manner. The SSEC will address safety and security
issues that are Authority policy considerations, require Authority approval, require Authority direction for
resolution of a dispute, or constitute final acceptance of safety and security certification.

The duties and responsibilities of the SSEC are as follows:

• Provide guidance to and approval of policy decisions with respect to safety and security
• Provide a forum for safety and security discussions among Authority Executive
Management, discipline leads, and RDP Management
• Authorize the establishment of the SSPC
• Review and approve regular reports of safety and security activities from the SSPC
• Resolve safety and security issues that cannot be resolved at the SSPC level
• Review and accept a final Safety and Security Certification Report prior to the startup
of revenue operations

The SSEC comprises the following persons:

• Chief Executive Officer (Chair)
• Director of Risk Management and Project Controls (Vice-Chair)
• Regional Directors (Northern California, Central Valley, Southern California)
• Chief Program Manager, Rail Operations and Maintenance
• Chief Counsel
• Chief Engineer
• Program Director, Program Delivery
• Chief Administrative Officer
• Safety & Security Risk Manager (advisory role)
• System Safety Manager (advisory role)
• System Security Manager (Committee Coordinator - advisory role)
• Construction Safety and Security Manager (advisory role)


The Chairperson of the SSEC is the Chief Executive Officer or a designated Authority executive
management representative. If a designated member of the SSEC is unable to attend a SSEC meeting,
they must assign an appropriate representative.

The SSEC Charter, Technical Memorandum 500.02, can be found in Appendix C of this SSMP.

3.5.2 Safety and Security Program Committee


Working at the project delivery level, the Safety and Security Program Committee (SSPC) will ensure that
the CHSRP is designed, built, and implemented in a safe and secure manner. The SSPC will achieve this
goal by providing oversight of the application of the SSMP through all phases of the CHSRP development
and by acting as a conduit for informing and assuring Authority executive management (through the SSEC)
of safety and security issues affecting the project.

The SSPC will address safety and security issues which are directed to it by the SSEC, require project
delivery level resolution, require elevation to the SSEC for Authority direction for resolution, or constitute
preliminary review and SONO of Safety and Security Certification.

The duties and responsibilities of the SSPC are as follows:

• Approve the initial version of the SSMP and subsequent updates
• Oversee the application of the SSMP through all CHSRP development phases
• Track identified hazards or vulnerabilities listed on the programmatic Certifiable
Items List
• Provide regular reports of safety and security activities to the SSEC
• Forward to the SSEC for resolution any safety and security issues that cannot be
resolved at the SSPC level
• Review Safety and Security Certification Packages and a Final Certification
Verification Report for each project phase
• Forward a final Safety and Security Certification Report to SSEC for Authority
acceptance at the completion of significant project milestones or phases and prior to
the startup of revenue service
• Provide a forum for safety and security discussions among Authority/RDP staff
members and a conduit for safety and security issues requiring policy decisions to the
Authority’s Executive management through the SSEC

The SSPC is made up of the following persons:

• Director of Risk Management and Project Controls (Chair)
• Safety and Security Risk Manager (Vice-Chair)
• System Safety Manager (Committee Coordinator)
• System Security Manager
• Construction Safety and Security Manager
• Director of Operations and Maintenance
• Deputy Director Operations & Maintenance
• Director of Engineering
• Director of Construction Support
• Director of Network Integration
• Rail Systems Manager
• Rolling Stock Manager
• Deputy Regional Directors (Northern California, Central Valley, Southern California)
• Director of Environmental Services
• Director of Real Property

If a designated member of the SSPC is unable to attend a SSPC meeting, they must assign an appropriate
representative.

The SSPC Charter, Technical Memorandum 500.03, can be found in Appendix D of this SSMP.

3.5.3 Safety and Security Working Group (SSWG)


The Safety and Security Working Group (SSWG) is the technical group created to assist in application of
hazard assessment methodology, evaluation of safety and security design criteria and other technical safety
and security requirements. The group consists of safety and security, operations and project delivery staff.
Technical safety and security issues are evaluated within the group prior to being forwarded to the SSPC
and SSEC.

3.5.4 Fire and Life Safety and Security Committees (FLSSC)


The Fire and Life Safety and Security Committees (FLSSC) will be composed of representatives from fire,
police and local building code agencies assigned to two levels of standing committees: a Statewide FLSSC
and several regional FLSSC working on a local level. The CHSRP formed the FLSSC during the
Preliminary Engineering phase of the project. The purpose of the FLSSC is to provide outreach to local
and regional emergency response agencies for issues that are critical to fire and life safety and security, to
acquire input and concurrence from the state and local authorities having jurisdiction over the proposed
designs to meet code requirements, and to ensure compliance with state and local fire code standards or
fire/life safety hazard mitigation measures during the design phase. As the project moves into the Testing
and Startup Phase the FLSSC will review operating plans and procedures, results of after-action reviews
following major emergency response incidents or exercises, and training programs for content
appropriateness and effectiveness.

The Statewide FLSSC will focus on systemic, high-level, fire/life safety and security issues, including federal
and state codes or requirements impacting the regional efforts. A goal of the Statewide FLSSC is to obtain
concurrence from Federal and State authorities with respect to fire and life safety and security concerns.
The Statewide FLSSC will include a representative from each regional FLSSC as well as representatives
from Federal and State agencies such as the California Office of the State Fire Marshal, California Highway
Patrol, California Office of Emergency Services, CPUC, FRA, and DHS. The Statewide FLSSC will be
chaired by the System Safety Manager. Meetings will be held regularly in Sacramento with agendas,
minutes, and other support materials supplied by the committee chair. Minutes and action items from the
meetings will be conveyed to the regional FLSSCs and to the Safety and Security Program Committee for
their consideration.

Regional FLSSCs will focus on the CHSRP characteristics specific to their corridor segments (type/length
of underground and elevated structures, access methods, terminals, etc.) to provide input with respect to
local building codes or requirements that are in line with the emergency response characteristics and
capabilities of the local agencies. A goal of the regional FLSSC is to obtain concurrence from local
authorities with respect to the proposed designs and the code requirements of the State and Federal
authorities having jurisdiction. The regional FLSSC will be composed of appropriate representatives (e.g.,
Fire Marshal, Police Chief) from local emergency response agencies (fire, police, EMT) and will be chaired
by the System Safety and Security Managers or designees. Meetings will be held regularly at a location
local to the regional corridor, with agendas, minutes, and other support materials supplied by the committee
co-chairs. Minutes and action items from the meetings will be conveyed to the system FLSSC and to the
Safety and Security Program Committee for their consideration. One representative from each regional
FLSSC will be asked to participate in the system FLSSC. Consistent membership is critical to success.
Each regional representative must be the same representative attending to System FLSSC matters and
reporting results to their specific Regional Committee.

The FLSSC Charter, Technical Memorandum 500.04, can be found in Appendix E of this SSMP.

3.5.5 Change Control


There are two committees devoted to change control at CHSRA. The first committee, the Change Control
Committee (CCC) manages scope, costs and schedule. Another committee or process is being developed
to ensure technical changes are tracked and managed.

3.5.6 Rail Activation Committee (RAC)


During construction, a multi-disciplinary rail activation committee will be formed to ensure all elements for
rail activation are being managed, including meeting FRA regulatory requirements, safety and security
certification and other program requirements. This committee will coordinate planning and process
development efforts for the operational testing of the system and eventual startup of revenue service.

3.5.7 System Integration Testing Committee (SITC)


Typically a System Integration Testing Committee (SITC) will coordinate the development of an integrated
testing program as a sub-committee to the RAC. If required, the SITC will plan for the effective and efficient
testing of subsystems, and then the overall system, including ensuring that as testing progresses
mitigations are taken to ensure the safety of the tests. The maturity of the various subsystems will be taken
into account prior to full development and assurance that the systems are proven safe. The SITC will be
multi-disciplinary in scope and will be established during the latter stages of the Construction Phase.

3.6 Safety and Security Responsibilities Matrix


The requirements, authority, and activities for safety and security will be integrated into the overall project
management. At each stage of project advancement, there will be a process in place to ensure that the
appropriate parties are aware of their safety and security responsibility associated with the project activity.
The Safety and Security Responsibility Matrix (Table 3-1) lists the activities to be performed and assigns
the responsibilities from the Preliminary Engineering phase through system Start-up phase.

Table 3-1 Safety and Security Responsibilities Matrix

Columns within each project phase, in order: SS PC EC CM CN

Key Safety and Security Program Elements | Preliminary Engineering | Final Design | Construction | Testing and Startup
System Requirements | P O A - - | - - - - - | - - - - - | - - - - -
Programmatic Hazard Analysis | P O A - - | - - - - - | - - - - - | - - - - -
Site-Specific Hazard Analysis | P O A - - | S - - O P | S - - O P | S - - O P
Design Variance Requests / Analysis | - - - - - | S - - O P | S - - O P | S - - O P
Risk Acceptance | P O A - - | P O A - - | P O A - - | P O A - -
Design Criteria | P O - - - | P O - - - | P O - - - | P O - - -
Certifiable Items Lists (CIL) | P - - - - | S - - O P | S - - O P | S - - O P
Safety and Security Certification Reports including CIL | - - - - - | - - - O P | - - - O P | - - - O P
SONO of Safety and Security Certification Reports | - - - - - | O P - S S | O P - S S | O P - S S
Certification of Safety and Security of Project Phase | - - - - - | P S A - - | P S A - - | P S A - -

P = Primary S = Supporting A = Approval O = Oversight/Audit


4.0 HAZARD MANAGEMENT

4.1 Overview
A hazard is an intentional or unintentional condition or circumstance that has the potential to cause injury,
illness, death, damage or loss of equipment or property, or severe environmental damage. Safety hazards
(unintentional) or security hazards (intentional) both require management to identify and reduce the risk to
the Authority.

A risk assessment process for the management of safety and security hazards will be used for the CHSRP.
The purpose of the process is as follows:

• Identify and evaluate the effects of hazardous conditions on passengers, CHSRP
personnel, CHSRP infrastructure and equipment in order to apply mitigation measures
that allow the Authority to achieve an acceptable level of risk.
• Define and evaluate mitigation measures to eliminate or control the identified safety
and security hazards.
• Document the development and incorporation of safety and security measures on a
Certifiable Items List (CIL) during System development and implementation,
demonstrating how an acceptable level of safety and security is to be achieved.

The development of the safety hazard analyses and security risk assessments will be coordinated with the
appropriate engineering disciplines for the identification of applicable hazards and recommended control
measures. Supporting documentation will be submitted to the SSPC for review. The SSPC will elevate the
reports to the Authority, through the SSEC, as appropriate to the processes described in Section 3.4.

Hazard management processes will be applied to the development of the System throughout the entire
System life cycle. As the System enters Final Design, the design/build contractors will review and update
the CIL for the geographic section under consideration, and work with the Authority to perform or support
other analyses as warranted by local or site-specific conditions or designs. Any deviations to the Design
Criteria will follow the procedures outlined in Section 5.4. Other hazards may be identified during the normal
course of work on the development of the CHSRP, including such activities as design reviews, construction
inspection and testing, and start-up and integrated testing. Additional hazards or vulnerabilities identified
during these activities will also require a hazard analysis or vulnerability assessment to be performed.

The SSPC will be responsible for reviewing and approving all hazard analyses and vulnerability
assessments to ensure that significant safety hazards and security threats and vulnerabilities are identified
and that the proposed countermeasures adequately resolve the issues. The SSPC will monitor the status
of the identified hazards and vulnerabilities from initial identification through final resolution and closure.
Sensitive security issues will be tracked on a separate log per the CHSRP SSI Program.

4.2 Risk-Based Safety Hazard Management

Risk-based safety hazard management addresses hazards to the system based upon the amount of risk,
both the severity and frequency, posed by the hazard. Hazards that represent higher levels of risk will
receive higher levels of resources and analysis.

The risk-based hazard management process is the overall iterative process that comprises:

• System definition
• Hazard identification
• Risk analysis
• Accepting residual risk after the application of measures of mitigation
• Verification and validation of implemented hazard management elements

Risk-based hazard management shall be the responsibility of the Authority or its designated representative,
but subject to review by an Independent Safety Assessment body (ISA). Risk-based hazard management
will begin at the system level and flow-down to sub-system or site-specific levels as appropriate to capture
relevant information and sufficient detail to provide appropriate input to the hazard analysis process.

4.2.1 Application of Risk-Based Hazard Management - Common Safety Method

Risk-based hazard management shall be applied to a new system or sub-system and to significant safety-
related technical, operational, or organizational changes to the CHSRP using a process called Common
Safety Method (CSM). The CSM applied to the CHSRP is based upon the process identified in the
European Commission Regulation No. 352/2009 and described in the UK Office of Rail Regulation’s (ORR)
Guidance on the Application of the Common Safety Method (CSM) on Risk Evaluation and Assessment,
December 2012. The main phases of the CSM process are illustrated in Figure 4-1. Note that the
significant change referenced in Figure 4-1 also implies application to new systems or sub-systems.

Figure 4-1 The Common Safety Method Process

To determine the significance of a new system, sub-system, or change, the following six criteria should be
examined:
• Failure consequence: most reasonable credible mishap scenario in the event of failure
of the system under assessment, taking into account the existence of safety barriers
outside the system
• Novelty used in implementing the change: this concerns both what is innovative in the
railway sector, and what is new just for the organization implementing the change
• Complexity of the change
• Monitoring: the inability to monitor the implemented change throughout the system
life-cycle and take appropriate interventions
• Reversibility: the inability to revert to the system before the change
• Additionally: assessment of the significance of the change taking into account all
recent safety-related modifications to the system under assessment and which were
not judged as significant
Guidance on determining significance can be found in SSMP Appendix G ORR Guidance on the Application
of the CSM, Annex 1, December 2012.
Technical changes are changes to structural and functional railway sub-systems. Technical changes
should also be reviewed to determine whether they introduce changes to the operation of the railway
sub-system under consideration.
Examples of operational changes include the following:
• Changes to the operation of the CHSRP as a whole
• Changes to the operation of a structural CHSRP sub-system
• Changes to the operating rules of the CHSRP
Changes to the operation of a CHSRP sub-system may be caused by technical changes to that sub-system.
In this case, the technical change and its effect on the operation of the CHSRP sub-system, and any
changes to the operation or operating rules of the CHSRP, should be assessed together. For example, a
change in the wayside signaling may result in increased line capacity. The technical change (new wayside
signals) should be assessed together with the operational change (added trains to the line). However,
changes to the operation or operating rules of the CHSRP can be introduced without a related technical
change. The CSM should be used to assess whether these safety-related changes are significant or not. If
they are significant, the CSM should be applied to these changes.
Technical changes to a sub-system can also introduce changes to the operating rules of the railway system.
Changes to the operating rules of the CHSRP should be considered together with the technical change,
the change to the operation of the affected CHSRP sub-system, and any change to the operation of the
CHSRP as a whole.
Organizational changes are changes to the organization of an actor or entity within the CHSRP which could
impact on the safety of the CHSRP. The “actor” could be any organization (Authority, contractor,
sub-contractor, etc.) that directly affects the safety of the CHSRP. Guidance on organizational changes can be
found in SSMP Appendix G ORR Guidance on the Application of the CSM, Annex 4, December 2012.
4.2.2 System Definition

The CSM process starts with the system definition. This provides the key details of the new system or the
system that is being changed - its purpose, functions, interfaces and the existing safety measures that apply
to it. In most cases, the hazards which need to be analyzed will exist at the boundary of the system with its
environment. The definition is not static and during iterations of the risk management process, it should be
reviewed and updated with the additional safety requirements that are identified by the risk analysis. It,
therefore, describes the condition (or expected condition) of the system before the change, during the
change, and after the change.

The system definition shall address at least the following issues:

• System objective (e.g., intended purpose)
• System functions and elements, where relevant (e.g., human, technical and
operational elements)
• System boundary including other interacting systems
• Physical (i.e., interacting systems) and functional (i.e., functional input and output)
interfaces
• System environment (e.g., energy and thermal flow, shocks, vibrations,
electromagnetic interference, operational use)
• Existing mitigation measures and definition of the safety requirements identified by the
hazard risk assessment process
• Assumptions that shall determine the limits for the hazard risk assessment

The system definition needs to cover not only normal mode of operations but also degraded or emergency
mode.

Consideration of interfaces should not be restricted to physical parameters, such as interfaces between
wheel and rail. It should include human interfaces, for example the user-machine interface between the
locomotive engineer and displays in the cabs of rail vehicles. It should also include interfaces with non-
railway installations and organizations, for example, the interface with underground utilities.

Operational procedures and rules, and staff competence should be considered as part of the system
environment in addition to the more usual issues such as weather, electromagnetic interference, local
conditions such as lighting levels, etc. The system definition is complete and sufficient if it describes the
system elements, boundaries and interfaces, as well as what the system does.

The description can effectively serve as a model of the system and should cover structural issues (how the
system is constructed or made up) and operational issues (what it does, and how it behaves normally and
in failure modes). The existing safety measures, which may change as the risk assessment process
progresses, can be added after the structural and operational parts of the model are complete.

The Hazard Assessor may not know all the environmental or operational conditions in which the altered or
new system will operate. In these circumstances, they should make assumptions on the basis of the
intended or most likely environment. These assumptions will determine the initial limits of use of the system
and should be recorded. When the system is put into use, the Hazard Assessor (who may be different to
the original proposer) should review the assumptions and analyze any differences with the intended
environmental and operational conditions.
4.2.3 Hazard Identification and Classification
The Authority shall systematically identify, using wide-ranging expertise from a competent team, all
reasonably foreseeable hazards for the whole system under assessment, its functions where appropriate,
and its interfaces. Scope of hazards shall be limited to those hazards that directly or indirectly affect the
safety of passengers, employees, rolling stock, and facilities of the CHSRP. All identified hazards shall be
registered in the CIL.

The purpose of the hazard identification is to identify all reasonably foreseeable hazards which are then
analyzed further in the next steps.

The hazard identification should be systematic and structured, which means taking into account factors
such as the following:

• The boundary of the system and its interactions with the environment
• The system’s modes of operation (i.e., normal/degraded/emergency)
• The system life cycle including maintenance
• The circumstances of operation (e.g., proximity to freight-only line, tunnel, bridge, etc.)
• Human factors
• Environmental conditions
• Relevant and foreseeable system failure modes

Relevant tools for hazard identification include structured brainstorming, checklists, task analysis,
operations analysis, preliminary hazard analysis, and failure modes and effects analysis. Whichever
technique is used, it is important to have the right mixture of experience and competence while maintaining
impartiality and objectivity. Correct hazard identification will underpin the whole risk assessment process
and give assurance that the risks will be managed in the project.

Preliminary Hazard Analysis (PHA) shall be performed in order to identify an initial risk index for hazard
classification and to form a basis for risk acceptance. Development of the PHA involves identifying the
severity of consequence and frequency of occurrence before the application of mitigation measures, using
the risk estimation process and risk acceptance criteria identified in Section 4.2.5.

Development of the PHA will allow classification of the hazard as broadly acceptable or not. Based on
expert judgment, hazards associated with a broadly acceptable risk need not be analyzed further but shall
be registered in the CIL. In this context, ‘broadly acceptable’ applies to those hazards where the risk is
essentially insignificant or negligible. Their acceptable classification shall be justified in order to allow
acceptance by the Authority.

The level of detail of the hazard identification depends on the system that is being assessed and needs to
be sufficient to ensure that relevant safety measures can be identified. If it can be successfully
demonstrated that a hazard can be controlled by application of one of the three risk assessment principles
identified in the CSM, following high-level hazard identification, then no further hazard identification is
necessary. If it is not possible to have sufficient confidence at this stage, then further analysis of the causes
of these high level hazards is undertaken to identify relevant measures to control the risks arising. The risk
assessment process continues until it can be shown that the overall system risk is controlled by one or
more of the risk assessment principles.

Hazard identification is still necessary for those systems/sub-systems/changes where the hazards are
controlled by the application of codes of practice or by comparison to reference systems. Hazard
identification in these cases will serve to check that all the identified hazards are being controlled by relevant
codes of practice or by adopting the safety measures for an appropriate in-use system. This will also
support mutual recognition and transparency. The hazard identification can then be limited to verification
of the relevance of the codes of practice or reference systems, if these completely control the hazards, and
identification of any deviations from them. If there are no deviations, the hazard identification may be
considered complete.

During the hazard identification, mitigation measures may be identified as well. Potential mitigation
measures shall be registered in the CIL.

The hazard identification only needs to be carried out at a level of detail necessary to identify frequency
and severity of the hazard, plus potential mitigations. Development of sub-system analysis may be
necessary until a sufficient level of detail is reached for the identification of hazards.

4.2.4 Risk Analysis

The risk acceptability of the system under analysis shall be established by following this hierarchy of CSM
Risk Acceptance Principles:

1. The application of codes of practice (Section 4.2.4.1)
2. A comparison with reference systems (Section 4.2.4.2)
3. Explicit risk estimation (Section 4.2.4.3)

More than one of these risk acceptance principles may be applied in concert. The Hazard Assessor shall
demonstrate in the risk evaluation that the selected risk acceptance principle is adequately applied. The
Hazard Assessor shall also ensure that the selected risk acceptance principles are used consistently. The
Authority is ultimately responsible for approving the risk evaluation efforts of the Hazard Assessor and
accepting the residual risk associated with the identified hazard or vulnerability.
Whenever a code of practice or a reference system is used to control the risk, the hazard identification must
also include the following:
• The verification of the relevance of the code of practices or of the reference system
• The identification of the deviations from the code of practices or from the reference
system

The application of CSM Risk Acceptance Principles shall identify possible mitigation measures that make
the risk(s) of the system under assessment acceptable. Among these mitigation measures, the ones
selected to control the risk(s) shall become the safety requirements to be fulfilled by the system.
Compliance with these safety requirements shall be demonstrated in accordance with the Verification and
Validation and Safety and Security Certification Program requirements identified in Chapter 7 of this SSMP.
Mitigation measures shall be applied in accordance with the Prevention through Design principle as detailed
in Section 5.1. The Prevention through Design principle includes the following elements in order of
precedence:
1. Avoidance
2. Elimination
3. Substitution
4. Engineering Controls
5. Warnings
6. Administrative Controls such as Operations and Maintenance Procedures
7. Personal Protective Equipment and Guards
Unacceptable risk will be reduced to an acceptable level before design acceptance. Undesirable risk must
be reduced where reasonably practicable, and an Authority decision is required to accept the residual risk
of the hazard or dispose of the system. The hazards will be reviewed by the SSPC, with recommendation
made to the SSEC for decision. Acceptance of the level of risk or disposal of the system will be provided
by the Authority through the SSEC. Tolerable risk can be tolerated and accepted with adequate controls,
although risk-reducing mitigations must be applied where reasonably practicable. The iterative risk
assessment process can be considered as completed when it is demonstrated that all safety requirements
are fulfilled and no additional reasonably foreseeable hazards have to be considered.
As a criterion, risks resulting from hazards may be classified as acceptable when the risk is so small that it
is not reasonable to implement any additional safety measure. The expert judgment shall take into account
that the contribution of all the broadly acceptable risks does not exceed a defined proportion of the overall
risk.

Individual hazards can be closed out by the application of one of the three principles, but it is likely that for
most major projects a combination of the three principles will be used. Any risk assessment conducted
under the CSM should always be proportionate to the extent of the risk being assessed. The CSM has
been introduced to ensure that levels of safety are maintained or improved when and where necessary and
reasonably practicable. Applying one or more of the three risk acceptance principles correctly for all
identified hazards means that the risk has been reduced to an acceptable level. No further evidence is
required to show that the residual risk is acceptable.
4.2.4.1 Application of Codes of Practice
The Authority shall analyze whether one or several hazards are appropriately covered by the application of
relevant codes of practice.

The codes of practice shall satisfy at least the following requirements:

• Be widely acknowledged in the passenger rail industry. If this is not the case, the
codes of practice will have to be justified and be acceptable to the Authority.
• Be relevant for the control of the considered hazards in the system under assessment.
• Be publicly available.
If one or more hazards are controlled by codes of practice fulfilling the requirements of points above, then
the risks associated with these hazards shall be considered as acceptable. This means that these risks
need not be analyzed further, however the use of the codes of practice shall be registered in the CIL as
safety requirements for the relevant hazards.

The PHA form developed during the hazard identification phase shall be completed with the term
“acceptable” in the Resolution column. It will not be necessary to identify a final risk index.

Standards and rules that are widely accepted in the passenger rail sector include the following:

• Federal Railroad Administration regulations found in 49 CFR, Parts 200-299
• Federal Transit Administration regulations
• AREMA Standards for track
• California Public Utilities Commission General Orders
• TSIs or other mandatory European standards and norms
• Standards issued by the American National Standards Institute (ANSI)

This list is not exhaustive. It is also possible to use standards or codes of practice from other sectors (for
example aviation, maritime, etc.) but these have to be justified and be acceptable to the ISA.

Deviations from codes of practice are possible where the Hazard Assessor can demonstrate that at least
the same level of safety will be achieved. Mandatory standards such as FRA regulations often include a
process for deviating from them. Most non-mandatory standards do not have a process for deviating from
them. If one or more conditions of the code of practice are not fulfilled, the Hazard Assessor may have to
conduct explicit risk estimation on those hazards where the code of practice is not relevant for the control
of the hazards in the system under assessment. Alternatively, other codes of practice or reference systems
could be used. Where an alternative approach is not fully compliant with a code of practice, the Hazard
Assessor shall demonstrate that the alternative approach taken leads to at least the same level of safety.

If the risk for a particular hazard cannot be made acceptable by the application of codes of practice,
additional mitigation measures shall be identified applying one of the two other risk acceptance principles.

When all hazards are controlled by codes of practice, the hazard management process may be limited to
the following:

• The hazard identification and classification in accordance with Section 4.2.3
• The registration of the use of the codes of practice in the CIL
• The documentation of the hazard management process in accordance with Section 4.2.7

4.2.4.2 Use of a Reference System

The Authority, with the support of other involved actors, shall analyze whether one or more hazards are
covered by a similar system that could be taken as a reference system. Reference systems can be used
to derive the safety requirements for the new or changed system.
A reference system shall satisfy at least the following requirements:

• It has already been proven in-use to have an acceptable safety level and would still
qualify for approval by the regulatory body having jurisdiction.

• It is accepted by the body having regulatory authority over its application to CHSRP
(e.g., FRA, CPUC, Office of State Fire Marshal, etc.).

• It is used under similar functional, operational, and environmental conditions and has
similar interfaces as the system under consideration for CHSRP.
For technical changes, it is unlikely that evidence of in-service history alone can prove that a high integrity
system has an acceptable safety level, given the low failure rates required of such systems. Evidence that
sufficient safety engineering principles have been applied in the development of the reference system will
need to be confirmed for each application of it.

If a reference system fulfills the requirements listed above, then for the system under assessment the risks
associated with the hazards covered by the reference system shall be considered as acceptable.

If the system under assessment deviates from the reference system, the risk evaluation shall demonstrate
that the system under assessment reaches at least the same safety level as the reference system. The
risks associated with the hazards covered by the reference system shall, in that case, be considered as
acceptable.

If the same safety level as the reference system cannot be demonstrated, additional mitigation measures
shall be identified for the deviations, applying one of the two other risk acceptance principles.

The safety requirements for the hazards covered by the reference system may be derived from the safety
analyses or from an evaluation of safety records of the reference system. These safety requirements shall
be registered in the CIL as safety requirements for the relevant hazards.

The PHA form developed during the hazard identification phase shall be completed with the term
“acceptable” in the Resolution column. It will not be necessary to identify a final risk index.

When hazards are accepted by use of a reference system, the hazard management process may be limited
to the following:

• The hazard identification and classification in accordance with Section 4.2.3
• The registration of the use of the reference system in the CIL
• The documentation of the hazard management process in accordance with Section 4.2.7

4.2.4.3 Explicit Risk Estimation

Explicit risk estimation is an assessment of the risks associated with hazard(s), where risk is defined as a
combination of the likelihood (or frequency of occurrence) and the consequence (or severity) of a hazard.
Explicit risk estimation can be used where:

• The Authority is unable to address the hazards identified in the hazard identification
stage of the CSM via a code of practice or comparison with a reference system;
• Deviations are necessary from codes of practice or reference systems; or

• The Authority needs to analyze the hazards and evaluate design principles or safety
measures.

The estimation can be qualitative, semi-quantitative, or quantitative. The choice will be determined by
factors such as availability of, and confidence in, quantitative data; the depth of analyses should be
proportionate to the potential risks. Any risk assessment should follow a systematic and structured process.
Qualitative hazard assessment shall be performed by technical experts with sufficient experience and
qualifications relevant to the hazard under consideration.
The acceptability of the estimated risks shall be evaluated using the risk acceptance criteria identified in
Section 4.2.5. The acceptability of the risk may be evaluated either individually for each associated hazard
or globally for the combination of all hazards considered in the explicit risk estimation.

If the estimated risk is not acceptable, additional mitigation measures shall be identified and implemented
in order to reduce the residual risk to an acceptable level. The ALARP Principle (As Low as Reasonably
Practicable) shall be applied to compare the cost and feasibility of applying additional mitigation measures
against the benefit gained from reduced residual risk.

When hazards are accepted by use of explicit risk estimation, the hazard management process may be
limited to the following:

• The hazard identification and classification in accordance with Section 4.2.3
• Completion of the PHA process by registering the risk index in the Residual Risk Index
(Projected) column of the PHA form
• The registration of the use of the explicit risk estimation and the mitigation measures
in the CIL; and
• The documentation of the hazard management process in accordance with Section
4.2.7.

When the risk associated with one or a combination of several hazards is considered as acceptable, the
identified mitigation measures shall be registered in the CIL.

Where hazards arise from failures of technical systems not covered by codes of practice or the use of a
reference system, the following risk acceptance criterion shall apply for the design of the technical system:

• For technical systems where a functional failure has credible direct potential for a
catastrophic consequence, the associated risk does not have to be reduced further if
the failure rate of that system is less than or equal to 10⁻⁹ failures per operating hour.

The explicit risk estimation and evaluation shall satisfy at least the following requirements:

• The methods used for explicit risk estimation shall reflect correctly the system under
assessment and its parameters (including all operational modes).
• The results shall be sufficiently accurate to serve as robust decision support, i.e., minor
changes in input assumptions or prerequisites shall not result in significantly different
requirements.

4.2.5 Risk Estimation Process and Risk Acceptance Criteria

The risk assessment process for significant hazards is as follows:

1. Identify the hazardous event(s) that have the potential to cause injury or death to passengers,
employees, or members of the public who are directly or indirectly exposed to the technical, operational,
or organizational change being considered.
2. Identify the precursors (i.e., the component, sub-system or system failures, physical effects, human
error failures or operational conditions) that can result in the occurrence of each hazardous event.
3. Identify the control measures that are in place to control or limit the occurrence of each precursor that
cannot be eliminated.
4. Estimate the frequency at which each hazardous event can occur.
5. Estimate the consequences (most reasonable credible mishap) in terms of injuries and fatalities,
environmental impact, monetary loss, or reputational damage that could occur for the different
outcomes that may follow the occurrence of a hazardous event.
6. Estimate the overall risk associated with the hazardous event.
7. Identify additional mitigations or control measures that, if applied, would ensure that residual risk is
reduced so far as is reasonably practicable.
8. Provide clear and comprehensive documentary evidence of the methodologies, assumptions, data,
judgments, and interpretations used in the development of the risk assessment and the analysis of its
results. Particularly where the assessment is quantitative and where different safety measures need
to be assessed, the results may also need to be accompanied by sensitivity and uncertainty analysis.
The severity category and frequency of occurrence of the potential mishap(s) for each hazard across all
system modes are estimated using the definitions in Table 4-1 and Table 4-2 respectively.
Table 4-1 Hazard Severity Categories

Hazard Category 1 (Catastrophic)
Definition: Could result in one or more of the following:
• Multiple fatalities or equivalent fatalities
• Irreversible significant environmental impact
• Monetary loss equal to or exceeding $10M
  o Severe damage or total loss of rolling stock
  o Severe damage to infrastructure or other severe system loss causing all or a significant
    portion of the system to be unavailable for normal service for more than 72 hours
• Reputational damage of national impact

Hazard Category 2 (Critical)
Definition: Could result in one or more of the following:
• A single fatality or multiple major injuries or occupational illnesses
• Reversible significant environmental impact
• Monetary loss equal to or exceeding $1M but less than $10M
  o Major but repairable damage to rolling stock
  o Major damage to infrastructure or other major system loss, repairable within 72 hours
    to allow normal service
• Reputational damage of statewide impact

Hazard Category 3 (Marginal)
Definition: Could result in one or more of the following:
• A major injury or occupational illness, or multiple minor injuries
• Reversible moderate environmental impact
• Monetary loss equal to or exceeding $100K but less than $1M
  o Minor repairable damage to railcars
  o Minor damage to infrastructure or other minor system loss, repairable within 24 hours
    to allow normal service
• Reputational damage of local area impact

Hazard Category 4 (Negligible)
Definition: Could result in one or more of the following:
• A minor injury or occupational illness
• Minimal environmental impact
• Monetary loss less than $100K
  o Minimal infrastructure damage or system loss affecting normal service for less than 12 hours
• Reputational damage of limited or little impact

To determine the appropriate severity category as defined in Table 4-1 for a given hazard at a given point
in time, identify the potential for death or injury, environmental impact, monetary loss, or reputational
damage in a most reasonable credible mishap scenario. A given hazard may have the potential to affect
one or all of these areas. An equivalent fatality may be expressed as 10 major injuries (those requiring
hospitalization) or 100 minor injuries (those not requiring hospitalization).

Hazard frequency is defined as the likelihood that a specific hazard will occur during the planned life-cycle
of the system element, subsystem, or component, recognizing that these life-cycles will vary depending
upon the item under consideration. Hazard frequency can be described subjectively in potential
occurrences per unit of time (Mean Time to Hazardous Event – MTTHE), events, population, items, or
activity, and shall be ranked as shown in Table 4-2.
Table 4-2 Hazard Frequency Categories

Columns: Qualitative Description | Level | Qualitative Definition | Quantitative Description for the System (MTTHE) | Context (Probability of Occurrence)

Frequent | A | Likely to occur frequently in an individual item or the System; may be continuously experienced in fleet/inventory. | MTTHE < 2 months | p > 10^-1
Probable | B | Likely to occur several times in the life of an individual item or the System; will occur frequently in fleet/inventory. | 2 months < MTTHE < 1 year | 10^-1 > p > 10^-2
Occasional | C | Likely to occur sometime in the life of an individual item or the System; will occur several times in fleet/inventory. | 1 year < MTTHE < 10 years | 10^-2 > p > 10^-3
Remote | D | Unlikely but possible to occur in the life of an individual item or the System; unlikely but can be expected to occur in fleet/inventory. | 10 years < MTTHE < 100 years | 10^-3 > p > 10^-6
Highly Unlikely | E | So unlikely that it can be assumed occurrence may not be experienced in the life of an individual item or the System; unlikely but possible to occur in fleet/inventory. | MTTHE > 100 years | 10^-6 > p
Eliminated | F | Incapable of occurrence. This level is used when potential hazards are identified and later eliminated. | n/a | p = 0

Note - Frequency level F is used to document cases where the hazard is no longer present. No amount of doctrine,
training, warning, caution, or Personal Protective Equipment (PPE) can move a mishap frequency to level F.

The frequency of the hazard can be determined qualitatively, based on the relative frequency of expected
occurrence, or quantitatively (using failure rates or accident/incident statistical data). Quantitative
determination is generally preferable, but in the absence of applicable quantitative data the use of
qualitative estimation is necessary and appropriate. Table 4-2 provides both a qualitative definition and a
quantitative description of the system using MTTHE, based upon a railway operation 20 hours per day, 7
days per week.

Hazard severity categories (1 through 4) and hazard frequency categories (A through E) are combined in
the Risk Assessment Matrix (Table 4-3) to produce a risk index for each identified hazard. The Risk
Acceptance Matrix (Table 4-4) identifies required actions to reduce risk based on the risk rating. The
Authority will accept the residual risk through the Safety and Security Executive Committee process (where
appropriate) through direct approval of individual risk acceptance decisions for hazard risks categorized as
Undesirable. Hazard risks categorized as Acceptable do not require direct SSEC approval; however, review
of the risk assessment process will fulfill the Authority's responsibility to accept the residual risk.

Table 4-3 Risk Assessment Matrix

Frequency \ Severity    1 Catastrophic   2 Critical   3 Marginal   4 Negligible
(A) Frequent            1A               2A           3A           4A
(B) Probable            1B               2B           3B           4B
(C) Occasional          1C               2C           3C           4C
(D) Remote              1D               2D           3D           4D
(E) Highly unlikely     1E               2E           3E           4E
(F) Eliminated          n/a              n/a          n/a          n/a

Table 4-4 Risk Acceptance Matrix

Hazard Risk Index | Risk Rating | Action Required
1A, 1B, 1C, 2A, 2B, 3A | Unacceptable | Risk must be reduced and managed
1D, 2C, 2D, 3B, 4A | Undesirable | Risk is acceptable only where further risk reduction is impracticable. Authority decision at the SSEC level is required to accept residual risk.
1E, 2E, 3C, 3D, 4B | Tolerable | Apply mitigations where reasonably practicable. Risk can be tolerated and accepted with adequate controls. Authority review at the SSPC level is required to accept residual risk.
3E, 4C, 4D, 4E | Acceptable | No further risk reduction required
(F) Eliminated | Eliminated | None
4.2.6 As Low as Reasonably Practicable (ALARP Principle)
The ALARP Principle shall be applied as necessary to assess the cost/benefit of applying additional
measures of mitigation in order to achieve residual risk that is as low as reasonably practicable. ALARP
calculations can be qualitative, semi-quantitative, or quantitative depending on the level of risk and the
amount of data available to the assessor. Qualitative analysis is entirely appropriate for assessment of
risks that are found in standard industry practice or common experiences. Hazards deemed appropriate
for more quantitative analysis will require development of more comprehensive analysis to provide the
required level of data. Criteria for applying a detailed, quantitative cost/benefit analysis include high risks
that must be mitigated and accepted, highly controversial risks, and risks with a potentially high impact to
the System or project under consideration.

The ALARP principle recognizes that infinite time, effort and money could be spent attempting to reduce a
risk to zero, but doing so is usually not practical. The principle is not simply a quantitative measure of
benefit against detriment; it is more accurately a best common practice of judgment of the balance of risk
and societal benefit. ALARP does not represent zero risk.

For a risk to be ALARP it must be possible to demonstrate that the cost involved in reducing the risk further
would be grossly disproportionate to the benefit gained; that is, the greater the risk, the more resources
should be spent in reducing it, and the greater the bias on the side of safety. The costs could marginally
outweigh the benefits and yet the measure could still be reasonably practicable to introduce in order to
reduce risk.

The disproportion factors (DF) in Table 4-5 shall be applied to the ALARP process according to the amount
of risk. DFs that may be considered gross vary from upwards of 1 depending on a number of factors
including the magnitude of the consequences and the frequency of realizing those consequences, i.e., the
greater the risk, the greater the DF.

Table 4-5 Disproportion Factors for Risk


Risk Rating DF
Unacceptable 10
Undesirable 8
Tolerable 5
Acceptable 1
When using a cost/benefit analysis, convert both the additional mitigation(s) and the risk (so far as it is
being reduced) to a common set of units (dollars) for the purpose of making a comparison. A hazard is
considered ALARP using a cost/benefit analysis when cost divided by the benefit is greater than the DF.

Other issues to consider when performing a cost/benefit analysis include the sensitivity of key inputs
(frequency/severity of the hazardous event), annualization (average costs and average benefits), and
discounting the value of future benefits.
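To make the chain from Table 4-3 through Table 4-5 concrete, the following Python is an added illustration (not code from the Authority's SSMP): it looks up the hazard risk index and rating, checks that Table 4-4 covers every cell of Table 4-3, and applies the Section 4.2.6 cost/benefit test against the disproportion factor. The hazard and dollar figures at the bottom are constructed for the example.

```python
from dataclasses import dataclass

# Table 4-1 / Table 4-2 category labels
SEVERITY = {1: "Catastrophic", 2: "Critical", 3: "Marginal", 4: "Negligible"}
FREQUENCY = {"A": "Frequent", "B": "Probable", "C": "Occasional",
             "D": "Remote", "E": "Highly Unlikely", "F": "Eliminated"}

# Table 4-4: hazard risk index -> risk rating. Table 4-3 forms the index
# by joining the severity digit to the frequency letter (e.g. "2C").
RISK_RATING = {
    **dict.fromkeys(["1A", "1B", "1C", "2A", "2B", "3A"], "Unacceptable"),
    **dict.fromkeys(["1D", "2C", "2D", "3B", "4A"], "Undesirable"),
    **dict.fromkeys(["1E", "2E", "3C", "3D", "4B"], "Tolerable"),
    **dict.fromkeys(["3E", "4C", "4D", "4E"], "Acceptable"),
}
ACTION = {
    "Unacceptable": "Risk must be reduced and managed",
    "Undesirable": "Acceptable only where further reduction is impracticable; "
                   "SSEC decision required to accept residual risk",
    "Tolerable": "Apply mitigations where reasonably practicable; "
                 "SSPC review required to accept residual risk",
    "Acceptable": "No further risk reduction required",
    "Eliminated": "None",
}
# Table 4-5 disproportion factors by risk rating
DISPROPORTION_FACTOR = {"Unacceptable": 10, "Undesirable": 8,
                        "Tolerable": 5, "Acceptable": 1}


def risk_index(severity: int, frequency: str) -> str:
    """Table 4-3: combine severity (1-4) and frequency (A-F) into an index."""
    if severity not in SEVERITY or frequency not in FREQUENCY:
        raise ValueError(f"unknown severity/frequency: {severity}{frequency}")
    return f"{severity}{frequency}"


def risk_rating(index: str) -> str:
    """Table 4-4 lookup; frequency F means the hazard has been eliminated."""
    if index.endswith("F"):
        return "Eliminated"
    return RISK_RATING[index]


def table_4_4_is_complete() -> bool:
    """Consistency check: every Table 4-3 cell (1-4 x A-E) has a rating."""
    return all(f"{s}{f}" in RISK_RATING for s in SEVERITY for f in "ABCDE")


def alarp_demonstrated(rating: str, mitigation_cost: float,
                       risk_reduction_benefit: float) -> bool:
    """Section 4.2.6 test: the risk is ALARP when cost / benefit > DF, i.e.
    the further mitigation would be grossly disproportionate to its benefit.
    Both inputs are in dollars. A mitigation that buys no risk reduction is
    never reasonably practicable, so the risk is ALARP as it stands."""
    if rating == "Eliminated" or risk_reduction_benefit <= 0:
        return True
    return mitigation_cost / risk_reduction_benefit > DISPROPORTION_FACTOR[rating]


@dataclass
class Assessment:
    index: str
    rating: str
    action: str
    cost_benefit_ratio: float
    disproportion_factor: int
    alarp: bool


def assess_hazard(severity: int, frequency: str, mitigation_cost: float,
                  risk_reduction_benefit: float) -> Assessment:
    """Rate the hazard, then decide whether a proposed additional mitigation
    is reasonably practicable (ratio <= DF) or the risk is already ALARP."""
    idx = risk_index(severity, frequency)
    rating = risk_rating(idx)
    ratio = (float("inf") if risk_reduction_benefit <= 0
             else mitigation_cost / risk_reduction_benefit)
    return Assessment(idx, rating, ACTION[rating], ratio,
                      DISPROPORTION_FACTOR.get(rating, 0),
                      alarp_demonstrated(rating, mitigation_cost,
                                         risk_reduction_benefit))


if __name__ == "__main__":
    # Constructed hazard (not from the SSMP): Critical severity (2) at
    # Occasional frequency (C). The proposed mitigation costs $2.0M and is
    # estimated to remove $300K of monetized risk over the life cycle.
    a = assess_hazard(2, "C", 2_000_000, 300_000)
    verdict = ("risk is ALARP; no further mitigation required" if a.alarp
               else "mitigation is reasonably practicable; implement it")
    print(f"{a.index} {a.rating}: cost/benefit {a.cost_benefit_ratio:.2f} "
          f"vs DF {a.disproportion_factor} -> {verdict}")
```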

4.2.7 Hazard Analysis Processes and Documentation, Verification and Validation


A variety of hazard analysis processes are available for proper risk estimation and mitigation development,
based upon the characteristics of the system or subsystem under consideration. The types of analyses
that may be required for the development of the CHSRP are described below.

• Preliminary Hazard Analysis (PHA) is typically the initial hazard analysis technique
used during the system or subsystem design phase. PHA is used to identify safety
critical areas within the system and roughly evaluate hazards. PHA establishes the
basis for the safety criteria in design, equipment, and performance specifications.
• Site-Specific Hazard Analysis (SiSHA) is an expansion of the PHA, conducted as the
general design criteria and system requirements are applied to specific system and
subsystem elements. An example would be a SiSHA for an elevated structure
spanning the SR-99 highway in Fresno, applying the safety-critical criteria found in the
Design Criteria to the specific characteristics and site conditions of this structure.
SiSHA is generally performed during the Final Design, Construction, and
Testing/Startup Phases. The primary output of the SiSHA is the identification and
evaluation of hazards and mitigations that are specific to the system element under
consideration.
• Failure Modes and Effects Analysis (FMEA) is an inductive analysis used to identify
equipment failures. It evaluates a system or subsystem to identify possible failures of
each individual component in the system. The results or effects of the subsystem and
component failures are then classified according to severity.
• Fault Tree Analysis (FTAn) is representative of the deductive process. The purpose
of the Fault Tree Analysis is to provide a concise and orderly description of the various
combinations of possible occurrences within the system that can result in an undesired
event. This is the most rigorous of the hazard identification processes and analyses
and is typically performed for the most complex systems.
• Interface Hazard Analysis (IHA) is performed to identify design hazards in components
and subsystems of a major system as they relate to other components or subsystems.
IHA determines the functional relationships between the systems, subsystems,
processes, components and equipment based solely on safety considerations and also
identifies all elements in which a functional failure could result in a hazardous condition
or accidental loss.
• Operating Hazard Analysis (OHA) is performed to determine all applicable operational
safety requirements for personnel, procedures, and equipment throughout all phases
of the system life cycle. Engineering data, procedures, and instructions developed
from other safety analyses, the engineering design, and initial test programs are used
to support this analysis.
• Software Hazard Analysis (SHA) will be used to evaluate software design, related
software, and hardware documentation for safety-critical software-controlled functions.
The analysis will review software and hardware failures that could cause the system to
operate in a hazardous manner.
• Adjacent Railroad Hazard Risk Assessment Model (ARHRAM) will be used to assess
the hazards associated with freight railroad rights-of-way directly adjacent to the
CHSRP right-of-way. This is a semi-quantitative assessment process that relies on
input from technical experts to assess site-specific characteristics of the adjacent
railway.
• Adjacent Roadway Vehicle Hazard Risk Assessment Model will be used to assess
hazards associated with roadway vehicles traveling directly adjacent to the CHSRP
right-of-way. This is a semi-quantitative assessment process that relies on input from
technical experts to assess site-specific characteristics of the adjacent roadway.

The detailed process for completing each of these analysis types, including the appropriate forms, is
identified in SSMP Appendix G. Appropriate support documentation used in the development of risk
assessment will be identified or referenced in detail as part of each analysis process, including, but not
limited to, the following:

• System description including modes of operation and tasks
• Schematics, drawings, block diagrams, lists of assemblies, parts and components
addressed within each subsystem and system
• Documented reliability and safety data including failure rate data obtained from service
use in identical or manifestly similar equipment in similar environment
• Documented reliability and safety data obtained from formal test results, conducted in
similar applications
• Documented reliability and safety data obtained from formal analyses, conducted for
equipment in similar applications
• Hazard management requires monitoring and documentation throughout the project
life cycle. Verification and validation activities shall fulfill the requirements of the Safety
and Security Certification Program, as described in Section 7 of this SSMP.

4.3 Security Risk Assessment Process


Planning in advance of day-to-day passenger rail crimes, terrorist acts, or other security incidents is
essential to providing CHST passengers and employees with a safe and secure environment. A breach in
security may result in serious injuries or death, destruction of property and facilities, and/or the inability to
continue CHSRP operations to the region.

Adopting a methodology that involves periodic assessment is consistent with the requirement of the system
security lifecycle and ISO 31000 Risk Management standard.

In order to ensure that the Authority has considered security risks, such as crime or acts of terrorism, it is
crucial to apply a methodological approach and process to security risk management. The risk assessment
process that will be used (and as illustrated in Figure 4-2) includes the following:

• Identify the key assets
• Identify the threats
• Identify the vulnerabilities
• Identify the likelihood
• Identify the consequence/impact
• Assign the initial risk index as the basis for future risk decision criteria
• Identify potential mitigation measures/countermeasures
• Determine residual risk after implementation of countermeasures

Figure 4-2 Security Risk Assessment Process

To evaluate the susceptibility to potential threats and to design corrective actions that can reduce or mitigate
the risk of serious consequences from a security incident, a Threat and Vulnerability Assessment (TVA) will
be initiated during the preliminary phases of the CHSRP. The assessment will be reviewed and updated
at each subsequent phase.

The TVA process will identify the likelihood of specific threats that may endanger railroad assets (people,
property, and information); the potential vulnerabilities associated with the design of the CHSRP; and
mitigation efforts that can be designed into the CHSRP to reduce the risk and to minimize the consequences
of identified potential criminal and terrorism activities. It will also identify future security training needs of
transit personnel and the necessity for security procedures. The Security Risk Assessment will be protected
under Sensitive Security Information (SSI) and shared only with those persons with a need to know.
4.3.1 Assets

4.3.1.1 Identification
Assets are defined as people and property. System assets include the following:

• People – passengers, employees, visitors, contractors, vendors, surrounding
communities, and others who come into contact with the transit system
• Property – fixed infrastructure, rolling stock, software
• Information – plans, procedures, network information, passwords and access codes

Assets associated with the CHSRP will be identified during the TVA process and included as a listing in the
Threat and Vulnerability Assessment Report.

4.3.1.2 Criticality Determination


Assets will be prioritized in terms of criticality. Most weight will be given to those assets that present the
greatest threat to life safety or service disruption. In making this determination, consideration will be given
to the following:

• Impact on CHSRP passengers, employees, and first responders
• Impact on CHSRP operations
• Economic value of the asset, including current and replacement value
• Intrinsic value of the asset to a potential adversary
• Asset location relative to other critical assets

4.3.2 Identification of Threats


Threats are defined as deliberate actions intended to cause injury or death to people or damage or loss of
critical assets. The threats (or attack types) to the CHSRP will generally be the same as those faced by
other public transportation networks. Threat is the combination of both intent and capability of a threat actor
or threat source to realize a threat or attack against an asset. It is possible to separately analyze the intent
and the capability, but this type of analysis requires specific information and intelligence about specific threat
actors.

As part of the security risk management system it is important to understand target attractiveness. Target
attractiveness varies depending upon threat actor motivations and goals, but in general the following criteria
are useful in determining the potential for target selection:

• Potential for public impact, damaging the society and ecosystem as a whole
• Lack of target protection, and whether the target follows predictable patterns
• Potential for mass casualties
• Potential for global significance or visibility to either the threat actor or the target
• Target permanently or frequently available
• Potential for major political or economic impact
• Potential for economic gain
• Ease of accessibility
• Perceived “iconic” status

Determination of security threat is always evolving and requires analysis to be based on the past
performance of threat actors, both successful and attempted. Historical data (from reliable open source
information) of manifested threat events across national and international transit systems provides accurate
data to enable security threats to the CHSRP assets and systems to be established.
A series of tables illustrate examples of threat categories (Table 4-6), crime categories (Table 4-7), and
threat types (Table 4-8).

Table 4-6 Threat Category Examples

Threat Category | Sources
Criminal | Petty crime; organized crime; current/former staff
Terrorism | Domestic extremist groups; transnational extremist groups; single-issue groups
Hostile State | Military; state-sponsored hostile actors

Table 4-7 General Crime Categories and Examples

Threat Category | Crime Types within Category
Crimes against Persons | Assault, homicide, robbery, theft
Crimes against Property | Arson, cargo theft, vandalism, burglary
Other Crimes committed on Transit Property | Organized crime presence – infiltrating rail system, using rail system to move contraband, drugs, prostitution, fare evasion, trespass

Table 4-8 Threat or Attack Types Examples

Threat Type | Types within Category
Explosives | Military explosive, improvised explosive device (IED), vehicle-borne improvised explosive device (VBIED), personnel-borne improvised explosive device (PBIED)
Chemical | Toxic industrial chemicals, and poisons
Arson | Incendiary devices
Small Arms Attack | Use of standard firearms and other weapons
Standoff Attack | Weapons with high-energy explosives that are designed to hit and penetrate heavily protected objects from a distance
Cyber Attack | Viruses, worms and Trojan horses
Hoax Call or Device | Intentional false alarm or threat

As stated previously, threat is based upon the combination of intent and capability. Table 4-9 provides the
threat rating matrix and Table 4-10 provides the threat ratings and their descriptions.
Table 4-9 Threat Rating Matrix (Intent x Capability)

Capability (columns):
  C1 Similar exploit has been used, confirmed by credible evidence
  C2 Operational capability confirmed
  C3 Some evidence that operational capability exists; not confirmed
  C4 No evidence of operational capability but feasibility confirmed
  C5 No evidence and even feasibility unconfirmed

Intent (rows):
  I1 Tactic has been used in the past and a similar attack may be planned
  I2 Tactic has been used before and it is credible that it is being considered for further use
  I3 Tactic has not been used before but is under consideration
  I4 Tactic has not been used before but it may be under consideration
  I5 Tactic has not been used before and is not known to be under consideration

        C1         C2         C3        C4        C5
  I1    Very High  Very High  High      Medium    Low
  I2    Very High  High       High      Medium    Low
  I3    High       High       Medium    Medium    Low
  I4    Medium     Medium     Medium    Low       Very Low
  I5    Low        Low        Low       Very Low  Very Low
Table 4-10 Threat Rating and Definitions

Threat Rating | Threat Rating Definition
VERY HIGH | Significant and proven threat present based upon demonstrated intent and demonstrated capability
HIGH | Threat present based upon stated/demonstrated intent with demonstrated capability
MEDIUM | Medium level threat exists based upon either strong intent or some degree of stated/demonstrated capability
LOW | General threat exists and should be monitored; no proven intent or demonstrated capability
VERY LOW | General threat may exist with intent and capability feasibility unconfirmed

For purposes of the CHST System, threat of terrorist activity will be based on information provided by
DHS/TSA and other credible sources. For other threats, including crime and quality of life incidental threats,
the Security Risk Assessment will review crime data provided by law enforcement in the adjacent areas,
and open source data of criminal threats for other rail systems.

4.3.3 Scenario Analysis


Scenarios are the outcome of pairing specific assets with specific threats. An explosive device at a rail
station provides a scenario that can be evaluated to identify the vulnerabilities that may make the rail station,
an identified asset, susceptible to an attack. Scenario development also identifies impacts of threats on
critical assets and promotes mitigation strategies and capability needs. The scenarios are intended to
represent credible, real-world events and, as such, will be derived primarily from other operating systems’
experiences, FTA and TSA resource documents, and local crime report information.

4.3.4 Identification of Vulnerabilities


Vulnerability is defined as any weakness, flaw or condition that allows, and/or can be exploited for, the
successful realization of a potential threat against the CHSRP. In general, vulnerability conditions allow
access to an asset in order for it to be attacked. As the threat environment is ever changing, vulnerabilities to
different threats and attack methods may also change, which requires updated review of the threats,
vulnerabilities and the consequences. However, by addressing known vulnerabilities and therefore limiting
the associated consequences of a potential threat, the likelihood of having to make significant changes is
reduced for future updates.

Vulnerability conditions can be classified into two different types, physical, and procedural. A physical
vulnerability condition is an actual physical deficiency, flaw, or absence of physical measures designed to
deter, detect, delay, and/or respond against a breach or unauthorized access to an asset. A procedural
vulnerability condition relates to the existence, implementation, legality, and oversight of policies and
procedures, which are designed to deter, detect, delay, or respond against a breach or unauthorized access
to an asset.

Successful execution of an attack type is dependent upon the presence of either a physical vulnerability, or
a procedural vulnerability, or both. By identifying the physical and procedural conditions that contribute to
a certain threat type and attack method, it is possible to start developing general mitigation strategies to
address the vulnerability and therefore reduce the likelihood and/or consequences of a successful attack.

In a new project, the assumption is that the system is completely without mitigation measures, but the
assessment takes into account typical operating features and assets. Any countermeasures that might
address a perceived vulnerability will be recommended for implementation in the design and construction.
Assessments performed on existing systems look for the weaknesses in an existing design or system.

Table 4-11 details the vulnerability levels used as part of the vulnerability determination.
Table 4-11 Vulnerability Levels and Description

Vulnerability Level | Assessment Criteria

Very High
• Non-existent advanced physical and procedural mitigation measures
• Inadequate existing mitigation measures that will likely fail to deter, detect, delay, or respond to a security risk
• No security awareness culture present
• No business or operations contingencies to manage security events and recover. Severe disruptions are likely

High
• Some physical and procedural mitigation measures, but ineffective at deterring, detecting, delaying, or responding to advanced security risks
• More than 50% of existing mitigation measures are likely to fail to deter, detect, delay, or respond to a basic security risk
• No security exercises performed or planned
• Few contingencies/plans are in place for business and operations recovery. Significant disruptions likely

Moderate
• 50% of advanced physical and procedural mitigation measures are effective, with remaining measures likely to fail to deter, detect, delay, or respond to a security risk
• Existing mitigation measures are capable of deterring, detecting, delaying, and responding to basic security risks
• Exercise program exists and exercises are performed for select areas
• Basic security awareness culture
• Contingencies/plans are in place across most but not all key areas of business and operations, but require improvement. Some disruptions are likely

Low
• 50% - 80% of advanced physical and procedural mitigation measures are effective but some improvements are required
• Existing mitigation measures are capable of deterring, detecting, delaying, and responding to basic security risks
• Procedures and evidence (records) of audit and review of existing security measures
• Exercise program exists and exercises are performed for select areas
• Cultivation of security awareness culture is a primary objective of management
• Business and operations contingency plans are in place for all key areas to manage security events and recover

Very Low
• 80% or higher effectiveness of advanced physical and procedural mitigation measures to deter, detect, delay, and respond to security risks, and the measures are sustainable
• Procedures and evidence (records) of audit and review of existing controls
• Exercise program exists and exercises are performed for select areas
• Security awareness culture is integrated into all business activities
• Comprehensive contingency plans in place across entire business and operations to manage most identified disruptions

4.3.5 Determining Likelihood


Likelihood is the combination of threat and vulnerability. Table 4-12 describes the combination of the threat
and vulnerability to create the likelihood rating and index.
Table 4-12 Likelihood Determination Matrix (Threat x Vulnerability)

Threat \ Vulnerability   Very High        High             Moderate         Low         Very Low
Very High                Almost Certain   Almost Certain   Highly Likely    Likely      Likely
High                     Almost Certain   Highly Likely    Highly Likely    Likely      Possible
Medium                   Highly Likely    Likely           Likely           Possible    Possible
Low                      Likely           Likely           Possible         Possible    Remote
Very Low                 Possible         Possible         Possible         Remote      Remote

The likelihood is based upon the definitions in Table 4-13.

Table 4-13 Likelihood Rating and Definitions

Likelihood Rating | Likelihood Characteristics
Almost Certain (A) | Vulnerability exists and threat is proven and demonstrated. Threat realization can be expected to occur during the system's operational phases
Highly Likely (B) | Vulnerability exists and threat is proven although may not be demonstrated. Threat realization may be expected during the system's operational phases
Likely (C) | Some vulnerability exists and threat has some resource, experience, and skill, though may not be demonstrated. Threat realization may occur during the system's operational phases
Possible (D) | Limited vulnerability exists and threat may be under-resourced and may lack experience and skill; should not occur during the system's operational phases
Remote (E) | Limited vulnerability exists or threat has not been proven or demonstrated; not expected during the system's operational phases

4.3.6 Determining the Consequence


Consequence is the assessed impact and severity of a successful threat against an asset, the system, or
network. Consequence is measured by the level of impact on primary areas of people, equipment or service
and finances. Reputational impacts can also be assessed. Examples of consequences include injuries to
the public or to CHSRP personnel, loss of equipment causing financial losses, and disruption to CHSRP
operations. Reputational damage occurs when the system is considered unsafe or dangerous, impacting
ridership, and funding. Severity categories are defined to provide a qualitative measure of the result of a
security breach and are summarized in Table 4-14.
Table 4-14 Consequence Ratings and Assessment Criteria

Characteristics for each rating: People | Equipment or Services | Financial | Reputational

Catastrophic (1)
  People: Several deaths and/or numerous severe injuries
  Equipment or Services: Total loss of equipment or system interruption requiring months to repair
  Financial: Estimated loss in excess of $5 million
  Reputational: Ongoing international, national media coverage, severe reputational damage, government intervention, Weeks - Months

Critical (2)
  People: Low number of deaths (less than 3) and/or severe injuries
  Equipment or Services: Significant loss of equipment or system interruption, requiring weeks to repair
  Financial: Estimated loss from the incident expected to range from $500,000 to $5 million
  Reputational: Prolonged national and local media, serious reputational damage, sustained government involvement, Days - Weeks

Moderate (3)
  People: Possible severe injury or several minor injuries
  Equipment or Services: Loss of equipment or system interruption, requiring seven or fewer days to repair
  Financial: Estimated loss from the incident expected to range from $50,000 to $499,999
  Reputational: Adverse national and local media coverage, reputational damage, government involvement

Minor (4)
  People: Possible minor injuries or illness
  Equipment or Services: Minor loss of equipment, no system interruption, less than 24 hours to repair
  Financial: Estimated loss from the incident expected to be minor, $1000 to $49,999
  Reputational: Local media coverage and some reputational damage

Negligible (5)
  People: No injuries or illness
  Equipment or Services: Minor damage to equipment, no system interruption, no immediate repair necessary
  Financial: Estimated loss less than $1000
  Reputational: No adverse media coverage or reputational damage

4.3.7 Security Risk Criticality Matrix


The consequence, or severity, of a threat and the likelihood of occurrence will be combined into a risk level
criticality matrix. The consequences will be assessed both in terms of severity of impact and probability of
occurrence for a given threat. The criticality matrix organizes the resulting consequences into categories
of high, serious, and low. The matrix will help to prioritize risk to focus available resources on the most
serious threats requiring resolution while effectively managing the available resources. The Security
Criticality Matrix is shown in Table 4-15.
Table 4-15 Security Risk Criticality Matrix (Likelihood X Consequence)

Consequence Severity \ Likelihood   A Almost Certain   B Highly Likely   C Likely       D Possible     E Remote
Catastrophic - 1                    1A Very High       1B Very High      1C High        1D High        1E Moderate
Critical - 2                        2A Very High       2B High           2C High        2D Moderate    2E Moderate
Moderate - 3                        3A High            3B High           3C Moderate    3D Moderate    3E Low
Minor - 4                           4A Moderate        4B Moderate       4C Moderate    4D Low         4E Very Low
Negligible - 5                      5A Low             5B Low            5C Low         5D Very Low    5E Very Low

Source: Adapted from FTA's Public Transportation System Security and Emergency Preparedness
Planning Guide

Once the risk rating is determined for each security risk to each identified asset, then the risk index at Table
4-16 can be used to determine and prioritize the resources and financial justification for risk treatment.

Table 4-16 Security Risk Index

Risk Index | Risk Rating | Action Required
1A, 1B, 2A | VERY HIGH | Risk must be immediately mitigated and constantly monitored
1C, 1D, 2B, 2C, 3A, 3B | HIGH | Risk must be treated and monitored. Authority decision at the SSEC level is required to accept risk.
1E, 2D, 2E, 3C, 3D, 4A, 4B, 4C | MODERATE | Risk should be managed and reduction strategies implemented. Authority decision at the SSPC level is required.
3E, 4D, 5A, 5B, 5C | LOW | Risk may be accepted after a risk review by the SSWG
4E, 5D, 5E | VERY LOW | Risk would normally not be treated

Source: Adapted from FTA's Public Transportation System Security and Emergency Preparedness
Planning Guide
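As an added illustration that is not part of the SSMP or any CHSRP TVA worksheet, the following Python carries a scenario through Tables 4-9, 4-12, 4-13 and 4-16 in sequence (intent x capability, threat x vulnerability, likelihood x consequence) and then ranks a worksheet of scenarios so the highest-rated risks come first. The scenario names and ratings at the bottom are constructed for the example.

```python
# Table 4-9 axes, listed from strongest (1) to weakest (5)
INTENT = [
    "Tactic has been used in the past and a similar attack may be planned",
    "Tactic has been used before and it is credible that it is being "
    "considered for further use",
    "Tactic has not been used before but is under consideration",
    "Tactic has not been used before but it may be under consideration",
    "Tactic has not been used before and is not known to be under consideration",
]
CAPABILITY = [
    "Similar exploit has been used, confirmed by credible evidence",
    "Operational capability confirmed",
    "Some evidence that operational capability exists; not confirmed",
    "No evidence of operational capability but feasibility confirmed",
    "No evidence and even feasibility unconfirmed",
]
# Table 4-9 body: THREAT_MATRIX[intent - 1][capability - 1]
THREAT_MATRIX = [
    ["Very High", "Very High", "High", "Medium", "Low"],
    ["Very High", "High", "High", "Medium", "Low"],
    ["High", "High", "Medium", "Medium", "Low"],
    ["Medium", "Medium", "Medium", "Low", "Very Low"],
    ["Low", "Low", "Low", "Very Low", "Very Low"],
]
# Table 4-12 body: LIKELIHOOD_MATRIX[threat][vulnerability]
THREAT_LEVELS = ["Very High", "High", "Medium", "Low", "Very Low"]
VULNERABILITY_LEVELS = ["Very High", "High", "Moderate", "Low", "Very Low"]
LIKELIHOOD_MATRIX = [
    ["Almost Certain", "Almost Certain", "Highly Likely", "Likely", "Likely"],
    ["Almost Certain", "Highly Likely", "Highly Likely", "Likely", "Possible"],
    ["Highly Likely", "Likely", "Likely", "Possible", "Possible"],
    ["Likely", "Likely", "Possible", "Possible", "Remote"],
    ["Possible", "Possible", "Possible", "Remote", "Remote"],
]
LIKELIHOOD_CODE = {"Almost Certain": "A", "Highly Likely": "B", "Likely": "C",
                   "Possible": "D", "Remote": "E"}          # Table 4-13
CONSEQUENCE = {1: "Catastrophic", 2: "Critical", 3: "Moderate",
               4: "Minor", 5: "Negligible"}                  # Table 4-14
# Table 4-16 index -> rating (its cells agree with the Table 4-15 matrix)
RISK_RATING = {
    **dict.fromkeys(["1A", "1B", "2A"], "VERY HIGH"),
    **dict.fromkeys(["1C", "1D", "2B", "2C", "3A", "3B"], "HIGH"),
    **dict.fromkeys(["1E", "2D", "2E", "3C", "3D", "4A", "4B", "4C"], "MODERATE"),
    **dict.fromkeys(["3E", "4D", "5A", "5B", "5C"], "LOW"),
    **dict.fromkeys(["4E", "5D", "5E"], "VERY LOW"),
}
ACTION = {
    "VERY HIGH": "Immediately mitigate and constantly monitor",
    "HIGH": "Treat and monitor; SSEC decision required to accept risk",
    "MODERATE": "Manage and implement reduction strategies; SSPC decision required",
    "LOW": "May be accepted after a risk review by the SSWG",
    "VERY LOW": "Would normally not be treated",
}
RATING_ORDER = list(ACTION)  # most to least serious


def threat_rating(intent: int, capability: int) -> str:
    """Table 4-9: both inputs are 1 (strongest) to 5 (weakest)."""
    if not (1 <= intent <= 5 and 1 <= capability <= 5):
        raise ValueError("intent and capability must be 1..5")
    return THREAT_MATRIX[intent - 1][capability - 1]


def likelihood(threat: str, vulnerability: str) -> str:
    """Table 4-12: threat rating x Table 4-11 vulnerability level."""
    return LIKELIHOOD_MATRIX[THREAT_LEVELS.index(threat)][
        VULNERABILITY_LEVELS.index(vulnerability)]


def security_risk(scenario: str, intent: int, capability: int,
                  vulnerability: str, consequence: int) -> dict:
    """Run one asset/threat scenario through the whole chain."""
    if consequence not in CONSEQUENCE:
        raise ValueError("consequence must be 1..5")
    threat = threat_rating(intent, capability)
    like = likelihood(threat, vulnerability)
    index = f"{consequence}{LIKELIHOOD_CODE[like]}"  # Table 4-15 cell label
    rating = RISK_RATING[index]
    return {"scenario": scenario, "threat": threat, "likelihood": like,
            "risk_index": index, "risk_rating": rating, "action": ACTION[rating]}


def prioritize(assessments: list) -> list:
    """Order scenarios so resources go to the most serious risks first."""
    return sorted(assessments, key=lambda a: (RATING_ORDER.index(a["risk_rating"]),
                                              a["risk_index"]))


if __name__ == "__main__":
    # Constructed scenarios (not from any CHSRP TVA); values chosen only to
    # exercise different parts of the matrices.
    worksheet = [
        security_risk("Station A / scenario 1", 3, 2, "Moderate", 4),
        security_risk("Station B / scenario 2", 1, 1, "Very High", 1),
        security_risk("Yard C / scenario 3", 5, 4, "Low", 5),
    ]
    for a in prioritize(worksheet):
        print(f"{a['risk_index']} {a['risk_rating']:9} {a['scenario']}: {a['action']}")
```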

4.3.8 Countermeasure Development


After determination of the risk, countermeasures or corrective actions are developed that can mitigate or
eliminate the risk. Effective countermeasures can either be design or procedural or a combination.
Examples of design or engineered countermeasures include the following:

• Installing physical barriers designed to reduce the asset's vulnerability to unauthorized
access, explosive, or other incendiary attacks
• Installing integrated intrusion detection and alarm systems throughout key facilities
• Installing chemical, biological, radiological and/or nuclear detection devices at facility
and station locations

Procedural or Administrative countermeasures include the following:


• Increasing the frequency of security patrols at key asset locations
• Increasing security-related training to improve the abilities of employees to identify
suspicious packages or activities
• Conducting emergency exercises and drills involving security-related scenarios
• Developing working groups and information exchange committees with local law
enforcement and emergency response agencies.

During the development of countermeasures, consideration will be given not only to the initial costs of
procurement and implementation, but also to the associated maintenance costs and expected level of
effectiveness at eliminating or controlling the threat and/or vulnerability. Cases where conditions may be
exacerbated, such as special events, will be taken into account. During these conditions, ridership is likely
to be greater than normal and may impact the effectiveness of the countermeasure.

4.3.9 Residual Risk


Residual risk refers to the risk remaining after application of the countermeasures. If the residual risk has
not been reduced to an acceptable level, additional countermeasures or mitigation strategies must be
considered.
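As an added example (not part of the SSMP, and not the Authority's own tooling), the following Python encodes the severity/likelihood matrix and the Table 4-16 risk index above, checks the matrix for transcription errors (a cell rated higher than a less severe or less likely neighbour, or a cell missing altogether), and carries TVA-style scenarios through countermeasures to residual risk and the decision level required. The acceptability threshold (MODERATE), the step reductions credited to each countermeasure, and the scenarios themselves are assumptions for illustration only; the plan defines none of them.

```python
"""Risk matrix, Table 4-16 risk index and residual-risk worksheet. Added example,
not from the plan: threshold, countermeasure effects and scenarios are assumed."""
from dataclasses import dataclass, field

SEVERITIES = (1, 2, 3, 4, 5)   # 1 Catastrophic ... 5 Negligible
LIKELIHOODS = "ABCDE"          # A most likely ... E Remote
RATING_ORDER = ["VERY LOW", "LOW", "MODERATE", "HIGH", "VERY HIGH"]

# Table 4-16: every cell of the matrix, risk index code -> risk rating.
RISK_RATING = {code: rating for rating, codes in {
    "VERY HIGH": "1A 1B 2A",
    "HIGH": "1C 1D 2B 2C 3A 3B",
    "MODERATE": "1E 2D 2E 3C 3D 4A 4B 4C",
    "LOW": "3E 4D 5A 5B 5C",
    "VERY LOW": "4E 5D 5E"}.items() for code in codes.split()}

# Action required, and the body whose decision accepts the risk (None: it must
# be mitigated rather than accepted, or it is not treated at all).
ACTION = {
    "VERY HIGH": ("Immediately mitigate and constantly monitor", None),
    "HIGH": ("Treat and monitor; SSEC decision required to accept", "SSEC"),
    "MODERATE": ("Manage and implement reduction strategies; SSPC decision", "SSPC"),
    "LOW": ("May be accepted after SSWG risk review", "SSWG"),
    "VERY LOW": ("Normally not treated", None),
}

def risk_index(severity, likelihood):
    if severity not in SEVERITIES or likelihood not in LIKELIHOODS:
        raise ValueError(f"invalid matrix cell {severity}{likelihood}")
    return f"{severity}{likelihood}"

def risk_rating(severity, likelihood):
    return RISK_RATING[risk_index(severity, likelihood)]

def check_matrix_consistency():
    """Cells missing or rated below a less severe / less likely neighbour."""
    problems = []
    for s in SEVERITIES:
        for i, l in enumerate(LIKELIHOODS):
            code = f"{s}{l}"
            if code not in RISK_RATING:
                problems.append(f"missing {code}")
                continue
            here = RATING_ORDER.index(RISK_RATING[code])
            # neighbours one step less severe / less likely; edge cells yield
            # codes such as "6A" or "5" that are simply not in the table
            for nb in (f"{s + 1}{l}", f"{s}{LIKELIHOODS[i + 1:i + 2]}"):
                if nb in RISK_RATING and RATING_ORDER.index(RISK_RATING[nb]) > here:
                    problems.append(f"{nb} rated above {code}")
    return problems

@dataclass
class Countermeasure:
    name: str
    severity_steps: int = 0    # assumed steps toward 5 (less severe)
    likelihood_steps: int = 0  # assumed steps toward E (less likely)

@dataclass
class Scenario:
    asset: str
    threat: str
    severity: int
    likelihood: str
    countermeasures: list = field(default_factory=list)

def residual(scenario):
    """Severity and likelihood remaining after all countermeasures apply."""
    s, li = scenario.severity, LIKELIHOODS.index(scenario.likelihood)
    for cm in scenario.countermeasures:
        s = min(SEVERITIES[-1], s + cm.severity_steps)
        li = min(len(LIKELIHOODS) - 1, li + cm.likelihood_steps)
    return s, LIKELIHOODS[li]

def assess(scenario, acceptable_up_to="MODERATE"):
    """One worksheet row; acceptable_up_to is an assumed tolerance threshold."""
    rs, rl = residual(scenario)
    rating = risk_rating(rs, rl)
    action, decider = ACTION[rating]
    return {"asset": scenario.asset, "threat": scenario.threat,
            "initial_index": risk_index(scenario.severity, scenario.likelihood),
            "residual_index": risk_index(rs, rl), "residual_rating": rating,
            "action": action, "decision_level": decider,
            "needs_further_treatment": RATING_ORDER.index(rating) > RATING_ORDER.index(acceptable_up_to)}

def prioritized_worksheet(scenarios, acceptable_up_to="MODERATE"):
    rows = [assess(s, acceptable_up_to) for s in scenarios]
    rows.sort(key=lambda r: RATING_ORDER.index(r["residual_rating"]), reverse=True)
    return rows

# Constructed scenarios for illustration only.
SAMPLE_SCENARIOS = [
    Scenario("Station concourse", "Unattended explosive device", 1, "C", [
        Countermeasure("Vehicle barriers at entrances", likelihood_steps=1),
        Countermeasure("CCTV plus increased patrols", likelihood_steps=1)]),
    Scenario("Traction power substation", "Unauthorized access", 2, "B", [
        Countermeasure("Intrusion detection and alarm", likelihood_steps=1)]),
    Scenario("Station signage", "Graffiti", 5, "B"),
]

if __name__ == "__main__":
    for r in prioritized_worksheet(SAMPLE_SCENARIOS):
        print(r["initial_index"], "->", r["residual_index"], r["residual_rating"], r["asset"])
```

Running the script prints the worksheet ordered by residual rating; the substation scenario stays at 2C (HIGH) after its single countermeasure and is the one flagged for further treatment, while the concourse scenario drops from 1C to 1E (MODERATE) and falls to the SSPC for decision. The consistency check is worth keeping in any tool that embeds the matrix: a rating that rises when severity or likelihood falls is the usual sign that a cell was copied into the wrong row.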

4.3.10 Reporting
The assessment details are captured in worksheets or tables which define the major elements of specific
scenarios. An example of a TVA worksheet is depicted in Figure 4-3.
Figure 4-3 Security Risk Worksheet Example

4.4 Verification and Validation Documentation


Each identified safety hazard and security risk will be managed to resolution through the hazard
management methodology and documented in the Dynamic Object Oriented Requirements Management
System (DOORS) database system adopted by the CHSRP. The V&V methodology and documentation
requirements are described in the CHSRP Verification and Validation Management Plan.
5.0 DEVELOPMENT OF SAFETY AND SECURITY DESIGN CRITERIA

5.1 Prevention through Design


Hazards can be resolved by deciding either to assume the risk associated with the hazard or to eliminate
or control the hazard. The Prevention through Design principle, as identified in ANSI Z590.3-2011
Prevention through Design, incorporates safety and security considerations into the early design of a
system element so as to avoid, eliminate, or mitigate hazard risk to a level as low as reasonably practicable.
The following order of precedence shall be applied when incorporating safety considerations into design:

1. Avoidance. Develop concepts of operations, basis of design, or general system requirements to avoid
the introduction of hazards to the system.
2. Elimination. Design, redesign or retrofit to eliminate (i.e., design out) the hazards through design
selection. This strategy generally applies to acquisition of new equipment or expansion of existing
systems; however, it can also be applied to any change in equipment or individual subsystems.
3. Substitution for Minimum Risk. If an identified hazard cannot be eliminated, reduce the associated risk
to an acceptable level. This may be accomplished, for example, through the use of fail-safe devices
and principles in design, the incorporation of high-reliability systems and components and use of
redundancy in hardware and software design.
4. Engineering Controls. Hazards that cannot be eliminated or controlled through design selection will be
controlled to an acceptable level through the use of fixed, automatic or other protective safety design
features or devices. This could result in the hazards being reduced to an acceptable risk level. Safety
devices may be part of the system, subsystem or equipment. Examples of safety devices include
interlock switches, protective enclosures and safety pins. Care must be taken to ascertain that the
operation of the safety device reduces the loss or risk and does not introduce an additional hazard.
Safety devices will also permit the system to continue to operate in a limited manner. Provisions will be
made for periodic functional checks of safety devices.
5. Provide Warning Devices. When neither design nor safety devices can effectively eliminate or
control an identified hazard, devices shall be used to detect the hazardous condition and generate an
adequate warning signal to provide for personnel remedial action. Warning signals and their application
will be designed to minimize the probability of incorrect personnel reaction to the signals and will be
standardized within like types or systems. Warning signals and their application should also be
designed to minimize the likelihood of false alarms that could lead to creation of secondary hazardous
conditions.
6. Administrative Controls. Where it is not possible to eliminate or adequately control a hazard through
design selection or use of safety and warning devices, procedures and training will be used to control
the hazard. Special equipment operating procedures can be implemented to reduce the probability of
a hazardous event and a training program can be conducted. The level of training required will be based
on the complexity of the task and minimum trainee qualifications contained in training requirements
specified for the subject system element and subsystem. Precautionary notations in manuals will be
standardized. Safety critical tasks, duties and activities related to the system element and subsystem
will require certification of personnel proficiency. However, without specific written approval, no
warning, caution or other form of written advisory will be used as the only risk reduction method for
unacceptable and undesirable hazards.
7. Personal Protective Equipment and Guards: Where no other higher-level alternative mitigations are
possible, the use of personal protective equipment or the installation of guards will be used to mitigate
the hazard. Personal protective equipment and guards may be used to supplement other higher-level
mitigations, but when they are the only mitigation applied they are to be used only when no other
alternatives exist.
5.2 Design Criteria
Design criteria are developed from the engineering experience of the design team obtained from numerous
other rail projects, as well as the following sources:

• Formal hazard analyses, including Preliminary Hazard Analysis
• Threat and Vulnerability Assessments
• Federal Railroad Administration regulations found in Code of Federal Regulations Title
  49, Parts 200-299
• California Public Utilities Commission (CPUC) General Orders
• California Building Code
• California State Fire Marshal's Office direction and recommendations
• Local building codes and Fire Marshal recommendations
• National Fire Protection Association (NFPA)
• American Public Transportation Association (APTA)
• American Railway Engineering and Maintenance-of-Way Association (AREMA)
• Underwriters Laboratories (UL)
• Safety and security recommendations of the Department of Homeland Security (DHS),
  Transportation Security Administration (TSA), and the Federal Transit Administration
  (FTA)
• Other industry or technical standards

CHSRP will conduct PHAs and TVAs during the Preliminary Engineering phase to aid in defining safety
and security design criteria.

Design criteria are developed to address system safety and security requirements applicable to the entire
system. System safety and security requirements for each specific design element will be incorporated into
a Design Manual chapter entitled CHSRP Design Criteria with reference to corresponding design criteria
for specific engineering elements (e.g., clearances, structures, seismic criteria, etc.).

The processes described in the CHSRP Verification and Validation Management Plan (VVMP) will ensure
that the design criteria and the basis of design report will incorporate safety and security requirements into
the system design.

The following documents have been prepared by the RDP in order to achieve the objectives of the system's
design criteria:

• Basis of Design Report
• Risk Management Plan and Hazard Log
• System Requirements
• Infrastructure Maintenance Plan
• Technical Memoranda
• Design Criteria
• Standard Drawings
• Standard Specifications

A consistent approach will be utilized within all the engineering efforts and will assist the CHSRP Regional
Consultant teams in preparation of their designs.
The Basis of Design Report defines the key CHSRP performance requirements. This document serves as
the guiding force in establishing the design criteria and development of design standards. The key audience
for the Basis of Design Report is the Authority, the Program Manager, the Regional Project Managers, and
the Section Designers. The purpose of the report is to guide the Engineering Management Team during
the development of engineering criteria and provide the required performance levels for the CHSRP.

A Risk Management Plan and Hazard Log will be developed outlining methodologies to ensure that a
consistent approach to risk assessment and cost are applied throughout the CHSRP. The plan will address
both system safety risk and project delivery risk, and include a Program level risk register that will be
regularly updated and maintained.

The CHSRP System Requirements provides a common platform for which similar Code of Federal
Regulations, CPUC General Orders, and European Union Technical Specifications for Interoperability, as
well as other industry best practice and standards, can be collectively presented and assessed at a detailed
technical level. In addition to guiding and supporting specific technical guidance at the subsystem level,
the CHSRP System Requirements structure is used to demonstrate how the performance objectives of the
CHSRP are to be achieved.

Technical Memoranda have been prepared to describe detailed analysis of specific technical topics, and to
provide guidance to the Regional Consultants in the development of Preliminary Engineering to support
feasibility, environmental, and procurement efforts. Technical Memoranda are provided as information to
Final Design teams, but are not considered mandatory requirements.

The Infrastructure Maintenance Plan is a base document outlining how the CHSRP will be maintained. This
document sets forth the requirements for maintenance facilities for rolling stock and the railway
infrastructure, as well as the approximate location and size of supporting facilities.

Design Criteria have been prepared that are intended to serve as the design requirements for a possible
Design/Build consortium. The Design Criteria identify and specify the required elements and considerations
to ensure a safe and reliable operating railway for the CHSRP. The Design Criteria will be supported by
Standard Drawings and Standard Specifications as required.
5.3 Design Reviews
CHSRP drawings and specifications will be reviewed informally during development and formally during
preliminary and final design. The purpose of these reviews will be to verify conformance with all of the
project's design criteria. These reviews are performed by the corresponding RDP discipline design
personnel, their design supervisors, applicable oversight agencies, representatives from the Regional
Consultants, and the RDP System Safety and Security staff.

Design reviews will be scheduled and coordinated so as to permit ample opportunity for comments. After
satisfactory resolution of comments, the specifications are “sealed" by professional engineers from the
design team and issued for use.

5.4 Deviations and Changes


For any instances that arise requiring a possible deviation from the safety-critical or security-critical design
criteria (e.g., physical constraints identified within the system's corridor conflicting with baseline
requirements), the RDP and the associated segment Regional Consultant during Preliminary Engineering
(and RDP and Design/Build Contractor during Final Design) will be required to explore all reasonable
alternatives to provide a design that conforms to the requirements of the existing criteria. If a reasonable
alternative cannot be developed, the requesting party will submit a Design Variance Request (DVR) to the
RDP, whose members include safety and security personnel and representatives of the required
engineering disciplines. The requesting party will be responsible for identifying and resolving any hazards
or vulnerabilities related to any deviations.

Any deviations to the Design Criteria developed by the RDP or design/build contractors will require a site-
specific assessment for each deviation to ensure that the same level of safety and security is achieved as
would have occurred had the Design Criteria been followed. A formal PHA or TVA may be required to
support the safety and security assessment of Design Criteria deviations. If the change request is approved,
the findings and recommendations will be incorporated into the Final Design engineering and construction
plans and the Final Design Certifiable Items Lists and Safety and Security Certification Package will be
updated to reflect the change.

During the life cycle of the project, the SSPC may also confront design issues that require additional hazard
analysis or vulnerabilities assessment, the outcome of which may result in requests for design changes.
Such requests will be processed through the Design Variance Request process.

The RDP is responsible for monitoring all requests for design variances from compliance with the Design
Criteria or Design Standards documents, including statutory and regulatory requirements and requirements
specified in any contract. The Design Variance Request process is described in more detail in Design
Variance Guidelines R2.
6.0 OPERATIONS AND MAINTENANCE

6.1 Operations and Maintenance Requirements


The Authority's Operations and Maintenance Team, supported by the Safety and Security Team, will be
responsible for developing system operations and maintenance requirements that support the safe and
efficient operation of the California High-Speed Rail Program. Principal activities during the development
of the CHSRP include the following:

• Provide ongoing operations input to the Engineering Management Team and Regional Engineering
  teams in the development of system design elements
• Review and comment on engineering design elements to ensure responsiveness to operations'
  functional requirements
• Coordinate with FRA on development of CHSRP rules and procedures and their relationship to
  current regulations and new regulations that will emerge from the CHSRP. Key categories include:
  - Code of Federal Regulations (CFR) regulatory issues
  - Rail System Operating Rules and Procedures
  - Employee Safety Rules and Procedures
  - Standard Operating Procedures
  - Emergency Action Operations Plans and Procedures
  - Infrastructure/Systems maintenance and inspection procedures
  - Rolling Stock maintenance and inspection procedures
• Coordinate with railroads, operating agencies/rail service providers and stakeholders as required

Personnel staffing requirements for the operation and maintenance of the in-service CHSRP will be
established and described in the CHSRP Training and Personnel Qualification Plan, to be developed prior
to the startup of revenue operations.

Development of the CHSRP Operations and Maintenance Plan for any system or subsystem component
will begin during Construction Phase. Position titles, responsibilities, qualifications, and training
requirements will be identified consistent with other high-speed rail operating systems using similar
technologies and operating characteristics. The magnitude of the in-service CHSRP (trains operated,
vehicles in service, track and OCS systems to maintain) will determine staffing levels for operators,
maintainers, and supervisors.

Additionally, the CHSRP Infrastructure Maintenance Requirements Plan (IMRP) establishes and describes
how infrastructure maintenance will be planned and implemented, including the methods utilized and the
resources required. The IMRP specifies the CHSRP requirements necessary to meet passenger and public
safety levels that meet or exceed FRA Class 6 Regulatory Safety Standards, consistent with FRA's High-
Speed Passenger Rail Safety Strategy. IMRP requirements will be incorporated into the system Design
Criteria during the Preliminary Engineering phase of the CHSRP.
6.2 Operational Plans, Rules and Procedures
The following documents will be developed or revised for the CHSRP during the Project Construction
Phase, in preparation for Testing and Startup:

• Concept of Operations
• Passenger Train Emergency Preparedness Plan
• Code of Operating Rules
• Air Brake Operating Instructions
• Rolling Stock Maintenance Plan
• Electrical Operating Instructions
• Infrastructure Maintenance Requirements Plan
• Emergency Operating Procedures
• Training and Personnel Qualification Plan
• Timetable Special Instructions
• Service/Operating Plan
• On-Track Safety Rules
• Command and Control Facilities Plan
• System Safety Program Plan (SSPP)
• On-Board Operating Plan
• System Security Program Plan (SPP)
• Passenger Station Operating Plan
• Emergency Preparedness Plan

6.3 Training Program


The Authority intends to hire one or more concessionaires to provide rail operations and maintenance
services. The Authority will be responsible for ensuring that the concessionaire(s) assign qualified O&M
personnel to the CHSRP who are trained to perform pre-revenue and revenue operations. Instruction in
safe methods of operation, safety requirements, security awareness and emergency response procedures
will be included in manuals, handbooks, and other documentation developed for the training and
certification of operations and maintenance personnel. Training plans, which include in-house classroom
training and on-the-job training and testing, will be developed based on the individual characteristics of the
equipment or CHSRP locations.

The future CHSRP Operators, Instructors and Field Supervisors will undergo familiarization training on all
operational equipment, rules, plans and procedures. The future Central Control Operations Staff (including
Superintendents, Supervisors, and Train Dispatchers) will require extensive training and qualification on
the train control system, in addition to operating rules and procedures, and safety and security procedures.

Positions which will require detailed job descriptions and training programs prior to entering the Testing
Phase of the CHSRP include, but are not limited to, the following:

• Superintendents
• Operations Supervisors
• Train and Engine Service Employees
• Control Center Supervisors
• Control Center Train Dispatchers
• Equipment Maintenance Employees
• Signal and Communications Employees
• Maintenance of Way Employees
• Power and OCS Employees

Contractors and suppliers providing equipment and facilities for the CHSRP will be responsible for
developing training plans, training manuals, and conducting training courses for applicable CHSRP
Operations and Maintenance staff. Contractors will be required to develop and implement programs to
train appropriate CHSRP personnel in the operation and maintenance of each piece of equipment or
systems provided in conformance with the CHSRP Training and Personnel Qualification Plan.

6.4 Emergency Preparedness


A Passenger Train Emergency Preparedness Plan (PTEPP) will be developed prior to the start of the
Testing Phase of the CHSRP to prepare for emergency incidents that may occur during testing. The PTEPP
will be further developed and carried over into the start of revenue service. The PTEPP will contain
emergency preparedness requirements and procedures for the Operations and Equipment Maintenance
disciplines, in compliance with 49 CFR, Part 239. The PTEPP will identify requirements for a program of
training (including instructional programs, emergency preparedness drills and tabletop exercises) of railroad
operating and maintenance personnel and emergency responders. The goal of the PTEPP is to verify and
validate the following:

• Adequacy of emergency plans and procedures
• Readiness of railroad operating and maintenance personnel to perform under
  emergency conditions
• Effective coordination between railroad operations and emergency response agencies:
  police, fire, and emergency medical services
• Familiarization of fire, police, and emergency medical services personnel with the
  physical and operating characteristics of CHSRP operations and inherent hazards

After-action reviews will be conducted following any major emergency response event or exercise prior to
the start of revenue operations. A report of the findings will be provided to the SSPC and SSEC. Action
items will be tracked by the SSPC to completion. Outcomes may include recommendations for revisions
to the PTEPP, operating rules or procedures, equipment or infrastructure changes, or emergency responder
procedures, and changes to training plans and training programs pertaining to emergency response and
personnel.

Fire/Life Safety and Security Committees will be active at both a regional and State level as described in
Section 3.5.3 of this SSMP to provide a vehicle for clear, consistent communication with emergency
responders.
7.0 SAFETY AND SECURITY CERTIFICATION PROGRAM

7.1 Overview
The California High-Speed Rail Authority is ultimately responsible for ensuring that all safety-critical and
security-critical elements of the CHSRP are designed, constructed, tested, and made operationally ready
in a safe and secure manner. The Safety and Security Certification Program (SSCP) describes the
responsibilities and processes required to demonstrate that the CHSRP is safe and secure, in conformance
to the FTA Handbook for Transit Safety and Security Certification and other FRA regulations as applicable.
The Safety and Security Certification Program applies to all phases of the development of the CHSRP, from
preliminary engineering to the start of revenue operations, for each segment designed and built for the
system. FRA approval to operate will be achieved through final safety and security certification prior to the
start of revenue service.

The SSCP scope encompasses safety and security certification of the facilities, systems and equipment,
safety-related procedures, training programs, and hazard and vulnerability resolution activities and
operational readiness for the project. Specifically, safety and security certification focuses on conformance
to the requirements found in the following areas:

• Hazard and Vulnerability Resolution


• Design Criteria
• Construction Specification
• Safety-Related Testing
• Operations and Maintenance Manuals
• Rules and Procedures
Certification will be performed in phases, both geographically and chronologically, by contract package
once the Project moves beyond the Preliminary Engineering Phase. Certification of later-phase contract
packages may consist of one or more certifiable elements defined in Section 7.4.1. The exceptions to this
are the system-wide activities such as procedures, training, emergency drills, integration testing and
start-up, which will be certified for the complete system.

Certification occurs at the beginning of each project phase, and is required for advancing system elements
into the next phase. For example, the Final Design of a bridge structure must be certified to meet all safety
and security design criteria prior to construction, and then must be certified to have been built in
conformance to those safety and security design criteria before being placed into operation. This process
assures the Authority that CHSRP elements are safe and secure as they move through each successive
phase of the System development.

Certification Items that are not completed prior to moving to the next phase are placed on an Open Items
List and tracked to completion. The Open Items List process is described in Section 7.4.7.

A Certificate of Conformance is issued after completion of a Project phase for each certifiable element. The
Certificate of Conformance required for the various elements necessitates the performance of a variety of
safety and security assessment activities. The activities may be performed either independently, or
integrated with other tasks such as acceptance testing or quality control measures. Regardless of whether
the activities are performed independently or integrated with others, adequate system safety, security, and
fire/life safety activity records must be developed and maintained as evidentiary support for the Certificate
of Conformance.

The verification and validation (V&V) database program will be used to manage the demonstration of
objective evidence that satisfies the safety and security requirements during Final Design and Construction
or Implementation. The process to develop the Safety and Security Certificate of Conformance will be
supported by the requirements management database program used by the larger V&V process but
requires distinctly different output documents.
7.2 Program Goals and Objectives
The goals of the Safety and Security Certification Program are to verify that identified safety and security
requirements have been met in the preliminary engineering, final design, and construction phases and to
provide evidence that the CHSRP is safe and secure for revenue service.

The objectives of the Safety and Security Certification Program are to document the following:

• Safety and security design criteria are reflected in contract documents
• Facilities and equipment have been designed, constructed, manufactured, inspected,
  installed, and tested in accordance with safety and security requirements
• Operations and maintenance procedures and rules have been developed and
  implemented to ensure safe operations
• Training documents have been developed for the training of operating and emergency
  response personnel
• Transportation and maintenance personnel have been trained and qualified
• Emergency response agency personnel have been prepared to respond to emergency
  situations in or along the CHSRP corridor
• Safety and security systems integration tests have been conducted
• All safety and security related issues have been addressed, resolved and documented

7.3 Responsibilities
The Authority Safety and Security Manager, with the assistance of the RDP System Safety Manager and
RDP System Security Manager, will have overall responsibility for the administration of the Safety and
Security Certification Program through the oversight of the SSPC and SSEC.

The SSPC will be responsible for tracking the progress of safety and security certification through regular
review and update of the Program-level CIL and PHA/TVA maintained by the RDP Safety Manager and
RDP Security Manager.

FRA approval to operate will be achieved through final safety and security certification prior to the start of
revenue service.

7.4 Safety and Security Certification Process


The CHSRP safety and security certification process will be divided into the following distinct stages and
steps:

• Stage 1: Environmental Review / Preliminary Engineering
• Stage 2: Design / Build Contracts
  - Step 1: Final Design
  - Step 2: Construction
  - Step 3: Testing/Acceptance
• Stage 3: Final Integration, Testing and Certification

During the preliminary engineering phase Preliminary Hazard Analysis (PHA) or Site-specific Hazard
Analysis (SiSHA) will be performed by the RDP System Safety Manager. Hazards are identified by various
means such as historical data, generic hazard checklists, conceptual design, already developed design
criteria, scenario development and the subjective judgment of a hazard management team during formal
brainstorming workshop sessions. The hazard analysis is then performed on the identified hazards. The
principal means of identifying security-related design criteria are Threat and Vulnerability Assessments
(TVA) conducted by the RDP System Security Manager in collaboration with the other RDP discipline
technical experts. Other analyses, including site-specific threat and vulnerability assessments (SiSTVA)
are conducted as necessary. The adopted mitigation measures from the PHA and TVA provide input to
design criteria or other project requirements. The mitigation measures identified in SiSHA and SiSTVA are
contract specific and are tracked for resolution in the specific Design/Build (D/B) contract. Chapter 4 of this
SSMP describes the Authority’s Hazard Management Program.

Once all design/build contracts have been successfully completed and certified, the CHSRP as a whole
system will be integrated, tested and certified under supervision of the Authority.
7.4.1 Certifiable Elements

The Project has defined CHSRP Certifiable Elements for safety and security certification. Samples of sub-
elements are listed under the Certifiable Elements.

• Trainway
  - Track
  - Trench Structures
  - Tunnel/Underground
  - Aerial Structures
  - Retaining Structures
  - Alignment
  - Access/egress facilities
  - Barriers and Warnings
  - Utilities
  - Adjacent Hazardous Facilities/Conditions
• Rolling Stock
  - Carbody
  - Couplers
  - Doors, door controls
  - Trucks and suspension
  - Braking
  - Operator Cab and Controls
  - Communications Equipment
  - Lighting
  - HVAC
  - Fire/Flammability/Smoke Emissions
• Station(s)
  - Elevators/Escalators
  - Station structure
  - Stand-by generators
  - Platforms
  - Concourse
  - Lighting
  - Access/egress facilities
• Support Facilities
  - Storage/setup Yards
  - Vehicle Maintenance Facilities
  - Track maintenance facilities
  - Operations Control Center
• Traction Power
  - Traction Power Substations
  - Switching Stations
  - Overhead Catenary System
• Ventilation
  - Emergency Ventilation System
  - Ventilation Structure
• Communications
  - Radio
  - Closed Circuit TV
  - Emergency Telephone
  - Emergency Trip Station
  - Fire Telephone
  - Public Address System
• Signals and Train Control
  - Mainline Controls and Indications
  - Grade Crossing Warning Devices
  - Track Signals
  - Signal Indications
  - Train Protection
  - Interlocking Circuits/Equipment
• Test Plans
  - Acceptance Test
  - Integrated Tests
  - Pre-revenue Tests
• Training and Certification
• Plans and Procedures
  - Safety and Security Plans
  - Operation and Maintenance Plans (SOPs and EOPs)
  - Manuals and Rulebooks
  - Emergency Response and Management
• Drills and Exercises

PHA/TVA are completed by the Authority for hazards associated with the Certifiable Elements, assessing
the extent of the hazards and threats/vulnerabilities and identifying potential mitigations to reduce the
residual risk to an acceptable level. The sub-element listing will be modified and expanded as the project
develops, as additional hazard analyses are performed, and as new or modified hazards are identified.
Hazard identification can be performed by the Authority, the RDP, or Design/Build Contractors, but all
hazards must be tracked through the one central CHSRP tracking system.

7.4.2 Certifiable Items Lists


The Authority has developed a Certifiable Items List (CIL) which includes mitigations derived from the
Program-level PHA and TVA. The CIL is managed through the V&V DOORS database management
system by the Authority and Contractors through all Project phases to ensure that the safety and security
hazards identified are mitigated consistently throughout the project life cycle. The Final Design and
Construction Contractors shall update and revise the CIL according to their project scope, as new or revised
hazards are determined through site-specific PHA or TVA associated with their design activities.

The additional CILs identified during each project phase or contract package will carry over into subsequent
project phases or contract packages.

CILs that are specific to safety and security requirements will be distinctly identified as such and tracked
and submitted independently.

7.4.3 Tracking of Hazards and Vulnerabilities


The program-level and project-specific CILs will be managed using the DOORS database, allowing for
consistency and completeness across all Project phases. The CIL identifies the major elements of the
CHSRP that are to be proven to be safe and secure prior to the startup of revenue service and acts as a
guide for the certification process throughout project life cycle. The safety and security related portions of
the CIL will be developed by the RDP System Safety and Security Managers in collaboration with the other
discipline technical experts and presented to the SSPC for review. The CIL will be updated and expanded
following the completion of analyses during the various phases of the development of the CHSRP. A
sample CIL is depicted in Figure 7-1. Regular updates of the CIL will be presented to the SSPC and
included in the quarterly reports to the SSEC.

Figure 7-1 CIL (Sample)

Note – Figure 7-1 is a sample representation only. Refer to current CIL for identified hazards and required mitigations.
7.4.4 Certification of Final Design and Construction
The Contractors are responsible for completing and updating the CILs applicable to their specific project
scope during both the Final Design and Construction Phases. The Contractors shall identify in the
resolution section of the CILs objective evidence that demonstrates compliance with the required safety-
critical or security-critical requirements. Objective evidence may consist of any output from the design or
construction processes that allows for clear and unequivocal verification that the requirements of the design
criteria are satisfied. Examples include item-specific references on signed/approved drawings, reports,
design variance requests, or other official documents signed/certified by the Contractor. Emails, directive
letters, or meeting minutes are examples of documents that are not to be considered as objective evidence.

Requests for variance from the requirements identified in the CILs shall be handled through the process
identified in Section 5.4 and shall include a site-specific assessment for each deviation to ensure that the
same level of safety and security is achieved as would have occurred had the Design Criteria been followed.
Certification items that are not completed prior to moving to the next phase shall be managed according to
the Open Items process outlined in section 7.4.6.

Completed CILs for a particular element or infrastructure component, along with associated supporting
material, shall be compiled in a Certificate of Conformance Package by the Contractors and submitted to
the Authority for review and SONO, prior to moving to the next project phase, at Final Design and
Construction. Certificate of Conformance Packages shall consist of a Certificate of Conformance specific
to the project element, all completed CILs, and all supporting documentation such as design element
descriptions, hazard analysis, drawings, specification, design variances, field reports and photographs.

Completed Certificate of Conformance Packages (Final Design or Construction) for a substantial grouping
of contract elements shall be submitted to the Authority through the SSEC for certification that all safety
and security requirements have been successfully completed and that the System is ready for revenue
service.

A sample Certificate of Conformance is depicted on Figure 7-2.


Figure 7-2 Certificate of Conformance (Sample)

7.4.5 Testing Phase Certification

The safety-critical and security-critical items for systems identified during the Final Design and Construction
Phases shall be carried over into the Testing Phase. The CILs shall be expanded to include a Testing
section upon completion of the Final Design phase of a particular CHSRP element. In addition, the
relationships between systems and subsystems shall be analyzed for systems integration requirements as
identified in a Systems Integration Test Plan, and CILs for integrated testing shall be developed to prove
the integration of associated systems. Safety and security certification of the Testing phase shall be
completed in conformance with the process described in Section 7.4.3.

The Systems Contractor(s) shall be responsible for any additional analyses that are required (PHA, TVA,
FMEA, IHA, SHEA, FTAn and OHA as appropriate), as the safety-critical or security-critical testing criteria
are developed and applied to specific CHSRP system or subsystem elements. The Systems Contractor(s)
shall be responsible for developing and completing the CILs that apply to their scope of work during the
Testing Phase. The system(s) contractor must identify in the resolution section of the CILs objective
evidence that demonstrates compliance with testing requirements that are identified as safety-critical or
security-critical. Requests for variance from the requirements identified in the CILs shall be handled through
the process identified in Section 5.4.

7.4.6 Startup Phase Certification

The safety-critical and security-critical items for operational readiness of the CHSRP identified during the
Final Design, Construction and Testing Phases shall be carried over into the Startup phase. The CILs shall
be expanded to include a Startup section as the CHSRP is prepared for the start of revenue operations.
Certifiable startup items include but are not limited to operation plans, emergency preparedness plans,
training programs, timetables and rulebooks. Safety and security certification of the Startup phase shall be
completed in conformance with the process described in Section 7.4.3.

The O&M contractor(s) shall be responsible for completing the CILs that apply to their scope of work prior
to the start of revenue service. The O&M contractor(s) must identify in the resolution section of the CILs
objective evidence that demonstrates compliance with requirements for the start of revenue operations that
are identified as safety-critical or security-critical. The O&M contractor(s) shall be responsible for any
additional analyses that are required (PHA, TVA, FMEA, IHA, SHEA, FTAn and OHA as appropriate), as
the safety-critical or security-critical criteria for startup are applied to specific CHSRP system, subsystem or
operational elements. Requests for variance from the requirements identified in the Certifiable Items Lists
shall be handled through the process identified in Section 5.4.

7.4.7 Open Items List


Certifiable Items that cannot be closed prior to the start of the next project phase shall be placed on an
Open Items List for tracking purposes. The Open Items List shall describe the Certifiable Item that cannot
be certified at that time, the reason the item cannot be certified, the responsible party for the Open Item,
the status of the item (open or closed), the date of opening or closure, and the person verifying that the
requirements of the Certifiable Item have been satisfied and that the Open Item has been closed.

The Open Items Lists for Final Design and Construction elements are managed by the D/B Contractors and
shall be included in Safety and Security Certification Package submittals to the Authority. Once these
Safety and Security Certification Packages are accepted by the Authority, the D/B Contractor’s Open Items
Lists shall be added to the larger programmatic Open Items List and managed by the Authority. The
programmatic Open Items List shall be maintained by the Authority Safety and Security Manager and
periodically reviewed by the SSPC for progress and completeness.

7.4.8 Conditional Certification


A Contractor desiring to advance their work to the next Project phase may request a Conditional Certification
Permit from the Authority for certifiable items placed on the Open Items List. The Authority’s approval of
Conditional Certification may include temporary restrictions or conditions that must be followed until the
Certifiable Item is fully certified and removed from the Open Items List. The restrictions or conditions will
be documented on the CIL and Open Items List. The request for Conditional Certification will include
additional hazard analysis applied by the Contractor as appropriate. The request for Conditional
Certification shall be presented to the SSPC for review and SONO. The request for Conditional Certification
shall describe all conditions or restrictions associated with the conditional use of the Certifiable Item,
including an expiration date. Revisions to the Conditional Certification, including extension of the expiration
date, shall require further review and SONO by the SSPC.
8.0 CONSTRUCTION SAFETY AND SECURITY

8.1 Overview
The purpose of the construction safety and security program is to define the minimum health, safety and
security requirements to which all participating CHSRP staff, Contractors and subcontractors shall adhere
in fulfilling the Authority’s commitment to ensuring a safe and secure construction project. This
commitment includes the prevention of job-related injuries and illnesses for the workers engaged in project
construction activities, as well as providing safe and secure conditions during construction of the project for
members of the public who live, work or travel near the project work areas.

All applicable codes and regulations must be followed by employees engaged in construction activities,
including but not limited to the following:

• California Code of Regulations Title 8 Construction Safety Orders
• Federal Railroad Administration regulations as found at 49 CFR 214, 219, 225, 228, 236
• CPUC General Orders
• Other applicable federal and state OSHA regulations

Contractors shall be required to develop a program-level Safety and Security Management Plan (SSMP)
specific to their scope of work, as well as Site-Specific Health and Safety Plans (SSHASPs) and
Site-Specific Security Plans (SSSPs) that identify the local conditions and requirements peculiar to the site and
work to be performed, in compliance with the above regulations.

Contractors are responsible for ensuring the compliance of their employees and subcontractors with their
SSMP, SSHASP and SSSP.

8.2 Program Elements


The Contractor shall be responsible for all aspects of safety and security at the project work site, as required
through the standard contract provisions. The CHSRP Construction Safety and Security Program
(Appendix B) describes the basic programmatic requirements for construction safety and security,
compliance to which is required through the CHSRP construction contract documents.

8.2.1 Safety and Security Management Plan


The Contractor's SSMP will identify:

• Roles, responsibilities, qualifications and organizational structure of their safety and
security team,
• Processes to manage the SSHASP and SSSP,
• Safety and security hazard management consistent with the Authority's hazard
management plan,
• A program for ensuring compliance to the Contractor's SSMP,
• Training,
• Safety and security communications plans and processes,
• Processes for coordination with adjacent third-party requirements (including adjacent
railroads and roadways),
• Emergency response plans and procedures,
• Hazardous materials handling and communications,
• Public safety requirements, and other safety and security elements as identified in the
Contractor's corporate safety and security program.
The SSMP will be submitted to the Authority for review and Statement of No Objection (SONO).

8.2.2 Site-Specific Plans


The Contractor will be required to develop and implement SSHASPs and SSSPs specific to its contract
scope of work on the CHSRP, in conformance with the CHSRP Construction Safety and Security Program
contract requirements. A site-specific Job Hazard Assessment (JHA) and TVA will be performed by the
Contractor to determine the safety or security processes, equipment utilized, and personnel assignments
to be provided by the Contractor at each project work site.

8.2.3 Construction Safety and Security Management


The RDP Construction Safety Manager and Project Construction Management team will be responsible for
the management oversight of the entire construction safety and security program. The RDP Construction
Safety Manager and Project Construction Management team will verify contractor compliance with the
safety and security requirements of the approved SSMP, SSHASPs, SSSPs, and other safety/security
related contract provisions and applicable regulations throughout the construction, testing and start-up
phases of the CHSRP. The RDP Construction Safety Manager and Project Construction Management
team will audit Contractor activities and results will be reported to the Authority's Safety and Security
Manager.

8.2.4 Stop Work Order


The CHSRP construction management plan will establish procedures regarding control of nonconforming
work and stop work orders. In the event that a failure to meet safety and/or security requirements results in
imminent danger to workers or the general public or property, a Stop Work Order will be issued by the
CHSRP Construction Manager.

The CHSRP stop-work procedure shall apply to all construction activities. The stop-work procedure will be
used only where imminent danger situations exist. An "imminent danger" is any condition or practice that
could reasonably be expected to cause death or serious physical harm immediately or before the danger
can be eliminated by normal means.

Stop-work orders will be in effect until the issuing authority determines that the problem(s) is resolved and
the work area(s) is brought to satisfactory conformance with health, safety and security requirements.

8.3 Construction Risk Management

The CHSRP is committed to identifying and managing construction safety hazards and security
vulnerabilities as subdivisions within the general issue of project risk. Risk in this context includes those
events that, if they do occur, could impact safety, security, the environment, CHSRP System’s interests or
the interests of third parties, including property owners and municipalities.

Risk Management is utilized by the CHSRP as a decision support tool, specifically identifying areas of high
risk, which are reviewed to ensure that all reasonably practicable measures are taken to mitigate them.
Risk Control measures shall be identified for all risks to the System. These include financial and schedule
risks as well as property, safety and security risks.

For the construction phase, prior to finalization of the contract documents, surveys to identify any unique
hazards, threats, or vulnerabilities that may exist for the particular construction elements will be conducted
and actions to mitigate these hazards or vulnerabilities will be included in the Special Provisions of the
specific contract package.

During construction, each contractor shall cooperate with CHSRP staff and other interested parties in
providing information needed in connection with risk management of its contract works. The contractor will
prepare and submit to the RDP Risk Manager a Risk Management Plan for review and acceptance. The
Risk Management Plan shall be based upon the CHSRP Program Risk Management Plan and shall include
a means of monitoring progress in the reduction of the overall number and impact of risks through the use
of a Risk Register which shall be in a format acceptable to the RDP Risk Manager. Safety hazards and
security vulnerabilities shall be identified as risks, and will be included as special categories in the Risk
Register.

During the contract each contractor's Risk Register shall be updated monthly and submitted to the RDP in
hard copy and electronic formats. The risks identified by the contractor shall be integrated into the CHSRP
Risk Register.

The Contractor’s Risk Management process shall ensure that as far as is reasonably practicable:

• All risks are identified;
• Judgments are made as to risk importance;
• Risk exposure is reduced to acceptable levels;
• Risk control measures are assessed against cost benefit as appropriate; and
• Control measures are reviewed and managed until close out.

For the top “critical” risks in the Risk Register, each contractor shall provide a narrative for each Critical
risk identified in this category and the mitigation plan proposed. Safety hazards and security
vulnerabilities will be treated as separate categories of risk, and will be classified as Critical depending on
specific site conditions.
9.0 STATE SAFETY OVERSIGHT REGULATIONS

9.1 Applicability
The California High-Speed Rail Program does not fall under the Federal Transit Administration applicability
regulations for State Safety Oversight, described in 49 CFR 659. As such, this section does not apply. The
Federal Railroad Administration has authority for oversight of safety regulations.
10.0 COORDINATION WITH FEDERAL RAILROAD ADMINISTRATION

10.1 Activities
The California High-Speed Rail Program will design and construct a railroad system that is regulated by the
Federal Railroad Administration. FRA regulation is by directive under the United States Department of
Transportation.

Effective on the date the railroad begins revenue operations, the following generally applicable federal
railroad safety regulations from Title 49, Code of Federal Regulations, and any amendments thereto are
made applicable to the CHSRP, except where the CHSRP is granted relief through an FRA waiver.

• Part 207, Railroad Police Officers
• Part 209, Railroad Safety Enforcement Procedures
• Part 210, Railroad Noise Emission Compliance Regulations
• Part 211, Rules of Practice
• Part 212, State Safety Participation Regulations
• Part 213, Track Safety Standards
• Part 214, Railroad Workplace Safety
• Part 215, Freight Car Safety Standards
• Part 216, Special Notice and Emergency Order Procedures
• Part 217, Railroad Operating Rules
• Part 218, Railroad Operating Practices
• Part 219, Control of Alcohol and Drug Use
• Part 220, Railroad Communications
• Part 221, Rear End Marking Device
• Part 222, Use of Locomotive Horns at Public Highway-Rail Grade Crossings
• Part 225, Railroad Accidents / Incidents: Reports, Classification and Investigations
• Part 227, Occupational Noise Exposure
• Part 228, Hours of Service of Railroad Employees
• Part 229, Railroad Locomotive Safety Standards
• Part 231, Railroad Safety Appliance Standards
• Part 232, Brake System Safety Standards
• Part 233, Signal Systems Reporting Requirements
• Part 235, Instructions Governing Applications for Approval of a Discontinuance
• Part 236, Signal and Train Control Systems, Devices, and Appliances
• Part 237, Bridge Safety Standards
• Part 238, Passenger Equipment Safety Standards
• Part 239, Passenger Train Emergency Preparedness
• Part 240, Qualification and Certification of Locomotive Engineers
• Part 242, Passenger Train System Safety Plans
• Part 270, System Safety Program (under development)

The CHSRP will submit to the FRA any plans, programs, and procedures that affect the safe operation of
the system, or which are required to demonstrate compliance with the applicable regulations.
Throughout the Preliminary Engineering and Final Design phases, the CHSRP will communicate with the FRA
to ensure that the FRA is current on the status of operations and engineering design requirements as they
are developed. The CHSRP will maintain regular contact with the FRA during development of operating rules,
training of maintenance and operating personnel and development of operating practices prior to the start
of revenue service.

As detailed in Section 7 of this SSMP, the CHSRP will manage a safety and security certification program
to record and demonstrate that all safety and security requirements for the project are identified and
integrated into the final system.

10.2 Implementation
The CHSRP, through the Rail Delivery Partner, will maintain communications with the FRA representatives
throughout the Planning, Preliminary Engineering, Final Design, Construction, and Testing and Start-up
phases.

10.3 Coordination Process


Interface and coordination with FRA will be conducted through the RDP. The RDP will designate those
persons authorized to interface with agents of the FRA to ensure that information and decisions
communicated between CHSRP and FRA are consistent, correct and authorized.

The FRA will provide guidance to the RDP with regard to applicable regulations, documents that will require
formal submission and approval, and how any variances may be processed.
11.0 DEPARTMENT OF HOMELAND SECURITY COORDINATION
The Transportation Security Administration has authority over all transportation modes and requires that
security risk be assessed and managed. During design and construction the Authority will coordinate with
TSA and other federal, state and local law enforcement and security jurisdictions to ensure security is
considered in design and construction. The Authority will develop a Security Program Plan (SPP) prior to
revenue operation. The SPP will fulfill DHS/TSA requirements for an operating railroad, which include
development of an SPP, designating a primary and alternate Security Coordinator, and providing TSA
with names and contact information for 24 hours/7 days per week availability. The Security Coordinator will
have a direct reporting relationship to the Authority Chief Executive Officer regarding matters of security.

The Authority has established liaison with the TSA Mass Transit and Rail Department through the RDP
System Security Manager who reports directly to the project operations manager. This liaison has been
established to ensure all DHS/TSA requirements will be met once the project is complete, and to stay
current with all security concerns, threats, best practices and developing security regulations that affect rail
security.
APPENDIX A – CALIFORNIA HIGH-SPEED RAIL AUTHORITY ORGANIZATIONAL CHART
CALIFORNIA HIGH SPEED RAIL AUTHORITY RISK, SAFETY AND SECURITY OFFICE
APPENDIX B – CHSRP CONSTRUCTION SAFETY PROGRAM REQUIREMENTS

1.0 CHSRP CONSTRUCTION SAFETY AND SECURITY PROGRAM

1.1 Safety and Security Program Objectives


The Safety and Security Program objectives are as follows:
a. Prevent personal injuries and property damage or loss;
b. Provide a safe and secure work environment for employees, contractors, passengers,
emergency responders, third parties, and the public at large;
c. Convey the CHSRP Safety and Security Policy Statement to all contractors and
subcontractors;
d. Ensure compliance with the stated objectives and requirements contained in the CHSRP
Safety and Security Policy Statement, the Contractor's SSHASP, the Contractor’s SSSP,
Contract provisions, applicable Laws, and Industry consensus standards;
e. Identify general requirements for the Contractors' workplace safety and security programs;
and
f. Identify a process for the Authority approval or acceptance of the safety and security
submittals as appropriate.

1.2 Construction Safety and Security


1.2.1 Contractor Responsibilities
The Contractor is responsible for ensuring safety and security at all of its work sites, including the activities
of Subcontractors. Safety and security management and enforcement for each contract shall be
administered by employees (direct hire) of the Contractor. This responsibility shall not be delegated nor
contracted out to Subcontractors, suppliers, consultant service/company, or any other persons/agency
without written approval from the Authority. The effectiveness of the Contractor’s safety and security efforts
depends upon active participation, cooperation, and compliance by the Contractor’s and Subcontractors’
project managers, superintendents, supervisors, and other employees.
The Contractor shall:
a. Plan and execute all Work to prevent personal injury and property damage or loss, and ensure
public safety and the security of all people and assets;
b. Comply with Laws, applicable industry consensus standards, and the Authority and Contractor
policies, procedures, and requirements;
c. Define, implement, and maintain a program for prompt identification and correction of hazards
and unhealthy practices and conditions;
d. Define, implement, and maintain a program for prompt notification and investigation of all
incidents of injury, damage, or near-miss incidents to determine causes and take necessary
corrective action to prevent recurrence;
e. Define, implement and maintain a system of prompt identification, notification, investigation,
and correction of security breaches and incidents;
f. Develop, establish, and conduct a safety and security training program for all employees
assigned to the Project;
g. Ensure proper tools, equipment, and processes are available for use as required for the work
at hand, and are used according to the manufacturer’s guidelines;
h. Maintain an accurate record of data utilizing the Authority’s integrated Safety Management
System for all identified hazards, near-misses, and accidents and incidents resulting in death,
personal injury, occupational disease, or damage or loss to property, materials, supplies, or
equipment;
i. Plan and execute all Work in compliance with the stated objectives and requirements
contained in the CHSRP Safety and Security Policy Statement (contained in the CHSRP
SSMP in Book IV, Part D.5); the Contractor’s SSHASP and SSSP; Contract provisions;
applicable federal, State, and local laws and regulations; and industry consensus standards;
j. Ensure all Subcontractors, suppliers, etc. are provided with a copy of the CHSRP Safety and
Security Policy Statement, and the Contractor’s SSHASP and SSSP, and are properly
informed of their obligations with regards to compliance;
k. Complete safety and security certification requirements as identified in Section 1.2.1;
l. Obtain permits required by the California Division of Occupational Safety. Permits shall be
kept on file at the Site;
m. Designate a Safety and Security Manager responsible to ensure the proper implementation
of the SSHASP and SSSP and a team of Field Safety Representatives appropriate to the
scope of the Project and work to be performed. The Contractor shall demonstrate that their
representatives have sufficient knowledge and experience to perform the required duties;
i. Minimum qualifications for the Safety and Security Manager include:
• Ten years of heavy civil construction safety experience;
• Certification as a Construction Health and Safety Technician, Certified Safety Professional, or
Certified Safety/Security Director - Rail;
• OSHA 30-hour Construction Training card; and
• One year of FRA Roadway Worker Protection qualification per 49 CFR Part 213;
• The Contractor may propose combinations of the above qualifications that demonstrate
sufficient competency for the Safety and Security Manager position;
ii. Minimum qualifications for the Field Safety Representatives include:
• Three years of heavy civil construction safety experience;
• OSHA 30-hour Construction Training card; and
• First Aid/CPR;
n. Define, implement, and maintain a SSMP for the administration of the SSHASP(s), SSSP(s),
and the Safety and Security Team including roles/responsibilities, reporting, and work plan
approach; and
o. Contractor shall develop a plan for the use of heavy equipment that, when used, might encroach
or otherwise intrude into third party operating space (public or adjacent railway). The plan
must address how third party approval for potential encroachment will be achieved and how
any safety requirements by third party will be communicated to the operators and responsible
parties of the heavy equipment. Third party approvals shall be made available to the Authority
for review upon request.

1.2.2 Contractor Deliverables


The Contractor shall submit the following:

a. A SSMP in accordance with the “Safety and Security Management Plan” clause
(Section 1.2.3);
b. A SSHASP(s) in accordance with the “Construction Site-Specific Health and Safety Plan
Elements” clause (Section 1.2.4);
c. SSSP(s) in accordance with the “Site-Specific Security Plan Elements” clause (Section 1.2.5);
d. A Safety and Security Certification Plan in accordance with Section 7 Safety and Security
Certification Program;
e. Site-Specific Hazard Analysis (SiSHA) Reports and Site-Specific Threat/Vulnerability
Assessment (SiSTVA) Reports, and an updated Certifiable Elements and Hazards Log, in
support of the Contractor’s Safety and Security Certification Plan. A SONO of new or revised
SiSHAs and SiSTVAs is required prior to commencement of Construction phase activities;
f. A monthly report utilizing the Authority’s Integrated Safety Management System of safety
performance including a narrative summary of safety activities, hazard identification and
mitigation, incidents of injury or property damage incurred, injury rates, incident investigation
results, corrective action plans, reports of near-miss incidents, a summary of communication
and training efforts, a summary of field audits/observations for safety, a summary of Job
Hazard Analyses completed, and other activities as identified by the Contractor; and
g. A monthly report of security performance, including incidents of trespass or security breach,
incident investigation results, corrective action plans, a narrative summary of security
activities, and other items as identified by the Contractor. The report shall be submitted to the
Authority by close of the 5th business day of the following month.

1.2.3 Safety and Security Management Plan


The Contractor shall submit a SSMP to the Authority for review and SONO within 60 days following NTP.
The SSMP will identify the qualification and organizational structure of the Safety and Security Team, and
the processes that the Team will employ to manage the SSHASP(s) and SSSP(s). The SSMP shall:
a. Describe a process for managing hazards or incidents of injury or damage through
identification, reporting, and correction, abatement or mitigation, including descriptions of
processes and applicability of Job Hazard Analyses (JHA) for each job assignment within the
scope of the contract for which a person may be exposed to incidents of injury or illness. JHAs
previously performed by the Contractor will be acceptable for use in determining preventive
measures if the scope and functionality of the jobs under review are justifiably the same. The
previously-performed JHAs, however, must address the specific characteristics of each site
and tasks performed within the Project scope. JHAs shall be kept on the Site and made
available to the Authority upon request;
b. Describe procedures for work site safety audits and inspections, including assignment of
responsibility, frequency, documentation method, and actions following various audit results;
c. Describe the Safety and Security Program training for employees of the Contractor,
Sub-contractors, the Authority, and other applicable third parties. The training program
description shall include safety and security program training requirements and
documentation including training curriculum, frequency of and method of delivery for
training, training records, a method for identifying and certifying qualified employees, and lists
of qualified/competent persons for specific tasks;
d. Describe an employee communication program that identifies individual responsibilities for all
employees, schedules for specific communication techniques, and a process for recording
and tracking communication program performance. The employee communication program
shall include job briefing procedures/requirements, HazComm, employee safety and security
committees, Project safety and security committees, and notification process for employees
and the Authority of incidents or hazards when identified;
e. Describe a process for identifying the health and safety rules and regulations applicable to
the tasks to be performed on the Project, including all local, State, and federal occupational
safety and health regulations, including but not limited to California Code of Regulations
Title 8 Construction Safety Orders, FRA regulations 49 C.F.R. Parts 200-299, the
California MUTCD, the Contractor's corporate safety plan, and the CHSRP Safety and
Security Policy Statement. Rules and procedures shall address Site-specific work activities
and conditions including:
i. Safeguards for the protection of all workers, pedestrians, and the public from excavations,
construction equipment, obstructions, and other dangers. Safeguards may include fencing,
adequate railings, guard rails, temporary walks, barricades, warning signs, directional signs,
overhead protection, planking, decking, danger lights, and other suitable safeguards;
ii. Personal protective equipment requirements for all work site hazards and conditions, including
equipment issuance/availability procedures;
iii. Mobile equipment operation procedures and training program, including qualification process and
requirements, and performance observation/evaluation requirements;
iv. Fall protection and scaffolding procedures, including minimum fall protection equipment
requirements, a process for training workers, and performance observation/evaluation
requirements;
v. Motor vehicle operation program, including rules and procedures for specific equipment to be used
at the work site (including industrial lift trucks), operator screening and qualification process and
requirements, and performance observation/evaluation requirements;
vi. Roadway worker protection (on-track safety) for the Authority ROW in compliance with FRA
regulations contained in 49 C.F.R. Part 214;
vii. Hazardous Materials handling and storage plan specific to each work site, including a plan for
cataloguing Material Safety Data Sheets and submitting same to the Authority, and for
communicating Material Safety Data Sheet information to employees;
viii. Lockout/tagout programs for all applicable energy sources, including electrical, hydraulic, and
kinetic; and
ix. Fire prevention and suppression, including procedures for identification of hazards that could lead
to fire, procedures for local fire suppression and notification to authorities, inspection processes,
and a detailed training and exercise program;
f. Identify, develop, and implement a program for coordinating roadway worker protection
activities and compliance with adjacent railroads. All contractors working in the shared corridor
will meet frequently with the responsible representatives of the operating railway and
coordinate activities to minimize risks and hazards to Contractor personnel, and to avoid
hazards or disruptions to the operation of the railway;
g. Describe a process for managing security of Authority properties within the Contractor's Scope
of Work. Security program elements shall include at a minimum:
i. Identification of threats and vulnerabilities, reporting, and controls or mitigation. Include a process
description and the applicability of Threat and Vulnerability Assessments (TVAs) for each job location
within the scope of the contract. The description should include how the process would adapt in the
face of an imminent threat or a change in security conditions;
ii. Description of how the planned deployment of security measures such as fencing, guards, lighting
will be evaluated for initial effectiveness;
iii. Description of an audit and inspection plan to review security measures and ensure that controls
are being managed effectively; and
iv. Description of the internal and external (Authority and local law enforcement) reporting structure
and process for security incidents, including thresholds for reporting, and at a minimum:
• Description of a program for reporting security incidents. Incident reports for graffiti, vandalism,
and trespass are to be submitted to the Authority within 48 hours. Incident reports for any
significant damage or conditions observed, and any injuries to employees, subcontractors, or
others, will be submitted to the Authority immediately. Weekly security reports shall include
daily security logs noting deployment of security personnel, any significant weather
conditions, site locations covered, incident notifications or threats, any noted security
equipment conditions (cut fence, broken lights), and copies of any reports from local agencies
who respond to incidents on the Authority's property under Contractor control;
• Description of how the background check process will appropriately screen for internal threats
to the security of the project. Include a description of any code of conduct and expectations for
employee behavior, and procedures for internal and external notification when personnel
security is violated;
• Description of how access control to project sites will be applied to ensure the security and
control of all project sites, including procedures for authorizing new employees or visitors, and
procedures for monitoring access control performance;
• Description of the security awareness employee training program, content, and schedule,
including record keeping of training completion;
• Description of the process for ensuring all subcontractors on site adhere to the Contractor's
SSMP requirements; and
• A process for recommending enhancements to the Authority's security elements;
h. Identify, develop, and implement an Emergency Response Plan for management of
emergency situations associated with, but not limited to, the following: injury to an employee
or member of the public; fire; flood; earthquake; property damage and damage to various
utilities (such as, electrical, gas, sewage, water, telephone, or public roadways); public
demonstrations; sabotage or threats of sabotage; other security incidents or threats,
Hazardous Materials encountered; toxic spills; explosions; vehicular accidents; and confined
space rescues. The Emergency Response Plan shall include the following items, at minimum:
i. Identification of the person responsible for handling an emergency;
ii. Establishment of teams for handling each type of emergency;
iii. Identification of the person responsible for making the emergency call (preferably the ranking
Supervisor present);
iv. The requirement to conspicuously post a list of emergency phone numbers, along with information
to be transmitted. Include with the emergency phone numbers, the number of the Authority's
representative to be contacted (request telephone number and name of the Authority contact
person or persons);
v. Site identification and signage for emergency responders;
vi. Trench and confined space rescue plan or tunnel evacuation plan, as applicable;
vii. The procedure for contacting the Authority Representative when an incident requiring emergency
response occurs; and
viii. Scene management for the emergency response including procedures for ensuring the safety of
employees and emergency responders, safeguarding the scene from unwanted entry, and handling
on-scene media;
i. Identify, develop, and implement a HAZWOPER Plan for the control of hazardous substances
in compliance with California Code of Regulations, Title 8, Section 5192;
j. Identify, develop, and implement a program for ensuring public safety at work sites and
avoiding damage to public property. The public shall be considered as any persons and
property not employed or owned by the Contractor or its Subcontractors. The program shall
address site-specific work activities and conditions including:
i. Identification of potential hazards to the public;
ii. Erection and proper upkeep at all times of all necessary safeguards for the protection of the public,
including pedestrian and vehicle traffic, and the assignment of trained and competent flaggers
whose sole duties shall consist of directing the movement of public traffic through or around the
Work site;
iii. Posting of signs warning against the hazards created by construction or warranty service activities;
iv. Elimination of unnecessary noise, obstructions, and other annoyances to nearby residents and
businesses;
v. Procedures and competency training for employees assigned to public safety and public property
protection; and
vi. Designated work zones – Work outside of the designated work zones shall be performed only when
specifically authorized in writing by the Authority Representative;
k. Identify, develop, and implement a program for Temporary Traffic Control. Temporary Traffic
Control Plans will be developed in compliance with the requirements of the current
California MUTCD. The Contractor shall apply to the jurisdictional authority for approval of the
plan and for a permit or permits to work in the public ROW. In cases where there is more than
one jurisdictional authority, a separate Temporary Traffic Control Plan will be developed for
each jurisdictional authority, as required. The Temporary Traffic Control Plan shall include:
i. Drawings showing proposed traffic control devices including temporary signage and temporary
pavement markings and striping;
ii. Different traffic diversion patterns and methods of control. Include for each phase detailed
schedules for performance of work and include proposed traffic control devices;
iii. Requirements for flagger training and qualifications, assignment, and supervision;
iv. Notification plans for vehicular, bicycle, and pedestrian traffic detours including notifications of
business owners, residents, and property owners in the vicinity of traffic and parking disruptions;
v. Any other requirement of the authority having jurisdiction; and

l. Other safety and security elements as identified in the Contractor’s corporate safety and
security program.

1.2.4 Construction Site-Specific Health and Safety Plan Elements


The safety processes, equipment utilized, and personnel assignments to be provided by the Contractor
at each individual work site may differ based upon a site-specific JHA performed by the Contractor.
A SSHASP shall be developed for each distinct and unique work site. The SSHASP will be appropriate to
the Project development, phasing, and tasks at hand. It may be submitted incrementally as work is designed
and plans are approved for construction and will be revised as the Project evolves. A SONO of new or
revised SSHASPs is required prior to the commencement of new work activities. Each SSHASP shall:

a. Be specific to the relevant work site conditions and Project phases for the Work;

b. Be kept on site and made available to all employees, authorized visitors, and the Authority
upon request;

c. Include the Contractor's safety and security policy statement;

d. Conform to applicable workplace safety regulations including California Code of Regulations
Title 8 Construction Safety Orders, FRA regulations as found at 49 C.F.R. Parts 214, 219,
225, 228, and 236; California Public Utilities Commission General Orders; Federal and State
OSHA regulations;

e. Identify roles and responsibilities of all employees for the Contractor and Subcontractors with
respect to safety;

f. Identify the reporting and interaction processes of the Contractor's Safety team with the rest
of the Project work force (including Subcontractors and the Authority), and with third parties
such as emergency responders, utilities, and adjacent railroad operators;

g. Include a detailed description of site-specific hazards and mitigations. A daily JHA shall be
conducted and a plan developed to alter mitigations as daily conditions change;

h. Include a detailed description of site-specific workplace health and safety rules and
procedures that conform to all regulatory requirements described in the SSMP;

i. Include a detailed HAZWOPER Plan to be kept on site, available to all employees, authorized
visitors, and the Authority upon request;

j. Roadway worker protection for adjacent railroad ROWs – Employees of any CRE working in
these locations shall be trained by the Contractor to ensure they become fully familiar with
railway operations, procedures, rules, and safety requirements;

k. Include a detailed plan for work site first-aid resources and a training program for employees;
l. Include a detailed Emergency Response Plan. The Emergency Response Plan shall be
updated when conditions or procedures change. The Emergency Response Plan will be kept
on site;
m. Include a detailed program for ensuring public safety at work sites and avoiding damage to
public property, specific to each phase of the work;
n. Include a detailed Temporary Traffic Control Plan for each phase of the work; and
o. Include other elements that conform to the Contractor’s corporate health and safety plan.

1.2.5 Site-Specific Security Plan Elements


Security at construction sites is to ensure that all personnel working at the site, the Authority's assets and
property, and the surrounding communities are protected from trespassers, vandalism, theft,
encroachment, and other intentional criminal activity. In compliance with these provisions, the Contractor
shall develop a SSSP which shall address crime and security-related conditions specific to the
conditions and configuration of the individual work sites. This includes protection of property, materials,
tools, equipment, and the personal property of workers at specific sites. The SSSP will be appropriate to the
Project development, phasing, and tasks at hand. The SSSP may be submitted incrementally as work is
designed and plans are approved for construction, and will be revised as the Project evolves. A SONO of
new or revised SSSPs is required prior to commencement of new work activities. The types of security to
be provided by the Contractor at each site may differ based upon a site-specific security assessment
performed by the Contractor.

The SSSP shall include:

a. Safety and security policy statement;


b. Threat and vulnerability assessment process, including how the process will be informed of
threat conditions and how specific mitigations or controls will be applied to the potential
threats to the construction areas;
c. Identification of the makeup, reporting structure, and interaction processes of the Contractor's
Project Management Team, including the Contractor's Security Management Team, with the
rest of the Project work force (including Subcontractors and the Authority) and with third
parties such as local law enforcement agencies;
d. Identification of security roles and responsibilities of all employees for the Contractor and
Subcontractors;
e. Protection plan of public and property, materials, equipment, and tools based on the outcome
of the security assessment through appropriate security applications such as fencing, access
control, locks, alarms, intrusion detection, lighting, security guards, and any other security
requirements that may be applicable;
f. A description of how access to individual work sites will be controlled, including how and by
whom employees may enter each site, how other authorized persons are identified for each
work site, and procedures for monitoring site-specific access control performance;
g. Coordination program with local law enforcement for incident reporting and other security-
related conditions or events;
h. Procedures for providing site-specific security information for inclusion in the Contractor's
required project reports; and

i. Other elements that conform to the Contractor’s corporate security plan or the SSMP.

1.2.6 Non-Compliance
The Contractor shall take all necessary corrective actions to avoid the issuance of a stop work order upon
identification of a safety or security noncompliance. If the Contractor fails or refuses to take corrective action
promptly, the Authority may issue an order stopping all or part of the Work until satisfactory corrective
action has been taken. The Contractor shall not base any claim or request for equitable adjustment for
additional time or money on any stop work order issued under these circumstances. The Contractor shall be
responsible for its Subcontractors' compliance with this clause.
Appendix C
Safety & Security Policy Statement

TM 500.01
California High-Speed Train System

TECHNICAL MEMORANDUM
Safety and Security Policy Statement
TM 500.01

Prepared by: John Cockle, System Safety. Date: 26 October 12
Checked by: Jack Sheehan, Safety & Security Manager. Date: 01 November 12
Approved by: Joseph Metzler, Operations Manager. Date: 07 November 12
Released by: Brent Felker, PE, Program Director. Date: 11-28-12
Reviewed by: Michael D. Lewis, PE, Project Management Oversight. Date: 07 NOV 12
Reviewed by: Jon Tapping, Risk Manager, Authority. Date: 11-16-12
Accepted by: Jeffrey Morales, CEO, Authority. Date: 12-7-12

Revision Date Description
0 26 Oct 12 Initial Release

Note: Signatures apply for the latest technical memorandum revision as noted above.

Prepared by PARSONS BRINCKERHOFF

for the California High-Speed Rail Authority


This document has been prepared by Parsons Brinckerhoff for the
California High-Speed Rail Authority and for application to the California
High-Speed Train System. Any use of this document for purposes other
than this System, or the specific portion of the System stated in the
document, shall be at the sole risk of the user, and without liability to PB
for any losses or injuries arising from such use.
TABLE OF CONTENTS
ABSTRACT
1.0 INTRODUCTION
1.1 Purpose of Technical Memorandum
1.2 General Information
2.0 DEFINITION OF TECHNICAL TOPIC
2.1 Safety and Security Policy Statement
3.0 SUMMARY AND RECOMMENDATIONS
3.1 Recommendations
APPENDIX A
ABSTRACT

This memorandum is intended to establish the Safety and Security Policy for the California High-
Speed Train System (CHSTS) that will be used as a confirmation of the California High-Speed
Rail Authority's (Authority) commitment to plan, design, construct, test and prepare for operating
a high-speed train system that operates with a primary focus on safety and security.
1.0 INTRODUCTION
The California High-Speed Rail Authority (Authority) is responsible for certifying the planning,
design, construction, testing, and placement into revenue service of a safe and secure high-speed
train system. The Safety and Security Policy Statement is a high-level confirmation of the
Authority's commitment to safety and security.
1.1 Purpose of Technical Memorandum
The purpose of this technical memorandum is to provide a vehicle for the authorization of the
Safety and Security Policy Statement by the Authority.
1.2 General Information
Absent federal regulations that govern the completion of major capital projects, the Federal
Railroad Administration looks to the Federal Transit Administration (FTA) regulations for
guidance. FTA regulations found at 49 CFR 633 require the development of a Project
Management Plan (PMP) for every major capital transit project. As described in FTA Circular
5800.1, Safety and Security Management Guidance for Major Capital Projects (dated 8/1/07), a
Safety and Security Management Plan (SSMP) is the element of the PMP that manages project
safety and security activities, responsibilities, and verification processes throughout the project
life cycle.
A critical (and required) element of the SSMP, as described in FTA Circular 5800.1, is the Safety
and Security Policy Statement.

2.0 DEFINITION OF TECHNICAL TOPIC


2.1 Safety and Security Policy Statement
It is the policy of the Authority to perform work on the California High-Speed Train System
(CHSTS) in a manner that ensures the safety and security of passengers, employees,
contractors, emergency responders, and the public. The application of system safety and
security comprises a fundamental hazard and vulnerability management process that
incorporates the characteristics of planning, design, construction, testing, operational readiness,
and subsequent operation of the high-speed rail system. Safety and security are priority
considerations in the planning and execution of all work activities on the CHSTS.
All trains, facilities, systems and operational processes must be designed, constructed, and
implemented in a manner that promotes the safety and security of persons and property. The
design, construction, testing, and start-up of the CHSTS will comply with applicable safety and
security laws, regulations, requirements and railroad industry practices. The Authority will
maintain or improve upon the public transit and railroad industry standards for safety and security.
Through the Reliability, Availability, Maintainability, and Safety (RAMS) Program a standard of
safety will be established that is as safe as or safer than conventional U.S. railroad operations
and in conformance with the best practices and standards for safety in the international high-
speed rail industry. The design, construction, testing, and start-up of the CHSTS will be
accomplished in compliance with this standard.
The Authority is committed to providing a safe and secure travel and work environment.
Therefore, safety, accident prevention, and security breach prevention must be incorporated into
the performance of every employee task. All Authority, Program Management Team, and
contractor personnel, subcontractors and employees are charged with the responsibility for
ensuring the safety and security of passengers, employees, contractors, emergency responders,
and the public who come in contact with the CHSTS. Each individual and organization is
responsible for hazard and vulnerability management, for applying the processes that are
designed to ensure safety and security, and for maintaining established safety and security
standards, consistent with their position and organizational function. Through a cooperative team
effort and the systemic application of safety and security principles, the CHSTS will be designed,
constructed, tested, and placed into service in a safe and secure manner.

3.0 SUMMARY AND RECOMMENDATIONS


3.1 Recommendations
It is recommended that the Authority approve and authorize this Safety and Security Policy
Statement.
It is recommended that the Program Management Team implement this Safety and Security
Policy Statement across all facets of the CHSTS, initially including it in the Safety and Security
Management Plan, and subsequently in the System Safety Program Plan and the Security and
Emergency Preparedness Plan.
It is recommended that the Safety and Security Policy Statement be included in all construction
safety and security contract requirements.
It is recommended that the Authority CEO's signature be affixed to all versions of the Safety and
Security Policy Statement when published in other documents. See Appendix A.
APPENDIX A

Safety and Security Policy Statement


It is the policy of the California High-Speed Rail Authority (Authority) to perform work on
the California High-Speed Train System (CHSTS) in a manner that ensures the safety
and security of passengers, employees, contractors, emergency responders, and the
public. The application of system safety and security comprises a fundamental hazard
and vulnerability management process that incorporates the characteristics of planning,
design, construction, testing, operational readiness, and subsequent operation of the
high-speed rail system. Safety and security are priority considerations in the planning
and execution of all work activities on the CHSTS.
All trains, facilities, systems and operational processes must be designed, constructed,
and implemented in a manner that promotes the safety and security of persons and
property. The design, construction, testing, and start-up of the CHSTS will comply with
applicable safety and security laws, regulations, requirements and railroad industry
practices. The Authority will maintain or improve upon the public transit and railroad
industry standards for safety and security. Through the Reliability, Availability,
Maintainability, and Safety (RAMS) Program a standard of safety will be established that
is as safe as or safer than conventional U.S. railroad operations and in conformance with
the best practices and standards for safety in the international high-speed rail industry. The
design, construction, testing, and start-up of the CHSTS will be accomplished in
compliance with this standard.
The Authority is committed to providing a safe and secure travel and work environment.
Therefore, safety, accident prevention, and security breach prevention must be
incorporated into the performance of every employee task. All Authority, Program
Management Team, and contractor personnel, subcontractors and employees are
charged with the responsibility for ensuring the safety and security of passengers,
employees, contractors, emergency responders, and the public who come in contact
with the CHSTS. Each individual and organization is responsible for hazard and
vulnerability management, for applying the processes that are designed to ensure safety
and security, and for maintaining established safety and security standards, consistent
with their position and organizational function. Through a cooperative team effort and
the systemic application of safety and security principles, the CHSTS will be designed,
constructed, tested, and placed into service in a safe and secure manner.

Jeffrey Morales, CEO, California High-Speed Rail Authority. Date: 12-5-12
Appendix D
Safety & Security Executive Committee Charter

TM 500.02
California High-Speed Rail System

TECHNICAL MEMORANDUM
Safety and Security Executive Committee Charter
TM 500.02
Prepared by: Lurae Stuart, System Security. Date: 06 APR 2016
Checked by: John Cockle, System Security. Date: 06 APR 2016
Approved by: Victor Salazar, Safety and Security Risk Manager. Date: 28/4/16
Released by: Jon Tapping, Director of Risk Management. Date: 4/28/16
Accepted by: Jeffrey Morales, CEO, Authority. Date: 5-3-16

Revision Date Description
0 19 Sep 12 Initial Release
1 19 Oct 15 Annual Review
2 06 APR 2016 Update for Integrated Authority/RDP Organization

Note: Signatures apply for the latest technical memorandum revision as noted above.
TABLE OF CONTENTS
ABSTRACT
1.0 INTRODUCTION
1.1 Purpose of Technical Memorandum
1.2 General Information
2.0 DEFINITION OF TECHNICAL TOPIC
2.1 SSEC Goal and Purpose
2.2 Authority
2.3 Scope
2.4 Duties and Responsibilities
2.5 Membership
2.6 Meetings
ABSTRACT

The California High-Speed Rail Authority (Authority) is responsible for planning, designing, constructing,
testing and preparing for revenue operations a high-speed rail system that is safe and secure. This
responsibility is confirmed in the Safety and Security Policy Statement.

The Safety and Security Executive Committee (SSEC) allows the Authority to participate in the
application of safety and security principles and processes to the California High-Speed Rail System.

This memo is intended to establish the SSEC for the California High-Speed Rail System (CHSRS) in
support of the Safety and Security Management Plan.
1.0 INTRODUCTION
The California High-Speed Rail Authority (Authority) is responsible for planning, designing,
constructing, testing and preparing for revenue operations a high-speed rail system that is safe
and secure. The Safety and Security Executive Committee (SSEC) allows the Authority to
participate in the application of safety and security principles and processes to the California
High-Speed Rail System (CHSRS).
1.1 Purpose of Technical Memorandum
The purpose of this technical memorandum is to define the scope, duties and responsibilities of
the SSEC, identify committee membership and the members’ respective responsibilities, and the
process by which safety and security-related issues are addressed through the SSEC.

1.2 General Information

Absent federal regulations of its own that govern the completion of major capital projects, the
Federal Railroad Administration (FRA) looks to the Federal Transit Administration (FTA)
regulations for guidance. FTA regulations as stipulated at 49 CFR 633 require the development of
a Project Management Plan (PMP) for every major capital transit project. As described in FTA
Circular 5800.1, Safety and Security Management Guidance for Major Capital Projects, a Safety
and Security Management Plan (SSMP) is the element of the PMP that details the processes for
managing project safety and security activities, responsibilities, and verification processes
throughout the project life-cycle.
A required element of the SSMP, as also described in FTA Circular 5800.1, is a description of
the committees identified to support the SSMP. The Committees may carry over to revenue
operations through inclusion in the System Safety Program Plan and Security and Emergency
Preparedness Plan. This SSEC Charter is designed to satisfy the requirement with respect to the
SSEC.

2.0 DEFINITION OF TECHNICAL TOPIC


2.1 SSEC Goal and Purpose
The SSEC and its members will ensure that the CHSRS is designed, built, and implemented in a
safe and secure manner. The SSEC will achieve this goal by providing oversight of the
application of the SSMP through all phases of CHSRS development and by acting as a conduit
for informing and assuring Authority executive management of safety and security issues affecting
the CHSRS.

2.2 Authority
The authority for the SSEC is established in the SSMP. The SSEC Charter will be modified as
necessary as the development of the CHSRS progresses.

2.3 Scope

The SSEC will address safety and security issues which:


• Are Authority policy considerations;
• Require Authority approval;
• Require Authority direction for resolution of a dispute; or,
• Constitute final acceptance of Safety and Security Certification.

2.4 Duties and Responsibilities


The duties and responsibilities of the SSEC are as follows:
• Approve revisions/updates to the SSMP
• Oversee the application of the SSMP through all CHSRS development phases
• Authorize the establishment of the Safety and Security Program Committee (SSPC),
comprised of representatives from the Authority and the Rail Delivery Partner (RDP)
• Review and approve regular reports of safety and security activities from the SSPC
• Review and discuss field safety and security activities, incidents, trends, and future
developments
• Resolve safety and security issues that cannot be resolved at the SSPC level
• Review Safety and Security Certification (SSC) Certificates of Conformance and accept the final
Certification Verification Report to certify that the System is safe and secure for revenue
operation
• Provide a forum for safety and security discussions among Authority and RDP Executive
Management

2.5 Membership
Voting members of the SSEC include the following persons:
o Chief Executive Officer (Chair)
o Director of Risk Management and Project Controls (Vice-Chair)
o Regional Directors (Northern California, Central Valley, Southern California)
o Chief Program Manager, Rail Operations and Maintenance
o Chief Counsel
o Program Director, Program Delivery
o Chief Administrative Officer
o Chief Engineer
Advisory members include:
o Safety & Security Risk Manager
o System Safety Manager
o System Security Manager (Committee Coordinator)
o Construction Safety and Security Manager

The Chairperson of the SSEC is the Authority Executive Director or a designated Authority
executive management representative. If a designated member of the SSEC is unable to attend a
SSEC meeting, they must assign an appropriate representative.

2.6 Meetings
The SSEC will meet at least quarterly at a regular time and location determined at the previous
meeting. The Chairperson (or designee) will conduct the meeting according to the published
agenda. The meeting may be postponed or rescheduled by the Chairperson due to the availability
of the membership.
The RDP System Security Manager will act as Coordinator and will be responsible to notify all
SSEC members of the time, date, location, and agenda in advance of the meeting. The
Coordinator will also distribute any support material pertinent to the meeting.
To validate meetings and the business conducted therein, a quorum of members must be present
at the meeting. Decisions also require a quorum of the members. Regular committee
members may designate alternate representatives. A quorum is a simple majority of the
membership.
Special meetings may be called on an exceptional basis at the direction of the Chair or designee
to discuss matters of urgency. In these cases, the Coordinator will notify all members in writing of
the date, time, place and purpose of the meeting at least 48 hours in advance if possible.
The Coordinator will ensure a record is kept of all proceedings of the Committee and maintain an
action items matrix showing resolutions and pending items. The Chairperson will designate a
person responsible for follow up of the action items as required.
The Coordinator will post meeting minutes, action items matrix, and supporting material
accessible to all SSEC members within two weeks following each meeting. Meeting minutes, an
action items matrix, and supporting forms shall be retained by the SSEC Coordinator in
accordance with the Authority's Record Retention Policy.
Appendix E: Safety & Security Program Committee Charter (TM 500.03)

California High-Speed Rail System
TECHNICAL MEMORANDUM
Safety and Security Program Committee Charter
TM 500.03

Prepared by: John Cockle, System Safety. Date: 06 APR 2016
Checked by: Lurae Stuart, Security Manager. Date: 06 APR 2016
Approved by: Victor Salazar, Safety and Security Manager. Date: 06/04/16
Released by: Jon Tapping, Director of Risk Management. Date: 4/20/16

Revision Date Description


0 26 OCT 2012 Initial Release
1 26 JUL 2013 Update for SSPC Membership
2 12 OCT 2015 Update for CHSRA and RDP Organization Changes
3 06 APR 2016 Update for Integrated Authority/RDP Organization

Note: Signatures apply for the latest technical memorandum revision as noted above.
TABLE OF CONTENTS

ABSTRACT
1.0 INTRODUCTION
1.1 Purpose of Technical Memorandum
1.2 General Information
2.0 DEFINITION OF TECHNICAL TOPIC
2.1 SSPC Goal and Purpose
2.2 Authority
2.3 Scope
2.4 Duties and Responsibilities
2.5 Membership
2.6 Meetings
ABSTRACT

The California High-Speed Rail Authority is responsible for planning, designing, constructing, testing and
preparing for operating a high-speed train system that is safe and secure. This responsibility is confirmed
in the Safety and Security Policy Statement.

The Safety and Security Executive Committee allows the Authority to participate in the application of safety
and security principles and processes to the development of the California High-Speed Rail System through
the Safety and Security Program Committee, which operates at the project level.

This memo is intended to establish the Safety and Security Program Committee for the CHSRS in support
of the Safety and Security Management Plan.
1.0 INTRODUCTION
The California High-Speed Rail Authority (Authority) is responsible for planning, designing,
constructing, testing and preparing for revenue operations of a high-speed train system that is safe
and secure. Under the direction of the Authority, the Rail Delivery Partner (RDP) is responsible for
working with the Authority to develop, implement, and manage the safety and security initiatives
that are described in the Safety and Security Management Plan (SSMP).
The Safety and Security Program Committee (SSPC) allows the CHSRA/RDP to implement the
SSMP throughout the California High-Speed Rail System (CHSRS).
1.1 Purpose of Technical Memorandum
The purpose of this technical memorandum is to define the scope, duties and responsibilities of the
SSPC, identify committee membership and the members’ respective responsibilities, and the
process by which safety and security-related issues are addressed through the SSPC.

1.2 General Information


Absent federal regulations that govern the completion of major capital projects, the Federal
Railroad Administration looks to the Federal Transit Administration (FTA) regulations for guidance.
FTA regulations as stipulated at 49 CFR 633 require the development of a Project Management
Plan (PMP) for every major capital transit project. As described in FTA Circular 5800.1 Safety and
Security Management Guidance for Major Capital Projects, a Safety and Security Management
Plan (SSMP) is the element of the PMP that details the processes for managing project safety and
security activities, responsibilities, and verification processes throughout the project life-cycle.
A required element of the SSMP, as also described in FTA Circular 5800.1, is a description of
committees identified to support the SSMP. The Committees may carry over to revenue operations
through inclusion in the System Safety Program Plan and Security and Emergency Preparedness
Plan. This SSPC Charter is designed to satisfy the requirement with respect to the Safety and
Security Program Committee.

2.0 DEFINITION OF TECHNICAL TOPIC


2.1 SSPC Goal and Purpose

The SSPC and its members will ensure that the CHSRS is designed, built, and implemented in a
safe and secure manner at the project level. The SSPC will achieve this goal by providing oversight
of the application of the SSMP through all phases of CHSRS development and to act as a conduit
to informing and assuring Authority executive management (through the SSEC) of safety and
security issues affecting the CHSRS.

2.2 Authority

The authority for the Safety and Security Program Committee is established in the Safety and
Security Management Plan (SSMP). The SSPC Charter will be modified as necessary as CHSRS
development progresses.
2.3 Scope
The SSPC will address safety and security issues which:
• Are directed to it by the SSEC;
• Are appropriate for or require resolution at the Program level;
• Require elevation to the SSEC for Authority direction for resolution; or,
• Constitute preliminary review and acceptance of Safety and Security Certification
2.4 Duties and Responsibilities

The duties and responsibilities of the SSPC are as follows:


• Recommend to the SSEC the initial version of the SSMP and subsequent updates
• Oversee the application of the SSMP through all CHSRS development phases
• Review Preliminary Hazard Analyses and Threat/Vulnerability Assessments as they are
developed or updated, and forward them to the SSEC with a recommendation for approval
• Track identified hazards or vulnerabilities through the hazard/vulnerability tracking
database
• Review and discuss field safety and security activities, incidents, trends, and future
developments
• Provide regular reports of safety and security activities or issues to the SSEC
• Forward to the SSEC for resolution any safety and security issues that cannot be resolved at
the SSPC level
• Review Safety and Security Certification (SSC) Certificates of Conformance and the Final
Certification Verification Report
• Forward SSC Certificates of Conformance and a final Certification Verification Report with
recommendation to the SSEC for Authority acceptance
• Provide a forum for safety and security discussions among CHSRA/RDP staff members and
a conduit for safety and security issues to the Authority through the SSEC

2.5 Membership
The SSPC comprises the following persons:
o Director of Risk Management and Project Controls (Chair)
o Safety and Security Risk Manager (Vice-Chair)
o System Safety Manager (Committee Coordinator)
o System Security Manager
o Construction Safety and Security Manager
o Director of Operations and Maintenance
o Deputy Director Operations & Maintenance
o Director of Engineering
o Director of Construction Support
o Director of Network Integration
o Rail Engineering Manager
o Trainset Project Manager
o Regional Directors of Projects (Northern, Central, Southern)
o Director of Environmental Services
o Director of Real Property
o Legal Services

Designated members of the SSPC are responsible for assigning an appropriate representative if
they are unable to attend an SSPC meeting.

2.6 Meetings
The SSPC will meet at least monthly at a regular time and location. The Chairperson (or designee)
will conduct the meeting according to the published agenda. The meeting may be postponed or
rescheduled by the Chairperson due to the availability of the membership.
The Coordinator will be responsible for notifying all SSPC members of the time, date, location, and
agenda in advance of the meeting. The Coordinator will also distribute any support material
pertinent to the meeting.
To validate meetings and the business conducted therein, a quorum of members must be present
at the meeting. Decisions will also be made by a quorum of the members. Regular committee
members may designate alternate representatives. A quorum is a simple majority of the
membership.
Special meetings may be called on an exceptional basis at the direction of the Chairperson or
his/her designated representative to discuss matters of urgency. In these cases, the Coordinator
will notify all members in writing of the date, time, place and purpose of the meeting at least 48
hours in advance if possible.
The Coordinator will record all proceedings of the Committee and maintain an action items matrix
showing resolutions and pending items. The Chairperson will designate a person responsible for
follow up of the action items as required.
The Coordinator will distribute meeting minutes, an action items matrix, and supporting forms to all
SSPC members via e-mail within one week following each meeting. Members have one week to
advise the Coordinator of any inaccuracies. A copy of meeting minutes, an action items matrix,
and supporting forms shall be retained by the Coordinator in accordance with the Authority’s
Record Retention Policy.
Appendix F: Fire & Life Safety and Security Program (TM 500.04)

California High-Speed Train System
TECHNICAL MEMORANDUM
Fire and Life Safety and Security Program
TM 500.04

Prepared by: John Cockle, System Safety. Date: 26 October 12
Checked by: Jack Sheehan, Safety Security Manager. Date: 01 November 12
Approved by: Joseph Metzler, Operations Manager. Date: 07 November 12
Released by: Brent Felker, PE, Program Director. Date: 11-28-12
Reviewed by: Michael D. Lewis, PE, Project Management Oversight. Date: 01 Nov 12
Reviewed by: Jon Tapping, Risk Manager, Authority. Date: 11-16-12
Accepted by: Jeffrey Morales, CEO, Authority. Date: 12-5-12

Revision Date Description


0 26 Oct 2012 Initial Release, R0

Note: Signatures apply for the latest technical memorandum revision as noted above.

Prepared by PARSONS BRINCKERHOFF for the California High-Speed Rail Authority
This document has been prepared by Parsons Brinckerhoff for the
California High-Speed Rail Authority and for application to the California
High-Speed Train System. Any use of this document for purposes other
than this System, or the specific portion of the System stated in the
document, shall be at the sole risk of the user, and without liability to PB
for any losses or injuries arising from such use.
TABLE OF CONTENTS

ABSTRACT
1.0 PURPOSE
2.0 BACKGROUND
3.0 FIRE AND LIFE SAFETY AND SECURITY PROGRAM
3.1 Purpose
3.2 Scope
3.2.1 Statewide FLSSC
3.2.2 Regional FLSSC
3.3 Fire and Life Safety and Security Report
4.0 POLICY RECOMMENDATION

ABSTRACT
This Technical Memorandum (TM) establishes the Fire and Life Safety and Security Program,
including the establishment of Regional and System Fire and Life Safety and Security
Committees.
1.0 PURPOSE
The purpose of this Technical Memorandum (TM) is to establish the approach the California High-
Speed Rail Authority (Authority) will take with respect to fire and life safety and security issues in
the development and implementation of the California High-Speed Train System (CHSTS), and to
provide a medium for the authorization of the Fire and Life Safety and Security Committees.

2.0 BACKGROUND
The identification of design criteria that specifically addresses fire and life safety issues is a critical
component of the development and operation of passenger rail transit systems. Involving
emergency response agencies (both systemically and locally) in the development of fire and life
safety design criteria and operating practices assures the Authority and the passenger railroad
operator that emergency response infrastructure, equipment and procedures are designed,
constructed/installed, and implemented to an acceptable level of safety.

Security has been added to the traditional fire and life safety scope in order to bring together all
local emergency response agencies into one forum. This strategy allows the Authority to capitalize
on commonalities among emergency response agencies as a force multiplier, increasing lines of
communication while maximizing CHSTS resources.

Absent federal regulations that govern the completion of major capital projects for railroad
systems, the Federal Railroad Administration looks to the Federal Transit Administration (FTA)
regulations for guidance. FTA regulations as stipulated at 49 CFR 633 require the development of
a Project Management Plan (PMP) for every major capital transit project. As described in FTA
Circular 5800.1 Safety and Security Management Guidance for Major Capital Projects, a Safety
and Security Management Plan (SSMP) is the element of the PMP that details the processes for
managing project safety and security activities, responsibilities, and verification processes
throughout the project life-cycle.

A required element of the SSMP, as also described in FTA Circular 5800.1, is a description of
committees identified to support the SSMP. The Committees may carry over to revenue
operations through inclusion in the System Safety Program Plan and Security and Emergency
Preparedness Plan. This Fire and Life Safety and Security Program is designed to satisfy the
requirement with respect to the Fire and Life Safety and Security Committees.

3.0 FIRE AND LIFE SAFETY AND SECURITY PROGRAM


3.1 Purpose
The purpose of the Fire and Life Safety and Security (FLSS) Program is to assure that fire and life
safety and security considerations are integrated into the CHSTS design criteria, programs,
procedures, and communications to the maximum extent possible.

Fire and Life Safety and Security Committees (FLSSC) will be established for the purpose of
engaging emergency response agencies, at both state and regional levels, to acquire their input
with regard to CHSTS designs that mitigate identified hazards. The FLSSC are essential to
fostering a professional, friendly, collaborative relationship with the local emergency response
agencies, helping to facilitate final permit approval and issuance of Certificates of Occupancy for
successful implementation of revenue service. The goal of these committees is to provide a forum
for emergency response agencies to provide input and feedback to the Authority concerning fire
and life safety and security issues in a formal and consistent manner.
3.2 Scope

The scope of the FLSSC during the Planning, Preliminary Engineering and Final Design project
phases will focus on infrastructure and systems design requirements. For the CHSTS, security is
added to the traditional fire and life safety scope in order to bring together all local emergency
response agencies to one forum. Operational procedures, emergency response procedures, and
training requirements and exercises will be considered by the FLSSC during the Construction and
Testing/Startup project phases.

Security will remain an integral part of the FLSS Program during the Planning, Preliminary
Engineering and Final Design project phases. Separate Security Committees may be established
when considered appropriate by the Authority.

Two approaches are executed for the Fire and Life Safety and Security Committees: Regional
Committees and a Statewide Committee to address state-level issues.

The Authority’s safety and security managers will have primary responsibility for administering the
FLSS Program including interactions with local, regional, and statewide emergency response
agencies, and holding chairperson positions within the various FLSS committees.

3.2.1 Statewide FLSSC

The one Statewide FLSSC will focus on systemic, high-level, fire and life safety and security
issues including Federal and State codes or requirements impacting the regional efforts. A goal of
the Statewide FLSSC is to obtain concurrence from federal and state authorities with respect to
fire and life safety and security concerns.

The Statewide FLSSC will include representatives from state and federal agencies such as the
Office of the State Fire Marshal, California Highway Patrol, Office of Emergency Services, the
California Emergency Management Agency, CPUC, FRA, and DHS as well as a representative
from each Regional FLSSC. The Statewide FLSSC will be chaired by the Authority’s Safety and
Security Manager(s). Meetings will be held regularly in Sacramento with agendas, minutes, and
other support materials supplied by the committee Chair. Minutes and action items from the
meetings will be conveyed to the Regional FLSSC's and to the Safety and Security Program
Committee for their consideration. It is anticipated that these Statewide FLSSC meetings will be
held quarterly.

3.2.2 Regional FLSSC

Each Regional FLSSC will focus on the CHSTS characteristics specific to their corridor segments
(type/length of underground and elevated structures, access methods, terminals, etc.) to provide
input with respect to local building codes or requirements that are in line with the emergency
response characteristics and capabilities of the local agencies. A goal of the Regional FLSSC is to
obtain concurrence from local emergency response agencies with respect to the proposed designs
and the code requirements of the state and federal authorities having jurisdiction.

The Regional FLSSC will be comprised of appropriate representatives (e.g., Fire Marshal) from
local emergency response agencies (fire, police, emergency medical response) and will be chaired
by the Authority’s Safety and Security Manager(s), and include the Authority’s Regional Director
for the region. Meetings will be held regularly at a location local to the regional corridor, with
agendas, minutes, and other support materials supplied by the committee Chair. Minutes and
action items from the meetings will be conveyed to the Statewide FLSSC and to the Safety and
Security Program Committee for their consideration. It is anticipated that these Regional FLSSC
meetings will be held bi-monthly, alternating with the Statewide FLSSC.

One representative from each Regional FLSSC will be asked to participate in the Statewide
FLSSC. Consistent representation is critical to success. Each Regional representative must be the
same representative attending to Statewide FLSSC matters and reporting results to their specific
Regional Committee.
3.3 Fire and Life Safety and Security Report
The input gathered through the FLSSC will support the development of Preliminary Hazard
Analysis, Threat and Vulnerabilities Assessments, and other analyses as required and in
conformance with the CHSTS Safety and Security Management Plan. The results of these
analyses will be used to develop safety and security design criteria and operational procedures, all
of which will be assured through the Verification & Validation process. A Fire and Life Safety and
Security Report will be developed to describe the system-level strategies, mitigations, and
processes implemented to achieve an acceptable level of fire and life safety. The Fire and Life
Safety and Security Report will be updated as conditions change or as new information is acquired
through the FLSSC.

4.0 POLICY RECOMMENDATION


It is recommended that Authority implement a Fire and Life Safety and Security Program for the
CHSTS by appending this Technical Memorandum to the CHSTS Safety and Security
Management Plan (SSMP). It is also recommended that this Technical Memorandum is appended
to both the System Safety Program Plan (SSPP) and Security and Emergency Preparedness Plan
(SEPP) when they are developed prior to the initiation of revenue service.
It is recommended that Regional FLSSCs be established in the Initial Construction Segment
between Fresno and Bakersfield. It is also recommended that the Statewide FLSSC be
established in Sacramento, California. All committees should be established as soon as possible
in order to integrate FLSS input to the development of design criteria.
This Policy will be modified as design and construction progresses to fit the specific needs of the
immediate phase of the project segments.
Appendix G

Hazard Analysis
Descriptions
Preliminary Hazard Analysis (PHA)
The primary output of the PHA is the early identification and evaluation of hazards and mitigations on a
high-level systems requirement basis. The following instructions are used in the development of the
Preliminary Hazard Analysis:

PURPOSE The purpose of the PHA is to provide an early assessment of the
hazards associated with a design or concept.
PROCEDURE The PHA identifies critical areas, hazards and criteria being used
and considers: hazardous events, components, interfaces,
environmental constraints, and operating, maintenance and
emergency procedures.
When possible, the corrective action should identify the
approach(s) to be taken: design change, procedures, and special
training and personnel qualifications.
RESULTS The PHA will provide for verification that corrective or preventive
measures or procedures are taken in safety reviews,
modification of specifications, and generation of methods and
procedures to eliminate, minimize or control hazards and provide
inputs to the interface hazard analysis, operating hazard analysis
and failure mode and effects analysis.
DOCUMENTATION Document the analysis to show compliance with the specified
safety and operational requirements, and provide for the tracking
of actions and verifying effectiveness. A PHA Report will be
developed where appropriate to document the analysis process
for specific subsystem hazards.
Sample PHA

Note – This is a sample representation only. Refer to the current PHA for identified hazards and controlling measures.

INSTRUCTIONS FOR COMPLETING THE PHA FORM:


• In System, enter the nomenclature of the applicable system element (e.g. Infrastructure, Train Control,
Communications, Rolling Stock, etc).
• In Subsystem, enter the nomenclature of the subsystem as broken out from the system and which includes
the item or hazard undergoing PHA.
• In PHA No., enter the PHA number for the subsystem element. This coding will be sequentially numbered by
each Contractor for each subsystem and will be utilized for all related analysis.
• In Rev. No., enter the revision number of the PHA to indicate the latest status.
• In Prepared by _ Date _, the preparer will sign and enter the date of issue or revision of the analysis.
• In Reviewed by _ Date _, the reviewer will enter the date of review.
• In Approved by _ Date_, enter the date of approval by the SSPC or SSEC as appropriate.
• In No., enter the reference number which uniquely identifies the high-speed rail system element and any
identifiable element subsystem and item being analyzed.
• In System Mode, enter state of the system when the failure mode or hazardous condition occurs.
• In HAZARD DESCRIPTION, describe an immediate condition which could lead to an accident involving
potential injury, death or equipment damage.
• In POTENTIAL CAUSE, enter the most likely primary and secondary causes that can potentially contribute to
the presence of the hazard.
• In EFFECT ON SUBSYSTEM / SYSTEM, describe the effect that the hazardous condition may have on the
system element or its element subsystem in terms of safety (e.g. delay, inconvenience, injury, damage, fatality,
etc.)
• In HAZARD RISK INDEX, enter a combination of the qualitative measure of the worst potential consequence
resulting from the hazard, and its probability of occurrence (e.g., IA, MB, etc.), under the following conditions:
o In INITIAL, enter the designation for hazard risk index estimated prior to implementation of the
controlling measures, considering the condition of the subsystem element if no measures of
mitigation were applied.
o In RESIDUAL (PROJECTED), enter the designation for hazard risk index estimated following the
adoption/implementation of the proposed controlling measures. This may result in reduction of either
the probability of occurrence or the severity of the hazard, or both.
• In POTENTIAL CONTROLLING MEASURES AND REMARKS, describe the proposed measures of mitigation
that can be applied to prevent or reduce the severity and probability of the hazard under analysis.
• In RESOLUTION / RESOLUTION, describe changes made or steps taken relative to design and/or
procedures, training, etc., to eliminate or control the hazard. The identified reference should be as specific as
possible for verification purposes.
• In REMARKS, identify the date that the hazard was initially analyzed, any subsequent analysis, and other
items that support or describe the analysis process.
Site-Specific Hazard Analysis (SiSHA)
The SiSHA is conducted as the general design criteria and system requirements are applied to specific
system and subsystem elements within a defined geographic area. The standard SiSHA segment will be
one mile in length, but can be shorter if specialized conditions require. SiSHA is systemic in that it includes
ALL hazards and mitigations that are found within the segment under consideration, analyzing the
relationship between the various hazards and mitigations. SiSHA is performed when the final alignment is
identified during the Preliminary Engineering Phase and in advance of the Final Design, Construction, and
Testing/Startup Phases. The primary output of the SiSHA is a validation of the PHA mitigations in relation
to the segment under consideration, and the identification and evaluation of hazards and mitigations that
are specific to the segment under consideration.
The instructions and format for completing the SiSHA form are the same as for the PHA form.
Failure Mode and Effects Analysis (FMEA)
PURPOSE The purpose of the FMEA is to determine the results or effects
of item failures on a system operation and to classify each
potential failure according to its risk index (severity and
frequency of occurrence). The goal is to provide an early
identification of failures with unacceptable and undesirable risks
so that they can be eliminated or minimized through appropriate
actions at the earliest possible time.
PROCEDURE Variations in design complexity and available data will generally
dictate the analysis approach to be used. There are two primary
approaches for accomplishing an FMEA, the hardware approach
and the functional approach.
The hardware approach is normally used when hardware items
can be uniquely identified from schematics, drawings, and other
engineering and design data. The hardware approach is
normally utilized in a parts-level up fashion (bottom-up
approach), by listing individual hardware items and analyzing the
effect of their possible failure modes on the entire system and its
subsystems.
The functional approach is normally used when hardware items
cannot be uniquely identified or when system complexity
requires analysis from the initial indenture level downward
through succeeding indenture levels (top-down approach). The
functional approach recognizes that every item is designed to
perform a number of functions that can be classified as outputs.
The outputs are listed and their failure modes analyzed.
The FMEA may be performed as a hardware analysis, a
functional analysis, or a combination analysis depending on the
design detail available.
The FMEA will examine the system element by element, to
evaluate the system for safety hazards and ultimately to assess
risk. Each identified failure mode will be assigned a severity
classification. A probability of occurrence will also be assigned in
accordance with MIL-STD-882E. The resulting risk index will be
utilized during design to establish priorities for corrective actions.
The FMEA will be reviewed on a continuous basis to verify that
design modifications do not add hazards to the system.
To perform a FMEA, the following process should be
implemented:
• Identify all major system components, functions, and
processes
• Determine consequences of interest
• Determine the potential failure modes of interest
• Specify effects of failures of system
• Identify safety provisions to control hazards and failures
• Identify detection methods for failures
• Establish overall significance of each failure
RESULTS The FMEA will provide information to evaluate identified hazards,
identify safety critical areas and provide inputs to safety design
criteria and procedures with provisions and alternatives to
eliminate or control all unacceptable and undesirable hazards
based on their combination of severity and probability of
occurrence, and to identify critical items.
DOCUMENTATION Document the analysis to show compliance with specified
system safety requirements and to track the corrective action.
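The PHA form's INITIAL and RESIDUAL (PROJECTED) hazard risk index fields described earlier and the FMEA's severity/probability classification above both come down to the same bookkeeping: combine a severity category with a probability level, look the pair up in an acceptance matrix, and order the open items worst first so corrective actions can be prioritized. The Python below is an added illustration of that bookkeeping, not code from the Authority or its SSMP. The severity categories and probability levels follow the MIL-STD-882 pattern the text refers to; the acceptance matrix and the sample hazard records are constructed assumptions, since this appendix does not reproduce the Authority's own matrix.

```python
"""Hazard risk index bookkeeping for PHA/FMEA worksheets.

Added illustration only. The acceptance matrix and the hazard records below
are CONSTRUCTED assumptions, not the Authority's matrix or any real CHSRS hazard.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity categories, worst first (MIL-STD-882 style Roman numerals).
SEVERITY = {"I": "Catastrophic", "II": "Critical", "III": "Marginal", "IV": "Negligible"}
# Probability levels, most likely first.
PROBABILITY = {"A": "Frequent", "B": "Probable", "C": "Occasional", "D": "Remote", "E": "Improbable"}

# ASSUMED acceptance matrix: row = severity, columns = probability A..E.
# A real program takes this table from its SSMP; these values are illustrative only.
_ACCEPTANCE = {
    "I":   ["Unacceptable", "Unacceptable", "Unacceptable", "Undesirable", "Acceptable with review"],
    "II":  ["Unacceptable", "Unacceptable", "Undesirable", "Undesirable", "Acceptable with review"],
    "III": ["Undesirable", "Undesirable", "Acceptable with review", "Acceptable with review", "Acceptable"],
    "IV":  ["Acceptable with review", "Acceptable with review", "Acceptable", "Acceptable", "Acceptable"],
}


def risk_index(severity: str, probability: str) -> str:
    """Combine a severity category and a probability level into a code such as 'IA'."""
    if severity not in SEVERITY:
        raise ValueError(f"unknown severity category {severity!r}")
    if probability not in PROBABILITY:
        raise ValueError(f"unknown probability level {probability!r}")
    return severity + probability


def split_index(index: str) -> Tuple[str, str]:
    """Split 'IIIC' into ('III', 'C'), validating both parts."""
    severity, probability = index[:-1], index[-1]
    risk_index(severity, probability)
    return severity, probability


def classify(index: str) -> str:
    """Look the index up in the acceptance matrix."""
    severity, probability = split_index(index)
    return _ACCEPTANCE[severity][list(PROBABILITY).index(probability)]


def requires_action(index: str) -> bool:
    """Unacceptable and undesirable risks must be eliminated or reduced."""
    return classify(index) in ("Unacceptable", "Undesirable")


def rank(index: str) -> Tuple[int, int]:
    """Sort key: lower tuples are worse; severity outranks probability."""
    severity, probability = split_index(index)
    return (list(SEVERITY).index(severity), list(PROBABILITY).index(probability))


@dataclass
class HazardRecord:
    no: str
    hazard: str
    initial: str                    # risk index before any controlling measures
    controls: str
    residual: Optional[str] = None  # projected index after controls; None = not yet assessed

    def projected(self) -> str:
        return self.residual or self.initial

    def is_mitigated(self) -> bool:
        """True when the projected residual risk no longer requires action."""
        return not requires_action(self.projected())


def prioritize(records: List[HazardRecord]) -> List[HazardRecord]:
    """Open records ordered worst first, so corrective actions can be scheduled."""
    open_records = [r for r in records if requires_action(r.projected())]
    return sorted(open_records, key=lambda r: rank(r.projected()))


# Constructed sample worksheet entries (not real CHSRS hazards).
SAMPLE = [
    HazardRecord("TC-001", "Loss of train separation", "IB",
                 "Automatic train control enforces movement authorities; fail-safe braking", "IE"),
    HazardRecord("RS-007", "Onboard fire during tunnel transit", "IC",
                 "Fire-rated materials, detection, ventilation strategy", "ID"),
    HazardRecord("INF-004", "Trespasser access to right-of-way", "IIC",
                 "Perimeter fencing and intrusion detection", "IIC"),
    HazardRecord("COM-012", "Loss of passenger information display", "IVB",
                 "None proposed", None),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.no}: initial {r.initial} ({classify(r.initial)}), "
              f"projected {r.projected()} ({classify(r.projected())})")
    print("open, worst first:", [r.no for r in prioritize(SAMPLE)])
```

Because `rank` compares severity before probability, a Catastrophic/Remote item (ID) is scheduled ahead of a Critical/Occasional one (IIC) even though the latter is more likely; that is the ordering a severity-first matrix implies, and a program that wants a different policy changes only the key.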
Fault Tree Analysis (FTAn)
PURPOSE The Fault Tree Analysis (FTAn) is a deductive procedure used
to determine the various combinations of hardware and software
failures and human errors that could cause undesired events
(referred to as top events) at the system level. The FTAn has
much use because of its ability to distinguish between those
events that must occur (represented by an AND gate) and those
that simply can occur (represented by an OR gate) in order for
the top event to occur. The analysis thus helps to identify
potential causes of system failures before the failures actually
occur. The deductive analysis begins with a general conclusion,
then attempts to determine the specific causes of the conclusion
by constructing a logic diagram called a fault tree. After
completing an FTAn, efforts can be directed to improve system
safety.
PROCEDURE The FTAn will be conducted on unresolved, undesirable, or
unacceptable hazards identified in other safety analyses.
The following procedure will be used to do a comprehensive FTAn:
1. Define the undesirable/unacceptable hazard, and write
down the top level event.
2. Using technical information and professional
judgments, determine the possible reasons for the top
level event to occur. These are level two elements
because they fall just below the top level event in the
tree.
3. Continue to break down each element with additional
gates to lower levels. Consider the relationships
between elements to help decide proper selection of
the logic gate.
4. Finalize and review the complete diagram. The chain
can only be terminated in a basic fault: human,
hardware, or software.
5. If possible, evaluate the probability of occurrence for
each of the lowest level elements and calculate the
statistical probabilities from the bottom up.

RESULTS The information charted on a fault tree provides a qualitative
analysis by demonstrating how specific events will affect an
outcome. If probability data is known for these events, then the
FTAn can also provide quantitative information to further
evaluate the likelihood of achieving the top event. Once
developed, the fault areas that are responsible for yielding an
undesired event can be further evaluated.

DOCUMENTATION Document the analysis to show compliance with specified
system safety requirements and to track the corrective action.
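The five-step procedure above ends with calculating probabilities from the bottom up, and the RESULTS paragraph notes that the tree also shows which combinations of faults lead to the top event. As an added example (not from any Authority analysis), the Python below builds a small constructed fault tree, evaluates AND gates as the product of their inputs and OR gates as one minus the product of the complements (assuming the basic events are statistically independent), and enumerates the minimal cut sets, i.e. the smallest combinations of basic faults that suffice for the top event. Every event name and probability here is invented for illustration.

```python
"""Bottom-up fault tree evaluation with minimal cut sets.

Added illustration only. The tree, event names and probabilities are
CONSTRUCTED for this example and are not taken from any CHSRS analysis.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Union


@dataclass(frozen=True)
class BasicEvent:
    name: str
    probability: float  # assumed probability of the basic fault per demand


@dataclass
class Gate:
    name: str
    kind: str    # "AND": all inputs must occur; "OR": any one input suffices
    inputs: list


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Step 5 of the procedure: combine probabilities from the bottom up,
    treating the basic events as independent."""
    if isinstance(node, BasicEvent):
        return node.probability
    child = [probability(c) for c in node.inputs]
    if node.kind == "AND":
        p = 1.0
        for x in child:
            p *= x
        return p
    if node.kind == "OR":
        q = 1.0                 # probability that none of the inputs occurs
        for x in child:
            q *= 1.0 - x
        return 1.0 - q
    raise ValueError(f"unknown gate kind {node.kind!r}")


def _minimize(sets) -> List[frozenset]:
    """Drop any cut set that is a superset of another one."""
    unique = set(sets)
    return sorted((s for s in unique if not any(o < s for o in unique)),
                  key=lambda s: (len(s), sorted(s)))


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest combinations of basic events that are sufficient for the top event."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        sets = [s for cs in child_sets for s in cs]
    elif node.kind == "AND":
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return _minimize(sets)


def basic_events(node: Node) -> List[BasicEvent]:
    if isinstance(node, BasicEvent):
        return [node]
    return [e for c in node.inputs for e in basic_events(c)]


def rare_event_bound(node: Node) -> float:
    """Sum of the cut-set probabilities: an upper bound on the exact top-event value."""
    events = {e.name: e.probability for e in basic_events(node)}
    total = 0.0
    for cs in minimal_cut_sets(node):
        p = 1.0
        for name in cs:
            p *= events[name]
        total += p
    return total


# Constructed tree: a train departs a platform with a door still open only if
# a door fails to close AND the interlock fails to hold the train.
DOOR_JAM = BasicEvent("door_mechanism_jam", 1e-3)
OBSTRUCTION = BasicEvent("obstruction_not_detected", 2e-3)
SENSOR = BasicEvent("interlock_sensor_fault", 1e-4)
OVERRIDE = BasicEvent("manual_override_used", 1e-2)
PROCEDURE = BasicEvent("override_procedure_not_followed", 1e-1)

TOP = Gate("departure_with_door_open", "AND", [
    Gate("door_not_closed", "OR", [DOOR_JAM, OBSTRUCTION]),
    Gate("interlock_fails_to_hold_train", "OR", [
        SENSOR,
        Gate("unsafe_override", "AND", [OVERRIDE, PROCEDURE]),
    ]),
])

if __name__ == "__main__":
    print(f"P(top) = {probability(TOP):.4e}")
    print(f"rare-event bound = {rare_event_bound(TOP):.4e}")
    for cs in minimal_cut_sets(TOP):
        print("cut set:", sorted(cs))
```

The cut-set listing is the qualitative result the text describes: it shows directly that the single-point failure on the interlock side (the sensor fault) is paired with either door fault, which is where a reviewer would look first for a design change. The rare-event bound is the usual approximation for small probabilities and must never fall below the exact value, which the test checks.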
Interface Hazard Analysis (IHA)
PURPOSE The IHA identifies and assesses existing or potential hazards
between subsystems and systems and their effect on overall
System safety and operations. The emphasis is on interfaces.
Through the early identification of existing or potential hazards,
corrective action(s) can be taken to eliminate or control
unacceptable and undesirable hazards, based on the
combination of their hazard severity and probability of
occurrence.

PROCEDURE The IHA is conducted on the critical interrelationships of each
subsystem and system to determine the cause and effect of
possible independent, dependent and simultaneous failures that
could present a hazardous condition, including failures of safety
devices. When the IHA indicates a potential problem, it is made
known to the responsible engineer in order to initiate a design
review. The IHA will be reviewed on a continuous basis to verify
that design modifications do not add hazards to the system.
RESULTS The IHA provides for the identification and correction of possible
hazards associated with subsystem and system failures. The
IHA provides inputs to design reviews, maintainability, reliability
and system safety and system operations.
DOCUMENTATION Document the analysis to show compliance with specified
system safety requirements and to track the corrective action.
Operating Hazard Analysis (OHA)
PURPOSE The purpose of the OHA is to identify and analyze hazards
associated with personnel and procedures during production,
installation, testing, training, operations, maintenance and
emergencies.
PROCEDURE The OHA will be conducted on all tasks and human actions,
including acts of omission and commission, by persons
interacting with the system, subsystems and assemblies at any
level. When the OHA indicates a potential safety hazard, it will
be made known to the responsible engineer, in order to initiate a
design review or a system safety working group action item. The
OHA will be reviewed on a continuous basis to provide for design
modifications, procedures, testing, etc., that do not create
hazardous conditions.
RESULTS The OHA will provide for corrective or preventive measures to be
taken to minimize the possibility that any human error or
procedure will result in injury or system damage. The OHA will
provide inputs for recommendations for changes or
improvements in design or procedures to improve efficiency and
safety, development of warning and caution notes to be included
in manuals and procedures, and the requirement of special
training of personnel who will carry out the operation and
maintenance of the system.

DOCUMENTATION Document the analysis to show compliance with specified
system safety and operational requirements.
Software Hazard Effects Analysis (SHEA)
PURPOSE The Software Hazard Effects Analysis (SHEA) is a software design
evaluation and validation tool used to identify errors generated from
incorrect or inadequate specifications of software functions. A software fault
causing a resultant harmful system function is a software hazard.
Software faults can be described in three forms:
• Error generated through coding the software
• Faults due to incorrect software specifications implemented by the
function developer
• Faults due to hardware failures that affect changes in coding
software
A software hazard can be any of four types:
• An undesired signal causing an unwanted event
• An undesired signal causing an out-of-sequence event in the
response
• An undesired signal preventing the occurrence of a necessary
action or response
• An undesired signal causing an event to be out of tolerance
The SHEA concentrates on potential safety problem areas in the software.
The purpose of the SHEA is to provide an early study of the software design
for possible hazards and to initiate appropriate actions to eliminate/control
hazards.
PROCEDURE The initial step in the analysis is to identify the safety critical areas of the
system and their functional paths. These paths may contain hardware as
well as software elements. Focus the analysis on the software functions
within each system functional flow path. Whether the coded instructions are
stored in software or firmware, analysis of the system in question for
hazardous occurrences should include an analysis of the stored coded
instructions.
The SHEA will be conducted on identified software fault conditions, and will
proceed from a qualitative to a quantitative analysis as the design develops.
When the SHEA indicates a potential problem, it will be made known to the
responsible engineer in order to initiate proper action. The SHEA will be
reviewed on a continuous basis to verify that software design modifications
do not add hazards to the system.
The SHEA should be developed in conjunction with FMEA.
RESULTS The SHEA will provide information to evaluate identified software related
hazards, identify safety critical areas in software design and provide inputs
to safety design criteria and procedures. The latter will include provisions
and alternatives to eliminate or control all unacceptable and undesirable
software related hazards based on their combination of severity and
probability of occurrence, and to identify critical items.
DOCUMENTATION Document the analysis to show compliance with the specified system safety
requirements and to track the corrective action.
