

Technical Note - TN 037: 2015
© State of NSW through Transport for NSW Page 1 of 1
For queries regarding this document [email protected]
www.asa.transport.nsw.gov.au

Issued date: 24 June 2015
Effective date: 24 June 2015

Subject: Update to TS 20001 System Safety Standard for New or Altered Assets

This technical note is issued by the Asset Standards Authority to notify the change to Section 6.6, related to accountability for engaging an independent safety assessor (ISA), in TS 20001 System Safety Standard for New or Altered Assets, V1.0.

Replace paragraph 3 in Section 6.6 AEO relationships with the following:

For changes assessed as 'safety significant' the responsible Principal Authorised Engineering Organisation is required to develop the operational safety argument for integration of the change into the rail network. An independent assessment of the operational safety argument shall be conducted by a competent independent safety assessor. TfNSW determines whether to appoint the independent safety assessor itself or to direct the Principal Authorised Engineering Organisation to appoint the ISA.

Authorisation:
Technical content prepared by: Richard Adams, Manager Safety and Risk Assurance
Checked and approved by: Andy Tankard, Principal Manager Safety Quality Environment and Risk
Interdisciplinary coordination checked by: Andy Tankard, Principal Manager Safety Quality Environment and Risk
Authorised for release: Ken Kwan, A/Principal Manager Network Standards and Services

Superseded by T MU MD 20001 ST v1.0, 20/12/2016


TS 20001: 2013
Management standard
System Safety Standard for New or Altered Assets
Version 1.0
Issued Date: 24 June 2013
Effective Date: 1 July 2013

Important Warning
This document is one of a set of standards developed solely and specifically for use on the rail network owned or managed by the NSW Government and its agencies. It is not suitable for any other purpose. You must not use or adapt it or rely upon it in any way unless you are authorised in writing to do so by a relevant NSW Government agency. If this document forms part of a contract with, or is a condition of approval by, a NSW Government agency, use of the document is subject to the terms of the contract or approval. This document may not be current. Current standards are available for download from the Asset Standards Authority website at www.asa.transport.nsw.gov.au.

© State of NSW through Transport for NSW Page 1 of 30


Standard Approval
Owner: Manager Safety and Risk Assurance
Authorised by: Principal Manager Safety, Risk, Quality and Environment
Approved by: Director ASA

Document Control
Version 1.0: First Issue

For queries regarding this document [email protected]
www.asa.transport.nsw.gov.au


Preface

The Asset Standards Authority (ASA) develops, controls, maintains and publishes standards and documentation for transport assets for New South Wales. The ASA's publications include the network and asset standards for NSW Rail Assets, the requirements for condition, performance and maintenance reporting of assets, requirements for network safety assurance and safety-related processes for human factors integration, as well as configuration control processes.

This System Safety Standard for New or Altered Assets has been developed by the Asset Standards Authority establishment team and aims to provide requirements for the safety engineering and assurance activities that must be conducted when delivering a new or altered asset to TfNSW.

This document is a first issue, and is issued by the ASA without cancellation or replacement of any other Transport for NSW document.


Table of contents

1. Introduction ... 5
2. Purpose ... 5
2.1 Scope ... 5
2.2 Application ... 6
3. Reference documents ... 6
4. Terms and definitions ... 7
5. System safety governance ... 9
6. System safety context ... 9
6.1 Safety impact assessment ... 9
6.2 Consider operational context ... 9
6.3 Acceptance of new or altered assets ... 9
6.4 Safety risk criteria ... 11
6.5 Competence ... 11
6.6 AEO relationships ... 12
7. AEO system safety requirements ... 13
7.1 Change life cycle ... 13
7.2 System safety planning ... 13
7.3 Safety risk management ... 14
7.4 System hazard analysis ... 15
7.5 Interfaces ... 18
7.6 Human factors integration ... 18
7.7 Operational readiness ... 19
7.8 Management of change ... 20
7.9 Safety functions implemented by software ... 20
7.10 Defects recording and corrective action system ... 21
8. Safety assurance documentation requirements ... 22
8.1 System safety planning ... 22
8.2 Assurance gateways ... 22
8.3 Risk summary report ... 25
8.4 Operational safety argument ... 25
8.5 Independent safety assessment and due diligence ... 27
8.6 Changes to accreditation ... 28
8.7 Configuration management committee acceptance ... 29


1. Introduction

Under the Rail Safety (Adoption of National Law) Act 2012 and the Work Health and Safety Act 2011, Transport for New South Wales (TfNSW) and rail transport operators have duties to ensure so far as is reasonably practicable (SFAIRP) the safety of the rail network and its operations.

To achieve these duties the following must be carried out whenever new assets are introduced to the railway network, or existing assets are modified, upgraded or removed:

• identify, assess and manage the safety risks associated with the new or altered system or assets when operating as an integrated part of the network, as well as during the integration of the assets or modification into the network
• make sure the associated safety risks have been reduced to a level that is tolerable and As Low As Reasonably Practicable (ALARP)
• be able to provide sufficient evidence and argument that the new or altered system or asset is suitable and sufficient to support safe operations, and that in developing and integrating the asset into the railway network, safety has been ensured SFAIRP

The accountability for conducting these activities and providing assurance evidence rests with the Authorised Engineering Organisations (AEOs) delivering the new or altered system or asset.

2. Purpose

This System Safety Standard for New or Altered Assets describes the requirements placed upon Authorised Engineering Organisations to deliver safe changes to the network. It also provides the requirements for appropriate supporting assurance that enables Transport for New South Wales and rail transport operators to meet their duties under legislation.

The requirements are intended to make sure that the operators and TfNSW can meet their specific duties under the legislation to ensure the safety of the railway SFAIRP by relying on the assurance and evidence provided by the AEOs and the acceptance by the configuration management committee (CMC).

2.1 Scope

This standard sets out the requirements for system safety engineering and assurance activities to be conducted in support of the introduction of new or altered assets on to the rail network. This includes the following:

• the requirements against which Authorised Engineering Organisations must manage the integration of safety into new and altered assets and the delivery of safety assurance supporting these changes to the railway network


• requirements that enable the safety and risk acceptance of new or altered assets into the rail network by the CMC through the provision of suitable and sufficient safety assurance and risk assessment.

The standard supports the overall TfNSW process for safety acceptance but does not define that process. The TfNSW safety management system defines the safety acceptance process. This standard sets requirements for AEOs that ensure they are compliant with the acceptance process.

The standard is also consistent with the requirements of the TfNSW safety management system with respect to safety change management and safety risk management.

The requirements in this standard are not criteria that an organisation must meet to be authorised as an AEO; they are the requirements that should be followed by an AEO once authorised. The related criteria for authorisation are identified in the document AEO Authorisation Requirements.

2.2 Application

This standard applies to all changes that affect railway network assets or systems. It applies to all Authorised Engineering Organisations, their suppliers and other organisations involved in defining, designing, implementing, commissioning or integrating into the operating network new or altered assets or systems, or the decommissioning and disposal of assets. It also applies to changes to assets or provision of new assets by maintenance organisations authorised as an AEO.

This standard aligns with the AEO Guide to Engineering Management by following the life cycle defined there and developing the details of the requirements for system safety management and assurance.

3. Reference documents

The following standards and documents are relevant to the content of this standard:

International Standards
EN 50126:1999 Railway Applications – The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
EN 50128:2011 Railway Applications – Communication, signalling and processing systems – Software for railway control and protection systems
EN 50129:2003 Railway Applications – Communication, signalling and processing systems – Safety related electronic systems for signalling
European Common Safety Method – Commission Regulation (EC) 352/2009, 24 April 2009
IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)


Australian Standards
AS 4292.1-2006 Railway safety management Part 1: General requirements

TfNSW Standards
Safety Change Management Standard 20-ST-006
Safety Risk Management Procedure 30-PR-097
Safety Assurance Standard 40-ST-003
Safety Engineering Assurance Procedure 40-PR-004
Human Factors Standard 60-ST-017

ASA Documents
AEO Guide to Engineering Management 2158904
TfNSW Configuration Management Plan 2420365

NSW Legislation
NSW Rail Safety (Adoption of National Law) Regulations
NSW Work Health and Safety Act 2011 No.10
Rail Safety (Adoption of National Law) Act 2012

4. Terms and definitions

The following definitions apply in this document:

AEO: Authorised Engineering Organisation

ALARP: as low as reasonably practicable

as low as reasonably practicable: for a safety risk to be ALARP it shall be possible to demonstrate that the cost involved in reducing the risk further would be grossly disproportionate to the benefit gained. In order for a risk to be accepted it shall be demonstrated to have been reduced to a level justified as ALARP and shall be tolerable. Hence the term 'tolerable and ALARP' is used throughout this document.

ASA: Asset Standards Authority

Authorised Engineering Organisation: a supplier of a defined engineering service or product that has been assessed and granted AEO status by TfNSW

CMC: configuration management committee

development and implementation: the life cycle phases from feasibility to entry to operation in the context of the introduction of new or altered assets to the rail network

FMECA: failure mode, effect and criticality analysis


HAZOP: hazards and operability study

independent safety assessment: a series of assessment and audit activities of the safety management, safety engineering and safety assurance activities, processes and deliverables, conducted by a suitably qualified and experienced team

ISA: independent safety assessor

new or altered assets: the changes made to the rail network other than those as a result of maintenance activities, including decommissioning and removal of assets from the rail network. Maintenance activities are considered those made by AEOs with authorisation for maintenance activities and conducted under that authorisation scope.

operational safety argument: a structured documented safety argument providing explicit assurance of the safety of a system within its intended operational environment

operator: for the purposes of this document means the rail transport operator or rolling stock operator

PHA: preliminary hazard analysis

PMO: project management office

PPD: Planning and Programs Division of Transport for New South Wales

project management office: the organisation managing procurement of the change

RIM: rail infrastructure manager

RSO: rolling stock operator

SMS: safety management system

SFAIRP: so far as is reasonably practicable

so far as is reasonably practicable: to achieve the best possible safety outcomes, to the extent that is 'reasonably practicable' (source: National Rail Safety Regulator – Meaning of Duty to Ensure Safety So Far As is Reasonably Practicable). In this document SFAIRP refers to the legal duty to manage safety, whereas ALARP refers to the management of safety risk to the lowest reasonably practicable level.

system safety: the concurrent application of a systems based approach to safety engineering and of a risk management strategy covering the identification and analysis of hazards and the elimination, control or management of those hazards throughout the life cycle of a system or asset

TfNSW: Transport for New South Wales

TPD: Transport Projects Division of Transport for New South Wales

validation: the process of ensuring that the final product conforms to defined client requirements

verification: the process carried out to ensure that the output of a design stage, or stages, meets the design stage input requirements


5. System safety governance

The TfNSW configuration management committee (CMC) is the safety and risk acceptance authority for the rail network. The requirements in this document must be followed in order to gain TfNSW CMC acceptance of a new or altered asset to enable it to enter operation on the rail network.

Where a number of Authorised Engineering Organisations (AEOs) or other organisations are involved in a change, all are required to comply with this standard under the direction of the nominated principal AEO, which has accountability for delivering appropriate safety assurance with the change that is integrated into the network.

6. System safety context

6.1 Safety impact assessment

TfNSW's Planning and Programs Division (PPD) will undertake an assessment of the safety impact of introducing new or altered assets to the rail network prior to awarding contracts to AEOs or other organisations for development and/or implementation of the proposed change. The principal AEO will be advised of the assessment outcome. This impact assessment is required and defined by the TfNSW safety management system document, Safety Change Management Standard (20-ST-006).

The assessment will consider the complexity, novelty and failure consequences of the change. There are two levels of change: safety significant or minor. Throughout this standard, requirements are identified as applicable to either or both levels of change.

Typically a safety significant change will include, but not be limited to, the introduction of new rolling stock, extensions to the network, changes to the signalling system, and the introduction of systems novel to the NSW rail network.

6.2 Consider operational context

Authorised Engineering Organisations and other organisations involved in introducing new or altered assets to the network must recognise that the asset or system will be part of an operating system including interfaces to passengers, operating staff, the general public and other workers. It is therefore essential that the application of this standard includes consideration of the asset or system in its operating context and not just as a physical system.

6.3 Acceptance of new or altered assets

In order for both TfNSW as a Rail Infrastructure Manager (RIM), and the rail operator, to satisfy their duties under the Rail Safety (Adoption of National Law) Act 2012 and the Work Health and Safety Act 2011, they must do everything SFAIRP to ensure the safety of the railway network.


When a change is made to the network through the introduction of new or altered assets, TfNSW and the operator must jointly assure themselves that the development and implementation of the change has identified and managed safety risk to tolerable and ALARP. They must also assure themselves that everything SFAIRP has been done in developing and integrating the asset into the railway network to ensure the safety of the network for the operational life of the asset. The TfNSW acceptance process considers the safety assurance provided in support of the proposed change and, for significant changes, seeks appropriate due diligence through professional independent safety assessment.

The acceptance body for any proposed change within TfNSW is the CMC. The CMC reviews and accepts any configuration change to the rail network before the change may affect the operating railway. In making this acceptance the CMC confirms that all safety risks are reduced to tolerable and ALARP, and are tolerable for operation within the network. Note that for lower risk changes the configuration management committee may delegate acceptance to an appropriate configuration control board (CCB).

6.3.1 Acceptance of safety significant changes

In order to enable the CMC to accept a safety significant change, the principal Authorised Engineering Organisation shall provide the following to the configuration management committee for consideration:

• a system safety plan
• an operational safety argument
• an independent safety assessment

A system safety plan details the tasks and activities that support the development of a safe system and the identification and management of safety risks to SFAIRP, and provides suitable and sufficient assurance of the safety of the system. This system safety plan is submitted to the configuration management committee for noting prior to the end of the 'system requirements and concept phase', and at other revisions of the plan.

The operational safety argument shall include the following:

• demonstration that suitable and sufficient safety management activities have been conducted to assure the safety of the change
• demonstration that safety has been ensured SFAIRP, including demonstration that the reliability, availability and maintainability of the new or altered asset have been ensured to be sufficient
• explicit description and assessment of all residual safety risks that TfNSW or the operator will be exposed to during the operating life of the asset, including demonstration that all safety criteria have been met, and that all safety risks are reduced to tolerable and ALARP. The owner of each risk shall be identified.


An independent safety assessment of the safety management of the change and of the safety case shall demonstrate support for the validity of the safety argument.

Safety significant changes will generally require an Authorised Engineering Organisation to gain acceptance at intermediate key gateways of the change. The project governance and assurance plan, to be developed by Transport Projects Division, Planning and Programs Division or an Authorised Engineering Organisation (if appointed and agreed by the configuration management committee) alongside the System Requirement Specification, will set out the acceptance arrangements and the delegated authority for acceptance at each intermediate project gateway. This should be in accordance with the TfNSW Railway Asset Configuration Management Plan.

6.3.2 Acceptance of minor changes

In order to enable the CMC to accept a minor change, the principal Authorised Engineering Organisation shall provide the configuration management committee or delegated configuration control board with a risk summary report that includes the following:

• a description of the key residual safety risks that TfNSW or the operator will be exposed to during the operating life of the asset
• evidence of appropriate independent validation during the development and implementation of the change

6.4 Safety risk criteria

The outcomes of safety risk assessments shall be expressed using the criteria of the owner of the risk in the rail operational environment.

The owner of the risk will generally be the rail operator, in which case residual safety risks shall be reported against the operator's published risk matrix. In some cases the risks will be owned by TfNSW, in which case the residual risks shall be expressed in terms of the TfNSW risk matrix.

In order to establish the owner of the safety risk in rail operations, the organisation undertaking the safety risk assessment shall engage all relevant stakeholders, subject matter experts, and external expertise.

When using TfNSW's or an operator's risk matrix, the organisation conducting the safety risk assessment shall take account of the means of demonstrating ALARP within the safety management system associated with the risk matrix.

6.5 Competence

Organisations which develop and implement changes require competent staff to exercise sound, professional judgements and successfully apply a systems approach to the management of safety significant change.


Competent safety management staff should meet the following criteria:

- demonstrated experience in the technical, operational or organisational field which the person is assessing
- demonstrated experience and knowledge of the application of the various methods and tools used in both system safety and reliability, availability and maintainability management, including the capability to interpret safety risk assessment results and make appropriate recommendations for managing and controlling the safety risks. Safety management tools might include preliminary hazard analysis (PHA), hazard and operability study (HAZOP), fault and event tree analysis, hazard log management, FMECA and goal structuring notation.

Human factors staff should have demonstrated experience, knowledge and qualifications in human factors integration in high reliability, high risk environments, for example safety related rail, nuclear or aviation environments.

The competence of the system safety resources used should be demonstrated within the

operational safety argument for safety significant changes.

6.6 AEO relationships

The strategy for developing the network within TfNSW sits with its Planning and Programs Division. The project management office (PMO) generally coordinates the introduction of new or altered assets to the rail network. When TfNSW has agreed to make a change to the rail network, the Transport Projects Division or the PMO will define the requirements and engage Authorised Engineering Organisations that are capable and competent to deliver the change.

The Authorised Engineering Organisation structure will vary according to factors such as the

complexity of the change, commercial optimisation, and the relative capabilities of the

Authorised Engineering Organisation. Generally either a single Authorised Engineering

Organisation will be appointed, or a principal Authorised Engineering Organisation which

manages the roles and activities of suppliers and other contributing organisations.

For changes assessed as 'safety significant' the responsible Principal Authorised Engineering

Organisation is required to develop the operational safety argument for integration of the

change into the rail network. The Principal Authorised Engineering Organisation shall appoint a

competent independent safety assessor (ISA) to conduct an independent assessment of the

operational safety argument.


For changes assessed as 'minor' the Principal Authorised Engineering Organisation shall lead

the safety risk assessment and deliver the assessment of residual safety risks to the

configuration management committee when acceptance of the new or altered assets is

required. The Principal Authorised Engineering Organisation shall ensure that appropriate

independent validation of safety related activities is conducted at key points in the development

and implementation life cycle.

7. AEO system safety requirements

7.1 Change life cycle

System safety activities shall be conducted in accordance with an appropriate life cycle. The

key objective of system safety is to ensure the integration of safety in operation into the design,

construction, implementation and commissioning of a change. This can only be achieved if

system safety activities are aligned to the engineering life cycle. The alignment also provides

progressive assurance, so there can be confidence that safety in operation has been integrated

into the system SFAIRP at each stage of the life cycle.

A principal AEO shall plan and implement a program of system safety activities which are

aligned with the engineering life cycle defined in AEO Guide to Engineering Management. The

program shall be proportional to the level of risk, ensure that operational safety is integrated into

the designed and delivered system and provide suitable and sufficient assurance of the

operational safety of the system.

7.2 System safety planning

System safety activities shall be planned so that they support the development of a suitably safe

system and provide the assurance needed to demonstrate the safety of the system. Planning of

safety activities also supports the application of robust safety management processes to the

development and implementation of the new or altered asset.

The planning should define how the hazard identification and management activities support the

development of the system through the identification, implementation, verification and validation

of safety requirements. It shall ensure that the system safety activities are aligned with the 'V'

life cycle so that system safety is properly integrated into the system engineering.

The planning process should also identify how human factors will be addressed by the

engineering of the system, and the human factors activities to be undertaken.

It is essential that the planning process addresses stakeholder consultation and reviews, that is,

how key stakeholders review and accept that the system is suitably safe at key milestones in

the life cycle. The planning process shall also identify the documentation and evidence that will

be prepared to assure the safety of the new or altered asset once operational.


7.3 Safety risk management

The key objectives of system safety are:

- to integrate safety into the design and development of new or altered assets such that the delivered systems are safe SFAIRP
- to deliver documented assurance supported by evidence demonstrating the safety of the delivered system

At the core of meeting both these objectives is safety risk management.

Authorised Engineering Organisations and suppliers shall implement a level of safety risk

management appropriate to the risks associated with the change.

For 'safety significant' changes a full program of safety risk management aligned with the

engineering life cycle shall be undertaken.

For 'minor' changes, safety risks shall be identified and fully managed. The safety risk

management process implemented by AEOs shall address the full intended operational life of

the new or altered asset or system.

The outcome of safety risk management is evidence that all safety risks are managed to

tolerable and ALARP.

Authorised Engineering Organisations shall employ suitable and sufficient hazard identification

and analysis techniques, and demonstrate this in the safety argument, risk summary report, or

other safety assurance documentation. All analysis results shall be documented and referred to

as evidence.

7.3.1 Hazard Identification

All reasonably foreseeable hazards shall be identified for both 'safety significant' and 'minor'

changes.

The principal AEO shall systematically and continually identify all reasonably foreseeable

hazards for the entire system under consideration, including all its functions and interfaces

across its full intended life.

Appropriate structured and systematic methodologies should be used, and shall incorporate

input from subject matter experts.

Hazard identification shall consider the following:

- the scope and boundary of the system and its operational interfaces
- all system modes of operation including degraded modes
- all potential locations where the system will be operated
- the potential for human error, including operator, maintainer, passenger or member of the public
- interfaces, both internal and external
- the environmental conditions
- all foreseeable failure modes for the system at the module, sub-system and system level, and their impact on safety
- previous performance of the asset
- other potential factors that are safety relevant to the system under consideration

All identified hazards shall be entered into the hazard log for management and assessment.

7.3.2 Hazard Log

A hazard log is a central repository of identified hazards that facilitates their management. The

hazard log also enables the transfer of safety risk to the operating environment of the new or

altered asset. Once transferred, the risks will be entered into the operational risk register of the

appropriate organisation for ongoing management through the operational life.

The principal Authorised Engineering Organisation shall develop and implement a suitable and

sufficient hazard management system that includes a hazard log.

The details of the hazard management system shall be documented in the system safety plan

for safety significant changes.

The principal Authorised Engineering Organisation shall ensure that all identified hazards are

entered into the hazard log and managed appropriately within the log.

The hazard log shall be the primary artefact for providing traceability within the safety risk

management process and assurance of the effective management of safety risk. It should

include traceability to all supporting evidence including verification and validation evidence

related to each safety requirement.

The hazard log shall be updated and maintained through the entire life cycle to make sure that it

accurately reflects safety risk management activities. The entire life cycle includes design,

development, implementation, commissioning and entry to operation phases.

Where subordinate Authorised Engineering Organisations or suppliers are required to manage

hazards, the principal Authorised Engineering Organisation shall develop a suitable and

sufficient methodology for management of hazards at each level of the system and sub-

systems, so that there is a clear demonstration that all safety risks in the top level hazard log

are managed to tolerable and ALARP.

7.4 System Hazard analysis

7.4.1 Causal analysis

In order to assign and demonstrate appropriate hazard control to tolerable and ALARP levels, it

is necessary to understand all the ways that hazards can be caused.


The potential causes of hazards shall be identified.

A systematic process of identifying the causes shall be undertaken.

Identified causes shall be entered into the hazard log and linked to the hazard.

7.4.2 Safety risk assessment

The Authorised Engineering Organisation shall conduct an assessment of the safety risk for

each identified hazard against the appropriate risk criteria. This shall include assessing the

severity of the consequences if the risk occurs, and the likelihood of that consequence

occurring.

When assessing the consequences, the worst-case credible consequence shall be used for the

risk assessment.

Related topic:

Safety risk criteria section 6.4

The Authorised Engineering Organisation shall consider appropriate safety controls for each

safety risk so that the safety risk is reduced to tolerable and ALARP.

When evaluating the suitability of controls, the hierarchy of controls shall be applied so that

safety risk or hazards are eliminated by design where this is reasonably practicable.

Where a hazard cannot be eliminated it shall be controlled to tolerable and ALARP, with

engineered controls preferred to administrative controls.

Where administrative controls are relied upon, this shall be done in conjunction with the

operator, to establish the feasibility and reasonable practicability of the control, and to make

sure that there is not an over-reliance on administrative means for reducing the risk.

The principal AEO shall set up governance arrangements for the review and closure of

identified safety risks and hazards. These arrangements should involve appropriate

stakeholders and subject matter experts in the review and closure of hazards.

The setting of the governance arrangements shall be cognisant of where the ownership of the

safety risk will reside in operation, and the acceptability of the residual risk to that ultimate

owner.

For 'safety significant' changes the operational safety argument shall demonstrate the

effectiveness of the hazard and safety risk management process.

7.4.3 Safety requirements and evidence

Safety requirements arise from a number of sources including legislation, requirements placed

on an Authorised Engineering Organisation, and the hazard identification and analysis process.

The principal AEO shall have a process for identifying and managing safety requirements throughout the asset life cycle, including the safety requirements derived from the hazard analysis.

Deriving safety requirements from the hazard analysis and incorporating them into the system

design is a key link between safety and engineering processes. The safety and hazard analysis

work shall be programmed in alignment with the engineering activities to ensure that resulting

safety requirements are integrated into the design enabling a design solution to be reached that

is safe SFAIRP.

Through the hazard analysis or apportionment of risk criteria, an integrity target shall be

assigned to each safety requirement.

The system for identifying and managing safety requirements through the asset life cycle shall

be capable of maintaining records to show traceability between each safety requirement and its

source. The risk controls arising from the safety risk management process should be treated as

safety requirements.

The Authorised Engineering Organisation shall provide complete and objective evidence that

each safety requirement and its integrity target has been met, either in the operational safety

argument for 'safety significant' changes, or the risk summary report for 'minor' changes.

The quantity and quality of the evidence that each safety requirement has been met shall be

commensurate with the degree of safety risk reduction resulting from the safety requirement.

For controls that provide significant risk reduction, or a control that is the single or principal control against a high consequence hazard, diverse evidence of meeting the safety requirement shall be provided, so that the safety argument is not compromised by uncertainty or errors in individual pieces of evidence. Reliance on single-point controls should be avoided.
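As an added illustration (not part of TS 20001 or of any TfNSW tooling), the following Python model applies the hazard log and evidence requirements of sections 7.3.2, 7.4.1, 7.4.2 and 7.4.3 to a constructed sample log: each hazard is linked to its causes, assessed against a risk matrix using the worst-case credible consequence, traced to its controls (treated as safety requirements with an integrity target) and to the verification evidence for each, and flagged where it relies only on administrative controls or where a single control against a high consequence hazard lacks diverse evidence. The 4x4 risk matrix, the tolerability threshold, the hazard identifiers and all evidence references are assumptions made up for the example; a real assessment must use the risk owner's published matrix (section 6.4).

```python
"""Hazard log traceability checker.

Added example (not part of TS 20001): a minimal hazard log model that applies
the checks of sections 7.3.2, 7.4.1, 7.4.2 and 7.4.3 over a constructed sample
log. The risk matrix, tolerability threshold and every hazard, control and
evidence item below are assumptions made up for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    MINOR = 1
    MAJOR = 2
    SEVERE = 3
    CATASTROPHIC = 4


class Likelihood(IntEnum):
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    FREQUENT = 4


# Hypothetical 4x4 risk matrix: rating = severity * likelihood, tolerable if <= 4.
TOLERABLE_MAX = 4
# Control kinds ranked by the hierarchy of controls (7.4.2); engineered is preferred.
ENGINEERED, ADMINISTRATIVE = "engineered", "administrative"


@dataclass
class Evidence:
    ref: str   # document or test reference (constructed)
    kind: str  # e.g. "analysis", "test", "procedure review"


@dataclass
class Control:
    req_id: str                # safety requirement identifier (7.4.3)
    kind: str                  # ENGINEERED or ADMINISTRATIVE
    integrity_target: str      # e.g. "SIL 2" or "n/a"
    evidence: list = field(default_factory=list)


@dataclass
class Hazard:
    hid: str
    description: str
    causes: list                 # 7.4.1: causes linked to the hazard
    worst_credible: Severity     # 7.4.2: worst-case credible consequence
    residual_likelihood: Likelihood
    controls: list


def risk_rating(h):
    """Residual risk rating from the (hypothetical) matrix."""
    return int(h.worst_credible) * int(h.residual_likelihood)


def check_hazard(h):
    """Return findings for one entry; an empty list means traceable and tolerable."""
    findings = []
    if not h.causes:
        findings.append(f"{h.hid}: no causes linked to hazard (7.4.1)")
    if risk_rating(h) > TOLERABLE_MAX:
        findings.append(f"{h.hid}: residual risk {risk_rating(h)} exceeds tolerable {TOLERABLE_MAX}")
    if not h.controls:
        findings.append(f"{h.hid}: no controls / safety requirements recorded")
    elif all(c.kind == ADMINISTRATIVE for c in h.controls):
        findings.append(f"{h.hid}: relies solely on administrative controls (hierarchy of controls)")
    high_consequence = h.worst_credible >= Severity.SEVERE
    for c in h.controls:
        if not c.evidence:
            findings.append(f"{h.hid}/{c.req_id}: safety requirement has no verification evidence")
            continue
        # A single control against a high-consequence hazard needs diverse evidence (7.4.3).
        if high_consequence and len(h.controls) == 1 and len({e.kind for e in c.evidence}) < 2:
            findings.append(f"{h.hid}/{c.req_id}: single control on high-consequence hazard lacks diverse evidence")
    return findings


def check_log(log):
    """Findings across the whole hazard log."""
    return [f for h in log for f in check_hazard(h)]


# Constructed sample hazard log (fictitious identifiers and references).
SAMPLE_LOG = [
    Hazard("HZ-001", "Train enters occupied section",
           ["interlocking logic fault", "track circuit failure"],
           Severity.CATASTROPHIC, Likelihood.IMPROBABLE,
           [Control("SR-001", ENGINEERED, "SIL 4",
                    [Evidence("FTA-12", "analysis"), Evidence("FAT-07", "test")]),
            Control("SR-002", ADMINISTRATIVE, "n/a",
                    [Evidence("RULE-3.4", "procedure review")])]),
    Hazard("HZ-002", "Platform gap trips passenger", [],
           Severity.MAJOR, Likelihood.OCCASIONAL,
           [Control("SR-010", ADMINISTRATIVE, "n/a", [])]),
    Hazard("HZ-003", "Loss of door obstruction detection", ["sensor fault"],
           Severity.SEVERE, Likelihood.IMPROBABLE,
           [Control("SR-020", ENGINEERED, "SIL 2", [Evidence("TST-44", "test")])]),
]

if __name__ == "__main__":
    for finding in check_log(SAMPLE_LOG):
        print(finding)
```

Running the block prints the findings for the sample log: the compliant entry HZ-001 produces none, HZ-002 shows a missing cause, an intolerable residual rating, sole reliance on an administrative control and an unevidenced requirement, and HZ-003 shows a single control on a high consequence hazard backed by only one kind of evidence. The same checks are what a hazard log review or an independent safety assessor would expect to see closed before a gateway.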

7.4.4 Safety risks in commissioning

Where system testing is to be conducted on the operational railway, it is necessary to assure

the safety of the network during testing. The Authorised Engineering Organisation responsible

for testing and commissioning shall conduct hazard identification and safety risk assessment for

all commissioning activities that may affect the integrity or operation of the rail network.

The hazards identified as possibly affecting the integrity or operation of the rail network during

testing and commissioning shall be documented and managed within a hazard log, and shown

to be managed to tolerable and ALARP.

Prior to commencing testing activities, acceptance of the test program shall be obtained from

the configuration management committee.

In order to facilitate acceptance of the test program by the CMC or delegated configuration

control board, the Authorised Engineering Organisation responsible for commissioning shall

present a commissioning safety report to the CMC. The report shall provide evidence that all

safety risks associated with commissioning have been identified and managed to tolerable and

ALARP.


Before presenting a commissioning safety report to the CMC or CCB, the principal Authorised

Engineering Organisation shall have gained input from stakeholders, and demonstrated that key

stakeholders and risk owners support the testing activities based on the assurance provided.

7.4.5 De-commissioning

Any de-commissioning activity shall be treated as a change to the network, and system safety

applied in the same way as a new or altered asset.

7.5 Interfaces

Poorly managed interfaces are a common source of safety risk. The principal AEO shall

demonstrate its approach for managing interfaces and document it in the system safety plan for

'safety significant' changes.

An Authorised Engineering Organisation's approach for managing interfaces shall include

external and internal system interfaces and include identification and management of safety

risks associated with integration of sub-systems into the overall system.

The principal Authorised Engineering Organisation shall ensure that all safety risks at interfaces

are identified and managed appropriately.

The principal Authorised Engineering Organisation shall demonstrate that safety at the interface

is ensured SFAIRP and that safety risks associated with interfaces are identified and managed

to tolerable and ALARP.

Authorised Engineering Organisations shall demonstrate that all possible activities and actions

to ensure the safety of interfaces have been undertaken SFAIRP.

Safety requirements associated with the interfaces shall be identified, documented and

implemented. The network architecture provides details of interfaces within the network and,

where available, should be used as a source of information when managing the safety of

interfaces.

Authorised Engineering Organisations shall demonstrate that the safety of interfaces has been managed right through to entry to operation, as well as in the operational controls and maintenance requirements for the operational life of the asset or system.

There shall be appropriate evidence of a 'handshake' across each interface.

Where subordinate Authorised Engineering Organisations or suppliers require information to

meet a particular safety requirement, the principal Authorised Engineering Organisation shall

identify and provide the necessary information to allow interfaces between sub-systems or

elements of the system to be safely implemented and demonstrated to be safe.

7.6 Human factors integration

Human factors shall be integrated into the design and development process of new or altered assets in order to minimise safety risk from the possibility of human error by:

- ensuring human characteristics are accounted for in the design or re-design of new and existing systems and equipment
- identifying the issues which may cause or contribute to human errors
- conducting activities and applying controls to reduce likelihood and consequences

The integration of human factors offers other additional benefits such as saving time and

money. By considering human factors in system design before development, construction,

maintenance or disposal, the need to redesign at a later stage is reduced, and reliability

improved by supporting systems to be error tolerant, and easy to use and maintain.

For all changes, the principal AEO shall implement human factors integration by performing the following:

- establish a human factors issues register or ensure the issues are tracked in another appropriate register
- conduct a preliminary human factors analysis to identify issues
- document the identified human factors issues in the appropriate register
- update and manage the appropriate register throughout the project

7.7 Operational readiness

A key element of assuring the operational safety of a new or altered asset is the demonstration

that the operator is ready to operate the asset within the operational environment.

The principal AEO is accountable for assuring operational readiness. The operator and

maintainer will conduct operational readiness activities to ready their network for the new or

altered asset. They will ensure adequate resources, training and procedures are in place for

safe operation.

The principal AEO shall work closely with the operator and maintainer to make sure that the

operator and maintainer fully understand what is required for the new or altered asset or system

to be operated. The AEO also needs to understand the requirements of the operator and

maintainer in terms of information and evidence to support their operational readiness activities.

The AEO shall engage with all relevant stakeholders to gain assurance that the operator and

maintainer are operationally ready for the new or altered system to enter operations within the

network.

The AEO shall provide evidence of this operational readiness, either in the operational safety

argument for 'safety significant' changes, or in the risk summary report for 'minor' changes.


7.8 Management of change

Within any project there will be changes from time to time that can potentially impact safety. It is

important that such changes are managed appropriately and that their impact on safety is

understood. Such changes may occur once the design is predominantly complete and

implementation is in progress. It may be necessary to change the design to address specific

implementation issues. It is important to control change so that the assurance of the designed

system remains valid.

The principal Authorised Engineering Organisation shall establish and maintain a change

control system so that the impact of any planned or unplanned change is identified and

assessed for its impact on safety.

Where the impact assessment finds it necessary, remedial action shall be taken to ensure the

safety of the system.

7.9 Safety functions implemented by software

Software is used in many rail systems to implement safety functional requirements. Where an

Authorised Engineering Organisation is designing or supplying a system that may involve

software implementing safety related functions, these functions need to be appropriately

managed and assured.

In order to manage and assure the safety of systems that involve software, the Principal

Authorised Engineering Organisation shall allocate a safety integrity level (SIL) to each safety-

related function.

During the verification and validation stages, the Authorised Engineering Organisation shall

demonstrate that the SIL for each safety-related function has been achieved by suitable means.

The Asset Standards Authority recommends that Authorised Engineering Organisations adopt

the approach defined in EN 50128:2011 Railway applications. Communication, signalling and

processing systems. Software for railway control and protection systems .

7.9.1 Safety integrity levels

The safety integrity levels (0 to 4) to be used are those defined in EN 50128:2011 Railway applications – Communication, signalling and processing systems – Software for railway control and protection systems, and EN 50129:2003 Railway applications – Communication, signalling and processing systems – Safety related electronic systems for signalling.

7.9.2 Safety integrity level allocation

Initial safety integrity level (SIL) allocation shall be made during the system requirements and

concept phase of a project to understand the SILs that key systems may need to achieve. This

supports the planning of engineering and safety assurance activities.


A SIL allocation shall occur early in the preliminary design phase. As the detailed requirements

are derived, SIL targets should be assigned to each safety function. A preliminary hazard

analysis (PHA) or similar hazard identification and risk analysis is required as a precursor to the

SIL allocation process.

7.9.3 Assurance of safety integrity level compliance

Throughout the critical design phase, and during the inspection and test, and commissioning

phases, the software development process shall be validated as complying with the required

target SIL.

Appropriate assurance shall be provided to support the validation of safety integrity level

compliance.

For safety functions with SIL ratings of SIL 1 to SIL 4, the collation of evidence used to assure

compliance with the SIL shall be started as early as possible in the project life cycle.

The organisation responsible for the software development, or having the software developed

for integration into the overall system, shall provide the assurance of safety integrity level.

Where a commercial off the shelf system implements safety functions in software, a suitable

and sufficient argument shall be developed to provide assurance that these functions are

implemented to the necessary level of integrity.

The principal Authorised Engineering Organisation shall ensure that suitable due diligence of

the assurance of functions implemented by commercial software is undertaken to support the

operational safety argument to be presented to the configuration management committee for

acceptance.

7.10 Defect recording and corrective action system

The principal Authorised Engineering Organisation shall operate a process for identifying

defects or failures including human errors, and assessing the impact on safety.

Where the impact assessment finds it necessary, remedial action shall be taken to ensure the

safety of the system.


8. Safety assurance documentation requirements

8.1 System safety planning

8.1.1 Planning for safety significant changes

For 'safety significant' changes, the principal Authorised Engineering Organisation responsible

for that change shall prepare a system safety plan prior to commencing any design activities

related to the new or altered asset. The plan should be regularly reviewed to ensure it is current

and accurate. It is recommended that the plan is formally reviewed at least every six months.

For long life cycle changes, it is recommended that the plan is updated at each life cycle

gateway, to detail the system safety activities for the forthcoming phases.

The system safety plan shall fulfil the following requirements:

- set out the safety management arrangements for the design, development, implementation and commissioning of the new or altered asset or system
- describe the system safety activities to be undertaken and schedule them so that the outcomes of the safety activities are incorporated into the design
- describe the documentation and evidence to be produced, and the timing in the life cycle for delivery of that evidence
- be auditable so that an independent safety assessor can readily assess and assure that the planned activities are conducted

The system safety plan shall be submitted to the configuration management committee for

noting prior to design activities commencing.

8.1.2 Planning for minor changes

For 'minor' changes, the principal Authorised Engineering Organisation shall include in its

engineering management plan, the safety risk management activities that will be conducted and

the safety management arrangements for the introduction of the new or altered assets into the

rail network.

8.2 Assurance gateways

The Asset Standards Authority management standard AEO Authorisation Requirements states

the following mandatory requirement:

"The AEO shall demonstrate engineering assurance progressively

based on stage gateway reviews "

As safety assurance is integrated with engineering assurance, this AEO requirement means

that AEOs shall continually demonstrate safety assurance for each staged gateway review.

The AEO Guide to Engineering Management describes the TfNSW system life cycle model and sets out the life cycle baseline gateways.

Figure 1 shows the safety acceptance requirements within the configuration management

committee process. It identifies the submissions to be made at each project gateway.

The acceptance authority at each delegated governance gateway is as defined in the

Assurance and Governance Plan prepared by Transport Projects Division or the PMO, and

agreed by the configuration management committee alongside the System Requirement

Specification.

The principal Authorised Engineering Organisation is accountable for providing suitable and

sufficient assurance at each gateway. It is also accountable for ensuring that all relevant

stakeholders acknowledge the presented assurance as being 'suitable and sufficient' to provide

the necessary level of confidence that the final new or altered asset will be safe to be accepted

into operation in the network.

At each gateway, agreement shall be reached with all stakeholders that, for that point in the system development, all reasonably practicable activities and actions have been conducted to ensure safety.

All associated safety risks shall have been identified and managed so there is a high degree of confidence that the final residual risk can be demonstrated to have been reduced to tolerable and ALARP.

The principal Authorised Engineering Organisation shall not allow progress through a gateway unless sufficient evidence exists and is presented to support this position, and the delegated acceptance authority accepts the presented assurance.

For 'safety significant' changes, an independent safety assessor shall provide a summary report at the preliminary design review, a design independent safety assurance report at the critical design review, and a final safety assessment report at final acceptance. Each report should support the claim that all necessary assurance activities are complete or in progress, and that there is a high degree of confidence that the new or altered asset will be able to be demonstrated to be sufficiently safe.

Any issues or concerns regarding the confidence that the new or altered asset will be able to be demonstrated to be sufficiently safe shall be identified in the relevant independent safety assessment report.


[Figure 1 – Configuration management committee acceptance process: flowchart, image not reproduced. Text recoverable from the figure:

CMC Control Gate (System Requirements Specification): CMC accepts specified system as appropriate and SFAIRP as baseline for later acceptance; CMC delegates gateway governance based on Assurance and Governance Plan.

Life cycle phases shown: Preliminary Design; Critical Design; Fabrication / Manufacture; Construction / Installation; Project Execution / Development; Project Execution / Production; Inspection and Test; Commissioning.

Delegated Governance Gateways (delegated body accepts based on Assurance and Governance Plan); submissions shown include:

o Delivery of Reference Design: Evidence Reference Design is SFAIRP; Assurance evidence against Assurance and Governance Plan (by Principal AEO); Independent Safety Assessor Summary Report (by ISA, for Safety Significant Changes).

o Delivery of Critical Design: Structured Design Safety Argument; Evidence Critical Design is SFAIRP; Assurance evidence against Assurance and Governance Plan; Evidence of Independent Verification and Findings (by Principal AEO); Independent Safety Assessor Design Report (by ISA, Safety Significant Changes).

o Testing / Commissioning: Evidence Testing / Commissioning Risks SFAIRP (limited to risks to rail network); Evidence Testing / Commissioning is appropriate to demonstrate safety of asset (by Principal AEO).

CMC Control Gate (entry into operation): Structured Safety Argument (Safety Significant Changes) or Risk Summary Report (Minor Changes); Assurance evidence against Assurance and Governance Plan; Evidence of Independent Verification and Findings (by Principal AEO); Independent Safety Assessor Report (by ISA). CMC accepts asset into operation including accepting safety risk on behalf of transport Cluster; CMC agrees delegation of maintenance to Sydney Trains CCB.

Throughout the life cycle: CMC may request audit or project specific surveillance activities by ASA; TPD / PMO monitors AEO's performance, deliverables and assurance.]

Figure 1 – Configuration management committee acceptance process


8.2.1 Critical Design Gateway

The end of the critical design phase is a key assurance gateway. At this point the design is complete, so it can be demonstrated that all identified safety risks that could not be eliminated by design have controls identified that manage the safety risk to tolerable and ALARP levels, and that each of the engineered controls has been incorporated in the design. Where administrative controls are used to achieve ALARP, the controls shall have been agreed with the operator and maintainer by this stage.

As entry to operation approaches, the principal Authorised Engineering Organisation shall engage with the operator and maintainer to ensure operational readiness.

Related topic:

Operational readiness, section 7.7

For 'safety significant' changes a design safety assurance report (SAR) shall be prepared and accepted by the CMC or delegated configuration control board before this gateway can be passed. The design safety assurance report should be supported at the CMC or CCB by an independent safety assessor (ISA).

The content of the design safety assurance report shall be as for the operational safety argument but adapted to this stage of the life cycle.

Related topic:

Operational safety argument, section 8.4

8.3 Risk summary report

For 'minor' changes the principal Authorised Engineering Organisation shall prepare a risk summary report to support submission to the configuration management committee for acceptance of the new or altered asset into service.

The risk summary report is a brief document and shall include the following:

o justification that all reasonably foreseeable safety risks in the operational environment have been identified and managed

o a statement justifying that all risks identified have been managed to tolerable and ALARP

o explicit descriptions of all residual safety risks for operation and maintenance, identifying ownership of those residual risks

8.4 Operational safety argument

For 'safety significant' changes, the principal Authorised Engineering Organisation shall deliver an operational safety argument, which demonstrates the safety of the delivered system in operation within the rail network.


The operational safety argument shall:

o be a structured argument based on a suitable technique for structuring safety arguments, for example, goal structuring notation (GSN)

o clearly define the scope of operations for which safety is demonstrated, and clearly define the operational limitations of the delivered system

o demonstrate that sound safety management and quality management principles have been applied throughout the design, development, implementation and commissioning of the new or altered asset

o demonstrate that all reasonably foreseeable safety risks in operation have been identified and managed to tolerable and ALARP, including evidence that the hierarchy of controls has been applied

o explicitly describe all residual safety risks for operation, and identify ownership of those residual risks

o demonstrate that interfaces between all sub-systems have been appropriately managed, and that safety risks at the interfaces have been identified and appropriately managed

o demonstrate that human factors have been considered in the design and development of the system, so that the potential for human error has been minimised SFAIRP, and the new or altered asset is suitably operable and maintainable

o demonstrate that safety risks associated with integration into the operating rail network, maintenance and disposal have been identified and appropriately managed

o demonstrate that appropriate stakeholder management and input has been conducted to give confidence that all stakeholders' requirements will be met

o demonstrate that sufficient liaison with the operator has been conducted so that the operator is operationally ready to enter the system into operation

o demonstrate with supporting evidence that appropriate safety requirements have been defined in order to adequately control the identified safety risks

o demonstrate that all safety requirements have been verified and validated with reference to supporting evidence

o demonstrate that a corrective action process has been applied throughout the design, implementation and commissioning life cycle


8.5 Independent safety assessment and due diligence

It is the role of Authorised Engineering Organisations to provide suitable and sufficient assurance that the new or altered assets being developed for the rail network will be sufficiently safe in operation. In line with good practice, any assurance should be subject to professional critical review to ensure its validity. Similarly, the safety management activities and processes applied to a change to the rail network shall be subject to safety assessment.

The acceptance of assets into operation by the configuration management committee requires the assurance to be validated by professional critical review.

8.5.1 Safety Significant Changes

For 'safety significant' changes, the requirement for a professional critical review is met by the appointment of an ISA. It is the principal Authorised Engineering Organisation's responsibility to appoint the assessor and to assure the competence and independence of the assessor.

It is essential that the independent safety assessment process is a through-life-cycle approach which monitors safety management, safety engineering and safety assurance, and intervenes as soon as issues are identified. It is not acceptable to limit the independent safety assessment to an assessment of safety documents, nor to delay reviews until so close to hold points that financial or timescale pressures can compromise the review.

The ISA shall provide an assessment plan and deliver an assessment report on each occasion that a submission is made to the configuration management committee for acceptance. The ISA shall provide a summary report at preliminary design review, a design independent safety assurance report at critical design review, and a final safety assessment report at final acceptance. Each report should support the claim that necessary assurance activities are complete or in progress and that there is a high degree of confidence that the new or altered asset will be able to be demonstrated to be sufficiently safe.

For particularly high risk or safety significant changes, the Asset Standards Authority may decide to conduct additional targeted surveillance activities of the Authorised Engineering Organisation's and assessor's activities. Where this is the case the Authorised Engineering Organisation and assessor shall co-operate fully with the Asset Standards Authority.

8.5.2 Minor safety changes

The requirement for validation of the assurance for 'minor' changes shall be met by the principal Authorised Engineering Organisation, incorporating independent validation into the safety management of the change. This may be an internal function, provided requirements for independence are met.

Related topic:

Independence of assessment, section 8.5.3


The independent validation function shall be applied to the safety management arrangements, the derivation, verification and validation of safety requirements, and the safety risk management process and documentation.

8.5.3 Independence of assessment

The Authorised Engineering Organisation is accountable for ensuring that the safety assessment undertaken is independent. To be regarded as independent, the assessment body may not become involved as direct or indirect representatives in the design, manufacture, construction, marketing, operation or maintenance of the system under consideration.

The assessment body shall carry out the assessment with the greatest possible professional integrity.

The assessment body must be free of any pressure or incentive which could affect its judgement or the results of its assessments, in particular from persons or groups of persons affected by the assessments.

The assessment function can be internal or external, provided that all the conditions for independence can be demonstrated. For an internal assessment function, it would be expected that the function is managerially separate from the delivery and assurance function up to executive level in the organisation.

8.6 Changes to accreditation

Under the Rail Safety (Adoption of National Law) Act 2012, an accredited Rail Transport Operator must request a variation to its accreditation if it "proposes to vary the scope and nature of the railway operations in respect of which the applicant is accredited". Consequently the introduction of some new or altered assets to the network will also require a change to the operator's accreditation. In NSW this may require a change to one or more of the following accreditations:

o NSW Trains

o Sydney Trains

o TfNSW

TfNSW will advise the principal Authorised Engineering Organisation if a change to one or more of the above accreditations is required for the change to be implemented. Where a change to an accreditation is required, the principal Authorised Engineering Organisation is accountable to deliver suitable and sufficient safety assurance to obtain the accreditation change from the Office of the National Rail Safety Regulator (ONRSR). The principal Authorised Engineering Organisation is also accountable for working with each accredited organisation to ensure that the impact on each accreditation is appropriately co-ordinated.


8.7 Configuration management committee acceptance

The TfNSW configuration management committee (CMC) is the asset acceptance authority for TfNSW. In accepting assets, the CMC is accountable for the acceptance of residual safety risk on to the rail network.

The CMC oversees all safety acceptance of new or altered assets, but may delegate the safety acceptance role to an appropriate configuration control board (CCB) at all or some project gateways. This delegation will be dependent upon the risk associated with the change. The CMC will accept the System Requirement Specification for a change as a baseline for later acceptance of designs and entry to operation of the asset. At the stage of acceptance of the System Requirements Specification the PMO will also present to the CMC the following:

o a safety impact assessment of the change based upon complexity, novelty and failure consequence, that determines whether the change is 'safety significant' or 'minor'

o an assurance and governance plan that sets out the project governance arrangements and outline assurance arrangements. This will include the proposed delegated acceptance authorities at each project gateway.

o assurance that the system specified in the System Requirements Specification is the optimal specification with respect to risk of all types and therefore that it is the option that will ensure safety SFAIRP

The configuration management committee, when accepting the System Requirement Specification, will delegate specific CCBs as acceptance authorities at each project gateway or will retain the acceptance role at all or some project gateways.

All changes to the configuration of the rail network, whether minor or significant, shall be accepted by the CMC or a delegated CCB prior to entering operations. This acceptance may be conditional upon outstanding issues and the completion of any defects liability period. The principal Authorised Engineering Organisation is accountable for presenting the new or altered asset to the CMC or a delegated CCB with all supporting assurance and evidence of stakeholder 'buy-in' to the asset.

The structured safety argument or risk summary report should be presented to the CMC for acceptance well in advance of the asset entering operation (around two months prior is recommended). The assurance document shall clearly identify outstanding issues and describe how they will be managed to closure prior to entry into operation or during the early operational life. The CMC may then accept the asset conditional upon the close out of the issues. Closure may be considered at subsequent CMC meetings. This approach avoids safety assurance documentation and issues delaying introduction of assets into service and allows time for barriers to entering service to be resolved in a timely manner.

Where testing will be conducted on the operational rail network, acceptance of the testing safety report by the CMC is required before testing may commence.


For 'safety significant' changes the following acceptances shall be obtained from the CMC:

o acceptance of the design safety assurance report before implementation may commence

o acceptance of the operational safety argument before the new or altered asset may enter operation, or be integrated into the network if it may impact the integrity of the existing network

For 'minor' changes the following acceptances shall be obtained from the CMC:

o acceptance of the safety risk summary report before the new or altered asset may enter operation, or be integrated into the network if it may impact the integrity of the existing network

Whilst the configuration management committee has the authority to reject a proposed change, the intent is that by the time a change is presented to the committee, all appropriate assurance and supporting evidence is in place and all key stakeholders have accepted and agreed that the asset may enter service or pass through the gateway. When presenting an asset and its supporting assurance and evidence to the configuration management committee, the principal Authorised Engineering Organisation is accountable for having all agreements and acceptances with key stakeholders and the operator and maintainer in place, and for evidencing these acceptances and agreements to the configuration management committee.