Delivering a Safety Justification and Navigating Closure of Dependencies (from an Earthing and Bonding Perspective)
Document
type: Technical Paper
Author:
Sarah Dale BEng CEng MIET
Publication
Date: 02/12/2021
-
Abstract
The earthing and bonding (E&B) on the Elizabeth Line is everywhere, consequently it is extensive and highly integrated, it is essential as a primary safety system to prevent electrocution and fire. Development of the E&B Safety Justification was time consuming and involved creation of a spreadsheet of reference documentation (circa 2000+ items listed).
The majority of the Safety Justifications (SJs) were written by the Engineering Safety Management Team (ESM), however, just two weren’t – those for Earthing and Bonding (E&B) and Electromagnetic Compatibility (EMC) were written and delivered by the Chief Engineer’s Group (CEG) respective Heads of Discipline (HoDs). This paper covers both the delivery of an SJ and closure of dependencies from the perspective of the CEG HoD E&B plus support team. We also discuss lessons learnt about the process and the possible concept for a future project of assurance leading delivery.
As the SJs are written for the final state, ahead of actually achieving it, each SJ is accompanied by a list of dependencies (items that are outstanding). An intricate process of closing these dependencies evolved through the lead up to Entry into Trial Running (EiTR) with both Safety Justification Engineering Judgement (StEJ) panels and the SJ Joint Dependency Closure Workshop (SJJDCW) running, leading to some overlap. In this paper we also discuss the importance of integration, proper records, interface management, tracking of outstanding items and good practice for getting approval at StEJ and SJJDCW.
-
Read the full document
Introduction to Elizabeth Line Earthing and Bonding
The Central Operating Section (COS) of the Elizabeth Line comprises 42 single track kilometres of new railway, running between Westbourne Park on the Great Western Main Line, Pudding Mill Lane on the Greater Anglia Route, and Abbey Wood on the North Kent Line.
The earthing and bonding (E&B) on the Elizabeth Line is everywhere, it is extensive and highly integrated. The E&B is essential as a primary safety system to prevent electrocution and fire. To further complicate matters, it has been installed by all system and individual site contractors plus third parties rather than one single contractor. In summary, the E&B system includes:
- Traction Earth Wire (42km+, one per road)
- Aerial Earth Wire (60km+, two per road in tunnel, one per road surface)
- Running Rails (84km+)
- Traction Spider Plates (several hundred)
- Traction Earth Bars (several hundred)
- Station / Shaft / Portal (SSP) Earth Rings (one per site, minimum)
- Earth Electrodes/Earth Mats at Feeding Stations, SSP’s, depot etc (30+)
- SSP and system Earth Bars (many hundreds)
- Traction Cross-bonds between rails, aerial and traction earth wires (every 250- 500m per road)
- HV and LV Equipotential Bonding (many kilometres)
- All the equipment earths connected to the spider plates / earth bars (thousands)
- Functional and safety earthing (hundreds)
- Tunnel Cable Management system, fire main and walkway (42km+ each system)
The E&B core elements and contractual arrangements are detailed in Figure 1 (Cxxx designates the Crossrail Ltd (CRL) Contract number for the section of the works, C6xx denotes a system (e.g. Signalling) contractor, other numbers are site specific):
Figure 1. Elizabeth Line E&B Core Elements and Contractual Arrangements
A general arrangement overview of the E&B for the Elizabeth Line in a geographical, per site context, is provided in Figure 2.
Figure 2. Elizabeth Line E&B General Arrangement (Geographical per site)
Introduction to Safety Justifications
A Safety Justification (SJ) document demonstrates that there are robust processes and procedures in place for the safe design, installation, testing and commissioning for operation of the Elizabeth Line; significantly, it provides evidence (or references to evidence documents) to demonstrate that the risk arising from the system described in the SJ is acceptably safe for operation and maintenance by Rail for London (Infrastructure) (RFLI) and London Underground (LU).
The Elizabeth Line is covered by a suite of SJs, each forming part of the safety evidence described in the CRL Engineering System Safety Management Plan that provides the safety assurance required prior to the railway entering operational service. Each SJ is produced in accordance with the Crossrail Format and Process for Overall Safety Justifications.
The CRL project is guided by a number of Strategic Engineering Justifications (SEJ) which reference the Railway Level Hazards and lists the detailed system specific sub-railway level hazards that the SJ must prove have been thoroughly addressed. The safety requirements identified in the SEJ were derived from a number of sources:
- Statutory legislation
- Compliance with Technical Specifications for Interoperability
- Compliance with European and British Standards
The aim of the SJ is to provide the detailed traceability of safety evidence produced by CRL and / or Contractors to mitigate the railway level hazards and detailed system specific sub-railway level hazards in the SEJ. The SJ provides evidence of compliance related to:
- Statutory legislation
- Technical Specifications for Interoperability
- European and British Standards
- Closure of Railway Level and system specific sub-railway level hazards
- The use of a robust and systematic Engineering Safety Management process throughout the life of the project
- Acceptable safety of the specific (to the SJ) system for revenue service operation and maintenance by RFLI and LU (and any caveats)
- Correct definition of System requirements and Derived Safety
- Achievement of the Safety Requirements identified in the SEJ
- Development of the detailed design in accordance with any applicable strategies and Works Information documentation
- Approval of relevant documentation by the Chief Engineers Group (CEG)
- Correct definition of interface requirements
- Closure of interface hazards by third party railways
- Implementation and completion of inspections, witnessing, testing, commissioning and validation
- Definition of operation and maintenance boundaries
- Formal audits carried out throughout the development lifecycle by CRL, the Assessment Body (AsBo), the Notified Body and Contractors (as applicable on a system / site basis)
- Confirmation by the AsBo that the system is compliant with the Common Safety Method for risk evaluation and assessment Regulations process
- Maintenance Integration Reviews have considered the system and identified any maintenance issues
- All O&M related actions identified in the Project Wide Hazard Record to control residual risks have been captured in the Safety Issue Files and transferred to the future maintainers.
- Hazards from Network Rail (NR) On-Network works have been controlled in accordance with the NR Assurance regime and assessed by NR AsBo.
Figure 3 shows the levels of safety review for COS Railway Systems. This demonstrates the (typically six) layers of independent review applied and evidenced within a SJ.
Figure 3. Levels of Assurance Reviews for COS Railway Systems
Writing Safety Justifications
The majority of the SJs for the Elizabeth Line were written by the Engineering Safety Management (ESM) Team however, just two were not – those for Earthing and Bonding and Electromagnetic Compatibility were written and delivered by the CEG respective Heads of Discipline (HoDs) assisted by their teams.
Focusing on the E&B HoD and team, the initial steps involved in writing the first revision of the E&B COS SJ were as follows:
- Familiarisation with the SJ standard format and what content was needed
- Familiarisation with the E&B SEJ and with the six railway hazards plus consequent twelve E&B related sub-railway level hazards
- Obtaining the alignment matrix of the SEJ Railway level hazards to the Project Wide Hazard Record and other evidence (produced by the ESM team)
The E&B system is the foundation of all other systems, hence the E&B COS SJ is one of a few key SJs which the rest of the SJs rely on and reference to, hence, it was critical to produce a clear well developed document from the start.
Development of the E&B SJ was time consuming and involved several iterations to arrive at a reasonably good first draft, it took three people – the E&B HoD (providing a lot of the technical input as the only person with continuity on Crossrail over many years), a Principal Engineer (acting as editor, progress monitor, researcher and problem resolver) plus a Graduate Engineer (researcher and reference finder). As the team built the first draft, two (lauded) innovations came about:
- The creation of a spreadsheet, divided by site/system to record every E&B reference document – over 2000 documents are listed
- The use of a tabulated format with per item numbering to set out the evidence for safety against each of the twelve sub-railway level hazards for each case listed in the SEJ
The innovations primarily came about through a need to present large volumes of evidence and / or evidence references in a user and / or reader friendly manner, in a way that was easy for the authors to create – it resulted in success for all parties.
The first formal draft of the document was successful and became the first issue with very minor updates. Revision 1 of the E&B COS SJ was issued in September 2020, receiving only minor comments from LU and RFLI and obtained the support of the AsBo. It passed through the Railways Approval Board – Crossrail with minimal comments and was endorsed at the first attempt.
As the SJs are written for the final state, ahead of actually achieving it, each SJ is accompanied by a list of dependencies (caveats / items that are outstanding). At this stage, the E&B team had identified 25 dependencies (with a total of 591 items involved) – and were also trying to expedite closure of as many items as possible. Closure of dependencies for E&B proved to be intricate and time consuming, as the E&B system did not have a single contractor, did not have a dedicated ESM for the discipline and had such a lot of items to close.
The team built an E&B engineering dependency tracker spreadsheet (separate to, and different but similar to the SJ Master Tracker Spreadsheet maintained by the ESM team) which identified every single minor and major E&B item linked to the 25 dependencies, and each item was assigned a unique, relevant reference number linked to the dependency it related to. Information recorded included description of the item, current status, action needed to close the item, evidence reference numbers, identification of which site / system (and/or person) was responsible for closure of the item and active status (open/closed). The spreadsheet was also later developed further to include a separate sheet of statistical tracking analysis for reporting purposes.
The dependent items were reviewed weekly – both holistically and systematically; SSP and system teams were contacted and progress monitoring added to certain meetings. The E&B Team did everything possible to aid closure of items, holding extra meetings, liaising with the Chief Engineer, NR, Docklands Light Railway, LU and RFLI as needed. In one case, it was necessary to do some research on an item that was over two years old with no one left on the project with detailed background knowledge of the item – in this case the E&B Team were able to find sufficient records and track down the remaining people with some knowledge of the item, to convene a meeting to prove that the item could be safely closed.
As CRL approached the major project milestone of Entry into Trial Running (EiTR), the project was very busy with concurrent activities:
- Updating the SJs with open dependencies to show progress before EiTR
- Closing open dependencies with completed evidence at the Safety Justification Joint Dependency Closure Workshop (SJJDCW)
- Holding Structured Engineering Judgement (StEJ) panels to mitigate dependencies for EiTR
The E&B Team worked to update the E&B COS SJ revision 1 into revision 2, and at the same time continued working with all the other teams to get as many items and dependencies closed as possible. It became apparent that not all the dependencies could be closed before EiTR – in some cases it was clear that:
- The particular dependency did not need to be closed before EiTR
- Some evidence was available but the dependency could not be fully closed.
In the first case, dependencies were taken to StEJ panels (comprising of CRL’s Chief Engineer or one of the Deputy Chief Engineers as chairperson, plus RFLI, Transport for London (TfL) and LU engineering heads) for discussion and ratification that the risks of not completing the dependency before EiTR were low (or none applied) and closing the dependency could be deferred until after EiTR.
In the second case, the dependencies were also taken to StEJ, with each sub-item that could not be immediately closed identified, with reasons as to why it couldn’t be closed, and what mitigations were in place (if needed) to allow the item to be safely completed after EiTR. In this case, this led to split dependencies – for example Dependency EB1 became EB1A and EB1B, with the A part of the dependency becoming the items that were either closed or could be closed prior to EiTR, and the B part becoming those items that would be closed after EiTR. StEJ reviewed the risks associated with each item and provided a recorded judgement of agreed / not agreed or any other safety amendments deemed necessary to mitigate items not being closed before EiTR.
To close a dependency once all evidence was available (for example, approved documents available, closed punchworks etc), the evidence and safety justification was entered into the ESM maintained Master SJ Dependency tracker; and then discussed at the SJJDCW meeting – comprising members of CRL, RFLI, LU and others as needed (plus independent auditors from the AsBo on occasion). The SJJDCW could close the dependency (either wholly or for a specific stage only as applicable) or ask for additional evidence / actions as needed to satisfy themselves.
The roles and responsibilities of the StEJ panel and SJJDCW were clearly defined and set out in terms of reference [1], [2]. There did remain some debate over how StEJ and SJJDCW interacted with regard to exact responsibilities / authorisation that had to be resolved on occasions that led to clarifications being sought, plus holding additional break out meetings to agree resolutions. Over time, the processes and procedures evolved – changing slightly, becoming better understood and managed. Diagram 4 demonstrates the EiTR working process flow between StEJ and SJJCW.
Figure 4. StEJ / SJJDCW EiTR Working Process Flow
In the last weeks before EiTR, intensive rounds of StEJ panels and SJJCDW meetings were held to close / mitigate as many dependencies as possible prior to EiTR. The E&B team were pleased to finish their part just in time before EiTR, with all the evidence in place and accepted, all the records up to date. Revision 2 of the E&B COS SJ was also well received with minor comments from RFLI and endorsed with no comments from Railways Approval Board – Crossrail.
Post-EiTR, the E&B team held a thorough review and took stock of the remaining items. A new version of the E&B Engineering SJ Dependencies tracker was built, covering just those items remaining open. Items were clarified, and in some cases further split out to identify items on a per site and / or per deliverable document basis and / or per future stage basis – for example the requirement to provide LV electrical models for each station was listed per site per model (with some sites having as many as four models) rather than just per site. An improved logging system was introduced as part of the further split out to allow easy sorting and identification of work stages to allow for production of different statistics / increased functionality for ease of use. A review of all the outstanding observations / punchworks was also carried out, and a number of new E&B related items identified and added to those already being traced.
The team are presently preparing revision 3 of the SJ ready to start the next cycle of the process as noted above for Entry into Trial Operations (EiTO).
The E&B team will continue to monitor and close dependencies in the lead up to EiTO, liaising with all reporting and other parties. Where feasible, the E&B team will continue to assist other parties to get dependencies closed – by providing guidance, technical advice, giving assistance and information – for example proactively working with Canary Wharf and Bond Street stations by reviewing draft assurance documentation ahead of the formal submission. In the case of Canary Wharf station the team are reviewing and commenting on the proposed index and structure for the final E&B Acceptance certificate to reduce workload on both sides – by reviewing the index / structure first, it can be checked the proposed content covers everything necessary, and Canary Wharf station can be sure that they are not producing superfluous assurance / evidence.
Lessons Learned So Far
- It is essential to have agreed Terms of Reference (or equivalent) [1], [2], before starting such a complex process. During the lead up to EiTR there was some discussion about what StEJ had the authority to agree / close, and how that interfaced with what SJJDCW were doing / had authority to do. All parties involved – which in CRL’s case is quite complex as the handover is to two infrastructure managers which are both different subsidiaries of TfL, plus interfaces to Dockland Light Rail, TfL directly and NR – had to discuss, refine and agree the terms of reference.
- There is a learning curve for all those involved – whether from the ESM team, the CEG team, the StEJ and SJJCW panels; even though similar activities have been held in the past, they need to be adapted and / or re-learnt for the evolving situation. It may be necessary to update the processes, and indeed CRL carried this out during the lead up to EiTR, with two changes:
-
- updating the Terms of Reference for StEJ and
- adding in an extra record form on a per dependency basis to record in detail the risks / issues for each dependency that was bought to STEJ for a decision, and what the StEJ verdict was.
The new record form was on top of and in addition to the Minutes of Meeting – which had been used as the sole record until Jan / Feb 2021. The additional StEJ forms were introduced about one month before EiTR, which did lead to additional workload in a very short space of time.
- Clarity of language and accurate information is imperative – the issues have to be defined clearly, risks identified and mitigations set out in such a way as they are unambiguous and can be understood by all parties (whether or not they were a subject matter expert).
- Very clearly defined dependencies, risks and site observations are easier to close when evidence becomes available. For example, a site observation of the same issue on multiple sites can not be closed out when one site is incomplete, whereas multiple site observations of the same issue on a per site basis would enable progressive closure as each site is complete.
On the other hand, if this was done with the E&B SJ dependencies, there would have been 550+ (at the start) items (of which many were very minor – e.g. missing permanent identification labels) which would have meant that the SJ would have failed its first submission to the Railways Approval Board (Crossrail) (as it had been expressed that more than 15-20 open dependencies would not be acceptable), in this case, grouping like items into a single dependency made sense, e.g. one of the E&B dependencies was all the open site observations impacting earthing and bonding (120+ items at the start), however, that has meant that this dependency has had to remain open (even now with ~40 items that are not yet closed) as the CRL site remedial works and Bond Street station works continue.
In this particular case, the team have progressively closed sections of the dependency, with a status taken just before EiTR, all closed observations were listed and mitigations were presented for all open site observations. All this was agreed at StEJ and recorded in the master SJ tracker which led to acceptance by SJJDCW for closure for EiTR.
Again, clarity of language is important, with the team identifying post-EiTR some instances where certain sections of text and the dependencies could have been worded better to ease later closure. This progressive closure of the dependency and mitigations for open items will be repeated prior to EiTO.
- When preparing for StEJ and requesting a StEJ judgement, setting out the dependency, issues, mitigations and risks clearly, including what decision is required from StEJ, ensures all panel members can understand the issue quickly and enables easier decisions for the panel.
- When closing a dependency and recording the evidence for its closure, it is essential to focus first on the safety, i.e. why it is safe to close the dependency, and then list additional supporting evidence (if any).
- Early definition of interfaces – both physical, electrical and documentation production is essential for later clarity of which party is responsible for what, and consistency of approach by all. For example, when the E&B team carried out an overview prior to writing the SJ, it became apparent that records at the E&B interface points – particularly between the SSP’s and routeway systems – were inconsistent and lacking in detail; this led to additional work for CRL with a set of interface drawings commissioned that took several months work including additional site survey work to produce.
- Early consistent definition of required deliverables from the Contactors would reduce problems at later (handover) stages of the project. This should include defining minimal contents and expected standards, possibly even setting a fixed format and contents list would greatly speed up assurance time.
- It is good practice to identify, record, monitor and track outstanding items to ensure no surprises at the later stages of project completion.
- When dealing with a large document (the E&B SJ is 200+ pages, 80000+ words and includes 10 appendices), it would be wise to maintain separate files for the main body of the text and each appendix to save time, avoid saving issues and formatting errors; enabling auto-save is essential to save the absent minded author!
Can Assurance Lead Delivery?
At present, CRL (and most other projects) are set up such that assurance is reactive, with the CEG team carrying out the following activities over the years wholly dictated by the delivery programme:
- Design and interface review
- Installation inspections
- Verification and Validation Assurance Plans
- Reviewing and assuring document such as:
- Interim / Partial / Complete Assurance Certification
- Installation Release Notices
- Other mandatory deliverables to allow stage gate completion
- Witnessing Testing and Commissioning
Each and every hand over from CRL to the Infrastructure Managers means a lot of work for the CEG, with masses of formal documentation that needs to be reviewed and assured before stations / systems are handed over – and this is done repetitively for different stages – for example, for first tests, system tests, single train tests, dynamic running, EiTR, now EiTO and in the future for Entry into Revenue Service.
There have been times where CEG have noticed weaknesses in the assurance documentation and extra items have had to be requested – this is mainly dealt with via issuing Chief Engineers Communication. There have also been occasions where formal assurance documentation has been delivered very late compared to planned date, and in the example of station formal handover, has necessitated CEG solely focussing on clearing the assurance for the station in time for the handover deadline to the detriment of all other works with the team.
As the E&B team were completing the first pass of the E&B SJ, the team observed that the first draft document could have been written sometime prior, maybe even as many as five years earlier. Theoretically, the document could have been written as soon as design was complete, however, every seasoned engineer will acknowledge there is always a delta of change between detailed design and the reality of installation, so writing the SJ that early would not have been sensible as there would be too much change.
As CRL approached physical completion and single / dynamic testing could have been a good time to write a first draft of the SJ, at which point the document could have been used to clearly identify all the needed deliverables to enable the dependencies to be closed, and as such, used to guide and focus the works / formal record documents.
Taking this concept further, it might be possible on a future project to tailor delivery of the whole project around assurance, meaning that the requirement for assurance and what a CEG team need to complete the assurance is focussed on as part of delivery. This could lead to significant improvements in identifying and clarifying deliverable documentation requirements early in the project. With this identified, workload for the assurance team can be better assessed and allowed for within the programme, the ideal would be to provide a smooth even workload for the assurance team with no last minute crises.
Acknowledgements
Malcolm Anderson, Head of Discipline Earthing and Bonding, Chief Engineers Group, Crossrail Ltd
References
[1] Crossrail Ltd Technical Directorate – Terms of Reference – Structured Engineering Judgement (Phase 2). Document Number: CRL1-XRL-O-MRC-CR001-50119 Revision 1.3
[2] Transport for London – RFLI – Rail for London (Infrastructure) Ltd – Safety Justification Joint Dependency Closure Workshop – Terms of Reference. Document Number: RFLI-GEN-SM-TOR-0002 Revision 2.0
-
Authors
-
Acknowledgements
Malcolm Anderson, Crossrail