System Safety for Complex Projects – The Crossrail Approach
Document
type: Technical Paper
Author:
Hayat Zerkani PhD BSc CEng MIET
Publication
Date: 10/05/2023
-
Abstract
This Technical Paper sets out the details of the System Safety approach used by the Crossrail Project and describes some of the solutions employed to resolve the key challenges faced during the lifecycle of the project.
-
Read the full document
1 Introduction and Industry Context
Crossrail is the new high frequency railway for London and the South east enabling passengers to travel from Reading and Heathrow to Shenfield and Abbey Wood. It links Heathrow Airport, the West End shopping district and the financial districts in the City of London and Canary Wharf and provides transport interchanges to the London Underground and Docklands Light Railway networks. Crossrail Ltd (CRL) was established in 2001 to deliver this new railway now known as the Elizabeth line. The Central Operating Section (COS) is the new railway section that connects the existing Great Western and Great Eastern main lines via new twin tunnels under central London.
Under the Safety and Interoperability legislative framework, CRL had to comply with the EU Interoperability Directive [2008/57/EC] and associated Railways (Interoperability) Regulations 2011 (RIR 2011) as amended following the UK exiting the EU. One of the core requirements of RIR 2011 was that no structural or vehicle subsystem can be put into use on or as part of the rail system in Great Britain unless the Office of Rail and Road (ORR) has provided an interoperability authorisation for the placing into service (APIS) of that subsystem. CRL, being the Project Entity under these regulations, obtained APIS from ORR in May 2022.
CRL had also to comply with the Safety Directive [2004/49/EC], and associated Railways and Other Guided Transport Systems (Safety) Regulations 2006 and the Common Safety Method (CSM) for risk evaluation and assessment (CSM RA) [Regulation (EU) 402/2013)], as amended following EU Exit.
This document describes the system safety management approach employed by CRL, with a focus on the new COS section railway, and how this met the safety relevant legal obligations.
2 Background
Crossrail is a complex project of interrelated contracts and works. The complexity and scale of Crossrail raised significant challenges in relation to system safety. Elements of the railway (stations, shafts, and portals) and systems (communications, signalling, platform screen doors, tunnel ventilation, route control centre, track, and power) were delivered via many different Tier 1 contracts, each with their own timeline. Therefore, it was necessary for Crossrail to establish robust processes to manage safety consistently through all contracts. Furthermore, CRL had to assure itself, and the future Infrastructure Managers (IMs), Rail for London Infrastructure (RFLI) and London Underground (LU), that the elements and railway systems delivered were safe, were safely integrated including the fringes with Network Rail (NR), and were operated and maintained safely.
To achieve the above CRL:
- Established a System Safety Plan for the whole project lifecycle compliant with CSM regulations
- Established engineering safety management processes and safety forums, for example System Integration Review Panel (SIRP), Maintenance Integration Review Panel (MIRP) and Hazard Review Panel (HRP)
- Appointed competent resources to carry out the activities of the Safety Plan and appointed relevant assessment bodies: Approved Body (ApBo), Designated Body (DeBo) and Assessment Body (AsBo) in accordance with Railway regulations
- Implemented a Project Wide Hazard Record (PWHR) database for all contractors – this is an industry first
- Produced Safety Justifications for the integrated elements, railway systems and the integrated COS railway.
The above was delivered in accordance with legislation to enable the IMs to operate the railway – first for Trial Running, then for Trial Operations and finally for Revenue Service based on the assured railway.
Each of these points are discussed further in the following sections.
3 Crossrail Approach to System Safety Management
3.1 Planning
3.1.1 System Safety Plan
CRL put in place its Engineering Safety Management – System Safety Plan (ESM SSP) [3] in 2010. The ESM SSP was included in the contract for all the Tier 1 design and build contractors for all the major railway elements – stations, shafts & portals (SS&P) and systems. Over the project lifetime, CRL has updated its ESM SSP and provided guidance and training to the contractors based on those updates. The guidance and training were delivered along with a series of ESM Forums, with the AsBo in attendance, which were operated in the manner of surgeries for resolving application issues and informing the additional guidance documentation. CRL SSP was substantially the basis upon which the contractors have produced their evidence of safety and compliance.
3.1.2 Staged Progression and CRL Safety Plan Addenda
Whilst the original project intent was for the completed railway to be handed over to the IM in a single stage, a more progressive handover approach was determined to be more realistic and practical. This approach provisioned for the routeway to be handed over first, enabling Trial Running to commence whilst the stations were completed and handed over. It should be noted that the Class 345 trains were already authorised and in revenue service. Following Trial Running and confirmed integration of routeway and train, the addition of most of the stations enabled the COS to progress through Trial Operations and into Revenue Service. End State for the COS was marked with the completion of Bond Street station and auto reverse functionality. The handover stages were defined as follows:
- Ready for Trial Running (referred to as Entry into Trial Running or EiTR) –routeway and shafts and portals only
- Ready for Trial Operations (EiTO) – with the stations added to the routeway. The stations were incomplete but allowing safe evacuation of staff in case of emergencies
- Ready for Revenue Service (EiRS) – excluding Bond Street Station in revenue service
- End State – Bond Street Station complete, and Auto Reverse implemented (also known as Stage 5 and CRL Close out in CRL Project planning)
The progressive handover approach necessitated some additional planning which was suitably detailed in further plan addenda.
Figure 1 – Safety Planning
Each Plan Addendum addressed the following scope items:
- Readiness activities required for each stage
- Definition of the safe state for stations at EiTR/EiTO/EiRS (During EiTR and EITO, where stations were incomplete, as a minimum providing a safe evacuation route for staff working on the railway)
- Development of the Safety Justifications to support the integrated COS justification for EiTR/EiTO/EiRS; collectively these make the safety argument for the intermediate stages of delivery. This is in addition to the modified risk management arrangements for those systems with deferred and reduced functionality at EiTR/EiTO/EiRS that require additional risk identification activities.
- Detailing of the route to APIS
- Notification to the AsBo and ApBo in the event of change to the already established evidence for safety and compliance.
3.1.3 ESM Reference Manual
The ESM Reference Manual[2] listed the documents, plans, processes and procedures which described the Engineering Safety Management (ESM) system for the central section of the Crossrail Project. The principal documents were the CRL System Safety Plan[3] and the System Safety Plan Implementation Strategy[4] which together outline the policy, strategy, and responsibilities for assuring effective Engineering Safety Management throughout the project delivery.
The supporting processes and procedures covered:
- Processes for the management of hazards and risk assessment:
-
- Guidelines and Etiquette for Undertaking HAZID and HAZOP Workshops[8]. This was essential and was widely applied to ensure consistency in this key project activity. This has been applied over the complete project development lifecycle
- Engineering Safety Management – Hazard Management Procedure[18]
- Project Wide Hazard Record Process[11]
- Technical Note on the use of Project Wide Hazard Review (PHWR) in Engineering Safety Management (ESM)[14]
- Crossrail Common Safety Methods Hazard Assessment Process[6]. This is the key document overlaying the requirements of the CSM RA onto the sound ESM foundation
- Crossrail Process and Format for Comparative Risk Assessments[22]
- Crossrail Hazard Review Panel Terms of Reference[9]
- Crossrail Process and Format for Overall Safety Justifications[10]
- Processes for the management of delivery to ensure alignment of all Tier 1 contractors:
-
- Volume 2B – General Requirements – Part 32 Contractors Engineering Safety Management Requirements[5]
- Crossrail Delivery Contracts Standard Engineering Safety Management Requirements Specification[13]
- Crossrail Process and Format for Product Breakdown Structures for Systems[21]
- Crossrail Design & Build Contract Assurance Stage Gate Engineering Safety Management Review Process[24]
- Crossrail Process and Format for Engineering Safety Justifications for Systems[19]
- Crossrail Review and Approval of Contract Engineering Safety Management Deliverables[12]
- Crossrail Delivery Contracts Engineering Safety Management Surveillance and Audit Process[23]
- Processes for management of competencies
The ESM Reference Manual was assessed by the AsBo and then used as a basis for audits confirming adoption and comprehensive implementation by CRL and its Tier 1 contractors.
3.2 Supporting System Safety Management Processes
3.2.1 System Integration Review Panel (SIRP)
The objective of SIRP[25] workshops was to demonstrate that the integrated technical functionality provided the required operational functionality – in line with the approved Operations Concepts which covered stations, route control centre, traction power etc. SIRP workshops were conducted for all Railway Systems based on sampling of targeted use case scenarios. The use cases were developed for multiple systems throughout Crossrail. The results were reviewed and agreed by CRL Heads of Discipline, RFLI Operators, MTR Crossrail operators, LU operators and NR operators.
The SIRP workshops identified several operational issues that would potentially have affected safe operation of the Railway. These were in the main closed out as part of the post Final Design Overview (FDO) engineering verification, with any open issues described in the relevant supporting Element/System Safety Justification and managed to closure.
3.2.2 Maintenance Integration Review Panel (MIRP)
The objective of the MIRP[26] workshops was to test the alignment and integration of the collective designs with maintenance boundaries, concepts, access, resource, and logistics constraints, including assessment of maintenance plans, support tools, spares and training and interfaces between Infrastructure Managers.
Dedicated MIRP workshops were held to demonstrate that the integrated technical functionality could be maintained, in a given operational window, to allow the ongoing safe operation. Several maintenance issues affecting safety were identified during the MIRP workshops. In the main these were closed out as part of the post FDO engineering verification; with any open issues described in the relevant supporting Element/System Safety Justification and managed to closure.
3.2.3 Hazard Review Panel (HRP)
The objective of the Hazard Review Panel (HRP) meetings was to facilitate the transfer of residual safety risks in the form of Maintenance and Operational actions. The HRP was established for the controlled management of hazards that could not be fully mitigated by design and as such required the future users to establish operational and/or maintenance controls. CRL governed the HRP meetings in accordance with the CRL Hazard Review Panel Terms of Reference[9]. The risk control actions transferred to the IMs/Operators were recorded in Safety Issue Files (SIFs) within the PWHR.
3.2.4 Railway Assurance Board – Crossrail (RAB-C)
The IM and CRL established a Rail Assurance Board Crossrail (RAB-C) which, during the Project phase up to handover, provided two key roles:
- CRL System Review Panel (SRP) for acceptance of all Central Operating Section (COS) assets.
- IM’s SRP responsible for independently assuring that the IM is organisationally competent to put the accepted assets ‘into use’.
In both roles RAB-C made sure that interfaces with other duty holders have been adequately considered in the design of the infrastructure and the operations and maintenance arrangements. RAB-C was the key enabler for a decision under Article 16 of CSM, to allow a Declaration of Control of Risk (DoCoR) to be signed by the Technical Director of Crossrail, as part of CRL’s application for authorisation. Subsequent panels were formed after EiTR but these were governed by the IM.
3.3 System Safety Resources
3.3.1 System Safety Organisation
The overarching responsibility for system safety management sat within the CRL Technical Directorate under the direction of the System Safety & Interoperability (SS&I) team. The SS&I team managed PWHR, produced the Elements/Systems integrated Safety Justifications and the integrated COS Safety Justification, as well as carrying out several other ESM/CSM and Interoperability activities amongst which was overseeing all contractors’ ESM/CSM activities and reviewing their deliverables. This ensured consistency of the ESM/CSM activities throughout the whole Project and contracts.
3.3.2 Competency
CSM RA compliant project delivery is achieved both by having a suitably detailed safety plan and supporting set of procedures, but also having an implementation team competent in application of the procedures. The SS&I team produced the ESM/CSM Competency Guidelines[6] which detail the process by which the SSI team assessed the competence of Safety and Interoperability Engineers for undertaking their roles. The application of the process made sure that safety competence of the individuals within the CRL central team and that of the Tier 1 contractors was maintained. Application of the procedure was subject to review by the AsBo.
3.3.3 Independent Safety Assessment
Given that the change was determined to be significant, it was a mandatory requirement of the CSM RA Regulation (Article 6(1)) that an AsBo carry out an independent assessment of the suitability of both the application of the risk management process and its results.
CRL appointed an AsBo meeting the requirements stated in Annex II of the Regulation. The remit was agreed, this included making sure that the scope of assessment of the providers of the train AsBo, the IM AsBo, and other railway systems independent safety assessors (ISAs) did not overlap. The provision of infrastructure AsBo, train AsBo, IM AsBo and contractor’s ISAs for high integrity systems such as Signalling, Platform Screen Doors and Tunnel ventilation removed the need of an overarching CRL ISA.
The System Definition (SD), and supporting element SDs, evolved during the progression of the Project.
CRL provided its plan[3], and subsequently updates of that plan, in order for the AsBo to establish and maintain its own Assessment Plan. The plans were mutually agreed.
In accordance with section 5 of the Regulation CRL made available all necessary evidence primarily through the following routes:
- Provision for co-located working (full time up to 2019)
- Regular liaison meetings
- Participation in the ESM forums that were key to establishing alignment between all Tier 1 contractors early in their engagement
- Continuing direct engagement with Tier 1 contractors as necessary
- Open invitations to Hazard Identification, Hazard Review panel meetings, safety review panel (RAB-C), and later the RFLI CAP – TSRP
- Access also extended to relevant engineering panels such as SIRP, MIRP, FDO etc.
- Invitation to applicable progress review meetings with DfT and ORR
- Invitation to CRL Project delivery briefings at a corporate and working level
- All documentation filed into the document management system (eB), with online access open to the AsBo
- PWHR maintained in an online DOORS database with open access for the AsBo
- Progression of Assessment and Audit Finding Records
The AsBo provided monthly progress reports in accordance with the contract with CRL. This provided a high-level view of progression of the assessment. It also served as a route for escalation of concerns. CRL and AsBo maintained, and regularly aligned their milestones and delivery Projects.
The AsBo provided progressive support in line with progression of the Project primarily through issue of:
- Assessment Records, Audit Reports and Audit Finding Records
- Letters of Status and Support
- Staged Safety Assessment Reports (SAR)
- SAR Addenda
The engagement was completed in a final issue of the sections of the SAR covering final conclusion and index to the complete SAR build (9 parts and versions index).
3.4 Hazard Identification, Management and Project Wide Hazard Record
3.4.1 Railway Level Hazard Structure (RLHS), Strategic Engineering Justifications (SEJs) and Alignment Matrix
As part of the overall safety justification for the COS, CRL developed the Railway Level Hazard Structure (RLHS)[27] to identify the railway level hazards and derive the railway level safety requirements. These would then ensure, using CSM RA, that not only the element level safety requirements had been satisfied, but also those for the complete railway. In doing so, it provided a demonstration of acceptability of risk in a compliant manner.
The railway level hazard identification was performed as three one-day workshops supported by relevant disciplines including Heads of Discipline and witnessed by the AsBo. RSSB and London Underground risk models were used as inputs into the workshops and the resultant RLHS was a large an amalgam of these inputs which have a very strong pedigree. The workshops were carried out after the Tier 1 contracts had been let but remained effective in confirming that the original set of requirements defined in those contracts should lead to an acceptably safe railway when fully integrated. The AsBo assessed and supported the approach.
The safety requirements identified in the RLHS were developed and described at high level in a set of twelve Strategic Engineering Justifications (SEJs). The SEJs articulated the safety requirements for the specific aspect of the project and described at high level the Risk Acceptance Principles applied for mitigating each hazard. This process also verified that the mitigations necessary were already established within the various strategic design documents produced at the earlier stage of the project, for example, that the necessary mitigations for fire and evacuation hazards were already communicated to the necessary parts of the Crossrail Project through developed fire strategy documents.
The framework of the risk management process was based on the analysis and evaluation of hazards using one or more of the following risk acceptance principles[1]:
- Application of codes of practice (COP)
- Comparison with similar systems (reference systems – SRS)
- Explicit risk estimation (ERE)
The SEJs identified in each case which of the above risk acceptance principles have been applied.
There were 12 Strategic Engineering Justifications covering key topics:
- Fire, Evacuation and Ventilation
- Electromagnetic Compatibility
- Earthing and Bonding
- Tunnel Drainage and Flood Protection
- Alarms and Security
- Cyber Security
- Lighting
- Platform Train Interface
- Civil Design
- Access and Maintenance
- Station Crowding/Sizing
- Train Collision and Derailment
The evidence that the Safety Requirements (SRs) identified in the RLHS and recorded in SEJs have been met is presented by CRL in the Alignment Matrix (AM)[30]. The evidence in the AM provides traceability to evidence for each requirement in one of three ways:
- A link to the Crossrail Project Functional Requirements (CPFR)
- A link to the Derived Safety Requirements (DSR) in the PWHR
- Identification of specific evidence that provides the compliance with the SR
The purpose of the Alignment Matrix is to demonstrate that:
- All railway-level hazards have been controlled
- Safety requirements defined in the SEJs can be traced to requirements allocated to contractors
- The contract-level safety requirements have been implemented and verified
The Alignment Matrix contains the full set of railway-level hazards and requirements for the final configuration of the railway to support the argument made in the element-level and COS-level SJs that safety requirements are sufficient and have been implemented for the final configuration of the railway. Figure 2 illustrates the link between RLHS, SEJs and Alignment Matrix.
Figure 2 – RLHS, SEJs and Alignment Matrix
3.4.2 Hazard Identification and Risk Management
The Framework Design Contractors (FDC) and Tier 1 Design and Build (D&B) contractors produced System Safety Plans and System Definitions for their scope to facilitate Hazard Identification. The contractors have undertaken numerous Hazard identifications (HAZIDs) and Hazard and Operability studies (HAZOPs). The output of these studies resulted in hazard log reports and a dedicated PWHR module for each work package. All identified hazards were recorded and managed in the PWHR (see section 3.4.5 for details).
Hazard identification and hazard management, being the basis of CSM and considering contractors collectively, took months (and in some cases years!) to complete and more months to define the safety requirements, agree risk acceptance principles, and transfer of risk control actions. In hindsight, particularly for stations, CRL could have provided more structure for hazard identification for a generic station and for the contractor to add the specifics of the applicable station.
3.4.2 Hazard Identification and Management for Interim Stages
Additional Hazard Records were established for the management of transitional risks (for example Bond Street Station which was incomplete at EiRS). They were operated in parallel with the end state Hazard Record – the PWHR. The governance and application rules of interim hazard management were those of the PWHR. This includes operating the Hazard Review Panel (HRP) for proposed transfer of interim operational and maintenance risk control actions (RCA) identified as necessary to ensure risk was managed to an acceptable level.
3.4.3 Management of Hazards across Interfaces
CRL contractors have managed their interfaces in accordance with CRL Procedure for Interface Management[29]. Each contractor identified interfaces with other contracts, and each interface had a lead contractor responsible for the interface definition and for providing assurance for the interface. To manage and control the risks associated with these interfaces, contractors have produced and maintained the Interface Requirements Specifications (IRSs) and Interface Control Documents (ICDs). Specific management was used in areas of special complexity where multiple contracts come together.
In accordance with the Hazard Management Procedure[18] a number of Interface Hazard Analysis workshops were undertaken to identify and manage hazards across interfaces. Where necessary hazards and/or risk control actions deemed to be outside the contracts scope, were transferred to the appropriate responsible party.
All transferred hazards and/or risk control actions were dynamically mapped from one contract PWHR to another. Evidence against each was provided by the respective contractor who has accepted the hazard or risk control action.
3.4.4 Project Wide Hazard Record
The Project Wide Hazard Record (PWHR) was the key management tool used to record and track the hazards identified during the Crossrail Project. PWHR was a live database, maintained in the Dynamic Object Orientated Requirements Management System (DOORS), which provided the central control and electronic reference for the traceability of the hazard management activities for the Crossrail Project. The PWHR was maintained throughout the life of the project to provide a record of all the Crossrail design, operational and maintenance safety hazards identified and the progress on resolving safety risks associated with these identified hazards. CDM hazards which affected the operational railway were also recorded in PWHR.
The principle applied was that all reasonably foreseeable hazards identified were recorded, reviewed, accepted, referenced, mitigated (generation of Risk Control Actions RCAs and identification of IM control actions to be transferred via the Hazard Review Panel (HRP) Process), resolved and ultimately closed out or transferred to another stakeholder (or contractor) to deal with as detailed in the PWHR Process[11].
The PWHR contained much of the evidence for compliance with the CSM RA Regulation and did this in an effective and efficient manner. Hazards had closure recorded as compliance to codes of practice. It had also been necessary to undertake an Explicit Risk Estimation (ERE) to support the evidence of closure of several hazards. All design changes issued under project management instructions (PMIs) were reviewed and assessed by the respective ESM representative and any new associated hazard added to PWHR.
The PWHR was also the basis for the conduct of Hazard Review Panels (HRP) meetings. The risk control actions to be transferred to the IMs/Operators were recorded in Safety Issue Files (SIFs) within the PWHR.
As described above it is evident that the PWHR was the repository for the hazard and risk management activities that are core to satisfaction of the CSM RA Regulation. The AsBo witnessed application of the CRL Hazard Identification meetings. The AsBo was provided with online access to the PWHR and observed the effective operation of the HRP meetings satisfying itself concerning the rigour and effectiveness of application of hazard management procedures.
3.4.6 CRL Risk Model
Crossrail has developed the Crossrail Risk Model (CRM). The CRM estimated the individual risk for high consequence / low frequency hazards (such as train derailment). The CRM quantified risk by identifying contributing accident sequences by applying fault tree analysis and event tree analysis. The CRM was based on industry recognised risk models (the mainline railway RSSB Safety Risk Model and the London Underground QRA) and has been modified for the specifics of the Elizabeth line operation[28].
The model provided a structured means for considering any proposed options for mitigating risk. The model was a structured representation of the following seven hazards that potentially could lead to injuries and/or fatalities:
- Collision between trains
- Derailment
- Train fire
- Station fire
- Platform Train Interface
- Train held in section (hot/humid conditions on train, detrainments etc.)
- Flooding
CRL used the risk model to:
- Provide a design risk baseline against which changes to the design basis or operating concept can be evaluated
- Provide a means for assessing risk reduction associated with implementing proposed control measures
- Influence and assess the implications of detailed risk assessments to be undertaken by the suppliers of key systems
- Identify the risk to the railway system from human errors; thus, allowing dominant human errors to be targeted for specific task analysis and mitigation
The CRM considered risk to workforce, passengers/customers and members of the public.
The CRM showed that CRL railway was better in terms of individual risk compared to other UK railways.
The CRM was transferred to the IM for its future use when assessing the risk of changes to the railway.
3.5 Safety Justifications and Dependencies
3.5.1 Safety justifications
CRL developed integrated Safety Justifications for each Element of the COS (Stations, Shafts and Portals) and for each railway system (Track, Platform Screen Doors, Tunnel ventilation, Signalling, Power, Route Control Centre and Communications and Control) as well as specific Safety Justifications (covering the fringes with Network Rail, Civils, Train-Signalling integration, Earthing & Bonding and Electromagnetic Compatibility). While Safety Justifications were not mandated in the CSM RA Regulation, they were an expected part of completion of any engineering safety process and comprise the evidence required by Annex 1, Section 5.1-5.2 of CSM Regulation.
As part of the progressive delivery and assurance of the railway, the SJs were initially compiled for EiTR, and then updated, as more functionalities became available, for the following stages EiTO and EiRS and finally completed for End State.
The input to the integrated SJs were the contractors’ Engineering Safety Justifications (ESJs) which were in turn updates to the Design Engineering Safety Justifications (DESJs) produced at the Final Design Overview (FDO) stage. Some of these ESJs were themselves built on product safety cases.
See Figure 3 for the hierarchy of Safety Justifications and the build up to the integrated COS Safety Justification.
Figure 3: COS Safety Justifications and other Deliverables
3.5.2 Dependencies and Risk Statement Summary
The safety arguments in the integrated COS SJ and Element/Railway systems SJs have been accepted by the relevant system review panels, at each key milestone, with a manageable level of dependencies. This allowed the Project to de-risk on-time delivery and focus on dependencies.
CRL created a process for controlling unresolved dependencies by:
- Understanding the technical scope limitations, associated risk and identifying any associated Operational Restrictions and Interim maintenance arrangements to mitigate the risk.
- Tracking closure rate. The status of the underlying safety dependencies is provided by the Safety Dependencies Master Tracker.
Dependencies were closed or mitigated in the tracker via two mechanisms:
- Safety Justification Joint Dependency Closeout Workshop (SJJDCW); and
- Structured Engineering Judgement (St.EJ) Panel
To achieve this, CRL provided the status of the dependencies and their acceptability in terms of safety risk in the form of the Risk Statement Summary at each key milestone. The Risk Statement Summary for each milestone was presented to the relevant Safety Review Panel.
3.6 Safe Integration
The CRL requirements for safe integration were based on RSSB Guidance on the CSM RA and were met through demonstration of:
- Safe integration of the COS into the SMS of COS duty holders
- Safe integration of the COS with adjacent parts of the network
- Safe integration of the COS with the trains operating over it and safe integration of the COS with the vehicle characteristics defined in TSIs and national rules
- Safe integration between elements that compose the COS network
- Safe integration between the components composing an element
All the above were demonstrated in the relevant CRL Safety Justifications (see Figure 3).
4 CRL System Safety in Numbers
To make the Integrated argument for the COS (see Figure 4):
- 40 Safety Justifications were produced by CRL – most of these were subject of at least 3 iterations up to formal acceptance so 120 at least formalised and accepted SJs!
- 48 Engineering Safety Justifications produced by the contractors, reviewed and accepted by CRL – also with many iterations
- 15 Product safe cases reviewed and accepted by CRL
- Over 6000 hazards identified and managed in PWHR
- Over 4000 Derived Safety Requirements identified and managed
- Over 3500 Risk Control Actions agreed with the IM
- 50 plus risk assessments carried out by CRL and many risk assessments completed by the contractors under their risk management
- Over 600 dependencies managed to closure.
The deliverables above were reviewed/updated at EiTR, EiTO and EIRS.
Figure 4: Build Up of the Integrated COS SJ
5 Lessons Learned and Recommendations for Future Projects
There have been many lessons learned during a process that has taken several years to complete, however some of the key ones, along with recommendations for future projects are as follows.
- Adopting a progressive engineering and safety assurance approach: With a Project as complicated as Crossrail, with multiple contracts and complex interfaces, there was never going to be an ideal time to run a process that aimed to review and assure the complete scope. The lesson was learnt that progressive safety assurance is required. Choose a time, put a line in the sand and identify all the acceptable dependencies that allow moving to the next milestone and to then close these out through controlled processes. The introduction of different stages (e.g., FDO, EiTR, EiTO, EiRS and Close out) helped taking the CRL Project to completion in a controlled manner.
- Imposing a strict management process: The volume of safety issues that were raised because the functionality of element/systems was not complete, at a given milestone, was not fully appreciated until a significant number of reviews had been held. It became clear that it was a significant task, requiring dedicated resources, to manage the maintenance and close out of the safety issues (dependencies tracker, see section 3.5.2). A robust mechanism was required and even though this evolved as the process was implemented it proved to be very effective. The recommendation would be to not underestimate the number of issues that a task of this size will reveal and to have a system in place that is appropriate to manage a significant number of issues ‘live’, that constantly require secure access and updates by several different parties, often at the same time. It needs to be robust, have the necessary controls in place with regards to close out of issues and, with frequent updates required and reporting statistics to be extracted; the more automated it can be, the better.
- Consistency of safety management approach through all contracts: For a complex project with different contractors, consistency of ESM/CSM processes across all contractors is of prime importance. Having strong processes that the whole Project abided to, a single Hazard Record for the whole Project, and a central CRL team overseeing and reviewing all contractors’ deliverables was essential. Each contractor worked as a Project Entity for CRL, it was then for CRL to integrate beyond that secured within the obligations defined in those contracts.
- Progressive review process: Safety documentation was one of the biggest parts of the documentation mountain that CRL had to climb. The management of its structure and the hierarchy shown in Figure 3 and Figure 4 and progressive acceptance of plans first then safety justifications with dependencies by the relevant panels allowed the Project to progress from one stage to the next culminating in authorisation by ORR. In some cases, the review included 6 levels namely Contract internal review, ISA, CRL internal review, AsBo, RFLI and System Review Panel. It was felt, at times, that there were too many reviewers and that the review process was disjointed. Integration of comments by a single stakeholder representative (for a given submission) should limit number of comments.
- Impact of Covid and complete focus on deliverables: CRLs’ organisational response to the Covid pandemic saw a shift from working at an office to working at home, and for some tasks this proved very beneficial as it allowed for concentrated working on document delivery and flexible timing of peer reviews within teams. one of the success stories was the ability of the project team to adapt and evolve to make more use of remote working. That was achieved because the established secured relationships up to 2019.
- One team, one goal: CRL team shared the same goal and there was a strong communication of the goal at each milestone through weekly team meetings, team conferences etc, always challenging the silo mentality. Numerous interworking workshops were facilitated using a common set of effective tools such as PWHR, Dependency Tracker, Outstanding Work List, etc., which enabled remote working. There was a strong Project focus and early and effective escalation. Building trust with all stakeholders was not initially easy but was finally managed through open and honest working relationship.
6 Conclusion
Demonstrating System Safety, CSM RA compliance and acceptability of risk for a Project the size and complexity of Crossrail was a huge undertaking. CRL is one of the pioneers for the application of CSM RA to a large and complex project in the UK and the world. CSM RA provided an approach that was embraced by CRL but was an overlay onto a robust and established ESM regime.
Furthermore, using progressive assurance with strong management control processes, making sure that all involved abide to the same processes for consistency, always focusing on what to deliver when and working collaboratively proved invaluable to manage the Crossrail project to its completion, meeting its legal obligations and being authorised for passenger service.
7 References
[1] Common Safety Method for Risk Evaluation and Assessment (CSM-REA) Regulation EU 402/2013, as it has effect in domestic law following amendments made by Rail Safety (Amendment etc.) (EU Exit) Regulations 2019.
[2] Crossrail Engineering Safety Management Reference Manual, CRL1-XRL-O8-GML-CR001-50001
[3] Engineering Safety Management System Safety Plan, CRL1-XRL-O7-GST-CR001-00001
[4] System Safety Plan Implementation Strategy, CRL1-XRL-O8-STP-CR001-50007
[5] Volume 2B – General Requirements – Part 32 Contractors Engineering Safety Management Requirements, CRL1-XRL-O8-XWI-CRG03-50002
[6] Engineering Safety Management Competency Assessment – Guidelines, CR-XRL-O8-GUI-CR001-50001, Rev 1.0
[7] Integration Engineering Safety Management – Competency Routemap – CRL1-XRL-O8-GPS-CR001-50036
[8] Guidelines and Etiquette for Undertaking HAZID and HAZOP Workshops, CRL1-XRL-O8-GPS-CR001-50010
[9] Crossrail Hazard Review Panel Terms of Reference, CRL1-XRL-O8-GPS-CR001-50009
[10] Crossrail Format and Process for Overall Safety Justifications, CRL1-XRL-O8-GPS-CR001-50012
[11] Project Wide Hazard Record Process, CRL1-XRL-O8-GPS-CR001-50013
[12] Crossrail Review and Approval of Contract Engineering Safety Management Deliverables, CRL1-XRL-O8-GPS-CR001-50015
[13] Crossrail Delivery Contracts Standard Engineering Safety Management Requirements Specification, CRL1-XRL-O8-GPD-CRG03-50001
[14] Technical Note on the use of Project Wide Hazard Review (PHWR) in Engineering Safety Management (ESM), CRL1-XRL-O8-GPS-CR001-50024
[15] Requirements for the Creation, Format and Provision of a Design Engineering Safety Justification (DESJ), CRL1-XRL-O8-GPS-CR001-50025
[16] Crossrail Common Safety Methods Hazard Assessment Process, CRL1-XRL-O8-GPS-CR001-50003
[17] Crossrail Notified National Technical Rules Guidance on Stakeholder Consultation, CRL1-XRL-O8-GUI-CR001-50002
[18] Engineering Safety Hazard Management Procedure, CRL1-XRL-O8-GPD-CR001-50002
[19] Crossrail Format and Process for Engineering Safety Justifications for Systems, CRL1-XRL-O8-GPS-CR001-50004
[20] Design & Build Contract Assurance Design Gate Engineering Safety Management Review Process, CRL1-XRL-O8-GPS-CR001-50014
[21] Crossrail Process and Format for Product Breakdown Structures for Systems, CRL1-XRL-O8-GPS-CR001-50002
[22] Crossrail Process and Format for Comparative Risk Assessments, CRL1-XRL-O8-GPS-CR001-50007
[23] Crossrail Delivery Contracts Engineering Safety Management Surveillance and Audit Process, CRL1-XRL-O8-GPS-CR001-50006
[24] Crossrail Design & Build Contract Assurance Stage Gate Engineering Safety Management Review Process, CRL1-XRL-O8-GPS-CR001-50014
[25] Crossrail Systems Integration Review Panel (SIRP) Terms of Reference & Management Procedure, CRL1-XRL-O8-GPS-CR001-50016
[26] Maintenance Integration Review Panel (MIRP) – Workshop Guidelines, CRL1-XRL-O8-GUI-CR001-50011
[27] CRL Railway-Level Hazard Structure Report, CRL1-XRL-O8-RGN-CR001-50156
[28] Crossrail Safety Risk Model, CRL1-XRL-O8-RGN-CR001-50512
[29] Procedure for Interface Management, CRL1-XRL-O8-GPD-CR001-50001
[30] Alignment of Safety Evidence to Key Hazards Railway Level, CRL1-XRL-O8-XMO-CR001-50002
-
Document Links
-
Authors
Hayat Zerkani PhD BSc CEng MIET - Crossrail Ltd
Hayat Zerkani is the Head of System Safety & Interoperability at Crossrail. She is responsible for delivering System Safety Assurance and Interoperability compliance for the Elizabeth Line Central Operating Section. Hayat gained her PhD from Sheffield University in Control Engineering. She has been in the railway industry for 23 years, initially in consultancy with Mott MacDonald and Praxis working in projects worldwide then in Transport for London for the last 18 years. She has been seconded to Crossrail since May 2016.