A comparison of engineering processes related to safety between the offshore and railway sectors


DEGREE PROJECT IN MECHANICAL ENGINEERING, SECOND CYCLE, 30 CREDITS
STOCKHOLM, SWEDEN 2016

A comparison of engineering processes related to safety between the offshore and railway sectors

MORTEN JARVIS WESTERGÅRD

KTH ROYAL INSTITUTE OF TECHNOLOGY
SCHOOL OF ENGINEERING SCIENCES

Preface

This is a Master of Science thesis in Naval Architecture, course code SD271X. It is conducted at the KTH Centre of Naval Architecture in collaboration with KTH Industrial Economics and Management.

Abstract

After a period of high activity within the offshore sector in Norway, it now experiences a decrease in activity. At the same time, the railway sector is experiencing high activity and new investments. This leads to a shift in the need for engineering expertise. A relevant area of expertise is the design and engineering processes related to safety. This is a study of such processes in the two industries, based on a comparison of the relevant industry standards, and supported by impressions collected in interviews. The purpose of this study is to investigate the agility of the transfer of safety engineers from the offshore industry into the railway industry.

The study shows that the principles of safety engineering are built on the same grounds. There is, however, a difference in management approach, and in the use of certain tools and methods. The offshore industry has a more developed quantitative approach, while the railway industry relies more exclusively on qualitative methods. The offshore industry seems to be more narrow and specialized in its approaches, while the railway industry relies on a broader concept of safety engineering. The study shows that safety engineers are not very dependent on deep technical knowledge, but they need to be able to control the processes in a manner that utilizes the knowledge of other experts to analyse the systems under consideration. Even if the technical skills might not be crucial, it seems evident that being able to communicate on the premises of the industry is vital. This seems like an area relevant for specific training for new safety engineers entering the railway industry.

Railway RAMS[1] management has been implemented during the last decade, where quantitative methods are gradually being introduced. Safety engineering has historically been based on the experience of the engineers in the railway industry. The new approach, with an increased focus on reliability and availability, can be a good chance for offshore engineers to bring their expertise to use within a new field of engineering. Even if the overall concept of the industry applications is somewhat different, this study shows that the structure and working methods are similar enough for an agile transfer between the industries.

[1] Reliability, Availability, Maintainability, Safety

Acknowledgements

I wish to give my gratitude to those who have contributed to this thesis. I am very grateful for the collaboration between the departments of Naval Architecture and Industrial Economics and Management. This had not been possible without the willingness from Anders Rosén, Pernilla Ulfvengren and Bo Karlson. I would give my thanks to Bjørn Axel Gran at Safetec Nordic AS, for proposing an interesting and relevant task. It gave me the opportunity to specialise into a subject highlighting my specialisation within management at the Master Programme in Naval Architecture. Discussions throughout this project have been invaluable. A special thanks also goes to Pernilla Ulfvengren and Matthew Stogsdill from the Department of Industrial Management and Economics. You have been beyond helpful in the supervision of my work, and given the thesis the right academic layout. Last but not least I would like to thank Anders Rosén for his open-minded guidance with a thesis a bit on the border of pure Naval Architecture.

Contents

1 Introduction
  1.1 Background
  1.2 Objectives
    Research questions
  1.3 Limitations
2 Safety Engineering At A Glance
  2.1 Introduction of the theoretical background of the study
  2.2 Basic Terms of safety engineering
  2.3 Some important safety engineering concepts
    RAMS
    Barriers
    Common cause failures
  2.4 Management of safety
    Management of functional safety in the offshore industry
    Management of railway RAMS
  Measuring and evaluation of risk
  Verification, Validation and Assessment
  The Risk Analysis Process
    Hazard Identification
    Causal Analysis
    Accident Scenarios
    Accident models
    Relevant methods for analysis of technical systems
3 Applications in the industries
  About the industry applications
  Offshore technology and safety applications
    Offshore technical system
    Offshore hazards
    Use of safety barrier concept
    Development leading to new challenges in the offshore industry
  Railway technology and safety applications
    Technical system
    Hazards and use of barrier concept
    Development leading to new challenges
4 Method of comparison
  Introduction to the method
  Comparison of the standards
  Interviews
  Delimitations
5 Results of comparison
  Comparison of items from the generic industry standards
    About the standards
    Management of safety
    Life cycle design phase
    Verification, validation and assessment
    Measuring risk
    Competence requirements
    Documentation
  Impressions from the industries
    Industry applications
    Risk analysis
    Implementations of the standards
    Competence
    Documentation
    Communication and information flow
    Transfer of competence
    Trends
6 Discussion
  Overall considerations
  Comparison of standards
  Impressions from interviews
  Other
  Further work
7 Conclusion
A Introduction to industry practices
  A.1 About the standards
B Offshore
  B.1 Management of functional safety
    B.1.1 Connection between functional safety and overall quantitative risk analysis
    B.1.2 Responsibilities
    B.1.3 Follow-up
  B.2 Design phase of the life cycle
  B.3 Barriers and safety functions
    B.3.1 SIS design and engineering
  B.4 Measuring risk
  B.5 Verification, Validation and Assessment
  B.6 Competence
  B.7 Documentation
  B.8 Definition of safe state
C Railway
  C.1 Factors influencing RAMS
  C.2 Design phase of the system life cycle
    C.2.1 Concept
    C.2.2 System definition and application conditions
    C.2.3 Risk analysis
    C.2.4 System requirements
    C.2.5 Apportionment of system requirements
    C.2.6 Design and implementation
  C.3 Measuring risk
  C.4 Verification, Validation and Assessment
  C.5 Competence
  C.6 Documentation
D Question sheet from interviews

Abbreviations and definitions

JBV - Jernbaneverket (Norwegian government's agency for railway services)
NOG - Norsk Olje & Gass (Norwegian oil & gas association)
Ptil - Petroleumstilsynet (Petroleum Safety Authority Norway)
RAMS - Reliability, Availability, Maintainability, Safety (acronym)
SIL - Safety Integrity Level
SIS - Safety Instrumented System
SJT - Statens Jernbanetilsyn (Norwegian Railway Authority)

Chapter 1 Introduction

1.1 Background

Safety is a necessity in all technical systems. A safe system is a system where the risks of hazards are controlled or eliminated, to obtain a level of risk that is considered safe. Safety engineering is about using engineering and scientific methods to ensure that technical systems are designed to avoid failures in connection with potentially hazardous events. It is an interdisciplinary field, where the safety engineer needs to be able to gather knowledge from other specialists in order to identify hazards, develop effective measures against them, and make safe operations possible. While a safety engineer cannot be an expert in all engineering fields within a technical system, he or she should be able to address the safety issues of these fields, in order to control or eliminate the relevant hazards (Spellmann, 2004).

Safety engineering is predominantly about managing risk. The term risk is ambiguous, but in engineering it is in most cases linked to uncertainties about future events or activities, and their possible negative consequences. The risk management process is a vital part of constructing a safe and reliable system. Nor should a successful risk management process be underestimated as a positive contributor to the overall business performance of an engineering project. Increased design life and reduced life cycle costs are some positive effects of a successful risk management process (Verma, 2010). According to Verma (2010), the following factors are some of the reasons why risk engineering is important in a modern technical system:

- Increased product complexity.
- Accelerated growth of technology.
- Public awareness and customer requirements.
- Modern safety and liability laws.
- Competition in the market.
- Past system failures.
- The cost of failure, damage and warranty.

Safety measures are most effective when implemented in an early design phase of a system. This is where the costs of changes are smallest, and the possibilities for changes biggest. Figure 1.1 shows this relationship between the cost of change and the ability to make changes.

Figure 1.1: The relationship between the cost of changes and the ability to make changes (A.W. Hooker).

The Norwegian offshore oil and gas industry has developed extensive knowledge of risk assessment and prevention of accidents through design. Production within confined spaces forces the use of effective safety barrier systems within the design. This also includes prevention of human errors through the design of workplaces. A central tool in the design of inherent safety measures is the quantitative risk analysis. The industry has developed a community of technical experts with extensive knowledge of safety barrier systems. This is a result of the heavy investments in, and commitment to, safety in the offshore industry over the last decades (Kjellén, 2007).

RAMS[1] engineering in the railway industry is closely connected to the goal of the railway system (i.e. providing a defined safe level of railway traffic within a certain time) (Cenelec, 2006). Risk analyses in the railway industry received more attention during the 1990s. This was driven by organizational changes and increased technical complexity in railway operations (Rausand, 2011, p.532). European safety directives are mainly driven by the increased commitment to the ERTMS[2] and the collaboration with the rest of the European continent. In Norway, Jernbaneverket[3] (JBV) is increasingly committing to RAMS management, which drives forward the focus on the RAM parameters in line with safety.

After a period of high activity within the offshore sector, it now experiences a decrease in activity. At the same time, the railway sector is experiencing high activity and new investments. This leads to a shift in the need for engineering expertise. A proposed strategy is to readjust personnel from the offshore to the railway sector. The success of such a strategy depends upon the agility of the transfer between the sectors. A relevant area of expertise is the design and engineering processes related to risk and safety. How well do the Safety Management Systems compare? Are the industry-specific design processes related to risk and safety comparable? The aim of the analysis is to answer questions like these. The analysis will provide a basis for the comparison of competence requirements between the sectors. However, it is outside the scope of this work to provide the competence analysis itself.

[1] Reliability, Availability, Maintainability and Safety
[2] European Rail Traffic Management System
[3] Norwegian government's agency for railway services

1.2 Objectives

The aim of this study is to deliver a comparison analysis of the safety engineering principles of the railway and offshore sectors. More specifically, the study will provide:

1. A background on safety engineering.
2. A brief summary of the safety engineering applications within the railway and offshore industries.
3. A comparison of:
   (a) the industry standards of the generic applications of safety engineering,
   (b) the practices and impressions gathered through a series of interviews with specialists.

Research questions

The following main research questions provide the base for the study:

- Are the engineering processes related to safety comparable within the two industries?
- How do the industry applications of safety engineering affect the approach to technical safety?
- What are the strengths and weaknesses of an offshore safety engineer moving into the railway industry?

1.3 Limitations

This is a thesis in collaboration with the Norwegian company Safetec Nordic AS (Safetec). The analysis is performed with a focus on the Norwegian offshore and railway industries. This requires the use of standards, theory and other data collection based in the Norwegian industry. The analysis aims at being as generic in its claims as possible; however, the influence of this company and its partners, which provide the background material for this study, cannot be avoided. The study focuses on the generic picture of the safety processes. This is based on the choice of industry standards studied, provided by Safetec. Even if this study focuses on the generic applications of EN (Cenelec, 2006) and IEC (IEC, 2010), it is worth mentioning that these standards are closely related to several other safety-specific standards with applications within both industries. The study can be likened to a toolbox: the intention is to present the tools and the context in which they are used, but not necessarily to state explicitly how they are used. This is anchored in the background of the study, and its possible use from a human resources perspective.

Much of this study is based on an interview process. The participants were chosen according to convenience through Safetec. This was done because of the need for in-depth expertise within the field. Safetec could provide this by making some employees available for the study. The data collected from the interview process is not intended to support any generalized scientific claims, but it will highlight important issues to support the comparison study. Based on the range of the interviews, they act more as anecdotal evidence (i.e. brief accounts of individual perceptions of the subject). This means that the influence of personal opinions cannot be neglected. However, the views presented in this study are made as general as possible by cross-checking the opinions of the interviewees.

Chapter 2 Safety Engineering At A Glance

2.1 Introduction of the theoretical background of the study

This chapter is devoted to the theoretical background of the safety engineering concepts presented in this study. Concepts from the generic safety standards of IEC and EN form this baseline. The chapter also includes a further explanation of the risk analysis process, as it is a cornerstone of the risk assessment inherent in safety engineering. The chapter will also briefly account for relevant concepts, and the theory behind the comparison of the industry applications. To provide a base for understanding, and to prevent confusion related to other meanings of the terms, the following section provides definitions of some of the basic terms the thesis deals with. Terms like risk and safety are ambiguous and vary hugely with the context they are used in. Risk can have a positive meaning (as in economics), but in risk engineering it is strictly connected to unwanted outcomes of hazardous events. This theory chapter is, as mentioned, based on a background study of the industry standards of IEC and EN. The background study is given in its entirety in appendices A-C. Reference is made to the appendices for a separate view of the industry practices.

2.2 Basic Terms of safety engineering

Some of the terms related to risk and safety engineering are commonly used in everyday conversation. It can therefore be useful to define some basic terms, so that the reader and writer share the same perception of the words in this context. The definitions are inspired by or cited directly from Rausand (2011).

A major accident is defined by Jersin (2003) as a sudden unwanted event satisfying one of the following criteria:

- Five or more casualties.
- Material damages of 30 million NOK (based on the currency value of 2003).
- Great environmental damages.

Major accident prevention is central in most authority regulations regarding safety. Besides having tremendous impacts on humans on a personal level, it often causes great socio-economic consequences. However, for those concerned, a life can never be justified against economic or environmental losses. This makes the safety of persons the main concern in safety engineering across all industries.

A hazard can be defined as a source of danger that may cause harm to an asset (Rausand, 2011, p.66). The connection to the release of energy or the exposure to dangerous materials springs easily to mind, but it also relates to other potential causes of harm such as degradation of materials, stability problems or simply the lack of a safety culture.

An initiating event can disturb the normal operation of a system, and can further lead to a hazardous event that, if not controlled, may lead to some undesired consequence.

Risk is the probability of an unwanted event with the potential to cause harm.

Safety is defined as a state where the risk has been reduced to a level that is as low as reasonably practicable (ALARP) and where the remaining risk is generally accepted (Rausand, 2011, p.61).

An accident is an unplanned event with an undesirable outcome. A sequence of events from an initiating event to an end event is called an accident scenario.

RAMS is an acronym of the parameters reliability, availability, maintainability and safety.

Safety integrity is the likelihood of a system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time (Cenelec, 2006).

Equipment under control (EUC) is a designation for a part of a technical system. It makes it possible to distinguish between different parts of the system from a safety point of view.

A failure can be defined as the termination of a required function, and a failure mode as the effect by which a failure is observed on a failed item. A failure mode describes how the failure happens and the impact it has on the operation.

2.3 Some important safety engineering concepts

This section provides a brief description of some important concepts central within safety engineering. They are presented here to give a theoretical basis before they are presented within their applications. The extraction of these elements is also a suggestion of their importance within the subject.

RAMS

Introduction to RAMS

This summary of RAMS is based on the work of Stapelberg (2009). The concept of RAMS in the field of safety engineering is driven by modern applications demanding near 100% availability. Both the public and regulatory views of safety have changed, and the tolerance for accidents in modern applications is decreasing (Bagia, 2012). In the design and construction of large engineering systems, engineering integrity is an important attribute. Increasing complexity due to both technology and the integration of many systems leads to a need for the determination of the design integrity of the system. The integrity relates to the reliability, availability, maintainability and safety of the system. The RAMS methodology is a logically structured approach to determine the integrity of engineering design. While general engineering design focuses on the achievement of the design criteria, the RAMS methodology typically focuses on what to assure if the design criteria are not met (Stapelberg, 2009). This is done through a focus on design analysis and reviews of the engineering design, with the goal of reaching a desired engineering integrity. To understand what the RAMS attributes, i.e. the engineering integrity of the system, imply, it is worth looking at the definitions of these four topics according to Stapelberg (2009).

Reliability is the probability of successful operation or performance of systems and their related equipment, with minimum risk of loss or disaster, or of system failure. Reliability is closely connected to the effects of failures of the system, and this is a natural part of the analyses when designing with reliability in mind.

Availability is that aspect of system reliability that takes equipment maintainability into account. Reviewing the availability of the design involves looking at the consequences of unsuccessful operation or performance of the integrated systems and the critical requirements necessary to restore operation or performance to design expectations.

Maintainability relates to the downtime of the systems. Designing for maintainability requires an evaluation of the accessibility and repairability of the inherent systems and their related equipment in the event of failure, as well as of integrated systems shut-down procedures during planned maintenance.

Safety can, according to Stapelberg (2009), be divided into three categories related to the three main assets, i.e. persons, equipment and the environment. To avoid including several definitions of safety, reference is made to the definition from Rausand (2011): Safety is a state where the risk has been reduced to a level that is as low as reasonably practicable (ALARP), and where the remaining risk is generally accepted.

Measuring RAMS

The empirical understanding of the RAMS parameters can be linked to different aspects of probability theory and statistical techniques. To give a quantitative measure of the parameters, one depends on obtaining data from past experience or observations. Reliability can be interpreted as the probability of performing successfully. Its assessment can be related to data on the success or failure of the intended function of systems or equipment. Such a measure is typically connected with an estimate of the significance of the data obtained, i.e. the confidence level of the results, which depends upon the amount of data obtained for the estimate. Availability and maintainability are based upon time-dependent phenomena with a probability distribution ranging from zero to one (Stapelberg, 2009). Availability (mostly related to systems) is a measure of total performance effectiveness. It deals with the two separate events of failure and repair. A Monte Carlo simulation can be employed based on the time-to-failure and time-to-repair distributions, which often take the form of Weibull and Poisson for time-to-failure, and log-normal for time-to-repair. Maintainability (mostly related to equipment) is a measure of the effectiveness of performance during the period of restoration to service. It deals with the same difficulty as reliability, i.e. relying on only one random variable leading to one type of event. Its trustworthiness hence relies much on the confidence level of the data.

The difficulty in obtaining quantitative measures of these concepts is that the data for the different parameters can be difficult to obtain. The complexity of integrated systems also leads to difficulties in gathering reliable statistical data. When quantitative measures are hard to provide, another approach is necessary to determine the engineering design integrity. Qualitative methods bring in another approach to its determination. This implies the introduction of qualitative concepts, where uncertainty and incompleteness are central. In the context of engineering design, uncertainty can arise from the complex integration of systems, while incompleteness considers results obtained against those that are only possible. Thus it can be said that both quantitative and qualitative measures are important when considering the RAMS parameters of a system.
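As an added worked example (not from the thesis), the following Python script estimates availability by Monte Carlo simulation from the Weibull time-to-failure and log-normal time-to-repair distributions named above, reports a confidence interval that narrows with the number of simulated histories, and compares the estimate with the steady-state relationship A = MTTF / (MTTF + MTTR) that the MTBF/MTTR discussion in the next section relies on. All distribution parameters, the three scenarios and the 0.99 availability target are constructed assumptions.

```python
"""Added example (not from the thesis): Monte Carlo estimate of availability from
time-to-failure and time-to-repair distributions, compared with the steady-state
relationship A = MTTF / (MTTF + MTTR).  All parameters are constructed."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RepairableItem:
    """Failure and repair model of one repairable item (constructed parameters)."""
    weibull_shape: float   # shape > 1 models wear-out; shape = 1 is the exponential case
    weibull_scale: float   # characteristic life (hours)
    lognorm_mu: float      # mean of ln(time-to-repair), time in hours
    lognorm_sigma: float   # standard deviation of ln(time-to-repair)

    def mttf(self) -> float:
        """Mean time to failure of the Weibull distribution: scale * Gamma(1 + 1/shape)."""
        return self.weibull_scale * math.gamma(1.0 + 1.0 / self.weibull_shape)

    def mttr(self) -> float:
        """Mean time to repair of the log-normal distribution: exp(mu + sigma^2 / 2)."""
        return math.exp(self.lognorm_mu + 0.5 * self.lognorm_sigma ** 2)

    def steady_state_availability(self) -> float:
        """Long-run availability from the mean times alone: MTTF / (MTTF + MTTR)."""
        return self.mttf() / (self.mttf() + self.mttr())


def simulate_history(item: RepairableItem, mission_time: float, rng: random.Random) -> float:
    """Alternate operating and repair intervals up to mission_time; return the uptime fraction."""
    clock = 0.0
    uptime = 0.0
    while clock < mission_time:
        # Operating interval: a sampled time-to-failure, truncated at the end of the mission.
        ttf = min(rng.weibullvariate(item.weibull_scale, item.weibull_shape),
                  mission_time - clock)
        uptime += ttf
        clock += ttf
        if clock >= mission_time:
            break
        # Repair interval: a sampled time-to-repair, also truncated at the end of the mission.
        ttr = min(rng.lognormvariate(item.lognorm_mu, item.lognorm_sigma),
                  mission_time - clock)
        clock += ttr
    return uptime / mission_time


def monte_carlo_availability(item: RepairableItem, mission_time: float,
                             runs: int = 200, seed: int = 1) -> tuple:
    """Average the uptime fraction over many simulated histories.

    Returns (estimate, lower, upper): the mean and an approximate 95% confidence
    interval.  The interval narrows with the number of runs, in the same way that
    confidence in a field-data estimate depends on the amount of data collected.
    """
    rng = random.Random(seed)
    samples = [simulate_history(item, mission_time, rng) for _ in range(runs)]
    mean = sum(samples) / runs
    variance = sum((s - mean) ** 2 for s in samples) / (runs - 1)
    half_width = 1.96 * math.sqrt(variance / runs)
    return mean, mean - half_width, mean + half_width


# Constructed scenarios, in hours.  BASELINE: characteristic life 1000 h and a typical
# repair of about 8 h.  DEGRADED: a reliability problem shortens the characteristic life
# to 600 h.  COMPENSATED: the same reliability problem, but repair capacity is increased
# so that a typical repair takes about 3 h.
BASELINE = RepairableItem(1.5, 1000.0, math.log(8.0), 0.5)
DEGRADED = RepairableItem(1.5, 600.0, math.log(8.0), 0.5)
COMPENSATED = RepairableItem(1.5, 600.0, math.log(3.0), 0.5)
AVAILABILITY_TARGET = 0.99  # constructed requirement


def meets_target(item: RepairableItem, target: float = AVAILABILITY_TARGET) -> bool:
    """Availability requirement check on the steady-state value."""
    return item.steady_state_availability() >= target


if __name__ == "__main__":
    for name, item in (("baseline", BASELINE), ("degraded", DEGRADED),
                       ("compensated", COMPENSATED)):
        est, lo, hi = monte_carlo_availability(item, mission_time=20000.0)
        print(f"{name:12s} MTTF={item.mttf():7.1f} h  MTTR={item.mttr():5.2f} h  "
              f"A_steady={item.steady_state_availability():.5f}  "
              f"A_mc={est:.5f} [{lo:.5f}, {hi:.5f}]  target met: {meets_target(item)}")
```

The three scenarios also show the reliability-versus-maintainability trade-off: a shortened characteristic life drops the availability below the constructed target, and faster repair brings it back above the target without restoring the original reliability.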

Designing for RAMS

The safety analysis process is considered to be covered in an earlier part of the thesis. This section is therefore devoted to the concepts of reliability, availability and maintainability.

The reliability of a system is related to the ability to perform within the required performance levels. The reliability can consist of several performance variables. These variables should typically be specified with prescribed levels of performance. The design solution with the highest safety margin with respect to these performance levels will hence be the most reliable design. Reliability needs to be considered at several levels and in different phases of the design process. When designing at the system level in the preliminary phase, one needs to look at the assemblies of components, focusing on eliminating weak links (Stapelberg, 2009). Later on in the detailed design phase, when requirements at component level are identified, one can evaluate the implications of this at assembly level. This means a collective evaluation of the components after assembly.

Availability in design relates to the item's capability of being used over a certain time. In other words, it relates to the usage of the system or equipment over a specified period of time. A system component is available as long as it is able to perform within specification requirements in a certain period of time. The concept relates to reliability and maintainability in terms of mean time between failures (MTBF), mean downtime (MDT) or mean time to repair (MTTR).

Maintainability is defined as the probability that a failed item can be restored to an operationally effective condition within a given period of time. Designing for maintainability implies taking operational requirements into consideration for failures of the system. MTTR is also a measure relevant for this concept, as it is for availability. What distinguishes it from availability is that it looks at the restoration process of failed equipment, and not solely at the performance, as is the case when considering availability.

Barriers

A feature in a technical system that is introduced to interrupt a specified harmful event sequence is often called a safety barrier. These barriers have various forms of occurrence and intention. One distinction is the one between proactive and reactive barriers, exemplified in Figure 2.7. A proactive barrier aims at preventing a hazardous event, while a reactive barrier aims at reducing its effects. An important attribute of a safety barrier is that it should act independently of other barriers. This means that it should fulfil its function regardless of the failure of another barrier. More importantly, it should be unaffected by the condition that caused the other barrier to fail. Rausand (2011) presents several other names used for this concept. Names that appear a number of times in this study are safety functions/systems, safety critical functions/systems and layers of protection. Others include names such as countermeasures, defence measures, lines of defence and safeguards. Safety functions and safety systems appear a number of times in this study. They are used more specifically in relation to functional safety as presented in the offshore applications. The outline of a safety instrumented system is presented in the next subsection. The layers of protection become relevant in connection with a LOPA analysis, but are basically the same as a safety barrier. This becomes evident in the section about LOPA.

Safety Instrumented System (SIS)

A certain kind of active safety barrier system is the safety instrumented system. It consists of input elements, e.g. in the form of sensors, that connect to logic solvers, which interpret the information acquired from the sensors. The logic solver is in turn connected to the actuating elements, which perform the safety function itself. This actuating element can typically be a valve (e.g. in the process industry), or a similar mechanical element. A schematic presentation can be viewed in Figure 2.1. Relevant industry examples are dynamic positioning systems (DP) for floating offshore structures and automatic train stop (ATS) for railway systems.

Figure 2.1: SIS model as described in Rausand, 2011, p.372.

A SIS has a designated function, which aims at controlling a hazardous system, i.e. a deviation in the equipment under control (EUC). The deviations can be of high demand (e.g. dynamic positioning) or low demand (e.g. automatic train stop). This mode of operation has an influence when evaluating the reliability of the SIS. The IEC standards are specifically devoted to such systems.

Common cause failures

The failures of system components cannot always be distinguished as independent events. When one component failure affects the possibility of another component failure, they are said to be dependent. Dependencies can be of the sort that the status of one component is affected by the status of another. This is the case for spare components that are designed into the system to take over if the main component fails (i.e. redundant systems). External factors such as environmental impact can also cause several components to fail simultaneously. A common cause failure (CCF) is said to be the simultaneous failure of two or more components from a shared cause. The root cause is the most basic cause, which if prevented will stop the failure from happening. Besides the root cause, a number of factors such as the same design, location, maintenance etc. may contribute to a CCF event (Rausand, 2011). Common cause failures can say something about weak points in the system. A disadvantageous feature of CCF events is that the failure of several components at the same time might lead to a rapid escalation of an accident scenario. The cause of a single independent failure might be mitigated by other system functions, but when enough components fail at the same time it might be difficult to keep control of the situation.

2.4 Management of safety

Management of functional safety in the offshore industry

The standards enforced in the offshore industry, IEC and IEC 61511, have a strong focus on functional safety and safety instrumented systems (SIS). A safety instrumented system is an active system that functional safety relies upon. IEC (2016) summarises the meaning of functional safety in two bullets:

- Functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.
- Functional safety is the detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism to prevent hazardous events arising or providing mitigation to reduce the consequence of the hazardous event. (IEC, 2016)

The objective of the management of functional safety is to ensure that the safety integrity level is the cornerstone of the entire life cycle. Its implementation in the design phase is hence a crucial activity. Risk assessment is a vital part of developing functional safety requirements. Through hazard analysis, the required safety functions can be identified, and the risk quantification yields the safety integrity requirements (RockwellAutomation, 2016). Functional safety is a major contributor to the overall safety, but there are other aspects that contribute to the total risk-reducing picture. Besides the SIS, both other safety-related technology systems and external risk reduction facilities contribute to the total risk reduction.

Design phase related to SIS

IEC is based on the life cycle of the SIS. Even if the IEC standards focus on E/E/PE systems, the framework is similar to other safety-related systems, and to the overall project safety life cycle. A typical description of the early life cycle phases of an offshore project can, according to IEC (2002, app. E), be divided into:

- Investment studies
  - The feasibility phase
  - The concept phase
  - The pre-execution phase (PDO phase)
- Investment project execution
  - Detail engineering and construction phase
  - The final commissioning and start-up phase

The SIS life cycle activities can be put into context with these overall life cycle phases. The risk analysis and safety barrier design (protection layer) reach from the concept phase into the detail engineering phase. An as-built report is typically established and used as a living document even after the design phase of the life cycle. The safety barrier design starts in the pre-execution phase and concludes with a safety barrier specification in the detail engineering phase. The safety integrity level (SIL) of each safety function is an important part of the specification. The general safety requirement specification document is developed during this phase. The design and engineering of the SIS is also conducted at this stage of the life cycle.

The SIS design phase consists of the upper five boxes of the overall safety life cycle presented in Figure 2.2. The different phases are defined by their input, output and verification activities.

Figure 2.2: Overall safety life cycle with the design phase as the upper five boxes (IEC, 2010).

Management of railway RAMS

Management of safety in the railway industry relates to the management of the RAMS parameters as a whole. There is a certain separation between the RAM parameters and safety, but in general they are managed together in a railway system. RAMS management is based on controlling the factors influencing the RAMS requirements. These factors are given by Figure 5 in EN. The RAMS parameters are closely linked together and include parameters like reliability, availability and maintainability. They can be useful when categorizing the requirements and specifications connected to faults and findings of the system. The parameters are linked together by EN as shown in Figure 2.3. By using what can be interpreted as a broader concept of safety engineering, the concept of RAMS might make it easier to address the risk issue more specifically. Classifying a risk as an availability problem rather than a direct safety problem can be a way to handle the issue more efficiently, by utilizing the best suited parameters of the system to obtain the requested risk level (Winther, 2012).

Figure 2.3: The RAMS parameters inter-linked as in EN (Cenelec, 2006).

This can be shown with an example from (QGEN50126). Suppose we have a train approved for operation, but some errors still exist. The error can be categorized as a reliability issue, which is not necessarily a safety problem. However, the availability issue it causes might still affect the railway RAMS and its requirements. Looking at the connection between reliability and maintainability, it might be possible to increase the maintenance to compensate for the reliability issue. This could lead to the effect that the RAMS requirements are still fulfilled.

The management of railway RAMS in projects has a close connection to other general project components. The life cycle layout covers a general framework for the overall project execution, which also includes the RAMS activities. This is evident in the life cycle process described below, which highlights RAMS tasks related to a design phase description. The life cycle is in general a framework for the management of all aspects related to a railway system, and the RAMS tasks fit in as one of the components of this management system.

Design phase of RAMS activities

The life cycle design phase is divided into parts, where EN puts RAMS-related tasks into context with general project tasks. The layout of the design phase can be viewed in Figure 2.4. The following sections present briefly the scope of each phase and the related RAMS tasks. Each life cycle phase is presented in terms of its objectives, requirements, deliverables and the activities related to the corresponding verification and validation activities. A description of the general project phases as described in EN 50126, together with a list of RAMS-related tasks, is presented below.

Figure 2.4: Design phase according to EN.

Concept

The concept phase aims at establishing the scope and purpose of the railway project. A management structure should be formed in order to be able to realize the project. Feasibility studies and financial analysis are important measures to support the foundation of the project. RAMS-related tasks in this phase cover:
- Review of previously achieved RAMS performance.
- Consider RAMS implications of the project.
- Review safety policy and safety targets.

System definition and application conditions

The system definition includes the elements that define the system, together with interfaces and constraints regarding the boundaries of the system. A block diagram is typically used to describe the system definition. The system mission profile indicates the application of the system in order to cover the need it is intended for. RAMS-related tasks in this phase cover:
- Review past experience data.
- Establish safety plan.
- Identify influence on safety of existing infrastructure constraints.

Risk analysis

A part of the project solely dedicated to RAMS activities is the risk analysis. The main risk analysis includes identification of hazards, risks and events leading to hazards, and establishing a process for ongoing risk management. This analysis process might need to be revisited at several phases of the project. The hazard log is an example of a living document related to the risk assessment, which must be maintained through the entire life cycle of the system.

System requirements

A requirement analysis is performed, i.e. determining the needs and conditions for all stakeholder requirements in the project. The system demonstration gives a rough example to show the feasibility of the product. The overall acceptance criteria, i.e. the deliverables needed to deliver the required system, must also be stated in this phase. The organisation and quality management should be established together with a validation plan and a change control procedure. RAMS-related tasks in this phase cover:
- Define overall RAMS requirements.
- Define overall RAMS acceptance criteria.
- Establish RAMS programme and management.

Apportionment of system requirements

This phase should specify sub-system and component requirements and define their acceptance criteria. RAMS-related tasks in this phase cover:
- Establish sub-system safety requirements and acceptance criteria.
- Update system safety plan.

Design and implementation

After the system has been clearly defined in the earlier stages of the project, this phase should cover the execution of the planning for the design and development of the system. It also includes performing verification and validation processes. RAMS-related tasks in this phase cover:
- Implement RAMS programme.
- Assessment/verification/validation of:
  - Risk analysis.
  - RAM parameters.
- Prepare generic safety case.

2.5 Measuring and evaluation of risk

The intention of a risk assessment is to provide input into a decision-making process. This decision may relate to the introduction of new technology or new applications of a system, especially related to its safety. Important steps in the process consist of defining what to measure and how to evaluate it. The measurement and evaluation of risk will in the end determine what information we can extract from the risk analysis process. Risk is in a sense the unit that is to be handled, and a measure of it can indicate the performance of the applied safety management and technology.

Measuring risk is not a straightforward process. There exists no tangible measuring device, as there is, e.g., when measuring the concentration of lactate in a clinical exercise test. To be able to measure risk it is necessary to provide a quantity (i.e. an indicator) that can say something about the level of risk. Note the distinction between a risk indicator (saying something about future events) and a safety performance indicator (saying something about past events).

The safety of people is, as mentioned earlier, the highest priority in a safety engineering process. Risk to people can according to Rausand (2011) be divided into two main categories, i.e. individual risk and group risk. Individual risk is related to the statistical life of a person that has some specified relationship to a hazard, or an especially critical position in relation to a technical system. This could for example be a train driver. Group risk (often called societal risk) considers the risk for a group as a whole (for instance the passengers of a train). Potential loss of lives is a commonly used measure of group risk. This measure does not distinguish between one major accident and many small accidents with the same loss of lives. The risk acceptance criteria is a measure used to compare the outcome of a risk analysis.
It can be defined in both a quantitative and a qualitative way. An example of a qualitative criterion is the ALARP principle, while quantitative criteria are often given as probability rates. Safety integrity is by Rausand (2011, p. 380) defined as the probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a specified period of time. The safety integrity is by IEC defined in four levels of probability of failure on demand (PFD) and probability of dangerous failures per hour (PFH). Together with the quantitative measures of PFD and PFH, qualitative requirements are also set out to align with them. They relate to qualitative requirements for system design and life-cycle phases and activities. Together they determine which SIL a safety system is at.

2.6 Verification, Validation and Assessment

Activities related to verification, validation and assessment of safety can be interpreted somewhat differently between organizations within the industries. It can therefore be convenient to clarify this, in order to understand the roles related to such activities in the offshore industry. ISO and the Petroleum State Authority have their interpretation, while IEC has a different approach. Figure 2.5 from NOG (2004) clarifies these interpretations. However, this comparison is mainly based on IEC 61508/61511 compared to EN 50126, so IEC's definition will be used further in this analysis.

Figure 2.5: Interpretations of verification, validation and assessment according to IEC and ISO (NOG, 2004).

Verification implies independent checks in relation to each phase of the life cycle. The activities related to verification of the safety system aim at demonstrating that the deliverables meet the requirements and objectives of the system. The verification plan should include the following items, based on the recommendations in NOG (2004) and IEC (2002):
- Items to be verified.
- Procedures to be used for the verification.
- When the verification should take place.
- Those responsible for the verification, including their independence.
- The requirements that the verification should be done against.
- How non-conformities and deviations should be handled.

Validation is by IEC defined quite similarly to verification. The difference lies in that validation is more connected to the overall confirmation of the system over several phases in the life cycle. Related to the design phase specifically, a SIS requirement validation is to be performed after the design phase. The design should be checked against the Safety Requirement Specification. This is a validation after all the sub-phases of the design phase are accomplished. A similar validation is done after the installation and completion of the system.

Functional safety assessment (FSA) is the activity of performing independent audits at predefined stages during the life cycle. The level of independence required of the assessment personnel is stated in IEC (2010, p. 52), and in practice means that the personnel performing it should not be among those designing what is to be assessed. The extent of the FSA is connected to size and complexity, duration, SIL, consequences and standardisation of the design features used. IEC states two stages where the FSA should be performed during the design phase:
1. After the hazard identification and risk assessment have been performed, and the safety requirement specification has been established.
2. After the safety instrumented system (SIS) has been designed.

It is the functional safety assessment that ensures the quality of the safety requirement specification (SRS). The SRS is a document established in the design phase of a system and maintained throughout its life cycle. It is hence an important and central piece of evidence to evaluate in an FSA process.

2.7 The Risk Analysis Process

Safety engineering deals with the challenge of foreseeing and discovering what might go wrong with a technical system in the future, so that actions can be taken to prevent or mitigate the potential hazards and consequences of an unwanted event. The core activity of the work done in a safety engineering process is the risk analysis. An important key in safety engineering is that all analysis should be made in relation to some decision-making. Unless the analysis and decision-making are linked, the analysis just stands as some separate, less productive work. Risk management is the continuous process of identifying, evaluating and implementing measures to ensure that risks are controlled in a manner that assures the safety of assets, e.g. people, material or the environment. An overview of the relations between these tasks can be viewed in Figure 2.6.

Figure 2.6: Risk management overview. Source: Adapted from Rausand (2011).

The risk analysis process is about investigating what can interrupt the normal operation of a technical system. It aims at identifying hazards which can initiate accident scenarios with the potential of release of energy, which in turn can lead to severe consequences involving casualties, environmental impacts or material damage. The wanted outcome of a risk analysis is to establish a risk picture, i.e. the possible hazardous events and the related consequences and the probabilities of them happening.
The bow-tie diagram (see Figure 2.7) illustrates the risk picture and the chronological process of analysing risks in a technical system (going left to right in the diagram). It represents the connection between initiating events, their causes (i.e. hazardous events) and ultimately their consequences. In between these elements, the safety barriers designated to each hazardous event are illustrated on the event line. A complete route from an initiating event to the consequences at the end illustrates an accident scenario.

Figure 2.7: Bow-tie diagram. Source: Adapted from Rausand (2011).

Hazard Identification

The first step in a risk analysis is to identify possible hazards and hazardous events that are of relevance to the system. Hazards should be described in a manner that makes their form, quantity and occurrence obvious. Conditions leading to the occurrence of the identified hazards should also be in focus, so that actions can be taken to prevent them from happening. There are various approaches to hazard identification. One approach is to identify failure modes through a Failure Modes, Effects and Criticality Analysis (FMECA) and assess the effects of the failure modes on the system. The process is performed by going component by component to identify the failure modes of defined system nodes, and the resulting effects on the complete system. A Hazard and Operability Study (HAZOP) is a brainstorming process performed by a group of selected professionals who aim at detecting possible system deviations which may prevent the system from performing its required functions. The process is performed in meetings where guide-words are used as beacons to identify possible deviations in the system. What these methods have in common is that they work as a framework for the identification of hazards. However, the real power of the work lies in the knowledge and dedication of the expert group. The group should consist of experts from different disciplines, so that they cover the necessary knowledge about design, operation and maintenance of the system. The HAZOP leader should have extensive knowledge about the risk analysis process, but also be familiar with the technical aspects of the system. The experience of the HAZOP leader is crucial, and he or she should have a separate role in order to be able to focus on leading the group towards the objectives of the meeting.

2.7.2 Causal Analysis

The objective of a causal analysis is to connect the hazardous events with the causes behind them. This provides a basis for saying something about the possibility of the occurrence of a hazardous event, i.e. its frequency. To efficiently evaluate every hazardous event, a description of cause categories and sub-categories should be established. The causes and effects of an event can typically be structured in a fish-bone diagram. Establishing this diagram has a value in itself by increasing knowledge about the extent of the system and its causes of failures. When progressing in the causal analysis it can be useful to make use of logic diagrams and other graphical tools. Some of these tools are described in section.

Accident Scenarios

When the hazard(s) have been identified and their frequencies determined, it is time to sum up the work, i.e. establishing the risk picture and consequence spectrum. An accident scenario can be seen as a pathway from a hazard to an asset via a hazardous event. When the sequence of events has been established, options for safety barriers can be taken into consideration. This is to stop or mitigate the undesired consequences. An event tree representation is one of the most common ways of developing accident scenarios, and of analysing the effects of influence from barriers or actions taken along the way. Consequence modelling is about quantifying the effects of end events, to see what kind of impact they may have on the assets. It can be beneficial to be able to categorize the end events, or to determine the mode of transmission to the assets, which a modelling technique like this is capable of.

Accident models

Rausand (2011) states that accident models are simplified representations of accidents that have already occurred or might occur in real life. The simplest models are based on pure technical failures. Modern and advanced accident models include individual (human), societal, organisational and environmental factors in addition to the technological side. There is a vast number of different types of accident models linked to different causal factors. The two most prominent for this study are the energy and barrier models and the event sequence models. Characteristics of these types of models will be presented briefly in this section. Analysis approaches like LOPA, event tree and fault tree will be described further in section.

The energy and barrier models focus on dangerous energy, and how it can be separated from the assets it has the potential to hurt. They have a simple basic idea built around the three elements listed below, and how the pathways between them influence their relationships. These elements are:
- Energy sources
- Barriers
- Assets

A barrier analysis is closely connected to such a modelling scheme, identifying the effects of safety measures included in the models. These kinds of analyses include:
- Energy flow and barrier analysis (EFBA)
- Layer of protection analysis (LOPA)
- Barrier and operational risk analysis (BORA)

The event sequence models describe accidents as a sequence of discrete events happening in a particular order. These models are characterized by their simple graphical representations and include analyses like the event tree and fault tree. The LOPA analysis is also relevant to these kinds of models.

Relevant methods for analysis of technical systems

This section will present a number of central analysis methods and graphical tools, which are often referred to as common or recommended practices in the analysis of safety aspects of technical systems. They represent different approaches to producing system breakdown structures, so that system nodes and the relationships between them can be analysed.

FMECA

The failure modes, effects and criticality analysis (FMECA) is a systematic approach to the failure analysis of a technical system. The method has a simple approach, carried out by investigating failure modes and their causes and effects on the system. The method is highly relevant in pure safety risk analysis as well as in reliability analysis, which is its original application (Rausand, 2011). An FMECA can typically be arranged according to an FMECA worksheet with the following main content:
- Description of unit (including function and operational mode).
- Description of failure (failure mode, cause and detection of failure).
- Effect of failure (on sub-systems and their function).
- Risk picture (frequency, severity, detectability, RPN, risk reducing measure).

Central in the FMECA is the system breakdown structure, which divides the system into sub-systems and components. Also central in this work are the descriptions of system functions, operational modes and interrelations between systems. The FMECA is typically performed at component level (i.e. items at the lowest level), but is also applicable at sub-system level (Rausand, 2011). The FMECA is typically performed by a study team, and hence depends on the experience of the team performing it. It gives a comprehensive review of the system, and is adaptable with respect to the depth of different system parts. As its focus is on single faults, the method is weak in finding common cause failures.

Layer of protection analysis (LOPA)

Layer of protection analysis (LOPA) is a semi-quantitative method for deciding whether existing safety barriers are adequate, or if additional barriers need to be implemented. It is typically used for allocation of SIL requirements to safety instrumented functions. LOPA is an analysis of individual accident scenarios. The semi-quantitative analysis usually only addresses the probabilities of failure on demand by their order of magnitude. The analysis addresses whether the risk of an accident scenario is acceptable or not, by analysing the risk reduction possible by the independent protection layers (i.e. safety barriers working independently of the initiating event and of actions by other barriers). If the LOPA shows that additional risk reduction is needed, the SIL connected to the new protection layer can be determined directly from the risk reduction the LOPA suggests.
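The LOPA procedure just described, the event tree development from the accident scenario section, and the SIL bands from section 2.5 worked through in one script. This is an added example, not code from the thesis; the scenario (a separator losing pressure control), the initiating event frequency, the protection layers with their PFD values and the tolerable frequency are all constructed, while the PFD bands per SIL are those of IEC 61508/61511 for low-demand mode.

```python
from math import prod

# Low-demand SIL bands from IEC 61508/61511: (SIL, PFD_avg lower bound, upper bound).
# A PFD_avg in [lower, upper) corresponds to that SIL.
SIL_PFD_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

# Constructed scenario (not from the thesis): loss of pressure control in a separator.
INITIATING_EVENT_FREQ = 0.1          # demands per year (constructed)
IPLS = [                             # independent protection layers, in the order challenged
    ("Operator response to high-pressure alarm", 0.1),   # PFD_avg, constructed
    ("Pressure safety valve (PSV)", 0.01),               # PFD_avg, constructed
]
TOLERABLE_FREQ = 2e-6                # per year, constructed risk acceptance criterion


def event_tree(initiating_freq, ipls):
    """Develop the accident scenario as an event tree.

    Each layer is a true/false split: if it works the sequence ends in a
    controlled state, if it fails the next layer is challenged. Returns the
    end events with their frequencies; they sum to the initiating frequency.
    """
    outcomes = []
    freq = initiating_freq
    for name, pfd in ipls:
        outcomes.append((f"controlled by: {name}", freq * (1 - pfd)))
        freq *= pfd                      # continue along the "layer fails" branch
    outcomes.append(("consequence (all layers fail)", freq))
    return outcomes


def sil_for_pfd(required_pfd):
    """Map a required PFD_avg to a SIL. Returns 0 when the needed risk
    reduction is below 10, i.e. no SIL-rated function is required."""
    if required_pfd >= 0.1:
        return 0
    for sil, lower, upper in SIL_PFD_BANDS:
        if lower <= required_pfd < upper:
            return sil
    raise ValueError("required PFD is below the SIL 4 band; one SIF cannot provide it")


def lopa(initiating_freq, ipls, tolerable_freq):
    """Semi-quantitative LOPA for one accident scenario.

    The mitigated frequency is the frequency of the event-tree path on which
    every IPL fails. If it exceeds the tolerable frequency, the ratio is the
    risk reduction factor (RRF) a new SIF must provide, and 1/RRF its PFD_avg.
    """
    mitigated = initiating_freq * prod(pfd for _, pfd in ipls)
    if mitigated <= tolerable_freq:
        return {"mitigated_freq": mitigated, "adequate": True,
                "required_rrf": 1.0, "required_pfd": None, "sil": 0}
    rrf = mitigated / tolerable_freq
    required_pfd = 1.0 / rrf
    return {"mitigated_freq": mitigated, "adequate": False,
            "required_rrf": rrf, "required_pfd": required_pfd,
            "sil": sil_for_pfd(required_pfd)}


if __name__ == "__main__":
    for label, f in event_tree(INITIATING_EVENT_FREQ, IPLS):
        print(f"{f:9.2e} /yr  {label}")
    print(lopa(INITIATING_EVENT_FREQ, IPLS, TOLERABLE_FREQ))
```

For the constructed numbers the unmitigated path is 1e-4 per year against a target of 2e-6, so the gap of a factor 50 asks for a SIF with PFD_avg 0.02, i.e. SIL 1.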

Fault tree analysis

A fault tree diagram describes a top event (what, when and where), and the relation between it and a set of basic events. It is a binary tool where the events either occur or not. The relationships between the events are typically represented by logic AND and OR gates. An example can be viewed in Figure 2.8.

Figure 2.8: A simple example of a fault tree diagram. Source: Adapted from Rausand (2011).
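A small fault tree evaluator, added here as an example and not code from the thesis: it generates the minimal cut sets of a tree built from AND/OR gates, computes the top event probability exactly and with the rare-event approximation, and ranks the cut sets. The tree (overpressure protection with a PSV and a 1oo2 sensor SIS) and all basic-event probabilities are constructed; the SENSOR_CCF event shows how a common cause failure of the kind discussed in section 2.3 enters a tree as a single basic event that bypasses redundancy.

```python
from itertools import product
from math import prod

# Constructed fault tree (not the thesis's Figure 2.8). Gates map to (type, children);
# any name not in the dict is a basic event. No basic event appears twice, so the
# gate-by-gate probability calculation below is exact for independent events.
TREE = {
    "TOP":              ("AND", ["PSV_FAILS", "SIS_FAILS"]),      # overpressure unprotected
    "SIS_FAILS":        ("OR",  ["SENSORS_FAIL", "LOGIC_FAILS", "VALVE_FAILS"]),
    "SENSORS_FAIL":     ("OR",  ["BOTH_INDEPENDENT", "SENSOR_CCF"]),   # 1oo2 sensors
    "BOTH_INDEPENDENT": ("AND", ["SENSOR_1", "SENSOR_2"]),
}

# Constructed basic-event probabilities (PFD_avg-like numbers). SENSOR_CCF is the
# common cause share of the sensor failures, modelled beta-factor style.
PROB = {
    "PSV_FAILS": 1e-2, "LOGIC_FAILS": 1e-3, "VALVE_FAILS": 2e-2,
    "SENSOR_1": 5e-3, "SENSOR_2": 5e-3, "SENSOR_CCF": 5e-4,
}


def is_basic(node):
    return node not in TREE


def minimise(cut_sets):
    """Drop every cut set that is a superset of another, keeping the minimal ones."""
    unique = set(cut_sets)
    return sorted((s for s in unique if not any(o < s for o in unique)),
                  key=lambda s: (len(s), sorted(s)))


def minimal_cut_sets(node):
    """Top-down cut set generation (the idea behind the MOCUS algorithm)."""
    if is_basic(node):
        return [frozenset([node])]
    gate, children = TREE[node]
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":            # any child's cut set fails the gate
        combined = [cs for sets in child_sets for cs in sets]
    else:                       # AND: one cut set from every child, unioned
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    return minimise(combined)


def probability(node, prob=PROB):
    """Exact top-event probability by evaluating the gates bottom-up."""
    if is_basic(node):
        return prob[node]
    gate, children = TREE[node]
    q = [probability(c, prob) for c in children]
    return prod(q) if gate == "AND" else 1 - prod(1 - x for x in q)


def rare_event_approximation(node, prob=PROB):
    """Upper bound on the top-event probability: sum of the cut set probabilities."""
    return sum(prod(prob[e] for e in cs) for cs in minimal_cut_sets(node))


def ranked_cut_sets(node, prob=PROB):
    """Minimal cut sets with their probability, largest contributor first."""
    ranked = [(cs, prod(prob[e] for e in cs)) for cs in minimal_cut_sets(node)]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(f"P(TOP) exact      = {probability('TOP'):.4e}")
    print(f"P(TOP) rare-event = {rare_event_approximation('TOP'):.4e}")
    for cs, p in ranked_cut_sets("TOP"):
        print(f"{p:.2e}  {sorted(cs)}")
```

With these numbers the cut set {PSV_FAILS, SENSOR_CCF} contributes 5e-6, twenty times more than the independent double sensor failure {PSV_FAILS, SENSOR_1, SENSOR_2}, which is the weak point a CCF assessment is meant to expose.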

Event tree

The event tree, as in Figure 2.9, is a typical way to describe the development of an accident scenario. Going from an initiating hazardous event, a number of subsequent events describe how the system will react. The sequence will result in a number of end events, describing the whole range of identified outcomes, based on the outcome of each intermediate event. The intermediate events represent a statement of a situation that might occur in the system. A well designed system has identified suitable barriers at each critical event in order to stop and mitigate the accident scenario from developing. The split in the event tree at each critical event represents a true or false statement. Knowing the probability of the outcome of each intermediate event, the probability for each accident scenario, i.e. the pathway through the event tree, is known. The statement of the event is as a rule always defined as a negative statement, i.e. the component fails.

Figure 2.9: A simple example of an event tree diagram. Source: Adapted from Rausand (2011).

Bayesian network

A Bayesian network is a graphical description of the risk influencing factors (RIF) that affect the system, which may result in a hazardous event. The main objective of a Bayesian network is to describe the relationship between factors of different types and how their networks influence the hazardous event. The network is built up of nodes, and the relations between them indicate the direct influences. The nodes describe a state or a condition. A technical system can e.g. be influenced by organisational, technical and human factors represented by the nodes. See Figure 2.10 for a simple example. The nodes can represent numerous types of variables, from a numerical quantity to a hypothesis. A node can also be represented by a random variable with a distribution. The value of the random variable is called the state of the factor it is representing. The more states a random variable can take, the more complex the computation will be. A Bayesian network can work in the same way as a fault tree, but is more flexible. It does not rely solely on binary representations, and is better suited for probability updating. A fault tree can be translated into a Bayesian network, but the transformation does not necessarily work in the other direction. The Bayesian network is also better suited for abductive reasoning (i.e. going from observation to theory, seeking the simplest and most likely explanation (Wikipedia, 2016a)) and handling of uncertainty. This makes it a more powerful tool for the design and evaluation of safety measures (Khakzad, 2011).

Figure 2.10: A simple example of a Bayesian network. Source: Adapted from Rausand (2011).
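The probability updating and abductive use of a Bayesian network described above, as an added example (not the thesis's Figure 2.10 nor code from the thesis). The network of organisational, technical and human risk influencing factors feeding a hazardous event, and every conditional probability in it, is constructed; the same query function answers both the forward question (how likely is the event) and the backward one (how much more likely is poor maintenance once the event has been observed).

```python
from itertools import product

# Constructed network of risk influencing factors (not the thesis's Figure 2.10).
# Every node is binary (True = the condition holds). Each entry gives the node's
# parents and a CPT mapping the parents' values (in parent order) to P(node = True).
NETWORK = {
    "maintenance_poor":   ([], {(): 0.2}),                        # organisational RIF
    "operator_error":     ([], {(): 0.1}),                        # human RIF
    "component_degraded": (["maintenance_poor"],                  # technical RIF
                           {(True,): 0.3, (False,): 0.05}),
    "hazardous_event":    (["component_degraded", "operator_error"],
                           {(True, True): 0.5, (True, False): 0.1,
                            (False, True): 0.05, (False, False): 0.001}),
}


def joint_probability(assignment, network=NETWORK):
    """P(full assignment) = product over nodes of P(node | its parents)."""
    p = 1.0
    for node, (parents, cpt) in network.items():
        p_true = cpt[tuple(assignment[par] for par in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def query(target, evidence=None, network=NETWORK):
    """P(target = True | evidence) by exhaustive enumeration of the joint.

    Used forwards it predicts the hazardous event from the RIFs; used backwards
    (evidence on the event) it updates the belief in a RIF, which is the
    abductive direction a fault tree cannot offer. Fine for small networks.
    """
    evidence = evidence or {}
    names = list(network)
    numerator = denominator = 0.0
    for values in product([True, False], repeat=len(names)):
        assignment = dict(zip(names, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue
        p = joint_probability(assignment, network)
        denominator += p
        if assignment[target]:
            numerator += p
    return numerator / denominator


if __name__ == "__main__":
    print("P(hazardous event)              =", query("hazardous_event"))
    print("P(poor maintenance)             =", query("maintenance_poor"))
    print("P(poor maintenance | event)     =",
          query("maintenance_poor", {"hazardous_event": True}))
    print("P(event | maintenance improved) =",
          query("hazardous_event", {"maintenance_poor": False}))
```

Observing the hazardous event raises the belief in poor maintenance from 0.2 to about 0.48, and fixing maintenance (evidence maintenance_poor = False) lowers the event probability from 0.01931 to 0.012605, which is the kind of safety-measure evaluation the text refers to.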

Chapter 3 Applications in the industries

3.1 About the industry applications

This chapter will provide a brief overview of some of the technology present in the two industries and try to address the applications of safety engineering. The risk assessment process is addressed thoroughly in other chapters of this study. The main objective here is to look closer into some of the technology and concepts which are important to understand in a safety context. A brief description of hazards and other safety-related challenges will also be presented.

3.2 Offshore technology and safety applications

Offshore oil and gas production has the potential to cause severe damage to the environment and to operational personnel. Large quantities of energy in confined spaces, handled at remote locations with challenging evacuation possibilities, are the reality in the offshore industry (Kjellén, 2007). Transport from shore to facilities, production in close connection to living quarters, and the significant weather impact are other specific challenges related to the safety of the industry. The development of risk and safety management has been closely related to major accidents within the industry. Risk assessments in the offshore oil and gas industry were first used in the Norwegian sector of the North Sea after the Bravo blow-out at the Ekofisk field in 1977 and the capsizing of the semi-submersible platform Alexander Kielland in 1980 (Rausand, 2011, p. 526). The offshore industry has since then been an important contributor to risk assessment theory.

Offshore technical system

Offshore oil and gas systems can according to PetroWiki (2015) be divided into three main areas relating to the operations, namely drilling, production and disposal. Drilling involves exploration work, including moving rigs between locations within relatively short periods of time. Drilling often involves a larger number of vessels operating than a steady production situation, which has major implications for the emergency procedures.

32 A production situation tends to be a more steady state environment. The offshore oil and gas production have many similarities with the process industry onshore. What differs is that the process is somehow simpler, and consist mainly of the separation of oil and gas from water and unwanted particles. Pipelines sub seas are the most common practice when it comes to transportation of crude oil and gas from offshore installations to onshore facilities - if the field is not too remote. Pipelines are an expensive part of offshore infrastructure, but is often the safest and most economical way of transporting oil and gas to shore. A pipeline dramatically increase the geographical scope of an offshore facility, and safety concerns related to seismic risks, corrosion and interference with other marine activities are obvious concerns (NRA, 1994) Offshore hazards The process of extracting oil and gas under high pressure involves hazards related to fire and explosion, with major accident potential. The control of the process hazards is therefore the major concern in the offshore industry. Another important aspect related to major-accident prevention is the offshore structure stability and the risk for capsizing, maybe most famously exemplified by the Alexander Kielland Accident in A list of typical offshore-related major accidents are given in Table 3.1. Table 3.1: Examples of offshore major accidents. Source: given by Table 1 in Wintle (2008) Major hazard Hydrocarbon (HC) leaks Fire and explosion (as aconsequence of HC leak) Dropped objects Structural collapse of topsides or topside equipment Failure of evacuation, escape and rescue (EER) systems Human factors (eg. In managament, operations or maintenance) Consequence Shut down, loss of production, fire and/or explosion, asphyxiaton. Reduced safety of personnel, damage to equipment, loss of production, structural failure, collapse, escalation. 
Rupture of vessels and pipework leading to HC leaks etc., endangering personnel. Damage to safety critical systems. Damage to safety critical systems, pipe rupture, HC leaks, loss of escape and rescue capability and routes. Risk to safety of personnel following an event. Increased risk of other major hazards. Besides the hazards related to major-accidents, the occupational hazards related to the workplace is a major contributor to the risk picture offshore. Vinnem (2007) mentions persons being hit or crushed by moving objects and helicopter accidents related to both transportation and maintenance offshore, as the most prominent causes of fatalities. Looking at the Norwegian Continental Shelf, occupational accidents have happen regularly over the years, while the last fatal accident related to the release of hydrocarbon happened in 1985 (Vinnem, 2007). Sutton (2014) summarises the following list of offshore safety issues, which have the potential of causing severe accidents offshore; Congestion Escape in an emergency Ignition sources Persons on board Extreme weather Blow-outs Hydrogen sulphide Dropped objects 31

33 Helicopter operations Ship collisions An offshore platform is a congested facility, hence leading to problems with escaping easily from hazardous areas, and in an event of ignition it is difficult to isolate the source. The workers on an offshore platform need to both work and live on the facility, making them exposed to potential hazards at all times when on duty. The remote location of an offshore platform naturally leads to traffic to the facility, where both helicopter operations and the presence of ships are potential hazards. The offshore environment can be harsh, making the weather a prominent source of danger with capsizing of the platform as probably the most severe case of accident. Danger in form of large waves have also lead to fatal outcomes, as recent as in December 2015 at COSLInnovator on the Troll-field in the North Sea. One of the more recent, and in fact one of the worst offshore disasters of all time, is the Deepwater Horizon accident. The disaster exemplifies the potential catastrophic environmental effects of an offshore oil and gas accident. Fire and explosions (fed by hydrocarbons from the well) made the rig sink after 36 hours. This resulted in the loss of 11 lives. The uncontrolled flow of hydrocarbons through the wellbore and malfunctioning blow-out preventer continued for 87 days causing the worst oil spill in offshore history (BP, 2010). A total of 3.19 million barrel equivalents of oil leaked into the Gulf of Mexico leading to severe damages to the ecosystem. Over 1000 miles of shore between Texas and Florida were impacted (OceanPortal, 2016) Use of safety barrier concept Ptil (2013) points out that the correct interpretations of the terms of safety barriers, elements and functions are important for the understanding of the regulatory framework connected to the management and the requirements of them. 
They state that:

A safety barrier is a technical, operational or organisational element that shall reduce the possibility of the occurrence of specific failures, hazards and accidents.
A safety barrier element is a technical, operational or organisational measure or solution included in the realisation of a safety barrier function.
A safety barrier function refers to the task of the safety barrier, i.e. to prevent an ignition, reduce the fire load, or secure an acceptable evacuation.

One of the requirements related to safety barrier elements is that it should be possible to connect them to certain performance requirements, which in turn should be possible to verify. Measures on which it is not possible to put verifiable requirements are thus not safety barrier elements. Measures related to safety culture are an example of this.

Development leading to new challenges in the offshore industry

The future of the offshore oil and gas industry is filled with challenges. Finding new and unexplored reservoirs leads to new challenges and risks. Remote areas and complex reservoirs make future production more complicated. Exploration in sensitive areas also expands the risks that need to be assessed and managed (DNV-GL, 2015). The most highlighted future challenge is related to deep-water exploration. It brings increasing complexity and tighter couplings to the system, leading to increasing risks and concerns for safety (Drillscience, 2012). In other words, it becomes more difficult to foresee and predict future events, and it increases the degree to which we cannot stop an impending disaster once it starts. Increasing depth keeps pushing the demands, moving the temperature and pressure frontiers. These conditions make well control more complicated, and will also lead to longer response times. This will affect different safety systems (e.g. blow-out prevention equipment). On the other side of the future challenges you find the ageing of offshore installations. This is highly relevant on the Norwegian Continental Shelf, where several fixed platforms are reaching their design life. Many of these platforms undergo life extension, which includes certain processes and criteria to keep the safety integrity at the required level (Wintle, 2008).

3.3 Railway technology and safety applications

The railway system is, by the nature of its function, a system that is closely connected with the community. It operates close to people and is part of the logistics chain. Safety and reliability are two attributes that are central to the system and its desired function. The goal of the railway system is to offer safe and reliable transportation of people and goods. Railway safety has always been of interest to the public, but active risk assessment in the industry is relatively young (Rausand, 2011, p. 532). Safety has always been a major driver for the railway industry, but the holistic application of RAMS is relatively new in Norway. The booklet Slik fungerer jernbanen, JBV (2012), is recommended as a comprehensive guide on how the railway system in Norway works.

Technical system

The railway system comprises five main elements. They can be divided into electro-technical and infrastructural sub-systems.

Electro-technical systems:
Signalling
Telecommunication
Power supply

Infrastructural systems:
Superstructure
Substructure

The quality of the railway system naturally depends on all its components, including the track standard, the performance of the rolling stock and, last but not least, the quality of the electro-technical architecture. The signalling system ensures safe train operation and an optimized utilization of the capacity of the railway, by providing a train control function (Froidh, 2011).
The signalling system will be further explained in the next section. The telecommunication system ensures the necessary communication for the train operation and all technical architecture related to it. The mobile GSM-R network is an essential part of it, providing full coverage of the railway network, including tunnels. In relation to the signalling system, it provides the communication for centralized traffic control, making it possible to operate the signalling system remotely. Most railways rely on electrical power supply. This implies a need for a continuous power supply along the line, usually provided through an overhead line connecting the electrical feeder stations with the trains. The contact wire is constructed in a zig-zag pattern to allow for even wear and to maintain good dynamic characteristics. The electrical architecture is constantly watched by automatic protection relays to avoid failures and electrical short circuits. The substructure is the foundation providing a stable platform for the superstructure (i.e. track, sleepers and connectors), to obtain the required track performance. Geotechnical properties such as ballast, drainage and frost are also important elements in the safety considerations for the railway.

Signalling system

The signalling system is the sub-system with the strictest safety requirements. It is a fail-safe system, where the signals show stop if a failure is detected (which implies a train stop as well). The most important task of the signalling system is to ensure safe train operation. Apart from that, it makes it possible to utilize the maximum capacity of the railway. To support and supplement the main control system, both automatic train control (ATC) and centralized train control (CTC) are used to enhance the control and safety of the system. The railway being a track-bound system makes a train control function necessary, permitting the crossing or passing of trains on the same line simultaneously. This means that every train movement needs to be controlled and planned. The supervision and control of this is the main task of the signalling system. The principle of the train control system is that the track is organised into so-called blocks, where the dispatching of trains is entirely controlled by the signalling system. The blocks are adapted to fit the traffic conditions, meaning shorter blocks close to stations and longer blocks on undisturbed lines. A traditional signalling system physically consists of optical signals, track circuits and manual switches along the track, allowing for several levels of control of the trains moving through the blocks.
In addition, there are automatic control systems reacting if the driver of the train commits any errors in the train operation. Signals are sent through balises along the track, transmitting information regarding allowable speeds, and whether the train can move into a new block. The future sees increased collaboration across borders, with the introduction of the European Rail Traffic Management System (ERTMS) as a central element. This is a system where, basically, optical signals are substituted by a system on board the trains giving all the information needed regarding train control. The introduction of this new system needs to happen gradually, making it possible to operate the old system integrated with the new one.

Hazards and use of barrier concept

Train operation and capacity are two important concepts putting restrictions on the safety and availability of the railway product. These will briefly be put into context in this section. An important safety barrier principle is that no single fault should cause an accident. This principle ensures that the safety barriers provide the necessary depth of defence for the safety of the system. The capacity of a railway line depends on a number of elements. The number of tracks and the signalling system are the dimensioning elements of the infrastructure, along with the performance of the rolling stock and the train service provided by the operators. Traffic control and production planning are essential for the train operation. The nature of a track-bound transport system leads to a need for a train control function to allow for effective and safe train operation. It is the signalling system that provides this function to the railway. The vehicles (i.e. the trains) being track-bound obviously puts some restrictions on the train operation and the capacity. The necessity of trains moving on the same lines in both directions makes avoidance of collisions the most prominent safety issue. This is reflected in the top events stated by JBV, where avoidance of collisions is one of the main events to avoid and control. A recent accident exemplifying a head-on collision is the Bad Aibling accident in Germany. A total of 150 passengers were involved in the single-track accident, where 12 people died and 24 were seriously injured. The preliminary conclusions point towards serious human error at several levels. A train dispatcher (the person responsible for giving trains permission to enter a rail block) is accused of giving incorrect orders and, after realizing the error, also of mishandling the emergency procedure (Wikipedia, 2016b). SJT (2014) defines a safety barrier as a technical, operational, organisational or other planned measure with the intention of interrupting an identified undesirable event sequence. The single-fault principle is a central concept applied in the Norwegian railway industry. It implies that a single fault in the system shall not lead to an accident. The concept is closely tied to independence between barriers and the use of redundant systems. According to SJT (2014), a lack of systematic thinking and insufficient clarity about safety barriers are tendencies reported in connection with deficient use of them. Jernbaneverket (JBV) takes a set of defined top events as the basis for hazard identification in the risk analysis of a railway system. The top events are connected to basic events, as the main structure for the hazard identification. Other categorizations are also possible, but the top events stated in Table 3.2 are the ones given in the Safety Handbook of JBV.

Table 3.2: The stated top events for use in risk assessment. Source: Adapted from Erichsen (2015).

Top event: Covers the following single events
Derailment: Failure of rolling stock, superstructure or substructure, landslide, overspeed, derailment of dangerous goods
Collision train-train: Collision of a train with another train or other rolling stock
Collision train-object: Collision with different objects on open track or in tunnels: landslide, animals, larger rocks, buffer stops, road vehicles accidentally on the track
Fire: Fire in the train, along the track, in tunnel equipment, and other fires of importance for passengers and personnel
Passengers harmed at platform: Passengers harmed boarding or disembarking at straight or curved platforms, or crossing the track to a mid platform. Also includes persons falling out of doors at speed or harmed in the train
Persons harmed at transition point: In collision with trains or road vehicles at transition points
Persons harmed at track: Persons hit by a train along the track, or in contact with the power supply system

Development leading to new challenges

The future of railway systems poses several new challenges to handle. Higher demands regarding the quality of the product, and increased cooperation across borders, are two important drivers for future development projects. The integration of new and old technology, and the interaction between new and old lines, are some of the obstacles. The European Rail Traffic Management System (ERTMS) is the new European signalling system, with one of its main objectives being to ensure fast and efficient train operation across borders in Europe. The basic idea is that the optical signals along the railway line are replaced by systems on board the trains, containing all relevant information, such as line permissions and speeds. Another development area is high-speed train operation. This puts new demands on all railway sub-systems. When the speed increases to levels above 250 kph it introduces stricter demands on infrastructural elements such as:

the pathway of the line (i.e. curvature and incline)
stability of the substructure
power supply (more power and better transmission)
signalling system
etc.

From a construction point of view, upgrading and new building along old lines can lead to conflicts between construction work and the operation of trains. An important safety aspect is to ensure that the integration between new and old infrastructure is seamless. In this context it is important to keep track of the system boundaries and what safety challenges they pose to each other.
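The single-fault principle and the independence between barriers discussed in the hazards section above can be checked mechanically on a barrier model. The following is an added example written for this page, not material from the thesis, JBV or SJT: a small fault-tree evaluator that finds every component whose failure alone causes the top event (the order-1 minimal cut sets) and, for comparison, the minimal cut sets up to order two. The two designs, the component names and the gate structure are constructed for illustration; the point they make is that two "redundant" barriers which share an element are not independent, so the shared element becomes a single point of failure.

```python
"""Added example: single-fault check on a small barrier (fault-tree) model."""
from itertools import combinations
from typing import FrozenSet, List, Set, Tuple, Union

# A fault-tree node is either a basic event (component name, str) or a gate:
# ("AND", [children]) / ("OR", [children]).
Node = Union[str, Tuple[str, list]]


def occurs(node: Node, failed: Set[str]) -> bool:
    """True if the event represented by `node` occurs when exactly the
    components in `failed` have failed."""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    if gate == "AND":
        return all(occurs(c, failed) for c in children)
    if gate == "OR":
        return any(occurs(c, failed) for c in children)
    raise ValueError(f"unknown gate {gate!r}")


def components(node: Node) -> List[str]:
    """All basic events referenced by the tree, sorted and de-duplicated."""
    if isinstance(node, str):
        return [node]
    _, children = node
    return sorted({c for child in children for c in components(child)})


def single_point_failures(tree: Node) -> List[str]:
    """Components whose failure alone causes the top event (order-1 cut sets).
    An empty list means the design respects the single-fault principle."""
    return [c for c in components(tree) if occurs(tree, {c})]


def minimal_cut_sets(tree: Node, max_order: int = 2) -> List[FrozenSet[str]]:
    """Minimal combinations of failed components, up to `max_order` components,
    that cause the top event. Supersets of an already found cut set are skipped."""
    found: List[FrozenSet[str]] = []
    comps = components(tree)
    for order in range(1, max_order + 1):
        for combo in combinations(comps, order):
            cand = frozenset(combo)
            if any(known <= cand for known in found):
                continue  # contains a smaller cut set, so it is not minimal
            if occurs(tree, set(cand)):
                found.append(cand)
    return found


# Constructed top event: a conflicting movement authority is issued into an
# occupied block (dispatcher error OR interlocking fault OR wrong train
# detection) AND the on-board protection fails to stop the train.
# Design A: the interlocking and the on-board protection both rely on the
# same train-detection equipment, so the two barriers are not independent.
DESIGN_A: Node = ("AND", [
    ("OR", ["dispatcher_error", "interlock_logic", "shared_detection"]),
    ("OR", ["atc_logic", "shared_detection"]),
])
# Design B: each barrier has its own train-detection input.
DESIGN_B: Node = ("AND", [
    ("OR", ["dispatcher_error", "interlock_logic", "detection_a"]),
    ("OR", ["atc_logic", "detection_b"]),
])


if __name__ == "__main__":
    for name, tree in (("A", DESIGN_A), ("B", DESIGN_B)):
        print(f"design {name}: single-point failures = {single_point_failures(tree)}")
        for cut in minimal_cut_sets(tree):
            print("  minimal cut set:", sorted(cut))
```

Design A reports `shared_detection` as a single point of failure and only three minimal cut sets, because every combination containing the shared element is already covered by it; design B has no order-1 cut set and six order-2 cut sets, which is what the single-fault principle asks for. In a real hazard analysis the basic events would come from the hazard log and the gate structure from the system description, but the check itself is the same.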

Chapter 4 Method of comparison

4.1 Introduction to the method

This chapter describes the method of comparison and the steps used to address the research questions. The intention is to describe the general structure of the comparison study and to explain the different parts specifically. The structure of the argumentation follows an item-by-item argumentation according to Walk (1998). The introductory chapters put up a theoretical framework for the comparison. The standards EN 50126 and IEC 61508, for the generic safety processes, form the theoretical background. Being the regulatory framework, they have low practical use on their own. With this in mind, the guidelines and handbooks from JBV and NOG were used as support to help the understanding of how the standards are implemented within the industries. Chapter 2 is devoted to a generalised view of the theory. For a separate and comprehensive view of the industry standards, see Appendices A-C. The comparison study is two-fold. The first part relates to the study of the industry standards. A summary of the item-by-item comparison of the standards can be found in Chapter 5. The second part is a series of interviews conducted to tie the standards closer to their practical use. They were done with specialists out in the field, to support and better position the actual practices within the industries. An account of the impressions from these interviews is given in Chapter 6. The study aims at weighting the industries equally, but a certain direction is taken from the offshore industry towards the railway industry, due to the background of the study. A set of items was chosen to allow for a comparison of what is considered some of the most prominent aspects of the safety engineering processes. The items from the standards and from the interviews are slightly different. They overlap to a certain extent, while some items complement each other.
This is done to form a wider presentation of the different aspects of safety engineering in the industries. The following sub-sections further describe the content of the comparison analysis. The structure of this method chapter is inspired by Rudestam and Newton (2007).

4.2 Comparison of the standards

A set of items is used to compare the applications of the industries. They are chosen because of their central position within the subject. The items span both form and function (e.g. measures, requirements, documentation, management systems, roles and technical functions). The lowest common denominator is that they are all present in some of the standards. This can be taken as a sign of their relevance when describing the generic processes related to safety. The following items are highlighted based on the reasons mentioned above:

Safety management (process).
Design phase of the system life cycle.
Measuring risk.
Competence requirements.
Verification, validation and assessment roles.
Documentation.

The safety management process is intended to highlight the type of approach to safety engineering the industries are utilizing, i.e. the focus on different aspects of the field of safety engineering. The system life cycle puts up a framework for engineering processes related to safety. The focus of this study is the design phase. This item is seen as important for the structure of the safety processes, and hence important to evaluate. It is closely related to the management process, so the two will stand in close relation to each other. Risk is the measured unit in the context of safety engineering. How risk is measured therefore determines what information we get out of a risk analysis. This item will try to explain how risk is quantified and evaluated. Competence requirements are essential to ensure that the persons performing safety-related activities have a sufficient background to support the responsibility they are given. An engineer working with the safety of a technical system will need competence both in safety management processes and in the technical attributes of the system. Verification, validation and assessment are groups of tasks in the safety life cycle process. The roles connected to them are central in the safety life cycle, but the interpretation and definition of them can differ somewhat. A clear view of how they are used is seen as important for understanding the different activities in relation to each other. The documentation related to all reporting during the life cycle phases is comprehensive, and is believed to be an important factor in the work burden associated with safety management. It is therefore of interest to compare and see the extent of the documentation process.
It might also be interesting to highlight some of the most prominent safety documents, to see how the information is carried on in the organisations.

4.3 Interviews

The interviews aim at investigating the industries beyond the concepts of the regulatory frameworks. This includes looking into the practical engineering work of the industries, to see the connection between theory and practice in the industry applications. The interviews highlight the hands-on experience of specialists out in the field. The intention is to better position the use of the regulatory standards, and to give a view of what are considered important aspects of actual work practices. This is done by letting the specialists speak quite freely around certain topics, which are connected back to the standards and background theory of this analysis.

Participants

Two sets of interviews were performed. The main interviews were conducted with advisory engineers within Safetec, together with some external specialists. They are all relatively young (under 35 years of age), and their experience varied between two and seven years of working with safety engineering. The other set of interviews was performed with engineers at management level within the railway industry, who had made the transfer from the offshore to the railway industry. They are senior specialists with experience at management level from both industries. They were chosen to balance the relatively young group of main interviewees.

Procedures

A standard question sheet forms the framework of the interviews (see Appendix D). It was followed to the greatest extent possible, but the format of the interviews does not allow for a very strict interview process. The interviewees were allowed to answer quite freely, but the interview circulated around the standard questions. The questions were grouped as follows:

Industry specifics
Risk analysis
Implementation of the standards
Competence
Documentation
Communication and information flow
Transfer of competence

Taking notes with paper and pen was the preferred recording method. This was to let the interviewees talk as freely as possible. It was also stated prior to the interviews that they would be presented anonymously. All the data collected were analysed in a spreadsheet format. The information was grouped into sections in a matrix, to align the impressions from all the interviewees.

4.4 Delimitations

The study has an anecdotal approach, hence lacking some features needed to make it fully generalizable. The small and selected group of specialists makes it inevitable that personal opinions influence the data. The participants were chosen for convenience through Safetec. This was done because of the need for in-depth expertise within the field, and Safetec could provide this by making some employees available for the study. The method is however considered to support the qualitative investigation of this study. The format of the interviews was semi-structured. A set of predefined questions formed the basis of the interview, but the interviews were conducted in a way that allowed the participants to speak quite freely. This was done to utilize the knowledge of the specialists, based on their superior practical experience compared to the author.
The predefined questions were sent to the participants in advance so that they could prepare. It should be noted that the interviews tend to focus mostly on railway applications. This has to some extent to do with the participants' background and current working area, but it is also the author's perception that such a direction is most useful given the scope of the study. Since the study aims at highlighting the transfer from offshore to railway, it is most interesting to look at the end destination of the comparison.

Chapter 5 Results of comparison

5.1 Comparison of items from the generic industry standards

The following is a comparison of items from the generic standards EN 50126 (railway) and IEC 61508 (offshore). These can be considered the basis for the generic approaches implemented in the two industries. The standards are closely linked together, and EN 50126 can be seen as a customization of IEC 61508 (Sivertsen, 2014). This chapter describes the direct point-by-point comparison of the two industry standards. This is done on the basis of the comparison items described in Section 4.2. For a comprehensive and separate view of the industry applications, see Appendices A-C.

5.1.1 About the standards

EN 50126 has a focus on the organisational features of safety engineering. It has a system-oriented, risk-based approach (Vollan, 2015). This means that safety is considered based on the tolerable risk of a given system. It focuses on the activities in the life cycle phases needed in order to obtain functional safety and reliability. This is done by implementing proactive measures such as risk analysis, safety evidence and effective design techniques. IEC 61508 also uses a risk-based approach, to achieve functional safety of the safety instrumented systems. It emphasizes SIS design in relation to SIL and failure rates, i.e. a more quantitative approach. It is a generic standard common to several industries.

5.1.2 Management of safety

The offshore industry takes as its basis what is described as management of functional safety, whereas the railway relies on the implementation of RAMS management. These are the general approaches laying the foundation for the safety engineering processes in the industries. Both industries structure their safety management systems around the system life cycle. The railway RAMS management process should enable the control of RAMS-specific factors. EN 50126 presents a comprehensive list of factors which might influence the railway application.
The management activities of IEC 61508 focus on the activities needed so that the functional safety requirements are met. These activities should support the identification, design and maintenance of the SIL requirements connected to the safety instrumented systems.

Even if the standard IEC 61508 focuses on safety instrumented systems, the safety management should include all safety-related systems, including those based on other technologies. The standard sets up a framework which can be applied to safety systems based on other technologies as well, because of its generic design. IEC 61508 states that a concise plan should be established in order to address key safety activities, related to:

Ensuring that the competence of engineers who work with the safety system is adequate.
Ensuring that access control to the safety system is in place, e.g. through passwords and/or keys.
Ensuring that management-of-change procedures are available and applied.

The railway RAMS process should, according to EN 50126, support:

Definition of RAMS requirements.
Assessment and control of threats to RAMS.
Planning and implementation of RAMS tasks.
Achievement of compliance with RAMS requirements.
Ongoing monitoring, during the life cycle, of compliance.

EN 50126 ties the RAM and safety-specific tasks closer to the overall system life cycle, whereas IEC 61508 has a narrower approach. This is evident even within safety management, where the functional safety approach has a clear focus on E/E/PE safety instrumented systems. It appears that EN 50126 has a bigger focus on the organisational aspects of safety management, while IEC 61508 focuses more on technical safety in its approach to the generic processes. This is evident from the emphasis on SIS applications in the standard.

5.1.3 Life cycle design phase

The management of safety circles around the system life cycle in both industry standards. IEC 61508 takes as its basis the life cycle of the safety instrumented system, while EN 50126 has a somewhat more generic approach, connecting RAMS activities to the general project activities. The steps of the design life cycle, presented in Figure 5.1, are built on similar ground in both standards. This includes going from concept and system definition, via hazard and risk analysis, to creation of requirements and final planning and implementation.
Even if IEC 61508 focuses on the life cycle of the safety instrumented system, it correlates well with the EN 50126 life cycle. Looking closer at the tasks linked to each phase, one can see that IEC 61508 is a bit narrower and more specific, with its focus on SIS. It also has a closer connection to SIL-related tasks. The activities of EN 50126 cover more broadly, as shown by the comprehensive and complete list of RAMS activities given in relation to the overall project tasks; see Figure 9 of EN 50126. It also seems that past experience is emphasized more in this standard, looking at the tasks in the earlier phases of the life cycle.

Figure 5.1: The overall activities in the design life cycle phase of IEC 61508 and EN 50126. Source: Adapted from IEC 61508 and EN 50126.

5.1.4 Verification, validation and assessment

Both industry standards take as their basis a typical V-model, see Figure C.4. The activities related to verification, validation and assessment seem to be built on the same basis. Verifications are done between each activity. One can see it as a check between each phase vertically in the V-model. Validation activities are similar, but cover several phases. Validation is connected to the system acceptance and checks against the stated requirements of the system. It is worth mentioning that the main safety validation is done after the completion of the design and manufacturing phase. This is mentioned since this study mainly focuses on the design phase. Assessments are done by third-party investigators separated from the project. The roles and tasks are better specified in IEC 61508 for the offshore industry. It also seems to have a narrower approach. Assessment and validation activities are interpreted somewhat differently between IEC and ISO. ISO standards are not evaluated here, but a reference is made due to the prominence of ISO standards across several industries. ISO interprets validation in the same way that IEC interprets assessment, as described above. Both IEC 61508 and EN 50126 keep to the IEC definition, so the interpretations of the railway and offshore industries should be the same.

5.1.5 Measuring risk

The safety integrity level is prominent in both standards. The railway focuses on the organisational factors and the importance of documentation to reach the required SIL. Offshore seems to put more effort into the quantitative side of it, especially focusing on the probability of failure on demand (PFD) for the safety functions. However, it is emphasized that the minimum SIL requirements are only a part of the compliance with IEC 61508 (NOG, 2004). EN 50126 does not explicitly state the safety integrity level in relation to the failure probabilities of the railway systems. However, it refers directly to the generic correlation to failure probabilities stated in IEC 61508. In general one can say that EN 50126 focuses more on process-based compliance with a qualitative approach. IEC 61508 has on the other hand a clear quantitative approach.

5.1.6 Competence requirements

The generic competence requirements in the industry standards are to a great extent the same, but competence in the specific technology of each industry is required. This has much to do with them being stated in a general form, and with the generic level of these standards. Requirements regarding competence are reaffirmed in the system realisation process stated in EN 50126. Education and training, together with engineering competence, are central items in the management process connected to the system realisation. It is stated that all personnel with responsibilities within the RAMS management process shall be competent to discharge those responsibilities. A closer description of safety engineering experience or technical background is not given. IEC 61508 states that personnel working within the safety life cycle should have the appropriate competence within the technical system, including understanding of potential consequences, safety engineering methods and knowledge of safety regulatory requirements. Functional safety assessment, i.e. a third-party verification, is an activity that requires highly skilled personnel.
This is to reveal possible flaws and omissions in the system. To do so, the team needs experience within the assessment process and a diversity of competence (NOG, 2004). The competence requirements related to this role are emphasized in both industry standards.

5.1.7 Documentation

The industries both have their specific documents, ensuring that the processes are documented in a way that supports the assessment of the work performed. They also work as storage and distribution of information relevant for other parts of the project and its surroundings. The five key documents according to EN 50126 (Winther, 2012) are:

The Safety plan
The Hazard log
Risk analysis
Safety requirements
Safety case

The following key documents are extracted from IEC 61508:

Overall safety plan
Safety requirement specification (SRS)
Safety analysis report
Safety validation plan

IEC 61508 and EN 50126 both point out some documents as living documents. They are used actively throughout the life cycle of the system. The Safety Requirement Specification (IEC 61508) is used as a basis in the design phases, but also for follow-up later in the life cycle. It covers requirements for all safety functions, functional and operational conditions and constraints. EN 50126 highlights the use of the Hazard Log as a living document. It ties the safety requirements and the risk analysis together with the listed hazards existing for the application. As can be noted, these documents have somewhat different content. What they have in common is that they are maintained during the entire life cycle of the systems. This emphasizes that they are documents relevant for maintaining updated information regarding safety. Hence they are important for the distribution of safety information. The safety case is exclusive to the railway application. It acts as proof that the railway product is considered safe. It relates both to the technical safety of a product, and to the quality management and safety management.

5.2 Impressions from the industries

The intention of this section is to present the views of the interviewed specialists within the two fields. The focus is directed towards railway applications, so the offshore applications are not weighted equally. It presents the specialists' views on a selection of topics which are considered central to safety engineering. The topics give a practical view of the industry applications and a connection to the theory presented in Chapter 2.

5.2.1 Industry applications

The railway system is explained as having a linear event sequence, with few degrees of freedom.
The technology is not considered to contain very advanced aspects with respect to RAMS activities. However, it is mentioned that some basic understanding of railway technology is preferable. The single fault principle (Norwegian: enkeltfeilprinsippet) has a strong position within railway safety. It seems that this is a well anchored principle within the industry, putting an important focus on defence in depth within the safety applications. Based on the experience of engineers with a background from both industries, it is clear that offshore installations are considered somewhat more complex to work with, including more intricate event sequences to analyse from a safety point of view. Common cause failures are in this context a concept that is emphasized within the offshore industry. The interpretation of RAMS seems to be somewhat unclear. RAMS is often used as a term for safety, and it is unclear whether the processes of RAMS differ from a more pure safety process. The understanding of the RAMS concept is considered a potential obstacle when moving from offshore safety to railway safety, but it also seems that this confusion is present within the railway industry itself. The safety management system (Norwegian: Styringssystemet) of JBV is very central in the follow-up of the RAMS process. It is built on the basis of EN 50126, and if it is followed step by step, you are sure to be within the recommendations of the standards. This is mentioned as important so that you stay within the SIL requirements.

The typical role of a RAMS engineer is based around the establishment and follow-up of the RAMS plan, i.e. the overall planning of RAMS activities, including when and where in the process the different analyses are to be performed. The role of an offshore engineer circles around the same tasks, but a distinction is the stronger commitment to the validation of SIL requirements. This is related to the bigger focus on quantitative methods and the evaluation of them. The railway safety engineer is, on the other hand, more devoted to the assurance of organisational safety related measures in his or her work. Whereas the signalling system seems to be the most safety critical system in the railway industry, process safety seems to be the most prominent part of offshore safety. Compared to the railway industry, the offshore industry has a far bigger potential for environmental damage. It is still worth mentioning that humans are the most important amongst the assets.

5.2.2 Risk analysis

Qualitative methods dominate in railway, partially because quantitative methods have low value due to insufficient data. Quantitative methods, on the other hand, have a strong position within the offshore industry. This is due to the fact that forums and databases provide a good basis for a quantitative approach. Comprehensive amounts of data, such as failure rates etc., are available through providers such as the PDS industry books, SINTEF and TUV. This has resulted in reliable probabilistic models being developed in the industry over the years. Risk analysis in the railway industry is to a great extent based around brainstorming in group meetings. The defined top events are the foundation of the hazard identification process, with the RAMS management system (JBV-styringssystem) as a framework. The EU regulation for common safety methods for risk assessment (CSM-RA) is implemented in this system. The process is felt to be somewhat rigid, with few creative inputs outside the frame of the top events.
Due to the fact that the railway industry to a great extent relies on qualitative methods, the focus is noticeably on the process, and on the documentation of it. JBV handbooks dictate the methods of choice for analysing railway applications. There are two handbooks: one for safety and one for RAMS. The OLF (ed. note: NOG) guidelines serve the same purpose in the offshore industry. These guidelines are extensively used within the offshore industry. They include recommended practices and methods for performing risk analysis, and are a comprehensive but concise guide to the IEC standards. LOPA (Layer of protection analysis) is mentioned as a prominent risk analysis approach in the offshore industry. A typical task for the offshore safety engineer is to evaluate and assess the data used for verification against SIL requirements. In this context, it is important to look at the sources of the data. Generic data can be very conservative, while supplier data, on the other hand, tends to be a bit optimistic. The assessment of the data used for the different safety functions is therefore important for sufficient integrity, in order to reach the SIL requirements.

5.2.3 Implementations of the standards

Common to specialists from both fields is that the standards are not explicitly present in their daily work. The general impression is that they dictate the methods used in a detailed, but coarse form. However, their presence as foundations for the guidelines and safety management systems is obvious amongst the interviewees. The use of NOG (2004) is heavily emphasized as a guide to recommended practices in relation to IEC and offshore applications. The railway safety engineers have a similar relationship to the safety and RAMS handbooks of JBV.

5.2.4 Competence

The formal competence requirements are experienced as strict for both industries. They are formulated quite generally, but set requirements for both technical skills and experience with safety engineering. It is mentioned that the railway industry has very strict rules regarding competence, but the enforcement of them is looser because of a lack of qualified personnel. This results in adjustments in the compliance, which it is important to document. The technical complexity is experienced as high in the offshore industry, but it does not put restrictions on the ability to perform typical tasks such as SIL verifications. It is clear that there is no problem working as a safety engineer without deep technical competence in either of the industries. The role of the safety engineer is more based around utilizing the knowledge of the different technical specialists in the process. However, a technical background is preferred as it eases the work, and perhaps also increases the quality of the work done by the safety engineer. In railway applications it is mentioned that knowledge and understanding of the technology can be a factor which might raise your integrity as a RAMS engineer among specialists from other fields. What is also pointed out is the importance of documenting the formal competence of the study team participating in RAMS activities. This is important in relation to the SIL requirements.

5.2.5 Documentation

The RAMS documentation in the railway industry is in general felt to be quite extensive, and there is a perception that a lot of the documentation process is driven by compliance, and is not of practical use for the project execution. There is a lot of standard mandatory information which makes the essential part harder to grasp. A briefer approach with more use of references would be preferable, without all of the extensive mandatory content wrapped around it.
The hazard log is mentioned as an important living document throughout the project life cycle, and is felt to be important for information sharing and safety awareness. The counterpart in the offshore industry, which is also considered to be a living document, is the Safety Requirement Specification, even if it is more a tool for the design phase than for the operational phase.

5.2.6 Communication and information flow

Looking at the overall responsibility in typical railway construction projects, the RAMS leader together with the project leader communicates RAMS-related information to other relevant parts of the project. Communication is experienced as a great challenge in larger projects, which affects the effective communication of safety related material. The hazard log is also here mentioned as an important tool to ensure the flow of safety information throughout the organisation. The use of 3D models also contributes to safety awareness, especially for parts of the organisation somewhat distant from the RAMS process. The measures coming out of the risk analysis process are seen as the most important to pass on. It often happens that the scopes of different RAMS teams overlap for different railway sub-systems. It seems to be common practice that teams cooperate and share information from their own analyses if they cover others' scopes as well. This culture for sharing is limited to casual occasions, and the impression is not that it has been put into a system. A mode of speech of its own is mentioned as a communication challenge within the railway industry. The historical aspect of the industry is mentioned as a possible reason for it feeling a bit niche when coming from the outside. The work force being dominated by people with long experience might also contribute to the mode of speech. The general experience is that it can take some time to adapt to the technical terms of the railway subject. This might be emphasized for younger professionals entering the industry.

5.2.7 Transfer of competence

The general impression given is that an offshore background does not put any restrictions on working with safety processes in the railway industry. This is anchored in the common ways of performing safety analysis in both industries. It relates to the structure with study teams of technical experts led by a safety engineer. The essence for the safety engineer is to be experienced with the process in order to get the most out of the technical specialists when analysing the technical systems. A challenge pointed out is that offshore safety engineers might not be familiar with the RAMS concept and the accompanying standards. This view was partly contradicted by another statement saying that the concepts of RAMS and safety were not particularly settled in the railway industry, and that the terms were used somewhat interchangeably. It is clear that the offshore industry has developed some advantageous practices that are worth pointing out. The culture for sharing safety related information is well established between organisations in the industry. This is based around forums for sharing information such as failure rates and standardised systems that have been analysed. The well established use of a quantitative approach has resulted in a widespread and developed range of probabilistic models within the offshore industry. A reason for this being much more developed than in the railway industry relates back to the access to reliable data.

5.2.8 Trends

Some general trends are presented as they were pointed out during the interviews. They highlight some aspects of future development and the connection between the industries from a safety point of view. An increased commitment to railway development is leading to railway experiencing the same focus on efficiency as offshore does in Norway. The RAMS implementation is seen as a part of this.
At the moment the implementation is not fully incorporated, but it is pushed forward by large projects and high investments making the advantages of RAMS more prominent. The rapid expansion in railway activity also puts pressure on the organisations involved. The urgent rush for new personnel with a variety of backgrounds, mixed with an established and experienced current work force, can be a challenge to join together. The cultural differences related to safety are one challenge pointed out. The two parties might have different ways of looking at the safety processes. This is due to the mix between the old ways of looking at safety put up against the new RAMS process. Bigger organisations and larger projects also bring communication challenges, which might also affect the efficient communication of safety related information. An anticipation is that safety engineering in the railway industry will adapt to the principles of offshore safety engineering. This implies a more specialized approach with increased focus on quantitative analysis in the RAMS process. The motivation for a thorough commitment has been higher in offshore due to privatisation and generally stronger competition in the industry. Railway suffers a bit from being state owned, due to the fact that the offshore industry has been stealing focus from all other industries during the decades of oil boom in Norway. This includes both commitment from state authorities and the attractiveness of the industry amongst employees.

Chapter 6 Discussion

6.1 Overall considerations

Safety engineering is a field for the generalist. You need to be able to understand the impacts of various fields of engineering from a system point of view in order to identify and handle issues from a safety point of view. The specific safety engineering methods, applied independently of industry application, are the cornerstone of their experience. It can be argued that the RAMS approach of EN for the railway industry is in fact closely related to the functional safety approach of IEC. EN also applies functional safety in its standards, but the specialisation and level of detail seem to be different. The author has a background in the programme of Vehicle Engineering with a Master in Naval Architecture. It is the impression of the author that the engineering methods, and especially the probabilistic theory, are well known building blocks in the background of a Naval Architect. Naval Architecture (the engineering discipline dealing with the engineering design process, shipbuilding, maintenance, and operation of marine vessels and structures) is a multi-disciplinary field of engineering emphasizing the engineering design process in a systems way of thinking. Based on this study, this aligns well with the working methods of a safety engineer. The impression is that the knowledge and competence related to such methods is anchored in the education of Naval Architects and offshore engineers.

6.2 Comparison of standards

The difference in management approach between the industries is apparent. What is clear is that these variations are on a high level, and that the basic working methods on a more practical level seem similar. The concepts of RAMS and functional safety are apparently connected on some level. Naturally, functional safety is also used within the railway industry.
But what these different approaches to safety show is that there seems to be a difference in the level of detail, and in how widely they cover the subject of safety engineering. Looking at the structures, it is clear that the work is organised in similar ways on the basis of the system life cycle. This connects further to the roles of verification, validation and assessment of safety activities. Both industries evaluate their safety according to the Safety Integrity Level, but in railway the process is emphasized more than the performance of safety systems, which is the focus in offshore. This transfers to some extent into the documentation. While EN focuses on the process for conformity with the standards, IEC targets the verification against the SIL requirements in a more specific way.

6.3 Impressions from interviews

What is clear is that the offshore industry relies much more on a quantitative approach to safety engineering than the railway industry. The implementation of RAMS and the introduction of more quantitative approaches can be a good opportunity for offshore safety engineers to use their skills within an area of focus in the railway industry. Due to the focus on qualitative processes in the railway industry, the need for experienced engineers seems evident. The increased effort into quantitative methods may however be a good reason for a reduced threshold for making use of offshore safety engineers in railway applications. When looking closer at the culture in the industries, the perception is that the railway safety culture seems to be influenced by an older perception of safety engineering. The impression is that there might be a bit of resistance against implementing new safety methods, i.e. the RAMS methodology. Experience within the industry seems to be quite influential. It also became visible during the interviews that the railway mode of speech is something it takes some time to adapt to. Looking at the offshore industry, it seems evident that there is a well established culture for working in both directions, by being eager to learn from past events and also being innovative when it comes to developing offshore safety routines. There is a feeling that the Norwegian offshore industry takes pride in being best in class. Offshore safety engineers might not be familiar with the RAMS concept and the associated standards, and particularly not with how they are implemented by the authorities. This was a view presented by a safety engineer in the railway industry, with past experience from offshore. It expresses a concern about the agility of a transfer between the sectors.
Even if the overall concept of the industry applications is somewhat different, this study shows that the structure and working methods are similar enough for an agile transfer between the industries.

6.4 Other

The study shows that safety engineers are not very dependent on deep technical knowledge, but they need to be able to control the processes in a manner that utilizes the knowledge of other experts to analyse the systems under consideration. On the other hand, it seems beneficial to have some deeper technical knowledge in order to understand the challenges of threats and hazards thoroughly, especially in the design phase of a project. What was mentioned during the interviews was the mode of speech of its own present in the railway industry. This might be a relevant factor for the safety engineer entering a new industry. Even if the technical skills might not be crucial, it seems evident that being able to communicate on the premises of the industry is vital. It is noticeable that a linear system like railway does not use quantitative analysis in the same way as the more complex systems offshore. Where this comes from is not investigated, but it is clear that the effort of organising a collaboration for information sharing is much more developed in the offshore industry than in the railway industry. The commitment from state authorities seems to emphasize this fact.

6.5 Further work

This thesis represents a generic view of the engineering processes related to safety in the railway and offshore sectors, based on EN and IEC. For a more comprehensive or specialized study of the industry applications, it would be beneficial to include the standards in the sub-structure of the analysed standards. Based on the outcome of this comparison analysis, it would be interesting to investigate further into:

- The reasons why there is a clear difference in the qualitative and quantitative approaches of the industries.
- The reasons for the different levels of detail, i.e. why the railway application seems to be somewhat more general than the offshore applications.
- A more comprehensive study of the practical implications of the management approaches, i.e. how RAMS management versus management of functional safety affects the overall safety.

Chapter 7 Conclusion

This conclusion summarises the most essential parts of the discussion in Chapter 6. It is concluded that the typical safety engineer working as a leader of safety activities will be able to work with the same processes within both fields of engineering. Even if the overall concept of the industry applications is somewhat different, this study shows that the structure and working methods are similar enough for an agile transfer between the industries. The study shows that safety engineers are not very dependent on deep technical knowledge, but they need to be able to control the processes in a manner that utilizes the knowledge of other experts to analyse the systems under consideration. Even if the technical skills might not be crucial, it seems evident that being able to communicate on the premises of the industry is vital. Understanding the technical issues from a safety related view, and getting familiar with the industry's mode of speech, could be an area of training for safety engineers entering the railway industry. What is clear is that the offshore industry relies much more on a quantitative approach to safety engineering than the railway industry. The implementation of RAMS and the introduction of more quantitative approaches can be a good opportunity for offshore safety engineers to use their skills within an area of focus in the railway industry.

Appendix A Introduction to industry practices

A.1 About the standards

The practices related to safety engineering are to a great extent dictated by the approaches in the relevant industry standards. This is evident due to their presence as references in the authority regulations, which state the requirements on the safety of the technical systems. It can therefore be reasonable to take these standards as a basis when evaluating the approaches to safety engineering within the industries. The two standards in focus are:

- IEC, the standard for Functional safety of electrical/electronic/programmable electronic safety-related systems.
- EN, the standard for Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS).

The titles reveal the main intention of the standards. IEC acts as a generic basis for recommendations regarding functional safety, and acts as the basis for this in the offshore industry. EN is devoted to the control of the RAMS parameters of the railway system. Another standard closely related to offshore applications is the IEC standard for the process industry. When it is mentioned, it more specifically refers to the part IEC: Framework, definitions, system, hardware and software requirements. This standard is not the focus of this study, but it is mentioned as it will sometimes be referred to in relation to functional safety in the process industry (e.g. the offshore oil and gas industry). Technical systems nowadays inevitably incorporate electrical/electronic/programmable electronic (E/E/PE) elements. Such elements are increasingly used to perform safety functions, as well as in other types of system functions (IEC, 2010). The IEC standards take E/E/PE systems as their basis, but the management of safety should naturally consider all types of safety related systems incorporated. The generic approaches of the IEC standards can therefore be used as a framework for other technologies besides E/E/PE systems as well (IEC, 2010).
Guidelines from the Norwegian Oil and Gas Association (NOG, 2004) and the work of Winther (2012) have been used as help to simplify the understanding of the industry standards. Recommendations from DNV have also been used to some extent to get an overview of the practices in the offshore industry. The intention of the appendices is to point out the core of the practices within the industries. They highlight the target areas for the two industries, to see what is the highest priority for the respective

sectors. They also aim at the interpretation of the key concepts, which are highlighted as the set of items in the next section. Not all items are necessarily highlighted to the same extent, but the intention has been to focus on the areas which seem most prominent based on the evaluation of the standards. It should also be mentioned that much of the information presented in Appendix B and C is replicated in a more general way in Chapter 2 of the main report. These appendices represent a more divided presentation of the background theory for the industries, based on the IEC (offshore) and EN (railway) standards.

Appendix B Offshore

B.1 Management of functional safety

IEC has a strong focus on functional safety and safety instrumented systems (SIS). A safety instrumented system is an active system that functional safety relies upon. IEC (2016) summarises the meaning of functional safety in two bullets:

- Functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.
- Functional safety is the detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism to prevent hazardous events arising or providing mitigation to reduce the consequence of the hazardous event.

The objective of the management of functional safety is to ensure that the safety integrity level is the cornerstone of the entire life cycle. Its implementation in the design phase is hence a crucial activity. Risk assessment is a vital part of developing functional safety requirements. Through hazard analysis the required safety functions can be identified, and the risk quantification yields the safety integrity requirements (Rockwell Automation, 2016). Functional safety is a major contributor to the overall safety, but there are other aspects that contribute to the total risk reducing picture. Besides the SIS, both other safety related technology systems and external risk reduction facilities contribute to the total risk reduction.

B.1.1 Connection between functional safety and overall quantitative risk analysis

Functional safety, which is addressed in IEC 61508, is only a part of the overall risk picture. In modern technical systems the safety functions are certainly essential, but without an overall quantitative risk analysis (QRA), they can soon be vulnerable to other risks outside of their intended scope.
When focusing on the safety functions of the SIS and the evaluation according to the SIL, a consequence might be that other external risks do not get explicitly addressed. It is the scope of the QRA to address such external risks outside the scope of the safety barriers in the SIS. NOG (2004) states some effects that need to be taken into consideration when using IEC explicitly. Examples of risks that may affect the SIS may, according to NOG (2004, App. C4), be such ones as:

- Unintended activation (trip) of safety functions causing additional risks.

- The safety function does not work as intended due to factors outside the IEC analysis, even with the intended activation.
- Addition of new hazards because of unintended side effects of the safety functions.
- Combined effects of systems outside the EUC and its control system.
- Common cause failures due to the application of common equipment items.

B.1.2 Responsibilities

The responsibility for safety in each life cycle phase should be clearly identified. Designated personnel, or positions, with sufficient authority should be put in place in order to satisfy this. Additionally there should be a position with overall responsibility for the SIS. Its main task is to ensure that the safety performance of the system is in accordance with the SIS Safety Requirement Specification (SRS). According to NOG (2004) the following items relevant for the design phase should be included in such a position:

- Ensure that the competency of engineers that work with the safety system is adequate.
- Ensure that access control to the safety system is in place, e.g. through passwords and/or keys.
- Ensure that management of change procedures are available and applied.

B.1.3 Follow-up

The overall safety responsible should establish a concise plan in order to address the key safety activities, as listed above, within the organisation. Such a plan should be a living document actively used throughout the whole safety life cycle. In order to keep track of the work related to the safety instrumented systems, procedures for the follow-up of important activities should be implemented. This should include activities such as:

- Hazard identification and risk assessment
- Verification
- Validation
- Functional Safety Assessment

The assessment process should be formed so that a judgement of the safety integrity level can be made. The procedure to ensure this should also require an assessment team that has the expertise within the technical and operational applications for the particular installation.
The above listed activities, i.e. verification, validation and functional safety assessment, will be described more extensively in a later section.

B.2 Design phase of the life cycle

IEC takes the life cycle of the SIS as its basis. Even if the IEC standards focus on E/E/PE systems, the framework is similar to other safety related systems and to the overall project safety life cycle. A typical description of the early life cycle phases of an offshore project can according to IEC be divided into:

Investment studies:
- The Feasibility Phase

- The Concept Phase
- The Pre-execution Phase (PDO phase)

Investment project execution:
- Detail engineering and construction phase
- The Final commissioning and start-up phase

The SIS life cycle activities can be put into context with these overall life cycle phases. The risk analysis and safety barrier design (protection layer) reach from the concept phase into the detail engineering phase. An as-built report is typically established and used as a living document even after the design phase of the life cycle. The safety barrier design starts in the pre-execution phase and concludes with a safety barrier specification in the detail engineering phase. The safety integrity level (SIL) of each safety function is an important part of the specification. The more general safety requirement specification document is developed during this phase. The design and engineering of the SIS is also conducted at this stage of the life cycle. The SIS design phase consists of the upper five boxes of the overall safety life cycle presented in Figure B.1. The different phases are defined by their input, output and verification activities.

Figure B.1: Overall safety life cycle with the design phase as the upper five boxes. Source: Adapted from IEC.

B.3 Barriers and safety functions

A common way to distinguish between safety functions is to divide them into local and global safety functions. A set of generic safety functions is pre-analysed in order to ease the work load of the risk analysis, and make more room for the analysis of the specific safety functions. The global safety functions are a set of generic functions which aim at hazardous events like fire and gas detection. Emergency shut-downs and isolation of ignition sources exemplify such safety functions. The local safety functions aim at the protection of specific process equipment, e.g. a process shut-down (PSD). The definition of Equipment under control (EUC) is a basis for the further risk analysis process. EUC

defines the delimited area for which a safety barrier is intended to operate, i.e. stop or mitigate a hazardous event. For offshore practices this can be a piece of machinery or equipment, a part of the installation, or the entire offshore facility. A distinction is made between EUC for global and local safety functions. They are closely related to the definition of local and global safety functions themselves. An EUC for a global safety function could therefore be exemplified by an area with firewall boundaries. An EUC for a local safety function could be a piece of machinery, e.g. with specific valves around the machinery itself as a boundary for the EUC. When using generic data it is important to analyse deviations from the generic case that are relevant to the system. It is not certain that all hazardous events and connected safety functions are covered in the standards or by additional information from state authorities. Safety functions not included may lead to functional deviations in the system, which need to be addressed through the risk analysis according to IEC. It could also be that specific conditions demand a different level of integrity to fulfil the SIL requirements. Such integrity deviations need to be analysed in connection with the overall risk level managed in a QRA.

B.3.1 SIS design and engineering

The activities related to SIS design and engineering, i.e. the realisation, form the last part of the design phase, prior to the installation phase. A safety instrumented system (SIS) consists of three individual subsystems, i.e. field sensors, a logic solver and actuating elements (see the separate section on SIS). The design of the SIS is stated in the Safety Requirement Specification, established in the initial safety planning of the system (see section B.7). It is important that requirements regarding reliability are addressed in the design phase. Human factors related to operability, maintainability and testability also need to be considered in the design, in order to minimise the consequences and likelihood of human failures. Another important attribute is that the system shall be designed so that the safe state is always maintained until a reset of the system is initiated. All components that might affect the SIS negatively shall be taken into consideration, even if they are not directly safety related. When the SIS consists of components with different SILs, it shall always conform to the highest SIL requirement.

B.4 Measuring risk

The core of the measurement requirements related to IEC is the quantitative and qualitative measures defining the safety integrity level (SIL). The application of SIL requirements comes into the picture after a risk analysis process has been performed and the required safety functions have been allocated. The SIL requirements apply to the entire safety function, i.e. the sensors, the logic solver and the actuating elements. This means that the quantitative requirements, such as the probability of failure on demand (PFD), must be used as verification for the safety function as a whole. NOG (2004) puts forward a list of standard safety functions with the corresponding minimum SIL requirements. The minimum SIL requirements are meant to assure that a high performance level is obtained. They are set equal to or better than the requirements from the state authorities. By having a standard set of safety functions and corresponding SIL requirements, it becomes possible to focus more on possible safety deviations. These deviations will need to be handled thoroughly by the approaches stated for risk analysis in IEC.

There is a three-fold set of requirements involved in the fulfilment of a certain SIL, i.e. qualitative and quantitative requirements, together with a requirement regarding which techniques and measures should be used in order to avoid systematic faults. The quantitative requirements state the failure probability allowed for the safety function. It is expressed either as the probability of failure on demand (PFD) or as the probability of dangerous failures per hour (PDH). The qualitative requirements concern the subsystems of the safety functions and their impact on the safety integrity. More specifically, they deal with the hardware fault tolerance (HFT) and the safe failure fraction (SFF) stated in IEC Table 2 and Table 3. These concepts deal with a system's ability to continue operating despite the failure of a system component. A system designed with fault tolerance has implemented redundancy of components in order to deal with the failure of a single component (Nørvåg, 2000). HFT is the maximum number of hardware faults that will not lead to a dangerous failure (Pepperl+Fuchs, 2008), while the SFF is the fraction of failures that are safe, i.e. that will not cause a fault in the safety function. IEC also states recommendations regarding measures and techniques, which are likewise graded according to the safety integrity levels. The intention is to avoid and control systematic faults, for both hardware and software, which have been introduced in the development process.
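The three-fold SIL requirement above (a PFD for the loop as a whole, plus the HFT/SFF architectural constraint per subsystem) is easiest to see worked through on one loop. The following is an added example, not code from the thesis or from NOG/IEC: it uses the low-demand PFD bands of IEC 61508-1 and the HFT/SFF tables of IEC 61508-2 (Table 2 for type A, Table 3 for type B components), the usual simplified PFD approximations for 1oo1 and 1oo2 voting (common-cause failures ignored), and constructed sample failure rates and a constructed one-year proof-test interval.

```python
"""Worked SIL check for one safety instrumented function (added example).

Applies the three-part SIL requirement described in section B.4:
  1. quantitative: PFDavg of the whole loop (sensor + logic solver + final
     element) must lie inside a SIL band (IEC 61508-1, low-demand mode),
  2. qualitative/architectural: HFT/SFF constraints of IEC 61508-2 Table 2
     (type A) and Table 3 (type B),
  3. the SIL that can be claimed is the minimum over the two checks.
PFD formulas are the simplified approximations (1oo1: lambda_DU*tau/2,
1oo2: (lambda_DU*tau)^2/3, no common-cause term). All failure rates and the
test interval below are constructed sample values, not data from the thesis.
"""
from dataclasses import dataclass

# IEC 61508-1 low-demand PFDavg bands, (lower, upper) per SIL.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# IEC 61508-2 Tables 2 and 3: max SIL allowed by SFF band and HFT (0, 1, 2).
# Rows: SFF < 60 %, 60-90 %, 90-99 %, >= 99 %. A 0 means "not allowed".
ARCH_TYPE_A = [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (1.01, (3, 4, 4))]
ARCH_TYPE_B = [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (1.01, (3, 4, 4))]


@dataclass
class Subsystem:
    name: str
    lambda_du: float   # dangerous undetected failures per hour
    lambda_dd: float   # dangerous detected failures per hour
    lambda_s: float    # safe failures per hour
    voting: str        # "1oo1" or "1oo2"
    type_b: bool       # True for complex (type B) components such as a PLC

    @property
    def hft(self) -> int:
        return {"1oo1": 0, "1oo2": 1}[self.voting]

    def sff(self) -> float:
        """Safe failure fraction: share of all failures that are safe or detected."""
        total = self.lambda_du + self.lambda_dd + self.lambda_s
        return (self.lambda_s + self.lambda_dd) / total

    def pfd_avg(self, tau_hours: float) -> float:
        """Simplified average PFD for proof-test interval tau (hours)."""
        x = self.lambda_du * tau_hours
        return x / 2 if self.voting == "1oo1" else x * x / 3

    def arch_sil(self) -> int:
        """Highest SIL the architecture alone permits for this subsystem."""
        table = ARCH_TYPE_B if self.type_b else ARCH_TYPE_A
        for limit, sils in table:
            if self.sff() < limit:
                return sils[self.hft]
        raise AssertionError("unreachable: SFF is at most 1.0")


def sil_from_pfd(pfd: float) -> int:
    """Map a loop PFDavg onto its SIL band; 0 if worse than SIL 1."""
    for sil, (low, high) in PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0


def assess(subsystems, tau_hours: float) -> dict:
    """Claimable SIL for the whole loop: PFD band and architectural limit."""
    loop_pfd = sum(s.pfd_avg(tau_hours) for s in subsystems)
    arch = min(s.arch_sil() for s in subsystems)
    quant = sil_from_pfd(loop_pfd)
    return {"pfd": loop_pfd, "sil_pfd": quant, "sil_arch": arch, "sil": min(quant, arch)}


# Constructed sample loop: 1oo2 pressure transmitters, a type B logic solver
# and a single shutdown valve, proof-tested once a year (8760 h).
SAMPLE_LOOP = [
    Subsystem("PT", 3e-7, 1e-7, 4e-7, "1oo2", type_b=False),
    Subsystem("logic solver", 1e-8, 9e-7, 1e-6, "1oo1", type_b=True),
    Subsystem("shutdown valve", 2e-6, 0.0, 2e-6, "1oo1", type_b=False),
]

if __name__ == "__main__":
    print(assess(SAMPLE_LOOP, 8760))
```

With the sample values the loop PFDavg is about 8.8e-3, inside the SIL 2 band, but the single valve with a 50 % SFF and no fault tolerance caps the architecture at SIL 1, so only SIL 1 can be claimed. That is the practical content of the qualitative requirement: the PFD figure alone does not establish the SIL.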

B.5 Verification, Validation and Assessment

Activities related to verification, validation and assessment of safety can be interpreted somewhat differently by organisations within the industry. It can therefore be convenient to clarify this, in order to understand the roles related to such activities. ISO and the Petroleum State Authority have their interpretation, while IEC has a somewhat different approach. Figure B.2 from NOG (2004) clarifies these interpretations. However, this comparison is mainly based on IEC 61508/61511 compared to EN 50126, so the IEC definitions will be used further in this analysis.

Figure B.2: Interpretations of verification, validation and assessment according to IEC and ISO. Source: Adapted from NOG (2004)

Verification implies independent checks in relation to each phase of the life cycle. The activities related to verification of the safety system aim at demonstrating that the deliverables meet the requirements and objectives of the system. The verification plan should include the following items, based on the recommendations in NOG (2004) and IEC 61511:
- Items to be verified
- Procedures to be used for the verification
- When the verification should take place
- The responsible for the verification, including their independence
- The requirements that the verification should be done against
- How non-conformities and deviations should be handled

Validation is defined by IEC quite similarly to verification. The difference lies in that validation is more connected to the overall confirmation of the system over several phases of the life cycle. Related to the design phase specifically, a SIS requirement validation is to be performed after the design phase. The design should be checked against the Safety Requirement Specification. This is a validation after all the sub-phases of the design phase are accomplished. A similar validation is done after the installation and completion of the system.

Functional safety assessment (FSA) is the activity of performing independent audits at predefined stages during the life cycle. The level of independence for the assessment personnel is stated in IEC (2010, p.52), and in practice means that the personnel performing the assessment should not be the ones designing the system. The extent of the FSA is connected to size and complexity, duration, SIL, consequences and the standardisation of the design features used. IEC states two stages where the FSA should be performed during the design phase:
1. After the hazard identification and risk assessment have been performed, and the safety requirement specification has been established,
2. After the safety instrumented systems (SIS) have been designed.
It is the functional safety assessment which ensures the quality of the Safety Requirement Specification.

B.6 Competence

Personnel that are intended to work within the processes of the safety life cycle shall be competent according to the requirements from the PSA and IEC. This implies the following points of consideration when it comes to competence within the organisation around the safety management (NOG, 2004). It includes:
- engineering knowledge appropriate to the process application, the technology in use, and the sensors and final elements (related to SIS),
- safety engineering knowledge (process safety analysis, safety integrity of the parts in the SIS, consequences of undesirable events),
- knowledge of safety regulatory requirements,
- management skills and leadership roles adequate to the roles in the safety management system.
The appropriateness of competence needs to be considered in relation to the particular application. Factors such as greater consequences, novelty of design and safety integrity level will require a more rigorous specification of competence.

B.7 Documentation

This section presents what is seen as the key documents stated by NOG (2004), based on IEC, regarding the safety engineering processes in the design phase of safety instrumented systems in the Norwegian offshore industry. IEC (19.2.9) in particular states the information that needs to be documented, i.e.:
- Results from the risk assessment process.
- Equipment used in connection with the SIS and the associated safety requirements.
- The organisation for the maintaining of functional safety.
- The procedures necessary for the follow-up of functional safety.
- Test and validation results.
- Modification information for the SIS.
- Information about the design and implementation.

This information is normally structured in an overall safety plan. This plan should specifically address all activities related to verification, validation and assessment. In addition, accompanying procedures for the activities should be stated in order to have a more accurate description of each one. The overall safety plan is normally connected to a quality assurance plan in relation to the overall project plan.

Figure B.3: Overview of the outlined main documents according to NOG (2004). Source: Adapted from NOG (2004)

The safety requirement specification (SRS) describes the specifications for the overall functional safety, including all safety instrumented systems. Besides specifying requirements for the subsystems and system components, it should provide information about the operational conditions. An SRS could also be organised per system, i.e. per SIS in relation to a particular safety function. The SRS is a living document that shall be used as a basis in the design process. Follow-up in later stages of the SIS life cycle is also required. IEC (10.3) provides a list of requirements for the SIS, but NOG (2004) states that the list is not absolute, i.e. all requirements may not be suitable for all types of SIS. According to NOG (2004, app. E), a proposed structure and content of the SRS could be arranged according to the requirements related to:
- Functional conditions, e.g. capacities and response times.
- Integrity, such as PFD and SIL.
- Operational conditions and constraints.
The SRS is an evolving document throughout the whole system life cycle. This implies that all required information will not necessarily be available from the start. The SRS can be structured either per system or as an overall SRS for all safety functions.

All vendors of equipment shall show compliance with the SRS of the safety system to obtain regulatory approval. This is done in a so-called Safety Analysis Report (SAR). All equipment suppliers usually present the required safety-related information in a SAR format. This calls for an integration into a SAR that applies to the entire system. The content should reflect the requirements in the SRS, and could typically include:
- System and operational description, including topology and block diagrams.
- Failure data, i.e. failure rates, PFD calculations etc.
- Maintenance data, including repair time, diagnostic coverage, time intervals between testing etc.
- Common cause failures.
- Behaviour of the system when a fault occurs.
Information related to the SAR is useful in the detail engineering phase (see section B.2) for early checking against the SRS. The final SAR of the system is compiled at the end of the design phase. Further follow-up regarding SAR information is then done in the SRS.

A verification plan should be established in order to define the frames around the verification activities for each phase of the project. The aim of the verification is to check whether the deliverables for each phase meet the requirements and objectives for the given inputs at each phase. According to NOG (2004), such a plan should include:
- Items to be verified.
- Procedures related to the verification.
- When the verification activities should take place.
- Responsible persons.
- Information and specification of the requirements that are to be met in the verification activities.
- How deviations and non-conformities should be verified.

Another important planning document is the overall safety validation plan. NOG (2004) states that testing is often the best way to validate a safety instrumented system. The scopes and procedures of testing therefore need to be properly planned and documented in order to design tests that are reproducible. Such a validation plan shall include two types of documents, i.e. a SIS validation plan and test procedures, as described in the box below.

The plan shall define:
- The SIS validation and the verification activities;
- At which time the activities will take place;
- The procedures to be used for verification;
- The responsible party for these activities: a separate person or a separate organisation, and the required level of independence;
- References from the validation activity to relevant test procedures.

The test procedure shall contain:
- Description of test set-up;
- Environmental requirements;
- Test strategy;
- Who shall perform the tests, and the required presence of assessors;
- Test steps necessary to verify all safety requirements listed;
- Test steps necessary to verify correct operation during various modes of operation and/or abnormal conditions;
- Defined fail/pass criteria for the various tests.
(NOG, 2004)

Testing is considered to be the best verification/validation method for a safety instrumented system (NOG, 2004). The accompanying documentation is therefore vital. A test should be thoroughly stated, and a step-by-step procedure should preferably exist to ensure reproducible test results. The factory acceptance test (FAT) aims at testing the software applications, and especially the logic solver, related to the SIS functions. The requirements to be tested against should be found in the SRS fault conditions. It is of special interest to test that the software applications do not execute any undesirable operations. The documentation of the FAT should include test cases, results and an evaluation of the objectives, including whether the criteria have been met. This test is especially outlined in NOG (2004).

B.8 Definition of safe state

The definition of safe state is connected to every safety function of the system. It can hence be related to the safe state of a specific process, or to the safe state of the entire installation. NOG (2004) suggests that the safe state should be defined in the SRS. A clear definition of the safe state of a process shall be identified for each safety instrumented function. The response time to bring the process into a safe state should also be included. Any actions necessary to bring the process into a safe state in case of faults related to the SIS should be specified as well. Besides the safety instrumented functions, there are other measures used to put the system into a safe state, e.g. manual trips and other compensating measures. One design difference pointed out by NOG (2004) is the distinction between energised and de-energised safe states. A normally-energised (NE) safety function will upon loss of power or signal automatically put the system into a safe state, i.e. an NE safe state. A de-energised safe state is required in situations where e.g. a spurious activation is especially critical.
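The FAT requirements in section B.7 (test steps for normal and abnormal conditions, defined pass/fail criteria, a check that the application executes no undesirable operation) and the safe-state requirements of section B.8 (a defined safe state per function, maintained until reset, reached on loss of power for a normally-energised design) can be exercised together on a small logic solver application. The following is an added example and not code from the thesis or from NOG (2004): the 2oo3 gas-detection voting, the rule for faulted detectors, the 100 ppm threshold and the test cases are all constructed assumptions standing in for what a real SRS would specify.

```python
"""FAT-style test procedure for a small logic solver application (added example).

Models one constructed safety instrumented function: a gas-detection ESD that
trips when 2 of 3 detectors vote high ("2oo3"), with a normally-energised
(de-energise-to-trip) output so that losing the output signal drives the valve
to its safe state. The voting scheme, the faulted-detector rule and the alarm
threshold are assumptions for this example; a real application takes them from
the SRS. Each test case carries its own pass/fail criterion and records its
result, so the procedure is reproducible as section B.7 asks.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALARM_PPM = 100          # assumed high-gas threshold from the SRS
FAULT = None             # a reading of None models a failed detector / lost signal


@dataclass
class EsdLogic:
    """2oo3 gas voting; one faulted detector degrades the vote to 1oo2."""
    output_energised: bool = True      # True = valve held open, process running
    latched: bool = False              # a trip is held until an explicit reset

    def evaluate(self, readings: List[Optional[float]]) -> bool:
        healthy = [r for r in readings if r is not FAULT]
        high = sum(1 for r in healthy if r >= ALARM_PPM)
        faults = len(readings) - len(healthy)
        # Assumed SRS rule: with more than one faulted detector the function can
        # no longer vote safely, so it trips (fail-safe rather than fail-silent).
        trip = high >= 2 or faults > 1 or (faults == 1 and high >= 1)
        if trip:
            self.output_energised = False   # de-energise = safe state
            self.latched = True
        # No trip: output keeps its current state, so a latched trip is held.
        return self.output_energised

    def reset(self) -> bool:
        """Operator reset after the demand has cleared."""
        self.latched = False
        self.output_energised = True
        return self.output_energised

    def loss_of_power(self) -> bool:
        """Normally-energised design: losing the supply yields the safe state."""
        self.output_energised = False
        return self.output_energised


@dataclass
class TestCase:
    case_id: str
    description: str
    readings: List[Optional[float]]
    expect_energised: bool            # the defined pass/fail criterion
    result: Dict[str, object] = field(default_factory=dict)


def run_fat(cases: List[TestCase]) -> Dict[str, bool]:
    """Runs every case from a fresh logic state; returns case id -> passed."""
    outcome = {}
    for case in cases:
        logic = EsdLogic()
        energised = logic.evaluate(case.readings)
        passed = energised == case.expect_energised
        case.result = {"energised": energised, "latched": logic.latched, "passed": passed}
        outcome[case.case_id] = passed
    return outcome


# Constructed FAT cases: normal operation, a real demand, abnormal conditions,
# and the "no undesirable operation" check (one high detector must not trip).
FAT_CASES = [
    TestCase("TC-01", "all detectors healthy, no gas", [0, 0, 0], True),
    TestCase("TC-02", "single detector high must not trip", [150, 0, 0], True),
    TestCase("TC-03", "2oo3 demand trips", [150, 120, 0], False),
    TestCase("TC-04", "one faulted, one high: degraded 1oo2 trips", [FAULT, 120, 0], False),
    TestCase("TC-05", "one faulted, no gas: keep running", [FAULT, 0, 0], True),
    TestCase("TC-06", "two faulted: fail-safe trip", [FAULT, FAULT, 0], False),
]


def latch_holds_until_reset() -> bool:
    """Safe state is maintained after the demand clears until reset is initiated."""
    logic = EsdLogic()
    logic.evaluate([150, 120, 0])
    still_tripped = not logic.evaluate([0, 0, 0])   # gas gone, output stays de-energised
    return still_tripped and logic.reset()


if __name__ == "__main__":
    for cid, ok in run_fat(FAT_CASES).items():
        print(cid, "PASS" if ok else "FAIL")
```

Each case starts from a freshly initialised logic state, which is what makes the results reproducible regardless of the order in which cases are executed; the latch check is kept as a separate procedure because it depends on a sequence of inputs rather than a single evaluation.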

Appendix C Railway Management of RAMS

RAMS management is defined by a holistic approach to the reliability, availability, maintainability and safety of a system. It is rooted in a systems engineering way of thinking, considering requirements for all RAMS parameters of the system. The RAMS process aims at selecting a design that balances the value improvement against the cost of the failure reduction for the system as a whole (Breemer et al., 2009). RAMS management is based on controlling the factors influencing the RAMS requirements. The management of railway RAMS in projects has a close connection to other general project components. The life cycle layout covers a general framework for the overall project execution, which also includes the RAMS activities. This is evident in the life cycle process described below, which highlights RAMS tasks related to a design phase description. The life cycle is in general a framework for the management of all aspects related to a railway system, and the RAMS tasks fit in as one of the components of this management system.

The EN standard for railway applications is based on the concept of RAMS. The RAMS parameters are closely linked together, and including parameters like reliability, availability and maintainability can be useful when categorising the requirements and specifications connected to faults and findings of the system. The parameters are linked together by EN as in Figure C.1. By using what can be interpreted as a broader concept of safety engineering, the concept of RAMS might make it easier to address a risk issue more specifically. Classifying a risk as an availability problem rather than a direct safety problem can be a way to handle the issue more efficiently, by utilising the best suited parameters of the system to obtain the requested risk level (Winther, 2012).

Figure C.1: The RAMS parameters inter-linked as in Cenelec (2006). Source: Adapted from EN

The connection between the RAMS parameters as in Figure C.1 can be shown with an example from Winther (2012). Suppose we have a train approved for operation, but some errors still exist. The error can be categorised as a reliability issue, which is not necessarily a safety problem. However, the availability issue it causes might still affect the railway RAMS and its requirements. Looking at the connection between reliability and maintainability, it might be possible to increase the maintenance to compensate for the reliability issue. This could lead to the effect that the RAMS requirements still get fulfilled.

C.1 Factors influencing RAMS

Figure C.2 shows an overview of the categorisation of factors influencing railway RAMS, according to Figure 5 in EN. Figure C.2 is a generic overview of the categorisation used in EN; a reference to EN is made for a more comprehensive breakdown structure.

Figure C.2: Generic factors as described in EN 50126. Source: Cenelec (2006).

The factors have potential effects that need to be considered in relation to the system under consideration. The factors need to be evaluated in relation to their relevance for the system, EN [4.3.3].

C.2 Design phase of the system life cycle

The life cycle design phase is divided into parts, where EN puts RAMS-related tasks into context with general project tasks. The layout of the design phase can be seen in Figure C.3. Each life cycle phase is presented in terms of its objectives, requirements, deliverables and activities related to verification and validation. A description of the general project phase as described in EN 50126, together with a list of RAMS-related tasks, is presented below.


More information

Maximizing Safety Without Compromising Reliability

Maximizing Safety Without Compromising Reliability Maximizing Safety Without Compromising Reliability Artesyn Embedded Technologies www.artesyn.com October 2015 A programmable electronic system can be defined as functionally safe if it operates correctly

More information

Use of PSA to Support the Safety Management of Nuclear Power Plants

Use of PSA to Support the Safety Management of Nuclear Power Plants S ON IMPLEMENTATION OF THE LEGAL REQUIREMENTS Use of PSA to Support the Safety Management of Nuclear Power Plants РР - 6/2010 ÀÃÅÍÖÈß ÇÀ ßÄÐÅÍÎ ÐÅÃÓËÈÐÀÍÅ BULGARIAN NUCLEAR REGULATORY AGENCY TABLE OF CONTENTS

More information

HSE Integrated Risk Management Policy. Part 1. Managing Risk in Everyday Practice Guidance for Managers

HSE Integrated Risk Management Policy. Part 1. Managing Risk in Everyday Practice Guidance for Managers HSE Integrated Risk Management Policy Part 1 Managing Risk in Everyday Practice Guidance for Managers HSE Integrated Risk Management Policy Part 1 Managing Risk in Everyday Practice Guidance for Managers

More information

Resilience Engineering and Indicators of Resilience i

Resilience Engineering and Indicators of Resilience i Resilience Engineering and Indicators of Resilience i Ivonne Herrera 1 1 Department of Industrial Economics and Technology Management, Norwegian University of Science and Technology Contact: Ivonne.A.Herrera@sintef.no

More information

HANDLING DOWNSIZING IN THE PROCESS INDUSTRIES EXPERIENCES FROM THE SWEDISH PROCESS INDUSTRIES

HANDLING DOWNSIZING IN THE PROCESS INDUSTRIES EXPERIENCES FROM THE SWEDISH PROCESS INDUSTRIES HANDLING DOWNSIZING IN THE PROCESS INDUSTRIES EXPERIENCES FROM THE SWEDISH PROCESS INDUSTRIES Anders Jacobsson Swedish Rescue Services Agency, NCO, Karlskoga; e-mail: aj.riskengineering@telia.com Downsizing

More information

Strategy Analysis. Chapter Study Group Learning Materials

Strategy Analysis. Chapter Study Group Learning Materials Chapter Study Group Learning Materials 2015, International Institute of Business Analysis (IIBA ). Permission is granted to IIBA Chapters to use and modify this content to support chapter activities. All

More information

Expected and Unintended Effects of Instrumented Safety Protections

Expected and Unintended Effects of Instrumented Safety Protections Expected and Unintended Effects of Instrumented Safety Protections Edgar Ramirez Safety Instrumented Systems Specialist, ABB Inc. John Walkington Safety Lead Competency Centre Manager, ABB Ltd. Abstract

More information

122 Norwegian Oil and Gas Recommended Guidelines for the Management of Life Extension

122 Norwegian Oil and Gas Recommended Guidelines for the Management of Life Extension 122 Norwegian Oil and Gas Recommended Guidelines for the Management of Life Extension Original version No: 122 Established: 2008.06.06 Revision no: 2 Date revised: 2017.08.11 Page: 2 PREFACE These guidelines

More information

Implementing Hazard & Operability (HAZOP) Studies Throughout the Project Life Cycle

Implementing Hazard & Operability (HAZOP) Studies Throughout the Project Life Cycle Implementing Hazard & Operability (HAZOP) Studies Throughout the Project Life Cycle Vivian Papen Sound Transit Seattle, WA Ronald Harvey Sound Transit Seattle, WA Hamid Qaasim Sound Transit Seattle, WA

More information

A Systematic Approach to Performance Evaluation

A Systematic Approach to Performance Evaluation A Systematic Approach to Performance evaluation is the process of determining how well an existing or future computer system meets a set of alternative performance objectives. Arbitrarily selecting performance

More information

V&V = the Verification and Validation of Deliverables

V&V = the Verification and Validation of Deliverables V&V = the Verification and Validation of Deliverables Verification and validation (V&V) are separated in the PMBOK Guide, but should be viewed as two integrated elements in the process of creating value

More information

An analysis of barriers in train traffic using risk influencing factors

An analysis of barriers in train traffic using risk influencing factors Safety and Reliability Bedford & van Gelder (eds) 2003 Swets & Zeitlinger, Lisse, ISBN 90 5809 551 7 An analysis of barriers in train traffic using risk influencing factors E. Albrechtsen & P. Hokstad

More information

System Reliability Theory: Models and Statistical Method> Marvin Rausand,Arnljot Hoylanc Cowriaht bv John Wilev & Sons. Inc.

System Reliability Theory: Models and Statistical Method> Marvin Rausand,Arnljot Hoylanc Cowriaht bv John Wilev & Sons. Inc. System Reliability Theory: Models and Statistical Method> Marvin Rausand,Arnljot Hoylanc Cowriaht 0 2004 bv John Wilev & Sons. Inc Glossary Accelerated test A test in which the applied stress level is

More information

ISO INTERNATIONAL STANDARD. Risk management Principles and guidelines. Management du risque Principes et lignes directrices

ISO INTERNATIONAL STANDARD. Risk management Principles and guidelines. Management du risque Principes et lignes directrices INTERNATIONAL STANDARD ISO 31000 First edition 2009-11-15 Risk management Principles and guidelines Management du risque Principes et lignes directrices http://mahdi.hashemitabar.com Reference number ISO

More information

IATF transition. Only 1 year to go for over 69,000 ISO/TS16949 certified organizations to transition to ISO9001: 2015 and IATF 16949: 2016.

IATF transition. Only 1 year to go for over 69,000 ISO/TS16949 certified organizations to transition to ISO9001: 2015 and IATF 16949: 2016. ISO/TS16949:2009 IATF 16949:2016 Risk or Opportunity? Quality Partner Newsletter September 2017 For More Information Visit www.qualitypartner.co.uk Author: Paul Hardiman Welcome to the ninth edition of

More information

Fatality Prevention/Risk Management

Fatality Prevention/Risk Management The persistence of high severity events suggests a new approach rooted in safety management systems is needed in order to have different mine safety outcomes. The backbone of this effort is the risk management

More information

Quality Manual. This manual complies with the requirements of the ISO 9001:2015 International Standard.

Quality Manual. This manual complies with the requirements of the ISO 9001:2015 International Standard. Quality Manual This manual complies with the requirements of the ISO 9001:2015 International Standard. Northeast Power Systems, Inc. 66 Carey Road Queensbury, New York 12804 Quality Manual Rev 0 Printed

More information

COPYRIGHTED MATERIAL RELIABILITY ENGINEERING AND PRODUCT LIFE CYCLE 1.1 RELIABILITY ENGINEERING

COPYRIGHTED MATERIAL RELIABILITY ENGINEERING AND PRODUCT LIFE CYCLE 1.1 RELIABILITY ENGINEERING 1 RELIABILITY ENGINEERING AND PRODUCT LIFE CYCLE 1.1 RELIABILITY ENGINEERING Reliability has a broad meaning in our daily life. In technical terms, reliability is defined as the probability that a product

More information

ERTMS REGIONAL RAMS Requirements

ERTMS REGIONAL RAMS Requirements ERTMS REGIONAL RAMS Requirements Version: 01.00 DRAFT 1.02 20-01-06 Number of Pages: 12 Filing Number: 16112005 Restricted condition 2006 by UIC, all rights reserved Copyright subsists in all UIC/ERTMS/ETCS

More information

CGEIT ITEM DEVELOPMENT GUIDE

CGEIT ITEM DEVELOPMENT GUIDE CGEIT ITEM DEVELOPMENT GUIDE Updated March 2017 TABLE OF CONTENTS Content Page Purpose of the CGEIT Item Development Guide 3 CGEIT Exam Structure 3 Writing Quality Items 3 Multiple-Choice Items 4 Steps

More information

Project Management Auditing Guide

Project Management Auditing Guide Project Management Auditing Guide Index Page 1.0 Objective 4 2.0 Risks 4 3.0 Safeguards and Controls 3.1.Project Characteristics 4 3.2.Quality in Project Management Process 4 3.3.Strategic Processes 5

More information

CORPORATE MANUAL OF INTEGRATED MANAGEMENT SYSTEM

CORPORATE MANUAL OF INTEGRATED MANAGEMENT SYSTEM CORPORATE MANUAL OF INTEGRATED MANAGEMENT SYSTEM SIAD Macchine Impianti, the Company leader of SIAD Group's Engineering Pag. 1 di 20 Contents INTRODUCTION... 4 FOREWORD... 4 1. SCOPE... 5 2. REFERENCES...

More information

Qualification Management for Geological Storage of CO 2

Qualification Management for Geological Storage of CO 2 DNV SERVICE SPECIFICATION DNV-DSS-402 Qualification Management for Geological Storage of CO 2 JUNE 2012 This document has been amended since the main revision (June 2012), most recently in July 2013. See

More information

GENERAL RAMS PLAN FOR THE RAILWAY LINES

GENERAL RAMS PLAN FOR THE RAILWAY LINES GENERAL RAMS PLAN FOR THE RAILWAY LINES AKKO CARMIEL, HAIFA - BET SHEAN AND HERZELYA- KEFAR SABA General Rams Plan 1 Version Date Author Approve Reference Line Observation V.1 19/07/2012 Elena Laura López

More information

IMPLEMENTATION, EVALUATION & MAINTENANCE OF MIS:

IMPLEMENTATION, EVALUATION & MAINTENANCE OF MIS: IMPLEMENTATION, EVALUATION & MAINTENANCE OF MIS: The design of a management information system may seem to management to be an expensive project, the cost of getting the MIS on line satisfactorily may

More information

Delivering Engineered Solutions

Delivering Engineered Solutions Quality Terms Term Description Accept / Reject Criteria This refers to the measurement and decision of whether or not the quality and performance of a product or service is acceptable. These criteria can

More information

An Overview of the AWS Cloud Adoption Framework

An Overview of the AWS Cloud Adoption Framework An Overview of the AWS Cloud Adoption Framework Version 2 February 2017 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational purposes

More information

GUIDELINES FOR THE APPROVAL OF ALTERNATIVES AND EQUIVALENTS AS PROVIDED FOR IN VARIOUS IMO INSTRUMENTS

GUIDELINES FOR THE APPROVAL OF ALTERNATIVES AND EQUIVALENTS AS PROVIDED FOR IN VARIOUS IMO INSTRUMENTS E 4 ALBERT EMBANKMENT LONDON SE1 7SR Telephone: +44 (0)20 7735 7611 Fax: +44 (0)20 7587 3210 MSC.1/Circ.1455 24 June 2013 GUIDELINES FOR THE APPROVAL OF ALTERNATIVES AND EQUIVALENTS AS PROVIDED FOR IN

More information

The SMS Table. Kent V. Hollinger. December 29, 2006

The SMS Table. Kent V. Hollinger. December 29, 2006 The SMS Table Kent V. Hollinger December 29, 2006 This presentation introduces the concepts contained in a Safety Management System (SMS) by using the analogy of an SMS being a four-legged glass-top table,

More information

RISK IN ISO 9001:2015

RISK IN ISO 9001:2015 RISK IN ISO 9001:2015 1. Objective of this paper to explain how risk is addressed in ISO 9001 to explain what is meant by opportunity in ISO 9001 to address the concern that risk based thinking replaces

More information

Safety cannot rely on testing

Safety cannot rely on testing Standards 1 Computer-based systems (generically referred to as programmable electronic systems) are being used in all application sectors to perform non-safety functions and, increasingly, to perform safety

More information

A Measurement Approach Integrating ISO 15939, CMMI and the ISBSG

A Measurement Approach Integrating ISO 15939, CMMI and the ISBSG A Measurement Approach Integrating ISO 15939, CMMI and the ISBSG Luc Bégnoche, Alain Abran, Luigi Buglione Abstract In recent years, a number of well-known groups have developed sets of best practices

More information

Criteria based evaluations

Criteria based evaluations Criteria based evaluations EVA's experience in evaluations based on criteria THE DANISH EVALUATION INSTITUTE Criteria based evaluations EVA's experience in evaluations based on criteria 2004 THE DANISH

More information

The effect of diagnostic and periodic proof testing on the availability of programmable safety systems

The effect of diagnostic and periodic proof testing on the availability of programmable safety systems The effect of diagnostic and periodic proof testing on the availability of programmable safety systems WOLFGANG VELTEN-PHILIPP Automation, Software, Information TÜV Rheinland Bienwaldstr. 41, 76187 Karlsruhe

More information

Now, I wish you lots of pleasure while reading this report. In case of questions or remarks please contact me at:

Now, I wish you lots of pleasure while reading this report. In case of questions or remarks please contact me at: Preface Somewhere towards the end of the second millennium the director of Vision Consort bv, Hans Brands, came up with the idea to do research in the field of embedded software architectures. He was particularly

More information

GE/GN8640. Risk Evaluation and Assessment. Guidance on Planning an Application of the Common Safety Method on. Rail Industry Guidance Note

GE/GN8640. Risk Evaluation and Assessment. Guidance on Planning an Application of the Common Safety Method on. Rail Industry Guidance Note GN Published by: Block 2 Angel Square 1 Torrens Street London EC1V 1NY Copyright 2014 Rail Safety and Standards Board Limited GE/GN8640 Method on Risk Evaluation and Assessment Issue One; June 2014 Rail

More information

CHAPTER 1 INTRODUCTION

CHAPTER 1 INTRODUCTION CHAPTER 1 INTRODUCTION Cost is a major factor in most decisions regarding construction, and cost estimates are prepared throughout the planning, design, and construction phases of a construction project,

More information

Human Factor in Functional Safety

Human Factor in Functional Safety 1. Introduction Human Factor in Functional Safety Pasquale Fanelli Invensys Systems Italia S.p.A. v. Carducci, 125 20099 Sesto S.G. (MI) pasquale. fanelli @invensys.com The European Norm EN 61508 "Functional

More information

Managing Project Risks

Managing Project Risks The Project Reality As per The Standish Group report released in 1994 only 16% of all IT projects attempted successfully occur within the "triple constraint" of cost, time, and user requirements. While

More information

CHAPTER 2: IMPLEMENTATION PHASES AND OFFERINGS

CHAPTER 2: IMPLEMENTATION PHASES AND OFFERINGS CHAPTER 2: IMPLEMENTATION PHASES AND OFFERINGS Objectives Introduction The objectives are: Describe the purpose of the phase planning activity, preconditions, and deliverables in the implementation methodology.

More information

Seminar on Internal Audit by WIRC. Technical Session - 5 Report Writing. CA S. Swaminathan 19/August/2017

Seminar on Internal Audit by WIRC. Technical Session - 5 Report Writing. CA S. Swaminathan 19/August/2017 Seminar on Internal Audit by WIRC Technical Session - 5 Report Writing CA S. Swaminathan 19/August/2017 Re-cap of Previous Sessions Session 1 : Internal Audit Methodology Session 2 : Risk based IA Plan

More information

ADMINISTRATIVE INTERNAL AUDIT Board of Trustees Approval: 03/10/2004 CHAPTER 1 Date of Last Cabinet Review: 04/07/2017 POLICY 3.

ADMINISTRATIVE INTERNAL AUDIT Board of Trustees Approval: 03/10/2004 CHAPTER 1 Date of Last Cabinet Review: 04/07/2017 POLICY 3. INTERNAL AUDIT Board of Trustees Approval: 03/10/2004 POLICY 3.01 Page 1 of 14 I. POLICY The Internal Audit Department assists Salt Lake Community College in accomplishing its objectives by providing an

More information

International Journal of Railway Research, Vol. 4, No. 1, (2017), International Journal of

International Journal of Railway Research, Vol. 4, No. 1, (2017), International Journal of International Journal of Railway Research, Vol. 4, No. 1, (2017), 1-11 1. Introduction Railway is a complex system because it comprises a mix of components with different age and status that have to work

More information

ISO 2018 COPYRIGHT PROTECTED DOCUMENT All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of th

ISO 2018 COPYRIGHT PROTECTED DOCUMENT All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of th INTERNATIONAL STANDARD ISO 31000 Second edition 2018-02 Risk management Guidelines Management du risque Lignes directrices Reference number ISO 31000:2018(E) ISO 2018 ISO 2018 COPYRIGHT PROTECTED DOCUMENT

More information

This resource is associated with the following paper: Assessing the maturity of software testing services using CMMI-SVC: an industrial case study

This resource is associated with the following paper: Assessing the maturity of software testing services using CMMI-SVC: an industrial case study RESOURCE: MATURITY LEVELS OF THE CUSTOMIZED CMMI-SVC FOR TESTING SERVICES AND THEIR PROCESS AREAS This resource is associated with the following paper: Assessing the maturity of software testing services

More information

ROSAS Seminar RAMS in Railways. Wolfgang Berns 17 May 2017

ROSAS Seminar RAMS in Railways. Wolfgang Berns 17 May 2017 ROSAS Seminar 2017 RAMS in Railways Wolfgang Berns 17 May 2017 15.02.2018 1 ROSAS Seminar Safety in Railways Fribourg, 17 May 2017 Agenda Reliability, Availability, Maintainability and Safety of Rail Systems

More information

Qualification Management for Geological Storage of CO 2

Qualification Management for Geological Storage of CO 2 DNV SERVICE SPECIFICATION DNV-DSS-402 Qualification Management for Geological Storage of CO 2 JUNE 2012 The electronic pdf version of this document found through http://www.dnv.com is the officially binding

More information

ENHANCED SYSTEM VERIFICATION (ESV)

ENHANCED SYSTEM VERIFICATION (ESV) RULES FOR CLASSIFICATION OF SHIPS NEWBUILDINGS SPECIAL EQUIPMENT AND SYSTEMS ADDITIONAL CLASS PART 6 CHAPTER 22 ENHANCED SYSTEM VERIFICATION (ESV) JANUARY 2011 CONTENTS PAGE Sec. 1 General... 4 Sec. 2

More information

Communication Audit of the Academic & Career Advising Center. Table of Contents

Communication Audit of the Academic & Career Advising Center. Table of Contents Helping organizations reach new heights through effective communication Communication Audit of the Academic & Career Advising Center Table of Contents Mission Statement 4 Executive Summary 5 Introduction

More information

SYSTEMKARAN ADVISER & INFORMATION CENTER QUALITY MANAGEMENT SYSTEM ISO9001:

SYSTEMKARAN ADVISER & INFORMATION CENTER QUALITY MANAGEMENT SYSTEM ISO9001: SYSTEM KARAN ADVISER & INFORMATION CENTER QUALITY MANAGEMENT SYSTEM ISO9001:2015 WWW.SYSTEMKARAN.ORG 1 WWW.SYSTEMKARAN.ORG Foreword... 5 Introduction... 6 0.1 General... 6 0.2 Quality management principles...

More information

Project vs Operation. Project Constraints. Pankaj Sharma, Pankaj Sharma,

Project vs Operation. Project Constraints. Pankaj Sharma, Pankaj Sharma, Project vs Operation PROJECTS OPERATIONS Temporary Ongoing Unique Repetitive Closes after attaining the objectives Objective is to sustain business Prototyping the new car model Assembly line production

More information

Alternative approaches to risk evaluation

Alternative approaches to risk evaluation Alternative approaches to risk evaluation Lars Harms-Ringdahl a, b and Ronald Wennersten a a Chemical Engineering, Royal Institute of Technology, S-100 44 Stockholm, Sweden b Institute for Risk Management

More information

Why use Ecodesign in the industry 2013? A Survey regarding Barriers and Opportunities related to Ecodesign.

Why use Ecodesign in the industry 2013? A Survey regarding Barriers and Opportunities related to Ecodesign. Why use Ecodesign in the industry 13? A Survey regarding Barriers and Opportunities related to Ecodesign. Anna Karin Jönbrink 1, Anna Rúna Kristinsdottir 1, Sandra Roos 1, Mats Sundgren 1, Eva Johansson

More information

Manufacturing Technology Committee Risk Management Working Group Risk Management Training Guides

Manufacturing Technology Committee Risk Management Working Group Risk Management Training Guides Manufacturing Technology Committee Management Working Group Management Training Guides Ranking and Filtering 1 Overview Ranking and Filtering is one of the most common facilitation methods used for Management.

More information

Developments in Dependability Standardization

Developments in Dependability Standardization Developments in Dependability Standardization Thomas Van Hardeveld, M.Sc., P.Eng. Chair, IEC/TC56 Dependability Strategic Maintenance Solutions Inc. Calgary, Alberta, Canada Abstract This presentation

More information

Using Risk Analysis Tools for Early Project Decision Support

Using Risk Analysis Tools for Early Project Decision Support Alternatives Using Risk Analysis Tools for Early Project Decision Support Goal Irfan Shaikh Risk Management Mary Kay O Connor Process Safety Center Symposium College Station, Texas October 28, 2009 Criteria

More information

AMERICAN SOCIETY FOR QUALITY CERTIFIED RELIABILITY ENGINEER (CRE) BODY OF KNOWLEDGE

AMERICAN SOCIETY FOR QUALITY CERTIFIED RELIABILITY ENGINEER (CRE) BODY OF KNOWLEDGE AMERICAN SOCIETY FOR QUALITY CERTIFIED RELIABILITY ENGINEER (CRE) BODY OF KNOWLEDGE The topics in this Body of Knowledge include additional detail in the form of subtext explanations and the cognitive

More information