iESM 2013 Integrated System Assurance Approach for Railway
Design, Construction and Operations
Nelson Ng
General Manager – Safety & Quality
MTR Corporation
11 April 2013
Page 2 MTR Corporation 4/17/2013
Business Overview of MTR
We carry 4.9 million passengers every weekday in Hong Kong
Business Overview of MTR
Heavy Rail: 11 lines, 84 stations, 182 km length
Light Rail: 12 routes, 68 stops, 36 km length
Bus: 17 routes
Business Overview of MTR (new railway projects under construction)
• Guangzhou-Shenzhen-Hong Kong Express Rail Link
• West Island Line
• South Island Line (East)
• Shatin to Central Link
• Kwun Tong Line Extension
Business Overview of MTR (Mainland China and overseas operations): Metro Trains Melbourne; Shenzhen Metro Longhua Line; Hangzhou Metro Line 1; Beijing Metro Line 4; MTR Stockholm; LOROL
Our Vision
“We aim to be a leading multi-national company that connects and grows communities with caring service”
Corporate Safety Governance Framework
Safety Management Framework
Our Safety performance is amongst the very best in the world
[Chart: Total Fatalities / Billion Passenger Journeys for 2000-2009 and 2001-2010, MTR compared with Asian (As), European (Eu), North American (NA) and South American (SA) metros; lower is better. Source: CoMET 2000-2010 Data. Only metros with data are listed (* 2009 result).]
2 Safety Aspirations
• To be amongst the very best in safety performance globally
• To be the safest mode of public transport in every place where we operate
ALARP Principle: As Low As Reasonably Practicable
[Figure: risk ranks R1 to R4 placed on a scale of size of risk, from High Risk to Low Risk.]
Hong Kong Safety & Health Regulations
• Mass Transit Railway Ordinance Cap. 556 and Operating Agreement
• Factory & Industrial Undertakings Ordinance (occupational safety & health)
• No local prescriptive railway safety standards
• Adopt UK and other international safety and risk management principles and good practices
Driving for Continuous Improvement
Corporate Safety Management Model
“Risk Management” & “System Assurance” are fundamental elements of our SMS to drive continuous improvement
MTR System Assurance Framework
Project Phase: New Railway Lines; Interfacing Works
Handover point: Day-1 Operation
Operations Phase: Operating; Maintenance; Asset Modification; Asset Replacement
Risk Control loop (Reducing Risks to ALARP): Identify & Evaluate Risks → Register Risk → Propose Controls → Implement Controls → Update and Review
Asset Lifecycle (Building & Maintaining Fit-for-purpose Assets): Design → Construction → Commissioning → Handover to Operations
MTR System Assurance Process
Organization: Enterprise Risk Management (ERM)
Key Processes, spanning the Project Phase (New Railway Lines, Interfacing Works) through Day-1 Operation to the Operational Phase (Operating, Maintenance, Asset Modification, Asset Replacement):
Project System Assurance
• System Assurance Plan & Specification
• SA / RAMS Analysis (HAZOP, PHA, FMECA, FTA, ETA, QRA, DSA, CCF, SIL, MRA, DSC, Human Factors, PHL)
• Design Control (SCS)
• V&V, Audits; EMC, Software
• RAM Demo., DRACAS
• Independent Safety Assessment
• System Safety Report
• Hazard close out & Transfer
Operations System Assurance
• Risk Identification & Control (ASRISK): Risk Identification (R1 to R4), Risk Review, CBA, Value Assessment (V1 to V4), Risk Scenarios Review
• Operations System Safety Assurance (OSSA)
• Risk Control: Design Control (SCS); Maintenance Control of SCI; Operational Control of SCO
• Performance Precursor Monitoring; System Reliability Modelling
• Software & Integrity Assurance; Technical Safety Assurance
• HAZOP, RCM, PHL Risk Assessment
• Independent Safety Assessment
Integrated SA
Corporate-wide Risk Knowledgebase
Over 3,000 Risk Records, ~60 Precursors and ~600 Safety Critical Items (SCI)
Used by Operations, New Projects and C&R Works
Project System Assurance Framework (Life Cycle)
Stages: Definition / Specification → Particular Specifications → Tendering → Contract Award → Design → Design Completion → Construction / Installation → T & C → Trial Running → Revenue Service → Operation / Maintenance
Assurance activities across the stages: Requirement analysis and specification; Project Hazard Log; Safety Analysis (if needed); Validation and Verification; System Validation; System Safety Report; Operations Hazard Log
Risk Identification (Project Phase)
• Reference hazard log sent to contractor for review
• Contractor to:
 - review the reference hazard log
 - conduct hazard identification exercises, e.g. HAZOP, PHA, etc.
• Contractor to prepare the contract specific hazard log (Contract Specific Hazard Log)
• System Assurance (SA) Team to conduct risk assessments on specific issues, as raised by designers, construction team, or Operations
• Contractor to review the hazard log at various project phases
Risk Identification (Project Phase)
• Top-down Approach: from Top Events (Major Hazards): Collision, Derailment, Fire, External Factors, Others….
• Bottom-up Approach: from High Level Hazard Records
• Project Specific Issues: Interface with operating railway; Software cut-in; Unattended Train Operation
Derailment (hazard breakdown by area)
Trains
A1. Suspension system failure
A2. Bogie structure failure
A3. Broken axle
A4. Underframe equipment drops onto track – xxx equipment failure
A5. Wheel failure (e.g. excessive wear beyond limit)
A6. Braking system fails to reduce train speed
Signalling
B1. ATP Wrong Side Failure causes train overspeeding
B2. Wrong Side Failure of speed indication
B3. ATP failure to detect correct point position
B4. Point moves when train berthing above the point
Tracks
C1. Defective switch or crossing
C2. Undetected broken rail
C3. Broken clips or mounting failure
C4. Track twist
C5. Incorrect track profile
C6. Materials left or object fallen from OLE on track
C7. Equipment installation (including OLE, TECS, trackside auxiliary, ...etc.) inside tunnel infringes KE
Others
D1. Signalling Passing at Danger under RM mode
D2. Tunnel structure failure (e.g. concrete spalling from ceiling)
D3. Differential settlement of WIL stations
Station
E1. Advertising panel detached from wall
E2. PSD detached
E3. Equipment installation at platform infringes KE
Interfacing Works Risk Management
[Figure: works at SHW (Sheung Wan), between Admiralty and Sheung Wan: Uptrack Temporary Refuge Siding and Downtrack New Temporary Refuge Siding.]
Project System Assurance
System Safety Report
• Overview of the operational safety of the new railway system prior to handover to Operations
• Outline the operational safety management tasks undertaken at project phase and planned downstream for future operations
• Provide a summary of the key operational safety issues that complement the risks to be transferred to Operating Railway
New Railway Project System Safety Report structure: Section 1 Introduction; Section 2 System Description; Section 3 Safety Management System; Section 4 Operations Assessment; Section 5 Hazard Identification & Control; Section 6 Deterministic Safety Assessment; Section 7 Conclusions; Appendices
Operations System Assurance
5 million people a day; 99.9 % train reliability
Any changes could have an effect on its people, organisation, procedure and equipment and overall system performance
[Figure: wheel of People, Organisation, Procedure, Equipment/Environment]
Integrated System Assurance Framework, comprising:
• Technical Safety Assurance Framework
• Software Assurance Framework
• Integrity Assurance Framework
• New Business Safety Assurance Framework
Operations Assurance Process: assure assets are able to perform to the required Reliability, Availability, Maintainability and Safety requirements
Management and Engineering Assurance Tasks: Risk Management, Independent Check, QRA, FMECA, RAM analysis, Interface requirement, Reliability Centered Maintenance, Cost Benefit Analysis, software V-model, technical audit
Technical Safety Assurance
To assure a safe railway operation
Tasks: Independent Check; Safety Alert from other Railways; Quantitative Risk Assessment; Incident Review; Technical Investigation; Review on International Standard; Fit-To-Test and Fit-To-Run Certification; Operating Railway Benchmarking
These fall into two groups: tasks for assuring safety of O&M activities and modification of assets involving Safety Critical Systems, and tasks for seeking continuous safety improvement
Integrated System Assurance
To assure seamless transition with the introduction of new assets and modifications of existing assets
Project stages: Concept/Funding → Tender/Design → Const. → T&C → DLP → Handover
SA activities: Project Risk Appraisal → Formulation of SA Program Plan → Implementation of SA tasks in SA Program Plan
• Life cycle SA - from concept stage through to handover and future O&M
• Tailoring SA activities - based on risk of individual project
Software Assurance
To assure critical software changes are properly done for Safety / Service Critical Systems, e.g.
Signalling / AFC
Integrity Assurance
To assure assets are fit for the purpose after years of service
• Technical Audits
• System Reliability Monitoring
• Asset Condition Surveys
[Chart: URL - No. of ≥ 2 min delays per month vs probability of escalating to ≥ 5-min delays, plotted per line (KTL, ISL, TWL, TKL) for 2011Q2-2012Q1 and for 2012Q2; lower-left is Better, upper-right is Worse; reference lines at 500:1, 1000:1 and 1500:1 PAR.]
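As an added example of the reliability-monitoring precursor behind the URL chart (constructed here, not MTR's data or code), the Python below computes the two plotted quantities from constructed delay records, the mean number of ≥ 2-minute delays per month and the probability that such a delay escalates to ≥ 5 minutes, and flags lines whose current-quarter point moved up or to the right of their baseline. Line codes are the ones on the chart; the delay values, the months and the baseline figures are assumptions.

```python
from collections import defaultdict

# Constructed delay records: (line, month, delay minutes). Not MTR data.
RECORDS = [
    ("KTL", "2012-04", 2.5), ("KTL", "2012-04", 7.0), ("KTL", "2012-04", 1.0),
    ("KTL", "2012-05", 3.0), ("KTL", "2012-05", 2.0), ("KTL", "2012-05", 12.0),
    ("KTL", "2012-06", 4.0), ("KTL", "2012-06", 2.0),
    ("ISL", "2012-04", 6.0), ("ISL", "2012-04", 2.0), ("ISL", "2012-05", 5.0),
    ("ISL", "2012-06", 2.0), ("ISL", "2012-06", 9.0), ("ISL", "2012-06", 0.5),
]

def precursor_metrics(records, months_in_period, minor=2.0, major=5.0):
    """Per line: mean count of >= minor-minute delays per month (chart y-axis)
    and the fraction of those delays that reached >= major minutes (x-axis)."""
    minors, majors = defaultdict(int), defaultdict(int)
    lines = set()
    for line, _month, minutes in records:
        lines.add(line)
        if minutes >= minor:
            minors[line] += 1
            if minutes >= major:        # a minor delay that escalated
                majors[line] += 1
    # months_in_period is passed in so months with no delays still count
    return {line: {"delays_per_month": minors[line] / months_in_period,
                   "p_escalate": majors[line] / minors[line] if minors[line] else 0.0}
            for line in sorted(lines)}

def worsened(baseline, current):
    """Lines whose current point lies above or to the right of the baseline,
    i.e. more frequent minor delays or a higher chance of escalation."""
    flagged = []
    for line, now in current.items():
        base = baseline.get(line)
        if base and (now["delays_per_month"] > base["delays_per_month"]
                     or now["p_escalate"] > base["p_escalate"]):
            flagged.append(line)
    return sorted(flagged)
```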
Managing Safety Critical Systems and Tasks
Safety Critical Systems (SCS): Design Control
• Competent design staff
• Design and functions verified and validated
• Independent design checks
• Technical audit
e.g. Train Wheel & Axle, Emergency Brake and Door System, Signalling ATP / interlocking system
Safety Critical Item (SCI): Maintenance Control
• Maintenance by certified staff
• Safety Independent Check
• Full maintenance records
• Periodic audits
• Incoming goods inspection control
e.g. Train underframe equipment, door control unit, Escalator safety switches, Platform Screen Door detection relays (600 items)
Safety Critical Operations (SCO): Operational Control
• Operations by qualified staff
• Safety Independent Check
• Full log book/ records of actions and system affected
• Periodic review/audits
e.g. Door Isolation, Train Manual Mode operation, Manual operations of points, operation of tunnel emergency ventilation
Systematic Review of SCI
Evolution of Safety Toolkits: HAZOP, PHA, FTA, ETA, QRA
[Figure: Train Collision Risk Model (Scenarios) event tree, with columns for frequency of equipment failure per year (A), consequence (B), event (C) and frequency per year (D); the initiating frequency is taken from FTA and each Y/N branch ends in an outcome such as “Minimal” with its own frequency per year.]
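As an added example in the spirit of the event-tree figure (constructed here, not taken from MTR's Train Collision Risk Model), the Python below evaluates a small scenario tree: the initiating frequency plays the role of the “From FTA” value, each branch carries an assumed P(yes), outcome frequencies per year are summed per consequence, and a data-entry check catches branch probabilities outside [0, 1]. The B1 initiating event comes from the derailment hazard list; every number is an assumption.

```python
# Constructed scenario event tree in the style of the "Train Collision Risk
# Model" figure; the initiating frequency and branch probabilities are
# assumptions, not values from any MTR model.
FTA_INITIATING_FREQ = 1.0e-2  # assumed /yr: ATP wrong-side failure lets a train overspeed (B1)

COLLISION_TREE = {
    "q": "Driver reacts to overspeed?", "p_yes": 0.9,
    "yes": "Minimal",
    "no": {
        "q": "Emergency brake stops train before conflict point?", "p_yes": 0.95,
        "yes": "Minimal",
        "no": {
            "q": "Conflicting train in section?", "p_yes": 0.3,
            "yes": "Collision", "no": "Minimal",
        },
    },
}

def walk(node, freq, path=()):
    """Enumerate every branch; a leaf string is the outcome. Returns a list of
    (path of (question, 'Y'/'N'), outcome, frequency per year)."""
    if isinstance(node, str):
        return [(path, node, freq)]
    yes = walk(node["yes"], freq * node["p_yes"], path + ((node["q"], "Y"),))
    no = walk(node["no"], freq * (1 - node["p_yes"]), path + ((node["q"], "N"),))
    return yes + no

def outcome_frequencies(tree, initiating_freq):
    """Sum branch frequencies per outcome, e.g. {'Minimal': ..., 'Collision': ...}."""
    totals = {}
    for _, outcome, freq in walk(tree, initiating_freq):
        totals[outcome] = totals.get(outcome, 0.0) + freq
    return totals

def invalid_branches(node):
    """Data-entry check: questions whose P(yes) lies outside [0, 1]."""
    if isinstance(node, str):
        return []
    bad = [node["q"]] if not 0.0 <= node["p_yes"] <= 1.0 else []
    return bad + invalid_branches(node["yes"]) + invalid_branches(node["no"])

def risk_per_year(tree, initiating_freq, fatalities):
    """Expected fatalities per year given an assumed fatality count per outcome."""
    freqs = outcome_frequencies(tree, initiating_freq)
    return sum(f * fatalities.get(o, 0.0) for o, f in freqs.items())

if __name__ == "__main__":
    for path, outcome, freq in walk(COLLISION_TREE, FTA_INITIATING_FREQ):
        print(" / ".join(f"{q} {a}" for q, a in path), "->", outcome, f"{freq:.2E}/yr")
```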
OSSA (Operations System Safety Assessment)
System Diagram; Operational Flow Diagram
[Figure: operational flow diagram for a train stalled in a tunnel with a fire on board, showing the actions of passengers (PAX) on the incident train and on other trains, the train captain (Tcap), the traffic controllers (TC1, TC2) and the CC. Steps shown include: PAX inform Tcap of incident / ask for help thru PAD; Tcap reports incident & summons assistance; TC acknowledges incident & informs; observe fire symptoms (CCTV) & assess situation; decision points “Saloon on fire?” and “Fire extinguishable?”; inform pax to use fire extinguisher / try to put out the fire; make PA to inform & calm down pax; hold other trains at stations in affected sections; all call to other trains/stations; summon FSD & emergency services; declare major incident; decide detrainment option, otherwise follow the Non-emergency Detrainment Procedure.]
Risk Tree and Safety Critical Items/Precursor Trend
ASRISK Risk Tree: Major Risk Scenarios (High Consequence Risks, High Frequency Risks) → e.g. Derailment → Root Cause (Staff Behaviour, Track Failure, Train Failure, Object on / near track) → sub-system (Signalling, Coupler, Brake, Pantograph, Bogie) → scenarios such as Derailment due to XX rail (Rx), Derailment due to structural damage of bogie frame (Rx), Derailment due to XX unloading (Rx), Derailment due to damage of coil sxxs (Ry) → Coil Spring (Safety Critical Item)
Operations System Safety Assessment (OSSA)
• A new tool to review adequacy and robustness of key control measures for high consequence scenarios
• Review existing, rejected and potential controls
• Use traffic light to focus on strengths & weaknesses
• Provide an increased level of assurance that risk controls are reducing risk to ALARP
Example: PTI Major Risk Scenarios (high consequence scenarios): Trapped and dragged; Hit by train; Fall through platform gap; Train moves with PSD open; Trapped between PSD / train
For each scenario: “Identify Critical controls”, then review the management processes for critical controls across Design, Maintenance and Operations (existing processes) to give an overview of strengths and weaknesses
Integrating Human Factors with SMS
Inputs from the Incident Review / Safety Process: Accident Reports (Staff / Contractor); Incident / Investigation Reports; Hazard & Near Miss Reporting; Behavioural Safety Observation (BAPP); Change Management; Job Hazards
Human Factors Process: Human Factors Wheel (Error Traps Analysis) across People, Organisation, Procedure and Equipment/Environment; Human Factors Reports; Human Factors Issue Register; Human Factor Studies
Recommendations: Design; Ergonomics; Workload; PSF; Root Cause
Outputs feed the Risk Register (ASRISK) as Human Performance Issues & Control Measures, covering Process, Equipment & Environment, and People
Integrating all Risks under Enterprise Risk Management (ERM) Framework
Escalation levels and owners: E1 (very high): Board & Executive Committee; E2 (high): Executive Committee & Divisional Directors; E3 (medium) and E4 (low): All Department Heads & Managers
Review cycle: The Board (Annually); Executive Committee (6 monthly); Enterprise Risk Committee (3 monthly)
Enterprise Risks: Top 30; Top 10 + hot spots
Business Units (Hong Kong, Mainland China and Overseas): Divisional Risks: Business Risks, Project Risks, Railway Operations Safety Risks (E1, E2, E3, E4)
Risk categories: Financial ($); Legal/Regulatory; Political/Reputation; Business Performance; Safety
Railway Operations Safety Risk is an integral part of Enterprise Risk Management
Systematic Review of SCI
Competence Management of Railway System Safety and Reliability Specialist
Enhancing Platform/Train Interface Safety
• Reducing Platform Gap
• Minimising Train/Platform Screen Door Gap and Detecting Trapping
• Bridging the Gaps
• Standardisation
• Trial of different types of gap fillers
• Additional Platform Emergency Plungers
• Enhanced monitoring at platform
Building Better and Consistent HMI (Human Factors)
[Figure: cab controls numbered 1 to 14 on different trains with different cab HMI, compared with a Standardised HMI - Grouping / Color / Logic.]
Operating a Safety Critical Task (Human Factors)
FAO ?
Roles: Environmental System Controller; Traffic Controller; Independent Verification
Example exchange: “Passengers will evacuate towards LOF. I will switch on modes KOT 23, LOF 22…” / “Mode Table Checked OK!”
Evolution of decision support: Computer-aided Decision Support (standalone) → Prompting by Decision Support System → Fully Integrated Decision Support System (“Press Confirm Button to operate selected modes”)
Integrated System Assurance Approach
Integrated & holistic: People, Organisation, Procedure, Equipment/Environment
Asset Lifecycle: Design → Construction → Commissioning → Handover to Operations
Risk Control: Identify & Evaluate Risks → Register Risk → Propose Controls → Implement Controls → Update and Review
Systematic