iESM 2013
Integrated System Assurance Approach for Railway Design, Construction and Operations
Nelson Ng, General Manager – Safety & Quality, MTR Corporation
11 April 2013

Page 2 MTR Corporation 4/17/2013

Business Overview of MTR

We carry 4.9 million passengers every weekday in Hong Kong.

Heavy Rail: 11 lines, 84 stations, 182 km route length
Light Rail: 12 routes, 68 stops, 36 km route length
Bus: 17 routes

Our rush hours…

Business Overview of MTR – new railway projects in Hong Kong

• Guangzhou-Shenzhen-Hong Kong Express Rail Link
• West Island Line
• South Island Line (East)
• Shatin to Central Link
• Kwun Tong Line Extension

Business Overview of MTR – operations outside Hong Kong

• Metro Trains Melbourne
• Shenzhen Metro Longhua Line
• Hangzhou Metro Line 1
• Beijing Metro Line 4
• MTR Stockholm
• LOROL (London Overground Rail Operations Ltd)

Our Vision

“We aim to be a leading multi-national company that connects and grows communities with caring service”

Corporate Safety Governance Framework

Safety Management Framework

Our Safety performance is amongst the very best in the world

[Chart: Total Fatalities per Billion Passenger Journeys for the periods 2000-2009 and 2001-2010, one bar per metro (As = Asian metros, Eu = European metros, NA = North American metros, SA = South American metros; * 2009 result); MTR is shown among the Asian metros. Source: CoMET 2000-2010 data. Only metros with data are listed.]

2 Safety Aspirations

• To be amongst the very best in safety performance globally
• To be the safest mode of public transport in every place where we operate

ALARP Principle – As Low As Reasonably Practicable

[Figure: size of risk from High Risk to Low Risk, graded R1 to R4]

Hong Kong Safety & Health Regulations

• Mass Transit Railway Ordinance Cap. 556 and Operating Agreement
• Factory & Industrial Undertakings Ordinance (occupational safety & health)
• No local prescriptive railway safety standards
• Adopt UK and other international safety and risk management principles and good practices

Driving for Continuous Improvement

Corporate Safety Management Model

“Risk Management” & “System Assurance” are fundamental elements of our SMS to drive continuous improvement

MTR System Assurance Framework

[Diagram: the Project Phase (Design → Construction → Commissioning → Handover to Operations) leads through Day-1 Operation into the Operations Phase (Operating, Maintenance, Interfacing Works, New Railway Lines, Asset Modification, Asset Replacement). Two cycles run across both phases:]

Risk Control – Reducing Risks to ALARP: Identify & Evaluate Risks → Register Risk → Propose Controls → Implement Controls → Update and Review

Asset Lifecycle – Building & Maintaining Fit-for-purpose Assets: Design → Construction → Commissioning → Handover to Operations

MTR System Assurance Process

[Diagram: Organization and Key Processes, with Enterprise Risk Management (ERM) spanning the Project Phase, Day-1 Operation and the Operational Phase (Operating, Maintenance, Interfacing Works, New Railway Lines, Asset Modification, Asset Replacement).]

Project System Assurance (Project Phase):
• System Assurance Plan & Specification
• SA / RAMS Analysis (HAZOP, PHA, FMECA, FTA, ETA, QRA, DSA, CCF, SIL, MRA, DSC, Human Factors, PHL)
• Design Control (SCS)
• V&V, Audits, EMC, Software
• Independent Safety Assessment
• System Safety Report
• RAM Demonstration, DRACAS
• Hazard close-out & Transfer

Operations System Assurance (Operational Phase):
• Risk Identification & Control (ASRISK): Risk Identification (R1 to R4), Risk Review, Risk Scenarios Review, CBA, Value Assessment (V1 to V4)
• Risk Control Performance and Precursor Monitoring
• Control of SCI (Maintenance), Control of SCO (Operational), Design Control (SCS)
• Operations System Safety Assurance (OSSA)
• System Reliability Modelling
• Software & Integrity Assurance
• Technical Safety Assurance
• HAZOP, RCM, PHL Risk Assessment
• Independent Safety Assessment
• Integrated SA

Corporate-wide Risk Knowledgebase

Over 3,000 Risk Records, ~60 Precursors and ~600 Safety Critical Items (SCI)

Used by Operations, New Projects and C&R Works

Project System Assurance Framework (Life Cycle)

[Diagram: project stages Definition / Specification → Tendering → Design → Construction / Installation → T&C → Trial Running → Revenue Service → Operation / Maintenance, with milestones Particular Specifications, Contract Award, Design Completion and System Validation. System assurance activities along the life cycle:]

• Requirement analysis and specification
• Project Hazard Log
• Safety Analysis (if needed)
• Validation and Verification
• System Safety Report
• Operations Hazard Log

Risk Identification (Project Phase)

• Reference hazard log sent to contractor for review
• Contractor to review the reference hazard log and conduct hazard identification exercises, e.g. HAZOP, PHA, etc.
• Contractor to prepare the contract specific hazard log
• Contractor to review the hazard log at various project phases
• System Assurance (SA) Team to conduct risk assessments on specific issues, as raised by designers, construction team, or Operations

Risk Identification (Project Phase)

Top-down Approach: High Level Hazard Records

Bottom-up Approach: Project Specific Issues
• Interface with operating railway
• Software cut-in
• Unattended Train Operation

Top Events (Major Hazards): Collision, Derailment, Fire, External Factors, Others…

Derailment – contributing hazards by subsystem

Trains
A1. Suspension system failure
A2. Bogie structure failure
A3. Broken axle
A4. Underframe equipment drops onto track – xxx equipment failure
A5. Wheel failure (e.g. excessive wear beyond limit)
A6. Braking system fails to reduce train speed

Signalling
B1. ATP wrong side failure causes train overspeeding
B2. Wrong side failure of speed indication
B3. ATP failure to detect correct point position
B4. Point moves when train berthing above the point

Tracks
C1. Defective switch or crossing
C2. Undetected broken rail
C3. Broken clips or mounting failure
C4. Track twist
C5. Incorrect track profile
C6. Materials left or object fallen from OLE on track
C7. Equipment installation (including OLE, TECS, trackside auxiliary, etc.) inside tunnel infringes the kinematic envelope (KE)

Station
E1. Advertising panel detached from wall
E2. PSD detached
E3. Equipment installation at platform infringes the kinematic envelope (KE)

Others
D1. Signal passed at danger under RM mode
D2. Tunnel structure failure (e.g. concrete spalling from ceiling)
D3. Differential settlement of WIL stations

Interfacing Works Risk Management

[Map of the Sheung Wan – Admiralty section: Works at SHW Uptrack Temporary Refuge Siding; Works at SHW Downtrack New Temporary Refuge Siding]

Project System Assurance – System Safety Report

• Overview of the operational safety of the new railway system prior to handover to Operations
• Outline the operational safety management tasks undertaken at project phase and planned downstream for future operations
• Provide a summary of the key operational safety issues that complement the risks to be transferred to the Operating Railway

New Railway Project System Safety Report – contents:
Section 1 Introduction
Section 2 System Description
Section 3 Safety Management System
Section 4 Operations Assessment
Section 5 Hazard Identification & Control
Section 6 Deterministic Safety Assessment
Section 7 Conclusions
Appendices

Operations System Assurance

5 million people a day; 99.9% train reliability. Any change could have an effect on its people, organisation, procedure and equipment, and on overall system performance.

[Figure: human factors wheel – People, Organisation, Procedure, Equipment/Environment]

Integrated System Assurance Framework

Comprises the Technical Safety Assurance Framework, Software Assurance Framework, Integrity Assurance Framework and New Business Safety Assurance Framework.

Assure assets are able to perform to the required Reliability, Availability, Maintainability and Safety requirements.

Management and Engineering Assurance Tasks: Risk Management, Independent Check, QRA, FMECA, RAM analysis, Interface requirement, Reliability Centered Maintenance, Cost Benefit Analysis, software V-model, technical audit

Operations Assurance Process

Technical Safety Assurance – to assure a safe railway operation

Tasks for assuring safety of O&M activities and modification of assets involving Safety Critical Systems, and tasks for seeking continuous safety improvement:
• Independent Check
• Quantitative Risk Assessment
• Technical Investigation
• Fit-To-Test and Fit-To-Run Certification
• Safety Alert from other Railways
• Incident Review
• Review on International Standard
• Operating Railway Benchmarking

Integrated System Assurance

[Diagram: project stages Concept/Funding → Tender/Design → Const. → T&C → Handover → DLP, with Project Risk Appraisal → Formulation of SA Program Plan → Implementation of SA tasks in SA Program Plan]

• Life cycle SA – from concept stage through to handover and future O&M
• Tailoring SA activities – based on risk of individual project

To assure seamless transition with the introduction of new assets and modifications of existing assets

Software Assurance

To assure critical software changes are properly done for Safety / Service Critical Systems, e.g. Signalling / AFC

Integrity Assurance – to assure assets are fit for the purpose after years of service

• Technical Audits
• System Reliability Monitoring
• Asset Condition Surveys

[Chart: URL – No. of ≥2-min delays per month vs Probability of escalating to ≥5-min delays, plotted for KTL, ISL, TWL and TKL (2011Q2–2012Q1 and 2012Q2), with reference lines at 500:1, 1000:1 and 1500:1 PAR and Better / Worse directions marked.]

Managing Safety Critical Systems and Tasks

Design Control – Safety Critical Systems (SCS), e.g. Train Wheel & Axle, Emergency Brake and Door System, Signalling ATP / interlocking system
• Competent design staff
• Design and functions verified and validated
• Independent design checks
• Technical audit

Maintenance Control – Safety Critical Items (SCI), e.g. Train underframe equipment, door control unit, escalator safety switches, Platform Screen Door detection relays (600 items)
• Maintenance by certified staff
• Safety Independent Check
• Full maintenance records
• Periodic audits
• Incoming goods inspection control

Operational Control – Safety Critical Operations (SCO), e.g. Door Isolation, Train Manual Mode operation, Manual operation of points, operation of tunnel emergency ventilation
• Operations by qualified staff
• Safety Independent Check
• Full log book / records of actions and system affected
• Periodic review / audits

Evolution of Safety Toolkits

Systematic Review of SCI – from PHA, HAZOP, FTA, ETA and QRA to the Train Collision Risk Model (Scenarios) and OSSA (Operations System Safety Assessment).

[Event tree excerpt: a frequency of equipment failure per year (one branch taken from FTA) is multiplied through Y/N branches (A) to (D) to give an event frequency per year for each consequence (e.g. 4.54E-02, 1.34E-02, 1.03E-03, 1.15E-01; consequence classified, e.g. Minimal).]

[System Diagram and Operational Flow Diagram for “Train stalled in a Tunnel” with a saloon fire. Swim lanes: PAX on incident train, Tcap, TC1, TC2, CC, PAX on other trains, Tcap of other trains. Steps: PAX inform Tcap of incident thru PAD / PAX ask for help thru PAD; Tcap observes fire symptoms (CCTV) & assesses situation; Saloon on fire?; inform pax to use fire extinguisher / try to put out the fire; Fire extinguishable?; report incident & summon assistance; make PA to inform & calm down pax; TC acknowledges incident & informs TC; hold other trains at stn in affected sections; all call to other trains/stns; summon FSD & emergency services; declare major incident; decide detrainment option or follow Non-emergency Detrainment Procedure.]
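The slide above shows the arithmetic of the collision risk model only as a residue of numbers. The following is an added worked example (not MTR's model, code or data) of the same technique: an initiating-event frequency is pushed through an event tree of Y/N barrier questions, one barrier's failure probability is taken from a small fault tree ("From FTA"), and each outcome's risk is placed in an ALARP band. The initiating event, barrier names, branch probabilities, consequence figures and tolerability thresholds are all constructed illustrative values and assumptions for this example.

```python
"""Event tree with a fault-tree input, in the style of the Train Collision
Risk Model on the Evolution of Safety Toolkits slide.

Added example, not MTR's model or data: every frequency, probability,
consequence figure and threshold below is a constructed illustrative value.
"""
from dataclasses import dataclass
from math import prod
from typing import Dict, Optional, Tuple


# ---- Fault tree gates (independent basic events) ----------------------
def and_gate(*ps: float) -> float:
    """Gate fails only if every input fails: product of probabilities."""
    return prod(ps)


def or_gate(*ps: float) -> float:
    """Gate fails if any input fails: 1 - P(no input fails)."""
    return 1.0 - prod(1.0 - p for p in ps)


# Constructed fault tree for "emergency brake fails to apply on demand";
# this is the "From FTA" figure that feeds one branch of the event tree.
P_EB_FAIL = or_gate(
    and_gate(1e-2, 1e-2),  # main AND backup brake valve both stuck (assumed)
    2e-3,                  # brake controller software fault (assumed)
    1e-3,                  # loss of pneumatic supply (assumed)
)


# ---- Event tree ---------------------------------------------------------
@dataclass
class Node:
    """A barrier question: `yes` = barrier succeeds, `no` = barrier fails.
    Leaves carry an `outcome` label and have no children."""
    question: str
    p_success: float = 0.0
    yes: Optional["Node"] = None
    no: Optional["Node"] = None
    outcome: Optional[str] = None


def leaf(outcome: str) -> Node:
    return Node(question="", outcome=outcome)


# Initiating event (constructed): ATP wrong side failure leading to overspeed.
INITIATING_FREQ = 0.05  # events per year, assumed

TREE = Node(
    "Train captain notices overspeed and brakes?", 0.9,
    yes=leaf("Minimal"),
    no=Node(
        "Emergency brake applies?", 1.0 - P_EB_FAIL,  # from the fault tree
        yes=leaf("Minimal"),
        no=Node(
            "Section ahead clear of other trains?", 0.7,
            yes=leaf("Overrun, no collision"),
            no=leaf("Train collision"),
        ),
    ),
)

# Equivalent fatalities per occurrence of each outcome (assumed).
CONSEQUENCE = {"Minimal": 0.0, "Overrun, no collision": 0.05, "Train collision": 5.0}

# Tolerability bands on risk (equivalent fatalities per year): assumed
# thresholds in the spirit of the ALARP principle, not MTR's criteria.
INTOLERABLE = 1e-4
BROADLY_ACCEPTABLE = 1e-6


def outcome_frequencies(node: Node, freq: float,
                        acc: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Push `freq` down the tree, multiplying by each branch probability;
    paths that end in the same outcome label are summed."""
    acc = {} if acc is None else acc
    if node.outcome is not None:
        acc[node.outcome] = acc.get(node.outcome, 0.0) + freq
        return acc
    outcome_frequencies(node.yes, freq * node.p_success, acc)
    outcome_frequencies(node.no, freq * (1.0 - node.p_success), acc)
    return acc


def alarp_band(risk: float) -> str:
    if risk >= INTOLERABLE:
        return "intolerable"
    if risk > BROADLY_ACCEPTABLE:
        return "ALARP region"
    return "broadly acceptable"


def risk_profile() -> Tuple[Dict[str, float], Dict[str, str], float]:
    """Returns (outcome frequency per year, ALARP band per outcome,
    total potential loss of life in equivalent fatalities per year)."""
    freqs = outcome_frequencies(TREE, INITIATING_FREQ)
    risks = {o: f * CONSEQUENCE[o] for o, f in freqs.items()}
    bands = {o: alarp_band(r) for o, r in risks.items()}
    return freqs, bands, sum(risks.values())


if __name__ == "__main__":
    freqs, bands, pll = risk_profile()
    for outcome, f in freqs.items():
        print(f"{outcome:<24} {f:.3e} /yr  {bands[outcome]}")
    print(f"PLL = {pll:.3e} equivalent fatalities per year")
```

The outcome frequencies always sum back to the initiating-event frequency, which is a useful sanity check on any hand-built tree; with these assumed numbers the "Train collision" outcome lands in the ALARP region, i.e. the point at which the cost-benefit analysis of further controls (the CBA step in the ASRISK process) is applied.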

Risk Tree and Safety Critical Items / Precursor Trend

[ASRISK Risk Tree: Major Risk Scenarios (High Consequence Risks, High Frequency Risks) → Root Cause. Example for Derailment: root causes Staff Behaviour, Track Failure, Train Failure, Object on / near track, Signalling, Coupler, Brake, Pantograph, Bogie; leaf risk records such as “Derailment due to XX rail (Rx)”, “Derailment due to structural damage of bogie frame (Rx)”, “Derailment due to XX unloading (Rx)” and “Derailment due to damage of coil sxxs (Ry)”, linked to the Coil Spring (Safety Critical Item).]

Operations System Safety Assessment (OSSA)

• A new tool to review adequacy and robustness of key control measures for high consequence scenarios
• Review existing, rejected and potential controls
• Use traffic light to focus on strengths & weaknesses
• Provide an increased level of assurance that risk controls are reducing risk ALARP

[Worked layout for the Platform/Train Interface (PTI) Major Risk Scenario: high consequence scenarios (Trapped and dragged, Hit by train, Fall through platform gap, Train moves with PSD open, Trapped between PSD / train) → “Identify Critical controls” → existing processes in Design, Maintenance and Operations → overview of strengths and weaknesses → the management processes for critical controls.]

Integrating Human Factors with SMS

Inputs: Accident Reports (Staff / Contractor), Incident / Investigation Reports, Hazard & Near Miss Reporting, Behavioural Safety Observation (BAPP), Change Management, Job Hazards, Incident Review / Safety Process

Human Factors Process: Human Factors Wheel (Error Traps Analysis – People, Organisation, Procedure, Equipment/Environment) → Human Factors Issue Register, Human Factor Studies, Human Factors Reports → Recommendations (Design, Ergonomics, Workload, PSF, Root Cause) → Risk Register (ASRISK): Human Performance Issues & Control Measures

Integrating all Risks under Enterprise Risk Management (ERM) Framework

Risk grading and ownership:
• E1 (very high): Board & Executive Committee
• E2 (high): Executive Committee & Divisional Directors
• E3 (medium) and E4 (low): All Department Heads & Managers

Review cycle: The Board (annually); Executive Committee (6 monthly); Enterprise Risk Committee (3 monthly)

Enterprise Risks: Top 30, Top 10 + hot spots, across Business Units (Hong Kong, Mainland China and Overseas)
Divisional Risks: Business Risks, Project Risks, Railway Operations Safety Risks (graded E1, E2, E3, E4)
Risk dimensions: Financial ($), Legal/Regulatory, Political/Reputation, Business Performance, Safety

Railway Operations Safety Risk is an integral part of Enterprise Risk Management

Systematic Review of SCI

Competence Management of Railway System Safety and Reliability Specialist

Enhancing Platform/Train Interface Safety

Reducing Platform Gap: Bridging the Gaps; Standardisation; Trial of different types of gap fillers

Minimising Train/Platform Screen Door Gap and Detecting Trapping: Additional Platform Emergency Plungers; Enhanced monitoring at platform

Building Better and Consistent HMI (Human Factors)

[Figure: numbered cab photographs (1–14)] Different Trains → Different Cab HMI → Standardised HMI (Grouping / Color / Logic)

Operating a Safety Critical Task (Human Factors)

Scenario “FAO?”: the Environmental System Controller and the Traffic Controller carry out Independent Verification before the selected modes are operated – “Passengers will evacuate towards LOF. I will switch on modes KOT 23, LOF 22…” / “Mode Table Checked OK!”

Evolution of support: Prompting by Decision Support System → Computer-aided Decision Support (standalone) → Fully Integrated Decision Support System (press Confirm Button to operate selected modes)

Integrated System Assurance Approach – Integrated & holistic, Systematic

[Figure: the three cycles combined – human factors wheel (People, Organisation, Procedure, Equipment/Environment); Asset Lifecycle (Design → Construction → Commissioning → Handover to Operations); Risk Control (Identify & Evaluate Risks → Register Risk → Propose controls → Implement Controls → Update and review)]

Thank you

Have a safe journey