Technical Note - TN 037: 2015
© State of NSW through Transport for NSW Page 1 of 1
For queries regarding this document [email protected]
www.asa.transport.nsw.gov.au
Issued date: 24 June 2015
Effective date: 24 June 2015
Subject: Update to TS 20001 System Safety Standard for New or Altered Assets
This technical note is issued by the Asset Standards Authority to notify a change to Section 6.6 of
TS 20001 System Safety Standard for New or Altered Assets, V1.0, concerning accountability for
engaging the independent safety assessor (ISA).
Replace paragraph 3 in Section 6.6 AEO relationships with the following:
For changes assessed as 'safety significant' the responsible Principal Authorised Engineering
Organisation is required to develop the operational safety argument for integration of the change
into the rail network. An independent assessment of the operational safety argument shall be
conducted by a competent independent safety assessor. TfNSW determines whether to appoint
the independent safety assessor itself or to direct the Principal Authorised Engineering
Organisation to appoint the ISA.
Authorisation:
Technical content prepared by: Richard Adams, Manager Safety and Risk Assurance
Checked and approved by: Andy Tankard, Principal Manager Safety Quality Environment and Risk
Interdisciplinary coordination checked by: Andy Tankard, Principal Manager Safety Quality Environment and Risk
Authorised for release: Ken Kwan, A/Principal Manager Network Standards and Services
Superseded by T MU MD 20001 ST v1.0, 20/12/2016
TS 20001: 2013
Management standard
System Safety Standard for New or Altered Assets
Version 1.0
Issued Date: 24 June 2013
Effective Date: 1 July 2013
Important Warning
This document is one of a set of standards developed solely and specifically for use on the rail
network owned or managed by the NSW Government and its agencies. It is not suitable for any
other purpose. You must not use or adapt it or rely upon it in any way unless you are authorised in
writing to do so by a relevant NSW Government agency. If this document forms part of a contract
with, or is a condition of approval by, a NSW Government agency, use of the document is subject to
the terms of the contract or approval. This document may not be current. Current standards are
available for download from the Asset Standards Authority website at www.asa.transport.nsw.gov.au.
© State of NSW through Transport for NSW Page 1 of 30
Standard Approval
Owner: Manager Safety and Risk Assurance
Authorised by: Principal Manager Safety, Risk, Quality and Environment
Approved by: Director ASA
Document Control
Version | Summary of Change
1.0 | First Issue
For queries regarding this document [email protected]
www.asa.transport.nsw.gov.au
Preface
The Asset Standards Authority (ASA) develops, controls, maintains and publishes standards and
documentation for transport assets for New South Wales. The ASA's publications include the
network and asset standards for NSW Rail Assets, the requirements for condition, performance
and maintenance reporting of assets, requirements for network safety assurance and
safety-related processes for human factors integration, as well as configuration control processes.
This System Safety Standard for New or Altered Assets has been developed by the Asset
Standards Authority establishment team and aims to provide requirements for safety
engineering and assurance activities that must be conducted when delivering a new or altered
asset to TfNSW.
This document is a first issue, and is issued by the ASA without cancellation or replacement of
any other Transport for NSW document.
Table of contents
1. Introduction ... 5
2. Purpose ... 5
2.1 Scope ... 5
2.2 Application ... 6
3. Reference documents ... 6
4. Terms and definitions ... 7
5. System safety governance ... 9
6. System safety context ... 9
6.1 Safety impact assessment ... 9
6.2 Consider operational context ... 9
6.3 Acceptance of new or altered assets ... 9
6.4 Safety risk criteria ... 11
6.5 Competence ... 11
6.6 AEO relationships ... 12
7. AEO system safety requirements ... 13
7.1 Change life cycle ... 13
7.2 System safety planning ... 13
7.3 Safety risk management ... 14
7.4 System Hazard analysis ... 15
7.5 Interfaces ... 18
7.6 Human factors integration ... 18
7.7 Operational readiness ... 19
7.8 Management of change ... 20
7.9 Safety functions implemented by software ... 20
7.10 Defects recording and corrective action system ... 21
8. Safety assurance documentation requirements ... 22
8.1 System safety planning ... 22
8.2 Assurance gateways ... 22
8.3 Risk summary report ... 25
8.4 Operational safety argument ... 25
8.5 Independent safety assessment and due diligence ... 27
8.6 Changes to accreditation ... 28
8.7 Configuration management committee acceptance ... 29
1. Introduction
Under the Rail Safety (Adoption of National Law) Act 2012 and the Work Health and Safety Act
2011, Transport for New South Wales (TfNSW) and rail transport operators have duties to
ensure so far as is reasonably practicable (SFAIRP) the safety of the rail network and its
operations.
To achieve these duties the following must be carried out whenever new assets are introduced
to the railway network, or existing assets are modified, upgraded or removed:
• identify, assess and manage the safety risks associated with the new or altered system or
assets when operating as an integrated part of the network, as well as during the
integration of the assets or modification into the network
• make sure the associated safety risks have been reduced to a level that is tolerable and
As Low As Reasonably Practicable (ALARP)
• be able to provide sufficient evidence and argument that the new or altered system or
asset is suitable and sufficient to support safe operations, and that in developing and
integrating the asset into the railway network, safety has been ensured SFAIRP
The accountability for conducting these activities and providing assurance evidence rests with
the Authorised Engineering Organisations (AEOs) delivering the new or altered system or asset.
2. Purpose
This System Safety Standard for New or Altered Assets describes the requirements placed
upon Authorised Engineering Organisations to deliver safe changes to the network. It also
provides the requirements for appropriate supporting assurance that enables Transport for New
South Wales and rail transport operators to meet their duties under legislation.
The requirements are intended to make sure that the operators and TfNSW can meet their
specific duties under the legislation to ensure the safety of the railway SFAIRP by relying on the
assurance and evidence provided by the AEOs and the acceptance by the configuration
management committee (CMC).
2.1 Scope
This standard sets out the requirements for system safety engineering and assurance activities
to be conducted in support of the introduction of new or altered assets on to the rail network.
This includes the following:
• the requirements against which Authorised Engineering Organisations must manage the
integration of safety into new and altered assets and the delivery of safety assurance
supporting these changes to the railway network
• requirements that enable the safety and risk acceptance of new or altered assets into the
rail network by the CMC through the provision of suitable and sufficient safety assurance
and risk assessment
The standard supports the overall TfNSW process for safety acceptance but does not define
that process. The TfNSW safety management system defines the safety acceptance process.
This standard sets requirements for AEOs that ensure they are compliant with the acceptance
process.
The standard is also consistent with the requirements of the TfNSW safety management system
with respect to safety change management and safety risk management.
The requirements in this standard are not criteria that an organisation must meet to be
authorised as an AEO, they are the requirements that should be followed by an AEO once
authorised. There are related criteria for authorisation identified in the document AEO
Authorisation Requirements.
2.2 Application
This standard applies to all changes that affect railway network assets or systems. It applies to
all Authorised Engineering Organisations, their suppliers and other organisations involved in
defining, designing, implementing, commissioning or integrating into the operating network new
or altered assets or systems, or the decommissioning and disposal of assets. It also applies to
changes to assets or provision of new assets by maintenance organisations authorised as an
AEO.
This Standard aligns with the AEO Guide to Engineering Management by following the life cycle
defined and developing details of the requirements for system safety management and
assurance.
3. Reference documents
The following standards and documents are relevant to the content of this standard:
International Standards
EN 50126:1999 Railway Applications – The specification and demonstration of Reliability,
Availability, Maintainability and Safety (RAMS)
EN 50128:2011 Railway Applications – Communication, signalling and processing systems –
Software for railway control and protection systems
EN 50129:2003 Railway Applications – Communication, signalling and processing systems –
Safety related electronic systems for signalling
European Common Safety Method – Commission Regulation (EC) 352/2009, 24 April 2009
IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related
Systems (E/E/PE, or E/E/PES)
Australian Standards
AS 4292.1-2006 – Australian Standard – Railway safety management Part 1: General
requirements
TfNSW Standards
Safety Change Management Standard 20-ST-006
Safety Risk Management Procedure 30-PR-097
Safety Assurance Standard 40-ST-003
Safety Engineering Assurance Procedure 40-PR-004
Human Factors Standard 60-ST-017
ASA Documents
AEO Guide to Engineering Management 2158904
TfNSW Configuration Management Plan 2420365
NSW Legislation
NSW Rail Safety (Adoption of National Law) Regulations
NSW Work Health and Safety Act 2011 No.10
Rail Safety (Adoption of National Law) Act 2012
4. Terms and definitions
The following definitions apply in this document:
AEO Authorised Engineering Organisation
ALARP as low as reasonably practicable
as low as reasonably practicable for a safety risk to be ALARP it shall be possible to
demonstrate that the cost involved in reducing the risk further would be grossly disproportionate
to the benefit gained. In order for a risk to be accepted it shall be demonstrated to have been
reduced to a level justified as ALARP and shall be tolerable. Hence the term 'tolerable and
ALARP' is used throughout this document.
ASA Asset Standards Authority
Authorised Engineering Organisation a supplier of a defined engineering service or product
that has been assessed and granted AEO status by TfNSW
CMC configuration management committee
development and implementation the life cycle phases from feasibility to entry to operation in
the context of the introduction of new or altered assets to the rail network
FMECA failure mode, effect and criticality analysis
HAZOP hazards and operability study
independent safety assessment a series of assessment and audit activities of the safety
management, safety engineering and safety assurance activities, processes and deliverables
conducted by a suitably qualified and experienced team.
ISA independent safety assessor
new or altered assets the changes made to the rail network other than those as a result of
maintenance activities, including decommissioning and removal of assets from the rail network.
Maintenance activities are considered those made by AEOs with authorisation for maintenance
activities and conducted under that authorisation scope.
operational safety argument a structured documented safety argument providing explicit
assurance of the safety of a system within its intended operational environment
operator for the purposes of this document means the rail transport operator or rolling stock
operator
PHA preliminary hazard analysis
PMO project management office
PPD Planning and Programs Division of Transport for New South Wales
project management office the organisation managing procurement of the change
RIM rail infrastructure manager
RSO rolling stock operator
SMS safety management system
SFAIRP so far as is reasonably practicable
so far as is reasonably practicable to achieve the best possible safety outcomes, to the
extent that is 'reasonably practicable', source: National Rail Safety Regulator – Meaning of Duty
to Ensure Safety So Far As is Reasonably Practicable. In this document SFAIRP refers to the
legal duty to manage safety whereas ALARP refers to the management of safety risk to the
lowest reasonably practicable level.
system safety the concurrent application of a systems based approach to safety engineering
and of a risk management strategy covering the identification and analysis of hazards and the
elimination, control or management of those hazards throughout the life cycle of a system or
asset
TfNSW Transport for New South Wales
TPD Transport Projects Division of Transport for New South Wales
validation the process of ensuring that the final product conforms to defined client requirements
verification the process carried out to ensure that the output of a design stage, or stages,
meets the design stage input requirements
5. System safety governance
The TfNSW configuration management committee (CMC) is the safety and risk acceptance
authority for the rail network. The requirements in this document must be followed in order to
gain TfNSW CMC acceptance of a new or altered asset to enable it to enter operation on the
rail network.
Where a number of Authorised Engineering Organisations (AEOs) or organisations are involved
in a change, all are required to comply with this standard under the direction of the nominated
principal AEO that has accountability for delivering appropriate safety assurance with the
change that is integrated into the network.
6. System safety context
6.1 Safety impact assessment
TfNSW's Planning and Programs Division (PPD) will undertake an assessment of the safety
impact of introducing new or altered assets to the rail network prior to awarding contracts to
AEOs or other organisations for development and/or implementation of the proposed change.
The principal AEO will be advised of the assessment outcome. This impact assessment is
required and defined by the TfNSW safety management system document, Safety Change
Management Standard (20-ST-006).
The assessment will consider the complexity, novelty and failure consequences of the change.
There are two potential levels of change: Safety Significant or Minor. Throughout this
standard, requirements are identified as applicable to either or both levels of change.
Typically a safety significant change will include but not be limited to the introduction of new
rolling stock, extensions to the network, changes to the signalling system, and introduction of
systems novel to the NSW rail network.
6.2 Consider operational context
Authorised Engineering Organisations and organisations involved in introducing new or altered
assets to the network must recognise that the asset or system will be part of an operating
system including interfaces to passengers, operating staff, the general public and other workers.
It is therefore essential that the application of this standard includes consideration of the asset
or system in its operating context and not just as a physical system.
6.3 Acceptance of new or altered assets
In order for both TfNSW as a Rail Infrastructure Manager (RIM), and the rail operator, to satisfy
their duties under the Rail Safety (Adoption of National Law) Act 2012 and the Work Health and
Safety Act 2011, they must do everything SFAIRP to ensure the safety of the railway network.
When a change is made to the network through the introduction of new or altered assets,
TfNSW and the operator must jointly assure themselves that the development and
implementation of the change has identified and managed safety risk to tolerable and ALARP.
They must also assure themselves that everything SFAIRP has been done in developing and
integrating the asset into the railway network to ensure the safety of the network for the
operational life of the asset. The TfNSW acceptance process considers the safety assurance
provided in support of the proposed change and, for significant changes, seeks appropriate due
diligence through professional independent safety assessment.
The acceptance body of any proposed change within TfNSW is the CMC. The CMC reviews
and accepts any configuration change to the rail network before the change may affect the
operating railway. In making this acceptance the CMC confirms that all safety risks are reduced
to tolerable and ALARP, and are tolerable for operation within the network. Note that for lower risk
changes the configuration management committee may delegate acceptance to an appropriate
configuration control board (CCB).
6.3.1 Acceptance of safety significant changes
In order to enable the CMC to accept a safety significant change, the principal Authorised
Engineering Organisation shall provide the following to the configuration management
committee for consideration:
• a system safety plan
• an operational safety argument
• an independent safety assessment
A system safety plan details the tasks and activities that support the development of a safe
system, the identification and management of safety risks to SFAIRP, and provides suitable and
sufficient assurance of the safety of the system. This system safety plan is submitted to the
configuration management committee for noting prior to the end of the 'system requirements
and concept phase', and at other revisions of the plan.
The operational safety argument shall include the following:
• demonstration that suitable and sufficient safety management activities have been
conducted to assure the safety of the change
• demonstration that safety has been ensured SFAIRP, including demonstration that the
reliability, availability and maintainability of the new or altered asset has been ensured to
be sufficient
• explicit description and assessment of all residual safety risks that TfNSW or the operator
will be exposed to during the operating life of the asset, including demonstration that all
safety criteria have been met, and that all safety risks are reduced to tolerable and ALARP.
The owner of each risk shall be identified.
An independent safety assessment of the safety management of the change and of the safety
case shall demonstrate support of the validity of the safety argument.
Safety significant changes will generally require an Authorised Engineering Organisation to gain
acceptance at intermediate key gateways of the change. The project governance and
assurance plan to be developed by Transport Projects Division, Planning and Programs
Division or an Authorised Engineering Organisation, if appointed and agreed by the
configuration management committee, alongside the System Requirement Specification, will set
out the acceptance arrangements and the delegated authority for acceptance at each
intermediate project gateway. This should be in accordance with the TfNSW Railway Asset
Configuration Management Plan.
6.3.2 Acceptance of minor changes
In order to enable the CMC to accept a minor change, the principal Authorised Engineering
Organisation shall provide the configuration management committee or delegated configuration
control board with a risk summary report that includes the following:
• a description of the key residual safety risks that TfNSW or the operator will be exposed
to during the operating life of the asset
• evidence of appropriate independent validation during the development and
implementation of the change
6.4 Safety risk criteria
The outcomes of safety risk assessments shall be expressed using the criteria of the owner of
the risk in the rail operational environment.
The owner of the risk will generally be the rail operator, in which case residual safety risks shall
be reported against the operator’s published risk matrix. In some cases the risks will be owned
by TfNSW, in which case the residual risks shall be expressed in terms of the TfNSW risk
matrix.
In order to establish the owner of the safety risk in rail operations, the organisation undertaking
the safety risk assessment shall engage all relevant stakeholders, subject matter experts, and
external expertise.
When using TfNSW’s or an operator’s risk matrix, the organisation conducting the safety risk
assessment shall take account of the means of demonstrating ALARP within the safety
management system associated with the risk matrix.
6.5 Competence
Organisations which develop and implement changes require competent staff to exercise
sound, professional judgements and successfully apply a systems approach to the
management of safety significant change.
Competent safety management staff should meet the following criteria:
• demonstrated experience in the technical, operational or organisational field which the
person is assessing
• demonstrated experience and knowledge of application of the various methods and tools
used in both system safety, and reliability, availability and maintainability management,
including the capability to interpret safety risk assessment results and make appropriate
recommendations for managing and controlling the safety risks. Safety management
tools might include preliminary hazard analysis (PHA), hazard and operability study
(HAZOP), fault and event tree analysis, hazard log management, FMECA and goal
structuring notation.
For human factors resources staff should have demonstrated experience, knowledge and
qualification in human factors integration in high reliability high risk environments, for example in
safety related rail, nuclear or aviation environments.
The competence of the system safety resources used should be demonstrated within the
operational safety argument for safety significant changes.
6.6 AEO relationships
The strategy for developing the network within TfNSW sits with its Planning and Programs
Division. The project management office (PMO) generally coordinates the introduction of new or
altered assets to the rail network. When TfNSW has agreed to make a change to the rail
network, the Transport Projects Division or the PMO will define the requirements, and engage
Authorised Engineering Organisations that are capable and competent to deliver the change.
The Authorised Engineering Organisation structure will vary according to factors such as the
complexity of the change, commercial optimisation, and the relative capabilities of the
Authorised Engineering Organisation. Generally either a single Authorised Engineering
Organisation will be appointed, or a principal Authorised Engineering Organisation which
manages the roles and activities of suppliers and other contributing organisations.
For changes assessed as 'safety significant' the responsible Principal Authorised Engineering
Organisation is required to develop the operational safety argument for integration of the
change into the rail network. The Principal Authorised Engineering Organisation shall appoint a
competent independent safety assessor (ISA) to conduct an independent assessment of the
operational safety argument.
For changes assessed as 'minor' the Principal Authorised Engineering Organisation shall lead
the safety risk assessment and deliver the assessment of residual safety risks to the
configuration management committee when acceptance of the new or altered assets is
required. The Principal Authorised Engineering Organisation shall ensure that appropriate
independent validation of safety related activities is conducted at key points in the development
and implementation life cycle.
7. AEO system safety requirements
7.1 Change life cycle
System safety activities shall be conducted in accordance with an appropriate life cycle. The
key objective of system safety is to ensure the integration of safety in operation into the design,
construction, implementation and commissioning of a change. This can only be achieved if
system safety activities are aligned to the engineering life cycle. The alignment also provides
progressive assurance, so there can be confidence that safety in operation has been integrated
into the system SFAIRP at each stage of the life cycle.
A principal AEO shall plan and implement a program of system safety activities which are
aligned with the engineering life cycle defined in AEO Guide to Engineering Management. The
program shall be proportional to the level of risk, ensure that operational safety is integrated into
the designed and delivered system and provide suitable and sufficient assurance of the
operational safety of the system.
7.2 System safety planning
System safety activities shall be planned so that they support the development of a suitably safe
system and provide the assurance needed to demonstrate the safety of the system. Planning of
safety activities also supports the application of robust safety management processes to the
development and implementation of the new or altered asset.
The planning should define how the hazard identification and management activities support the
development of the system through the identification, implementation, verification and validation
of safety requirements. It shall ensure that the system safety activities are aligned with the 'V'
life cycle so that system safety is properly integrated into the system engineering.
The planning process should also identify how human factors will be addressed by the
engineering of the system, and the human factors activities to be undertaken.
It is essential that the planning process addresses stakeholder consultation and reviews, that is,
how key stakeholders review and accept that the system is suitably safe at key milestones in
the life cycle. The planning process shall also identify the documentation and evidence that will
be prepared to assure the safety of the new or altered asset once operational.
7.3 Safety risk management
The key objectives of system safety are:
to integrate safety into the design and development of new or altered assets such that the
delivered systems are safe SFAIRP
to deliver documented assurance supported by evidence demonstrating the safety of the
delivered system
At the core of meeting both these objectives is safety risk management.
Authorised Engineering Organisations and suppliers shall implement a level of safety risk
management appropriate to the risks associated with the change.
For 'safety significant' changes a full program of safety risk management aligned with the
engineering life cycle shall be undertaken.
For 'minor' changes, safety risks shall be identified and fully managed. The safety risk
management process implemented by AEOs shall address the full intended operational life of
the new or altered asset or system.
The outcome of safety risk management is evidence that all safety risks are managed to
tolerable and ALARP.
Authorised Engineering Organisations shall employ suitable and sufficient hazard identification
and analysis techniques, and demonstrate this in the safety argument, risk summary report, or
other safety assurance documentation. All analysis results shall be documented and referred to
as evidence.
7.3.1 Hazard Identification
All reasonably foreseeable hazards shall be identified for both 'safety significant' and 'minor'
changes.
The principal AEO shall systematically and continually identify all reasonably foreseeable
hazards for the entire system under consideration, including all its functions and interfaces
across its full intended life.
Appropriate structured and systematic methodologies should be used, and shall incorporate
input from subject matter experts.
Hazard identification shall consider the following:
the scope and boundary of the system and its operational interfaces
all system modes of operation including degraded modes
all potential locations where the system will be operated
the potential for human error, including operator, maintainer, passenger or member of the
public
interfaces, both internal and external
the environmental conditions
all foreseeable failure modes for the system at the module, sub-system and system level,
and their impact on safety
previous performance of the asset
other potential factors that are safety relevant to the system under consideration
All identified hazards shall be entered into the hazard log for management and assessment.
7.3.2 Hazard Log
A hazard log is a central repository of identified hazards that facilitates their management. The
hazard log also enables the transfer of safety risk to the operating environment of the new or
altered asset. Once transferred, the risks will be entered into the operational risk register of the
appropriate organisation for ongoing management through the operational life.
The principal Authorised Engineering Organisation shall develop and implement a suitable and
sufficient hazard management system that includes a hazard log.
The details of the hazard management system shall be documented in the system safety plan
for safety significant changes.
The principal Authorised Engineering Organisation shall ensure that all identified hazards are
entered into the hazard log and managed appropriately within the log.
The hazard log shall be the primary artefact for providing traceability within the safety risk
management process and assurance of the effective management of safety risk. It should
include traceability to all supporting evidence including verification and validation evidence
related to each safety requirement.
The hazard log shall be updated and maintained through the entire life cycle to make sure that it
accurately reflects safety risk management activities. The entire life cycle includes design,
development, implementation, commissioning and entry to operation phases.
Where subordinate Authorised Engineering Organisations or suppliers are required to manage
hazards, the principal Authorised Engineering Organisation shall develop a suitable and
sufficient methodology for management of hazards at each level of the system and sub-
systems, so that there is a clear demonstration that all safety risks in the top level hazard log
are managed to tolerable and ALARP.
7.4 System Hazard analysis
7.4.1 Causal analysis
In order to assign and demonstrate appropriate hazard control to tolerable and ALARP levels, it
is necessary to understand all the ways that hazards can be caused.
The potential causes of hazards shall be identified.
A systematic process of identifying the causes shall be undertaken.
Identified causes shall be entered into the hazard log and linked to the hazard.
7.4.2 Safety risk assessment
The Authorised Engineering Organisation shall conduct an assessment of the safety risk for
each identified hazard against the appropriate risk criteria. This shall include assessing the
severity of the consequences if the risk occurs, and the likelihood of that consequence
occurring.
When assessing the consequences, the worst-case credible consequence shall be used for the
risk assessment.
Related topic:
Safety risk criteria, section 6.4
The Authorised Engineering Organisation shall consider appropriate safety controls for each
safety risk so that the safety risk is reduced to tolerable and ALARP.
When evaluating the suitability of controls, the hierarchy of controls shall be applied so that
safety risk or hazards are eliminated by design where this is reasonably practicable.
Where a hazard cannot be eliminated it shall be controlled to tolerable and ALARP, with
engineered controls preferred to administrative controls.
Where administrative controls are relied upon, this shall be done in conjunction with the
operator, to establish the feasibility and reasonable practicability of the control, and to make
sure that there is not an over-reliance on administrative means for reducing the risk.
The principal AEO shall set up governance arrangements for the review and closure of
identified safety risks and hazards. These arrangements should involve appropriate
stakeholders and subject matter experts in the review and closure of hazards.
The setting of the governance arrangements shall be cognisant of where the ownership of the
safety risk will reside in operation, and the acceptability of the residual risk to that ultimate
owner.
For 'safety significant' changes the operational safety argument shall demonstrate the
effectiveness of the hazard and safety risk management process.
7.4.3 Safety requirements and evidence
Safety requirements arise from a number of sources including legislation, requirements placed
on an Authorised Engineering Organisation, and the hazard identification and analysis process.
The principal AEO shall have a process for identifying and managing safety requirements
throughout the asset life cycle, including the safety requirements that shall be derived from the
hazard analysis.
Deriving safety requirements from the hazard analysis and incorporating them into the system
design is a key link between safety and engineering processes. The safety and hazard analysis
work shall be programmed in alignment with the engineering activities to ensure that resulting
safety requirements are integrated into the design enabling a design solution to be reached that
is safe SFAIRP.
Through the hazard analysis or apportionment of risk criteria, an integrity target shall be
assigned to each safety requirement.
The system for identifying and managing safety requirements through the asset life cycle shall
be capable of maintaining records to show traceability between each safety requirement and its
source. The risk controls arising from the safety risk management process should be treated as
safety requirements.
The Authorised Engineering Organisation shall provide complete and objective evidence that
each safety requirement and its integrity target has been met, either in the operational safety
argument for 'safety significant' changes, or the risk summary report for 'minor' changes.
The quantity and quality of the evidence that each safety requirement has been met shall be
commensurate with the degree of safety risk reduction resulting from the safety requirement.
For controls that provide significant risk reduction, or a control that is the single or principal
control against a high consequence hazard, diverse evidence of meeting the safety requirement
shall be provided, so that the safety argument is not compromised by uncertainty or errors in
individual pieces of evidence. It is preferable not to rely on single-point controls.
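The traceability that sections 7.3.2 to 7.4.3 require of a hazard log (causes linked to each hazard, risk controls treated as safety requirements with an integrity target, evidence per requirement, diverse evidence for a single control against a high consequence hazard, and a named operational risk owner) can be checked mechanically. The following is an added example, not part of TS 20001 or any AEO's tooling: the field names, the severity scale and the 'high consequence' threshold are assumptions standing in for a project's own risk criteria (section 6.4).

```python
"""Consistency checks over a hazard log (added example, not part of TS 20001).

The severity scale and HIGH_CONSEQUENCE threshold below are placeholders for
the project's risk criteria (section 6.4); the data model is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Hierarchy of controls, most preferred first (7.4.2): eliminate by design,
# then engineered controls, administrative controls last.
CONTROL_HIERARCHY = ("elimination", "engineered", "administrative")

# Assumed severity levels that count as 'high consequence' for the diverse
# evidence rule in 7.4.3.  Replace with the project's risk criteria.
HIGH_CONSEQUENCE = {"catastrophic", "major"}


@dataclass
class Evidence:
    ref: str    # document or test report reference
    kind: str   # e.g. "test", "analysis", "inspection", "service-history"


@dataclass
class SafetyRequirement:
    """A risk control treated as a safety requirement (7.4.3)."""
    req_id: str
    control_type: str                        # one of CONTROL_HIERARCHY
    integrity_target: Optional[str] = None   # e.g. "SIL 3", assigned per 7.4.3
    evidence: List[Evidence] = field(default_factory=list)
    agreed_with_operator: bool = False       # needed for administrative controls (7.4.2)


@dataclass
class Hazard:
    hazard_id: str
    description: str
    causes: List[str]                  # from causal analysis (7.4.1)
    worst_case_severity: str           # worst-case credible consequence (7.4.2)
    controls: List[SafetyRequirement]
    residual_tolerable: bool           # result of assessment against risk criteria
    alarp_justification: Optional[str] = None
    operational_risk_owner: Optional[str] = None   # transfer target, 7.3.2


def check_hazard(h: Hazard) -> List[str]:
    """Return the traceability gaps for one hazard log entry; empty means complete."""
    gaps: List[str] = []
    if not h.causes:
        gaps.append(f"{h.hazard_id}: no causes linked to the hazard (7.4.1)")
    if not h.controls:
        gaps.append(f"{h.hazard_id}: no safety requirements controlling the hazard (7.4.2)")
    for c in h.controls:
        tag = f"{h.hazard_id}/{c.req_id}"
        if c.integrity_target is None:
            gaps.append(f"{tag}: no integrity target assigned (7.4.3)")
        if c.control_type not in CONTROL_HIERARCHY:
            gaps.append(f"{tag}: unknown control type {c.control_type!r}")
        if c.control_type == "administrative" and not c.agreed_with_operator:
            gaps.append(f"{tag}: administrative control not agreed with the operator (7.4.2)")
        if not c.evidence:
            gaps.append(f"{tag}: no evidence that the requirement has been met (7.4.3)")
    # A single control against a high consequence hazard needs evidence of more
    # than one kind, so one flawed report cannot silently undermine the argument.
    if h.worst_case_severity in HIGH_CONSEQUENCE and len(h.controls) == 1:
        kinds = {e.kind for e in h.controls[0].evidence}
        if len(kinds) < 2:
            gaps.append(f"{h.hazard_id}: single control against a high consequence "
                        "hazard lacks diverse evidence (7.4.3)")
    if not h.residual_tolerable or not h.alarp_justification:
        gaps.append(f"{h.hazard_id}: residual risk not shown to be tolerable and ALARP")
    if not h.operational_risk_owner:
        gaps.append(f"{h.hazard_id}: no operational risk owner for transfer to the "
                    "operational risk register (7.3.2)")
    return gaps


def strongest_control(h: Hazard) -> Optional[str]:
    """Highest level of the hierarchy of controls applied to the hazard (7.4.2)."""
    ranks = [CONTROL_HIERARCHY.index(c.control_type)
             for c in h.controls if c.control_type in CONTROL_HIERARCHY]
    return CONTROL_HIERARCHY[min(ranks)] if ranks else None


def gateway_gaps(hazard_log: List[Hazard]) -> List[str]:
    """All gaps in the log; progress through a gateway needs this to be empty (8.2)."""
    return [g for h in hazard_log for g in check_hazard(h)]


# Constructed sample hazard log; not real project data.
SAMPLE_LOG = [
    Hazard("H-001", "Train departs with a door open", ["door interlock circuit fails"],
           "catastrophic",
           [SafetyRequirement("SR-001", "engineered", "SIL 3",
                              [Evidence("TR-12", "test"), Evidence("FTA-03", "analysis")])],
           residual_tolerable=True, alarp_justification="ALARP-001",
           operational_risk_owner="Operator"),
    Hazard("H-002", "Maintainer contact with live equipment", [],
           "major",
           [SafetyRequirement("SR-002", "administrative", None,
                              [Evidence("PROC-7", "inspection")])],
           residual_tolerable=True),
]

if __name__ == "__main__":
    for gap in gateway_gaps(SAMPLE_LOG):
        print(gap)
```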
7.4.4 Safety risks in commissioning
Where system testing is to be conducted on the operational railway, it is necessary to assure
the safety of the network during testing. The Authorised Engineering Organisation responsible
for testing and commissioning shall conduct hazard identification and safety risk assessment for
all commissioning activities that may affect the integrity or operation of the rail network.
The hazards identified as possibly affecting the integrity or operation of the rail network during
testing and commissioning shall be documented and managed within a hazard log, and shown
to be managed to tolerable and ALARP.
Prior to commencing testing activities, acceptance of the test program shall be obtained from
the configuration management committee.
In order to facilitate acceptance of the test program by the CMC or delegated configuration
control board, the Authorised Engineering Organisation responsible for commissioning shall
present a commissioning safety report to the CMC. The report shall provide evidence that all
safety risks associated with commissioning have been identified and managed to tolerable and
ALARP.
Before presenting a commissioning safety report to the CMC or CCB, the principal Authorised
Engineering Organisation shall have gained input from stakeholders, and demonstrated that key
stakeholders and risk owners support the testing activities based on the assurance provided.
7.4.5 De-commissioning
Any de-commissioning activity shall be treated as a change to the network, and system safety
applied in the same way as a new or altered asset.
7.5 Interfaces
Poorly managed interfaces are a common source of safety risk. The principal AEO shall
demonstrate its approach for managing interfaces and document it in the system safety plan for
'safety significant' changes.
An Authorised Engineering Organisation's approach for managing interfaces shall include
external and internal system interfaces and include identification and management of safety
risks associated with integration of sub-systems into the overall system.
The principal Authorised Engineering Organisation shall ensure that all safety risks at interfaces
are identified and managed appropriately.
The principal Authorised Engineering Organisation shall demonstrate that safety at the interface
is ensured SFAIRP and that safety risks associated with interfaces are identified and managed
to tolerable and ALARP.
Authorised Engineering Organisations shall demonstrate that all possible activities and actions
to ensure the safety of interfaces have been undertaken SFAIRP.
Safety requirements associated with the interfaces shall be identified, documented and
implemented. The network architecture provides details of interfaces within the network and,
where available, should be used as a source of information when managing the safety of
interfaces.
Authorised Engineering Organisations shall demonstrate that the safety of interfaces has been
managed right through to entry to operation, as well as in the operational controls and
maintenance requirements for the operational life of the asset or system.
There shall be appropriate evidence of a 'handshake' across each interface.
Where subordinate Authorised Engineering Organisations or suppliers require information to
meet a particular safety requirement, the principal Authorised Engineering Organisation shall
identify and provide the necessary information to allow interfaces between sub-systems or
elements of the system to be safely implemented and demonstrated to be safe.
7.6 Human factors integration
Human factors shall be integrated into the design and development process of new or altered
assets in order to minimise safety risk from the possibility of human error by:
ensuring human characteristics are accounted for in the design or re-design of new and
existing systems and equipment
identifying the issues which may cause or contribute to human errors
conducting activities and applying controls to reduce likelihood and consequences
The integration of human factors offers additional benefits such as saving time and money. By
considering human factors in system design before development, construction, maintenance or
disposal, the need to redesign at a later stage is reduced, and reliability is improved by designing
systems to be error tolerant, and easy to use and maintain.
For all changes, the principal AEO shall implement human factors integration by performing the
following:
establish a human factors issues register or ensure the issues are tracked in another
appropriate register
conduct a preliminary human factors analysis to identify issues
document the identified human factors issues in the appropriate register
update and manage the appropriate register throughout the project
7.7 Operational readiness
A key element of assuring the operational safety of a new or altered asset is the demonstration
that the operator is ready to operate the asset within the operational environment.
The principal AEO is accountable for assuring operational readiness. The operator and
maintainer will conduct operational readiness activities to ready their network for the new or
altered asset. They will ensure adequate resources, training and procedures are in place for
safe operation.
The principal AEO shall work closely with the operator and maintainer to make sure that the
operator and maintainer fully understand what is required for the new or altered asset or system
to be operated. The AEO also needs to understand the requirements of the operator and
maintainer in terms of information and evidence to support their operational readiness activities.
The AEO shall engage with all relevant stakeholders to gain assurance that the operator and
maintainer are operationally ready for the new or altered system to enter operations within the
network.
The AEO shall provide evidence of this operational readiness, either in the operational safety
argument for 'safety significant' changes, or in the risk summary report for 'minor' changes.
7.8 Management of change
Within any project there will be changes from time to time that can potentially impact safety. It is
important that such changes are managed appropriately and that their impact on safety is
understood. Such changes may occur once the design is predominantly complete and
implementation is in progress. It may be necessary to change the design to address specific
implementation issues. It is important to control change so that the assurance of the designed
system remains valid.
The principal Authorised Engineering Organisation shall establish and maintain a change
control system so that the impact of any planned or unplanned change is identified and
assessed for its impact on safety.
Where the impact assessment finds it necessary, remedial action shall be taken to ensure the
safety of the system.
7.9 Safety functions implemented by software
Software is used in many rail systems to implement safety functional requirements. Where an
Authorised Engineering Organisation is designing or supplying a system that may involve
software implementing safety related functions, these functions need to be appropriately
managed and assured.
In order to manage and assure the safety of systems that involve software, the Principal
Authorised Engineering Organisation shall allocate a safety integrity level (SIL) to each safety-
related function.
During the verification and validation stages, the Authorised Engineering Organisation shall
demonstrate that the SIL for each safety-related function has been achieved by suitable means.
The Asset Standards Authority recommends that Authorised Engineering Organisations adopt
the approach defined in EN 50128:2011 Railway applications – Communication, signalling and
processing systems – Software for railway control and protection systems.
7.9.1 Safety integrity levels
Safety integrity levels (0 to 4) to be used are defined in EN 50128:2011 Railway applications –
Communication, signalling and processing systems – Software for railway control and protection
systems, and EN 50129:2003 Railway applications (Australian Standard) – Communication,
signalling and processing systems – Safety related electronic systems for signalling.
7.9.2 Safety integrity level allocation
Initial safety integrity level (SIL) allocation shall be made during the system requirements and
concept phase of a project to understand the SILs that key systems may need to achieve. This
supports the planning of engineering and safety assurance activities.
A SIL allocation shall occur early in the preliminary design phase. As the detailed requirements
are derived, SIL targets should be assigned to each safety function. A preliminary hazard
analysis (PHA) or similar hazard identification and risk analysis is required as a precursor to the
SIL allocation process.
7.9.3 Assurance of safety integrity level compliance
Throughout the critical design phase, and during the inspection and test, and commissioning
phases, the software development process shall be validated as complying with the required
target SIL.
Appropriate assurance shall be provided to support the validation of safety integrity level
compliance.
For safety functions with SIL ratings of SIL 1 to SIL 4, the collation of evidence used to assure
compliance with the SIL shall be started as early as possible in the project life cycle.
The organisation responsible for the software development, or having the software developed
for integration into the overall system, shall provide the assurance of safety integrity level.
Where a commercial off the shelf system implements safety functions in software, a suitable
and sufficient argument shall be developed to provide assurance that these functions are
implemented to the necessary level of integrity.
The principal Authorised Engineering Organisation shall ensure that suitable due diligence of
the assurance of functions implemented by commercial software is undertaken to support the
operational safety argument to be presented to the configuration management committee for
acceptance.
7.10 Defects recording and corrective action system
The principal Authorised Engineering Organisation shall operate a process for identifying
defects or failures including human errors, and assessing the impact on safety.
Where the impact assessment finds it necessary, remedial action shall be taken to ensure the
safety of the system.
8. Safety assurance documentation requirements
8.1 System safety planning
8.1.1 Planning for safety significant changes
For 'safety significant' changes, the principal Authorised Engineering Organisation responsible
for that change shall prepare a system safety plan prior to commencing any design activities
related to the new or altered asset. The plan should be regularly reviewed to ensure it is current
and accurate. It is recommended that the plan is formally reviewed at least every six months.
For long life cycle changes, it is recommended that the plan is updated at each life cycle
gateway, to detail the system safety activities for the forthcoming phases.
The system safety plan shall fulfil the following requirements:
set out the safety management arrangements for the design, development,
implementation and commissioning of the new or altered asset or system
describe the system safety activities to be undertaken and schedule these so that the
outcomes of the safety activities are incorporated into the design
describe the documentation and evidence to be produced, and the timing in the life cycle
for delivery of that evidence
be auditable so that an independent safety assessor can readily assess and assure that
the planned activities are conducted
The system safety plan shall be submitted to the configuration management committee for
noting prior to design activities commencing.
8.1.2 Planning for minor changes
For 'minor' changes, the principal Authorised Engineering Organisation shall include in its
engineering management plan, the safety risk management activities that will be conducted and
the safety management arrangements for the introduction of the new or altered assets into the
rail network.
8.2 Assurance gateways
The Asset Standards Authority management standard AEO Authorisation Requirements states
the following mandatory requirement:
"The AEO shall demonstrate engineering assurance progressively
based on stage gateway reviews"
As safety assurance is integrated with engineering assurance, this AEO requirement means
that AEOs shall continually demonstrate safety assurance for each staged gateway review.
The AEO Guide to Engineering Management describes the TfNSW system life cycle model and
sets out the life cycle baseline gateways.
Figure 1 shows the safety acceptance requirements within the configuration management
committee process. It identifies the submissions to be made at each project gateway.
The acceptance authority at each delegated governance gateway is as defined in the
Assurance and Governance Plan prepared by Transport Projects Division or the PMO, and
agreed by the configuration management committee alongside the System Requirement
Specification.
The principal Authorised Engineering Organisation is accountable for providing suitable and
sufficient assurance at each gateway. It is also accountable for ensuring that all relevant
stakeholders acknowledge the presented assurance as being 'suitable and sufficient' to provide
the necessary level of confidence that the final new or altered asset will be safe to be accepted
into operation in the network.
At each gateway, agreement shall be reached with all stakeholders that, for that point in the
system development, all reasonably practicable activities and actions have been conducted to
ensure safety.
All associated safety risks shall have been identified and managed so there is a high degree of
confidence that the final residual risk can be demonstrated to have been reduced to tolerable
and ALARP.
The principal Authorised Engineering Organisation shall not allow progress through a gateway
unless sufficient evidence exists and is presented to support this position, and unless the
delegated acceptance authority accepts the presented assurance.
For 'safety significant' changes, an independent safety assessor shall provide a summary report
at the preliminary design review, a design independent safety assurance report at the critical
design review, and a final safety assessment report at final acceptance. Each report should
support the claim that all necessary assurance activities are complete or in progress, and that
there is a high degree of confidence that the new or altered asset will be able to be
demonstrated to be sufficiently safe.
Any issues or concerns regarding the confidence that the new or altered asset will be able to be
demonstrated to be sufficiently safe shall be identified in the relevant independent safety
assessment report.
[Figure 1 – Configuration management committee acceptance process. The figure maps the life
cycle phases (Preliminary Design; Critical Design; Fabrication / Manufacture; Construction /
Installation; Project Execution / Development; Project Execution / Production; Inspection and
Test; Commissioning) against the CMC control gates and the delegated governance gateways, at
which the delegated body accepts based on the Assurance and Governance Plan. The
submissions shown, for safety significant changes and minor changes, include: Delivery of
Reference Design; Evidence Reference Design is SFAIRP; Independent Safety Assessor
Summary Report (for safety significant changes); Delivery of Critical Design; Structured Design
Safety Argument; Evidence Critical Design is SFAIRP; Evidence of Independent Verification and
Findings; Independent Safety Assessor Design Report; Evidence Testing / Commissioning is
appropriate to demonstrate safety of asset; Evidence Testing / Commissioning Risks SFAIRP
(limited to risks to rail network); Structured Safety Argument; Risk Summary Report;
Independent Safety Assessor Report; and assurance evidence against the Assurance and
Governance Plan at each gateway. Each item is marked as delivered by the ISA or by the
principal AEO. The CMC accepts the specified system as appropriate and SFAIRP as the
baseline for later acceptance, delegates gateway governance based on the Assurance and
Governance Plan, may request audit or project specific surveillance activities by ASA, and finally
accepts the asset into operation, including accepting safety risk on behalf of the transport
cluster, and agrees delegation of maintenance to the Sydney Trains CCB. TPD / PMO monitors
the AEO's performance, deliverables and assurance.]
8.2.1 Critical Design Gateway
The end of the critical design phase is a key assurance gateway. At this point the design is
complete, so it can be demonstrated that all identified safety risks that could not be eliminated
by design have controls identified that manage the safety risk to tolerable and ALARP levels,
and that each of the engineered controls has been incorporated in the design. Where
administrative controls are used to achieve ALARP, the controls shall have been agreed with
the operator and maintainer by this stage.
As entry to operation approaches, the principal Authorised Engineering Organisation shall
engage with the operator and maintainer to ensure operational readiness.
Related topic:
Operational readiness, section 7.7
For 'safety significant' changes a design safety assurance report (SAR) shall be prepared and
accepted by the CMC or delegated configuration control board before this gateway can be
passed. The design safety assurance report should be supported at the CMC or CCB by an
independent safety assessor (ISA).
The content of the design safety assurance report shall be as for the operational safety
argument but adapted to this stage of the life cycle.
Related topic:
Operational safety argument, section 8.4
8.3 Risk summary report
For 'minor' changes the principal Authorised Engineering Organisation shall prepare a risk
summary report to support submission to the configuration management committee for
acceptance of the new or altered asset into service.
The risk summary report is a brief document and shall include the following:
justification that all reasonably foreseeable safety risks in the operational environment
have been identified and managed
a statement justifying that all risks identified have been managed to tolerable and ALARP
explicit descriptions of all residual safety risks for operation and maintenance, identifying
ownership of those residual risks
8.4 Operational safety argument
For 'safety significant' changes, the principal Authorised Engineering Organisation shall deliver
an operational safety argument, which demonstrates the safety of the delivered system in
operation within the rail network.
The operational safety argument shall:
• be a structured argument based on a suitable technique for structuring safety arguments, for example goal structuring notation (GSN)
• clearly define the scope of operations for which safety is demonstrated, and clearly define the operational limitations of the delivered system
• demonstrate that sound safety management and quality management principles have been applied throughout the design, development, implementation and commissioning of the new or altered asset
• demonstrate that all reasonably foreseeable safety risks in operation have been identified and managed to a tolerable level and ALARP, including evidence that the hierarchy of controls has been applied
• explicitly describe all residual safety risks for operation, and identify ownership of those residual risks
• demonstrate that interfaces between all sub-systems have been appropriately managed, and that safety risks at the interfaces have been identified and appropriately managed
• demonstrate that human factors have been considered in the design and development of the system, so that the potential for human error has been minimised SFAIRP, and that the new or altered asset is suitably operable and maintainable
• demonstrate that safety risks associated with integration into the operating rail network, maintenance and disposal have been identified and appropriately managed
• demonstrate that appropriate stakeholder management and input has been conducted, to give confidence that all stakeholders' requirements will be met
• demonstrate that sufficient liaison with the operator has been conducted, so that the operator is operationally ready to enter the system into operation
• demonstrate, with supporting evidence, that appropriate safety requirements have been defined in order to adequately control the identified safety risks
• demonstrate that all safety requirements have been verified and validated, with reference to supporting evidence
• demonstrate that a corrective action process has been applied throughout the design, implementation and commissioning life cycle
8.5 Independent safety assessment and due diligence
It is the role of Authorised Engineering Organisations to provide suitable and sufficient
assurance that the new or altered assets being developed for the rail network will be
sufficiently safe in operation. In line with good practice, any assurance should be subject to
professional critical review to confirm its validity. Similarly, the safety management activities and
processes applied to a change to the rail network shall be subject to safety assessment.
The acceptance of assets into operation by the configuration management committee requires
the assurance to be validated by such a professional critical review.
8.5.1 Safety significant changes
For 'safety significant' changes, the requirement for a professional critical review is met by the
appointment of an ISA. It is the principal Authorised Engineering Organisation's responsibility to
appoint the assessor and to assure the competence and independence of the assessor.
It is essential that the independent safety assessment process is a through-life-cycle approach
which monitors safety management, safety engineering and safety assurance, and intervenes
as soon as issues are identified. It is not acceptable to limit the independent safety assessment
to an assessment of safety documents, nor to delay reviews until so close to hold points that
financial or timescale pressures can compromise the review.
The ISA shall provide an assessment plan and deliver an assessment report on each occasion
that a submission is made to the configuration management committee for acceptance. The ISA
shall provide a summary report at preliminary design review, a design independent safety
assurance report at critical design review, and a final safety assessment report at final
acceptance. Each report should support the claim that necessary assurance activities are
complete or in progress and that there is a high degree of confidence that the new or altered
asset will be able to be demonstrated to be sufficiently safe.
For particularly high risk or safety significant changes, the Asset Standards Authority may
decide to conduct additional targeted surveillance activities of the Authorised Engineering
Organisation's and assessor's activities. Where this is the case the Authorised Engineering
Organisation and assessor shall co-operate fully with the Asset Standards Authority.
8.5.2 Minor safety changes
The requirement for validation of the assurance for 'minor' changes shall be met by the principal
Authorised Engineering Organisation, incorporating independent validation into the safety
management of the change. This may be an internal function, provided requirements for
independence are met.
Related topic:
Independence of assessment, section 8.5.3
The independent validation function shall be applied to the safety management arrangements,
the derivation, verification and validation of safety requirements, and the safety risk
management process and documentation.
8.5.3 Independence of assessment
The Authorised Engineering Organisation is accountable for ensuring that the safety
assessment undertaken is independent. To be regarded as independent, the assessment body
may not become involved as direct or indirect representatives in the design, manufacture,
construction, marketing, operation or maintenance of the system under consideration.
The assessment body shall carry out the assessment with the greatest possible professional
integrity.
The assessment body must be free of any pressure or incentive which could affect its
judgement or the results of its assessments, in particular from persons or groups of persons
affected by the assessments.
The assessment function can be internal or external, provided that all the conditions for
independence can be demonstrated. For an internal assessment function, it would be expected
that the function is managerially separate from the delivery and assurance function up to
executive level in the organisation.
8.6 Changes to accreditation
Under the Rail Safety (Adoption of National Law) Act 2012, an accredited Rail Transport
Operator must request a variation to its accreditation if it "proposes to vary the scope and nature
of the railway operations in respect of which the applicant is accredited". Consequently the
introduction of some new or altered assets to the network will also require a change to the
operator's accreditation. In NSW this may require a change to one or more of the following
accreditations:
• NSW Trains
• Sydney Trains
• TfNSW
TfNSW will advise the principal Authorised Engineering Organisation if a change to one or more
of the above accreditations is required for the change to be implemented. Where a change to an
accreditation is required, the principal Authorised Engineering Organisation is accountable for
delivering suitable and sufficient safety assurance to obtain the accreditation change from the
Office of the National Rail Safety Regulator (ONRSR). The principal Authorised Engineering
Organisation is also accountable for working with each accredited organisation to ensure that
the impact on each accreditation is appropriately co-ordinated.
8.7 Configuration management committee acceptance
The TfNSW configuration management committee (CMC) is the asset acceptance authority for
TfNSW. In accepting assets, the CMC is accountable for the acceptance of residual safety risk
on to the rail network.
The CMC oversees all safety acceptance of new or altered assets, but may delegate the safety
acceptance role to an appropriate configuration control board (CCB) at all or some project
gateways. This delegation will be dependent upon the risk associated with the change. The
CMC will accept the System Requirements Specification for a change as a baseline for later
acceptance of designs and entry to operation of the asset. At the stage of acceptance of the
System Requirements Specification the PMO will also present to the CMC the following:
• a safety impact assessment of the change, based upon complexity, novelty and failure consequence, that determines whether the change is 'safety significant' or 'minor'
• an assurance and governance plan that sets out the project governance arrangements and outline assurance arrangements, including the proposed delegated acceptance authorities at each project gateway
• assurance that the system specified in the System Requirements Specification is the optimal specification with respect to risk of all types, and therefore that it is the option that will ensure safety SFAIRP
The configuration management committee, when accepting the System Requirements
Specification, will delegate specific CCBs as acceptance authorities at each project gateway or
will retain the acceptance role at all or some project gateways.
All changes to the configuration of the rail network, whether minor or significant, shall be
accepted by the CMC or a delegated CCB prior to entering operations. This acceptance may be
conditional upon the closure of outstanding issues and the completion of any defects liability
period. The principal Authorised Engineering Organisation is accountable for presenting the
new or altered asset to the CMC or a delegated CCB with all supporting assurance and
evidence of stakeholder 'buy-in' to the asset.
The structured safety argument or risk summary report should be presented to the CMC for
acceptance well in advance of the asset entering operation (around two months prior is
recommended). The assurance document shall clearly identify outstanding issues and describe
how they will be managed to closure prior to entry into operation or during the early operational
life. The CMC may then accept the asset conditional upon the close out of the issues. Closure
may be considered at subsequent CMC meetings. This approach avoids safety assurance
documentation and issues delaying introduction of assets into service and allows time for
barriers to entering service to be resolved in a timely manner.
Where testing will be conducted on the operational rail network, acceptance of the testing safety
report by the CMC is required before testing may commence.
For 'safety significant' changes the following acceptances shall be obtained from the CMC:
• acceptance of the design safety assurance report before implementation may commence
• acceptance of the operational safety argument before the new or altered asset may enter operation, or before it may be integrated into the network if it may impact the integrity of the existing network
For 'minor' changes the following acceptance shall be obtained from the CMC:
• acceptance of the safety risk summary report before the new or altered asset may enter operation, or before it may be integrated into the network if it may impact the integrity of the existing network
Whilst the configuration management committee has the authority to reject a proposed change,
the intent is that by the time a change is presented to the committee, all appropriate assurance
and supporting evidence is in place and all key stakeholders have accepted and agreed that the
asset may enter service or pass through the gateway. When presenting an asset and its
supporting assurance and evidence to the configuration management committee, the principal
Authorised Engineering Organisation is accountable for having all agreements and acceptances
with key stakeholders and the operator and maintainer in place, and for evidencing these
acceptances and agreements to the configuration management committee.