Systems Engineering and Systems Safety Engineering - A case study · 2019. 12. 10.
Rob Davis & Paul Cheeseman
Technical Programme Delivery
International Engineering Safety Management
Systems Engineering and Systems Safety Engineering - A case study
Contents
• System Safety and Systems Engineering
• Case Study ESM roll out in Railways
• An introduction to iESM Handbook
– Aims
– What is in it?
Synergies & Differences
• Safety is an important emergent property
• Many similarities if done well – Formal process (eg requirements), competent people etc
– A reliable working railway is usually a safe railway
• Some things are different or in conflict? – Failsafe or working?
– Deliver what we have time for or to a standard
– Formal acceptance?
What we have in common
• Getting projects to do anything
• Getting projects to do enough
• Getting projects to do it early enough
• Getting projects to use it to make early decisions
• Getting projects to do it right
• Helping the decision makers understand it
So ……. What can we learn ….
Drivers for Change - 1992
• Restructuring of the UK rail industry
• Accelerated rate of technological change
• Changes in legislation and regulation
• Advances in best practice
– including emergence of CENELEC railway application standards
Requirements in 1992 - UK Law
Health and Safety at Work etc Act 1974
– Management of Health & Safety at Work Regulations 1999
– Construction (Design & Management) Regs 1995
– Railways (Safety Critical Work) Regs 1994
– Railways (Safety Case) Regulations 1994
– Health & Safety Regulations 1992
Transport and Works Act 1992
– Railway and Other Transport Systems (Approval of Works, Plant and Equipment) Regs 1994
Requirements - Good Practice - 1992
• Engineering Council Code of Practice
• Hazards Forum Guidance for Engineers
• IEC 61508
• CENELEC Safety standards for railway applications
• EN 50126, Railway Applications: The Specification and Demonstration of Reliability, Availability, Maintainability and Safety
• prEN 50128, Railway Applications: Software for Railway Control and Protection Systems
• ENV 50129, Railway Applications: Safety Related Electronic Systems for Signalling
Requirements - 1992 - Business Objectives
• Formal process to do things right
• Minimise lifecycle costs
• Identifying issues early
Later requirements:
• Separate fundamentals from guidance
• Encouraging consistency and re-use
• Scaling with problem
ESM - History
• “YB0” – early 1990’s: Network SouthEast Signalling and Telecomms
• YB1 – 1996: UK Railtrack Electrical Engineering and Control Systems (EE&CS)
• YB2 – 1997: UK Railtrack
• YB3 – 2000: UK Rail Industry
• YB4 – 2005: Generic
• iESM – 2013: International Handbook on Engineering Safety Management (International Emerging Good Practice)
So what have we learnt so far?
• A sound theoretical basis is essential
– Something that really works
– Logical underpinning
• A strong commitment is essential
– Senior management
– Contractual
So what have we learnt so far? 2
• Problems blamed unfairly?
– It creates a paperwork mountain
– It will delay the project
– It is a new requirement
– It is not necessary
– It needs to be independent of the project
– It is out of date …..
So what have we learnt so far? 3
• Accessibility is important
– Appearance – It looks important
– Complex and scientific Plain English, but…
– Free Handbooks available on my desk
– Training
• Management & Practitioner & exam
– Correctly pitched principles/fundamentals
• that are so obvious no one can argue against them – even the boss or Project Manager!
So what have we learnt so far? 4
• Steering Group of Practitioners
– Practitioners are better than representatives
– Willingness to contribute
– Informed by experience
– Will to do things right
– Ambassadors to the cause
So what have we learnt so far? 5
• Good Practice vs Standards
• Advisory vs Mandatory
• Help not just requirements
• Informed by real users
• Boldly go where no one has gone before ….
• Then go there again …….
………. And don’t be talked in to withdrawing it!!
International ESM
• So over to Paul to say how we’ve done it this time ……….
iESM - Who is producing it?
• Dr Rob Davis – the originator of the risk-based safety engineering process in rail as part of the BR NSE quality system later published as “Yellow Book”. Established Yellow Book and the YB Steering Group (YBSG) and now chair of iESM WG.
• Paul Cheeseman – part of the BR team and the last chair of YBSG.
• Bruce Elliot – editor of the Yellow Book content throughout 1991 -2007 and iESM 2012-13
© TPD 2013
Guidance Development
• Drafting by TPD as part of its R&D programme incorporating:
– Experience from EN50126/8/9 Standards
– UK Yellow Book
– Experience of system assurance, acceptance & ISA:
• UK
• Mainland Europe
• Asia
• Australia
• Review by iESM Working Group of practitioners
iESM Working Group
• Act as authority for iESM and develop/support the creation of associated supporting materials;
• Facilitate the efficient and effective application of iESM;
• Promote and facilitate the exchange of ideas for good practice that are found in the world railway community and other relevant industries;
• Sponsored by MTR Corporation, Hong Kong.
© TPD 2012
iESM - Structure
• Volume 0
• Layer 1: Principles and Process – Volume 1
• Layer 2: Methods, tools and techniques – Volume 2 (Projects); further volumes to be announced
• Layer 3: Specialized Guidance – Application notes as required
iESM is more than a Handbook
• Resources: www.intesm.org website; iESM Handbook Volumes 0, 1, 2; iESM Application Notes; Register of Practitioners; iESM User Group; iESM Working Group; more ….
• Training: iESM Overview Training [1 day]; iESM ISA Training [1 & 2 day]; iESM for Hazard Management Training [1 day]; iESM Refresher / Conversion [half day]
iESM - What’s in? Emerging good practice
• Common Safety Methods for Risk Assessment have been mandated on parts of the railway by European Directives
• Recent EN50128 with focus on roles and competence
• New CENELEC EN50126 incorporating the former EN50128/9/155
• Guidance from RSSB UK “Taking Safe Decisions”
• Increasing use of “Cross Acceptance” fast track
• Increasing awareness and demand for a risk-based approach internationally especially in emerging economies
CENELEC Changes
EN50126:201x – The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
• Part 1: Generic RAMS process
• Part 2: Systems Approach to Safety
• Part 4: Functional Safety – EEP Electronic Systems
• Part 5: Software
Incorporates the former EN50126, EN50128, EN50129, EN50155 and more
iESM - What’s out?
• Bias towards any one legal system or regulatory framework (e.g. requirement to reduce risk ALARP)
• Known deficiencies and poor practice e.g. using risk matrices as a sole method for risk acceptance
• Templates, checklists, techniques etc to layer 3
• Explicit consideration of maintenance activities – (temporary)
• English spellings!
iESM - Overview #1
• DEFINITION: Planning safety activities; Defining the scope; Determining safety obligations, targets and objectives → to RISK ASSESSMENT
• RISK ANALYSIS: Identifying hazards; Estimating risk by applying standards, by comparing with a reference system, or by estimating risk explicitly → to RISK EVALUATION AND CONTROL
1. Estimating risk by applying standards
• The standard shall at least satisfy the following requirements:
– be widely acknowledged in the railway domain. If not the case, the standard will have to be justified;
– be relevant for control of the considered hazards in the system under assessment;
– be publicly available for all who want to use it.
IEEE1474 – thank you
Standards - example
• Station lighting – dazzle / distraction to drivers
2. Estimating risk by comparing with a reference system
• A Reference System shall at least satisfy the following requirements:
– it has already been proven in-use to have an acceptable safety level and would still qualify for acceptance where change is to be introduced;
– it has similar functions and interfaces as system under assessment;
– it is used under similar operational conditions as system under assessment;
– it is used under similar environmental conditions as system under assessment.
Reference system - example
• Mind the gap
3. Estimating risk by explicit risk estimation
• The need for the use of an explicit risk estimation could typically arise:
– when the system under assessment is entirely new, OR
– where there are deviations from a Standard or a Reference System, OR
– when the chosen design strategy does not allow the usage of a Standard or similar Reference System because e.g. of a wish to produce a more cost effective design that has not been tried before
iESM Overview #2
• RISK CONTROL (from RISK ANALYSIS): Evaluating risk; Is risk acceptable? (Yes / No); Setting safety requirements; Implementing and validating control measures; Preparing a cross acceptance argument; Compiling evidence of safety; Is evidence adequate? (Yes / No); Obtaining approval; Monitoring risk
Conflicting Safety Requirements
iESM & CENELEC
[Diagram: iESM Definition, iESM Risk Analysis, iESM Risk Control and Re-application of iESM, shown against the CENELEC lifecycle]
iESM - Technical Support Processes
• Managing hazards
• Independent assessment
• Configuration management & records
iESM - Team Support Processes
• Managing safety responsibilities
• Promoting a good safety culture
• Building & managing competence
• Working with suppliers
• Communicating and co-ordinating
iESM - Business benefits
• Identifying risks early – Integrate with financial approval
• Encouraging consistency and re-use
• Integrating diverse approaches
• Scaling with the problem – an integrated approach
• Empowering project managers and supporting users through a common approach and common “language”
[Chart: cost ($) against time – cost committed vs cost incurred]
iESM - Summary
• Is advisory, not mandatory;
• Provides good practice guidance and will continue to reflect emerging good practice;
• Is applicable in an international market;
• Supports use of CENELEC standards and Common Safety Methods (CSM) for risk assessment, with practical, cost-effective advice;
• Assists in discharging legal & professional obligations;
• Is guided by an international Working Group of practitioners and supporters.
www.intesm.org
..and finally
“There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction.”
John F. Kennedy
Training Status
• Newly trained 25
• Conversion/Refresher trained 25
• Training bookings 35
• Practical Course – ready for booking
Competence
• Up to date Domain knowledge – empirical & scientific
• Experience of application
• Drive and motivation to achieve the goals and to strive for betterment/excellence
• The ability to perform the requisite tasks efficiently and to minimise wastage of physical and virtual resources
• Ability to adapt to changing circumstances and demands by creating new know-how to get the job done
• Education & Training
• Experience levels
• Improvement
Competence Categories
• iESM Aware
• iESM Certified
• iESM Practitioner
• iESM Expert Practitioner
Competence Management Group
• To develop and oversee the iESM competence management and registration arrangements
Competence Management Group
• On behalf of iESM WG:
– iESM Working Group Chairman
– iESM Working Group Member from a Railway Client organisation
– iESM Working Group Member from a Supplier organisation
– iESM Secretariat
iESM Competence
• Current & Up to date
• Different levels – to allow competence progression
• Register to be available via Website
Future Developments - Guidance
• Hazard checklists
• Document Outlines
• Tools & Techniques
• Maintenance
• ISA
• HF
• Specific, more detailed guidance, eg Hazard Id
Future Developments - Training
• ISA Course
• Specific activity based courses eg Hazard Id & Establishing a Hazard Log
A final thought
Absolute safety is not achievable in the real world and therefore success relies on two fundamentals:
1) good processes, and 2) good people;
such that when there is a problem or failure in one, the railway can be sustained by the other.