Appendix 1

Appendix 1 – Safety case, safety system and risk management

A.   Safety case guidelines: Railways Act 2005 (Railways Act)

1.   Introduction

The following guidelines are to assist rail participants in the preparation and management of safety cases and safety systems and to clarify the requirements of the Railways Act.

2.   Requirements of the Railways Act

Part 2 Safety, subpart 1 covers the duties of rail participants and other persons.

Section 7(1) requires that a rail participant must take all practicable steps on its part to ensure that none of the rail activities for which it is responsible causes, or is likely to cause, the death of, or serious injury to, individuals.

Section 10 requires that rail operators and access providers must hold licences.

Section 15(3) allows some discretion for this in that the Director may, on the conditions that the Director considers appropriate, exempt a person from holding a licence if all the rail activities of that person are covered under:

1. The licence of another licence holder.
2. The approved safety case of that other licence holder.

In this respect all licence holders will be required to have a safety system, with an overarching safety case approved by the Director, which will cover all of the rail activities of all rail participants for whom they are responsible. This also includes safety system coverage of all the interface or inter-operability issues that the licence holder has with other licence holders.

Section 21(2)(a) requires that the licence holder has a safety liaison officer who is authorised to act as the licence holder's primary contact with Land Transport NZ in relation to the licence. Section 21(5)(b) requires that the safety liaison officer's contact details must be provided.

Part 2 Safety, subpart 3 of the Railways Act covers safety cases, safety systems, and improvement plans.

Section 29(1) requires that a proposed safety case must accompany an application by a rail participant for a licence.

This approach differs from the previous regime in which a licence was granted on the basis of a rail participant's entire safety system.

Section 29(2)(b) requires that the safety case is derived from, and is consistent with, the rail participant's safety system.

Section 30 describes what a safety case must contain.

3.   General comment on safety case

A safety case is the means of demonstrating that an activity or operation will be safe and without undue risks to people or property and that the rail participant has taken all practicable steps to ensure this. The safety case will describe the operations and will include a summary that contains the core of safety arguments with clear references to supporting information. This information may include quality or safety manuals, plans, instructions, legislative requirements, procedures, codes, standards, technical reports, research and development reports and other aspects of the safety system.

It will also be subject to periodic review by the rail participant and the Director to ensure that safety arguments and standards are consistent with current expectations and best practice.

Safety cases which are pitched at too high a level and do not provide a clear linkage between the key risks and the specifications and procedures which control them, are unlikely to be acceptable. Conversely, safety cases are not required to duplicate the detailed content of copious individual company procedures or industry wide standards as this will cause them to become unmanageably large. The level of detail provided should provide an overview of how each key risk is effectively controlled, cross-referencing relevant industry and company standards or procedures (or groups of standards/procedures) as appropriate.

Section 30 describes what a safety case must contain.

Section 31 covers matters to be taken into account by the Director in considering the proposed safety case.

Section 32 covers approval of the safety case and subsection (7) allows the following:

• ‘Despite anything in this section, a rail participant may submit its safety system instead of its safety case to the Director if it considers that its safety system meets the requirements set out in section 30.’

The degree of explanation provided in the safety case should be in line with the scope of the operations undertaken and the extent of the risks. For smaller operations this may well mean that the existing safety system is appropriate to be used as the safety case, provided it adequately covers everything required under section 30 – particularly the management of risk.

The safety case will evolve as the activities to be undertaken, the way they are undertaken or the safety arguments that demonstrate the risk profile is acceptable, change. For example, the risk profile of an operation changes if the number of services is greatly increased or if the operator wishes to increase axle loads or speeds on the track. Another example would be if passenger services were to be run on track that was previously only used for freight.

An application to vary the approved safety case may be required prior to any changes being implemented where those changes are materially different. In that case an executive summary would be useful to provide signposting to where material changes have been made to the safety case since the last approval. The application should describe the plans and arrangements made to modify plant, equipment, infrastructure, procedures, staffing or staff training to bring the changes into effect.

4.   Contents of safety case

Licence applicants are to prepare a safety case to be approved by the Director. Once approved the safety case remains a living document that is to be reviewed and updated as necessary with continuous improvement of safety in mind.

Reference to section 30(1) of the Railways Act shows that a safety case must contain a statement or description, as appropriate, of the following:

Note

Each subsection is listed with commentary on what is expected to meet the requirements.

1. The rail activities of the rail participant, including details of the extent and geographical location of those rail activities.

Applicants should ensure that all rail related activities are described. As appropriate for rail operators or access providers, this should include, but is not limited to, comment on the nature of the operation, the type of motive power, rolling stock and other equipment used, track network and assets employed, train control, signalling and communications systems. A geographical route map or depiction of the railway operation would be a useful aid to enhancing the statement or description. Comment should also be provided about other rail participants that are contracted to provide services to the licence applicant that cover rail activities for which the applicant is responsible. This must include description of those persons seeking exemption under section 15(3) that will be covered by the applicant's licence.

2. The safety policy and objectives of the rail participant and of how that policy and those objectives will be implemented or given effect.

The safety policy needs to be a concise and easily understood description of the safety beliefs and goals of the organisation that has the involvement and buy-in of all employees and contractors. The statement describing how this policy will be implemented or given effect, needs to show how the policy is deployed through publication, staff training and awareness and management commitment.

3. The management and organisational arrangements that the rail participant will establish in order to promote the safety of its rail activities.

A description of the rail participant's safety system and how it is put into effect should be provided. Key safety related policies and practices documentation should be clearly signposted with references to other supporting documentation as necessary to adequately describe the basis for the complete safety system.

Management structure, positions, scope, responsibilities, delegations and contractual arrangements need to be described to show that all safety aspects of the rail activities are owned by someone and that there are no gaps in coverage. It is particularly important that management of change is described, when personnel and/or structure are changed, to show that all risks are covered in those situations.

A safety system is a crucial element of a rail participant's quality management system. It is defined in the Railways Act, part 1 Preliminary Provisions, section 4 as:

• ‘safety system, in relation to a rail participant, means a written record of all the rail participant's management and operational policies and practices that relate to the safe conduct of its rail activities; and includes the rail participant's operational and training manuals.’

The safety system may be in hardcopy written material or it may be in electronic form or it may contain some form of audio-visual material such as videos.

A satisfactory document control system must be in place, to ensure that only current versions of the safety system are in use, and this should be described in the safety case.

Useful guidelines and the means for the development of a comprehensive safety system are provided by standards such as AS/NZS ISO 9000:2000 Quality management systems (and the earlier 1994 versions of ISO 9001, 9002), AS 4292 Railway safety management , or this document.

4. The management systems that the rail participant has in place to:
   1. identify and assess the safety risks arising from its rail activities
   2. develop and implement safety risk control measures.

The safety case must describe the methodology applied by the rail participant for risk assessment and risk control and how these are covered in the safety system. Reference to standards applied and how they are used within the business should be provided.

5. The safety risks arising from the rail activities of the rail participant and details of the measures to be in place to mitigate those risks.

The safety case needs to demonstrate that the rail participant has undertaken adequate risk assessment for all operations and has identified the measures which need to be taken to control risks to safety of people and property. The rail participant must show that systems are in place to ensure that those measures will be implemented and maintained. The safety case needs to explain: what the key risks are and how they are assessed, what the rail participant does to manage them, who does it and how and when they do it; how the rail participant knows it is done and how corrective action is taken, and why this is sufficient. This requirement is similar to the hazard management requirements of the HSE Act but specifically relates to the unique risks associated with rail activities.

More detail on risk management is provided in section C of this appendix.

6. The process for ensuring that inter-operability arrangements between the rail participant and other rail participants enhance rail safety.

Applicants (or licence holders) must show that all processes are defined and managed to ensure the safe management of the various rail activities, particularly where there is interaction between themselves and other rail participants. For example processes for ensuring the safe operation of another rail participant's rolling stock on the applicant's track. This would include ensuring the vehicles are built to compatible standards (for example with continuous air braking), that the staff operating them are trained in the applicable operating rules and that responsibilities for safety are clear and unambiguous.

It is extremely important to ensure that standards are maintained and responsibilities are clear when managing contracted suppliers (as other rail participants). The applicant (or licence holder) has principal accountability for safety of all the activities for which the licence will, or does, apply.

7. The arrangements that are in place ensure that:
   1. assets and equipment used are, in safety terms, fit for their purpose
   2. safety critical tasks and activities are clearly identified
   3. rail personnel carrying out safety-critical tasks and activities have received appropriate training and instruction
   4. the competence of rail personnel carrying out safety-critical tasks and activities has been appropriately tested
   5. working practices and procedures are fit for their purpose.

As already noted, the safety case may consist of a summary that contains the core of safety arguments with clear references to supporting information. This information may include quality or safety manuals, plans, instructions, legislative requirements, procedures, codes, standards, technical reports, research and development reports and other aspects of the safety system.

How assets and equipment are acquired or designed, how they are maintained and inspected to ensure they are, and continue to be, fit for purpose needs to be described to satisfy g(i).

The rail participant must have an underlying safety system that properly covers all safety-related activities. Depending on the extent of that system it needs to be described but not necessarily repeated in the safety case to satisfy g(ii).

To satisfy g(iii), a description of the methodology and principles applied for training and instruction and how this is covered within the safety system should be provided. How many personnel are covered by what training and at what frequency, should be described.

How this is combined with experience required through on-the-job training, and appropriate supervision while learning, should be covered by the safety case.

To satisfy g(iv), the methodology and principles applied for regular testing, safety observation or refresher training of personnel should be described.

To satisfy g(v) a rail participant would need to have in place and be able to describe adequate regular management reviews of working practices and procedures to determine that they remain fit for purpose.

8. The arrangements for procuring and maintaining evidence to ensure that the measures and processes necessary for safety are working as intended, including (but not limited to):
   1. the identification of key safety performance factors and measures, including (but not limited to) accidents and incidents
   2. the monitoring and recording of, and reporting on (both internally and to the Director), the key safety performance factors and measures, including (but not limited to) accidents and incidents
   3. the regular supervision, inspection, monitoring, and audit of the rail participant's safety case, safety system, and licence conditions
   4. when required, the provision of evidence to the Director substantiating the matters in subparagraphs (i) to (iii).

To satisfy h(i) and h(ii) above, the safety case must show that the rail participant has systems in place to establish what the key safety performance factors and measures are, how the evidence is gathered, monitored, recorded and reported, and to show that the overall safety system is working as intended.

In addition to h(ii) and h(iv) above, section 21(2)(c) requires that the licence holder must report to the Director those matters that are specified in the licence holder's safety case and any other matters that the Director reasonably considers necessary in the interests of safety.

Depending on the complexity of the rail participant's operations, a memorandum of understanding (MOU) may be established with the Director on agreed reporting requirements for accidents and incidents and other key performance factors and measures and the provision of any supporting evidence.

With respect to h(iii) it is important to show how the safety case and safety system is developed, implemented, monitored and revised. Note section 31(2)(c) of the Act requires that the Director must not approve a proposed safety case unless satisfied that the rail participant is capable of establishing, implementing, maintaining, regularly reviewing, and improving its safety case and safety system. A safety system based on the quality management principle of continuous improvement is therefore essential, not optional.

If, for example, the safety system meets the requirements of AS4292, that should be stated, but the safety case need not contain all the documented clauses necessary to meet the standard as they will be contained in the safety system.

To ensure that the above requirements are met, a rail participant would need to describe the internal audit or assessment regime they have in place in addition to the assessments that will be carried out by the Director. The need for inspection and management review is covered in (g) above.

9. The process by which, in consultation with the Director, the frequency of ordinary safety assessments under section 37 may be agreed.

The rail participant's safety case should describe what external audit or assessment frequency and coverage is recommended and it may propose a process for varying this frequency for agreement by the Director. It is envisaged, particularly soon after granting of a licence, that ordinary safety assessments would normally be carried out annually.

10. The arrangements for the rail participant to report concerns about the state or performance of any rail vehicle, rail infrastructure, or railway premises that it considers have implications for the safe operation of the railway to other relevant rail participants.

Rail participants must show in their safety case that they have agreed procedures with the various other rail participants they interact with to cover these issues. This could be covered by having relevant access agreements and inter-operability standards in place that describe how reporting on safety performance issues is carried out between the parties concerned. Generally, if these issues have implications for the safe operation of the railway, they will be an incident or an accident and they must be reported to other parties as detailed in section 13(2) and to the Director as detailed in section 13(3) and section 30(1)(h).

11. The policies in place to ensure that the rail participant's rail personnel:
    1. are fit for duty
    2. are not suffering impairment or incapacitation as a result of fatigue, illness, medication, drugs, alcohol, or any other factor.

The safety case must describe the policies that the rail participant has and how they are implemented to ensure staff are fit for duty.

12. The arrangements for ensuring that safety is maintained or continuously improved despite changes in circumstances that may affect the rail participant, its rail personnel, or any person that uses the rail participant's services, including (but not limited to):
    1. the continuous review of the rail participant's activities to identify potentially significant changes (both internal and external)
    2. the review and revision of the rail participant's safety case and safety system, as a whole and in its various parts, to ensure that its safety case and safety system continue to be the most appropriate
    3. the identification of the areas of significant risk and the plans that are in place or being developed to reduce those risks.

Proper management of change is required to maintain safety. The safety case needs to include information on how it will be kept up-to-date. The process for updating the safety case and safety system should be part of the review process described within the safety system documentation. The process for the management of risks during times of change must be clearly defined.

Of particular importance for the safety case is for it to be updated with changing circumstances, for example if rail activities or risks change, or if expectations around risk change. If the changes required to the safety case are materially different then the rail participant must apply for approval to vary the safety case under section 33 or the Director may require a variation under section 34.

13. The arrangements for ensuring that the rail participant consults any representatives of rail personnel (including, but not limited to, unions) with respect to the development and variation of safety systems that affect, or are likely to affect, rail personnel.

The safety case must describe the process for ensuring that representatives of rail personnel are consulted on safety system development and variation. For example this may be done by providing documentation for comment or by attendance at committee meetings where decisions are made. Where material variations are proposed that affect the safety case, the Director must approve those variations and the Director will seek assurance that the consultation process has been followed.

14. Any other matters that may be prescribed by the rules or that the Director considers appropriate in the interests of safety.

Additional information may need to be submitted as required by the Director and the rail participant needs to ensure that everything specified is provided when the safety case is submitted.

Further to section 30(1) of the Railways Act, reference to section 30(2) shows that:

• ‘A safety case may adopt, by reference and with any necessary modifications, 1 or more parts of another approved safety case.’

Careful consideration would need to be given to using this provision to ensure that unique aspects of an applicant rail participant's operations are not lost in an attempt to use another similar rail participant's safety case as a basis for the applicant's safety case.

In addition section 30(3) states that:

• If a provision of an approved safety case is inconsistent with a rule:
  1. 1. the rule prevails
  2. 2. the rail participant must amend the provision so that it is consistent with the rule.

If and when rules are put in place, rail participants will need to review their safety cases to ensure they are appropriate.

B.   Safety system

The safety case will make reference to the underlying safety system. All rail participants must have a comprehensive documented set of policies and procedures covering the full extent of their safety related rail activities which are reviewed regularly with continuous improvement in rail safety as a goal. These policies and procedures make up the safety system. Smaller rail participant organisations with a limited scope of rail activities may be able to be incorporate the safety case and safety system into the same document.

The safety system can be documented using standards such as AS/NZS ISO 9000:2000 Quality management systems or AS4292 Railway safety management as a guide ( Note: The Railways Act does not require that rail participants are certified to ISO 9000 , but that standard, or AS4292 , are useful as a guideline to ensure that the documented system enables the requirements of the Railways Act to be met.)

Alternatively, it may suit smaller rail participant organisations to use the following guidelines to assist them in documenting their safety system.

Whatever guideline is followed, the safety system must be comprehensive and cover all safety related processes. For all policies and procedures it must fully describe what has to be done, where it is done and how it is done, who has to do it and when they have to do it. The system must also have continuous improvement written into it so that monitoring, review and system updating is covered thoroughly.

Under the Railways Act, Land Transport NZ does not require the safety system documentation to be forwarded for approval provided the safety case is comprehensive in its coverage of the requirements of the Act. However, the safety system will be reviewed and referenced during safety assessments to check appropriateness and compliance. The key point is it is the rail participant's responsibility to ensure their safety system properly covers all aspects of their activities, that the standards applied are appropriate and that it supports the safety case to meet all requirements of the Act.

Those rail participants operating on the national rail system network are also expected to incorporate the NRSS documents and their requirements into their safety system.

Suggested checklist for document preparation

This list shows key issues to be addressed in creating a safety system, many of which will need to be referenced in the safety case. Included are items common to all systems, and others peculiar to particular types of rail activities.

Many rail participants will find they may not need to address all the items listed. For example, most industrial operators will not have tunnels or complex signalling systems.

Conversely, every rail organisation is unique and it is possible that a rail participant may need to address particular issues that are not included in the checklist.

This list is to be used as a guideline only and is not intended to be exhaustive. The paragraph headings are suggestions and not mandatory for universal application to all safety systems.

1.   Introduction

Details of the rail participant seeking the licence should:

• include name, location/address, contact details
• include the nature of the proposed rail activities and high level policies, objectives and functions relating to this
• describe how the HSE Act applies to the organisation
• include rail activities to be carried out on nominated site locations
• include organisation type and structure for whole organisation and for site organisation (include an organisation chart)
• include the purpose(s) for which the railway system is to be used
• include a basic outline of the railway system (include site plans etc)
• include access agreements and/or common access terms where applicable
• include details of rolling stock fleet employed
• adopt requirements of NRSS/1 Definitions if operating on the national rail system.

2.   Management and organisation

(a)   Management

• Key management responsibilities within the overall organisation and for the site(s) covered by the safety system – responsibilities for total railway management and for management of operations, inspection, maintenance, audits, accident and incident reporting and follow-up. Also, responsibilities for staff training, staff competence, contact with other rail participants, setting and reviewing standards, the development and upkeep of the safety system, and document/information control issues.
• Safety policy, the objectives and the deployment of these.
• Meet requirements of NRSS/2 Safety management if operating on the national rail system.
• Nominate a safety liaison officer who is authorised to act as the primary contact with Land Transport NZ.
• Delegations and definition of how the organisation operates in the absence of key personnel.
• Identification of any other resources, such as consultants or contractors who are involved in the activities of the organisation.
• Processes for monitoring and reporting on safety including key performance indicators.
• Management review for continuous improvement.
• Management of change processes including risk management through the change.
• Processes for consultation with rail personnel representatives on safety case, safety system and safety assessment and policies that ensure rail personnel participate in managing health and safety in the workplace.

(b)   Personnel training, competence and protection

• Recruitment processes and standards.
• Site safety management plans and procedures to induct rail personnel to all sites.
• Training requirements for initial qualification, safety observations and periodic re-assessment.
• Identify positions for which there are particular medical standards, define those medical standards, how personnel are assessed against them, and at what frequencies. This must include standards for fit for duty and impairment eg, drugs, medication, alcohol, illness and fatigue.
• Identify positions that require specific qualification and experience eg, a design engineer.
• Identify positions with specific training requirements eg, locomotive drivers.
• Specify requirements for personal protective equipment such as high visibility and protective clothing.

(c)   Risk management

• Have comprehensive risk management policies in place. Identify the risk management tool(s) used.
• Meet requirements of NRSS/4 Risk management if operating on the national rail system.
• Identify the principal risks associated with the operation (hazard identification).
• Quantify the combination of hazard likelihood and consequence for initial risk screening.
• Processes to assess high level risks in more detail as appropriate.
• Measures required or already in place to control the risks.

(d)   Occurrence management

• Have in place appropriate plans for dealing with an emergency (crisis) or other occurrence such as an accident or incident.
• Meet requirements of NRSS/5 Occurrence management and NRSS/10 Crisis management if operating on the national rail system.
• Have adequate evacuation plans.
• Provide clear instructions to all rail personnel who may be involved in initial response, recovery operations, recording, analysing and following up of all accidents and incidents.
• Identify the person in the organisation responsible for contacting Land Transport NZ and DOL to advise of accidents and incidents and the back up person(s) to cover absences of the contact person and detail the policies and procedures they are to follow.
• Describe how the requirements of the HSE Act are met including the notification of serious harm injuries to DOL.

3.   Rail operations

(a)   Operating limits

• Overall train loads (based on engine power, track gradients and other physical limitations).
• Axle loads (permissible axle loads dictated by track and structures limits).
• Loading gauge and other factors which impose geometrical limits, such as tunnels and over bridges.
• Permitted speeds.
• Permitted/prohibited types of wagons and locomotives.

(b)   Network control

Describe:

• train control system(s)
• signalling
• operation of exchange sidings
• communication systems for safe operation
• level crossing management
• control of work and other special trains
• use of non-rail vehicles to move rail vehicles
• engineering work
• road/rail vehicles
• motor trolleys and similar
• management of accidents, incidents and system failures
• safe control of trains when signalling and/or communication equipment is inoperative
• restrictions imposed by limited ventilation in tunnels
• train examinations.

(c)   Inter-operability

• Formal agreement on inter-operability between parties.
• Procedures covering operations by other operators over the railway system of the licence holder, and/or operations by the licence holder over other systems. Access agreements and common access terms may describe regular arrangements, but irregular one-off type events that may occur must also have procedures properly defined.
• Specify inter-operability standards and procedures.
• Procedures to ensure that vehicles are safe to run.
• Meet requirements of NRSS/6 Engineering inter-operability and NRSS/7 Rail operations inter-operability if operating on the national rail system.
• Procedures covering the safe operation of interchange sidings (joint operating plans).

(d)   Shunting

• Shunting procedures, general safe working practices for shunters and drivers. Remote control operation procedures if applicable.
• Exchange sidings. Safe working of trains for interface between forwarding and receiving operators.

(e)   Public safety

• Site safety management plans and procedures to induct visitors to work sites such as workshops.
• Procedures and signage for site access, crowd control and direction of site visitors to safe areas – particularly on ‘open’ days. Note: liaison may be required with local council for events.
• On-board management of passengers (adults and children), including pre-trip briefings to ensure their safety while trains are stationary and in motion.
• Evacuation procedures for open route, in tunnels or on bridges, including route access information and liaison with emergency services (see also Occurrence management above).
• Procedures for the safe management of passengers alighting other than at railway stations eg, for photo stops.

(f)   Dangerous goods

• Describe what legislative and other requirements apply to the operations.
• If dangerous goods are transported, identify the hazardous materials and describe how legislative requirements are met.
• Similarly, identify hazardous materials used for the operation or maintenance of the railway and describe how their storage and handling complies with the regulations.

4.   Infrastructure

(a)   Track and information

• Standards, (appropriate to the nature of the operations), and procedures for track design, construction, and maintenance.
• Track geometry standards and tolerance, the basis for standards and how the values are determined.
• Inspection requirements and frequencies.
• Material and component requirements including rail ballast sleepers, etc.
• Standards for formation design, inspection and maintenance, including drainage issues.
• Procedures to be followed after earthquake activity.
• Procedures for calibration of gauges, instruments, etc, whose accuracy is important.
• Ensure clear documentation.
• Define purchasing specifications/sources for safety critical components and materials.

(b)   Bridges and structures

• Identify all safety critical structures on the system, especially bridges.
• Procedures for bridge inspection and maintenance, including frequencies, reporting regime, analysis of results, and use of specialist expertise for inspection and analysis, for example for ultrasound testing.
• Standards for bridge design and loadings.
• Tunnel locations, profiles, and details of inspection regimes.
• Traction and signal masts and any other structures erected close to the railway line.
• Action to be taken following an earthquake.

(c)   Signalling and communication systems

• Identify the type(s) of signalling system used and the principles on which it/they are based.
• Procedures and standards for design, construction and/or installation, checking, inspection, testing, commissioning and maintenance.
• Component management.
• Define radio, telephone, and any other forms of communication systems used for train operations, including train end monitors and similar devices, and the inspection and maintenance regimes that apply to these systems.
• The issues of maintaining accurate records and drawings, of responsibility for approving variations to designs, and of responsibility for final testing of new and altered installations are common to all railway engineering disciplines but are particularly critical for signalling.
• Requirements for level crossing warning systems and for other warning systems, such as those installed on industrial systems for doorways etc.
• Risk review and level crossing installation upgrade programme.
• Calibration of meters and instruments whose accuracy is important.

(d)   Electric traction systems

• Description of the overhead wiring system, its key features and geometry and the inspection and maintenance regimes which apply to these systems.
• Voltage and frequency.
• Control of traction power and its link to train control.
• Procedures for isolating and earthing traction power in emergencies.
• Procedures which ensure the safety of railway workers and others from electric shock.

5.   Mechanical engineering

(a)   Rolling stock fleet

• Identify all rail vehicles that form part of the operating fleet (it is helpful to include drawings or photographs of vehicles). Include any road/rail vehicles and road vehicles that are used to move rail vehicles, shunting tractors, etc.
• Procedures for vehicle operation and control.
• Vehicles should be identified by manufacturer, date of manufacture, class, operator's number, permitted speed, and tare and loaded weights. Any limitations peculiar to a given vehicle should also be identified eg, running speed, draw-gear strength.
• Identify lifting arrangements and/or jacking points for each type of vehicle.

(b)   Design, construction, inspection and maintenance

• Vehicle design and construction standards, including tyre profiles, draw-gear, passenger vehicle structural strength and impact resistance.
• Details of procedures and standards for periodic, or other, inspection, maintenance, and overhaul regimes.
• Component and materials management.
• Air Brake system, manufacturer(s) and type(s) of equipment, inspection, overhaul and testing regime.
• Air Brake compatibility equipment within the railway and in inter-operability situations.
• Management of pressure vessels including air receivers and reservoirs.
• Procedures for calibration of gauges, meters, tools and instruments whose accuracy is important.
• Steps and handrails, and their provision for safe use by shunters.
• Standards applied to window glass.
• Standards applied for the use of fire retardant/resistant materials.

(c)   Locomotives (including trams, railcars, etc)

• Safe working load schedules over sections of railway route.
• Details of safe management of locomotive boilers and pressure vessels. Indicate which legislative and other requirements apply to the fleet and how these requirements will be met.
• Land Transport NZ requires that all pressure vessels be annually examined and certificated by an approved inspector to meet the requirements of HSE (pressure equipment, cranes and passenger ropeways) Regulations 1999 and also the Approved code of practice for boilers.
• For further details see Appendix 5: Summary of the Health and Safety in Employment Act 1992 .
• Locomotive headlights, safety lights (illuminating couplers, steps, etc), hazard warning lights and similar.
• Locomotive horns or other audible warning devices.
• Details of safety devices fitted to guard against driver illness or sleep (deadman's handle, vigilance systems, event recorders etc).
• First aid equipment, tools and other emergency equipment to be carried.

(d)   Passenger cars

• Braking systems including passenger-operated emergency brakes and any passenger alarm systems.
• Emergency passenger exits, first aid kits and any other emergency equipment or tools carried.
• Number of seats installed.
• Door arrangements, steps for boardimg/alighting, inter-car passenger access verandas and platforms and their protective handrails and gates.
• Buffet layout, fittings, and equipment and the protection of staff and passengers from burns and scalds.
• Safety precautions where gas or oil heaters are installed.
• Details of air conditioning equipment installed, including identification of the refrigerant used.
• Electrical safety procedures where medium voltage (eg, 240volt) systems are installed, including the regime for inspection and certification.

(e)   Road/rail vehicles and ‘road’ vehicles used to move rail vehicles

• Identify any road/rail vehicles and procedures for their safe on and off tracking, and for their operation on rail such as safe loading, speeds etc.
• Identify inspection and maintenance procedures.
• Identify any road vehicles, eg, tractors, forklifts, which are used to move rail vehicles.
• Procedures for their safe use.

(f)   Service and maintenance vehicles

• Identify any service vehicles eg, rail cranes, ballast wagons, tamping machines, and set out procedures for their safe operation, inspection and maintenance.

Note: Where new rolling stock is to be introduced, the Land Transport NZ policy concerning the introduction of rail vehicles must be complied with. A copy of the policy can be found in Appendix 8 .

6.   Document control and system review

• Procedures for the control, management and review of the safety system that ensure staff have access to current versions of the information they need, that changes to the safety system are managed effectively, and obsolete information is disposed of appropriately.
• Meet requirements of NRSS/8 Guidelines for document control if operating on the national rail system.
• Procedure for the review of the safety case and subsequent updating to match changes to the safety system.
• Identify those records which form part of the safety system and specify their location, form in which they are to be retained, period of retention, and method of disposal.
• Identify if the safety system is part of an overall wider ranging quality management system.

7.   Safety assessment and internal audit

• Procedures for a safety liaison officer to interact with Land Transport NZ over safety case, safety system and safety assessment issues.
• Identify details of any internal audit regimes that are in place, including the person(s) responsible for organising and carrying them out.
• Meet requirements of NRSS/9 Audit if operating on the national rail system.
• Procedures for responding to safety assessment, audit or other review non-compliance conditions and recommendations.

C.   Risk management methodology

Principles

Risk is a combination of the probability of an event occurring and the nature of the consequences of that event. Any and all events taking place in the rail environment have an element of risk associated with them. It is a fact of life that an operating railway presents a hazardous environment because there are large moving objects with many moving parts that can potentially come into contact with other moving or stationary objects or people and cause harm. Risk is always with us. Whatever we do there is a chance something will go wrong.

Risk management involves looking at an activity or operation, identifying the hazards and developing or implementing systems and control measures which minimise that risk. The costs of mitigating the risk need to be taken into account as there is no point in investing large sums of money into projects to reduce risk if the resulting benefits do not justify the investment.

In risk management a hazard is a situation or circumstance that has the potential to place a person in danger or cause harm. The risk is the likelihood and consequent harm that will occur. Absolute safety may be impossible to achieve but the management of risk enables judgements to be made on the priorities to be applied to the hazards inherent in an operational railway.

A good way to manage the inherent risks in a railway operation is to carry out a risk analysis of all activities. It should reveal key areas of potential risk (safety critical activities or hazards) and encourage the setting of priorities for preventing or minimising that risk. Risk can be measured as expected values based on a simple formula:

• Risk = probability x consequence of the event occurring

Rail participants must carefully assess the hazards faced by their operation and undertake a thorough risk analysis using sound risk rating criteria. It is important to supply well developed explanations for how they determine the various risk outcomes and rankings for the hazards they need to address.

A hazard is a condition or situation which has the potential to cause one, or a combination of the following:

• harm to a person
• damage to property or environment
• loss of assets
• other increased liabilities.

Importantly, a hazard is not the event itself – it is the condition or situation being present that leads to an event occurring.

The underpinning key to risk management is to eliminate hazards, but if that is not possible, it is to isolate or minimise the effect of that hazard. Therefore, in identifying methods to reduce the risk value, it must be remembered that the priority order for addressing hazards is (1) eliminate, (2) isolate and (3) minimise the hazard. When possible, the action taken should eliminate the hazard so that it is not a factor in the operation. If this is not feasible it should be isolated to reduce its impact. At the very least, if the hazard is to remain within the operation, the risk presented by it must be reduced as low as reasonably practicable.

Once hazards and the unmitigated risk they present have been identified, an assessment of how to reduce the initial risk rating must be carried out. Identification of processes or mitigation measures to bring the initial risk score down to an acceptable level is required. The aim of this risk reduction is for the risk rating to be ‘as low as reasonably practicable’. This is referred to as the ALARP principle. This means that the interventions put in place may have costs included as an element in their determination. That is, significant sums of money would not be spent on a safety improvement if it only results in a very small reduction in the risk presented by the particular hazard.

The ALARP principle broadly breaks down risk tolerability into three main categories; intolerable, tolerable and broadly acceptable as shown in the triangle diagram .

Managing risks

Hazards can be managed with the implementation of control and recovery processes. Controls are the barriers put in place to prevent the hazard impacting on the operation – i.e. they are preventative measures. For example to reduce the likelihood of a derailment, trains could be run at reduced speed. Recovery or defence mechanisms are the processes and procedures that lessen the impact of an event if the control measures have failed to contain the hazard and an event has occurred. As an example, after a derailment there should be well-practised emergency management processes in place to minimise the effect on the operation.

A critical part of risk management is continuous improvement. An organisation's risk register must be reviewed and updated on a regular basis. The frequency of review should be identified as part of the detailed risk assessment process. Over time the risk rating of various hazards will change as better controls are implemented, the nature of the business operation changes or more effective measures are identified to enhance the activities undertaken. Known hazards must be reviewed and any new hazards identified – the risk ratings for all hazards must be reassessed. This helps determine the most significant hazards that need to be addressed at the current point in time. Risk management must be a continually evolving process. It cannot be done once with the expectation that it will remain accurate over time. Safety assessors will be looking for evidence that risk is being regularly reviewed and that appropriate risk mitigation measures are being implemented.

Examples of potential rail related hazards could be as follows (this is not an exhaustive list – a risk rating would be applied to each):

• track defects
• signal failures
• environmental conditions
• driver incapacitation
• rolling stock defect
• safe working breaches
• broken rails
• excessive speed.

Some controls (again not an exhaustive list) that could be implemented to reduce the risk by preventing an event occurring include:

• audit or assessment
• speed restrictions
• monitoring systems
• competent staff
• training and certification
• inspection programmes (infrastructure/rolling stock)
• medical standards.

If the event does occur, the effect can be reduced by putting in place defences (recovery measures) that lessen the impact of the event. For example:

• communication
• emergency response procedures
• train stopping equipment or procedures
• driver training
• train recovery procedures
• incident investigation – to prevent re-occurrence.

Risk management standards

There are a number of risk management tools available. A commonly used and accepted standard is the joint Australian and New Zealand Standard AS/NZS 4360: Risk management (AS/NZS 4360). There are other risk management standards and tools available for use and rail participants should not feel constrained in using a particular standard. The key is that the method chosen must be suitably applicable to the particular railway operation. Different standards provide for a variety of processes that may be used in undertaking risk assessment. These include, but are not limited to, the risk matrix (a common method), bow-tie analysis, and probability trees.

AS/NZS 4360 is written in an easy to follow and understand format. It can be purchased with an accompanying guide book that covers the risk assessment process with examples. Contact Standards NZ to purchase a copy of any New Zealand Standard.

Rail participants who wish to undertake activities on the national network are expected to incorporate NRSS documents into their system and abide by them as discussed earlier in these guidelines. NRSS/4 specifically relates to risk management. It sets out the minimum requirements for risk management principles, analysis, assessment, application and review of operations on the national network. All rail participants are encouraged to read that document as it reinforces the information in these guidelines and is good practice for anyone who may seek mainline running rights in the future. It is far easier to have a thorough risk register in place from the outset (ie, in developing your safety case), than to significantly modify the safety case and safety system in the future to meet such requirements.

An example of a 5x5 risk matrix is shown below. The matrix allows for a comparative risk rating to be given to different hazards. It can then be determined which hazards have the highest priority to be addressed. Note that a 4x4 matrix could have been used and that sometimes the definitions given to frequency and consequence vary. Such assumptions must be made clear in the safety case and safety system, explaining why a particular method was chosen, how risk ratings are determined and the relativity or scale of those ratings, as well as outlining the measures taken to reduce the risks.

5x5 matrix

* Rating is based on the product of frequency x consequence.

ALARP triangle

		Fatalities
		Rail personnel				Public and passengers
	Greatest risk	DPA	EDPA	FAR	EFAR	DPA	EDPA	FAR	EFAR
1		1 in 1000	1 in 400	50	125	1 in 10,000	1 in 4000	20	50
2		1 in 100,000	1 in 40,000	0.5	1.25	1 in 100,000	1 in 40,000	2	5
3		1 in 1,000,000	1 in 400,000	0.05	0.125	1 in 1,000,000	1 in 400,000	0.2	0.5
	Least risk

1.  ALARP or tolerable region. Tolerable only if risk reduction is impractical or if its cost is grossly disproportionate to the improvement gained.

2.  Risk is undertaken only if a benefit is desired. Tolerable if cost of reduction would exceed the improvement gained.

3.  Broadly acceptable region (no need for detailed working to demonstrate ALARP). Necessary to maintain assurance that risk remains at this level.

Explanation of diagram

Fatality rates

Fatalities can be expressed in simple terms as follows:

Injuries will be considered as follows:

• 10 serious injuries is equivalent to 1 death
• 200 minor injuries are equivalent to 1 death.

It is often preferable to express these fatality rates in unit measures of fatal accident rate (FAR) and equivalent fatal accident rate (EFAR).

Fatal accident rate (FAR)

The FAR is a measure of how many people would die per 100 million exposure hours. This is approximately the same as saying how many deaths are likely to occur per 1000 people over their entire working lives. It assumes an average of working 2000 hours a year, and a working life of 50 years.

FARs vary significantly throughout a passenger trip or working day. Therefore, an average rate of exposure is used.

Equivalent fatal accident rate (EFAR)

Injuries will be considered as if 10 serious injuries are equivalent to a death, and 200 minor injuries are equivalent to a death.

Therefore, equivalent deaths per annum (EDPA):

Then equivalent fatal accident rate (EFAR):

Often the DPA or EDPA will have to be assessed statistically eg, one death may be expected every 20 years giving a likelihood of 0.05 deaths p.a. Where no detailed information (such as accident history) is available, consideration of any industry-wide information may assist.

Upper and lower bounds for risk

The upper and lower bounds for risk relate to an individual's exposure, ie how likely is one individual to die in one year.

This is equivalent to the total number of deaths per annum divided by the number of people in the exposed population.

The upper and lower bounds for risk are given in the table below:

* Excludes illegal acts

Risk above the upper bound is intolerable and must be dealt with immediately and can involve temporarily ceasing an activity until improvements can be made.

Risk within the upper and lower bounds is tolerable, but should be ‘reduced at reasonable cost’. These risks should be subject to cost/benefit calculations to determine the value of undertaking risk mitigation steps. Fatalities and serious injuries are costed using statistical ‘avoided deaths and injuries’ criteria based on ‘willingness to pay’ research.

Risk less than the lower bound is considered acceptable.

< previous | next >

Last updated: 12 March 2009