From Construction to Operation & Maintenance of a new mega infrastructure. The experience of an Independent Safety Assessor
Antonio CASTANO (1), Marco CORVINO (1), Andrea GATTI (2), Alessandro GAETANI (2), Giampaolo MANCINI (1), Carmine ZAPPACOSTA (1), Marco MAGNAROSA (1), Luca BECCASTRINI (1)
1 – Italcertifer S.p.A. (Gruppo Ferrovie dello Stato), Rome\Florence, Italy
2 – Railway and metro rail systems consultant, Florence, Italy
Presented to WCRR 2022 in Birmingham – OP.30 Safety, security and certification
The presented paper is related to the “Safety and Security “assurance process issued to an Applicant Organisation by an Independent Body appointed for the assessment of the readiness to Operation and Maintenance of a Metro System to receive a Safety Certificate and Operating License from National Authority.
In particular, this paper covers the general requirements to be met and the methodology to be applied during the assessment accomplished by ITALCERTIFER (ITCF) and the activities carried out in the role of Independent Competent Person (ICP) throughout all phases of the inspection activities expected by the Saudi National Transport General Authority (TGA) to release the Safety Certificate and the Operating License for the Operation and Maintenance (O&M) Services of the Metro lines (3,4,5,6) of the city of Riyadh.
The safety assurance framework designed for the project is complex and includes several steps and milestones to be accomplished by various actors of the Project. One of the most delicate phases of the project is the handover from the Manufacturer, the Construction Consortium, to the Operator of the Metro.
The definition of the handover steps and the minimum safety requirements to be fulfilled for starting the Commercial Service is the challenge which has involved the ICP. A specific methodology has been developed for the assessment as described in the paper. The basis of the assessment is that the implementation of the maintenance, repair and renewal of assets and its organization and operation can keep the assets and operations as acceptably safe. The normative reference applied to the assessment activities is mainly formed by the KSA TGA Guidances.
Keywords: safety management system, assessment, operation, maintenance, metro
1 – Introduction
1.1 – Brief on Riyadh Metro
Although railways are not new to the Kingdom of Saudi Arabia, Riyadh Metro will be the first Mass Transit Project of its kind in the Country and it is expected that the capacity of the project will reach 3.6 million passengers a day. The new Metro System is currently under construction and the network is composed by 6 lines, 4 of which are the subject of this paper, as those will be Operated by the Applicant. The mission of the operator of metro rail networks is to keep operations efficient, work optimised, assets performing at their peak and over all safe.
In particular, the Applicant will operate 4 lines for about 114 km length:
- Line 3 is 41km length with 22 stations
- Line 5 is 13km length with 12 stations
- Line 4 is 30km length with 10 stations
- Line 6 is 30km length with 7 stations
Other characteristics of the whole network:
- 51 stations (2 iconic and 5 interchange)
- 3 maintenance main depot
- 3 OCCs (Line 4 and line 5 share one OCC)
Line 4 and Line 6 have a common track section less than 10km.
Figure 1.1 – The extension of Riyadh Metro Network
1.2 – The role of the Independent Competent Person and his scope as a Safety Assessor
The KSA Railway Authority (TGA) requires to the Applicant to appoint an Independent Competent Person (ICP) to provide assurance for the Safety Management System developed for Operations and Maintenance (O&M) of Riyadh Metro Lines. The challenging definition of ICP scope is the assessment of the required documentation and those evidence gathered by the Applicant Organization to support its application to the Authority to obtain the Safety Certificate (SC) and the Operating License (OL) to perform (O&M) services of Lines 3, 4, 5 and 6 of the Riyadh Metro. The final deliverable of ICP’s assessment and inspection activity for the Applicant is the “Issuance of a Certificate of Verification” to assure the Safety of the Metro System for starting commercial operation.
The assessment methodology applied to the new Metro railway system is based on High-Level Structure Approach. It means to evaluate if the Safety Management System is a mean of demonstrating the effectiveness of the mechanisms in place to comply with international best practices, national regulations and standards, sector and business level requirements. The outcomes of risk assessment and good practice across the range of company activities are integrated into the business processes defined in the organization. It is a living set of arrangements, constructed upon the knowledge the organization has accomplished about:
- the hazards it has identified and the risks it must control.
- the legal framework in which it is operating, that consists of international standards (e.g. ISO 9001, ISO 14001, ISO 45001 etc) and national regulations (TGA Guidances)
- a clear idea of what ‘good’ performance looks like, based on world-wide recognized best practices.
2 – Assessment Methodology
The assessment of Operation and Maintenance safety management system of Riyadh Metro, as well as the level of in-depth analysis of system documents and the coverage of on-site activities (surveys, witnessing, audits, etc.) is based on a sampling methodology which is defined according to a risk-based approach. This risk-based approach, in line with commonly applied international standards (e.g. EN 50126), involves reviewing the criticality of requirements, hazards identified and and risks associated with the project, along with the identification and implementation of the risk mitigation measures, with the aim of planning the assessment activities such that, starting from the definition of risk acceptance criteria:
- items with significant safety risks associated are identified and prioritized.
- areas where safety evidence may be more difficult to source are identified.
- assessment plan is optimized to assure greater assessment effort on safety critical issues and proper timing to ensure an effective management of possible findings.
Further milestone is the assessment of Operator Readiness for Trial Run before getting the authorization to start Commercial Service. The assessment related to Trial Running is implemented and based on results of activities as documental analysis, surveys and definition of Audit(s) on Physical Assets and Infrastructure (on-site inspections) as well as surveys and Audit(s) on Organization, Training & Staff Competences. Specific assessment for the definition of the O&M Hazard log has brought to highlight the need of a Human organizational factor analysis, which has been carried out also by means of a risk-based training need analysis. To reach the effective launch of commercial operation of the system, the ICP must verify the completeness of the implementation of the O&M system, through evidence that must be provided by the Applicant, such as a structured Safety Management System (SMS), a defined Rule Book, the identification of standard, degraded and emergency operating scenarios. The ICP Methodology could be summarized on the steps as follows:
- Phase A – Process Safety Audit – Audit to the Applicant organisation at different levels to assess fitness of the organization for the Metro Operation & Maintenance services.
- Phase B – Safety Management System Analysis, including Rule Book analysis, Maintenance Organization and Resources analysis, Staff Competence and Training verification.
- Phase C – Application for Safety Certificate
- Phase D – Application for Operating License for Commercial Service
2.1 – Phase A – Process Safety Audit
Audits targeted, in particular, at identifying how the Operator is implementing in ordinary operations the mitigation measures identified for relevant risks and/or how it will implement its SMS for selected specific issues (e.g. suppliers qualification, procurement management, awareness of personnel about SMS procedures, competence of personnel in performing safety related tasks, preparation of the staff in managing various types of emergencies, management of interfering risks with third parties, etc). Sample of evidence gathered by the Operator demonstrate the familiarity with described procedures and indicate documents that specify how the statement is implemented into operation and who is responsible for that.
2.2 – Phase B – Safety Management System Analysis
Concerning the Phase B, the ICP document analysis is focused on the following documents:
- Detailed System Description: the adequate and documented description of the Metro configuration.
- Safety Management System: a documented SMS that meets the requirements set out in the Public Transport Authority’s Guidance for Safety Management System.
- Safety Management System Implementation Plan: a comprehensive and realistic plan that shows the activities and timescales for continuous application and development of the SMS.
- Hazard Log: a documented log showing control of risks to “as low as reasonably practicable” (ALARP).
- Further supporting evidence as required by the TGA. This may include, for example, Operations, Maintenance and Training Plans that have been assessed in particular as follows hereunder.
2.2.1 The Rule Book and Maintenance Organization and Resources analysis
The Rule Book and the Maintenance Organisation assessment is focused on:
- Detailed Definition of the System Operation and System Maintenance processes
- Clear association to the system operation processes of clear operating rules for the ordinary, degraded and emergency scenarios
- Clear association to the system and subsystems maintenance processes of clear operating rules for the preventive and corrective maintenance, for rescue and recovery operations
- Clear identification of tasks and responsibilities
- Structured organization of reference documents for the Rule Book application: operating procedures, maintenance procedures, checklists, etc..
- Further supporting evidence as required by the TGA, including the Rule Book approval process
- Availability of maintenance equipment, tools, resources, spare parts adequate to perform the maintenance activities according to the system and subsystems needs.
Further supporting evidence as required by the TGA, including the availability of updated maintenance documents, aligned to the system and subsystems “as built” configuration.
The implementation of the SMS according to the “TGA Railway Guidance for Safety Management Systems” is the key point to obtain the Safety Certificate and the Operating License in the Kingdom of Saudi Arabia. The assessment of the O&M (SMS) for Riyadh Metro acts as a proxy for making a judgement on the capability of the organisation to control the risks from its railway operations. If the SMS is working well it is a reasonable assumption that the risks from the organisation’s operations are being well controlled. If the organisation’s SMS has weak areas, it is an indication that the risks in those areas are not being adequately controlled and as a result it is likely that in these areas there will be the greatest possibility of the conditions existing which will allow an accident or incident to occur compared with other areas where the SMS is performing well. Therefore, the higher the score of the assessment the better is the control of risk. As part of the assessment process, based on his assessment of the Operator’s documentation, ICP issued observations, by the means of Technical Notes, on the 16 topics so called “Elements” as explained by the TGA Railway guidance on SMS. ICP use a monitoring tool called Open Item List (OIL) to manage the planning, recording and closure of all ICP Observations raised within Technical notes and performs the Documental Assessment of Operator documentation on sample basis.
2.3 – Phase C – Application for Safety Certificate
The conditions for the application for the Safety Certificate represent milestone for the start of the Trial Running. To apply for the Safety Certificate, the configuration of the metro system to be commissioned must be defined, the selection and qualification of the Contractors used for the maintenance services must be finalized, the interfaces with the Stakeholders must be finalized and the process of selecting and training the personnel required for the service must be completed. Finally, the Business-Critical Systems (CMMS, EDMS) and SAP Systems need to be fully operational and, in the case of CMMS, (Computerized Maintenance Management System), the migration of the Technical Database must be completed. The plans and procedures used for the Trial Running phase must be finalized and approved by the involved parties.
2.4 – Phase D – Application for Operating License for Commercial Service
The surveys during trial run are focused in checking the readiness of specific processes or arrangements carried out by the Operator to be properly run during the test-runs period, to verify the actual availability, and the suitability of operating condition, of facilities, equipment, stations, OCCs, depots, etc., according to the schedule of the start of O&M by the Operator. In case of positive trial run, the Applicant may apply for Operating License to the Transportation Authority.
3 – The Assessment Outcomes
The Assessment Outcomes for the Phases A and B are Assessment Reports issued for each of the 16 Elements composing the SMS and show the evolution of the progress of the SMS and the related evaluation of the ICP. The issues raised are classified basing on the severity (Critical, Mayor, Comment, Recommendation). The assessment of the SMS has been obtained considering the number of total issues raised for each element and related severity (categories of Table 3.1) as indicated in following table:
3.1 – Phases of SMS Assessment
3.1.1 Phase A – Process Safety Audit
The Process Safety Audit has been performed and Sample of evidence related to TGA Requirements were requested as per Table 3.2 below:
|TGA Requirements (n°)
|Sample of evidence requested (n°)
Together with Documental Assessment performed for provided evidence as described in the Phase B, Improvement Opportunities (IO) for the SMS have been provided to the Applicant, highlighting area of better satisfaction of TGA requirements referring also to a proactive approach towards safety goals.
3.1.2 Phase B – Documental Assessment performed
Several key documents, among thousand, have been assessed through Documental Analysis and the findings are recorded on an Open Item List (OIL) register and classified basing on the severity as is shown in Table 3.3:
|M&C Major and Critical Observation
|C&R Comments and Recommendation
The actual Assessment Status of the whole Safety Management System is shown in Table 3.4
The status of the SMS elements is changing periodically on the “Development Period” of the Project, basing on the Observation and Recommendation issued by the ICP.
The Figure 3.1 – Comparison between Radar Diagram of SMS Maturity level, shows the improvement of the SMS Maturity level from a middle stage of the Project (red line) and the actual status (blue line). The actual Assessment status of the SMS highlights the elements evaluated as sufficient and acceptable and those that need improvements.
Condition to start the commercial service are that the SMS Maturity level for all the SMS elements will reach an acceptable level (Phase A and B) and that the process described in the Phase C and D will be completed.
3.2 – The evaluation of the Safety Management System
The assessment of each and all elements of the SMS has been clarified to the Applicant in order to focus on critical areas of the SMS. The following table summarize the SMS evaluation at middle stage of the project.
4 – Conclusion
The assessment process of the whole Metro System sees the application of international standards and European best practice in a specific and different national legislative context. The implementation of the SMS is progressing together with the finalization phase of the Metro System construction, testing and commissioning, providing an incremental transfer of newly validated assets to the operational configuration and the following handover.
All these conditions make the project unique. The assessment of a new Safety Management System related to Operation and Maintenance of an innovative driverless GoA level 4 Metro System that will be put in service as a whole network of 4 metro lines, including 114 km of rail, 51 stations and 3 main maintenance depots is the challenging task that has been shortly described in this paper.
Further the handover management of an under-construction Metro System is a critical point as it requires a comprehensive knowledge of the railway subsystems. Specific key milestones need to be established for the takeover\handover of the Metro to the Operator, including the definition of Safety Related Application Conditions, the management of the risk to be transferred by the Design & Construction entity to the Operator and the related risk mitigation measures to be identified and implemented into the SMS as well as the definition of the Final Safety Case.
The size of the project requires the active collaboration of all stakeholders and the SMS assessment in such international context opens to collaboration with experts coming from different experiences and professional areas of the railway sector. Contributes to the projects comes from all the continents, and further collaboration and combination of expertise on Safety System is a specific advantage of this Mega Project.
 Public Transport Authority – Railway Guidance – Safety Management Systems ed. October 2017
 EN ISO 9001:2015 “Quality management systems – Requirements”, 2015
 EN ISO 19011 :2012 “Management system audit”, 2012
 EN ISO/IEC 17021-1:2015 “Conformity assessment. Requirements for bodies providing audit and certification of management systems”, 2015
 EN ISO/IEC 17020:2012 “Conformity assessment – Requirements for the operation of various types of bodies performing inspection”, 2012
 ISO 14001:2015 “Environmental management systems — Requirements with guidance for use”, 2015
 ISO 45001:2018 “Occupational health and safety management systems — Requirements with guidance for use”, 2018