Application Guidance
We cannot foresee all the uses to which these models will be put so it is impossible to provide
comprehensive guidance. The models are likely to be used in hazard identification and
risk assessment. General guidance on this topic is provided in
volume 2, chapter 8 of Yellow Book 3.
The best precaution that you can take to check that the way that you are using
the models is sound is to write down, carefully and clearly, what you are doing and then to have this
checked by another specialist in risk assessment.
The remainder of this page provides some general guidance.
There are three sets of models provided:
The first two take a very similar approach. Both provide risk profiles, that is they
start with an estimate of the safety risk at the railway-level and then apportion this geographically
or by cause.
Network Rail's infrastructure risk models are complementary. They start with individual infrastructure
components, identifying hazards of these systems and then analysing their potential causes and consequences.
Measuring Risk
The Rail Safety and Standards Board (RSSB) and LUL
risk profiles are expressed in terms of the risk to
the entire population (sometimes called collective
risk or societal risk). This is done in similar
but slightly different ways. The LUL profile expresses
this risk using fatalities whereas the RSSB profile
uses the notion of equivalent fatalities, a statistical
device for taking account of non-fatal injuries by adding
an agreed proportion of such injuries to the number
of fatalities.
For some purposes, such as establishing whether or not a risk lies in the tolerable region, you may
need to make an estimate of the so-called individual risk, that is an estimate of the probability of
fatality per annum for an average member of the exposed population. This can be estimated from
collective risk but you need to know the size of the exposed population to do it.
Network Rail's infrastructure risk models do not estimate risk directly but provide some input into the
process. You will need to know other facts such as the number of pieces of equipment installed.
You will also need to understand aspects of how the railway is controlled in order to establish the
time at risk after a failure. We will provide further guidance on this latter topic in a reissue of this
page.
Network Rail has also developed two risk profiles that parallel the Railway Safety
and LUL risk models. One, known as CSPR model-1999, models risk on the
whole UK railway network while the other, known as CSPWR model-2001, models
risk for the West Coast Route Modernisation programme. Neither is yet in the
public domain although they may be shared later.
Accuracy of data
You will have to assess the reliability and accuracy of any predictions made using the models
yourself as they will depend upon factors that are not related to the model. The models
will generally only help you calculate point estimates of risk while you may need some
form of statistical distribution or at least an indication of the margins of uncertainty
associated with the estimate.
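The sketch below is an added illustration, not part of the original guidance or of any of the models. It estimates individual risk from collective risk and an exposed population, then replaces the point estimate with a 5% to 95% range. The figures, the lognormal spread on collective risk and the uniform spread on population are all assumptions made for the example.

```python
import math
import random
import statistics


def individual_risk(collective_risk, exposed_population):
    """Fatality probability per annum for an average exposed person.

    collective_risk: expected fatalities per annum across the population.
    """
    if exposed_population <= 0:
        raise ValueError("exposed population must be positive")
    return collective_risk / exposed_population


def individual_risk_interval(collective_mean, collective_cv,
                             pop_low, pop_high, runs=20000, seed=1):
    """Return (5th, 50th, 95th) percentiles of individual risk.

    Assumed here, not taken from any model: collective risk is lognormal
    with the given mean and coefficient of variation, and the exposed
    population is equally likely to lie anywhere in [pop_low, pop_high].
    """
    rng = random.Random(seed)  # fixed seed so the result is repeatable
    sigma = math.sqrt(math.log(1.0 + collective_cv ** 2))
    mu = math.log(collective_mean) - sigma ** 2 / 2.0
    samples = [
        individual_risk(rng.lognormvariate(mu, sigma),
                        rng.uniform(pop_low, pop_high))
        for _ in range(runs)
    ]
    cuts = statistics.quantiles(samples, n=20)  # cut points at 5%, 10%, ...
    return cuts[0], cuts[9], cuts[18]


if __name__ == "__main__":
    # Constructed figures: 0.5 fatalities per annum, about 100,000 exposed.
    point = individual_risk(0.5, 100_000)
    low, median, high = individual_risk_interval(0.5, 0.5, 80_000, 120_000)
    print(f"point estimate {point:.2e} per annum")
    print(f"5%..95% range  {low:.2e} .. {high:.2e} (median {median:.2e})")
```

With these assumed inputs the 95th percentile is several times the 5th, which is the kind of margin a point estimate on its own conceals.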
Please note that it is not statistically valid to use statements of comparison with historical
data (such as, "A comparison with FRAME data shows good agreement with the results of the
fault tree analysis, with a discrepancy of 1.9%") as a basis for assessing the accuracy
of any predictions. One reason for this in the example above is that the FRAME data may
not be totally accurate.
Terminology
There is some variation in ESM terminology within the UK rail industry and this is reflected
in the models. Yellow Book terminology is defined in a glossary
in Appendix A of the book.
The terminology used in the models is explained within the models themselves.
Generally speaking the Network Rail infrastructure
risk models use the Yellow Book terminology. The term
accident in the Yellow Book is roughly equivalent
to top event in the LUL risk model and hazardous
event in the RSSB risk model. The term hazard
in the Yellow Book is roughly equivalent to precursor
(cause) in the Railway Safety risk model.
Additional guidance on the Network Rail infrastructure risk models
Unlike the RSSB and LUL risk profiles, these do not
provide an integrated model of railway risk. Instead
they model the risk associated with individual pieces
of equipment. This allows more detail to be provided
but that in turn means that you should take even more
care in establishing whether they are applicable to
your situation and in adjusting them if they are.
To do this, as the introductory text has already stated, you should search for
assumptions inherent in the model that may not hold in your application. The
analysis will be sensitive to any differences between the state of affairs assumed
by the model and your application. You will need a complete description of your
application to do this.
For example, differences between your application and the model may extend or
reduce the time at risk, that is the average time between a hazard
occurring and action being taken to make the railway safe again. All other things
being equal, the risk associated with the hazard will be higher if the time at
risk is extended and lower if it is reduced.
Alternatively, differences may extend or reduce the time to intervene, that is the
period after a hazard occurs during which it is possible to act to prevent an
accident. All other things being equal, the risk associated with the hazard will
be higher if the time to intervene is reduced and lower if it is extended.
There are other ways that differences can change the risk as well. You will need
to adjust the risk model to reflect all these differences.
Of course some assumptions may hold unchanged in your application but,
before just carrying them forward, you should consider whether they give rise
to any dependencies on the environment or caveats on its use that you should
record in your risk assessment. For instance, if you choose to carry forward
an assumption about the availability of electrical power this may give rise
to a dependency on the power supply. Alternatively, if you choose to carry
forward an assumption about maintenance frequency this may give rise to a caveat
on the maintenance regime.
In searching for assumptions you need to consider:
- The equipment itself, including the functions that it provides and attributes,
such as its robustness.
- The application, that is the way in which the equipment will be applied in the
railway. Do not restrict yourself to normal functioning but consider failures
as well - how they are detected and what the policy is for repairing or
replacing the equipment.
- Other aspects of the environment, such as weather, electromagnetic interference
and susceptibility to vandalism.
- The policy for operation and maintenance including relevant aspects of the
railway organisation, its people and its procedures as set out in rules,
regulations, working timetables, traffic notices and so on.
Below we provide some factors to consider when searching for such assumptions. The lists
are not comprehensive - you will need to consider other factors as well - however,
we hope that they help. The factors are organised under the headings above.
Equipment factors
- What functions does the model assume that the equipment provides (including
diagnostic functions)? Does your equipment add or remove any?
- Does the model assume that different items of equipment may be safely
interchanged?
If there are restrictions on interchangeability of your equipment
(perhaps because it exists in different versions), these may give rise to
hazards arising from using the wrong version and caveats on labelling and maintenance.
- Does the equipment require more or less calibration or adaptation for each
installation than the model assumes?
- Is your equipment built to different requirements for reliability,
availability and maintainability than the model assumes?
- Is your equipment built to last longer (or less long) than the model assumes?
- Is your equipment built to a different level of robustness than the model assumes?
Consider for instance the specified tolerable limits for temperature,
humidity, EMI, mechanical shock, dust and so on.
- Does your equipment interact in the same way with people as the model assumes?
There may for instance be a better diagnostic interface for maintainers that
could mitigate some hazards.
- Is the equipment of the same level of complexity that the model assumes? In
particular does your equipment add software?
Adding software may mitigate some failure modes but add brand new ones.
- To what standards has the equipment been designed and built?
If trackside equipment was originally produced for another railway
administration, for instance, then it may be designed to use longer cable
lengths or be built for a different operable temperature range than would be
normal in your application.
- Are there likely to be supplier support problems, not considered in the model,
that could jeopardise the maintenance of the equipment during its service life?
Inability to maintain reliability because of lack of supplier support
can cause increasing levels of risk during the service life.
- Has the design and manufacture of the equipment used processes of similar
rigour to those assumed for the model?
If the equipment has been subject to a rigorous safety analysis, for
instance, this may justify increased confidence in its safety.
Application factors
- Does the model assume that the equipment is a defence against a hazard whereas
in your application it is not? Or vice versa?
For instance, in some applications, track circuits are used to provide a
defence against rail breaks; in others they are not.
- Does the model assume that the equipment is the sole defence against
a hazard whereas in your application there are other defences? Or vice versa?
For instance, in some applications, track circuits are sequentially checked,
and this sequencing can provide an additional defence against failure of one
circuit; in other applications this is not the case.
- Will the equipment be operated in the same way as the model assumes?
Are the rules for its use the same?
- Are there any special application rules or constraints associated with the
use of the equipment in the model, and is the proposed application consistent with these?
- Is the time to intervene longer or shorter than that assumed in the model?
For some hazards this can be significantly less in a metro application than
in a mainline application.
- Is the level of access to the equipment the same as that assumed in the model?
This can be significantly reduced for equipment installed in a tunnel, for instance.
- Is the level of human supervision the same as that assumed in the model? Is
the likely time to detect and respond to failures/alerts the same?
For instance, the model might assume that the equipment is installed in a manned
signalling room whereas in your application, the equipment is installed in an
unmanned equipment room and remotely monitored.
Environmental factors
- Will the equipment interface to the same systems as that assumed in the model?
- Might the equipment interact unintentionally with some system that was not
considered in the model?
- Is the railway line speed the same as that assumed in the model?
- Is the railway electrification status the same as assumed in the model?
The railway may be electrified or not and, if electrified, this may be DC or
AC and may be overhead line equipment or third rail.
- Is the system more (or less) susceptible to environmental factors such as
floods and lightning than assumed in the model?
- Is the system more (or less) susceptible to vandalism than assumed in the model?
If your equipment is in an area where it might be unusually prone to vandalism
you may need to increase some of the hazard occurrence rates.
- Are the traffic volumes the same as those assumed in the model?
If these are higher than the model assumes then both the rates of occurrence
of hazards and their consequences might have to be increased.
- Does the model assume that there are alternative paths for traffic to
route around failures whereas there are none in your application?
Whether there are or not may affect the consequences of some failures.
- Are there any additional considerations regarding disposal of the equipment
at the end of its life that have not been considered in the model?
Operational and maintenance factors
- Will faults be detected the same way as the model assumes? And by the
same people? Is the likely response time the same?
- If the equipment is to be repaired, is the policy for doing so the same
as the model assumes? Are repairs made on the railway, at the workshop or
is the equipment returned to the manufacturer for repair?
This policy may affect the risk to trackside workers.
- If the equipment fails, is the process for restoring it to use the
same as the model assumes?
There may be hazards associated with the restoration of equipment as well as its failure.
- Are the arrangements for routine performance and condition monitoring the
same as the model assumes? To what extent is the prevention of failure
dependent upon the maintenance regime?
- Does the signalling of trains require the same degree of routine intervention
by the signaller as the model assumes or is it more (or less) automated?
Traditionally metros have been more automated than mainline railways but mainline
railways are becoming more automated. This can affect the time to intervene.
- Will safe operation of the equipment require additional competencies that were not allowed
for in the model?
This may give rise to caveats on operation.
Acknowledgement
This guidance was prepared with the help of the following people who provided their
time and expertise as professionals committed to improving railway safety.
Their views do not necessarily reflect those of their employers. Their
contribution is gratefully acknowledged.
John Corrie
Rob Davis
Bruce Elliott
Terry George
Ali Hessami
Francis How
Robert Muffett
David Timothy