Challenges in risk assessments

29 June 2018

Rail safety law in Australia places a duty on persons including railway operators, contractors and rail safety workers, to ensure safety by eliminating or reducing risks so far as is reasonably practicable.

These duties apply alongside other safety-related requirements of rail safety legislation, including risk management and safety management system (SMS) requirements that specifically relate to risk.

Risk assessment is therefore a fundamental part of rail safety management and its importance means that it forms a key aspect of TSV regulatory activities. However, our staff and those investigating rail incidents commonly encounter several pitfalls.

This article illustrates five commonly seen weaknesses in risk assessment so that they can be more readily avoided.

1 - Risk registers containing generic assessments when a site-specific assessment is required

A common feature of the rail industry is that similar activities occur across different locations. It has been observed that railway operators sometimes carry out a generic assessment, considering all common hazards in a single assessment. However, significant differences that require the implementation of local risk control measures must be identified. Examples of such generic assessments have been seen for distributed infrastructure such as electrical substations, sidings and level crossings.

A consequence of generic risk assessments can be that risk controls are incorrectly listed, which can lead to a false sense of security. For example, an operator had generically assessed the risk of a substation fire and listed fire suppression systems as a control. However, an inspection revealed only a fraction of the substations had suppression systems installed.

It is more useful to treat a generic risk assessment as the starting point for site-specific assessments, each of which confirms that the listed controls are actually present and effective at that location.

2 - Risk registers not adequately documenting the causes of hazard

It is a requirement of rail safety legislation in Victoria for the risks associated with each hazard to be documented in the risk register. Incident investigations often find that a potential cause of failure is overlooked because the hazard identification process does not clearly differentiate between the hazard and the cause of the hazard.

For example, an explosion occurred in an underframe equipment case of a train at Guildford (U.K.) in 2017. The explosion was caused by an accumulation of flammable gases within the traction equipment case under the train. The gases had been generated following a failure within a large electrical capacitor located within the equipment case. The investigation found that a deficiency with the hazard identification process was that the hazard description limited the potential causes of the explosion hazard to ‘excess voltage/current’. In this case, the explosion at Guildford was caused by a manufacturing defect within a capacitor. Such manufacturing defects had resulted in capacitor failures and explosions in the past. This potential cause of failure was overlooked because the hazard identification process did not clearly differentiate between the explosion hazard and the cause of the hazard (e.g. excess voltage/current, manufacturing defect).

As hazards are conditions, they can have many different causes. For example, the hazard ‘train to object collision’ could be caused by, amongst other things, brake failure, poor adhesion conditions, driver error, or objects falling onto the railway. The risk register should show a clear distinction between hazards and the causes of those hazards. This then allows controls to be implemented that address each cause.

3 - Risk registers not recording the maintenance standards applicable to control measures

There is a requirement for risk registers to cross-reference related aspects of the safety management system. There is also a requirement to record the maintenance standards applicable to each control measure (Rail Safety (Local Operations) (Accreditation and Safety) Regulations 2017, Schedule 2, Item 16.2(e)). A recent inspection of a risk register revealed that no maintenance standard was recorded for fire detection systems and there was no technical maintenance plan in place for them. The inspection also found that electronic security systems that provided an alarm signal to a control centre had been installed and recorded as a control. Australian Standard AS 2202.2-2017 requires electronic security systems to be maintained at intervals of no more than 24 months, but no maintenance standard was documented in the risk register against the control. Recording the maintenance standard against a control in the risk register provides a cross-check that an effective mitigation is in place. As the register is a dynamic document, the controls and their maintenance standards should be reviewed and updated with additional safety requirements identified by the risk assessment process, or as new or revised standards come to light.

4 - No consideration of SFAIRP or further measures that could be taken

In decisions relating to the reasonable practicability of implementing additional control measures, TSV may accept the appropriate application of relevant good practice as a sufficient demonstration of a risk / sacrifice computation. This is reflected in national guidance published by ONRSR which states ‘good practice and standards may in some cases be sufficient to ensure safety SFAIRP’. Examples of good practice include reputable technical standards, such as those published by the Rail Industry Safety and Standards Board (RISSB) and Standards Australia.

Legislation requires operators to document all aspects of a risk assessment, including the reasons for selecting certain controls and rejecting others (Rail Safety (Local Operations) Act 2006 Section 51 (6)(c)(ii)). It is a requirement for operators to identify possible risk reduction options, such as those in standards, and assess whether they are reasonably practicable. Findings made by TSV at compliance inspections often relate to the operator not identifying standards that could be applied as risk controls. This also applies to comments on risk assessments accompanying applications for variations to accreditation. Examples include an application for new rolling stock that contained no documentation to show that the design had considered controls in standards such as AS 7529.3 (Australian Railway Rolling Stock – Fire Safety – Passenger) or AS 7519.3 (Railway Rolling Stock – Bogie Structural Requirements – Part 3: Passenger Rolling Stock), and the one in paragraph 3 relating to electronic security systems.
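As an added illustration (not part of this TSV article or any operator's system), the following Python lint encodes the register checks behind points 1 to 4 above: controls verified at every site the entry covers, causes recorded separately from the hazard, a maintenance standard against every control, and a record of further options considered. The site names, control names and the maintenance plan reference in the sample register are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Control:
    name: str
    maintenance_standard: Optional[str] = None  # e.g. "AS 2202.2-2017, serviced at <= 24 months"
    verified_sites: Set[str] = field(default_factory=set)  # sites where it is confirmed installed
@dataclass
class HazardEntry:
    hazard: str                      # the condition itself, not one of its causes
    sites: Set[str]                  # locations this register entry is meant to cover
    causes: List[str] = field(default_factory=list)
    controls: List[Control] = field(default_factory=list)
    rejected_options: Dict[str, str] = field(default_factory=dict)  # option -> why not adopted

def lint_register(entries: List[HazardEntry]) -> List[Tuple[str, str]]:
    """Return (hazard, finding) pairs for the weaknesses in points 1 to 4."""
    findings = []
    for e in entries:
        if not e.causes:  # point 2: hazard recorded without distinct causes
            findings.append((e.hazard, "no causes recorded separately from the hazard"))
        for c in e.controls:
            missing = e.sites - c.verified_sites  # point 1: generic control not present everywhere
            if missing:
                findings.append((e.hazard, f"control '{c.name}' not verified at {sorted(missing)}"))
            if not c.maintenance_standard:  # point 3: no maintenance standard against the control
                findings.append((e.hazard, f"control '{c.name}' has no maintenance standard"))
        if not e.rejected_options:  # point 4: no SFAIRP record of further options
            findings.append((e.hazard, "no record of further measures considered (SFAIRP)"))
    return findings

# Constructed sample register; site names and the maintenance plan reference are made up.
SAMPLE = [
    HazardEntry(
        hazard="substation fire",
        sites={"SUB-1", "SUB-2", "SUB-3"},
        causes=["cable insulation failure", "transformer overheating"],
        controls=[
            Control("fire suppression system", "supplier plan, annual test", {"SUB-1"}),
            Control("fire detection system", None, {"SUB-1", "SUB-2", "SUB-3"}),
        ],
        rejected_options={"remote fire watch": "no faster response than detection system"},
    ),
    HazardEntry(  # hazard wrongly described as its cause, so no separate causes exist
        hazard="excess voltage/current in traction equipment case",
        sites={"fleet"},
        controls=[Control("capacitor inspection at overhaul", "plan TMP-EX-01 (hypothetical)", {"fleet"})],
    ),
]
```

Running `lint_register(SAMPLE)` reports the fire suppression gap at SUB-2 and SUB-3, the missing maintenance standard for fire detection, the cause-less explosion entry and its missing SFAIRP record.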

5 - Failure to assemble the best team to perform a risk assessment

A team approach to risk assessment that includes a range of people with different perspectives should be adopted. It is also important to involve employees who have practical experience of the process or activity being considered in the risk assessment. They know how the job is done, may have experience of abnormal and failure conditions and be aware of dangerous shortcuts or work-arounds.

It is also recommended that the risk assessment process involves management or those with responsibility for the task or physical area in their job description, as well as those responsible for ensuring that the risk assessment process is adequate.

Risk assessment often involves a multi-disciplinary approach, since it may cover a variety of areas of expertise or the systems being assessed may be too complex to be fully understood by one person. While there is often value in external parties contributing to the risk assessment, when consultants are used in the risk assessment process it is recommended that they have adequate knowledge of the process/operation and work closely with those responsible for the activity.

In summary, it is recommended that:

  • a team-based approach should be adopted wherever possible
  • the team should include someone with an understanding of the technical standards relevant to the system or process
  • input from employees with practical experience of the process or activity being assessed should be included
  • management (or those with responsibility for the job) should be involved
  • those facilitating the risk assessment process should be competent to undertake the task.

Unfortunately, some risk assessments are performed from a less-than-objective viewpoint or a single perspective. In other instances, they may be focused on completing the task rather than ensuring the assessment meets legislative requirements. Risk assessments are excellent opportunities for the employee involvement that is critical to the success of any safety effort. Consultation and employee involvement are also a requirement for establishing a safety management system under s26 of the RS(LO)A, as well as under safety management system standards such as OHSAS 18001.