Taking Safe Decisions Worked Example
The formation of an
Infrastructure Manager/
Railway Undertaking
alliance
1. Origin of review
It is widely recognised that close cooperation
between Railway Undertakings (RUs) and
Infrastructure Managers (IMs) can bring business
efficiency benefits; support delivery of improved
performance and reduce costs. Having an
organisational structure that facilitates teamwork,
communication and cooperation can benefit
the operation of the railway through improved
understanding and operational flexibility, such
as when making timetable alterations to better
accommodate maintenance activities and reducing
safety risks. A joint study between the Department
for Transport (Dft) and the Office of Rail Regulation
(ORR) concluded that the IM and the RUs should
build a closer working relationship.
Summary:
This worked example describes how
qualitative risk assessment can be used
to show that an organisational change is
acceptably safe, and how cooperation
between several parties can support carrying
out such an assessment.
An IM and a RU owning group therefore start
negotiations aimed at forming an alliance to manage
rail operations in one of the regions.
Key learning points:
• A change in organisation requires a new set of
risk controls to be identified and implemented.
2. Option analysis and selection
• Organisational change is difficult to quantify,
therefore qualitative risk assessment based on a
structured workshop process can be used.
• Stakeholder feedback can be a useful ‘sense
check’ when making or monitoring a change.
Factors to consider
This is a complex change, with the risks shared
between the IM and the RU, and key decisions are
therefore taken at Board level within both parties.
Implementation is undertaken through development
of company policy over a period of many months.
Nature of the decision
Risk owner
Owned by one
organisation
Shared by many
organisations
Worst credible case
consequences
Insignificant
Multiple fatalities
Operational experience
Extensive
None
Technology
Mature
Novel
Complexity
Very simple
Highly complex
Ability to monitor and
act post change
Can identify problems
and resolve quickly
Difficult to monitor
and/or intervene
More likely to be catergorised as significant
Approach
for making
the
decision
More senior level decision taking
More consultation
More extensive and detailed analysis
More time to agree and implement the decision
Figure 2: Scoping the formation of an Infrastructure Manager/Railway Undertaking alliiance
www.rssb.co.uk
1
This is supported by consultation at a national level
by the IM, and at a regional level by the RU, with
ORR and other advisors also taking an active role in
the process.
Although there is some previous experience of
joint working based on integrated IM/RU control
rooms at major stations, there is limited operational
experience of the issues along a line of route, as
forming such a ‘deep’ alliance is a novel way of
working in the GB railway industry.
The ROGS legislative requirements are key in
formulating the possible options for an alliance
as the SMS’s of the RU and of the IM need to
be kept separate for each to meet their separate
legal requirements. However it is recognised
that a stronger level of operational integration will
provide benefits. Alongside the legal requirements,
a balance of project, commercial and safety risks
are taken into consideration to formulate the
proposed alliance structure. The Safety Directors
of the IM and RU take a leading role in formulating
the possible options to help provide confidence
that operation under the proposed structure will
be acceptably safe. They propose a structure
of a single combined executive team overseeing
both the track and train responsibilities, which will
be carried out by joint functions. In addition, a
Governance Board is set up comprising members of
the owning groups. However, and as required under
ROGS, the two owning entities each retain ultimate
accountability for their areas of responsibility with
two separate Safety Certificates and Authorisations,
separate SMSs, and separate but compatible, sets
of policies, procedures, standards and other risk
control measures.
3. Making the change
The IM assesses the change in line with the
Common Safety Method on Risk Evaluation and
Assessment (CSM RA) process to identify both
the hazards as well as the mitigations needed to
control the associated risks. With no previously
defined, industry-established methodology available
for the risk assessment of organisational change
it is determined that a qualitative risk assessment
based on a structured workshop process, together
with records of hazard management derived from
the workshops, should be adequate to meet the
requirements of the CSM RA. In addition, the IM
Selection of
Risk Acceptance
Principle
CODES OF
PRACTICE
SIMILAR REFERENCE
SYSTEM
EXPLICIT RISK
ESTIMATION
Application of Codes
of Practice
Similarity Analysis with
Reference System(s)
Identification of Scenarios
& associated Safety
Measures
Safety Criteria
Qualitative
Quantitative
Figure 3: Risk acceptance principles selected
2
www.rssb.co.uk
already has a structured safety validation process for
organisational change within its’ existing SMS which
meets the requirements of the CSM RA, so this is
also used to support the process.
The measures that need to be in place before
implementation and during transition form the ‘go
live’ criteria that have to be signed off as complete
before the new organisation is implemented.
The initial phases of defining the system and
determining whether the proposed change is
significant are carried out by a team of experts
within the IM using systematic assessment against
the criteria set out in the CSM RA. The change is
deemed significant, particularly due to the novelty of
the proposed alliance in the GB railway industry and
the complexity of the change.
Some of the outputs of the assessment process
include: a handbook for senior managers
summarising the key aspects of the alliance to
communicate how it will work in practice and
the information that they need to cascade to
their teams; a joint risk profile, developed with
support from RSSB using the Safety Risk Model
Risk Profiling Tool; a joint Safety and Environment
Improvement Plan; and some revisions of the
Governance arrangements, such as introducing a
single Safety and Environment compliance board
meeting to periodically assess performance against
key targets.
The change is defined using the structure of the risk
management system. Hazards are identified using
workshops involving both managers and front line
staff from the IM and the RU. Broader stakeholder
involvement, including safety representatives from
the relevant Trade Unions, and members of relevant
RUs, are used to identify additional safety hazards.
The workshops are structured into topics that
can be influenced by the organisational changes
to focus the discussions, rather than just general
brainstorming sessions. These workshops involve
a wide range of stakeholders, and help to achieve
buy-in, understanding and acceptance of the
change as they provide a forum to voice opinions.
Once the hazards have been identified they are
classified using vulnerability rankings by the project
team. For organisational change, vulnerability
rankings can typically be challenging and often have
to be based on ‘gut feeling’ as organisational issues,
such as the impact of different personalities within
the company, are complex and difficult to quantify.
Further workshops are then used to identify relevant
risk controls to reduce the hazards to an acceptable
level. These are developed into a risk based
implementation plan by identifying the measures
that have to be put in place at three stages of the
change:
• Before implementation (development), such as
“confirm that new post holders have been briefed
on their job description, cover arrangements or
other duties including relevant standards”.
• During transition (start-up), such as “confirm
that all direct reports have been briefed on
the new organisation structure and they have
arrangement in place to brief their teams within 4
weeks of go live”.
• Post ‘go live’, such as “undertake the Post
Implementation Review”.
www.rssb.co.uk
As the change is considered to be significant,
the assessment is validated by an assessment
body independent of the change. This panel raise
challenges to which the project team has to produce
satisfactory responses, including evidence that
the ‘go live’ criteria have been fulfilled, before they
are awarded a safety validation certificate. This
independent assessment highlights the issue that
traceability can be a difficult area. For example,
there are some controls in the ‘go live’ criteria that
do not initially appear on the risk register as they are
in pre-existing documentation. It is noted that it can
be valuable to use an approach of recording hazards
and controls that initially assumes no existing
controls, so as to document the current controls as
well as the new mitigation measures that need to be
implemented.
4. Monitoring safety
During the implementation of and transition
to the new organisational structure, there are
regular reviews of how it is operating to check the
effectiveness of the control measures put in place.
There is also review of the arrangement after the
new organisation goes live and ongoing monitoring.
The Post Implementation Review committee
report back to the Governance Board at roughly
6 monthly intervals on progress. There is also an
Alliance Group meeting every 8 weeks, together
with meetings with other stakeholders, to give the
broader stakeholder group an opportunity to give
feedback, to identify any arising concerns, and to
provide an external sense check. These methods
allow the change to be monitored to provide
assurance that the organisation post change is safe,
and to respond to any issues as they emerge.
3