The guidance provided by the Office of the National Rail Safety Regulator about the requirement to submit a notification of change included limited detail about the extent or type of changes that necessitated a notification. In addition, with regard to ‘a safety critical element of rolling stock’, it did not provide detail with regard to the interpretation of ‘safety critical’ and the applicability to equipment that may not be inherently part of rolling stock (such as remote control equipment).
While ONRSR’s safety action is a significant step, there is an ongoing need for the rail industry to consider the extent to which even seemingly minor functional, physical, or software changes to any rail system can affect safety, and to apply the appropriate level of safety focus needed to maintain ongoing assurance whenever a change occurs.
On 7 October 2022, ONRSR advised that it was ‘planning to add additional guidance with regards to safety critical elements when The ONRSR Way is next updated (anticipated to be released in 2023).’
ATSB comment
The ATSB anticipates that additional guidance for the criteria for notification of change will help ensure that ONRSR is notified of important safety-related changes, and accordingly will monitor progress on the ONRSR safety action.
On 13 November 2023 ONRSR advised:
In relation to the safety action for RO-2018-014, ONRSR can confirm that the review of the ONRSR Way is in progress. During the process, a determination was made that the safety issue would be best addressed by a definition to be included in the ONRSR Business Glossary.
The ONRSR Business Glossary is currently being updated, the additional definition has been included in the draft. The document will go through the appropriate review and approval processes.
ONRSR anticipates the updated Business Glossary will be published in early 2024. When published, ONRSR will notify the ATSB.
The definition which will be incorporated in the business glossary is as follows:
Safety critical element of existing rolling stock: An element of existing rolling stock that should it malfunction or fail, could reasonably contribute to an immediate and/or direct threat to safety.
Immediate and/or direct threat to safety is already defined in the existing business glossary, being: A condition where there is a clear and/or imminent danger to the safety of people or property and where death, serious injury or significant damage was only narrowly avoided by chance.
ONRSR is also looking at providing some additional guidance in relation to Notification of Change.
The ATSB welcomes the ONRSR safety action to include a definition of 'safety critical element of existing rolling stock' and additional guidance in relation to notifications of change to the regulator. The ATSB will continue to monitor the progress of this action.
On 19 July 2024, the Office of the National Rail Safety Regulator (ONRSR) published an updated Business Glossary, which included the following definition:
Safety critical element of existing rolling stock: An element of existing rolling stock that should it malfunction or fail, could reasonably contribute to an immediate and/or direct threat to safety.
As stated in the ATSB investigation report, three important terms were used in the item 3 requirement that had the potential to be interpreted differently in the absence of clarifying guidance:
The new definition of ‘safety critical’ considerably broadens the range of likely interpretations to appropriately include a broader range of elements that could have an important effect on safety, and not just those that are potentially catastrophic.
However, the other terms remain open to interpretation to some degree. The ATSB report stated: “…the term ‘change’ alone does not convey the extent of functional, physical, or software changes for which a notification of change is justified…even a small change to one function could inadvertently affect other functions in unexpected ways, particularly in complex systems. It is therefore important to be clear about the nature and extent of changes that require closer attention.”
The report also considered that there was the potential for some types of equipment, particularly remote control equipment, to not be viewed as a literal component of the locomotive, although this seems somewhat less problematic given that the people with the authority to make such decisions would likely appreciate the requirement’s intent in this regard (particularly in light of the new definition, which draws more attention to the potential consequences of equipment failure).
Accordingly, while ONRSR’s safety action is a significant step, there is an ongoing need for the rail industry to consider the extent to which even seemingly minor functional, physical, or software changes to any rail system can affect safety, and to apply the appropriate level of safety focus needed to maintain ongoing assurance whenever a change occurs. The continuing adoption and refinement of system safety methodologies for complex and computer-based systems should help with this.
