Tuesday, May 21, 2024

Safety Message: Management of change

During regulatory activities and interactions, ONRSR identifies both good and poor practice when operators undertake changes to their railways.


Changes are a necessary part of railway operations, for example renewing assets that are failing or faulty, introducing new and more effective controls or risk treatments, or improving systems, procedures, structures and components.

Adequately managing these changes is important to ensure railway operations are safe so far as is reasonably practicable - see Clause 12 Schedule 1 Management of Change of the Rail Safety National Law National Regulations.

Done well, management of change provides safety and other benefits such as reduced costs and improved maintenance and performance.

Done poorly, changes can introduce safety risks which can adversely affect railway operations and result in expensive retrofits and workarounds. One of the underlying causes for poor management of change is operators having a predetermined goal or perceived right to quickly implement the change rather than going through the necessary management of change steps.

In this safety message, ONRSR highlights some of these poor practices, how to avoid them and what guidance material can help ensure change is managed safely so far as is reasonably practicable.

It is worth noting however that while many of the poor practices are both interrelated and interlinked, for simplicity they are discussed under the following six key areas:
  1. Not classifying the change correctly
  2. Not adequately assessing the risks
  3. Not taking human factors into account
  4. Not considering wider impacts of the change
  5. Not consulting relevant affected parties
  6. Not allocating sufficient time and resources

1. Not classifying the change correctly

Operators often classify or categorise proposed changes into ‘levels’ so that corresponding oversight, control and management of the change is proportionate to the risk. Unfortunately, operators can often misclassify or miscategorise proposed changes. This can result in:

  • the proposed change not being assessed with the appropriate level of rigour or oversight;
  • the proposed change not being subjected to the same number of steps for assessment or approval; or
  • the operator not notifying ONRSR of the change i.e. not notifying ONRSR of a change that should be submitted as a notification of change or variation of accreditation.

For example, incorrectly classifying a timetabling change on a regional passenger line, such that the operations area is not required to consult with the maintenance area, may result in loss of train detection risks not being considered. To ensure changes are classified correctly, good practice includes:

  • Objective and measurable criteria to classify or categorise the change.
  • Documented systems and procedures for classifying changes in the safety management systems.
  • Involving diverse perspectives in the classification process, such as an independent party and those impacted by the change.
  • Documented processes for ensuring the full scope and implications of the change across all areas of the network and its operation.
  • Ensuring clear approvals and sign-off requirements for approving the classification level are part of management of change systems and procedures.

2. Not adequately assessing the risks

Assessing risks associated with the proposed change enables effective controls and treatments to be put in place. However, often such risk assessments are not adequately undertaken e.g.:

  • not using an adequate risk assessment methodology or one appropriate to the proposed change;
  • not adequately undertaking the risk assessment i.e. skipping steps or not involving suitably competent people;
  • not undertaking or documenting the risk assessment or risk assessment process; or
  • predetermining the outcome of a risk assessment prior to it being undertaken.

Not adequately assessing risks associated with the proposed change can lead to incidents. For example, adopting new turnout technology which has been used successfully by other railway networks without fully evaluating the wheel/rail profile differences upon which the technology is based may result in an immediate derailment safety risk. To ensure risks associated with the change are adequately assessed, good practice includes:

  • Requirements for undertaking risk assessments as part of the proposed change are documented in systems and procedures, templates and work instructions.
  • Approval to proceed to the next step in the management of change process is contingent on risk assessments being undertaken and completed.
  • Using prototypes, trials, bench testing and other forms of testing as part of the suite of risk assessments to verify and validate the change.
  • Assessing the potential failure modes of the new or changed equipment or system when introduced on the network and interfaced with existing systems e.g. including these issues and failure modes in the risk assessment.

3. Not taking human factors into account

Human factors is a discipline that focuses on the way people interact with the design of systems, tools, procedures, and processes. Given proposed changes can impact these systems, tools, procedures, and processes, it is important to take human factors into account.

By contrast, not considering human factors when making a change can increase risks to safety. For example, introducing a new SPAD alarm system without applying human factors considerations may result in alarms being confusing and a critical alarm being missed. To ensure management of change processes adequately take human factors into account, good practice includes:

  • End-users (e.g. workers, passengers, contractors, drivers, maintainers, members of the public) are identified, including the tasks or activities they currently perform.
  • Altered tasks and activities performed by end-users as a result of the proposed change are assessed e.g. tasks and activities performed by passengers, rail safety workers, contractors including their interaction with systems, structures and components of rolling stock or rail infrastructure.
  • Risks associated with altered tasks and activities, including in normal and degraded modes of operation, are identified and assessed.
  • Consideration of how the proposed change impacts users from a physical (e.g. anthropometry), cognitive (e.g. workload), task (e.g. tools and equipment used), organisational (e.g. resourcing, IT systems, regulatory) perspective. This includes development and management of controls, and treatments for identified risks.
  • Relevant training requirements and training packages identified and developed as a result of the change.
  • Clear communication of changes to end-users including the impacts of the change is undertaken.

4. Not considering wider impacts of the change

Changes can have wider impacts on other railway operations, including rolling stock, rail infrastructure and their corresponding systems, structures or components. However, operators often fail to adequately identify or consider the wider impacts of the proposed change. For example, not considering third party assets in an electrolysis study could result in corrosion of underground assets once installed. To ensure wider impacts of the change are adequately considered, good practice includes:

  • Systems, structures and components from either rolling stock or rail infrastructure that are impacted by the change are identified and assessed as part of the management of change process.
  • Impacts on railway operations and corresponding systems, policies, plans, work instructions, technical maintenance plans, standards, and other documents and procedures are identified and assessed.
  • Other related systems and procedures that may be impacted by the change are identified, assessed and updated as necessary, e.g. changes to emergency management plans and security management plans.
  • Impacts on other operators, network users as well as external and non-rail parties are taken into account.
  • Resource impacts and requirements are taken into account, e.g. impacts on tools and spares, logistics, procurement.
  • Impacts on end-users including workload and training requirements are identified and assessed (see Human Factors above).

5. Not consulting relevant affected parties

Changes can affect rail safety workers, contractors, employees, suppliers, road authorities, other rail operators and emergency services. Consulting affected parties throughout the change process helps manage safety risks. However, often consultation is skipped or not properly completed due to time or budget constraints, or pressure to quickly implement or introduce the change. For example, not consulting stakeholders on a bridge infrastructure project could result in local safety requirements and work methodologies not being followed and safety breaches being missed. To ensure relevant affected parties are identified and consulted, good practice includes:

  • Systems or processes are in place to allow parties affected by the proposed change to be identified.
  • Opportunities given to affected parties to provide input and be consulted at all stages of the change process.
  • Information or documentation to be provided to affected parties associated with the proposed change is defined in systems and procedures.
  • Training, support, and resources are provided to affected parties associated with the proposed change.
  • Systems and procedures ensure adequate system support is available from the manufacturer, installer or developer during the lifecycle of the system to help address any safety issues that may arise.

6. Not allocating sufficient time and resources

Changes, especially those that are novel or complex, can take significant time and resources. Insufficient allocation of time or resources can lead to increased risks to safety during both the implementation and operational life cycle phases. For example, not taking the time to survey the rolling stock fleet condition prior to replacing and upgrading a major system, such as the passenger doors on rolling stock, may result in doors not closing properly once installed. To ensure adequate time and resources are allocated to a change, good practice includes:

  • A detailed and realistic plan for implementation of the change.
  • Contingency or redundancy is provided to account for unexpected or unplanned issues that may be identified during rollout or implementation of the change, especially when an operator relies on a single supplier or when the change is novel or complex.
  • Acceptance criteria are defined for each stage of the roll out and are objective and measurable.
  • Verification and validation criteria are defined for each stage of the roll out, including reviewing the change post-implementation to assess any unforeseen issues.
  • Clearly defined milestones and gates to ensure that only successful completion permits further stages being rolled out.
  • Key documents are updated including design templates, general site or arrangements drawings, maintenance manuals, asset configuration and maintenance records.
  • Key steps and actions taken as part of the management of change process are documented to demonstrate they were undertaken e.g. risk assessments, consultation with staff, options analyses, etc.

Key documents and actions

Operators are encouraged to review their SMS to ensure management of change processes, procedures and templates take this safety message into account. Guidance material that can assist when reviewing management of change systems and procedures includes:

A comprehensive collection of ONRSR Safety Messages is available to view here.

Last updated: Oct 24, 2024, 2:23:24 PM