Article - Issue 16, July/August 2003
Protecting the railways: The management of safety in a fragmented industry
Roger Kemp FREng
Transferring UK railways into the private sector was the most challenging of the privatisation programmes in the 1990s. Here, Roger Kemp considers how safety is managed in an industry that requires very high levels of technical and commercial integration but where management has been distributed between more than 100 different organisations.
‘The railway was ripped apart at privatisation and the structure that was put in place was a structure designed, if we are honest, to maximise the proceeds to the Treasury. It was not a structure designed to optimise safety, optimise investment or, indeed, cope with the huge increase in the number of passengers the railway has seen.’
Gerald Corbett in evidence to the Ladbroke Grove Inquiry
An integrated system
In comparison with other transport modes, rail is a highly integrated system. Unlike the situation in the road transport industry, the interface between vehicles and the infrastructure is very tightly specified. To achieve stable operation, particularly at high speeds, the track gauge and the profiles of the rail head and the wheel have to be maintained to tolerances of less than 1 mm. In the UK, which has by international standards a very small infrastructure gauge, the profile of vehicles with respect to the track is also tightly defined and even the compliance of suspension components has to be controlled to millimetre tolerances. The electrical interface is also closely specified, particularly in relation to electrical interference between power and signalling systems.
In comparison, the infrastructure– vehicle interface for the road, shipping or aerospace industries is relatively straightforward. On the road and in ports and airports there are limits on vehicle dimensions, and axleload and infrastructure specifications can impose design constraints on the vehicles, such as turning circles for taxiing planes. However apart from connections to fuelling systems, ground supply equipment, airbridges and the like, there are few closely specified interfaces. In the air or on the high seas, there are no mandatory interface standards, other than for avionics and telecommunications systems such as collision avoidance, instrument landing and voice communication.
Another major difference between the railways and other transport industries is the responsibility for safe operation. In general, the captain of an aircraft or a ship or the driver of a motor vehicle is responsible for the safety of the vehicle. On a railway it is different – the driver of a high speed train has no control over the route the train will take: that is determined by the setting of the points. At night, with the headlights operating, a train driver may be able to see only 0.2 km ahead while the braking distance could be 2 km. On main lines, the safety of the train is, at all times, dependent on the integrity of the route-setting and signalling systems; the driver’s responsibilities are to operate within the speed limits and comply with the signals.
A fragmented management structure
Consult a 20-year-old directory of world railways and you will find a similar structure in almost all countries – Chief Mechanical Engineer, Chief Electrical Engineer, Chief Signalling Engineer, Chief Civil Engineer – each chief officer managing a technical department responsible for the system design and detailed specification of equipment under his jurisdiction. A simplified structure of the British Rail Headquarters in the 1970s is shown below in Figure 1: Each of the departments was run by one man – the Chief Signals & Telecommunications Engineer (CS&TE), Chief Mechanical & Electrical Engineer (CMEE), Chief Civil Engineer (CCE) and Chief Operating Manager (COM). With privatisation, this has completely changed and the current structure is shown, in greatly simplified form, in the diagram in Figure 2.
There are effectively two groups of companies providing services specified by the Strategic Rail Authority: the passenger train operating companies (TOCs) and freight operating companies (FOCs) on one side and the infrastructure controller (now Network Rail, previously Railtrack) on the other. Network Rail includes most of the responsibilities of the Chief Civil and Signals Engineers from the old BR arrangements, plus part of the responsibility of the Chief Operating Manager. The function of the CMEE has been subdivided between a couple of dozen train operators and Rolling Stock leasing Companies (ROSCOs).
The privatisation of the railways represented a seismic shift in structure and responsibilities. The basic regulatory structure that was put in place followed the Health & Safety at Work Act 1974 in that the organisation managing a facility had responsibility for its safety. There may have been complaints about how Railtrack discharged its responsibilities or used its monopoly power, but the overall structure of duty holders was clear – Railtrack was responsible and accountable for the safety of the network and it had an obligation to control risks imported onto it by train operators and other bodies.
Following the Ladbroke Grove accident in 1999, a well publicised decision was taken to strip Railtrack of part of its safety responsibility – creating a situation that was unique under the 1974 Act. The Railways (Safety Case) Regulations 2000 placed obligations on both the infrastructure controller and train operator. Regulation 4(1)(a) prohibits the operation of a train service unless the infrastructure controller has an HSE-approved safety case for the infrastructure and has scrutinised the safety case of the train operating company. Regulation 5(1)(a) requires a train operating company to have HSE approval of its safety case. In effect, this created parallel duty holders charged to control the same risk. Railtrack continued to be accountable for the safety of the network but train operating companies were accountable for running safe services – in practice the opposite side of the same coin.
Train acceptance processes
The regulatory structure described above has resulted in a highly complicated train acceptance process where the many parties involved discharge their responsibilities under the Health and Safety at Work Act to reduce risks to a level that is ‘as low as reasonably practicable’ (ALARP). The key players are:
the Department for Transport (DfT)
the Health and Safety Executive (HSE) including HM Railway Inspectorate (HMRI)
the infrastructure owner, Network Rail
the train operating companies
Vehicle Acceptance Bodies (VABs)
Under the regulations that have been operating for the past three years, there are no fewer than five different approval processes before a train is allowed to operate in passenger service on the mainline network:
Apart from the above, there are many other players involved in this process. Before Network Rail will accept any technical submission, it has to be checked in detail by an approved Independent Safety Assessor (ISA) and frequently other consultants are involved in carrying out risk assessments or specialist studies. In addition, operators and the infrastructure owner are required to have their safety case audited periodically, which brings in another set of bodies.
Cost and complexity
Not surprisingly, the processes summarised above are very expensive and time consuming; they produce filing cabinets full of paper and involve upwards of 1000 people (including Network Rail, LUL, the TOCs, manufacturers, regulators and consultants).
However, it is clear, following accidents at Southall, Ladbroke Grove, Hatfield, Great Heck and Potters Bar, that the present safety regulatory system is failing to deliver a level of safety acceptable to the public. It is also clear that the system has resulted in considerable delay to the introduction of new trains and, following the Hatfield accident, caused unacceptable chaos for many rail users. The Railway Industry Association has criticised the present system in the following words:
‘Safety regulation in the UK is the most complicated and expensive in Europe but our safety record is no better than average. The cost of these provisions and the delays they engender are a disincentive to the growth of rail travel and promote the use of less safe transport modes. We consider that the complexity of the present arrangements is detrimental to a clear allocation of safety responsibilities and that a fundamental overhaul of the system is needed to reduce the number of bodies and simplify their relationships. This is essential for the development of a safe and costeffective railway.’
(Written submission by RIA to Ladbroke Grove Inquiry Part 2.)
The graph in Figure 3 compares fatality rates in the UK with those throughout the EU and it can be seen that, although 30 years ago the UK had a better record, in recent years they are broadly comparable.
The regulatory systems introduced at the time of privatisation were constrained by an industry structure in which initiatives were assumed to come only from the private-sector players and the commercial regulators merely ‘held the ring’ and ensured non-predatory practices. This structure has been shown to be inadequate for the introduction of complex systems involving both track and trains. Because there are no contractual relationships between the train operators and the infrastructure owner, there is no obvious mechanism to manage systems that have components on both sides of the track–train interface. This problem has been addressed by the creation of Systems Authorities.
The Wheel–Rail Interface Systems Authority (WRISA), a registered company limited by guarantee set up after the Hatfield accident, provides advice to train owners and operators on the best way to manage the wheel– rail interface and to resolve commercial issues where the costs fall on one party but the benefits accrue to another. As WRISA was set up to recommend specifications and practices, and to harness the best available information and expertise to do so, its recommendations should carry considerable weight. It will have failed if those recommendations are not, in most cases, promulgated as standards and practice on the railway.
If the recommendations are sound, they will help in the resolution of the post-Hatfield problems. However, in the event that a recommendation turns out to be inappropriate, WRISA and its directors could be exposed to a claim in tort for a ‘careless misstatement that the industry was entitled to rely upon because of the special expertise and the special purpose of the company’. A legal opinion that it is not feasible for WRISA and its directors to avoid potential liability for its recommendations has resulted in major concerns about professional liability insurance and there is some doubt about whether the organisation can survive in its present form.
The future – European interoperability
Within the next two years the regulatory structure for UK railways will be subjected to radical change. The Railways (Interoperability) (High Speed) Regulations came into effect in August 2002, which bring in a new, and more technically prescriptive, interface regime on main lines. The previous standards setter, originally part of Railtrack, was replaced by a new body, Railway Standards and Safety Board (RSSB) in April 2003 and legislation is going through Parliament for the establishment of a new body, modelled on the Air Accident Investigation Board, to investigate rail accidents. In the near future we can expect to see the following:
regulations to implement European interoperability on the whole network becoming effective and changing the responsibilities of HMRI, VABs, Railtrack and many of the bodies with which we now work
a new European Rail Safety Body introducing new processes for safety management
a new European Rail Agency responsible for Technical Standards for Interoperability (TSIs).
These changes will affect the standards against which we design and build fixed systems and vehicles and the methods by which they are approved. We will have to produce different documentation and the balance of responsibilities between the manufacturer, purchaser and regulator will change. Implementation of the new regime will give the UK industry the opportunity to simplify the way in which we manage safety; alternatively institutional inertia and risk avoidance may result in yet more layers of regulation on top of an already overweight approvals structure.
Is the Health and Safety at Work Act still relevant?
The H&SWA and its dependent regulations place an obligation on the managers of enterprises to reduce risks to as low as reasonably practicable (ALARP). Since privatisation, this has been implemented in the rail industry, at least in part, by a requirement that train manufacturers demonstrate that the train design has reduced significant risks to ALARP. European Interoperability, which establishes hard technical and operational interfaces, is not compatible with this approach, at least as far as interface risks are concerned.1 The HSE has recognised that the ALARP principle has been overtaken by the specific requirements of the Technical Standards for Interoperability (TSIs) in a letter to Railway Safety which says:
‘If there is any direct conflict between the requirements of the Health & Safety at Work Act etc. 1974 (HSWA) to reduce risk to the lowest reasonably practicable level and the level of safety required by the TSI, the level of safety required by the TSI will be considered to meet the requirements of the HSWA. This is the case even if the level of safety imposed by the TSI is lower than that which had been previously applied under HSWA. Given that this is so, the level of safety imposed by the TSI must be considered to be the level which is “as low as is reasonably practicable” where this is required under HSWA.’
This advice represents a major change to the railway safety regime and moves the train building industry closer to the motor vehicle industry, where compliance with European safety standards is deemed adequate and where manufacturers are not required to demonstrate that their products have reduced risks to a level ‘as low as reasonably practicable’ (ALARP). The civil aircraft/airline industry also works to European standards which are deemed to represent an acceptable level of safety.
A continued role for the safety case?
The concept of the ‘safety case’ is entirely appropriate for a plant such as a chemical works or a North Sea oil rig where there may be one or more ‘duty holders’ with clear responsibility for the safety of the plant. The concept was also valid for the situation existing under the Railways (Safety Case) Regulations 1994 where Railtrack was unambiguously responsible for the safety of the mainline network and was, at least in theory, the main arbiter of the acceptability of the trains that could run on it.
Over the next few years this situation will change and increasingly Network Rail will be responsible to the Strategic Rail Authority (SRA) for the standards of the track and signalling, while the decision as to whether or not a train may operate will be determined by its conformity to European technical standards, not by the technical judgement of Network Rail. Under this situation, it will be difficult for anyone to claim that Network Rail is the ‘duty holder’ for the railway as a system – increasingly they will be the owners and managers of an infrastructure closely specified by the SRA.
Although it is not specifically spelt out, the presumption behind the draft EC Rail Safety Directive appears to be that the national safety regulator mandates specific interface standards and, if both infrastructure owner and train operators comply with these, the railway will be acceptably safe. Requiring either party to reduce risks to ‘as low as reasonably practicable’ by going further than the regulations prescribe will not be permitted. Under these circumstances it is inappropriate to define either a train operator or the infrastructure owner as a ‘duty holder’, as is generally understood under the 1974 Act, with responsibilities to reduce the risks to ALARP.
As an example, Network Rail might come to the conclusion that the safety of the network could be improved by fitting trains with better braking systems and they might demonstrate that the costs of such a system are well within the nominal Value of Prevented Fatality (VPF) used in the industry. However, unless such brakes are specified in a European Technical Standard for Interoperability, they would have no power to require trains to be so fitted.
Decisions on the specification of assets and the adoption, or otherwise, of European standards are increasingly being made at the level of the Strategic Rail Authority. In the absence of any other body having responsibility for the industry, they, and by association the Government, are effectively the ‘controlling mind’ of the industry which gives them significant, if presently unacknowledged, responsibilities for the safety of the network. It can be argued that we are moving towards a situation where the SRA will be ultimately responsible for the safety of the railways in the UK and will be ‘the duty holder’ under the 1974 Act, and if anyone is to hold an overall safety case for the railway as a system, it should be the SRA.
The quotation at the head of this article from the [then] Chief Executive of Railtrack suggests that the safety management system was not uppermost in the mind of the Government when the railways were privatised. Since then the system has become more, rather than less, complicated and rail safety management has become an industry in its own right, employing large numbers of people in a plethora of consultants, operators and manufacturing companies. This has had well-publicised effects on the costs and delivery of rail projects. The rest of Europe has not found it necessary to spend so much time and money on safety regulation yet their performance is no worse than in the UK.
European directives will change the way in which the rail industry operates. We could make incremental modifications to the safety regulatory structure of the industry, or this could be the opportunity for a proper rationalisation of the system. The changes that will be necessary to meet European Directives offer a ‘once in a lifetime’ chance to rethink the costly and inefficient safety regulatory processes in the UK rail industry. If we take the easy option and merely tinker with the present arrangements, we will perpetuate a structure that works against sustained growth in rail transport and the benefits to congestion and energy efficiency that would bring.
If there are two lessons from the privatisation of the UK rail network, the first is that safety regulation must be taken into account at an early stage in the process and must be allowed to influence the organisational structures that are put in place. The second is that, in an integrated industry, there has to be a ‘controlling mind’ and, if a single industry player is not able to carry this role, responsibility inevitably defaults to the government, however much they may wish to keep the industry at arms length.
I am grateful to many colleagues in the rail, automotive and aerospace industries for their contributions in preparing this article. However the opinions expressed are my own and do not necessarily represent the views of ALSTOM, Lancaster University, or any other organisation.
Roger Kemp FREng
Technical and Safety Director Alstom Transport UK
Roger Kemp has spent most of his career in the rail industry. After the formation of ALSTOM, he moved to the Transport Division Headquarters in Paris where he was responsible for systems engineering on major projects. In 1992, he was appointed Project Director of the consortium building the Eurostar trains for the Channel Tunnel. He is now Technical and Safety Director in ALSTOM Transport UK.
Roger is a Fellow of the Royal Academy of Engineering, the Institution of Electrical Engineers and the Institution of Mechanical Engineers. He is Honorary Professor of Engineering at Lancaster University in the UK.