Towards the one page safety case

There is something in the air. A sense of dissatisfaction, of urgency even, about the rising cost associated with the safety case process. The general perception is that safety cases are too expensive, take to long to compile and assess and add little real value to the safety levels of our railways. A whole new industry seems to have emerged, where “Brains on sticks” work in consultancies and make huge sums from the paper mountains that are our safety cases.

And yet I maintain that it should be possible to produce a one page safety case (ok well  perhaps 10 pages max.) and assess it in two weeks. All it takes is to be clever about it and manage your safety assurance processes well.

Any project, any supplier that applies the systems- and safety assurance processes that are now the norm in our industry and documents the efforts the are making anyway adequately, should not need more than ten pages and two weeks to explain all that and convince their independent safety assessor.

In his blog I will try to develop that thought and expand on the do’s and don’ts.

Join me in that quest and feel free to comment and add your thoughts!

This entry was posted in safety case and tagged . Bookmark the permalink.

3 Responses to Towards the one page safety case

  1. Jerome MAGOUET says:

    Hi Wim,

    I think you are fully right… safety cases following CENELEC templates are really expensive and that’s a terrible work to prepare such a document (we have spent together some nice hours preparing the Betuweroute one !).

    The problem is that both Cenelec and our ISA require a lot of evidences and the easiest and the most exhaustive input remain the safety case. And the ISA we are used to work with likes using this kind of input.

    The risk I can imagine in your proposal is that the assessment cost increase significantly in order to convince the ISA.

    On an other hand I have assessed a safety case prepared following french regulations, prepared using dynamic links to the supporting documents. The safety case itself was quite “light” but the supporting documents were huge… as far as I know it was not so easy to prepare such a document (due to the amount of supporting documents) and it was really hard to assess as you have to go deep in the different documents along your review of the safety case.

    So, the discussion is open and I’ll be really interested in reading the result of your research on this subjet !

    Best regards


  2. signalling says:


    You raise two interesting points. Let’s deal with them one by one. In EN50129 assessment is defined as

    “the process of analysis to determine whether the design authority and the validator have achieved a product that meets the specified requirements and to form a judgement as to whether the product is fit for its intended purpose”.

    One important logical consequence is that the ISA is not the validator or the design authority and should not be allowed to assume their roles or responsibilities. Sometimes they try to, perhaps because they want to sell ore hours, more likely to cover their responsibilities they ask for more and more evidences. Never forget you are the validator (or someone in your company is). The ISA should check whether or not there is a sound validation plan (produce it upfront as part of your safety case strategy!) and agree it at the start of the project, in fact make it a part of your call for tender for the assessment service if you can. You ISA can comment and ask for modifications, but once agreed manage your strategy and manage your ISA. An unmanaged ISA is a certain recipe for scope creep. We have observed this in our project and it was one of the first things I had to remedy. Secondly watch and manage your ISA cost carefully. My rule of thumb is that the cost of the ISA should not be more than 10% of your V&V cost (and this is true for the budgeted costs as well, but be careful not to extrapolate past expensive practices when budgetting!). If the ISA cost exceeds more than 30% of your V&V cost, one of two things may have happened:
    Either your ISA is repeating your validation work (more likely with ISA’s that operate their own test laboratories etc), or you have a project with a lot of errors (findings), or a lot of variations. In both cases you are probably not managing your project as you should. The lesson to learn is that by doing it up front you can control the ISA scope and budget without jeopardising their independence and both you and your ISA should be professional about this.

    Your second point relates to the structure of the safety case. EN50129 is wonderful in that it gives you a structure and guidelines for the safety case. It does not specify anywhere that it has to be a paper mountain. I will repeat myself here: If you have a professional Quality and Safety Management system in your company and you have a proper quality management and V&V plan, the safety case does not need to be more than the collected evidences, reports mostly, of those quality and safety management activities that you have agreed upfront in your safety case strategy and safety case acceptance strategy (that is why these two are such important starting documents). The safety case itself then is just a top level document acting as a set of pointers to and a summary of the results of these reports. But remember that these must be presented in a very clear, concise and assessor friendly manner. You do not want the assessor to have to search for documents that cannot be found, have illogical names and document titles etc. It costs the ISA a lot of time and hence you a lot of money and frustration. Peter Sheppard did a nice presentation on making a safety case assessor friendly at the IRSE aspect 2008 conference. Ask him or the IRSE for it. Once again your safety case strategy and acceptance plan comes to the rescue. You have set out in them what evidences you were going to produce and how you would present it and you have agreed it with the ISA up front. So use it as the basis for the safety case and the hyperlinks to the documents you are providing. And of course, keep it current if things do change. In summary, use the Cenelec structure since it is accepted and you and the ISA are used to it. It avoids unnecessary discussions. But manage the scope ad the size of the evidences and present them in a clear, very structured, concise and assessor friendly way.

    I am not saying that it will not be a lot of work. But not more than you would have had to to if there was no safety case and ISA to begin with. And the process should and can be managed professionally starting from the very start of your project.


  3. Paul says:

    This is an interesting debate but seems to be starting with a solution (10 page safety case) and extrapolating back to a question. The debate reminds me of the Albert Einstein quote “Everything should be made as simple as possible but no simpler”. Railway signalling is complex and it can hurt people. If it takes some paper to demonstrate that a supplier has made a safe system, then so be it. The deployment of an ISA is in the CENELEC standards and reflects a desire to not just build safe systems but convince a thrid party that you have done so. I wonder what you make of observations rasied by the ISA? Are they “invented to jsutify the role”, “due to inadequate understanding”, “idealsitic” or might some of them actually be important enough to listen to? Safe design is not balck and white – second opinions are the basis of medicine. In fact, it would be worrying in the extreme if the ISA did pick up an issue that requried an actual change to a product to be made. That surely woudl undermine confidence in the supplier / designer and raise questions about what else was wrong but as yet unspotted. The ISA is getting towards being the last line of defence and if they are only finding problems in the evidnce (rather than the product) and asking probing questions then that must be welcome.

    Also I should mention that the swipe at Consultancies making huge sums is compeltely unsubstantied. Who or who is not a consultant reflects simply the national structure of the railway industry. Suppliers railway operators and support servies all need to make a profit to remain in business and compared with the overall costs (and assocaited lawyers and accoutants), these technical contributions are a minor price to pay.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s