
Table of Contents

1 GENERAL ... 4
1.1 PURPOSE ... 4
1.2 SCOPE OF SYSTEM SAFETY WORK ... 4
1.3 SYSTEM SAFETY STRATEGY ... 5
1.4 APPLICABLE DOCUMENTS ... 6
1.5 DEFINITIONS AND ABBREVIATIONS ... 7
2 SYSTEM DESCRIPTION ... 9
3 SYSTEM SAFETY ORGANISATION ... 10
3.1 PROJECT STRUCTURE ... 10
3.2 OVERVIEW ENGINEERING ORGANISATION AND RESPONSIBILITIES ... 10
3.3 SYSTEM SAFETY ORGANISATION ... 11
3.4 CONSORTIUM SYSTEM LEVEL ... 11
3.5 CONSORTIUM SYSTEM PARTNERS LEVEL ... 12
3.6 CONSORTIUM SYSTEM PARTNERS SUBSYSTEMS LEVEL ... 12
4 SYSTEM SAFETY ACTIVITIES ... 13
4.1 SAFETY REQUIREMENTS ... 13
4.2 SYSTEM SAFETY PROGRAMME ... 13
4.2.1 Hazard Identification ... 14
4.2.2 Hazard Identification and Analysis ... 14
4.3 RISK ASSESSMENT AND ACCEPTANCE ... 15
4.3.1 Priority Order of Risk Reduction ... 16
4.3.2 Safety Risk Matrix ... 16
4.3.3 Fault Tree Analysis ... 17
4.3.4 Failure Mode Effects Analysis ... 18
4.3.5 Safety Integrity Levels ... 18
4.3.6 Safety Requirements Specification ... 18
4.3.7 Safety Critical Item List ... 19
4.4 HAZARD MANAGEMENT ... 19
4.4.1 Hazard Log Format ... 19
4.4.2 Verification of Safety Controls ... 20
4.5 SAFETY CASES ... 21
4.5.1 Design Safety Cases ... 21
4.5.2 Final Safety Cases ... 21
4.6 INDEPENDENT SAFETY ASSESSMENT ... 22
4.7 SAFETY VERIFICATION TO MEET THE RAILWAY REGULATIONS ... 22
4.8 SAFETY AUDITS ... 24
4.9 SAFETY REVIEWS ... 24
5 OTHER SYSTEM SAFETY ACTIVITIES ... 25
5.1 SAFETY RELATED STUDIES ... 25
5.1.1 Fire Hazards ... 25
5.1.2 EMC and EMI ... 25
5.1.3 Human Factors ... 26
5.2 SAFETY MANAGEMENT PROCESSES ... 26
5.2.1 Quality Management ... 26
5.2.2 Verification and Validation ... 27
5.2.3 Engineering Design Assurance Gates ... 27
Document No. M-BAC-000000-GE00-MPL-000003 Page 2 of 41 Printed:3 Jun. 15
Consortium System Safety Plan
Electronic documents once printed, are uncontrolled and may become out-dated. Refer to Aconex for current revision.
2013 High Commission for the Development of ArRiyadh
5.2.4 Design Reviews ... 27
5.2.5 Requirements Management ... 27
5.2.6 Configuration Management ... 27
5.2.7 Problem Reporting and Corrective Action ... 28
5.2.8 Interface Management ... 28
5.2.9 System Validation ... 28
5.2.10 Software Safety Management ... 28
5.2.11 Change Management ... 28
5.3 BUILT ENVIRONMENT RISK ASSESSMENT ... 29
5.3.1 Geotechnical Conditions ... 29
5.3.2 Impact on Existing Structures and Utilities ... 29
6 SYSTEM SAFETY DOCUMENTATION ... 30
6.1 DOCUMENTATION STRUCTURE ... 30
6.1.1 Plans ... 31
6.1.2 Procedures ... 31
6.1.3 Reports ... 31
6.1.4 Document Reviews ... 31
6.2 CONSORTIUM SYSTEM SAFETY DOCUMENTS ... 32
ATTACHMENT A CONSORTIUM SYSTEM SAFETY APPROACH ... 33
ATTACHMENT B CONSORTIUM FUNCTIONAL STRUCTURE ... 34
ATTACHMENT C SAFETY CASE DEVELOPMENT ... 35
ATTACHMENT D SAFETY LIFECYCLE AND PHASE RELATED SAFETY TASKS ... 36
ATTACHMENT E SAFETY PLAN TRACEABILITY MATRIX ... 39

1 General
This document is the BACS Consortium System Safety Plan. It describes the safety activities that will be performed by the BACS Consortium as part of the general project programme to ensure a high safety level of the Riyadh Metro System.
This Plan covers all phases of the project, with a particular focus on the design phase. The Plan will be reviewed and updated as required, including updates prior to the test and commissioning phase.

1.1 Purpose
The purpose of this Plan is to:
- Describe the system safety organisation within the BACS Consortium,
- Describe the processes being implemented by the BACS Consortium to ensure that the safety requirements are adequately addressed during the design and project implementation, along with the transfer into revenue operation. This includes ensuring, as far as reasonably practicable, the safety of passengers, railway staff and the general public,
- Describe the Consortium system safety objectives,
- Identify the Consortium key stakeholders and their supply chain, along with the responsibility for key system safety activities,
- Describe the Consortium principal system safety activities considered appropriate to deliver the objectives,
- Define the system safety deliverables and their delivery schedule milestones. The deliverables include the Design Safety Case, the Final Safety Cases and the Railway Hazard Log.
This Plan develops themes described in the Preliminary Safety and Security Plan [RD 8] submitted as part of the Consortium bid. Security requirements have not been included in this issue of the Plan, although similar hazard identification processes will be utilised in the initial stages of the project. In accordance with the Technical Specification Overview Safety Requirements [RT 3], the Consortium will develop a separate security programme, to be documented in a Consortium Security Plan [RD 13].

1.2 Scope of System Safety Work


This Plan sets out the process by which system safety hazards are identified and managed during the design and implementation lifecycles. Construction site health and safety matters are outside the scope of this Plan and are addressed in the Site Health and Safety Plan [RD 19].
This Plan considers the development, verification and validation of system safety requirements throughout the whole applicable project lifecycle as per contractual obligations. It should be read in conjunction with the Consortium Requirements Management Plan [RD 18], which describes in detail the project requirements lifecycle up to system acceptance.
This Plan also details the process for the apportionment of system safety requirements to the Transit System, the Civil Works Joint Venture (CWJV) System and the Subsystems. This will lead to the evolution of reliable System and Subsystem designs which, when integrated as a railway system, produce a globally compliant safe railway that is fully functional, operable and reliable.
The strategic principles to which this Plan holds are:
- To ensure a systematic approach for the fulfilment of system safety requirements,
- To eliminate or reduce risks from system safety hazards,
- To mitigate system safety hazards that may otherwise be identified at a later stage of the project's implementation or planned operations, resulting in constraints and/or extended delays to operational service,
- To develop and implement a system safety process and sequence for the integration of the Subsystems' safety activities.
The Consortium System Safety Team has established this Plan to govern the principles of the system safety policies and activities described within it, in order to achieve the safety requirements in accordance with the contract.

1.3 System Safety Strategy


The aim of the safety strategy is to provide and integrate railway infrastructure, systems, products and services of appropriate quality that offer maximum benefit to the Arriyadh Development Authority (ADA). Quality is an integral part of system safety; therefore the quality system approach is consistent with the system safety management processes.
Reliability, availability, maintainability and safety (RAMS) play an important role in ensuring the specified performance, which justifies the special attention paid to system safety requirements throughout the project.
To ensure the achievement of the Riyadh Metro System (RMS) safety requirements, and to enable adequate control of the system safety issues, the following core strategy will be followed:
- Application of established system safety and integration processes available in the organisations of the Consortium and Consortium Partners, tailored to the contract specification requirements,
- Use of the experience gained by the Consortium and Consortium Partners from similar metro and UTO projects,
- Establishment of a system safety organisation and execution of the safety work as an inherent part of the Riyadh Metro project development, in line with the principles of the European Standards EN 50126, EN 50128, EN 50129 and EN 62267 [RD 1, RD 2, RD 3, RD 4],
- Implementation of the Consortium Partners' competence management processes to ensure that competent resources are assigned to the system safety management processes,
- Adequate integration of the system safety work at the Consortium, Consortium Partners and Subsystems levels,
- Individual consideration of the different railway lines, but with the same system safety approach and organisational structure,
- To reach the objectives, explicit system safety activities will be performed, as described in the respective System and Subsystem safety plans, in accordance with the contractual safety requirements,
- The Consortium will establish the safety requirements at the Consortium System level and will review the safety activities (such as hazard analyses and safety cases) for compliance with the safety requirements,
- The Consortium Partners (Transit System and CWJV System) will establish the safety requirements at their Subsystems, and will review the Subsystem level safety activities (such as FMEA, FTA and cases for safety) for compliance with the safety requirements.

1.4 Applicable Documents
The following reference documents listed in Table 1 below form the basis for implementation of the
system safety programme as defined in this Plan.

| Ref | Title | Document Number |
|---|---|---|
| [RT 1] | Instructions to Tenderers Part 2 Technical Proposal Specification | Volume 1 Part 2 |
| [RT 2] | Technical Specification Overview Project Overview | Volume 2.2 Part 1 |
| [RT 3] | Technical Specification Overview Safety Requirements | Volume 2.2 Part 4 |
| [RD 1] | Railway Applications: The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS) | EN 50126: 1999 |
| [RD 2] | Railway Applications: Communications, Signalling and Processing Systems - Software for Railway Control and Protection Systems | EN 50128: 2001 |
| [RD 3] | Railway Applications: Communications, Signalling and Processing Systems - Safety Related Electronic Systems for Signalling | EN 50129: 2003 |
| [RD 4] | Railway Applications: Automated Urban Guided Transport (AUGT) Safety Requirements | EN 62267: 2011 |
| [RD 5] | Standard for Fixed Guideway Transit and Passenger Rail Systems | NFPA 130: 2010 |
| [RD 6] | Configuration Control Plan | M-BAC-000000-GECM-MPL-000001 |
| [RD 7] | Quality Assurance Plan | M-BAC-000000-CQQA-MPL-00001 |
| [RD 8] | Preliminary Safety and Security Plan | 1B.1.4 |
| [RD 9] | Consortium Hazard Identification and Analysis Procedure | M-BSM-000000-SYSF-PRO-000004 |
| [RD 10] | Consortium Hazard Log Procedure | M-BSM-000000-SYSF-PRO-000003 |
| [RD 11] | Consortium Safety Case Procedure | M-BSM-000000-SYSF-PRO-000001 |
| [RD 12] | ICP/ISA Plan and Programme Line 1 and Line 2 | TRME-RIYMET1&2-ICP/ISA-ICP-MM02-& MM03-2014 |
| [RD 13] | Project Security Plan | M-BAC-000000-CAMS-MPL-000001 |
| [RD 14] | System Validation Plan | TBDM-BAC-000000-GE00-MPL-000001. |
| [RD 15] | System Architecture Report | 1B 2.2 |
| [RD 16] | Design Management Plan | M-BAC-000000-GE00-MPL-000002 |
| [RD 17] | Interface Management Plan | M-BAC-000000-GEIM-MPL-000001 |
| [RD 18] | Requirements Management Plan | M-BAC-000000-GA00-MPL-000007 |
| [RD 19] | Health, Safety & Environmental Management Plan | M-BAC-000000-GH00-MPL-000001 |
| [RD 20] | Safety Verification and Validation Procedure | M-BSM-000000-SYSF-PRO-000002 |
| [RD 21] | System Safety Software Procedure | M-BAC-000000-SYSF-PRO-000001- |
| [RD 22] | Release for Revenue Service | 1B.1.17 |
| [RD 23] | Not used | |
| [RD 24] | EMC and E&B Management Plan | M-BAC-000000-SYEC-MPL-000001 |
| [RD 25] | Human Factors Management Plan | M-BAC-000000-SYSP-MPL-000001 |
| [RD 26] | Safety Review & Audit Plan | M-BSM-000000-SYSF-MPL-000004 |
| [RD 27] | Engineering Design Assurance Gates Procedure | M-BAC-000000-GE00-PRO-00010 |
| [RD 28] | Railway Applications: The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS) Part 2: Guide to the Application of EN 50126-1 for Safety | CLC/TR 50126-2: 2007 |
| [RD 29] | RAM Plan (Consortium) | M-BAC-000000-GE00-MPL-00004 |
| [RD 30] | Quality Management Systems Requirements | ISO 9001: 2008 |
| [RD 31] | Guidelines for Applying ISO 9001 to Software | ISO 90003: 2004 |
| [RD 32] | Consortium Failure Mode and Effects (FMEA) Analysis Procedure | M-BSM-000000-SYRM-PRO-000002 |

Table 1: Reference Documents

1.5 Definitions and Abbreviations


The following definitions and abbreviations are used in the document:

ADA Arriyadh Development Authority


ALARP As Low As Reasonably Practicable
BACS Bechtel Almabani CCC Siemens Consortium
CRAM Consortium RAM Manager
CSSM Consortium System Safety Manager
CSCM Consortium Safety Case Manager
CWJV Civil Works Joint Venture
DRACAS Data Reporting and Corrective Action System
EMC Electro Magnetic Compatibility
EMI Electro Magnetic Interference
EN European Norm
FMEA Failure Mode and Effects Analysis
FRACAS Failure Reporting and Corrective Action System
FTA Fault Tree Analysis
HAZID Hazard Identification
ICE Independent Checking Engineer
ICP Independent Competent Person
IHA Interface Hazard Analysis
ISA Independent Safety Assessor
PHA Preliminary Hazard Analysis
RAMS Reliability, Availability, Maintainability, and Safety
RMS Riyadh Metro System
SCIL Safety Critical Item List
SHA System Hazard Analysis
SIL Safety Integrity Level
SRC Saudi Railways Commission
UTO Unattended Train Operation
V&V Verification and Validation

2 System Description

The System to be delivered by the BACS Consortium comprises the Blue Line (Line 1) and the Red Line (Line 2). The system description is summarised as follows.

Line 1 (Blue Line) runs in the North-South direction along Olaya and Batha streets, starting slightly north of Prince Salman Bin Abdul Aziz Street and ending at the Dar Al Badia neighbourhood in the south. The Metro will be mostly underground in a bored tunnel along Olaya and King Faisal Streets, and elevated on a viaduct along Batha Street and at the northern and southern ends. Line 1 extends over a length of approximately 38 km and features 22 stations, in addition to 4 transfer stations (including 2 Iconic Stations) with other lines.

The total indicative length of the elevated, at-grade and underground sections is as follows:
- Tunnel: 17.3 km,
- Elevated Guideway: 15.9 km,
- At-Grade Sections: 4.8 km.

The following depot/stabling facilities are planned:
- Northern Depot: located at the northern end of Line 1, near Prince Salman Bin Abdul Aziz Street,
- Southern Depot: located at the southern end of Line 1.

The commercial speed will be between 35 km/h and 40 km/h.

Line 2 (Red Line), previously referred to as the Green Line in [RT 2], runs in the East-West direction along King Abdullah Road, between King Saud University and the Eastern Sub-Center, mostly on a raised strip in the median of the planned freeway. This Line extends over a length of about 25.3 km and features 13 stations, in addition to 3 transfer stations with other lines.

The total indicative length of the elevated, at-grade and underground sections is as follows:
- Tunnel: 2.9 km,
- Elevated Guideway: 5.4 km,
- At-Grade Sections: 17.0 km.

The following depot/stabling facilities are planned:
- Western Stabling: located on the viaduct at the western end of Line 2, near King Saud University,
- Eastern Depot: located at the eastern end of Line 2, near King Fahd Stadium.

The operational speed will be between 40 km/h and 45 km/h.

Both lines will be operated every day of the year, according to the following schedule:
- The departure of the first train, in both directions, is scheduled at 6:00am.
- The departure of the last train, in both directions, is scheduled at 12:00am (midnight).

For details of the System see the Technical Specification Overview Project Overview [RT 2].

3 System Safety Organisation
The system safety activities of the Consortium are organised on three levels (see Attachment A, Consortium System Safety Approach):
- Consortium System level (BACS): Level 1,
- Consortium System Partner level (Transit System and CWJV System): Level 2,
- Subsystem level: Level 3.
This approach is explained in more detail in the sections below.

3.1 Project Structure


This Consortium System Safety Plan applies to the complete BACS Consortium scope of supply. The detailed scope of the Consortium's delivery and the system boundaries are defined in the System Architecture Report [RD 15]. An overview of the Consortium functional structure is presented in Attachment B.

3.2 Overview Engineering Organisation and Responsibilities


The Engineering Organisation will provide a significant input to meeting the safety requirements and to undertaking the system engineering activities that support the safety activities, including hazard identification, safety studies and input to the safety cases.
The main tasks are allocated and broken down within the Consortium as follows:
- The Consortium Technical Management Team will provide governance over the engineering processes to be applied within the Consortium, including the system safety aspects. These are:
  - A group of senior specialists in their field of engineering will be set up to address system safety aspects for their special field of competence related to Civil Works and Transit System elements,
  - This group will assess and undertake the safety tasks to be performed within the Consortium for this field of engineering, as covered in section 4 of this Plan,
  - An organisational structure has been set up and the processes have been developed,
  - The individual tasks to be performed at the Consortium Partner level (CWJV System and Transit System) have been identified and the responsibilities have been allocated to the relevant entities.
- The technical management teams within the organisations of CWJV System and Transit System will implement a competent and adequately resourced system engineering and integration organisation to address all engineering and integration aspects within their organisation. Such integration will address both:
  - The functional aspects of the engineering for their scope of supply and services,
  - The integration aspects for individual sets of locations.
- For the Subsystems, these activities will be broken down according to the design and implementation responsibilities assigned to the individual entities within both the CWJV System and Transit System organisations.

3.3 System Safety Organisation
The Consortium and Consortium Partners will deploy teams of competent system safety managers
and engineers for the Riyadh Metro Project. Figure 1 shows the system safety team to be
implemented by the Consortium and the interfaces with the other safety managers and engineers.
In order to ensure the independence of the system safety activities the System and Subsystems
safety managers and engineers will have an independent reporting line to the Consortium System
Safety Manager (CSSM) on system safety issues, who will in turn have a reporting line to the
Consortium Project Director.

Figure 1: Consortium System Safety Organisation (organisation chart not reproduced in this text; the only box label recovered from it reads "Consortium Safety Case Manager CSCM and Safety Engineers")

3.4 Consortium System Level


The CSSM will provide safety management direction for the Consortium, Systems level and Subsystems level, with overall responsibility for the direction of Consortium safety activities for the Riyadh Metro System Project, including monitoring and reporting of performance against Systems and Subsystems safety requirements. This will require an integrated approach throughout the project lifecycle with the Consortium RAM Manager (CRAM).
The main tasks of the CSSM are:
- Planning and performance of the necessary system safety activities of the Consortium,
- Integration of the system safety activities,
- Support to the integration of the Systems and Subsystems safety activities,
- Liaising, on behalf of the Project Director (Duty Holder), with the ADA ISA, Consortium ICP/ISA, ICE and Saudi Railways Commission (SRC) as required,
- Issue of the Design Safety Case and Final Safety Cases,
- Issue of the Consortium Hazard Log.

Additional internal coordination will be established in order to ensure an integrated approach
throughout the project lifecycle with the CSSM and CRAM, and other subject matter experts,
including the Systems and Subsystems safety and RAM managers.
The Consortium Safety Case Manager (CSCM) will provide safety management support for the
specific safety activities needed for the preparation of the Safety Cases. Consortium safety
engineers will provide support as necessary to the safety activities carried out within the team.

3.5 Consortium System Partners Level


The Consortium System Partners (Transit System and CWJV System) will support the CSSM to manage the integration required between the Transit System and Civil Works scopes at the Consortium level. They will:
- Appoint their own system safety managers and management team to lead governance over system and subsystem safety activities,
- Prepare separate Systems Safety Plans (Level 2 Plans) to comply with the Consortium requirements in so far as they apply to the respective Consortium System Partner's apportioned scope,
- Provide details in the Systems Safety Plans of safety team roles, responsibilities and competencies,
- Apportion and allocate system safety responsibilities to the Transit System and CWJV System Subsystems,
- Describe the goals and objectives of the Subsystems in the context of the Consortium Partner's scope of work,
- Coordinate the integration and interaction of their respective Subsystems,
- Provide system safety document deliverables prepared at the Systems level to the CSSM for review and acceptance.

3.6 Consortium System Partners Subsystems Level


The Subsystems safety managers and safety teams will perform system safety activities for the
Subsystems according to their apportioned scope. The Subsystems safety managers will support
the Consortium Partners safety managers to manage the system integration required between the
Consortium Partners and the Consortium level. The Subsystems will:
Appoint their own system safety managers and management team to lead governance
over system safety activities at the Subsystems level,
Prepare separate Subsystems Safety Plans (Level 3 Plans) to comply with the Systems
Safety Plans (Level 2 Plans) in so far as they apply to the respective Subsystems
apportioned scope,
Provide details in the Subsystems Safety Plans of safety team roles, responsibilities and
competencies,
Take adequate measures to satisfy the Consortium Partners system safety requirements,
Coordinate the integration and interaction of their respective subcontractors and suppliers,
Provide system safety document deliverables prepared on the Subsystems level to the
Consortium System Partners safety managers for review and acceptance.

4 System Safety Activities
The system safety activities described below represent the safety programme to satisfy the
requirements stated in EN 50126, EN 50128 and EN 50129 [RD 1, RD 2, RD 3], that will be
undertaken to support the achievement of safe and reliable railway system operation. The primary
system safety documentary evidence that will support the safe operation of the railway is described
in section 6.2.

4.1 Safety Requirements


The objective of the safety requirements process is to achieve and maintain the specified level of
safety. This includes the determination of the safety requirements and the verification and
validation that the design and implementation takes into account and meets these specified
requirements.

The safety requirements process is based on a system lifecycle model in accordance with EN
50126 [RD 1] principles and applies to the Consortium, Consortium Partners and Subsystems
levels. The safety acceptance of the Subsystems will be based on safety verification and validation
activities which will confirm that the safety requirements have been met. Refer to the Safety
Verification and Validation Procedure [RD 20].

The safety requirements contained in the Technical Specification Overview Safety Requirements
[RT 3], and in other parts of the Technical Specification, have been captured and will be managed
through the requirements management process as defined in the Requirements Management Plan
[RD 18]. Other safety requirements will be identified through project applicable standards and in
particular EN 50126, EN 50128 and EN 50129 [RD 1, RD 2, RD 3].

Key elements in the identification and analysis of safety requirements are the hazard analyses and
the safety study programme, which are described in the following sections.
The planned Subsystems safety activities will be undertaken in accordance with the system
lifecycle approach detailed in EN 50126 [RD 1]. A V representation of the project safety lifecycle
with system safety tasks is presented in Attachment D. The system safety activities will include:
Activities in accordance with the system safety programme,
Hazard Identification and analysis,
Risk assessment,
Determination of safety requirements,
Hazard Log management,
Preparation and issue of safety cases,
Safety verification to meet Railway Regulations,
Safety Audits.

4.2 System Safety Programme


The system safety programme scheduled by the Consortium comprises activities relating to the
safety aspects of the Riyadh Metro which will include activities to assist in eliminating system
safety hazards. The system safety programme will consider railway operations in normal, degraded
and emergency conditions, and also, will include consideration of random and systematic failures.

The system safety activities are scheduled in line with the principles stated in EN 50126, EN 50128
and EN 50129 [RD 1, RD 2, RD 3] to satisfy the specific project safety requirements. The system
safety activities described below represent the safety programme that will be undertaken to support
the achievement of safe and reliable railway system operation. The primary system safety
documentary evidence that will support the safe operation of the railway is described in
Section 6.2.

Hazard Identification and Analysis

Hazard identification and analysis is a central part of the project safety activities. Relevant aspects
of the hazard analyses to be performed include the hazard identification, risk assessment and the
safety integrity level determinations and assessments. These requirements are indicated in the
following sections. The methods for hazard identification are detailed in the Consortium Hazard
Identification and Analysis Procedure [RD 9].
The hazard analyses and safety case process is indicated in Attachment A Consortium System
Safety Approach.

4.2.1 Hazard Identification


Hazard Identification (HAZID) is fundamental to the hazard analysis and risk assessment process.
It will be undertaken at Consortium, Systems and Subsystems levels. The purpose of hazard
identification is to identify potential hazards associated with the operation and maintenance of the
Riyadh Metro System.
The hazard identification at the Consortium level is based on the initial list of railway hazards given
in the Technical Specification Overview Project Overview [RT 2]. After due consideration of the
Metro operations, the Consortium safety team has identified some additional railway hazards that
need to be considered. The initial list, also including the additional hazards, is given in Attachment
A in the Consortium Hazard Identification and Analysis Procedure [RD 9].
At the systems HAZID sessions both novel and empirical hazards will be considered. A systematic
identification of hazards will be performed by means including:
Checklists,
Hazard Logs,
Experience from similar projects,
Brainstorming,
Outputs from associated systems hazard identification sessions.
The HAZID sessions will involve representatives from relevant stakeholders having appropriate
knowledge and experience to ensure that all applicable hazards and concerns are identified so that
the safety requirements for the respective systems can be determined.
The railway hazards identified by the Consortium will be taken into account by the Systems and
Subsystems in their hazard identification sessions. Any new railway hazards identified during the
sessions will be recorded, together with the system hazards.

4.2.2 Hazard Identification and Analysis


The Systems and Subsystems will use systematic and well-established techniques for the
identification, evaluation and classification of system hazards including:
Hazard Identification (HAZID),
Failure Mode and Effects Analysis (FMEA),
Fault Tree Analysis (FTA).
Hazard identification and analysis will be carried out by the safety teams at key stages in the
system lifecycle, to be defined in the systems safety plans.
Depending on the design stages and the subsystem being considered, the following types of
hazard analyses will be carried out:
Preliminary Hazard Analysis (PHA),
System Hazard Analysis (SHA),
Interface Hazard Analysis (IHA).
Preliminary hazard analysis (PHA) will be undertaken by the Systems and Subsystems during the
initial stages of the design. The PHA will be further developed and verified to take account of
hazards in the final design through the processes of system hazard analysis (SHA) and interface
hazard analysis (IHA). The Consortium Hazard Identification and Analysis Procedure [RD 9] covers
the requirements for PHA, SHA and IHA in more detail.
A process of FMEA will be undertaken, in accordance with the Consortium FMEA Procedure
[RD 32] to identify hazards caused by failures in system functions and components, and the results
will be used as inputs to the HAZID sessions. Where required, the hazard analysis will also take
into account FMEA outputs from the RAM analyses with respect to system hazards.
System hazards identified in the PHA, SHA and IHA, will be recorded in the Hazard Log. Refer to
the Hazard Log references in sections 4.3 and 4.4, and the Consortium Hazard Log Procedure
[RD 10].

4.3 Risk Assessment and Acceptance


For risk assessment and acceptance, the Systems and Subsystems will take account of the
principles described in EN 50126, EN 50128 and EN 50129 [RD 1, RD 2, RD 3] and the applicable
subsystem guidelines.
These principles include the following requirements to be fulfilled:
The application and compliance with quality management, codes of practice and industry
standards,
Where applicable, comparison of a particular Subsystem with an identified reference
system or software that is proven in use,
Safety management processes complying with EN 50126, EN 50128 and EN 50129 [RD 1,
RD 2, RD 3].
The risk assessment process will apply the Safety Risk Matrix given in Figure 3 in section 4.3.2,
also with reference to Attachment D in the Consortium Hazard Identification and Analysis
Procedure [RD 9].
The Safety Risk Matrix will be used to determine the risk qualitatively. For significant risks with a
severity level that is Critical or Catastrophic quantified risk assessment will be used, where
appropriate, to determine the tolerable hazard rates and to confirm the identified risk level. Refer to
the approach described in section 4.3.3.
For significant risk, the residual risk level needs to be as low as reasonably practicable (ALARP),
and this needs justification in the Hazard Log. Refer to EN 50126 [RD 1] and the Hazard Log
Template described in Attachment A in the Consortium Hazard Log Procedure [RD 10].
The risk acceptance methods to be used for each system will depend on the specific requirements
and operation of the system, and will be stated in the Subsystems safety plans. The Subsystems
will record the method by which acceptance is achieved and the evidence to support it will be
provided in the relevant Subsystems safety cases. The risk assessment process is indicated in
Figure 2.

Figure 2: Risk Assessment Process

4.3.1 Priority Order of Risk Reduction


In considering potential mitigation actions to reduce the risk to acceptable levels the following
priority order will be applied:
Hazard elimination by design,
Risk reduction by design,
Hazard severity reduction,
Hazard frequency of occurrence reduction,
Implementation of operational and maintenance procedures.

4.3.2 Safety Risk Matrix


The Safety Risk Matrix to be used on the Riyadh Metro Project is presented in Figure 3. Details
regarding the application of the safety risk matrix and the associated severity and frequency criteria
are defined in Attachment C in the Consortium Hazard Log Procedure [RD 10]. It will be used by the
subsystems to assess and classify the risks of the hazards identified in the PHA, SHA and IHA
activities. The method of assigning risk using this matrix is described in section 3.9 in the
Consortium Hazard Identification and Analysis Procedure [RD 9].

Frequency of        Severity of Hazardous Event
Hazardous Event     Insignificant   Marginal   Critical   Catastrophic

Frequent            R2              R1         R1         R1
Probable            R3              R2         R1         R1
Occasional          R3              R2         R2         R1
Remote              R4              R3         R2         R2
Improbable          R4              R4         R3         R3
Incredible          R4              R4         R4         R4

Risk Categories: R1 Intolerable, R2 Undesirable, R3 Tolerable, R4 Negligible


For the definitions of frequencies, severities and risk categories, refer to Tables 2, 3 and 5 in EN 50126.
The tables are also described in Attachment C in the Consortium Hazard Log Procedure [RD 10].

Figure 3: Safety Risk Matrix based on Table 4 in EN 50126

4.3.3 Fault Tree Analysis


Fault Tree Analysis (FTA) will be used, where required, by the subsystems to determine the levels
of quantified risk including the calculation of tolerable hazard rates (THRs). Refer to the
requirements for determining THRs in Annex A in EN 50129 [RD 3], and sections 7, 8 and E.9 in
CLC/TR 50126-2 [RD 28]. Refer also to Annex B in EN 50129 [RD 3].
FTA is a top-down or deductive system failure analysis technique. It begins with a single undesired
top event (for example a hazard at the railway level) and provides a method for determining all the
possible causes (for example hazards in the subsystems) of that event. FTA provides a graphical
and logical model of the various parallel and sequential combinations of events that will result in
the occurrence of the top event.
FTA can be used for both qualitative as well as quantitative analysis. The graphical nature of the
technique aids the qualitative identification of potential sources of single-point failures and safety
critical failure combinations.
The fault tree is made up of gates, which serve to permit or inhibit the flow of fault logic up the tree.
The gates show the relationship of lower events - the inputs to the gate - needed for the
occurrence of a higher event - the output of the gate. The gate symbol denotes the relationship of
the input events required for the output event.
The fault tree is used to produce the minimal cut sets - the minimum combination of independent
base events which, if they occur or exist at the same time, will cause the top event to occur. The
minimal cut sets provide the basis for both the qualitative and quantitative analysis of the system.
Common cause failures will also be considered in the analysis.
FTA will be performed using industry standard software tools to support the hazard identification
and analyses activities.
The FTA process will be used to identify safety targets consisting of THRs for the Subsystems
safety functions and components. The THRs will be used to determine the safety integrity levels of
the system safety functions and components. Refer to section 4.3.5 below.

The proposed THRs will be submitted by the Consortium for approval and acceptance by the
railway authorities (SRC and ADA/RMTC) with advice from the ICP/ISA.
The FTA activities and results will be described in the technical sections of the Subsystems safety
cases.

4.3.4 Failure Mode Effects Analysis


The subsystems will carry out Failure Mode and Effects Analysis (FMEA) to analyse the effects of
failures in the systems functions and components. It will be necessary to use the FMEA outputs to
determine the failure rates (hazard rates) of the system functions and components and compare
these with the corresponding tolerable hazard rate safety targets assigned from the FTA process
described in section 4.3.3 above.
The methodology adopted for the FMEA Procedure [RD 32] is in accordance with the requirements
stated in the Technical Specification Overview Safety Requirements [RT 3], and taking into
account Annex B in EN 50129 [RD 3] and section E.7 in CLC/TR 50126-2 [RD 28].
The FMEA will be carried out for each system to the applicable system function or component
level. It will identify the Systems and Subsystems effects of component failures, detection and
prevention methods, and assess their criticality.
The FMEA will give consideration to redundancy in the design, for example, hot or cold standby,
and revealed and unrevealed failures as applicable, and determine the criticality of each failure
mode that is analysed.
The FMEA activities and results will be described in the technical sections of the Subsystems
safety cases.

4.3.5 Safety Integrity Levels


The safety integrity levels (SILs) of all safety related equipment and functions will be demonstrated
and assured through compliance with good practice for the design and implementation of high
integrity systems. This will include compliance with EN 50126, EN 50128 and EN 50129 [RD 1, RD
2, RD 3]. Refer also to the relevant techniques and measures for SILs in Annex E in EN 50129 [RD
3], and Annex A and Annex B in EN 50128 [RD 2].
The subsystems will derive a SIL for each system safety function and component that will be
implemented using an electrical, electronic, or programmable electronic system, also using the
relationship between the SILs and THRs described in section 6.4.4 in the Technical Specification
Overview Project Overview [RT 2], and Table A.1 in EN 50129 [RD 3].
The systems that will be subject to documented SIL determination and assessment will be defined
during hazard analyses studies, and where possible, will be based on previous SIL assessments if
these can be demonstrated to be applicable. The SIL allocation will be used to determine the
adequacy of risk mitigation measures.
The SIL determination and assessment activities and results will be described in the technical
sections of the Subsystems safety cases.
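The chain described in sections 4.3.3 to 4.3.5 (minimal cut sets from a fault tree, a quantified top event rate compared with the THR, and the SIL band for that THR) is shown below as an added, constructed example; it is not Consortium software and uses no project data. The fault tree, the basic event figures and the THR are invented for illustration; the SIL bands are those of EN 50129 Table A.1 (THR per hour per safety function). The rate calculation is the usual rare-event approximation, not a method the plan prescribes.

```python
"""Fault tree quantification, THR comparison and SIL banding.

Constructed example for sections 4.3.3 to 4.3.5 of this plan; not
Consortium software. Tree, basic event figures and THR are invented;
the SIL bands follow EN 50129 Table A.1.
"""
import itertools

# Fault tree: a gate is (type, [children]); a basic event is a string.
# Constructed top event: loss of the function that prevents departure
# with a door not closed and locked.
TREE = ("OR", [
    "door_proving_relay_welded",
    ("AND", ["door_sensor_stuck_closed", "sensor_self_test_fails"]),
    ("AND", ["interlock_channel_A_fails", "interlock_channel_B_fails"]),
])

# Constructed figures per basic event:
# (failure rate per hour, mean time the failure stays undetected in hours).
BASIC_EVENTS = {
    "door_proving_relay_welded": (1e-9, 1.0),
    "door_sensor_stuck_closed":  (2e-6, 1.0),
    "sensor_self_test_fails":    (1e-5, 8760.0),   # found only at annual test
    "interlock_channel_A_fails": (1e-6, 1.0),
    "interlock_channel_B_fails": (1e-6, 1.0),
}

# EN 50129 Table A.1: lower bound <= THR < upper bound -> SIL.
SIL_BANDS = [(1e-9, 1e-8, 4), (1e-8, 1e-7, 3), (1e-7, 1e-6, 2), (1e-6, 1e-5, 1)]


def _minimise(cut_sets):
    """Drop duplicates and any cut set that contains another one."""
    unique = set(cut_sets)
    minimal = [s for s in unique if not any(o < s for o in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def minimal_cut_sets(node):
    """Minimal cut sets of the subtree at node: an OR gate unites its
    children's cut sets, an AND gate combines one cut set from each child."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        combined = [s for sets in child_sets for s in sets]
    elif gate == "AND":
        combined = [frozenset().union(*combo)
                    for combo in itertools.product(*child_sets)]
    else:
        raise ValueError("unknown gate type: %r" % gate)
    return _minimise(combined)


def cut_set_rate(cut_set, events):
    """Rare-event approximation of the cut set's occurrence rate: each event
    may be the last to fail (at its rate) while the others are already failed,
    each with unavailability q = rate * undetected time, capped at 1."""
    total = 0.0
    for last in cut_set:
        term = events[last][0]
        for other in cut_set:
            if other != last:
                rate, undetected = events[other]
                term *= min(rate * undetected, 1.0)
        total += term
    return total


def top_event_rate(tree, events):
    """Upper bound (sum over minimal cut sets) for the top event hazard rate."""
    return sum(cut_set_rate(cs, events) for cs in minimal_cut_sets(tree))


def dominant_cut_set(tree, events):
    """The cut set contributing most to the top event rate, i.e. where a
    design change reduces the hazard rate fastest."""
    return max(minimal_cut_sets(tree), key=lambda cs: cut_set_rate(cs, events))


def meets_thr(tree, events, thr):
    """Section 4.3.4 comparison: achieved hazard rate against the THR target."""
    return top_event_rate(tree, events) <= thr


def sil_for_thr(thr):
    """SIL band for a THR per EN 50129 Table A.1; None outside the table."""
    for low, high, sil in SIL_BANDS:
        if low <= thr < high:
            return sil
    return None


if __name__ == "__main__":
    THR = 1e-7   # constructed target for the example function
    print("minimal cut sets:", [sorted(cs) for cs in minimal_cut_sets(TREE)])
    print("top event rate  : %.3e /h" % top_event_rate(TREE, BASIC_EVENTS))
    print("dominant cut set:", sorted(dominant_cut_set(TREE, BASIC_EVENTS)))
    print("meets THR %.0e  : %s" % (THR, meets_thr(TREE, BASIC_EVENTS, THR)))
    print("SIL for THR     :", sil_for_thr(THR))
```

With the constructed figures the top event rate is about 1.8e-7 per hour, above the assumed THR of 1e-7 per hour, so the function would not pass the section 4.3.4 comparison; the dominant cut set is the door sensor failure combined with the self-test failure that stays undetected until the annual test, which is the unrevealed failure the FMEA is expected to surface. A THR of 1e-7 per hour falls in the SIL 2 band of Table A.1.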

4.3.6 Safety Requirements Specification


Safety requirements specifications for the subsystems will be produced in accordance with section
5.2.2 in EN 50126 [RD 1], and sections 5.3.6, A.2 and B.2.4 in EN 50129 [RD 3]. They will capture
the design and additional risk control measures for each safety function and component detailed in
the Hazard Logs. Refer to the Hazard Log Template described in Attachment A in the Consortium
Hazard Log Procedure [RD 10].
The safety requirements specification will be an input document to the software requirements
specification. Refer to section 8.2 in EN 50128 [RD 2].
For each safety requirement, the safety requirements specification should include:
A unique number for the safety requirement,
A description of the safety requirement where this is stated in the contract,
A description of the safety requirement where this has been derived (from the safety
analysis) for the safety function and component,
The tolerable hazard rate for the derived safety requirement applicable to the safety
function and component,
The SIL for the derived safety requirement applicable to the safety function and
component.

4.3.7 Safety Critical Item List


The Subsystems Hazard Log managers will develop the Safety Critical Item List (SCIL) for each of
the Subsystems and include the list in the Hazard Log reports and the safety cases.
An item in the SCIL shall be termed a safety critical item (SCI) based on the following criteria:
The item can be a railway system with an assigned SIL to one or more safety functions
and components,
The item can be a civil structure without an assigned SIL to one or more safety functions
and components,
A failure of the item can result in an accident causing severe injury, fatality or fatalities.

4.4 Hazard Management


Hazard management will be based on the capture and mitigation of significant safety hazards and
is the second element of the system safety activities. The main focus in hazard management is the
identification, analysis and recording of hazards in the Hazard Log. Other hazard management
activities take account of risk assessment and acceptance, and the verification of safety risk
controls and mitigations. These aspects are detailed in the following sections.
The Consortium Hazard Log will be a combination of the Transit System Hazard Log and the
CWJV System Hazard Log.
The Transit System Hazard Log will be a combination of the Transit System Subsystems Hazard
Logs.
The CWJV System Hazard Log will be a combination of the CWJV System Subsystems Hazard
Logs.
The structure of Hazard Logs is indicated in Figure 4.
The overall hazard management approach is included in the hazard analysis and safety case
process described in Attachment A Consortium System Safety Approach.

4.4.1 Hazard Log Format


The Consortium will implement a Consortium Hazard Log Procedure [RD 10], the details of which
are summarised in this section.
The Consortium will establish a structure of Hazard Logs relevant to the Consortium, Consortium
Partners and Subsystems levels as illustrated in Figure 4. This structure will ensure that hazards
can be captured at all levels of the project with risk mitigation actions and hazard closures tracked
by the relevant Hazard Logs.

To maintain a consistent format for the recording of hazards, and other hazard details, the
Consortium Partners and Subsystems will use the Hazard Log Template described in Attachment
A in the Consortium Hazard Log Procedure [RD 10].
The outputs from the Hazard Logs will be maintained as live documents for the duration of the
project with Hazard Log reports issued at key project milestones confirming the hazard status.
Inputs to the Hazard Logs will result from hazards identified during design development and as a
result of the hazard identification and analysis and safety study programmes. The status of Hazard
Logs will be considered during safety and design reviews.
The Subsystems will ensure that closure of the hazards and controls is achieved on a geographical
and project phase basis, and during the required project phases.
For the transfer of hazards, the Subsystems will implement a hazard transfer process setting out
the conditions on how hazards will be transferred between parties. Refer to the hazard transfer
process described in section 2.7 in Consortium Hazard Log Procedure [RD 10].
The Subsystems will provide verification references in their Hazard Logs, for example, references
to safety controls and risk mitigation actions that are provided. Verification references will also
include such items as subsystem design documents and reports, and the results of system safety
analyses. Refer to the Hazard Log Template described in Attachment A in the Consortium Hazard
Log Procedure [RD 10].

4.4.2 Verification of Safety Controls

The safety controls and risk mitigation actions defined in the Hazard Logs will be closed (and will
therefore permit the corresponding hazard to be closed) by the provision of verification evidence.
This evidence will be provided by following safety verification activities carried out in accordance
with the Safety Verification and Validation Procedure [RD 20].

Figure 4: Hazard Logs Structure

4.5 Safety Cases
Safety cases for the project will follow the principles described in EN 50129 [RD 3], and will be
based on the safety and hazard analyses and a diligent hazard management process. They are
the final part of the Consortium System safety activities. They will be provided both on the system
integration level (Consortium System) as well as on the Consortium Partners and Subsystems
levels. The safety cases are considered as part of the hazard analyses and safety case process
indicated in Attachment A Consortium System Safety Approach.
Safety cases for the Consortium System, Transit System, CWJV System and Subsystems, are
described in Attachment C Safety Case development.
The safety case work will be undertaken in accordance with the Consortium Safety Case
Procedure [RD 11] where safety cases will be developed and issued at the following main steps:
Design Safety Case
Final Safety Cases Line 1 and Line 2

4.5.1 Design Safety Cases


The safety case work will be prepared during the design phase and will be updated for each
designated main design activity until final issue. The design safety cases will deliver evidence of
compliance with the safety requirements in the design phase of the Metro System.
The design safety cases will consist of:
Consortium System Design Safety Case,
Transit System Design Safety Case,
CWJV System Design Safety Case,
Subsystems Design Safety Cases.
The Consortium System Design Safety Case will be delivered to the railway authorities (SRC and
ADA/RMTC).

4.5.2 Final Safety Cases


For the purpose of handover at the end of the Metro System testing & commissioning phase, Final
Safety Cases work will be provided at Consortium (railway system), Consortium Partners and
Subsystems levels. There will be separate final safety cases for Line 1 and Line 2 to take account
of the handover programme. The final safety case work will deliver evidence for the correct and
safe implementation of the Metro System in respect of final design, construction, testing,
commissioning and trial running.
The final safety cases will consist of:
Consortium System Final Safety Cases Line 1 and Line 2,
Transit System Final Safety Cases Line 1 and Line 2,
CWJV System Final Safety Cases Line 1 and Line 2,
Subsystems Final Safety Cases Line 1 and Line 2.
The Consortium System Final Safety Cases Line 1 and Line 2 will be delivered to the railway
authorities (SRC and ADA/RMTC).

4.6 Independent Safety Assessment
Independent safety assessment will be carried out as applicable to the system development V
lifecycle in accordance with EN 50126 [RD 1]. The Subsystem Independent Assessors will develop
ISA plans to satisfy the requirements of EN 50126 [RD 1] and the Subsystems ISA activities. ISA
requirements are described in Figure 6 and section 5.5.2 in EN 50129 [RD 3].
Independent safety assessment of software will be carried out in accordance with sections 6.2.6,
6.2.10 and 14.4.1 in EN 50128 [RD 2].

4.7 Safety Verification to Meet the Railway Regulations


The railway regulatory regime in the Kingdom of Saudi Arabia requires specific safety verification
processes to be implemented. The Consortium will appoint an ICP/ISA to develop an ICP/ISA Plan
and Programme Line 1 and Line 2 [RD 12] to address the full scope of independent safety
verification requirements in accordance with the ICP/ISA Plan. The Consortium will also appoint an
ICE to cover the requirements for an Independent Checking Engineer.
The key organisational responsibilities related to safety verification to meet railway regulatory
requirements are to provide the safety verification certification at end of detailed final design
leading to operation.
The Consortium will address the requirements of the Saudi Railways Commission (SRC) in line
with the proposals made in the Release for Revenue Service [RD 22] document. The Consortium
will ensure that the railway regulatory requirements are addressed during the design and
development phase including the appointment of the ICP/ISA. The Consortium CSSM and the
appointed ICP/ISA and ICE, will maintain contact with the ADA ISA and the SRC. The ICP/ISA will
provide safety verification certification and referenced documentation at the completion of final
design, leading to trial running, and to support the application for a Safety Certificate by the railway
operator.
The primary organisations involved in the system safety verification and approval process, to meet
the railway regulatory requirements, are outlined in Figure 5.

Figure 5: Safety Verification by the ICP/ISA also involving the ICE and Subsystems ISAs (organisation chart showing the Saudi Railways Commission, the Arriyadh Development Authority and the ADA ISA, the BACS Consortium Duty Holder, the BACS Consortium ICP/ISA, BACS Consortium Engineering and System Safety, the BACS Consortium ICE and the Subsystems ISAs, linked by liaison and (safety) verification relationships)

The Consortium has nominated the Consortium Project Director as Duty Holder responsible for all
issues related to system safety and safety related aspects of the Consortium System, Transit
System, CWJV System and Subsystems. The Consortium Project Director is the formal interface
with the SRC for the Metro System safety related issues and will be responsible for ensuring that a
safety verification scheme is implemented including the issue of safety verification certificates.
The ICP/ISA has been appointed by the Consortium Duty Holder to implement the project safety
verification scheme described in the ICP/ISA Plan and Programme Line 1 and Line 2 [RD 12].
The Consortium Duty Holder will also be responsible for obtaining formal approval of the
appointment from the SRC.
The main duties of the ICP/ISA are described as follows:
Review and audit the implementation of system safety and the safety of designs developed
by the Systems and Subsystems. The ICP/ISA will provide safety verification certification
to SRC on behalf of the Duty Holder following completion of final design, leading to trial
running, and handover of the railway systems and infrastructure to the operator.
Review, audit and assess the process application and results of the ICE to confirm that
appropriate safety verification activities are being implemented for the project.
Review the design and implementation of the Metro System via the ongoing and
consequent checking of the RAM and safety activities. The effectiveness of the ICP/ISA
will be ensured by maintaining independence and undertaking appropriate safety
verification activities during and at the completion of each project phase as described in
the ICP/ISA Plan [RD 12].

Issue and maintain the ICP/ISA Plan [RD 12] detailing the safety verification activities in
order to:
Audit the implementation of the system safety activities,
Assess the compliance of system safety activities and analyses with contractual
requirements, national and international regulations and standards.
Provide monthly reporting on the progress of the Metro System safety verification
activities.
The ICP/ISA will liaise with the ICE and the ADA ISA to ensure that safety verification certification
and supporting evidence is developed and issued to the required standards and timescales. The
ADA ISA will act as the interface with the SRC on safety verification matters.
The overall process for safety verification of the Riyadh Metro System is defined in the Safety
Verification and Validation Procedure [RD 20].

4.8 Safety Audits


The CSSM will coordinate with the Consortium Quality Manager and Consortium RAM Manager to
develop a coordinated programme of project audits at Consortium, Transit System, CWJV System
and Subsystems levels. This will consider the development and implementation of system safety
processes and procedures. Where necessary specific technical safety audits will also be
undertaken.
The audit programme and scope will be risk based with timescales for corrective actions defined
that take account of the project schedule.
The Consortium will develop a Safety Audit Plan [RD 26] to ensure that an adequate safety audit
regime at Consortium, Consortium Partners and Subsystems levels is in place. Figure 6 in section
6.1 identifies the document structure relevant to the safety audit regime and activities.

4.9 Safety Reviews


The CSSM will review the reports resulting from the ICE and ICP/ISA activities and, where safety
issues are identified, remedial actions will be agreed with the project management/engineering
teams and the Consortium Partners safety managers.
The CSSM will implement a programme of formal safety reviews in association with the
Consortium Partners safety managers. The remit of the safety reviews will be to:
Review the details and status in the Hazard Logs, safety studies and analyses,
Review design options related to safety,
Review the reports issued by the ICP/ISA, ICE, Subsystems ISAs and safety auditors, and the
status of the defined remedial actions,
Monitor progress on the development of the Safety Cases at the different levels.

5 Other System Safety Activities
In addition to the system safety process described above, there are other project safety activities
relevant to achieving the system safety requirements referred to in the standards [RD 1, RD 2,
RD 3, RD 4 and RD 5]. The further safety activities required for the safety cases are described in
the following sections.

5.1 Safety Related Studies

5.1.1 Fire Hazards

Fire is a significant safety hazard to passengers, staff and general public. In addition to ensuring
compliance with NFPA 130 [RD 5], the Consortium will ensure that appropriate fire risk analyses
are undertaken.
The fire safety analyses will consider the Metro System track, tunnels and station areas. For
example, consideration will be given to undertaking passenger flow and smoke modeling of station
areas to assess the adequacy of the means of escape, based on the fire scenarios such as train
on fire at a platform. Fires in tunnels will also be considered.
Fire safety engineering assessments will include the following aspects:
Means of escape and maximum evacuation time to a place of safety,
Fire ventilation and pressurisation systems,
Fire compartmentation and structural fire protection,
Fire safety of materials,
Fire safety support systems including signage, emergency lighting and communications,
Civil Defence access and facilities.
Where fire safety risks are identified, and risk ranking and appropriate risk mitigation actions have
been defined, these will be entered into the Hazard Logs for resolution and close-out.
Fire safety issues raised at formal meetings with Civil Defence will also be included, where
necessary, in the Hazard Logs.

5.1.2 EMC and EMI


Electromagnetic compatibility and interference (EMC and EMI) problems, arising from internal and
external sources, can present significant safety hazards to railway systems.
EMC risk analysis will be undertaken as an integral element of the design process in accordance
with the required standards. Where necessary, EMC testing will be undertaken to confirm that no
unacceptable levels of EMI exist that could affect the safety performance of the railway systems.
Potential EMI hazards will be considered during the Subsystems hazard analyses. Where
significant EMI hazards are identified, and risk ranking and appropriate EMC risk mitigation actions
have been defined, these will be entered into the Hazard Logs for resolution and close-out.
The EMC management processes will be detailed in an EMC Management Plan [RD 24].
EMI risks will be controlled to acceptable levels by:
Where necessary, implementation of an EMC organisation to study the risks and resolve
them,

Coordination of EMC related activities (associated with, for example, design, installation,
testing) for each Subsystem.
The following EMC activities will be undertaken during the design development and installation
phases:
EMC requirements for each Subsystem and for the overall System based on relevant
standards will be defined,
EMC risk analysis will be an integral element of the Subsystem design and technical
specification process,
Subsystem related EMC measures will be verified by measures including design
verification, installation audits and site inspections.
During the commissioning phase the defined EMC measures will be verified, where appropriate, by
means of tests which comply with the relevant standards.

5.1.3 Human Factors


Inadequate consideration of human factors issues can result in significant safety hazards. The
Consortium will therefore consider human factors as an integral element of the design and
configuration processes during the project phases to ensure that relevant safety hazards are
addressed.
Human factors will be considered during the Subsystems hazard analyses, and for this to take
place, the Subsystems will arrange for appropriate human factors studies where required at the
Subsystems level.
Human factors studies will consider such things as:
OCC functions and operations,
Depot operations and maintenance
Passengers, staff and general public,
Safe areas on structures,
Movements and evacuations in stations, viaducts and tunnels,
Emergency plans,
Building and room layouts,
Interfaces,
Signage.
Where human factors safety risks are identified, and risk ranking and appropriate risk mitigation
actions have been defined, these will be entered into the Hazard Logs for resolution and close-out.
The management of human factors risks will be detailed in a Human Factors Management Plan
[RD 25].

5.2 Safety Management Processes

5.2.1 Quality Management


To satisfy the safety management requirements, the Consortium will establish a project quality
management system for the project phases to ensure a high product and system quality and to
supervise and control the quality of the Consortium activities. This will be in accordance with the
Quality Assurance Plan [RD 7].
The CWJV System and Transit System organisations, as well as the Subsystems and suppliers,
will establish their own quality management systems in accordance with ISO 9001 [RD 30] and
ISO 90003 [RD 31].

5.2.2 Verification and Validation
Verification and validation activities will be carried out as applicable to the system development V
lifecycle in accordance with the Safety Verification and Validation Procedure [RD 20], which follows
the verification and validation requirements described in section 5.2 of EN 50126 [RD 1] and
section 5.3.9 of EN 50129 [RD 3].
Verification will demonstrate that, for specific inputs, the deliverables of each lifecycle phase meet
in all respects the requirements of that phase.
Validation will demonstrate that the system under consideration, at any step of its development and
after its installation, meets the system requirements in all respects.

5.2.3 Engineering Design Assurance Gates


Engineering Design Assurance Gates will be provided by the Consortium to ensure that the
following assurance activities are carried out:
To provide progressive assurance during the design stage that the requirements and
objectives of the project will be achieved,
To establish a regime where agreed products and deliverables are submitted, reviewed and
accepted. In the event that submissions are rejected the Design Assurance Gates will
provide a control mechanism for re-submission,
To provide clear visibility at progress checkpoints,
To align with the project requirements.
Design Assurance Gates requirements are described in the Engineering Design Assurance Gates
Procedure [RD 27].

5.2.4 Design Reviews


The CWJV System, Transit System and Subsystems, will perform adequate design reviews during
the project phases as part of the system design assurance activities, to review all relevant system
safety aspects of the Subsystems designs and implementation.
The design reviews will be in accordance with the Design Management Plan [RD 16].

5.2.5 Requirements Management


The Consortium will establish a project requirements management process for the project phases
to ensure that requirements management is undertaken, including system safety aspects, and to
supervise and control the requirements management activities of the Consortium, CWJV System
and Transit System works, as well as the works of the Subsystems and suppliers.
The requirements management activities will be in accordance with the Requirements
Management Plan [RD 18].

5.2.6 Configuration Management


The Consortium will establish a configuration management process to be part of the project
management activities during the project phases. This will supervise and control the configuration
items status of Consortium deliverables as well as the CWJV System, Transit System and
Subsystems deliverables.
The configuration management activities will be in accordance with the Configuration Control Plan
[RD 6].

5.2.7 Problem Reporting and Corrective Action
A problem or failure reporting and corrective action system (FRACAS) will be provided in
accordance with section 6.4.3.3 and Figure 9 of EN 50126 [RD 1].
The FRACAS will also be used for:
Software problem reporting and corrective actions in accordance with section 15.4.9 in EN
50128 [RD 2],
Supporting trial running and RAM demonstration activities in the form of a data reporting
and corrective action system (DRACAS) stated in section 6.2 in the Consortium RAM Plan
[RD 29].

5.2.8 Interface Management


The Consortium will establish an interface management process for the project phases to ensure
that interface management is undertaken, including system safety aspects, and to supervise and
control the interfaces in the Consortium, CWJV System and Transit System works, as well as the
works of the Subsystems and suppliers.
The interface management activities will be in accordance with the Interface Management Plan
[RD 17].

5.2.9 System Validation

The Consortium will establish a system validation process for the project phases to ensure
validation activities are undertaken on all relevant system aspects of the CWJV System and Transit
System works, as well as the works of the Subsystems and suppliers.
The validation activities will be in accordance with the System Validation Plan [RD 14].

5.2.10 Software Safety Management

The Consortium will establish a software safety management process for the project phases to
ensure that software safety management is undertaken, and to supervise and control the software
to be designed and delivered by the CWJV System and Transit System works, as well as the
works of the Subsystems and suppliers.
The software safety management activities will be in accordance with the System Software Safety
Procedure [RD 21].

5.2.11 Change Management


The Consortium will establish a change management process as part of the project management
processes for the project phases to supervise and control the change status of Consortium
deliverables, as well as the deliverables of the CWJV System, Transit System, and the
Subsystems and suppliers.
The change management activities will be in accordance with the Quality Assurance Plan
[RD 7].

5.3 Built Environment Risk Assessment

5.3.1 Geotechnical Conditions


The CWJV Consortium Partner will undertake a risk assessment of the geotechnical conditions,
following a formal safety assessment approach comprising:
Hazard identification to identify the potential hazards associated with geotechnical issues
arising from the preliminary design,
Hazard analysis to assess the causes of the hazards and the hazard probabilities. The
consequences (accident sequences) of each of the identified hazards will also be
assessed,
Risk assessment to determine the overall geotechnical risk associated with the preliminary
design, to be compared with risk tolerability criteria for the project. Alternative risk mitigation
measures that could be incorporated into the developing design will be identified.
Refer to subsection 6.1 in the Technical Specification Overview Project Overview [RT 2].
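As an added worked example (not the Consortium's Hazard Log Procedure or any project tooling), the following Python models the cycle that sections 5.1.1 to 5.1.3 and 5.3.1 describe: a hazard is identified, ranked against a tolerability matrix, mitigations are defined and entered in the Hazard Log, and close-out is only granted once the residual risk is acceptable. The residual ranking is credited only when every mitigation is both implemented and verified, and Undesirable or Intolerable residual risk is never closed. The frequency and severity categories and the matrix are assumed to be the informative example in EN 50126-1:1999 (reproduced from memory); the project's own tolerability criteria are defined in the Hazard Log Procedure and may differ. The hazard entries, hazard IDs and acceptance record references are constructed for the example.

```python
"""Hazard log with risk ranking and close-out gating.

Added illustration; not the Consortium's Hazard Log Procedure or tooling.
ASSUMPTION: categories and matrix follow the informative example of
EN 50126-1:1999 (from memory); the project's own criteria may differ.
All hazard entries and record references below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Frequency(IntEnum):
    INCREDIBLE = 0
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


class Severity(IntEnum):
    INSIGNIFICANT = 0
    MARGINAL = 1
    CRITICAL = 2
    CATASTROPHIC = 3


# Risk class code per frequency row, indexed by Severity:
# N = Negligible, T = Tolerable, U = Undesirable, I = Intolerable.
RISK_MATRIX = {
    Frequency.FREQUENT: "UIII",
    Frequency.PROBABLE: "TUII",
    Frequency.OCCASIONAL: "TUUI",
    Frequency.REMOTE: "NTUU",
    Frequency.IMPROBABLE: "NNTT",
    Frequency.INCREDIBLE: "NNNN",
}
RISK_NAME = {"N": "Negligible", "T": "Tolerable", "U": "Undesirable", "I": "Intolerable"}


@dataclass
class Mitigation:
    action: str
    implemented: bool = False
    verified: bool = False  # confirmed by review/audit evidence, not merely claimed


@dataclass
class Hazard:
    hazard_id: str
    description: str
    study: str  # originating study: "Fire", "EMC", "Human Factors", "Geotechnical"
    frequency: Frequency  # unmitigated estimate from the hazard analysis
    severity: Severity
    mitigations: list[Mitigation] = field(default_factory=list)
    residual_frequency: Optional[Frequency] = None
    residual_severity: Optional[Severity] = None
    acceptance_ref: Optional[str] = None  # record of formal acceptance of residual risk
    status: str = "open"


def risk_class(frequency: Frequency, severity: Severity) -> str:
    """Rank a frequency/severity pair against the tolerability matrix."""
    return RISK_NAME[RISK_MATRIX[frequency][severity]]


def residual_class(h: Hazard) -> str:
    """Credit the residual ranking only when every mitigation is implemented
    and verified; otherwise the unmitigated ranking stands."""
    credited = bool(h.mitigations) and all(m.implemented and m.verified for m in h.mitigations)
    if credited and h.residual_frequency is not None and h.residual_severity is not None:
        return risk_class(h.residual_frequency, h.residual_severity)
    return risk_class(h.frequency, h.severity)


def close_out(h: Hazard) -> tuple[bool, str]:
    """Attempt close-out. Rule (assumption modelled on the EN 50126 classes):
    Intolerable/Undesirable never close, Tolerable needs a recorded acceptance,
    Negligible closes. Returns (closed, reason)."""
    cls = residual_class(h)
    if cls in ("Intolerable", "Undesirable"):
        return False, f"{h.hazard_id}: residual risk {cls}, further mitigation required"
    if cls == "Tolerable" and not h.acceptance_ref:
        return False, f"{h.hazard_id}: Tolerable residual risk needs an acceptance record"
    h.status = "closed"
    return True, f"{h.hazard_id}: closed with residual risk {cls}"


def open_hazards(log: list[Hazard]) -> list[str]:
    """Hazard IDs still open, as listed in a periodic Hazard Log Report."""
    return [h.hazard_id for h in log if h.status != "closed"]


def demo_log() -> list[Hazard]:
    """Two constructed entries: one fire hazard, one geotechnical hazard."""
    fire = Hazard("HZ-FIRE-001", "Train on fire at platform delays evacuation",
                  "Fire", Frequency.REMOTE, Severity.CATASTROPHIC)
    fire.mitigations = [
        Mitigation("Platform smoke extraction sized by smoke modelling", True, True),
        Mitigation("Escape routes meet the NFPA 130 evacuation time", True, False),
    ]
    fire.residual_frequency, fire.residual_severity = Frequency.IMPROBABLE, Severity.CRITICAL
    geo = Hazard("HZ-GEO-003", "Undetected void beneath a viaduct pier foundation",
                 "Geotechnical", Frequency.OCCASIONAL, Severity.CRITICAL)
    geo.mitigations = [Mitigation("Additional boreholes and grouting at affected piers", True, True)]
    geo.residual_frequency, geo.residual_severity = Frequency.IMPROBABLE, Severity.CRITICAL
    geo.acceptance_ref = "SRM-2013-017"  # constructed acceptance record reference
    return [fire, geo]
```

Running `close_out` over `demo_log()` closes the geotechnical entry (residual risk Tolerable with a recorded acceptance) but refuses the fire entry, because one of its mitigations is not yet verified and the unmitigated Undesirable ranking therefore still stands; `open_hazards` then lists it as the remaining open item for the Hazard Log Report.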

5.3.2 Impact on Existing Structures and Utilities


The CWJV Consortium Partner will identify the existing and under-construction public facilities and
other permanent (fixed) structures that lie along the routes of the Metro System, including:
Bridges, viaducts, tunnels and underpasses,
Buildings and retaining walls,
High-mast lighting columns,
Large road signs and advertising signs,
Public utilities networks.
The CWJV Consortium Partner will study the impact of the Metro lines on these facilities and
propose, where needed, appropriate protection, diversion or relocation measures. The Partner will
also build on the preliminary utilities diversion scheme included in the drawings, and complete it in
accordance with the project requirements.
Refer to subsection 6.2 in the Technical Specification Overview Project Overview [RT 2].

6 System Safety Documentation

6.1 Documentation Structure


A document structure will be established to document the system safety activities of the
Consortium, Consortium Partners, and Subsystems. Figure 6 below shows an overview of the
safety documents in the structure. The system safety documentation will be prepared on the
Consortium, Consortium Partners and Subsystems levels to document the results of the particular
system safety activities. Respective guidance paths, review and release responsibilities, and
additional safety review stages are shown.

Figure 6: General Structure of System Safety Documentation

The overall approach is that each system level provides safety analysis outputs and guidance on
the scope of the system safety activities at the level below it, and checks and releases the
results produced there. In turn, each level provides information, analysis results and other input
to the overall system safety activities, based on the output of the Subsystems suppliers.
The Consortium CSSM and Consortium Partners will review and audit the Subsystems documents,
procedures and safety activities.
The following groups of documents will be prepared on Consortium, Consortium Partners and
Subsystems levels as necessary:
Plans,
Procedures,
Reports.

6.1.1 Plans
The Consortium System Safety Plan (Level 1) will be supported by the Consortium Partners (Level
2) and Subsystems (Level 3) plans to document the system safety activities applicable to the three
levels. These plans will contain all relevant information about the organisation, schedule, and
activities of the respective level. They will cover the following items:
Safety requirements, recommendations and criteria,
Overview about the system configuration,
Safety organisation and management,
The phasing of system safety activities,
Hazard Logs and Safety Cases,
Safety activity document deliverables.

6.1.2 Procedures
The Consortium will prepare procedures for undertaking particular safety activities to describe the
objectives, processes, documentation, roles and responsibilities.
The Consortium procedures are identified in section 6.2.
Subsystems level procedures will be identified in the Subsystems safety plans.

6.1.3 Reports
The Consortium will prepare reports to provide information on particular safety activities relevant to
the Consortium level.
The Consortium reports are identified in section 6.2.
Subsystems level reports will be identified in the Subsystems safety plans.

6.1.4 Document Reviews


The system safety document deliverables including analyses will be updated and reviewed at each
project phase. An overview of the planned reviews and document deliverables updates is
described in section 6.2. Comments and issues raised by the ICP/ISA, the ADA ISA, ICE and
Subsystems ISAs, will be considered as part of the review process.

The Consortium Partners safety plans will be submitted to the CSSM for review and acceptance.
The Subsystems safety plans will be submitted to the CSSM for review and comment after
acceptance by the Consortium Partners.

The Subsystems documents to be reviewed by the Consortium Partners, including the Subsystems
safety plans, will be described in the Consortium Partners safety plans.

6.2 Consortium System Safety Documents
System safety documents prepared on the Consortium level are listed in the following table.
Transit System, CWJV System and Subsystems system safety documents will be described in the particular safety plans.

| Document | Section Reference | Detailed Design Stage | Final Design Stage | Manufacturing and Construction Stage | Testing Stage | Trial Running Stage |
|---|---|---|---|---|---|---|
| Consortium System Safety Plan | This document | Issue | Update | | | |
| Hazard Identification and Analysis Procedure | 4.2 | Issue | | | | |
| Hazard Log Procedure | 4.2.2 | Issue | | | | |
| Hazard Log Report | 4.4.1 | Issue | Issue | Issue | Issue | Issue |
| Verification and Validation Procedure | 4.4.2 | Issue | | | | |
| Safety Audit Plan | 4.8 | Issue | | | | |
| System Software Procedure | 5.2.10 | Issue | | | | |
| Safety Case Procedure | 4.5 | Issue | | | | |
| Design Safety Case | 4.5.1 | Draft | Issue | Issue | | |
| Final Safety Cases (Lines 1 and 2) | 4.5.2 | | | Draft | Issue | Issue |
| Periodic Safety Report | 6.1.3 | Issue | Issue | Issue | Issue | Issue |

Attachment A Consortium System Safety Approach

Attachment B Consortium Functional Structure

Attachment C Safety Case development

Attachment D Safety Lifecycle and Phase Related Safety Tasks

[Figure (image not reproduced): safety lifecycle V diagram. Descending left-hand branch: System Definition, Preliminary Design, Risk Analysis, Safety Requirements, Detailed Design, Final Design, Manufacture & Construction. Ascending right-hand branch: Installation & Equipment Testing, Subsystem Testing, System Commissioning, System Requirements Validation, Trial Running, System Acceptance. Horizontal links labelled "Lifecycle Phase Verification" connect the two branches.]
The system safety tasks relevant to the above safety lifecycle V diagram are indicated in the
following table.

| Lifecycle Phase | Phase Related System Safety Task Outputs |
|---|---|
| System Definition & Preliminary Design | Consortium Safety Plan; PHA; Initial Hazard Log; ICP/ISA Plan; SRC Approval of ICP/ISA; ICP/ISA & ICE Reports |
| Risk Analysis | Safety Related Studies (Fire, EMC, Human Factors); PHA, SHA, IHA; Updated Hazard Logs; Risk Classifications; QRA; ICP/ISA & ICE Reports |
| Safety Requirements | THRs and SILs; Safety Acceptance Criteria; Safety Functions; Safety Related Application Conditions; Safety Integrity Level Assessment; Safety Requirements Specifications; Safety Critical Item Lists; Validation Test Plan |
| Detailed Design | Safety Management Procedures; Systems and Subsystems Safety Plans; SHA, IHA, FMEA, FTA; Updated Hazard Logs; Updated Safety Requirements Specifications; Updated Safety Critical Item Lists; Draft Design Safety Cases; Draft Systems and Subsystems Safety Cases; Safety Review and Audit Reports; ICP/ISA & ICE Reports |
| Final Design | Safety Review and Audit Reports; ICP/ISA & ICE Reports; Updated Hazard Logs; Design Safety Cases; Systems and Subsystems Design Safety Cases; ICP/ISA Safety Verification Certificate; SRC Statement of No Objection |
| Manufacture and Construction | Updated System Safety Plans; Updated Hazard Logs; Verification Activities; Factory Acceptance Test Reports (equipment testing); Safety Review and Audit Reports |
| Installation & Equipment Testing | Verification Reports; Updated Hazard Logs; Safety Review and Audit Reports |
| Subsystem Testing | Subsystems Verification Reports; Updated Hazard Logs; Safety Review and Audit Reports |
| System Commissioning | System Validation Reports; Updated Hazard Logs; Safety Review and Audit Reports; ICP/ISA Reports |
| Trial Running | Updated Safety Related Application Conditions; Updated Hazard Logs; Draft Final Safety Cases; Draft Final Systems and Subsystems Safety Cases; Safety Review and Audit Reports; ICP/ISA Reports; ICP/ISA Safety Verification Certificate; SRC Statement of No Objection |
| System Acceptance | Final Hazard Log Report; Final Safety Cases; Final Systems and Subsystems Safety Cases; ICP/ISA Final Report; ICP/ISA Safety Verification Certificate; SRC Safety Certificate |

Attachment E Safety Plan Traceability Matrix
The following table provides traceability from the Safety Plan requirements of EN 50126, section 6.2.3.4, to the Consortium System Safety Plan
(this document) and Procedures.

| EN 50126 Section 6.2.3.4 Requirement | Safety Plan Section | Additional Source Information |
|---|---|---|
| The Safety Plan should include: | | |
| a) the policy and strategy for achieving safety; | 1.1 and 1.3 | |
| b) the scope of the plan; | 1.2 | |
| c) a description of the system; | 2 | |
| d) details of roles, responsibilities, competencies and relationships of bodies undertaking tasks within the life cycle; | 3 | |
| e) description of the system life cycle and safety tasks to be undertaken within the life cycle along with any dependencies; | Attachment D | |
| f) the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for: | | |
| f) ensuring an appropriate degree of personnel independence in tasks, commensurate with the risk of the system; | 3.3 | Safety Verification and Validation Procedure |
| f) hazard identification and analysis; | 4.2.2 | Hazard Identification and Analysis Procedure |
| f) risk assessment and on-going risk management; | 4.3 | Hazard Identification and Analysis Procedure |
| f) risk tolerability criteria; | 4.3.2 | Hazard Log Procedure |
| f) the establishment and on-going review of the adequacy of the safety requirements; | 4.9, 5.2.2, 5.2.3, 5.2.4, 5.2.7, 5.2.9 and 6.1 | Safety Review and Audit Plan; Safety Verification and Validation Procedure; System Safety Software Procedure |
| f) system design; | 5.2.3, 5.2.4 and 5.2.10 | Design Management Plan; System Safety Software Procedure |
| f) verification and validation; | 4.4.2, 4.7 and 5.2.2 | Safety Verification and Validation Procedure |
| f) safety assessment, to achieve compliance between system requirements and realisation; | 4.6 | System Safety Software Procedure |
| f) safety audit, to achieve compliance of the management process with the Safety Plan; | 4.8, 6.1 and Attachment D | Safety Review and Audit Plan |
| f) safety assessment to achieve compliance between subsystem and system safety analysis; | 4.6 | System Safety Software Procedure |
| g) details of all safety related deliverables from the lifecycle, including: | | |
| g) documentation; | 6.1 and 6.2 | System Safety Software Procedure; Safety Case Procedure |
| g) hardware; | Attachment D | Design Management Plan; System Requirements Specification |
| g) software; | 5.2.10 | System Safety Software Procedure; Safety Case Procedure |
| h) a process to prepare system safety cases; | 4.5 | Safety Case Procedure |
| i) a process for the safety approval of the system; | 4.4.2, 4.5, 4.6, 4.7, 4.8, 4.9, 5.2.2, 5.2.3, 5.2.4, 5.2.7, 5.2.9 and 6.1 | Safety Review and Audit Plan; Safety Verification and Validation Procedure; System Safety Software Procedure |
| j) a process for safety approval of system modifications; | 5.2.11 | Quality Assurance Plan |
| k) a process for analysing operation and maintenance performance to ensure realised safety is compliant with requirements; | 4.2.1, 4.3, 4.4, 4.4.2, 4.7 and 5.2.2 | Hazard Identification and Analysis Procedure; Hazard Log Procedure; Safety Verification and Validation Procedure |
| l) a process for the maintenance of safety related documentation, including a hazard log; | 4.4 and 6 | Quality Assurance Plan; Hazard Log Procedure; System Safety Software Procedure |
| m) interfaces with other related programmes and plans; | 5.2.8 | Interface Management Plan |
| n) constraints and assumptions made in the plan; | 1.2 and 2 | Quality Assurance Plan; System Safety Software Procedure |
| o) subcontractor management arrangements; | 3 | Quality Assurance Plan; System Safety Software Procedure |
| p) requirements for periodic safety audit, safety assessment and safety review, throughout the life cycle and appropriate to the safety relevance of the system under consideration, including any personnel independence requirements. | 4.4.2, 4.6, 4.7, 4.8, 4.9, 5.2.2, 5.2.3, 5.2.4, 5.2.7, 5.2.9 and 6.1 | Safety Review and Audit Plan; Safety Verification and Validation Procedure; System Safety Software Procedure |
