A rail operator was investigating options for improved locomotive fuel management, one of which included programmable logic controllers (PLCs). While the proposed PLC technology had a widely installed industrial base, none had been fitted to the company’s locomotives at the time of this study and local industry knowledge of applications like this was limited.
The proposed application of new technology in railway locomotives required a cautious approach and a sound risk assessment in an inherently conservative sector. At the concept stage of design, the assessment focussed on safety and operational risks, paying special attention to the role and ability of electronic equipment to fulfil strict safety requirements. Other risks were also assessed, including reliability of systems and equipment. In addition, the company sought initial input from key stakeholders who would be using the technology, the train drivers and operators, to assist in improving the design and gaining acceptance for it before making a major investment in production. Early stakeholder engagement was also intended to prepare for changes in operating practices that would be required to put the improved system to work.
The project team had already planned to conduct a further assessment during the detailed design stage, when there was an expectation that the evolving design would incorporate additional specific safety functions.
Inputs to the PLC system would include fuel tank levels, odometer readings, generator power, throttle settings, and diesel engine and traction status. The role of the PLC system was to provide fuel information to the driver, such as tank levels, distance to empty and fuel efficiency, as well as to provide warnings to the driver when appropriate.
At the time of this development, drivers initiated actions in response to the data presented by the existing fuel information system. In contrast, the new PLC system would automate control of some functions of the diesel engine and the traction system, which are widely regarded as safety-related functions where a reduction in direct human involvement can be a cause for concern. This generated compliance issues associated with the use of electronic safety-related systems.
The company planned to introduce the new fuel management system in stages. The aim was to reduce risks by prototyping the system on a small number of locomotives, thereby proving the technology and the benefits that could be derived, before wider implementation across the locomotive fleet.
The project was at the concept stage, so the focus of the initial risk assessment was at an overview level. Further risk assessments were planned to support subsequent decisions as the design evolved. Risk assessments like this, held early in the project life, can provide significant benefits, as options can be evaluated at low cost before major financial commitments are made.
The design involved new technology, so the focus of the risk assessment was on performance, usability and safety, rather than project implementation performance in the form of budget and schedule.
Success criteria for the project were identified early, in consultation with the company, as part of establishing the context for the risk assessment (Table 1). The criteria were used to develop measures for describing the consequences of risks for use in a risk assessment workshop. The criteria do not include the project budget or schedule, as the conduct of the project itself was not part of the assessment.
The company’s existing likelihood ratings and risk priority framework were used.
Table 1: Success criteria
- Profit, competitiveness, value for money, market share, minimum expenses
- Reliability, quality, fuel efficiency, flexibility, performance
- Business and community relationships: trust, reputation, fair dealing, good citizen, contractual obligations, continued custom
- Technical compliance, accountability and standards, minimum liability, minimum environmental impact, workplace health and safety
A set of key elements was developed to provide a structure for risk identification and an agenda for the workshop. The key elements covered the main physical and functional aspects of the locomotive PLC technology as well as performance requirements:
- Fuel management
- Start and stop control of diesel engines
- Enabling and disabling of traction systems
- Human machine interface (screen)
- PLC hardware
- PLC software
- Maintenance and trouble-shooting
- Field equipment
- Train consist communications
- Future requirements
The approach, criteria and key elements were summarised in a briefing document that was distributed to the participants prior to the workshop.
Workshop participants from the company and its main engineering consultant covered the following functions:
- Fuel management
- Train crewing
- Locomotive engineering and maintenance
- Train performance analysis
- Train scheduling and planning
- Project management
The risks identified were found to be spread fairly evenly over the key elements, indicating there was no one part of the project with significantly more uncertainty than the others. All elements seemed to have been addressed to a similar level.
One risk was considered extreme enough to threaten the success of the project, three were assessed as major and four as medium (Figure 1).
- The extreme risk and one of the major risks involved the engines starting or the train starting to move spontaneously, with potentially catastrophic consequences for safety and asset integrity
- The other two major risks were associated with malfunctions in the PLC system software.
The majority of the risks were assessed as minor, an indication that most were already under appropriate control.
Most of the highest risks had consequences that affected safety. More specific and detailed analysis would be required for these as the project progressed, particularly of the safety aspects of the PLC system and its specific application to controlling the locomotive consist*.
(* Note: A train consist is the ‘map’ of a train, specifying the individual locomotives and units of rolling stock and their positions in the train. For example, a freight train might have two leading locomotives, followed by a number of freight wagons, then another locomotive and further wagons; the consist would describe the composition of the train and the identifiers of the individual locomotives and wagons.)
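The extreme risk above, engines starting or the train moving spontaneously, is the classic case for a fail-safe interlock between an information and automation function and the safety-related outputs it can influence. The following Python model is an added illustration for this case study, not the rail operator's or its consultant's design; the signal names, time limits and permissive rules are assumptions chosen to show the pattern. It demonstrates what a detailed safety analysis of the PLC application would examine: the fuel-management logic can only request an engine start, engine stop or traction enable, and every output falls back to its safe value unless the train is secured, the driver has explicitly confirmed the action within a short window, and the input scan is fresh and plausible.

```python
"""Fail-safe interlock between fuel-management logic and engine/traction outputs.

Added illustration, not the operator's design. Signal names, limits and rules
are assumptions. Rules modelled:
  * The fuel-management logic may only *request* an action.
  * Engine start and traction enable need a recent explicit driver command
    and a secured train (stationary, brake applied, reverser neutral, idle).
  * Automatic engine stop is allowed on a secured train; otherwise the driver
    must confirm it.
  * Stale, implausible or conflicting inputs force all outputs to safe values.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed engineering limits (not values from the case study)
MAX_INPUT_AGE_S = 1.0        # an input scan older than this is treated as lost
DRIVER_CMD_WINDOW_S = 5.0    # a driver command is honoured only this long
FUEL_LEVEL_PCT_RANGE = (0.0, 100.0)


@dataclass(frozen=True)
class Inputs:
    now: float                 # interlock clock, seconds
    sampled_at: float          # time of the latest input scan
    speed_kmh: float
    brake_applied: bool
    reverser_neutral: bool
    throttle_notch: int        # 0 = idle
    engine_running: bool
    fuel_level_pct: float
    driver_cmd: Optional[str]  # "start", "stop", "enable_traction" or None
    driver_cmd_at: float       # time the driver command was given


@dataclass(frozen=True)
class Request:
    """What the fuel-management logic would like to do."""
    engine_start: bool = False
    engine_stop: bool = False
    traction_enable: bool = False


@dataclass(frozen=True)
class Outputs:
    engine_start: bool
    engine_stop: bool
    traction_enable: bool
    reason: str


def safe(reason: str) -> Outputs:
    """Every output at its safe value: no start, no stop, traction disabled."""
    return Outputs(False, False, False, "safe state: " + reason)


def input_fault(i: Inputs) -> Optional[str]:
    """None if the scan is fresh and plausible, else a fault description."""
    if i.sampled_at > i.now or i.now - i.sampled_at > MAX_INPUT_AGE_S:
        return "stale inputs"
    lo, hi = FUEL_LEVEL_PCT_RANGE
    if not lo <= i.fuel_level_pct <= hi:
        return "implausible fuel level"
    if i.speed_kmh < 0 or i.throttle_notch < 0:
        return "implausible speed or throttle"
    return None


def driver_confirmed(i: Inputs, cmd: str) -> bool:
    """True only for an explicit driver command given within the window."""
    return i.driver_cmd == cmd and 0.0 <= i.now - i.driver_cmd_at <= DRIVER_CMD_WINDOW_S


def secured(i: Inputs) -> bool:
    return (i.speed_kmh == 0 and i.brake_applied
            and i.reverser_neutral and i.throttle_notch == 0)


def interlock(i: Inputs, req: Request) -> Outputs:
    """Map a request to permitted outputs; each output defaults to safe."""
    fault = input_fault(i)
    if fault:
        return safe(fault)
    if req.engine_start and req.engine_stop:
        return safe("conflicting start and stop request")
    start = stop = traction = False
    denied = []
    if req.engine_start:
        if secured(i) and driver_confirmed(i, "start"):
            start = True
        else:
            denied.append("start: needs secured train and driver confirmation")
    if req.engine_stop:
        if secured(i) or driver_confirmed(i, "stop"):
            stop = True
        else:
            denied.append("stop: train not secured and no driver confirmation")
    if req.traction_enable:
        if (i.engine_running and i.brake_applied and i.throttle_notch == 0
                and driver_confirmed(i, "enable_traction")):
            traction = True
        else:
            denied.append("traction: needs running engine, brake, idle and driver confirmation")
    return Outputs(start, stop, traction, "; ".join(denied) or "permitted")


def secured_scan(now: float = 100.0, **overrides) -> Inputs:
    """Constructed sample scan of a secured, stationary locomotive."""
    base = dict(now=now, sampled_at=now - 0.2, speed_kmh=0.0, brake_applied=True,
                reverser_neutral=True, throttle_notch=0, engine_running=False,
                fuel_level_pct=42.5, driver_cmd=None, driver_cmd_at=0.0)
    base.update(overrides)
    return Inputs(**base)


if __name__ == "__main__":
    # The spontaneous-start hazard: automation asks for a start, no driver command.
    print(interlock(secured_scan(), Request(engine_start=True)))
    # The same request with a driver command given 2 s earlier is permitted.
    print(interlock(secured_scan(driver_cmd="start", driver_cmd_at=98.0),
                    Request(engine_start=True)))
```

The point of the model is the direction of the defaults: a lost input scan, an out-of-range sensor or a conflicting request never results in an engine start or traction enable, and the only thing the fuel-management logic can do on its own is stop an engine that is already secured. Anything in the unsafe direction requires a fresh, explicit act by the driver, which is also the property a driver-interface review and a later software-malfunction analysis would need to confirm.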
The perception of the participants at the workshop was that, apart from the severe risks noted earlier, fuel management issues did not pose a significant risk because the PLC system merely provides information to the driver to allow better and more efficient train operation. There would be no safety implication unless the information provided by the system caused the driver to be distracted in a way that generated a potentially dangerous situation, such as passing a signal at danger; two of the medium risks were concerned with this.
The design of the driver’s information screen would be a crucial factor in determining whether a driver would be distracted. At the time of the workshop, there was a preliminary design but detailed feedback from the drivers was still pending.
The train drivers – the future users of the fuel management system – were important stakeholders. Although only a small number of them participated in the workshop, their early involvement in the project and the risk assessment process enhanced transparency about the company’s intentions, increased the drivers’ knowledge about the new technology and led them to a deeper understanding of the mechanisms of potential software malfunctions. The risk assessment gave them a chance to air their concerns and demonstrated a process by which those concerns would be followed up and addressed appropriately.
All this fostered the drivers’ confidence in the intentions of the project team and the company. This was a necessary precursor to deeper engagement by drivers in the project to optimise its design, and particularly the design of the driver interface unit in the locomotive cabin.
The staged approach adopted by the company helped to identify potential issues early, so that they could be addressed in time for the resulting revisions to be incorporated into the design as it progressed. The risks associated with automatic control of engines and traction systems were particularly important. The approach also gave the company early access to the drivers' concerns, making it easier to plan for potential problems and minimising future surprises.
Level of detail
The project was at concept stage. As a result, the descriptions of many risks were necessarily expressed in quite general terms. This focused attention on high-level concerns, which was appropriate for the early stages of introducing a new system.
As the design matured, it was expected that many of the risk descriptions would be expanded to include far more specific detail.
The company was able to proceed with further development of the design with more information about its implications and particular stakeholder concerns. This gave a more coherent team view of priorities, with far more confidence in a successful practical implementation than the company would have had without the risk assessment at this stage of the design development.