guidance for integrated project teams for use in ... · document reference stg/181/1/9/1 version...
TRANSCRIPT
Document reference STG/181/1/9/1 Version 1.0 dated 1 June, 2004
Guidance for Integrated ProjectTeams for Use in Contracting
for Independent Safety Auditor(ISA) Services
This guidance has been issued by the Safety Management Offices Group having been developedwith assistance from Adelard
Page 2 of 75
Version 1.0 dated 1 June, 2004
Page 3 of 75
Version 1.0 dated 1 June, 2004
Contents
1 Introduction ............................................................................................................................... 5
2 Glossary..................................................................................................................................... 5
3 Bibliography.............................................................................................................................. 6
4 Basis for the ISA role ................................................................................................................ 74.1 MoD policy and practice ........................................................................................... 74.2 ISA scopes of work ................................................................................................... 8
5 Definitions............................................................................................................................... 105.1 Independent ............................................................................................................. 10
5.1.1 Definition ................................................................................................ 105.1.2 Interpretation........................................................................................... 105.1.3 Illustrations.............................................................................................. 11
5.2 Safety Audit ............................................................................................................ 115.2.1 Definition ................................................................................................ 115.2.2 Interpretation........................................................................................... 115.2.3 Illustrations.............................................................................................. 12
5.3 Safety advice ........................................................................................................... 135.3.1 Definition ................................................................................................ 135.3.2 Interpretation........................................................................................... 135.3.3 Illustrations.............................................................................................. 13
6 Relationships with other organisations ................................................................................... 146.1 The IPT ................................................................................................................... 156.2 The contractor ......................................................................................................... 156.3 The Operating Authority ......................................................................................... 166.4 Safety Management Offices .................................................................................... 166.5 Regulatory/certification bodies ............................................................................... 176.6 Design Authority..................................................................................................... 17
7 Selection of ISAs..................................................................................................................... 187.1 Independence........................................................................................................... 187.2 Competence............................................................................................................. 187.3 Project complexity .................................................................................................. 187.4 Safety risk ............................................................................................................... 197.5 Lifecycle phase........................................................................................................ 19
8 Expertise and competence....................................................................................................... 208.1 Competence criteria ................................................................................................ 20
8.1.1 Technical competence............................................................................. 208.1.2 Auditing competence .............................................................................. 218.1.3 Behavioural competence ......................................................................... 22
8.2 Assessment of competence...................................................................................... 22
9 Scopes of work........................................................................................................................ 239.1 General ISA documentation .................................................................................... 239.2 Scopes of work by lifecycle phase .......................................................................... 25
Page 4 of 75
Version 1.0 dated 1 June, 2004
9.2.1 Concept phase ......................................................................................... 289.2.2 Assessment phase.................................................................................... 319.2.3 Demonstration phase............................................................................... 389.2.4 Manufacturing phase............................................................................... 459.2.5 In-service phase....................................................................................... 519.2.6 Disposal phase......................................................................................... 54
9.3 Legacy systems ....................................................................................................... 569.4 Variation with maturity of contractor’s combined SEMS....................................... 639.5 Variation with safety integrity requirements........................................................... 639.6 Other procurement models ...................................................................................... 64
Appendix A Safety argument over the lifecycle ......................................................................... 69
Figure
Figure 1: Typical ISA organisational interfaces.......................................................................... 14
Table
Table 1: Summary of ISA activities through the lifecycle .......................................................... 25
Page 5 of 75
Version 1.0 dated 1 June, 2004
1 Introduction
1) This document provides guidance for IPTs on contracting for Independent Safety Audit(ISA) services. It has been issued by the Safety Management Offices Group.
2) The document contains guidance on the ISA role, how to select ISAs, and the scopes ofwork for ISAs at different lifecycle phases.
3) The document is guidance for an IPT that can be used in part or additional work items canbe added. Some or all of the activities may be appropriate depending on the system complexityand the information that the IPT may require in order to assure themselves of the validity of asafety argument.
2 Glossary
1) See Def Stan 00-56/3 for a complete set of relevant definitions.
ADRP Airworthiness, Design Requirements and Procedures
ALARP As Low As Reasonably Practicable. HSE’s interpretation of therequirement in the Health and Safety at Work Act that risks are to bereduced “so far as is reasonably practicable”.
BCS British Computer Society
CASS Conformity Assessment of Safety-related Systems
CLS Contractor Logistic Support
COTS Commercial off-the-shelf
DOSG Defence Ordnance Safety Group
DRACAS Data Recording and Corrective Action System
Duty Holder The person responsible for safe operation of a system. Normally the IPTLeader.
EMS Environmental Management System
FRACAS Fault Recording and Corrective Action System
Hazops Hazard and Operability Study
HCI Human Computer Interface
IEE Institute of Electrical Engineers
ISA Independent Safety Auditor
LSSO Land Systems Safety Office
Occupational safety Safety associated with physical or inherent hazards, such as weight,sharp corners or electric shock.
OHHA Occupational Health Hazard Analysis
OME Ordnance, Munitions and Explosives
Page 6 of 75
Version 1.0 dated 1 June, 2004
OSHA Operating and Support Hazard Analysis
PFI Private Finance Initiative
PHA Preliminary Hazard Analysis
PHL Preliminary Hazard Listing
Physical safety Safety associated with inherent hazards of a system such as electricshock, radiation, weight, sharp corners, etc. Sometimes known asoccupational safety.
PPP Public Private Partnership
QMS Quality Management System
Safe Risk has been reduced to a level that is broadly acceptable, or tolerableand ALARP, and relevant prescriptive safety requirements have beenmet, for a system in a given application in a given operatingenvironment.
Safety argument A logically stated and rigorously demonstrated reason why the system issafe.
Safety Audit A systematic and independent examination to determine whether safetyactivities comply with planned arrangements, are implementedeffectively and are suitable to achieve objectives; and whether relatedoutputs are correct, valid and fit for purpose. See also Section 5.2.
Safety case A structured argument, supported by a body of evidence, that provides acompelling, comprehensible and valid case that a system is safe for agiven application in a given operating environment.
SEMS Combined Safety and Environmental Management System
SMO Safety Management Office
SMP Safety Management Plan
SMS Safety Management System
SOW Statement of Work
SRD System Requirements Document
SSMO Ship Safety Management Office
URD User Requirements Document
3 Bibliography
[1] Safety, Competency and Commitment: Competency Guidelines for Safety-Related SystemPractitioners, IEE, 1999. ISBN 0 85296 787 X.
Page 7 of 75
Version 1.0 dated 1 June, 2004
4 Basis for the ISA role
1) Any equipment contracts that will require ISA input on behalf of the MoD will includeappropriate contract clauses and conditions. To enable the ISA role to be undertaken it isessential that the following clause is included: “The Contractor shall provide access torecords, including sub-contractor records, for contract purposes, to enable the MoDappointed Independent Safety Auditor to carry out safety audits and other assessmentactivities to meet MoD safety requirements.” It is strongly recommended that the advice ofCommercial Officers is sought as appropriate.
2) Where an IPT contracts for the provision of ISA services any contract will requireappropriate contract clauses and conditions to be included to take account of reportingrequirements and dispute resolution procedures between the ISA, Duty Holder and theContractor. The requirement for the ISA to sign documents produced by the contractor toindicate that they have been reviewed or endorsed by the ISA should also be considered.
4.1 MoD policy and practice
1) This section describes the basis for the ISA role in MoD policy and practice.
2) The MoD is a self-regulating organisation with regard to safety where it has been grantedspecific exemptions, disapplications or derogations from legislation, international treaties orprotocols. This leads to a potential conflict of interest between the need to deliver new andenhanced capability to time and budget, and the obligation under the Health and Safety at WorkAct and the Secretary of State’s safety policy to reduce safety risks so far as is reasonablypracticable.
3) The ISA role is founded on MoD safety policy that introduces independence into safetyregulation by requiring or recommending the IPT (formally the “Duty Holder”, normally theIPT Leader) to seek an ISA’s opinion on the quality of the safety case for new or modifiedequipment. This independence is of benefit to both the IPT and the contractor and helps toachieve safety certification and compliance with legal requirements.
• In the maritime sector, JSP 430 requires an IPTL to authorise the safety case on thebasis of an endorsement from an independent safety audit of the Safety Case. Beforeauthorisation, the IPT must ensure the satisfactory resolution of any deficiencies orobservations raised through their Safety Committee and ISA.
• In the land sector, JSP 454 currently states, “As part of the IPT’s assurancearrangements, it is strongly recommended that an Independent Safety Auditor beappointed by the IPTL at the outset of the project in consultation with the safetycommittee, to undertake the following tasks of: providing independent assessmentand validation of Safety Case work; providing professional support and advice to thesafety committee and IPTL.”
• In the airworthiness sector, JSP 553 currently states, “The appointment of an ISA isrequired by Def Stan 00-56 for systems in the higher risk classes and is desirable inother cases if the aircraft, its systems or equipment are novel, complex or high risk.The ISA can also provide general safety advice to the IPT, the industrial Designerand other organisations.”
Page 8 of 75
Version 1.0 dated 1 June, 2004
• In the ordnance sector, JSP 520 provides for independence through the review byDOSG and through the OME Safety Advisor assigned to the IPT to provide adviceand support. However, overall system safety will normally be covered by JSP 430,JSP 454 or JSP 553 and an ISA will be needed as described above. Also, JSP 520does provide for other independent technical experts on the OME Safety ReviewPanel, and the ISA can usefully provide independent audit and advice in areas such asoccupational safety.
4) The ISA has no executive authority and the IPT accepts full responsibility for safety. TheIPT may overrule an ISA’s recommendations but in such cases a robust justification for thedecision should be recorded.
5) The ISA role has two other aspects that flow from the need to form an expert, professionalopinion:
• The ISA plays an important part in advising the contractor and the IPT on aframework of appropriate standards and good practice. This is of increasingimportance in the light of the current trend in defence and civil sectors to “goal-based”, as opposed to prescriptive, regulation. A goal-based approach has theadvantage that it makes innovation easier, but it does not provide the same degree ofcertainty as prescriptive regulation. Safety advice is described in more detail inSection 5.3 below.
• According to the SMO’s policy, the ISA may assist the SMO to discharge itsresponsibilities for monitoring effective safety and environmental management bycontractors and IPTs, and for the provision of advice and guidance on safetymanagement. The organisational interface with the SMOs is elaborated in Section 6.4below.
4.2 ISA scopes of work
1) Typically the ISA caries out document reviews, audits against planned arrangements, andadditional analyses. The functions carried out by the ISA are elaborated in Section 5 and thedetailed scopes of work in Section 9.
2) In developing the scopes of work, the IPT should bear in mind the following.
3) The IPT shall arrange to preserve the ISA’s independence and enable them to carry out theirduties effectively. An authorised ISA has the right and duty to raise significant concerns directlywith the IPT or contractor, even when outside their agreed scope of work or TOR and shouldraise unresolved concerns with appropriate Authorities and the relevant SMO.
4) The ISA should be given reasonable resources to carry out the tasks. The cost of employingan ISA should be commensurate with the risk associated with the project. A lack of resources isa poor justification for placing limits on the scope of ISA work or level of involvement of theISA. Experience shows the costs of correcting a deficiency attributed to inadequate Safety Auditsignificantly outweigh any savings made.
5) It is possible that the ISA and the contractor will become deadlocked over some aspect ofthe safety argument, and the IPT will wish to seek another opinion. The relevant SMO may beable to provide informal assistance and advice on the way forward (although the IPT remains
Page 9 of 75
Version 1.0 dated 1 June, 2004
responsible for deciding the way ahead). Also, if the ISA has significant concerns that they donot believe are being adequately addressed, the relevant SMO may be approached forassistance. In these cases the SMO might be asked to co-operate in a process similar to thefollowing:
a. The ISA and the party (IPT or contractor) with whom they disagree should eachproduce a report setting out their position of the disputed area of the safety argument.These reports should be exchanged and also copied to the SMO. The SMO shouldalso be provided with other relevant documents, such as the safety management planand appropriate elements of the safety case.
b. Having read each other’s reports, the ISA and the other party should write an agreedjoint report setting out the precise areas of agreement and disagreement. This shouldbe sent to the SMO.
c. The IPT should arrange an arbitration hearing. Generally this will take a half-day butmight be longer for a complex dispute. The hearing should be chaired by a member ofthe SMO. The ISA and the other party should each present their point of view, whichmay be followed by a general discussion of the issues.
d. Following the hearing, the ISA and the other party should each write a finalsubmission, which should be exchanged and also sent to the SMO.
e. The SMO will consider the reports and points raised at the hearing, and providewritten advice with respect to the issues outstanding.
Page 10 of 75
Version 1.0 dated 1 June, 2004
5 Definitions
1) Def Stan 00-56/3 defines Independent Safety Auditor as an individual or team, from anindependent organisation, that undertakes audits and other assessment activities to provideassurance that safety activities comply with planned arrangements, are implemented effectivelyand are suitable to achieve objectives; and whether related outputs are correct, valid and fit forpurpose.
2) This section of the guide expands on this definition by considering the meaning ofindependent, safety audit and safety advice. Each definition is followed by an interpretationcovering any areas of difficulty, and one or more illustrations of the application of thedefinition.
5.1 Independent
5.1.1 Definition
1) Able to provide an expert, professional opinion without vulnerability to commercial, projector other pressure.
5.1.2 Interpretation
1) Informally, the ISA needs to be sufficiently independent that they are sheltered as far aspracticable from pressure to modify their opinion.
2) It is highly desirable for the ISA to be from an organisation totally separate from thecontractor. Where it is not possible to achieve total separation, the IPT should justify theacceptability of the arrangements that they authorise. Arrangements that may give sufficientindependence include the use of companies in the same group as the contractor, but otherwiseindependent, or organisations or departments in the contractor’s firm that are independent toboard level.
3) Contractors may raise commercial or security objections to other companies having accessto their proprietary information. These can normally be overcome by selecting the ISA from anorganisation that does not compete with the contractor, and putting a non-disclosure agreementin place. Even in very specialised areas, it does not follow that anyone competent to carry out aSafety Audit must be a competitor, since competent personnel are likely to be available whohave retired from or left the contractor or a competitor, or who have worked in the same area forMoD. Also, most of the skills that an ISA should have are generic, and the expertise requiredoften does not need to be so domain or technology specific to require a (current or former)competitor.
4) Some contractors may have an in-house safety organisation. Although these organisationsmay be able to provide scrutiny of the contractor’s organisation, they will often be unable toprovide scrutiny of the activities of the IPT or other parties. In addition, they are highly unlikelyto be involved pre-contract due to their lack of commercial independence from the organisationstendering for work. However, in-house organisations may be able to support the work of theISA, which may lead to a reduced need for Safety Audits. This also applies to safety auditingcarried out in-house, or more general auditing to assess conformance with standards such asISO 9001.
Page 11 of 75
Version 1.0 dated 1 June, 2004
5) The ISA may give general advice to the IPT and the contractor, but will compromise theirindependence if they contribute to the specific safety case: see also Section 5.3.
6) In order not to undermine the ISA’s independent opinion, the IPT should give the ISAsubstantial freedom to conduct the Safety Audit as they judge to be appropriate.
7) The need for independence does not mean that every project in an IPT and everysubcontractor has to have a separate ISA; reference to the requirements of domain specific JSPsshould be made however. A single or small number of ISAs will give a more consistentapproach and will acquire domain-specific knowledge more quickly. Of course the ISA or ISAsshould be independent with respect to all the organisations that they audit, as defined above.
5.1.3 Illustrations
• A major defence contractor asserts that a MoD-appointed ISA is unnecessarybecause it has an in-house safety section with specialist domain knowledge. An ISAshould still be appointed, but their terms of reference should include co-operationwith the safety section to reduce duplication of effort and “audit fatigue”, and also themaking of judgements about the work of the in-house organisation. The ISA shouldbe competent in the domain (see Section 8) although they may not have the samelevel of depth of specialist knowledge as the in-house safety section.
• A contractor resists appointment of an ISA from a competitor because it is notprepared to make proprietary information available. This is a legitimate concern.Even if a non-disclosure agreement is signed, it is impossible to remove theinformation held in the ISA’s head and it might be divulged unwittingly or underpressure from peers. The IPT should negotiate a mutually acceptable ISA from anorganisation that does not compete with the contractor, even though it may then bemore difficult to find an ISA with appropriate domain experience. See also Section 4.
5.2 Safety Audit
5.2.1 Definition
1) Safety Audit is defined in Def Stan 00-56/3 as a systematic and independent examination todetermine whether safety activities comply with planned arrangements, are implementedeffectively and are suitable to achieve objectives; and whether related outputs are correct, validand fit for purpose.
5.2.2 Interpretation
1) Safety Audit consists of the activities that enable an expert, professional, independentopinion to be reached on the safety of the system.
2) The safety case is based on a safety argument. Appendix A shows typical safety argumentsthrough the procurement lifecycle. Typically the overall, top-level argument is that:
Page 12 of 75
Version 1.0 dated 1 June, 2004
The system is safe to use to provide the defined capability because:The meaning of “safe” is defined and correctly captured in the safetyrequirements.The system meets the safety requirements.Safety will be maintained over the system’s lifetime through a culture of safeworking and safety management by the contractor and MoD organisations.The assumptions and prerequisites on which the safety case depends are valid.
3) Safety Audit involves examining each of the components of this safety argument andforming an opinion as to whether it is complete and correct. Safety Audit is targeted at both thecontractor and the IPT. Typically, the ISA will form their opinion on the basis of the following:
• Targeted document reviews.
• Independent assessment and analysis. The ISA may utilise techniques such as diverseanalysis, witnessing, interviewing, traceability checks, vertical slices1 and inspection.
• Audits of safety and development processes. These “traditional” audits check forconformance to relevant policy, standards, the SMS or where appropriate thecombined SEMS, and the safety management plans.
4) Note that Safety Audit consists of considerably more than “traditional” auditing, and in factsuch auditing makes up a fairly small proportion of the ISA’s activities. More detailed scopes ofwork are given in Section 9 below.
5) Note that within the airworthiness sector, the assessment function and the audit and advicefunction are often carried out by different individuals or organisations.
5.2.3 Illustrations
• An ISA Report consists of a detailed audit showing compliance to the requirements ofDef Stan 00-56. This is not sufficient to provide an expert, professional opinion to theIPT. Underlying the ISA role is the fact that safety is fundamentally a property of thesystem, not the process used to develop it. An audit showing simple compliance (i.e.that a process has been carried out) is insufficient and a judgement of theeffectiveness of the process, and how it affects the safety of the system, is alsorequired.
• A contractor refuses to co-operate with the ISA over the provision of data to supportfailure rate claims, on the grounds that analysis of such data is not an audit function.This is not acceptable if the ISA judges the data to be an essential component of thesafety argument. If agreement cannot be reached, the IPT should intervene to obtainthe data.
1 Vertical slice analysis traces the mitigation of a hazard throughout the system lifecycle.
Page 13 of 75
Version 1.0 dated 1 June, 2004
5.3 Safety advice
5.3.1 Definition
1) General advice on the acceptability of a proposed safety argument, which facilitates theIPT’s or contractor’s decision-making.
5.3.2 Interpretation
1) In order to maintain their independence, the ISA cannot give specific advice or contributedirectly to the safety argument. However, it is legitimate, and helpful in reducing project riskfrom safety matters, for the ISA to give general advice that leads to timely production of asatisfactory safety case. General advice is that which would be given to any broadly similarproject, and corresponds to the assessment guides produced by the statutory regulators (e.g. theHSE’s Approved Codes of Practice and the series of Assessment Guides from the NuclearInstallations Inspectorate). General advice may cover the selection of suitable analysistechniques, the structure of safety arguments and the making of tolerability claims.
2) It is also legitimate for the ISA to provide advice on specific technology, and theconsequences of technology choices, providing that the advice is that which would be given inany broadly similar case.
5.3.3 Illustrations
• The ISA has criticised the contractor’s calculation of numerical tolerability criteria,and the contractor asks the ISA to change it to a form that they would findacceptable. The ISA should not do this, as they would then take ownership of part ofthe safety argument. However, they can illustrate how such a calculation should beperformed, by analogy with other, similar projects. It is also legitimate for them tohelp to derive policy and guidance on safety arguments for classes of systems inassociation with the SMOs (see also Section 6.4).
• A cluster IPT is responsible for several interconnected systems, and asks the ISA forone system to write a safety case for another. This is permissible provided that thescope of the two safety cases is clearly defined and does not overlap. The IPT shouldengage a second ISA to provide an independent opinion on the safety case for theother system.
• In accordance with JSP 454, a small IPT asks the ISA to advise and assist in theestablishment and development of the Safety Management System and Safety Case, inlieu of a dedicated Safety Officer. This is permissible provided that the advice andassistance is general and facilitates the IPT’s own development of the SMS andSafety Case, rather than influencing their development directly.
Page 14 of 75
Version 1.0 dated 1 June, 2004
6 Relationships with other organisations
1) This section describes the organisational interfaces between the ISA and other organisationsconcerned with defence safety. The typical interfaces are illustrated in Figure 1 and discussedbelow. Not all the information flows shown apply to all sectors (for example, only the LSSOcurrently offers an arbitration service). The ISA tasks related to these interfaces are expanded inSection 9 below.
2) The formal communication route between the ISA and the contractor and the OperatingAuthority will be defined in the MoD/ISA contract, and will normally be through the IPT asshown. In practice, however, it is usual for the ISA to communicate directly with these bodies,although the IPT should be kept informed of all discussions and given copies of all writtencommunications.
3) JSPs 430, 454 and 553 include the ISA in the membership of relevant safety committees inaccordance with Def Stan 00-56/3, and all the organisations shown in the figure will berepresented on one or other of these. The meetings of these bodies provide an important meansof liaison between the ISA and the other safety organisations.
Figure 1: Typical ISA organisational interfaces
ISA
Safety Office
Contract
Duty H
older’ssafety
documentation
ISA Reports &
papers
ISA advice
Safetyqueries
Progress reports
Contractor
Safetyqueries
ISAadvice
Information& access
ISA Reports
Arbitrationfindings
ISA Reports
Policy & guidance input
Policy & guidanceadvice
Arbitration reports
Informal briefs
OperatingAuthority (inc.service safety
body)
Safetyqueries
ISA advice
ISA Reports& papers Document reviews
Policy & guidanceadvice
Policy &guidance input
IPT
Regulatory/certification
bodies
ISA Reports& papers
Responses toqueries
Queries
ISA
Safety Office
Contract
Duty H
older’ssafety
documentation
ISA Reports &
papers
ISA advice
Safetyqueries
Progress reports
Contractor
Safetyqueries
ISAadvice
Information& access
ISA Reports
Arbitrationfindings
ISA Reports
Policy & guidance input
Policy & guidanceadvice
Arbitration reports
Informal briefs
OperatingAuthority (inc.service safety
body)
Safetyqueries
ISA advice
ISA Reports& papers Document reviews
Policy & guidanceadvice
Policy &guidance input
IPT
Regulatory/certification
bodies
ISA Reports& papers
Responses toqueries
Queries
ISA
Safety Office
Contract
Duty H
older’ssafety
documentation
ISA Reports &
papers
ISA advice
Safetyqueries
Progress reports
Contractor
Safetyqueries
ISAadvice
Information& access
ISA Reports
Arbitrationfindings
ISA Reports
Policy & guidance input
Policy & guidanceadvice
Arbitration reports
Informal briefs
OperatingAuthority (inc.service safety
body)
Safetyqueries
ISA advice
ISA Reports& papers Document reviews
Policy & guidanceadvice
Policy &guidance input
IPT
Regulatory/certification
bodies
ISA Reports& papers
Responses toqueries
Queries
Page 15 of 75
Version 1.0 dated 1 June, 2004
6.1 The IPT
1) Where the IPT directly contracts the ISA, they must respect their independence. Therelationship is similar to contracting an auditor in other areas, such as quality management oraccountancy. An authorised ISA has the right and duty to raise significant concerns directlywith the IPT or contractor, even when outside their agreed scopes of work or terms of reference,and should raise unresolved concerns with the appropriate Authorities and SMO.
2) In the majority of cases, the IPT contracts the ISA on the project. However, the IPT maydirect the contractor to contract the ISA instead. In that case the contractor should employ anISA who is acceptable to the IPT in terms of competence and scope of work as defined in thisguide.
3) The ISA interacts with the IPT as follows:
• Contractually. The ISA contracted by the IPT has to provide value for money and anIPT should monitor ISA performance against the contract accordingly. Selectioncriteria for ISAs are given in Section 7 below.
• Through audits. The ISA audits the IPT’s safety management system and safetyrecords since this forms part of the overall safety argument (see Section 5.2).
• Through the ISA Report. The ISA Reports (and supporting review, analysis and auditrecords) provide the IPT with the independent opinion that they require under MoDsafety policy. This covers safety documents and analysis produced by both thecontractor and the IPT (e.g. as part of requirements definition prior to tendering forthe system).
• By providing advice. The ISA may provide independent, general advice on safetymatters to the IPT (see Section 5.3).
4) The role of the ISA is basically the same for both single-project and cluster IPTs.Experience shows that ISA work for cluster IPTs is project-based and so there is little differencein practice. It is permissible for ISA personnel to give specific advice for some projects whilecarrying out independent safety audit in others; see Section 5.2 and Section 5.3.
6.2 The contractor
1) Where the ISA is contracted by the contractor, the interface will include contractual matters.
2) The contractor’s relationship with the ISA is set out in Def Stan 00-56. Where the ISA iscontracted by the IPT, the ISA should be acceptable to the contractor in terms of competenceand scopes of work. They should also be able to safeguard the contractor’s IPR and confidentialinformation (see Section 5.1.2).
3) The contractor receives from the ISA:
• Reports, including the ISA Report, on reviews, audits and analyses carried out by theISA as part of the Safety Audit function (see Section 5.2).
Page 16 of 75
Version 1.0 dated 1 June, 2004
• General advice on safety matters (see Section 5.3).
4) The ISA receives from the contractor:
• Access to the information needed to form an independent opinion, including safetycase reports.
• The contractor’s response to ISA reviews and reports. (See also Section 4 para 1.)
6.3 The Operating Authority
1) There may be discussions between the Operating Authority and the ISA over safety issues.Typically communication originates in safety committees, but may also occur if the OperatingAuthority raises a safety concern directly to the IPT.
2) In addition, the Operating Authority may have its own safety body, which may liaise withthe ISA as follows. The Operating Authority’s safety body receives from the ISA:
• Reports, including the ISA Report, on reviews, audits and analyses carried out by theISA as part of the Safety Audit function (see Section 5.2).
• Assistance over safety issues, if requested.
3) The ISA receives from the Operating Authority’s safety body:
• Document reviews.
• Requests for assistance on safety issues.
4) In the air sector, the ISA’s organisational interface is with the Release to Service Authorityrather than the Operating Authority.
6.4 Safety Management Offices
1) The ISA interacts with the relevant SMO in several ways:
• Through the ISA report. Some SMOs may require copies of formal ISA Reports. TheISA Reports show that the IPT has received an independent opinion on the quality ofthe safety case. The reports should also address compliance to safety andenvironmental management policy, both by the contractor and the IPT.
• By receiving advice. The relevant SMO may be able to provide advice on difficultsafety issues and areas of policy uncertainty.
• Over the development of policy and generic advice. The ISA may encounter safetyissues that are not covered by existing policy or guidance. Examples include thedevelopment of safety targets for novel situations. They should liaise with therelevant SMO over such issues and if requested assist the SMO in the formation of
Page 17 of 75
Version 1.0 dated 1 June, 2004
relevant policy and guidance. They should also copy the SMO any advice they giveto the IPT concerning such issues.
• Through the need for arbitration. It is possible that the ISA and the IPT or thecontractor will become deadlocked over some aspect of the safety argument. In theLand sector, the LSSO already offers to provide informal arbitration and advice onthe way forward. The ISA (together with the IPT or contractor) should provide areport on the areas of agreement and disagreement, on which the SMO can base itsadvice.
• Through informal communication. Especially in complex projects, it is helpful if theISA informally briefs the relevant SMO from time to time on project safety progressand any areas of difficulty or disagreement.
6.5 Regulatory/certification bodies
1) In a sector where there is a formal regulation or certification regime, the ISA may interfacewith the regulator or certification body by means of the ISA Report and response to questions.An example is the Naval Authority or the Naval Nuclear Regulatory Panel in the maritimedomain.
6.6 Design Authority
1) Generally, the Design Authority will be either the contractor or the IPT. However theDesign Authority may be another organisation. (This case is not shown on the diagram.) In thiscase, the IPT will need to obtain agreement from the Design Authority to provide access for theISA and generally to co-operate with them.
2) The Design Authority receives from the ISA:
• Reports, including the ISA Report, on reviews, audits and analyses carried out by theISA as part of the Safety Audit function covering the contractor and the DesignAuthority (see Section 5.2).
• General advice on safety matters (see Section 5.3).
3) The ISA receives from the Design Authority:
• Access to the information needed to form an independent opinion, including safetycase reports. (See also Section 4 para 1.)
• The Design Authority’s response to ISA reviews and reports.
Page 18 of 75
Version 1.0 dated 1 June, 2004
7 Selection of ISAs
1) This section considers the criteria that the IPT should apply when choosing an ISA or ISAteam. The criteria cover personal (or team) attributes of independence (Section 7.1) andcompetence (Section 7.2), and project attributes of complexity (Section 7.3), risk (Section 7.4)and lifecycle phase (Section 7.5). Expertise and competence is discussed further in Section 8.
2) It is preferable to employ an ISA team for most projects. The team enables effective peerreview of the assessment’s outputs and can provide specialist expertise in areas such as humanfactors and software reliability modelling. It also has the practical advantage that it is easier tocover for normal staff absence and attend concurrent meetings. The guidance for the projectcriteria explains the circumstances when an individual may be sufficient.
3) Even when an ISA team is employed, the ISA team leader and preferably all the teammembers should be individually identified.
7.1 Independence
1) The ISA should be independent as defined in Section 5.1.
7.2 Competence
1) The ISA should be competent in Safety Audit skills in the project domain, includingknowledge of the safety policy for the domain. This is discussed in detail in Section 8.
7.3 Project complexity
1) Project complexity can take several forms, including:
• technical complexity. In this case the safety argument is likely to be complex, withseveral types of evidence for many of the safety claims, especially in the area ofsafety of data and commands. Appendix A illustrates the main elements of a complexsafety argument. The ISA should have a higher level of competence including proventechnical skills applying to any technically difficult safety issues (see alsoSection 8.1.1).
• problems with safety evidence. The Safety Audit will require more effort if there areproblems with the safety evidence, such as a lack of historical evidence for safety oflegacy equipment, or if the historical evidence shows that the system does not meetits safety requirements.
• large project scale. For large-scale projects involving “systems-of-systems”, thesafety argument will involve evidence provided by safety cases for systemshierarchies aggregating up to macro platform or super-system level. The ISA shouldhave proven experience in Safety Audit of interrelated safety cases and the safetyissues that arise due to the interactions between systems, including interfacing toISAs for other equipment.
Page 19 of 75
Version 1.0 dated 1 June, 2004
Conversely, for small-scale projects, where the amount of concurrent work andnumber of meetings is reduced, it may be sufficient to employ a competent individualas ISA, rather than a team.
• PFI or foreign acquisition. In this case, the ISA needs to be able to interpret thesafety standards that have been applied to the development of the system in the lightof MoD policy and UK regulatory requirements.
7.4 Safety risk
1) One of the roles of the ISA is to reduce uncertainty in the validity of the safety argument byproviding an authoritative second opinion. For low risk systems, the safety argument will besimpler, quicker and easier to assess, and because of the amount of mitigation, the likelihood offielding an unsafe system is low. Therefore for systems where the risk is low compared to theday to day risks an individual faces, the IPT could consider:
• the use of an individual ISA rather than an ISA team
• less specific experience as an ISA or in the application domain
7.5 Lifecycle phase
1) The major safety effort is typically during the assessment, demonstration and manufactureacquisition phases. During the other phases less safety work is likely to be needed, and hencethe ISA team can be reduced in size.
2) If the equipment is near the end of its service life, a much simpler safety argument is likelyto be appropriate, centring on maintaining the current level of safety, and on issues of disposal.Safety criteria will be informed by the relatively short “time at risk”, and design changes, if any,are likely to be of low risk. In this case, a limited Safety Audit by an individual is likely to besufficient.
3) Detailed scopes of work for each lifecycle phase are given in Section 9.
Page 20 of 75
Version 1.0 dated 1 June, 2004
8 Expertise and competence
1) It is obviously of the utmost importance that the ISA should be suitably qualified andexperienced. This section describes competence criteria for ISAs, and presents guidance onassessment against the criteria. Where the Safety Audit is carried out by a team, the team as awhole should provide the necessary level of competence.
8.1 Competence criteria
1) There are three types of competence required to assess the suitability of an ISA:
• technical competence—safety and technical knowledge (of the application area andtechnology) required to support the activities of a Safety Audit (this is described inSection 8.1.1)
• auditing competence—skills necessary to perform the Safety Audit, i.e. to performthe activities that enable an expert, professional opinion to be reached on the safety ofthe system, as defined in Section 5.2 above (this is described in Section 8.1.2)
• behavioural competence—qualities and attributes of behaviour and character neededto successfully perform the task (this is described in Section 8.1.3)
8.1.1 Technical competence
1) Technical competence covers the knowledge and experience needed to underpin theactivities of the ISA. This has two aspects:
• Technical competence in Safety Audit independent of the specific application domainand technology used.
• Technical competence in the application domain, where an understanding of thespecific technologies used and the context of their use extends the ability tosuccessfully audit the safety of the system.
2) Technical competence in Safety Audit includes:
• Knowledge and experience of the legal and safety regulatory framework.
• Understanding of the principles and concepts of safety management, e.g. ALARP,hazards, risk and safety requirements.
• Knowledge and experience of techniques and methods to determine and analysesafety issues of importance and to make a judgement on the safety of a system.Examples of such knowledge include safety analysis techniques such as Hazops andFault Tree Analysis, and the ability to estimate the necessary resources to performsuch analyses and to judge the scope and depth of analyses carried out.
Page 21 of 75
Version 1.0 dated 1 June, 2004
• Knowledge and experience of specific standards, guidelines or codes of practicerelevant for the project, e.g. Def Stan 00-56 and the applicable safety managementJSPs.
3) Technical competence in the application domain includes:
• Safety engineering knowledge and experience appropriate to the application area andtechnology, including safety practices appropriate to the organisation and applicationarea.
• Engineering knowledge and experience appropriate to the application area (e.g. airtraffic control) and technology (e.g. digital network communication).
• Experience of other systems engineering disciplines including human factorsintegration, integrated logistic support and availability, reliability and maintainabilitywould also be advantageous.
4) In the ship sector, demonstration of technical competence requires that all key members ofthe ISA’s team should possess or be working toward an SSMO training certificate.
8.1.2 Auditing competence
1) As discussed in Section 8.1.1, technical competence underpins the knowledge needed tocarry out a Safety Audit, independently of the specific activities being performed. By contrast,auditing competence considers the specific activities performed as part of a Safety Audit (thatis, document review, process audits and independent analyses). This includes the ability to:
• determine the scope and objectives of the Safety Audit
• develop and maintain a plan for the activities that comprise a Safety Audit
• collect and analyse objective evidence to support a judgement about the safety of thesystem. This may include: a) interviewing personnel at all levels; b) examining andreviewing documents; c) observing activities
• verify the accuracy of information gathered in interviews by observation,measurements and records analyses
• identify, record and investigate clues suggesting possible problems
• carry out formal process audits against relevant standards, plans, etc.
• make a judgement on the safety of a system
• document findings including producing formal ISA Reports
• verify that any actions necessary to address the results of the Safety Audit activitiesare appropriately completed
Page 22 of 75
Version 1.0 dated 1 June, 2004
8.1.3 Behavioural competence
1) Behavioural competence describes the attributes of conduct and character needed to performthe role of ISA with efficacy. These include:
• interpersonal skills
• competence in communicating at all levels of the organisation
• interviewing skills
• reporting and presentation skills
• integrity and trustworthiness
8.2 Assessment of competence
1) The assessment of competence of ISAs should be in terms of the criteria described inSection 8.1. Where a project requires a team approach, it is the balance of skills that isimportant, and the team leader should demonstrate the ability properly to manage and co-ordinate the team. Individual team members should provide the in-depth knowledge that isrequired.
2) The IPT should ask potential ISAs for evidence of competence, supported by verifiableexamples, as part of their proposal when bidding for an ISA role. Typically, evidence todemonstrate the competencies is based on training, qualifications and experience. Proven abilityis likely to provide the best indicator; and appropriate references to that effect should beobtained wherever possible.
3) Potential ISAs may present evidence of competence of three types, according to who doesthe assessment:
• Self-assessment, i.e. the ISA presents evidence to demonstrate the competencies aspart of their proposal. This will have to be assessed by the IPT on a case-by-casebasis.
• Organisational assessment, i.e. the ISA is assessed by their organisation according toa scheme such as the IEE/BCS Competency Guidelines for Safety-Related SystemPractitioners [1] or the Network Rail ISA Accreditation Scheme. The IPT should askfor any third-party audit of the scheme, which might be an ISO 9001 audit in the caseof the IEE/BCS scheme, or Network Rail’s audit in the case of their scheme.
• Assessment by a third-party independent organisation that designs a scheme andindependently assesses the ISA. Currently the only third-party scheme in the UK isthe CASS (Conformity Assessment of Safety-related Systems) scheme, and there arevery few registrants under the scheme.
Page 23 of 75
Version 1.0 dated 1 June, 2004
9 Scopes of work
1) This section sets out scopes of work for ISA services. The Safety Audit aspect of the ISArole is defined in Section 5.2 and the generic Safety Advice aspect is defined in Section 5.3. Theorganisational interfaces with other organisation are described in Section 6.
2) The ISA produces a number of documents during the course of the Safety Audit, and theseare listed in Section 9.1.
3) Detailed scopes of work covering the CADMID lifecycle phases are tabulated inSection 9.2. The scopes of work cover both safety and environmental protection. Where thetable entries refer to the environment in which the system operates, the term “operatingenvironment” is used.
4) The particular issues relating to legacy systems are described in Section 9.3.
5) Section 9.4 describes how the ISA work items change with the maturity of the contractor’scombined SEMS, Section 9.5 addresses the variation with safety integrity requirements, andSection 9.6 discusses the impact of other procurement models.
9.1 General ISA documentation
1) Irrespective of the lifecycle phase, the ISA should produce the following documents:
Deliverable Comment
ISA Plan This should cover: the scope of the ISA work; aprogramme of work related to major project milestones;management and control including ISA staff competency;the strategy for the audit; and discussion of any specialissues. It should be updated at reasonable intervals, forexample at the start of a new project phase.
Progress reports Reports summarising progress against the ISA Plan ascontracted. These will be produced according to thedemands of the project but may, typically, be on aquarterly basis.
Page 24 of 75
Version 1.0 dated 1 June, 2004
Deliverable Comment
ISA Reports These should be produced prior to major programmemilestones, such as the start of trials and acceptance intoservice. Normally they will follow a new version of thesafety case. They should typically contain: an assessmentof the safety argument; a short summary of the ISA’sactivities since the previous report; references to thedocuments produced; references to the documentsexamined; a discussion of any particular safety issues;and conclusions and recommendations on the safety ofthe activities covered by the safety case. Reference to therequirements of domain-specific JSPs should be made.
In some sectors (e.g. the ship sector), the ISA Report isincluded within the Safety Case Report.
In the air sector, the ISA Report is a customer report thatinforms Release to Service and provides crew advice.
Document reviews The ISA’s reviews of safety documents should bereported.
Audit reports Safety audits should be documented.
Analysis reports Any analyses carried out by the ISA should bedocumented.
Papers giving advice Advice should always be generic (see Section 5.3).Advice may be given verbally, but substantive adviceshould be documented in written papers.
2) According to the sector, the ISA may be asked to sign documents produced by thecontractor to indicate that they have been reviewed or endorsed by the ISA. The relevant safetymanagement JSP will provide details. The contract with the ISA should make it clear if this isrequired.
Page
25
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
9.2
Sco
pes o
f wor
k by
life
cycl
e ph
ase
1)
This
sect
ion
of th
e gu
idan
ce se
ts o
ut g
ener
ic sc
opes
of w
ork
for I
SA se
rvic
es a
ccor
ding
to th
e ph
ase
in th
e C
AD
MID
life
cycl
e. L
ifecy
cle
phas
e is
the
mai
n pa
ram
eter
aff
ectin
g th
e sc
opes
of w
ork.
Indi
vidu
al p
roje
cts m
ay o
f cou
rse
depa
rt fr
om th
e st
rict d
efin
ition
of t
hese
pha
ses,
in w
hich
cas
e th
eIS
A sc
opes
shou
ld b
e ad
just
ed a
ccor
ding
to th
e sa
fety
cas
es to
be
prod
uced
.
2)
The
activ
ities
that
the
ISA
will
und
erta
ke a
t eac
h ph
ase
are
brie
fly su
mm
aris
ed in
Tab
le 1
.
Con
cept
Ass
essm
ent
Dem
onst
ratio
nM
anuf
actu
ring
In-s
ervi
ceD
ispo
sal
Ass
ess s
afet
y an
den
viro
nmen
tal
requ
irem
ents
incl
udin
g in
itial
safe
ty c
ase
Ass
ist w
ith S
OW
Aud
it IP
T’s S
MS
orco
mbi
ned
SEM
S
Atte
nd sa
fety
com
mitt
ees
Ass
ess s
afet
y an
den
viro
nmen
tal
requ
irem
ents
incl
udin
gin
itial
safe
ty c
ase
Ass
ess t
ende
rre
spon
ses f
or sa
fety
Aud
it co
ntra
ctor
(s)
Aud
it IP
T’s S
MS
orco
mbi
ned
SEM
S
Atte
nd sa
fety
com
mitt
ees
Ass
ess c
hang
es to
safe
ty a
nden
viro
nmen
tal
requ
irem
ents
Ass
ess &
aud
itco
ntra
ctor
’s sa
fety
wor
k in
clud
ing
safe
tyca
se
Ass
ess t
ende
rre
spon
ses f
or sa
fety
Aud
it IP
T’s S
MS
orco
mbi
ned
SEM
S
Atte
nd sa
fety
com
mitt
ees
Ass
ess c
hang
es to
safe
ty a
nden
viro
nmen
tal
requ
irem
ents
Ass
ess &
aud
itco
ntra
ctor
’s sa
fety
wor
k in
clud
ing
safe
tyca
se
Ass
ess i
n-se
rvic
esa
fety
cas
e
Aud
it IP
T’s/
Ope
ratin
gA
utho
rity’
s SM
S or
com
bine
d SE
MS
Atte
nd sa
fety
com
mitt
ees
Ass
ess c
hang
es to
safe
ty a
nden
viro
nmen
tal
legi
slat
ion
Mon
itor i
n-se
rvic
epe
rfor
man
ce
Ass
ess i
n-se
rvic
esa
fety
cas
e or
lega
cysa
fety
app
rais
al
Aud
it IP
T’s/
Ope
ratin
gA
utho
rity’
s SM
S or
com
bine
d SE
MS
Atte
nd sa
fety
com
mitt
ees
Ass
ess d
ispo
sal s
afet
yca
se
Ass
ist w
ithco
mpe
titio
n fo
rdi
spos
al
Ass
ess &
aud
itdi
spos
al c
ontra
ctor
’ssa
fety
wor
k in
clud
ing
safe
ty c
ase
Aud
it IP
T’s S
MS
orco
mbi
ned
SEM
S fo
rdi
spos
al
Atte
nd sa
fety
com
mitt
ees
Tab
le 1
: Sum
mar
y of
ISA
act
iviti
es th
roug
h th
e lif
ecyc
le
Page
26
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
3)
In th
e se
ctio
ns b
elow
, eac
h lif
ecyc
le p
hase
is a
ddre
ssed
in a
self-
cont
aine
d su
bsec
tion
tabu
latin
g th
e sa
fety
evi
denc
e, th
e re
late
d IS
A w
ork
item
, the
outp
uts p
rodu
ced
by th
e IS
A, a
nd th
e cu
stom
er o
r ben
efic
iary
for t
he o
utpu
ts. T
he ta
bles
are
div
ided
by
safe
ty c
laim
, and
list
the
evid
ence
that
shou
ld b
epr
ovid
ed b
y th
e co
ntra
ctor
or I
PT to
supp
ort e
ach
clai
m. T
he sa
fety
cla
ims f
or e
ach
phas
e ar
e ill
ustra
ted
in A
ppen
dix
A. N
ote
that
the
fact
that
sepa
rate
safe
ty c
laim
s and
evi
denc
e ar
e sh
own
in th
e ta
bles
doe
s not
mea
n th
at se
para
te d
ocum
ents
are
nec
essa
rily
prod
uced
for e
ach.
4)
Cle
arly
the
ISA
’s w
ork
incr
ease
s in
prop
ortio
n to
the
risk
and
com
plex
ity o
f the
syst
em. T
his i
s bas
ical
ly b
ecau
se th
e sa
fety
arg
umen
t is m
ore
exte
nsiv
e an
d de
taile
d fo
r hig
h ris
k or
hig
h co
mpl
exity
syst
ems.
Bro
adly
spea
king
, the
leve
l of S
afet
y A
udit
will
var
y as
follo
ws:
• A
safe
ty a
rgum
ent o
f the
com
plex
ity il
lust
rate
d in
App
endi
x A
will
requ
ire c
ompr
ehen
sive
inde
pend
ent S
afet
y A
udit
by a
n IS
A te
am,
parti
cula
rly th
roug
h th
e as
sess
men
t, de
mon
stra
tion
and
man
ufac
ture
pha
ses.
• A
sim
pler
safe
ty a
rgum
ent i
s lik
ely
to b
e su
ffic
ient
if, f
or e
xam
ple,
the
safe
ty re
quire
men
ts a
re e
ntire
ly c
odifi
ed in
stan
dard
s suc
h as
the
Dis
play
Scr
een
Reg
ulat
ions
or t
he IE
E W
iring
Reg
ulat
ions
. The
re w
ill th
en b
e no
func
tiona
l saf
ety
aspe
cts t
o th
e sa
fety
arg
umen
t and
the
occu
patio
nal s
afet
y as
pect
s will
sim
ply
invo
lve
show
ing
com
plia
nce
to th
e ap
plic
able
stan
dard
s. Th
e A
LAR
P ar
gum
ent w
ill b
e co
nfor
man
ceto
goo
d pr
actic
e. T
he re
duce
d sa
fety
arg
umen
t tha
t app
lies i
n th
is c
ase
mea
ns th
at a
hig
her-
leve
l Saf
ety
Aud
it by
an
indi
vidu
al is
like
ly to
be
suff
icie
nt.
• If
the
cont
ract
or’s
safe
ty w
ork
is p
oor,
or if
they
hav
e an
imm
atur
e co
mbi
ned
SEM
S, p
ropo
rtion
atel
y m
ore
wor
k w
ill b
e re
quire
d fo
r a g
iven
safe
ty a
rgum
ent,
as d
escr
ibed
in S
ectio
n 9.
4.
• If
the
syst
em is
hig
hly
safe
ty-r
elat
ed o
r saf
ety-
criti
cal,
deep
er in
depe
nden
t ana
lysi
s will
be
requ
ired,
as d
escr
ibed
in S
ectio
n 9.
5.
• Fo
r lar
ge p
roje
cts,
subs
yste
ms w
ill o
ften
have
thei
r ow
n sa
fety
cas
es. T
he o
vera
ll sa
fety
arg
umen
t will
be
sim
ilar t
o a
smal
ler p
roje
ct, b
ut w
illne
ed to
be
asse
mbl
ed fr
om th
e se
ctio
ns o
f the
arg
umen
t in
the
subs
idia
ry c
ases
. Thi
s may
requ
ire e
xtra
gui
danc
e an
d re
view
cyc
les b
y th
eIS
A, a
nd in
terf
acin
g w
ith IS
As f
or su
per-
syst
em o
r sub
syst
em IP
Ts.
• So
me
of th
e Sa
fety
Aud
it fu
nctio
ns c
an b
e co
vere
d by
oth
er o
rgan
isat
ions
. The
way
that
in-h
ouse
org
anis
atio
ns m
ay b
e ab
le to
supp
ort t
hew
ork
of th
e IS
A, l
eadi
ng to
a re
duce
d ne
ed fo
r Saf
ety
Aud
its, i
s des
crib
ed in
Sec
tion
5.1.
2. S
omet
imes
, an
MoD
qua
lity
assu
ranc
ere
pres
enta
tive
is a
ssig
ned
to a
con
tract
or, a
nd th
ey m
ay b
e ab
le to
liai
se w
ith th
e IS
A to
car
ry o
ut so
me
of th
e “t
radi
tiona
l” a
udit
func
tions
.
Page
27
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Espe
cial
ly o
n la
rge
proj
ects
, the
IPT
may
rece
ive
supp
ort f
rom
oth
er o
rgan
isat
ions
and
con
tract
ors i
n th
e sa
fety
are
a (e
.g. t
o w
itnes
s tes
ts),
inw
hich
cas
e th
e IS
A m
ay re
ason
ably
dec
ide
to re
ly o
n th
e co
nclu
sion
s of t
hese
oth
er o
rgan
isat
ions
rath
er th
an fo
rm a
n op
inio
n di
rect
ly.
5)
Som
e w
ork
item
s (e.
g. a
udit
of sa
fety
requ
irem
ents
ana
lysi
s pro
cess
) are
show
n at
eac
h ph
ase
at w
hich
they
mig
ht b
e ca
rrie
d ou
t. In
pra
ctic
e, th
eIS
A m
ight
cho
ose
not t
o ca
rry
out c
erta
in w
ork
item
s at e
very
pha
se if
few
pro
blem
s had
bee
n fo
und
at p
revi
ous p
hase
s. Th
e ra
tiona
le fo
r the
wor
kite
ms t
o be
und
erta
ken
shou
ld b
e re
cord
ed in
the
ISA
Pla
n fo
r the
pha
se.
6)
Whe
re IS
A o
utpu
ts (e
.g. t
he IS
A R
epor
t) ar
e sh
own
as su
pplie
d to
org
anis
atio
ns a
part
from
the
IPT
and
the
rele
vant
SM
O (e
.g. t
o te
nder
ers o
r the
Ope
ratin
g A
utho
rity)
, it i
s im
plic
it th
at th
ey w
ill b
e su
pplie
d vi
a th
e IP
T.
7)
Ther
e m
ay b
e do
mai
n sp
ecifi
c va
riatio
ns in
the
prec
ise
info
rmat
ion
and
evid
ence
that
may
be
prov
ided
at e
ach
phas
e, b
ut th
e in
form
atio
n in
the
tabl
es p
rovi
des a
reas
onab
le su
mm
ary
of w
hat t
he re
latio
nshi
p is
bet
wee
n th
e IP
T an
d th
e IS
A.
8)
A ta
ble
is a
lso
prov
ided
of t
he o
rgan
isat
ions
to w
hich
the
ISA
shou
ld in
terf
ace
at e
ach
lifec
ycle
pha
se.
Page
28
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
9.2.
1 C
once
pt p
hase
1)
At t
his p
hase
, the
safe
ty re
quire
men
ts a
re d
evel
oped
in c
onju
nctio
n w
ith C
usto
mer
1, a
s par
t of t
he b
usin
ess c
ase
for I
nitia
l Gat
e. S
afet
y sh
ould
be
addr
esse
d in
the
draf
ting
of th
e U
RD
. The
safe
ty c
omm
ittee
will
typi
cally
be
set u
p at
this
pha
se.
2)
As i
llust
rate
d in
App
endi
x A
, the
ISA
act
iviti
es a
t thi
s pha
se p
rinci
pally
cov
er th
e de
finiti
on o
f the
safe
ty re
quire
men
ts, c
onfir
mat
ion
that
the
safe
tyre
quire
men
ts a
re a
chie
vabl
e, a
nd th
eir f
low
into
the
UR
D. T
he sc
ope
of w
ork
is a
s fol
low
s:
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Safe
ty c
laim
: Saf
ety
and
envi
ronm
enta
l req
uire
men
ts c
orre
ctly
cap
ture
d an
d va
lidat
ed
Safe
ty a
nd e
nviro
nmen
tal r
equi
rem
ents
anal
ysis
(e.g
. PH
L, P
HA
)C
heck
ana
lysi
s.
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, a
chie
vabi
lity,
con
form
ance
to st
anda
rds a
ndle
gisl
atio
n.
Aud
it an
alys
is p
roce
ss fo
r con
form
ance
to st
anda
rds a
ndsa
fety
man
agem
ent p
lan.
Atte
nd a
naly
sis m
eetin
gs to
che
ck c
ondu
cted
inac
cord
ance
with
stan
dard
s and
goo
d pr
actic
e.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT
Safe
ty a
nd e
nviro
nmen
tal t
oler
abili
tycr
iteria
Che
ck a
naly
sis.
Rev
iew
repo
rt fo
r con
form
ance
to st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Che
ck fo
r agr
eem
ent w
ith c
riter
iafr
om si
mila
r pro
ject
s.
Doc
umen
ted
revi
ew.
IPT
Syst
em a
nd o
pera
ting
envi
ronm
ent
desc
riptio
nC
heck
des
crip
tion
is su
ffic
ient
ly c
ompr
ehen
sive
for t
here
ader
to u
nder
stan
d th
e sa
fety
arg
umen
t.In
clud
ed in
abo
ve re
view
s.IP
T
Page
29
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Con
tract
ual s
afet
y an
d en
viro
nmen
tal
requ
irem
ents
(ini
tial s
afet
y ca
se, s
afet
yca
se re
port
and
UR
D).
Rev
iew
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
achi
evab
ility
, con
form
ance
to st
anda
rds a
nd le
gisl
atio
n.
Che
ck th
at e
vide
nce
likel
y to
be
need
ed fo
r sub
sequ
ent
safe
ty a
rgum
ents
is c
ontra
cted
for.
Doc
umen
ted
revi
ew.
IPT
Safe
ty c
laim
: IPT
’s sa
fety
man
agem
ent i
s ade
quat
e
IPT’
s com
bine
d SE
MS
incl
udin
g Sa
fety
Man
agem
ent P
lan
for c
once
pt p
hase
Aud
it fo
r con
form
ance
to st
anda
rds.
Aud
it re
port.
IPT
MoD
’s sa
fety
org
anis
atio
nA
ttend
safe
ty c
omm
ittee
to d
iscu
ss sa
fety
pro
gres
s, ra
ise
and
disc
uss s
afet
y is
sues
, com
men
t on
safe
ty c
ase
and
supp
ortin
g do
cum
ents
and
ana
lyse
s, ag
ree
tole
rabi
lity
ofris
ks.
—Sa
fety
com
mitt
ee m
embe
rs
Org
anis
atio
nal i
nter
face
sIS
A w
ork
item
IPT
Prod
uce
plan
s and
repo
rts li
sted
in S
ectio
n 9.
1.
Supp
ly g
ener
ic a
dvic
e.
Atte
nd a
d-ho
c m
eetin
gs a
nd re
spon
d to
gen
eral
que
ries.
Cus
tom
er o
rgan
isat
ions
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.3.
SMO
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.4.
Page
30
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Org
anis
atio
nal i
nter
face
sIS
A w
ork
item
Reg
ulat
ory/
certi
ficat
ion
bodi
es (w
here
appl
icab
le)
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.5.
Page
31
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
9.2.
2 A
sses
smen
t pha
se
1)
The
safe
ty re
quire
men
ts a
re fu
rther
dev
elop
ed a
t thi
s pha
se. S
afet
y sh
ould
be
addr
esse
d in
the
draf
ting
of th
e SR
D.
2)
Som
e pr
ogra
mm
es c
omm
ence
wor
k as
soci
ated
with
the
Dem
onst
ratio
n Ph
ase
in th
is p
hase
, and
ther
efor
e be
gin
to e
xpan
d th
e sa
fety
cas
e to
cov
erth
ose
activ
ities
.
3)
As i
llust
rate
d in
App
endi
x A
, the
ISA
act
iviti
es c
ontin
ue to
cov
er th
e de
finiti
on o
f the
safe
ty re
quire
men
ts. T
he IS
A c
an h
ave
a va
luab
le ro
le in
asse
ssin
g th
e te
nder
s for
safe
ty, p
artic
ular
ly th
e pr
opos
ed sa
fety
arg
umen
t for
the
safe
ty c
ase
in th
e D
evel
opm
ent P
hase
. Fol
low
ing
sele
ctio
n of
the
cont
ract
or o
r con
tract
ors,
the
ISA
will
ass
ess t
heir
wor
k fo
r saf
ety
durin
g th
e as
sess
men
t pha
se.
4)
See
Sect
ion
9.5
for a
dditi
onal
item
s tha
t may
be
requ
ired
for h
igh
safe
ty in
tegr
ity sy
stem
s.
5)
The
scop
e of
the
ISA
’s w
ork
is a
s fol
low
s:
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Gen
eral
item
s (re
ferr
ing
to a
ny/a
ll in
divi
dual
cla
ims)
Initi
al (C
once
pt) s
afet
y ca
se re
port
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Doc
umen
ted
revi
ew.
IPT
Safe
ty c
ase
repo
rt fo
r Ass
essm
ent P
hase
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Doc
umen
ted
revi
ew.
IPT,
con
tract
or
Sam
ples
of e
vide
nce
Div
erse
ana
lysi
s, w
itnes
sing
, int
ervi
ewin
g, tr
acea
bilit
ych
ecks
, ver
tical
slic
es a
nd in
spec
tion
at th
e di
scre
tion
ofth
e IS
A.
Res
ults
doc
umen
ted
inw
orki
ng p
aper
s or I
SAR
epor
t
IPT,
con
tract
or, S
MO
(ISA
Rep
ort o
nly)
whe
reap
plic
able
Page
32
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Safe
ty c
laim
: Saf
ety
and
envi
ronm
enta
l req
uire
men
ts c
orre
ctly
cap
ture
d an
d va
lidat
ed
Safe
ty a
nd e
nviro
nmen
tal r
equi
rem
ents
anal
ysis
(e.g
. PH
L, P
HA
)C
heck
ana
lysi
s.
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Aud
it an
alys
is p
roce
ss fo
r con
form
ance
to st
anda
rds a
ndsa
fety
man
agem
ent p
lan.
Atte
nd a
naly
sis m
eetin
gs to
che
ck c
ondu
cted
inac
cord
ance
with
stan
dard
s and
goo
d pr
actic
e.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT
Safe
ty a
nd e
nviro
nmen
tal t
oler
abili
tycr
iteria
Che
ck a
naly
sis.
Rev
iew
repo
rt fo
r con
form
ance
to st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Che
ck fo
r agr
eem
ent w
ith c
riter
iafr
om si
mila
r pro
ject
s.
Doc
umen
ted
revi
ew.
IPT
Syst
em a
nd o
pera
ting
envi
ronm
ent
desc
riptio
nC
heck
des
crip
tion
is su
ffic
ient
ly c
ompr
ehen
sive
for t
here
ader
to u
nder
stan
d th
e sa
fety
arg
umen
t.In
clud
ed in
abo
ve re
view
s.IP
T
Con
tract
ual s
afet
y an
d en
viro
nmen
tal
requ
irem
ents
(SR
D).
Rev
iew
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
conf
orm
ance
to st
anda
rds a
nd le
gisl
atio
n.
Che
ck th
at e
vide
nce
likel
y to
be
need
ed fo
r sub
sequ
ent
safe
ty a
rgum
ents
is c
ontra
cted
for.
Doc
umen
ted
revi
ewIP
T
Page
33
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Safe
ty c
laim
: Equ
ipm
ent m
eets
safe
ty a
nd e
nvir
onm
enta
l req
uire
men
ts
Tend
erer
s’ sa
fety
subm
issi
ons
Rev
iew
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
conf
orm
ance
to st
anda
rds a
nd le
gisl
atio
n.
Che
ck to
lera
bilit
y cr
iteria
for c
onfo
rman
ce to
stan
dard
san
d sa
fety
man
agem
ent p
lan.
Che
ck fo
r agr
eem
ent w
ithcr
iteria
from
sim
ilar p
roje
cts.
Che
ck a
naly
sis.
Che
ck th
at e
vide
nce
is li
kely
to b
e fo
rthco
min
g (e
.g. i
nth
e lig
ht o
f sof
twar
e de
velo
pmen
t pla
n).
Iden
tify
any
area
s of p
roje
ct ri
sk fr
om sa
fety
.
Doc
umen
ted
tend
eras
sess
men
ts.
IPT
Safe
ty a
naly
sis a
dequ
ate
Aud
it an
alys
is p
roce
ss fo
r con
form
ance
to st
anda
rds a
ndsa
fety
man
agem
ent p
lan.
Atte
nd a
naly
sis m
eetin
gs to
che
ck c
ondu
cted
inac
cord
ance
with
stan
dard
s and
goo
d pr
actic
e.
Rev
iew
per
sonn
el c
ompe
tenc
e.
Doc
umen
ted
tend
eras
sess
men
ts a
nd a
udit
repo
rts.
IPT,
con
tract
or
ALA
RP
asse
ssm
ent
Che
ck a
rgum
ents
for c
ompl
ianc
e w
ith re
leva
nt st
anda
rds
and
HSE
gui
danc
e.In
clud
ed in
doc
umen
tre
view
s or I
SA R
epor
t.IP
T, c
ontra
ctor
, SM
O (I
SAR
epor
t onl
y) w
here
appl
icab
le
Page
34
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Subc
laim
: Equ
ipm
ent m
eets
occ
upat
iona
l saf
ety
requ
irem
ents
Occ
upat
iona
l des
ign
stan
dard
sC
heck
for c
ompl
eten
ess a
nd a
pplic
abili
ty.
Aud
it fo
r com
plia
nce
to le
gisl
atio
n, st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Incl
uded
in d
ocum
ent
revi
ews o
r ISA
Rep
ort.
IPT,
con
tract
or, S
MO
(ISA
Rep
ort o
nly)
whe
reap
plic
able
OH
HA
and
OSH
A (i
f phy
sica
l des
ign
and
user
/mai
ntai
ner m
anua
ls su
ffic
ient
lyad
vanc
ed a
t thi
s pha
se)
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Aud
it pr
oces
s for
com
plia
nce
to le
gisl
atio
n, st
anda
rds
and
safe
ty m
anag
emen
t pla
n.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Subc
laim
: Equ
ipm
ent m
eets
env
iron
men
tal r
equi
rem
ents
Envi
ronm
enta
l im
pact
ana
lysi
sR
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
con
form
ance
to st
anda
rds a
nd le
gisl
atio
n.
Aud
it fo
r com
plia
nce
to le
gisl
atio
n, st
anda
rds a
nd sa
fety
man
agem
ent a
nd/o
r env
ironm
enta
l pla
n.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Page
35
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Subc
laim
: Equ
ipm
ent m
eets
safe
ty re
quir
emen
ts fo
r dat
a an
d co
mm
ands
Har
dwar
e sa
fety
ana
lyse
sC
heck
ana
lyse
s for
app
licab
ility
and
cor
rect
ness
.
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Aud
it fo
r com
plia
nce
to le
gisl
atio
n, st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Poss
ibly
car
ry o
ut d
iver
se a
naly
ses,
e.g.
relia
bilit
ym
odel
ling.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Softw
are
safe
ty a
naly
ses
Che
ck a
naly
ses f
or a
pplic
abili
ty a
nd c
orre
ctne
ss.
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Aud
it fo
r com
plia
nce
to le
gisl
atio
n, st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Poss
ibly
car
ry o
ut d
iver
se a
naly
ses,
e.g.
relia
bilit
ygr
owth
mod
ellin
g.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n di
vers
ean
alys
es.
IPT,
con
tract
or
Hum
an fa
ctor
s ana
lyse
sA
udit
hum
an fa
ctor
s wor
ksho
ps e
tc. t
o ch
eck
cond
ucte
din
acc
orda
nce
with
stan
dard
s and
goo
d pr
actic
e.
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Poss
ibly
car
ry o
ut d
iver
se a
naly
sis o
f HC
I for
safe
ty.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n di
vers
ean
alys
es.
IPT,
con
tract
or
Page
36
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
CO
TS it
ems
Rev
iew
CO
TS sa
fety
just
ifica
tion.
Con
side
r fea
sibi
lity
and
suff
icie
ncy
of p
ropo
sals
for
CO
TS a
ssur
ance
.
Poss
ibly
car
ry o
ut re
liabi
lity
anal
ysis
.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n di
vers
ean
alys
is.
IPT,
con
tract
or
Safe
ty c
laim
: IPT
’s sa
fety
man
agem
ent i
s ade
quat
e
IPT’
s com
bine
d SE
MS,
incl
udin
g Sa
fety
Man
agem
ent (
and
Envi
ronm
enta
lM
anag
emen
t ) P
lan
for a
sses
smen
t pha
se
Aud
it fo
r con
form
ance
to st
anda
rds.
Aud
it re
port.
IPT
MoD
’s sa
fety
org
anis
atio
nA
ttend
safe
ty c
omm
ittee
to d
iscu
ss sa
fety
pro
gres
s, ra
ise
and
disc
uss s
afet
y is
sues
, com
men
t on
safe
ty c
ase
and
supp
ortin
g do
cum
ents
and
ana
lyse
s, ag
ree
tole
rabi
lity
ofris
ks.
—Sa
fety
com
mitt
ee m
embe
rs
Safe
ty c
laim
: Con
trac
tor’
s saf
ety
man
agem
ent i
s ade
quat
e
Tend
erer
s’ c
ombi
ned
SEM
SR
evie
w fo
r con
form
ance
to st
anda
rds.
Tend
er a
sses
smen
t.IP
T, te
nder
er
Sele
cted
con
tract
ors
Aud
it fo
r con
form
ance
to st
anda
rds.
Aud
it re
port.
IPT,
con
tract
or
Page
37
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Org
anis
atio
nal i
nter
face
sIS
A w
ork
item
IPT
Prod
uce
plan
s and
repo
rts li
sted
in S
ectio
n 9.
1.
Supp
ly g
ener
ic a
dvic
e.
Atte
nd a
d-ho
c m
eetin
gs a
nd re
spon
d to
gen
eral
que
ries.
Tend
erer
sR
espo
nd to
tend
er q
uerie
s and
form
ulat
e su
pple
men
tary
ques
tions
as n
eces
sary
.
Sele
cted
con
tract
or o
r con
tract
ors
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.2.
Des
ign
Aut
horit
y (w
hen
not I
PT o
rco
ntra
ctor
)In
terf
ace
as d
escr
ibed
in S
ectio
n 6.
6.
Cus
tom
er o
rgan
isat
ions
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.3.
SMO
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.4.
Reg
ulat
ory/
certi
ficat
ion
bodi
es (w
here
appl
icab
le)
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.5.
Page
38
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
9.2.
3 D
emon
stra
tion
phas
e
1)
Gen
eral
ly th
e pr
ime
cont
ract
or w
ill b
e se
lect
ed d
urin
g th
is p
hase
, and
dev
elop
men
t wor
k w
ill c
omm
ence
. The
ISA
can
hav
e a
valu
able
role
inas
sess
ing
the
tend
ers f
or sa
fety
, par
ticul
arly
the
prop
osed
safe
ty a
rgum
ent f
or th
e sa
fety
cas
e. F
ollo
win
g se
lect
ion
of th
e pr
ime
cont
ract
or, t
he IS
A w
illas
sess
thei
r wor
k fo
r saf
ety
durin
g th
e de
mon
stra
tion
and
man
ufac
ture
pha
ses.
2)
At t
his p
hase
, the
safe
ty re
quire
men
ts w
ill b
e flo
wed
to su
bsys
tem
s and
com
pone
nts,
and
deriv
ed sa
fety
requ
irem
ents
iden
tifie
d.
3)
See
Sect
ion
9.5
for a
dditi
onal
item
s tha
t may
be
requ
ired
for h
igh
safe
ty in
tegr
ity sy
stem
s.
4)
The
scop
e of
the
ISA
’s w
ork
is a
s fol
low
s:
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Gen
eral
item
s (re
ferr
ing
to a
ny/a
ll in
divi
dual
cla
ims)
Safe
ty c
ase
repo
rtR
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
con
form
ance
to st
anda
rds a
nd le
gisl
atio
n.D
ocum
ente
d re
view
.IP
T, c
ontra
ctor
Sam
ples
of e
vide
nce
Div
erse
ana
lysi
s, w
itnes
sing
, int
ervi
ewin
g, tr
acea
bilit
ych
ecks
, ver
tical
slic
es a
nd in
spec
tion
at th
e di
scre
tion
ofth
e IS
A.
Res
ults
doc
umen
ted
inw
orki
ng p
aper
s or I
SAR
epor
t
IPT,
con
tract
or, S
MO
(ISA
Rep
ort o
nly)
whe
reap
plic
able
Page
39
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Safe
ty c
laim
: Saf
ety
and
envi
ronm
enta
l req
uire
men
ts c
orre
ctly
cap
ture
d an
d va
lidat
ed
Safe
ty a
nd e
nviro
nmen
tal r
equi
rem
ents
anal
ysis
Rev
iew
cha
nges
and
der
ived
requ
irem
ents
for
corr
ectn
ess,
com
plet
enes
s, co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Che
ck a
naly
sis.
Aud
it an
alys
is p
roce
ss fo
r con
form
ance
to st
anda
rds a
ndsa
fety
man
agem
ent p
lan.
Atte
nd a
naly
sis m
eetin
gs to
che
ck c
ondu
cted
inac
cord
ance
with
stan
dard
s and
goo
d pr
actic
e.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Safe
ty a
nd e
nviro
nmen
tal t
oler
abili
tycr
iteria
Rev
iew
cha
nges
and
flow
to su
bsys
tem
s for
conf
orm
ance
to st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Che
ck fo
r agr
eem
ent w
ith c
riter
ia fr
om si
mila
r pro
ject
s.
Che
ck a
naly
sis.
Doc
umen
ted
revi
ew.
IPT,
con
tract
or
Syst
em a
nd o
pera
ting
envi
ronm
ent
desc
riptio
nC
heck
des
crip
tion
is su
ffic
ient
ly c
ompr
ehen
sive
for t
here
ader
to u
nder
stan
d th
e sa
fety
arg
umen
t.In
clud
ed in
abo
ve re
view
s.IP
T, c
ontra
ctor
Con
tract
ual s
afet
y an
d en
viro
nmen
tal
requ
irem
ents
(SR
D).
Rev
iew
cha
nges
and
der
ived
requ
irem
ents
for
corr
ectn
ess,
com
plet
enes
s, co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Che
ck th
at e
vide
nce
likel
y to
be
need
ed fo
r sub
sequ
ent
safe
ty a
rgum
ents
is c
ontra
cted
for.
Doc
umen
ted
revi
ewIP
T, c
ontra
ctor
Page
40
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Safe
ty c
laim
: Equ
ipm
ent m
eets
safe
ty a
nd e
nvir
onm
enta
l req
uire
men
ts
Tend
erer
s’ sa
fety
subm
issi
ons
Rev
iew
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
conf
orm
ance
to st
anda
rds a
nd le
gisl
atio
n.
Che
ck to
lera
bilit
y cr
iteria
for c
onfo
rman
ce to
stan
dard
san
d sa
fety
man
agem
ent p
lan.
Che
ck fo
r agr
eem
ent w
ithcr
iteria
from
sim
ilar p
roje
cts.
Che
ck a
naly
sis.
Che
ck th
at e
vide
nce
likel
y to
be
forth
com
ing
(e.g
. in
the
light
of s
oftw
are
deve
lopm
ent p
lan)
.
Iden
tify
any
area
s of p
roje
ct ri
sk fr
om sa
fety
.
Doc
umen
ted
tend
eras
sess
men
ts.
IPT
Safe
ty a
naly
sis a
dequ
ate
Aud
it an
alys
is p
roce
ss fo
r con
form
ance
to st
anda
rds a
ndsa
fety
man
agem
ent p
lan.
Atte
nd a
naly
sis m
eetin
gs to
che
ck c
ondu
cted
inac
cord
ance
with
stan
dard
s and
goo
d pr
actic
e.
Rev
iew
per
sonn
el c
ompe
tenc
e.
Doc
umen
ted
tend
eras
sess
men
ts a
nd a
udit
repo
rts.
IPT,
con
tract
or
ALA
RP
asse
ssm
ent
Che
ck a
rgum
ents
for c
ompl
ianc
e w
ith re
leva
nt st
anda
rds
and
HSE
gui
danc
e.In
clud
ed in
doc
umen
tre
view
s or I
SA R
epor
t.IP
T, c
ontra
ctor
, SM
O (I
SAR
epor
t onl
y) w
here
appl
icab
le
Page
41
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Subc
laim
: Equ
ipm
ent m
eets
occ
upat
iona
l saf
ety
requ
irem
ents
Occ
upat
iona
l des
ign
stan
dard
sC
heck
for c
ompl
eten
ess a
nd a
pplic
abili
ty.
Aud
it fo
r com
plia
nce
to le
gisl
atio
n, st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Incl
uded
in d
ocum
ent
revi
ews o
r ISA
Rep
ort.
IPT,
con
tract
or, S
MO
(ISA
Rep
ort o
nly)
whe
reap
plic
able
OH
HA
and
OSH
AR
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
con
form
ance
to st
anda
rds a
nd le
gisl
atio
n.
Aud
it pr
oces
s for
com
plia
nce
to le
gisl
atio
n, st
anda
rds
and
safe
ty m
anag
emen
t pla
n.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Subc
laim
: Equ
ipm
ent m
eets
env
iron
men
tal r
equi
rem
ents
Envi
ronm
enta
l im
pact
ana
lysi
sR
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
con
form
ance
to st
anda
rds a
nd le
gisl
atio
n.
Aud
it fo
r com
plia
nce
to le
gisl
atio
n, st
anda
rds a
nd sa
fety
man
agem
ent a
nd/o
r env
ironm
enta
l man
agem
ent p
lan.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Page
42
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Subc
laim
: Equ
ipm
ent m
eets
safe
ty re
quir
emen
ts fo
r dat
a an
d co
mm
ands
Har
dwar
e sa
fety
ana
lyse
sC
heck
ana
lyse
s for
app
licab
ility
and
cor
rect
ness
.
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Aud
it fo
r com
plia
nce
to le
gisl
atio
n, st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Poss
ibly
car
ry o
ut d
iver
se a
naly
ses,
e.g.
relia
bilit
ym
odel
ling.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Softw
are
safe
ty a
naly
ses
Che
ck a
naly
ses f
or a
pplic
abili
ty a
nd c
orre
ctne
ss.
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Aud
it fo
r com
plia
nce
to le
gisl
atio
n, st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Poss
ibly
car
ry o
ut d
iver
se a
naly
ses,
e.g.
relia
bilit
ygr
owth
mod
ellin
g.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n di
vers
ean
alys
es.
IPT,
con
tract
or
Hum
an fa
ctor
s ana
lyse
sA
udit
hum
an fa
ctor
s wor
ksho
ps e
tc. t
o ch
eck
cond
ucte
din
acc
orda
nce
with
stan
dard
s and
goo
d pr
actic
e.
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Poss
ibly
car
ry o
ut d
iver
se a
naly
sis o
f HC
I for
safe
ty.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n di
vers
ean
alys
es.
IPT,
con
tract
or
Page
43
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
CO
TS it
ems
Con
side
r fea
sibi
lity
and
suff
icie
ncy
of p
ropo
sals
for
CO
TS a
ssur
ance
.
Rev
iew
CO
TS sa
fety
just
ifica
tion.
Poss
ibly
car
ry o
ut re
liabi
lity
anal
ysis
.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n C
OTS
issu
es a
nd d
iver
se a
naly
sis.
IPT,
con
tract
or
Safe
ty c
laim
: IPT
’s sa
fety
man
agem
ent i
s ade
quat
e
IPT’
s Saf
ety
Man
agem
ent S
yste
m,
incl
udin
g Sa
fety
Man
agem
ent P
lan
for
dem
onst
ratio
n ph
ase
Aud
it fo
r con
form
ance
to st
anda
rds.
Aud
it re
port.
IPT
MoD
’s sa
fety
org
anis
atio
nA
ttend
safe
ty c
omm
ittee
to d
iscu
ss sa
fety
pro
gres
s, ra
ise
and
disc
uss s
afet
y is
sues
, com
men
t on
safe
ty c
ase
and
supp
ortin
g do
cum
ents
and
ana
lyse
s, ag
ree
tole
rabi
lity
ofris
ks.
—Sa
fety
com
mitt
ee m
embe
rs
Safe
ty c
laim
: Con
trac
tor’
s saf
ety
man
agem
ent i
s ade
quat
e
Tend
erer
s’ c
ombi
ned
SEM
SR
evie
w fo
r con
form
ance
to st
anda
rds.
Tend
er a
sses
smen
t.IP
T, te
nder
er
Con
tract
or’s
com
bine
d SE
MS
Aud
it fo
r con
form
ance
to st
anda
rds.
Aud
it re
port.
IPT,
con
tract
or
Con
tract
or’s
safe
ty o
rgan
isat
ion
Atte
nd sa
fety
com
mitt
ees t
o di
scus
s saf
ety
prog
ress
,ra
ise
and
disc
uss s
afet
y is
sues
, com
men
t on
safe
ty c
ase
and
supp
ortin
g do
cum
ents
and
ana
lyse
s, ag
ree
tole
rabi
lity
of ri
sks.
—Sa
fety
com
mitt
ee m
embe
rs
Con
tract
or’s
safe
ty m
anag
emen
t pla
nR
evie
w fo
r con
form
ance
to st
anda
rds.
Doc
umen
ted
revi
ew.
IPT,
con
tract
or
Page
44
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Org
anis
atio
nal i
nter
face
sIS
A w
ork
item
IPT
Prod
uce
plan
s and
repo
rts li
sted
in S
ectio
n 9.
1.
Supp
ly g
ener
ic a
dvic
e.
Atte
nd a
d-ho
c m
eetin
gs a
nd re
spon
d to
gen
eral
que
ries.
Sele
cted
prim
e co
ntra
ctor
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.2.
Des
ign
Aut
horit
y (w
hen
not I
PT o
rco
ntra
ctor
)In
terf
ace
as d
escr
ibed
in S
ectio
n 6.
6.
Cus
tom
er o
rgan
isat
ions
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.3.
SMO
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.4.
Reg
ulat
ory/
certi
ficat
ion
bodi
es (w
here
appl
icab
le)
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.5.
Page
45
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
9.2.
4 M
anuf
actu
ring
pha
se
1)
In th
is p
hase
, sys
tem
dev
elop
men
t and
pro
duct
ion
is c
ompl
eted
and
acc
epta
nce
take
s pla
ce. T
he sa
fety
cas
e is
exp
ande
d by
dev
elop
ing
oper
atin
gas
pect
s.
2)
The
ISA
act
iviti
es a
re sh
own
in A
ppen
dix
A. T
he w
ork
conc
entra
tes o
n th
e de
taile
d sa
fety
arg
umen
t tha
t the
syst
em m
eets
its s
afet
y re
quire
men
ts.
3)
In th
e ai
r sec
tor,
the
ISA
’s o
rgan
isat
iona
l int
erfa
ce is
with
the
Rel
ease
to S
ervi
ce A
utho
rity
rath
er th
an th
e O
pera
ting
Aut
horit
y.
4)
See
Sect
ion
9.5
for a
dditi
onal
item
s tha
t may
be
requ
ired
for h
igh
safe
ty in
tegr
ity sy
stem
s.
5)
The
scop
e of
the
ISA
’s w
ork
is a
s fol
low
s:
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Gen
eral
item
s (re
ferr
ing
to a
ny/a
ll in
divi
dual
cla
ims)
Safe
ty c
ase
repo
rtR
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
con
form
ance
to st
anda
rds a
nd le
gisl
atio
n.D
ocum
ente
d re
view
.IP
T, c
ontra
ctor
Safe
ty c
ase
repo
rt fo
r ope
ratio
n (o
r In-
serv
ice
Phas
e)R
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
con
form
ance
to st
anda
rds a
nd le
gisl
atio
n.
Che
ck a
dequ
acy
and
cove
rage
of S
OPs
and
trai
ning
.
Doc
umen
ted
revi
ew.
IPT,
Ope
ratin
g A
utho
rity
Sam
ples
of e
vide
nce
Div
erse
ana
lysi
s, w
itnes
sing
, int
ervi
ewin
g, tr
acea
bilit
ych
ecks
, ver
tical
slic
es a
nd in
spec
tion
at th
e di
scre
tion
ofth
e IS
A.
Res
ults
doc
umen
ted
inw
orki
ng p
aper
s or I
SAR
epor
t
IPT,
con
tract
or, S
MO
(ISA
Rep
ort o
nly)
whe
reap
plic
able
Page
46
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Safe
ty c
laim
: Saf
ety
and
envi
ronm
enta
l req
uire
men
ts c
orre
ctly
cap
ture
d an
d va
lidat
ed
Safe
ty a
nd e
nviro
nmen
tal r
equi
rem
ents
anal
ysis
Rev
iew
cha
nges
and
der
ived
requ
irem
ents
for
corr
ectn
ess,
com
plet
enes
s, co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Che
ck a
naly
sis.
Aud
it an
alys
is p
roce
ss fo
r con
form
ance
to st
anda
rds a
ndsa
fety
man
agem
ent p
lan.
Atte
nd a
naly
sis m
eetin
gs to
che
ck c
ondu
cted
inac
cord
ance
with
stan
dard
s and
goo
d pr
actic
e.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Safe
ty a
nd e
nviro
nmen
tal t
oler
abili
tycr
iteria
Rev
iew
cha
nges
and
flow
to su
bsys
tem
s for
conf
orm
ance
to st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Che
ck fo
r agr
eem
ent w
ith c
riter
ia fr
om si
mila
r pro
ject
s.
Che
ck a
naly
sis.
Doc
umen
ted
revi
ew.
IPT,
con
tract
or
Syst
em a
nd o
pera
ting
envi
ronm
ent
desc
riptio
nC
heck
any
cha
nges
to d
escr
iptio
n.In
clud
ed in
abo
ve re
view
s.IP
T, c
ontra
ctor
Con
tract
ual s
afet
y an
d en
viro
nmen
tal
requ
irem
ents
(SR
D).
Rev
iew
cha
nges
and
der
ived
requ
irem
ents
for
corr
ectn
ess,
com
plet
enes
s, co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Che
ck th
at e
vide
nce
likel
y to
be
need
ed fo
r sub
sequ
ent
safe
ty a
rgum
ents
is c
ontra
cted
for.
Doc
umen
ted
revi
ewIP
T, c
ontra
ctor
Page
47
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Safe
ty c
laim
: Equ
ipm
ent m
eets
safe
ty a
nd e
nvir
onm
enta
l req
uire
men
ts
Safe
ty a
naly
sis a
dequ
ate
Aud
it an
alys
is p
roce
ss fo
r con
form
ance
to st
anda
rds a
ndsa
fety
man
agem
ent p
lan.
Atte
nd a
naly
sis m
eetin
gs to
che
ck c
ondu
cted
inac
cord
ance
with
stan
dard
s and
goo
d pr
actic
e.
Rev
iew
per
sonn
el c
ompe
tenc
e.
Doc
umen
ted
tend
eras
sess
men
ts a
nd a
udit
repo
rts.
IPT,
con
tract
or
ALA
RP
asse
ssm
ent
Che
ck a
rgum
ents
for c
ompl
ianc
e w
ith re
leva
nt st
anda
rds
and
HSE
gui
danc
e.In
clud
ed in
doc
umen
tre
view
s or I
SA R
epor
t.IP
T, c
ontra
ctor
, SM
O (I
SAR
epor
t onl
y) w
here
appl
icab
le
Subc
laim
: Equ
ipm
ent m
eets
occ
upat
iona
l saf
ety
requ
irem
ents
Occ
upat
iona
l des
ign
stan
dard
sC
heck
for c
ompl
eten
ess a
nd a
pplic
abili
ty.
Aud
it fo
r com
plia
nce
to le
gisl
atio
n, st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Incl
uded
in d
ocum
ent
revi
ews o
r ISA
Rep
ort.
IPT,
con
tract
or, S
MO
(ISA
Rep
ort o
nly)
whe
reap
plic
able
OH
HA
and
OSH
AR
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
con
form
ance
to st
anda
rds a
nd le
gisl
atio
n.
Aud
it pr
oces
s for
com
plia
nce
to le
gisl
atio
n, st
anda
rds
and
safe
ty m
anag
emen
t pla
n.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Page
48
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Subc
laim
: Equ
ipm
ent m
eets
env
iron
men
tal r
equi
rem
ents
Envi
ronm
enta
l im
pact
ana
lysi
sR
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
con
form
ance
to st
anda
rds a
nd le
gisl
atio
n.
Aud
it fo
r com
plia
nce
to le
gisl
atio
n, st
anda
rds a
nd sa
fety
man
agem
ent a
nd/o
r env
ironm
enta
l pla
n.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Subc
laim
: Equ
ipm
ent m
eets
safe
ty re
quir
emen
ts fo
r dat
a an
d co
mm
ands
Har
dwar
e sa
fety
ana
lyse
sC
heck
ana
lyse
s for
app
licab
ility
and
cor
rect
ness
.
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Aud
it fo
r com
plia
nce
to le
gisl
atio
n, st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Poss
ibly
car
ry o
ut d
iver
se a
naly
ses,
e.g.
relia
bilit
ym
odel
ling.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n di
vers
ean
alys
es.
IPT,
con
tract
or
Softw
are
safe
ty a
naly
ses
Che
ck a
naly
ses f
or a
pplic
abili
ty a
nd c
orre
ctne
ss.
Aud
it fo
r com
plia
nce
to le
gisl
atio
n, st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Poss
ibly
car
ry o
ut d
iver
se a
naly
ses,
e.g.
relia
bilit
ygr
owth
mod
ellin
g.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n di
vers
ean
alys
es.
IPT,
con
tract
or
Page
49
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Hum
an fa
ctor
s ana
lyse
sA
udit
hum
an fa
ctor
s wor
ksho
ps e
tc. t
o ch
eck
cond
ucte
din
acc
orda
nce
with
stan
dard
s and
goo
d pr
actic
e.
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Poss
ibly
car
ry o
ut d
iver
se a
naly
sis o
f HC
I for
safe
ty.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n di
vers
ean
alys
es.
IPT,
con
tract
or
CO
TS it
ems
Con
side
r fea
sibi
lity
and
suff
icie
ncy
of p
ropo
sals
for
CO
TS a
ssur
ance
.
Rev
iew
CO
TS sa
fety
just
ifica
tion.
Poss
ibly
car
ry o
ut re
liabi
lity
anal
ysis
.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n C
OTS
issu
es a
nd d
iver
se a
naly
sis.
IPT,
con
tract
or
Safe
ty c
laim
: IPT
’s a
nd O
pera
ting
Aut
hori
ty’s
safe
ty m
anag
emen
t is a
dequ
ate
IPT’
s Saf
ety
Man
agem
ent S
yste
m,
incl
udin
g Sa
fety
Man
agem
ent P
lan
for
Man
ufac
turin
g Ph
ase
Aud
it fo
r con
form
ance
to st
anda
rds.
Aud
it re
port
IPT
MoD
’s sa
fety
org
anis
atio
nA
ttend
safe
ty c
omm
ittee
to d
iscu
ss sa
fety
pro
gres
s, ra
ise
and
disc
uss s
afet
y is
sues
, com
men
t on
safe
ty c
ase
and
supp
ortin
g do
cum
ents
and
ana
lyse
s, ag
ree
tole
rabi
lity
ofris
ks.
—Sa
fety
com
mitt
ee m
embe
rs
Safe
ty c
laim
: Con
trac
tor’
s saf
ety
man
agem
ent i
s ade
quat
e
Con
tract
or’s
com
bine
d SE
MS
Aud
it fo
r con
form
ance
to st
anda
rds.
Aud
it re
port.
IPT,
con
tract
or
Page
50
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Con
tract
or’s
safe
ty o
rgan
isat
ion
Atte
nd sa
fety
com
mitt
ees t
o di
scus
s saf
ety
prog
ress
,ra
ise
and
disc
uss s
afet
y is
sues
, com
men
t on
safe
ty c
ase
and
supp
ortin
g do
cum
ents
and
ana
lyse
s, ag
ree
tole
rabi
lity
of ri
sks.
—Sa
fety
com
mitt
ee m
embe
rs
Con
tract
or’s
safe
ty m
anag
emen
t pla
nR
evie
w c
hang
es fo
r con
form
ance
to st
anda
rds.
Doc
umen
ted
revi
ew.
IPT,
con
tract
or
Org
anis
atio
nal i
nter
face
sIS
A w
ork
item
IPT
Prod
uce
plan
s and
repo
rts li
sted
in S
ectio
n 9.
1.
Supp
ly g
ener
ic a
dvic
e.
Atte
nd a
d-ho
c m
eetin
gs a
nd re
spon
d to
gen
eral
que
ries.
Sele
cted
prim
e co
ntra
ctor
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.2.
Des
ign
Aut
horit
y (w
hen
not I
PT o
rco
ntra
ctor
)In
terf
ace
as d
escr
ibed
in S
ectio
n 6.
6.
Cus
tom
er o
rgan
isat
ions
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.3.
SMO
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.4.
Reg
ulat
ory/
certi
ficat
ion
bodi
es (w
here
appl
icab
le)
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.5.
Page
51
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
9.2.
5 In
-ser
vice
pha
se
1)
In th
is p
hase
, the
IPT
mai
ntai
ns th
e le
vels
of p
erfo
rman
ce a
gree
d w
ith it
s cus
tom
ers a
nd c
arrie
s out
app
rove
d up
grad
es o
r im
prov
emen
ts, r
efits
or
acqu
isiti
on in
crem
ents
. The
ISA
may
be
cont
ract
ed in
a st
and-
by ro
le o
n a
limit
of li
abili
ty c
ontra
ct, o
r eng
aged
onl
y w
hen
a sa
fety
issu
e em
erge
s. Th
eIS
A’s
role
is to
mon
itor i
n-se
rvic
e pe
rfor
man
ce to
see
if th
e sy
stem
mee
ts it
s saf
ety
requ
irem
ents
, and
to id
entif
y w
eakn
esse
s in
the
prec
edin
g w
ork
that
only
bec
ome
appa
rent
in se
rvic
e.
2)
Furth
er d
evel
opm
ent w
ork
or a
cha
nge
of ro
le w
ill in
volv
e ch
ange
s to
the
safe
ty a
rgum
ent,
whi
ch w
ill re
quire
ISA
act
ion
as d
escr
ibed
for t
hepr
evio
us p
hase
s.
3)
Safe
ty a
nd e
nviro
nmen
tal r
equi
rem
ents
may
cha
nge
in-s
ervi
ce d
ue to
cha
nges
to th
e sy
stem
, its
role
, leg
isla
tion,
pol
icy,
etc
.
4)
Dep
endi
ng o
n th
e se
ctor
, the
IPT
may
not
be
able
to c
ontra
ct fo
r Saf
ety
Aud
it of
the
Ope
ratin
g A
utho
rity’
s com
bine
d SE
MS.
In th
at c
ase,
the
ISA
’sin
terf
ace
with
the
Ope
ratin
g A
utho
rity
and
DR
AC
AS/
FRA
CA
S da
ta w
ill b
e th
roug
h th
e in
-ser
vice
safe
ty c
omm
ittee
.
5)
In th
e ai
r sec
tor,
the
ISA
’s o
rgan
isat
iona
l int
erfa
ce is
with
the
Rel
ease
to S
ervi
ce A
utho
rity
rath
er th
an th
e O
pera
ting
Aut
horit
y.
6)
The
scop
e of
the
ISA
’s w
ork
is a
s fol
low
s:
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Gen
eral
item
s (re
ferr
ing
to a
ny/a
ll in
divi
dual
cla
ims)
Safe
ty c
ase
repo
rt fo
r ope
ratio
n (o
r In-
serv
ice
Phas
e)R
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
con
form
ance
to st
anda
rds a
nd le
gisl
atio
n.
Che
ck a
dequ
acy
and
cove
rage
of S
OPs
and
trai
ning
.
Doc
umen
ted
revi
ew.
IPT,
Ope
ratin
g A
utho
rity,
CLS
con
tract
or (i
fap
plic
able
)
Page
52
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Safe
ty c
laim
: Saf
ety
and
envi
ronm
enta
l req
uire
men
ts c
orre
ctly
cap
ture
d an
d va
lidat
ed
Con
tract
ual s
afet
y an
d en
viro
nmen
tal
requ
irem
ents
.R
evie
w th
e lig
ht o
f new
or r
evis
ed le
gisl
atio
n,“g
rand
fath
er ri
ghts
”.D
ocum
ente
d re
view
.IP
T, O
pera
ting
Aut
horit
y,C
LS c
ontra
ctor
(if
appl
icab
le)
Safe
ty c
laim
: IPT
’s sa
fety
man
agem
ent i
s ade
quat
e
IPT’
s Saf
ety
Man
agem
ent S
yste
m,
incl
udin
g Sa
fety
Man
agem
ent P
lan
for I
n-se
rvic
e Ph
ase
Aud
it fo
r con
form
ance
to st
anda
rds.
Aud
it re
port.
IPT
MoD
’s in
-ser
vice
safe
ty o
rgan
isat
ion
Atte
nd sa
fety
com
mitt
ee to
dis
cuss
in-s
ervi
ce sa
fety
issu
es fr
om D
RA
CA
S, ra
ise
and
disc
uss s
afet
y is
sues
,co
mm
ent o
n up
date
s to
safe
ty c
ase
and
supp
ortin
gdo
cum
ents
and
ana
lyse
s, ag
ree
cont
inue
d to
lera
bilit
y of
risks
.
—Sa
fety
com
mitt
ee m
embe
rs
Safe
ty c
laim
: Ope
ratin
g A
utho
rity
’s sa
fety
man
agem
ent i
s ade
quat
e
DR
AC
AS/
FRA
CA
SR
evie
w d
ata.
Aud
it pr
oces
s for
con
form
ance
to st
anda
rds.
Mon
itor c
orre
ctiv
e ac
tion.
Aud
it re
port.
IPT,
Ope
ratin
g A
utho
rity,
CLS
con
tract
or (i
fap
plic
able
)
Safe
ty c
laim
: CLS
con
trac
tor’
s saf
ety
man
agem
ent i
s ade
quat
e (w
here
app
oint
ed)
Con
tract
or’s
com
bine
d SE
MS
Aud
it fo
r con
form
ance
to st
anda
rds.
Aud
it re
port.
IPT,
CLS
con
tract
or
Con
tract
or’s
safe
ty m
anag
emen
t pla
nR
evie
w fo
r con
form
ance
to st
anda
rds.
Doc
umen
ted
revi
ew.
IPT,
con
tract
or
Page
53
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
If u
pgra
des o
r im
prov
emen
ts, r
efits
or
acqu
isiti
on in
crem
ents
ISA
wor
k ite
m
Safe
ty a
rgum
ent c
hang
esA
s for
pre
cedi
ng p
hase
s.
Org
anis
atio
nal i
nter
face
sIS
A w
ork
item
IPT
Prod
uce
plan
s and
repo
rts li
sted
in S
ectio
n 9.
1.
Supp
ly g
ener
ic a
dvic
e.
Atte
nd a
d-ho
c m
eetin
gs a
nd re
spon
d to
gen
eral
que
ries.
CLS
con
tract
or (i
f app
licab
le)
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.2.
Des
ign
Aut
horit
y (w
hen
not I
PT o
rco
ntra
ctor
)In
terf
ace
as d
escr
ibed
in S
ectio
n 6.
6.
Cus
tom
er o
rgan
isat
ions
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.3.
SMO
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.4.
Reg
ulat
ory/
certi
ficat
ion
bodi
es (w
here
appl
icab
le)
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.5.
Page
54
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
9.2.
6 D
ispo
sal p
hase
1)
Plan
ned
disp
osal
invo
lves
the
effic
ient
, eff
ectiv
e an
d sa
fe d
ispo
sal o
f the
syst
em. D
ispo
sal s
houl
d co
nsid
er b
oth
end-
of-li
fe a
nd p
ost-a
ccid
ent c
ases
.B
oth
shou
ld b
e ad
dres
sed
by th
e or
igin
al p
lans
but
, whe
re th
ese
wer
e pr
oduc
ed so
me
time
prev
ious
ly, t
hey
shou
ld b
e re
view
ed fo
r ade
quac
y pr
ior t
odi
spos
al o
r per
iodi
cally
as a
ppro
pria
te. W
here
dis
posa
l is s
impl
e an
d th
ere
are
no c
hang
es to
the
appl
icab
le le
gisl
atio
n, it
may
not
be
nece
ssar
y to
empl
oy a
n IS
A.
2)
The
scop
e of
the
ISA
’s w
ork
is a
s fol
low
s:
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Safe
ty c
ase
repo
rt fo
r dis
posa
lR
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
con
form
ance
to st
anda
rds a
nd le
gisl
atio
n.D
ocum
ente
d re
view
.IP
T, O
pera
ting
Aut
horit
y,di
spos
al/C
LS c
ontra
ctor
(if
appl
icab
le)
Safe
ty c
laim
: Dis
posa
l is s
afe
IPT’
s Saf
ety
Man
agem
ent S
yste
m, i
nc.
Safe
ty M
anag
emen
t Pla
n fo
r dis
posa
lph
ase
Aud
it fo
r con
form
ance
to st
anda
rds.
Aud
it re
port.
IPT
Dis
posa
l fol
low
s pla
nIf
com
petit
ion
for d
ispo
sal,
revi
ew S
OW
and
tend
erre
spon
ses.
Rev
iew
dis
posa
l saf
ety
case
.
Aud
it di
spos
al c
ontra
ctor
’s S
MS.
Doc
umen
ted
revi
ew.
IPT,
Ope
ratin
g A
utho
rity,
disp
osal
/CLS
con
tract
or (i
fap
plic
able
)
Page
55
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Org
anis
atio
nal i
nter
face
sIS
A w
ork
item
IPT
Prod
uce
plan
s and
repo
rts li
sted
in S
ectio
n 9.
1.
Supp
ly g
ener
ic a
dvic
e.
Atte
nd a
d-ho
c m
eetin
gs a
nd re
spon
d to
gen
eral
que
ries.
Dis
posa
l/CLS
con
tract
or (i
f app
licab
le)
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.2.
Des
ign
Aut
horit
y (w
hen
not I
PT o
rco
ntra
ctor
)In
terf
ace
as d
escr
ibed
in S
ectio
n 6.
6.
Cus
tom
er o
rgan
isat
ions
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.3.
SMO
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.4.
Reg
ulat
ory/
certi
ficat
ion
bodi
es (w
here
appl
icab
le)
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.5.
Page
56
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
9.3
Leg
acy
syst
ems
1)
This
sect
ion
cons
ider
s the
ISA
role
for l
egac
y sy
stem
s, an
d sp
ecifi
cally
whe
re a
retro
spec
tive
safe
ty a
ppra
isal
is to
be
carr
ied
out b
y a
cont
ract
or.
2)
The
scop
e of
the
ISA
’s w
ork
is a
s fol
low
s:
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Gen
eral
item
s (re
ferr
ing
to a
ny/a
ll in
divi
dual
cla
ims)
Ret
rosp
ectiv
e sa
fety
app
rais
al/ s
afet
y ca
seR
evie
w c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
conf
orm
ance
to st
anda
rds a
nd le
gisl
atio
n. C
heck
that
repo
rt is
pro
porti
onat
e to
risk
from
syst
em a
nd re
mai
ning
time
in se
rvic
e.
Doc
umen
ted
revi
ew.
IPT,
con
tract
or
Sam
ples
of e
vide
nce
Div
erse
ana
lysi
s, w
itnes
sing
, int
ervi
ewin
g, tr
acea
bilit
ych
ecks
, ver
tical
slic
es a
nd in
spec
tion
at th
e di
scre
tion
ofth
e IS
A.
Res
ults
doc
umen
ted
inw
orki
ng p
aper
s or I
SAR
epor
t
IPT,
con
tract
or, S
MO
(ISA
Rep
ort o
nly)
whe
reap
plic
able
Page
57
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Safe
ty c
laim
: Saf
ety
and
envi
ronm
enta
l req
uire
men
ts c
orre
ctly
cap
ture
d an
d va
lidat
ed
Safe
ty a
nd e
nviro
nmen
tal r
equi
rem
ents
anal
ysis
Rev
iew
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy
and
conf
orm
ance
to st
anda
rds.
Rev
iew
aga
inst
app
licab
le le
gisl
atio
n be
arin
g in
min
dtim
e of
intro
duct
ion
into
serv
ice.
Che
ck a
naly
sis.
Aud
it an
alys
is p
roce
ss fo
r con
form
ance
to st
anda
rds a
ndsa
fety
man
agem
ent p
lan.
Atte
nd a
naly
sis m
eetin
gs to
che
ck c
ondu
cted
inac
cord
ance
with
stan
dard
s and
goo
d pr
actic
e.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Safe
ty a
nd e
nviro
nmen
tal t
oler
abili
tycr
iteria
Rev
iew
for c
onfo
rman
ce to
stan
dard
s and
safe
tym
anag
emen
t pla
n. C
heck
for a
gree
men
t with
crit
eria
from
sim
ilar p
roje
cts.
Con
side
r app
licat
ion
of“g
rand
fath
er ri
ghts
” fo
r equ
ipm
ent i
n se
rvic
e fo
r sev
eral
year
s or m
ore.
Che
ck if
“tim
e at
risk
” is
pro
perly
cons
ider
ed.
Che
ck a
naly
sis.
Doc
umen
ted
revi
ew.
IPT,
con
tract
or
Syst
em a
nd o
pera
ting
envi
ronm
ent
desc
riptio
nC
heck
des
crip
tion
is su
ffic
ient
ly c
ompr
ehen
sive
for t
here
ader
to u
nder
stan
d th
e sa
fety
arg
umen
t.In
clud
ed in
abo
ve re
view
s.IP
T, c
ontra
ctor
Page
58
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Safe
ty c
laim
: Equ
ipm
ent m
eets
safe
ty a
nd e
nvir
onm
enta
l req
uire
men
ts
Safe
ty a
naly
sis a
dequ
ate
Aud
it an
alys
is p
roce
ss fo
r con
form
ance
to st
anda
rds a
ndsa
fety
man
agem
ent p
lan.
Atte
nd a
naly
sis m
eetin
gs to
che
ck c
ondu
cted
inac
cord
ance
with
stan
dard
s and
goo
d pr
actic
e.
Rev
iew
per
sonn
el c
ompe
tenc
e.
Doc
umen
ted
audi
t rep
orts
.IP
T, c
ontra
ctor
ALA
RP
asse
ssm
ent
Che
ck a
rgum
ents
for c
ompl
ianc
e w
ith re
leva
nt st
anda
rds
and
HSE
gui
danc
e.In
clud
ed in
doc
umen
tre
view
s or I
SA R
epor
t.IP
T, c
ontra
ctor
, SM
O (I
SAR
epor
t onl
y) w
here
appl
icab
le
Subc
laim
: Equ
ipm
ent m
eets
occ
upat
iona
l saf
ety
requ
irem
ents
Occ
upat
iona
l des
ign
stan
dard
sC
heck
for c
ompl
eten
ess a
nd a
pplic
abili
ty.
Aud
it fo
r com
plia
nce
to st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Rev
iew
aga
inst
app
licab
le le
gisl
atio
n be
arin
g in
min
dtim
e of
intro
duct
ion
into
serv
ice.
Incl
uded
in d
ocum
ent
revi
ews o
r ISA
Rep
ort.
IPT,
con
tract
or, S
MO
(ISA
Rep
ort o
nly)
whe
reap
plic
able
OH
HA
and
OSH
AR
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy
and
conf
orm
ance
to st
anda
rds.
Rev
iew
aga
inst
app
licab
le le
gisl
atio
n be
arin
g in
min
dtim
e of
intro
duct
ion
into
serv
ice.
Aud
it ag
ains
t sta
ndar
ds a
nd sa
fety
man
agem
ent p
lan.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Page
59
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Subc
laim
: Equ
ipm
ent m
eets
env
iron
men
tal r
equi
rem
ents
Envi
ronm
enta
l im
pact
ana
lysi
sR
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy
and
conf
orm
ance
to st
anda
rds.
Rev
iew
aga
inst
app
licab
le le
gisl
atio
n be
arin
g in
min
dtim
e of
intro
duct
ion
into
serv
ice.
Aud
it fo
r com
plia
nce
to st
anda
rds a
nd sa
fety
and
/or
envi
ronm
enta
l man
agem
ent p
lan.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Subc
laim
: Equ
ipm
ent m
eets
safe
ty re
quir
emen
ts fo
r dat
a an
d co
mm
ands
Har
dwar
e sa
fety
ana
lyse
sR
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy
and
conf
orm
ance
to st
anda
rds.
Aud
it fo
r com
plia
nce
to st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Che
ck a
naly
ses f
or a
pplic
abili
ty a
nd c
orre
ctne
ss.
Poss
ibly
car
ry o
ut d
iver
se a
naly
ses,
e.g.
relia
bilit
ym
odel
ling.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Page
60
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Softw
are
safe
ty a
naly
ses
Aud
it fo
r com
plia
nce
to st
anda
rds a
nd sa
fety
man
agem
ent p
lan.
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s, co
nsis
tenc
yan
d co
nfor
man
ce to
stan
dard
s.
Che
ck a
naly
ses f
or a
pplic
abili
ty a
nd c
orre
ctne
ss.
Poss
ibly
car
ry o
ut d
iver
se a
naly
ses,
e.g.
relia
bilit
ygr
owth
mod
ellin
g.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n di
vers
ean
alys
es.
IPT,
con
tract
or
Hum
an fa
ctor
s ana
lyse
sR
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy
and
conf
orm
ance
to st
anda
rds.
Rev
iew
aga
inst
app
licab
le le
gisl
atio
n be
arin
g in
min
dtim
e of
intro
duct
ion
into
serv
ice.
Poss
ibly
car
ry o
ut d
iver
se a
naly
sis o
f HC
I for
safe
ty.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n di
vers
ean
alys
es.
IPT,
con
tract
or
CO
TS it
ems
Rev
iew
CO
TS sa
fety
just
ifica
tion.
Poss
ibly
car
ry o
ut re
liabi
lity
anal
ysis
.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n C
OTS
issu
es a
nd d
iver
se a
naly
sis.
IPT,
con
tract
or
Safe
ty c
laim
: IPT
’s sa
fety
man
agem
ent i
s ade
quat
e
IPT’
s Saf
ety
Man
agem
ent S
yste
m, i
nc.
Safe
ty M
anag
emen
t Pla
n fo
r in-
serv
ice
phas
e
Aud
it fo
r con
form
ance
to st
anda
rds.
Aud
it re
port.
IPT
Page
61
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
MoD
’s sa
fety
org
anis
atio
nA
ttend
safe
ty c
omm
ittee
to d
iscu
ss in
-ser
vice
safe
tyis
sues
from
DR
AC
AS,
rais
e an
d di
scus
s saf
ety
issu
es,
com
men
t on
upda
tes t
o sa
fety
cas
e an
d su
ppor
ting
docu
men
ts a
nd a
naly
ses,
agre
e co
ntin
ued
tole
rabi
lity
ofris
ks.
—Sa
fety
com
mitt
ee m
embe
rs
Safe
ty c
laim
: Con
trac
tor’
s saf
ety
man
agem
ent i
s ade
quat
e
Con
tract
or’s
com
bine
d SE
MS
Aud
it fo
r con
form
ance
to st
anda
rds.
Aud
it re
port.
IPT,
con
tract
or
Con
tract
or’s
safe
ty m
anag
emen
t pla
nR
evie
w fo
r con
form
ance
to st
anda
rds.
Doc
umen
ted
revi
ew.
IPT,
con
tract
or
Org
anis
atio
nal i
nter
face
sIS
A w
ork
item
IPT
Prod
uce
plan
s and
repo
rts li
sted
in S
ectio
n 9.
1.
Supp
ly g
ener
ic a
dvic
e.
Atte
nd a
d-ho
c m
eetin
gs a
nd re
spon
d to
gen
eral
que
ries.
Con
tract
orIn
terf
ace
as d
escr
ibed
in S
ectio
n 6.
2.
Des
ign
Aut
horit
y (w
hen
not I
PT o
rco
ntra
ctor
)In
terf
ace
as d
escr
ibed
in S
ectio
n 6.
6.
Cus
tom
er o
rgan
isat
ions
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.3.
SMO
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.4.
Page
62
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Org
anis
atio
nal i
nter
face
sIS
A w
ork
item
Reg
ulat
ory/
certi
ficat
ion
bodi
es (w
here
appl
icab
le)
Inte
rfac
e as
des
crib
ed in
Sec
tion
6.5.
Page
63
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
9.4
Var
iatio
n w
ith m
atur
ity o
f con
trac
tor’
s com
bine
d SE
MS
1)
The
maj
or e
ffec
t of a
n im
mat
ure
cont
ract
or’s
com
bine
d SE
MS
or p
oor s
afet
y cu
lture
is th
at th
e IS
A w
ork
item
s lis
ted
abov
e w
ill ta
ke lo
nger
toco
mpl
ete,
rath
er th
an th
at n
ew w
ork
item
s will
be
requ
ired.
Are
as th
at h
ave
been
foun
d to
be
gene
rally
pro
blem
atic
are
:
• Th
e sa
fety
arg
umen
t is i
mpl
icit
rath
er th
an e
xplic
it, a
nd p
oorly
stru
ctur
ed. T
he IS
A th
en h
as to
par
ticip
ate
in m
ore
docu
men
t rev
iew
cyc
les,
espe
cial
ly fo
r the
safe
ty c
ase
repo
rt, a
nd a
lso
has t
o pr
ovid
e ge
neric
gui
danc
e on
app
licab
le st
anda
rds a
nd a
ccep
tabl
e sa
fety
arg
umen
ts.
• To
lera
bilit
y of
risk
is in
cons
iste
nt w
ith c
ompa
rabl
e pr
ojec
ts. T
his i
nvol
ves t
he IS
A in
add
ition
al w
ork
nego
tiatin
g ch
ange
s in
the
tole
rabi
lity
crite
ria.
• Te
chni
cal a
spec
ts o
f the
safe
ty a
naly
sis a
re p
oorly
don
e. P
artic
ular
pro
blem
s are
con
fusi
on b
etw
een
haza
rds a
nd a
ccid
ents
, jud
gem
ents
of
ALA
RP,
and
com
plet
enes
s of h
azar
d an
alys
is. T
his i
nvol
ves t
he IS
A in
mor
e do
cum
ent r
evie
w c
ycle
s and
det
aile
d an
alys
is o
f iss
ues s
uch
asso
ftwar
e re
liabi
lity.
9.5
Var
iatio
n w
ith sa
fety
inte
grity
requ
irem
ents
1)
The
ISA
role
will
be
prop
ortio
nate
ly m
ore
exte
nsiv
e fo
r hig
h sa
fety
inte
grity
syst
ems.
This
is b
ecau
se th
e sa
fety
arg
umen
t will
be
mor
e in
volv
ed,
with
eac
h cl
aim
typi
cally
bei
ng su
ppor
ted
by se
vera
l div
erse
form
s of e
vide
nce.
For
exa
mpl
e, v
ery
high
inte
grity
avi
onic
s sof
twar
e w
ould
nor
mal
lyha
ve it
s saf
ety
clai
m fo
r cor
rect
ness
of d
ata
and
com
man
ds su
ppor
ted
by a
naly
sis,
exte
nsiv
e te
stin
g an
d pr
oces
s evi
denc
e. O
n th
e ot
her h
and,
a lo
win
tegr
ity c
omm
and
and
cont
rol s
yste
m m
ight
rely
on
a sm
alle
r am
ount
of t
estin
g pl
us p
roce
ss e
vide
nce.
2)
The
ISA
wor
k ite
ms c
anno
t be
accu
rate
ly sc
oped
unt
il th
e sa
fety
arg
umen
t is c
lear
and
ther
efor
e it
is h
ighl
y de
sira
ble
for t
ende
rers
’ saf
ety
subm
issi
ons t
o in
clud
e an
out
line
of th
e sa
fety
arg
umen
t.
3)
Add
ition
al IS
A w
ork
item
s for
hig
h sa
fety
inte
grity
syst
ems t
ypic
ally
incl
ude:
Page
64
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Subc
laim
: Equ
ipm
ent m
eets
safe
ty re
quir
emen
ts fo
r dat
a an
d co
mm
ands
Softw
are
stat
ic a
naly
sis o
r pro
ofTe
chni
cal r
evie
w.
Poss
ibly
sele
cted
div
erse
ana
lyse
s.
Doc
umen
ted
revi
ew/
wor
king
pap
er.
IPT,
con
tract
or
Aut
omat
ed te
stin
gTe
chni
cal r
evie
w o
f tes
t rep
ort.
Che
ck c
over
age
and
real
ism
.
Doc
umen
ted
revi
ew/
wor
king
pap
er.
IPT,
con
tract
or
Hig
h qu
ality
dev
elop
men
t pro
cess
Aud
it fo
r con
form
ance
to st
anda
rds.
Che
ck e
vide
nce
for e
ffec
tiven
ess.
Doc
umen
ted
revi
ew/
wor
king
pap
er.
IPT,
con
tract
or
Faul
t tol
eran
t or f
ail s
afe
desi
gnTe
chni
cal r
evie
w o
f des
ign
desc
riptio
n.
Che
ck e
vide
nce
for e
ffec
tiven
ess a
nd c
over
age.
Doc
umen
ted
revi
ew/
wor
king
pap
er.
IPT,
con
tract
or
Safe
ty m
onito
r pro
vide
d fo
r CO
TS it
ems
Ana
lyse
for c
over
age
of fa
ilure
mod
es.
Doc
umen
ted
revi
ew/
wor
king
pap
er.
IPT,
con
tract
or
Har
dwar
e m
anuf
actu
ring
proc
ess
Aud
it fo
r cor
resp
onde
nce
betw
een
hard
war
e ite
ms a
ndde
sign
.D
ocum
ente
d re
view
/w
orki
ng p
aper
.IP
T, c
ontra
ctor
9.6
Oth
er p
rocu
rem
ent m
odel
s
1)
The
basi
c sa
fety
arg
umen
t illu
stra
ted
in A
ppen
dix
A is
the
sam
e fo
r all
proc
urem
ent m
odel
s. H
owev
er, t
he e
vide
nce
is li
kely
to b
e di
ffer
ent f
orot
her p
rocu
rem
ent m
odel
s suc
h as
fore
ign
proc
urem
ent,
espe
cial
ly w
here
it su
ppor
ts th
e sa
fety
arg
umen
t for
dev
elop
men
t. A
lso,
for s
uch
proc
urem
ents
,
Page
65
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
it m
ay n
ot b
e po
ssib
le to
neg
otia
te th
e sa
me
degr
ee o
f ISA
acc
ess a
s for
a b
espo
ke d
evel
opm
ent.
The
safe
ty c
ase
for t
he sy
stem
shou
ld e
xpla
in h
ow th
edi
ffer
ent t
ypes
of e
vide
nce
adeq
uate
ly su
ppor
t the
safe
ty c
laim
s.
2)
Poss
ible
pro
cure
men
t mod
els a
re:
• Fo
reig
n pr
ocur
emen
t—Th
e em
phas
is w
ill b
e on
issu
es o
f tra
nsla
tion
of th
e sa
fety
arg
umen
t to
the
UK
regi
me.
• Jo
int p
rocu
rem
ent—
Ther
e w
ill b
e in
tera
ctio
ns w
ith th
e ot
her p
rocu
ring
auth
oriti
es w
ho m
ay h
ave
thei
r ow
n pa
rticu
lar c
once
rns,
in o
rder
topl
ace
a si
ngle
set o
f dem
ands
on
the
cont
ract
or. T
his m
ay st
art a
t an
early
pha
se: “
safe
ty re
quire
men
ts c
aptu
red
and
valid
ated
”.
• PP
P/PF
I—Th
e sa
fety
arg
umen
t is b
asic
ally
una
ffec
ted
in th
is ty
pe o
f pro
cure
men
t. If
a sy
stem
is b
eing
pro
cure
d, th
e co
ntra
ctor
dev
elop
s the
syst
em a
nd th
en le
ases
it to
the
Cus
tom
er ra
ther
than
tran
sfer
ring
it ou
trigh
t, bu
t the
con
tract
or sh
ould
pro
vide
a sa
fety
cas
e as
in th
e ba
sic
proc
urem
ent m
odel
. If a
serv
ice
(e.g
. tra
inin
g) is
bei
ng p
rovi
ded,
the
cont
ract
or sh
ould
pro
duce
a sa
fety
cas
e co
verin
g bu
ildin
gs, e
quip
men
tan
d pr
oced
ures
; dep
endi
ng o
n th
e sp
ecifi
c si
tuat
ion,
this
may
be
the
sam
e as
for a
bas
ic p
rocu
rem
ent o
r for
a le
gacy
syst
em.
• O
ff-th
e-sh
elf-
syst
ems—
This
is a
n ex
trem
e ex
ampl
e of
CO
TS c
ompo
nent
s.
3)
In th
ese
othe
r pro
cure
men
t mod
els,
the
ISA
wor
k ite
ms f
or d
evel
opm
ent m
ay in
clud
e th
e fo
llow
ing:
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Gen
eral
item
s (re
ferr
ing
to a
ny/a
ll in
divi
dual
cla
ims)
Safe
ty c
ase
repo
rtR
evie
w re
port
for c
orre
ctne
ss, c
ompl
eten
ess,
cons
iste
ncy,
con
form
ance
to st
anda
rds a
nd le
gisl
atio
n.D
ocum
ente
d re
view
.IP
T, c
ontra
ctor
Sam
ples
of e
vide
nce
Div
erse
ana
lysi
s, w
itnes
sing
, int
ervi
ewin
g, tr
acea
bilit
ych
ecks
, ver
tical
slic
es a
nd in
spec
tion
at th
e di
scre
tion
ofth
e IS
A, b
ut li
mite
d by
the
cont
ract
ual a
rran
gem
ents
for
acce
ss.
Res
ults
doc
umen
ted
inw
orki
ng p
aper
s or I
SAR
epor
t
IPT,
con
tract
or, S
MO
(ISA
Rep
ort o
nly)
whe
reap
plic
able
Page
66
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Safe
ty c
laim
: Equ
ipm
ent m
eets
safe
ty a
nd e
nvir
onm
enta
l req
uire
men
ts
Safe
ty a
naly
sis a
dequ
ate
Rev
iew
of d
evel
opm
ent s
tand
ards
for c
ompl
ianc
e w
ithU
K, E
urop
ean
and
inte
rnat
iona
l reg
ulat
ions
app
licab
le in
the
UK
. Rev
iew
any
act
iviti
es u
nder
take
n to
mak
e up
shor
tfalls
.
Rev
iew
per
sonn
el c
ompe
tenc
e.
Doc
umen
ted
repo
rts.
IPT,
con
tract
or
ALA
RP
asse
ssm
ent
Che
ck a
rgum
ents
for c
ompl
ianc
e w
ith re
leva
nt st
anda
rds
and
HSE
gui
danc
e.In
clud
ed in
doc
umen
tre
view
s or I
SA R
epor
t.IP
T, c
ontra
ctor
, SM
O (I
SAR
epor
t onl
y) w
here
appl
icab
le
Subc
laim
: Equ
ipm
ent m
eets
occ
upat
iona
l saf
ety
requ
irem
ents
Occ
upat
iona
l des
ign
stan
dard
sR
evie
w o
f des
ign
stan
dard
s for
com
plia
nce
with
UK
,Eu
rope
an a
nd in
tern
atio
nal r
egul
atio
ns a
pplic
able
in th
eU
K. R
evie
w a
ny a
ctiv
ities
und
erta
ken
to m
ake
upsh
ortfa
lls.
Incl
uded
in d
ocum
ent
revi
ews o
r ISA
Rep
ort.
IPT,
con
tract
or, S
MO
(ISA
Rep
ort o
nly)
whe
reap
plic
able
OH
HA
and
OSH
AR
evie
w fo
r com
plia
nce
with
UK
, Eur
opea
n an
din
tern
atio
nal r
egul
atio
ns a
pplic
able
in th
e U
K. R
evie
wan
y ac
tiviti
es u
nder
take
n to
mak
e up
shor
tfalls
. Rev
iew
activ
ities
to m
ake
up sh
ortfa
lls.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Page
67
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Subc
laim
: Equ
ipm
ent m
eets
env
iron
men
tal r
equi
rem
ents
Envi
ronm
enta
l im
pact
ana
lysi
sR
evie
w o
f env
ironm
enta
l sta
ndar
ds fo
r com
plia
nce
with
UK
, Eur
opea
n an
d in
tern
atio
nal r
egul
atio
ns a
pplic
able
inth
e U
K. R
evie
w a
ny a
ctiv
ities
und
erta
ken
to m
ake
upsh
ortfa
lls. R
evie
w a
ctiv
ities
to m
ake
up sh
ortfa
lls.
Rev
iew
repo
rt.
Doc
umen
ted
revi
ew.
Aud
it re
port.
IPT,
con
tract
or
Subc
laim
: Equ
ipm
ent m
eets
safe
ty re
quir
emen
ts fo
r dat
a an
d co
mm
ands
Har
dwar
e sa
fety
ana
lyse
sR
evie
w h
ardw
are
deve
lopm
ent p
lans
and
stan
dard
sag
ains
t UK
, Eur
opea
n an
d in
tern
atio
nal r
egul
atio
nsap
plic
able
in th
e U
K. R
evie
w a
ny a
ctiv
ities
und
erta
ken
to m
ake
up sh
ortfa
lls.
Che
ck a
naly
ses f
or a
pplic
abili
ty a
nd c
orre
ctne
ss.
Poss
ibly
car
ry o
ut d
iver
se a
naly
ses,
e.g.
relia
bilit
ym
odel
ling,
CO
TS h
ardw
are
relia
bilit
y.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n di
vers
ean
alys
es.
IPT,
con
tract
or
Softw
are
safe
ty a
naly
ses
Rev
iew
softw
are
deve
lopm
ent p
lans
and
stan
dard
sag
ains
t UK
, Eur
opea
n an
d in
tern
atio
nal r
egul
atio
nsap
plic
able
in th
e U
K. R
evie
w a
ny a
ctiv
ities
und
erta
ken
to m
ake
up sh
ortfa
lls.
Che
ck a
naly
ses f
or a
pplic
abili
ty a
nd c
orre
ctne
ss.
Poss
ibly
car
ry o
ut d
iver
se a
naly
ses,
e.g.
relia
bilit
ygr
owth
mod
ellin
g, C
OTS
softw
are
relia
bilit
y.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n di
vers
ean
alys
es.
IPT,
con
tract
or
Page
68
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Safe
ty e
vide
nce
ISA
wor
k ite
mIS
A o
utpu
t/del
iver
able
Cus
tom
er/b
enef
icia
ry
Hum
an fa
ctor
s ana
lyse
sA
udit
hum
an fa
ctor
s wor
ksho
ps e
tc. t
o ch
eck
cond
ucte
din
acc
orda
nce
with
stan
dard
s and
goo
d pr
actic
e.
Rev
iew
repo
rt fo
r cor
rect
ness
, com
plet
enes
s,co
nsis
tenc
y, c
onfo
rman
ce to
stan
dard
s and
legi
slat
ion.
Poss
ibly
car
ry o
ut d
iver
se a
naly
sis o
f HC
I for
safe
ty.
Doc
umen
ted
revi
ew.
Aud
it re
port.
Wor
king
pap
ers o
n di
vers
ean
alys
es.
IPT,
con
tract
or
Page
69
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
App
endi
x A
Saf
ety
argu
men
t ove
r th
e lif
ecyc
le
1)
The
diag
ram
s on
the
follo
win
g pa
ges i
llust
rate
a ty
pica
l, co
mpl
ex sa
fety
arg
umen
t in
term
s of s
afet
y cl
aim
s (bl
ue o
vals
) and
evi
denc
e (p
urpl
ere
ctan
gles
). Fo
r “sy
stem
s of s
yste
ms”
, som
e of
the
evid
ence
will
be
cont
aine
d in
subs
idia
ry sa
fety
cas
es.
2)
The
Dis
posa
l Pha
se is
om
itted
for c
larit
y. It
is b
est t
reat
ed a
s a sm
all s
epar
ate
proj
ect,
build
ing
on th
e di
spos
al a
spec
ts o
f mai
n sa
fety
cas
e.
3)
The
term
SEM
S is
use
d in
the
diag
ram
s to
refe
r to
the
rele
vant
Saf
ety
Man
agem
ent a
nd E
nviro
nmen
tal M
anag
emen
t Sys
tem
s or w
here
app
ropr
iate
the
com
bine
d SE
MS.
4)
The
dia
gram
is r
epea
ted
for
each
life
cycl
e ph
ase
with
the
sect
ions
that
req
uire
ISA
ass
essm
ent s
hade
d. T
he d
iagr
am fo
r th
e In
-ser
vice
phas
e do
es n
ot c
over
new
dev
elop
men
t wor
k; th
e IS
A a
ctiv
ities
in th
at in
stan
ce a
re sh
own
in th
e M
anuf
actu
re P
hase
dia
gram
.
Page
70
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Occ
upational
des
ign s
tandar
ds
Con
trol so
ftw
are
safe
ty a
naly
sis
Saf
ety
soft
ware
analy
sis
Pre
requis
ites
Equip
men
tm
eets
occ
upational
safe
tyre
quir
emen
ts
Hum
an f
act
ors
are
addre
ssed
Har
dw
are
is
safe
Des
ign f
or
occ
upational
safe
ty
The
equip
men
t is
adeq
uate
ly s
afe
and o
fadeq
uate
ly low
danger
to t
he
envi
ronm
ent,
in t
he
oper
ating c
onte
xtdef
ined
by
the
ass
um
ptions
and if
the
pre
requis
ites
are
met
, to
pro
vide
the
def
ined
cap
abili
ty
Sys
tem
&en
viro
nm
ent
des
crip
tion
Saf
ety
&en
viro
nm
enta
lcr
iter
ia
Saf
ety
&en
viro
nm
enta
lre
quir
emen
tsanaly
sis
Con
tract
ual
safe
ty &
envi
ronm
enta
lre
quir
emen
ts
Equip
men
t m
eets
safe
ty &
envi
ronm
enta
l re
quir
emen
ts
Envi
ronm
enta
lim
pac
t an
alys
is
Saf
ety
& e
nvi
ronm
enta
lre
quir
emen
ts c
orre
ctly
captu
red a
nd v
alid
ate
d
Equip
men
tm
eets
envi
ronm
enta
lre
quir
emen
ts
Equip
men
t m
eets
dat
a &
com
mand
requir
emen
ts
Con
tract
or's
SEM
Sis
adeq
uate
Saf
ety
analy
sis
adeq
uate
Hum
an f
act
ors
analy
sis
Har
dw
are
safe
tyanaly
sis
Appro
pri
ate
SEM
S a
nd
culture
of
safe
wor
king a
rein
pla
ce
IPT's
SEM
SC
ontr
act
or's
SEM
SIn
dep
enden
tSaf
ety
Audit
IPT's
SEM
Sis
adeq
uat
e
Oper
ating A
uth
ority'
sSEM
Sis
adeq
uat
e
FRAC
AS
Ass
um
ptions
ALA
RP
ass
essm
ent
Occ
upational
safe
ty a
naly
sis
Sof
tware
is
safe
Con
cept
pha
se
Page
71
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Occ
upat
ional
des
ign s
tandard
sC
ontr
ol so
ftw
are
safe
ty a
nal
ysis
Saf
ety
soft
ware
analy
sis
Pre
requis
ites
Equip
men
tm
eets
occ
upational
safe
tyre
quir
emen
ts
Hum
an f
act
ors
are
addre
ssed
Har
dw
are
is
safe
Des
ign f
or
occ
upational
safe
ty
The
equip
men
t is
adeq
uate
ly s
afe
and o
fadeq
uat
ely
low
danger
to t
he
envi
ronm
ent,
in t
he
oper
ating c
onte
xtdef
ined
by
the
ass
um
ptions
and if
the
pre
requis
ites
are
met
, to
pro
vide
the
def
ined
cap
abili
ty
Sys
tem
&en
viro
nm
ent
des
crip
tion
Saf
ety
&en
viro
nm
enta
lcr
iter
ia
Saf
ety
&en
viro
nm
enta
lre
quir
emen
tsanaly
sis
Con
tract
ual
safe
ty &
envi
ronm
enta
lre
quir
emen
ts
Equip
men
t m
eets
saf
ety
&en
viro
nm
enta
l re
quir
emen
ts
Envi
ronm
enta
lim
pac
t an
alys
is
Saf
ety
& e
nvi
ronm
enta
lre
quir
emen
ts c
orr
ectly
captu
red a
nd v
alid
ate
d
Equip
men
tm
eets
envi
ronm
enta
lre
quir
emen
ts
Equip
men
t m
eets
dat
a &
com
mand
requir
emen
ts
Con
tract
or's
SEM
Sis
adeq
uat
e
Saf
ety
analy
sis
adeq
uat
e
Hum
an f
act
ors
analy
sis
Har
dw
are
safe
tyanaly
sis
Appro
pri
ate
SEM
S a
nd
culture
of
safe
wor
king a
rein
pla
ce
IPT's
SEM
SC
ontr
act
or's
SEM
SIn
dep
enden
tSaf
ety
Audit
IPT's
SEM
Sis
adeq
uat
e
Oper
ating A
uth
ority'
sSEM
Sis
adeq
uat
e
FRAC
AS
Ass
um
ption
s
ALA
RP
ass
essm
ent
Occ
upat
ional
safe
ty a
nal
ysis
Sof
tware
is
safe
Ass
essm
ent p
hase
Page
72
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Occ
upat
ional
des
ign s
tandard
sC
ontr
ol so
ftw
are
safe
ty a
nal
ysis
Saf
ety
soft
ware
analy
sis
Pre
requis
ites
Equip
men
tm
eets
occ
upational
safe
tyre
quir
emen
ts
Hum
an f
act
ors
are
addre
ssed
Har
dw
are
is
safe
Des
ign f
or
occ
upational
safe
ty
The
equip
men
t is
adeq
uate
ly s
afe
and o
fadeq
uat
ely
low
danger
to t
he
envi
ronm
ent,
in t
he
oper
ating c
onte
xtdef
ined
by
the
ass
um
ptions
and if
the
pre
requis
ites
are
met
, to
pro
vide
the
def
ined
cap
abili
ty
Sys
tem
&en
viro
nm
ent
des
crip
tion
Saf
ety
&en
viro
nm
enta
lcr
iter
ia
Saf
ety
&en
viro
nm
enta
lre
quir
emen
tsanaly
sis
Con
tract
ual
safe
ty &
envi
ronm
enta
lre
quir
emen
ts
Equip
men
t m
eets
saf
ety
&en
viro
nm
enta
l re
quir
emen
ts
Envi
ronm
enta
lim
pac
t an
alys
is
Saf
ety
& e
nvi
ronm
enta
lre
quir
emen
ts c
orr
ectly
captu
red a
nd v
alid
ate
d
Equip
men
tm
eets
envi
ronm
enta
lre
quir
emen
ts
Equip
men
t m
eets
dat
a &
com
mand
requir
emen
ts
Con
tract
or's
SEM
Sis
adeq
uat
e
Saf
ety
analy
sis
adeq
uat
e
Hum
an f
act
ors
analy
sis
Har
dw
are
safe
tyanaly
sis
Appro
pri
ate
SEM
S a
nd
culture
of
safe
wor
king a
rein
pla
ce
IPT's
SEM
SC
ontr
act
or's
SEM
SIn
dep
enden
tSaf
ety
Audit
IPT's
SEM
Sis
adeq
uat
e
Oper
ating A
uth
ority'
sSEM
Sis
adeq
uat
e
FRAC
AS
Ass
um
ption
s
ALA
RP
ass
essm
ent
Occ
upat
ional
safe
ty a
nal
ysis
Sof
tware
is
safe
Dem
onst
ratio
n ph
ase
Page
73
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Occ
upat
ional
des
ign s
tandar
ds
Con
trol so
ftw
are
safe
ty a
naly
sis
Saf
ety
soft
ware
analy
sis
Pre
requis
ites
Equip
men
tm
eets
occ
upational
safe
tyre
quir
emen
ts
Hum
an f
act
ors
are
addre
ssed
Har
dw
are
is
safe
Des
ign f
or
occ
upational
safe
ty
The
equip
men
t is
adeq
uate
ly s
afe
and o
fadeq
uat
ely
low
danger
to t
he
envi
ronm
ent,
in t
he
oper
ating c
onte
xtdef
ined
by
the
ass
um
ptions
and if
the
pre
requis
ites
are
met
, to
pro
vide
the
def
ined
cap
abili
ty
Sys
tem
&en
viro
nm
ent
des
crip
tion
Saf
ety
&en
viro
nm
enta
lcr
iter
ia
Saf
ety
&en
viro
nm
enta
lre
quir
emen
tsanaly
sis
Con
tract
ual
safe
ty &
envi
ronm
enta
lre
quir
emen
ts
Equip
men
t m
eets
safe
ty &
envi
ronm
enta
l re
quir
emen
ts
Envi
ronm
enta
lim
pac
t an
alys
is
Saf
ety
& e
nvi
ronm
enta
lre
quir
emen
ts c
orre
ctly
captu
red a
nd v
alid
ate
d
Equip
men
tm
eets
envi
ronm
enta
lre
quir
emen
ts
Equip
men
t m
eets
dat
a &
com
mand
requir
emen
ts
Con
tract
or's
SEM
Sis
adeq
uat
e
Saf
ety
analy
sis
adeq
uat
e
Hum
an f
act
ors
analy
sis
Har
dw
are
safe
tyanaly
sis
Appro
pri
ate
SEM
S a
nd
culture
of
safe
wor
king a
rein
pla
ce
IPT's
SEM
SC
ontr
act
or's
SEM
SIn
dep
enden
tSaf
ety
Audit
IPT's
SEM
Sis
adeq
uat
e
Oper
ating A
uth
ority'
sSEM
Sis
adeq
uat
e
FRAC
AS
Ass
um
ptions
ALA
RP
ass
essm
ent
Occ
upat
ional
safe
ty a
naly
sis
Sof
tware
is
safe
Man
ufac
ture
pha
se
Page
74
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004
Occ
upat
ional
des
ign s
tandar
ds
Con
trol so
ftw
are
safe
ty a
naly
sis
Saf
ety
soft
ware
analy
sis
Pre
requis
ites
Equip
men
tm
eets
occ
upational
safe
tyre
quir
emen
ts
Hum
an f
act
ors
are
addre
ssed
Har
dw
are
is
safe
Des
ign f
or
occ
upational
safe
ty
The
equip
men
t is
adeq
uate
ly s
afe
and o
fadeq
uat
ely
low
danger
to t
he
envi
ronm
ent,
in t
he
oper
ating c
onte
xtdef
ined
by
the
ass
um
ptions
and if
the
pre
requis
ites
are
met
, to
pro
vide
the
def
ined
cap
abili
ty
Sys
tem
&en
viro
nm
ent
des
crip
tion
Saf
ety
&en
viro
nm
enta
lcr
iter
ia
Saf
ety
&en
viro
nm
enta
lre
quir
emen
tsanaly
sis
Con
tract
ual
safe
ty &
envi
ronm
enta
lre
quir
emen
ts
Equip
men
t m
eets
safe
ty &
envi
ronm
enta
l re
quir
emen
ts
Envi
ronm
enta
lim
pac
t an
alys
is
Saf
ety
& e
nvi
ronm
enta
lre
quir
emen
ts c
orre
ctly
captu
red a
nd v
alid
ate
d
Equip
men
tm
eets
envi
ronm
enta
lre
quir
emen
ts
Equip
men
t m
eets
dat
a &
com
mand
requir
emen
ts
Con
tract
or's
SEM
Sis
adeq
uat
e
Saf
ety
analy
sis
adeq
uat
e
Hum
an f
act
ors
analy
sis
Har
dw
are
safe
tyanaly
sis
Appro
pri
ate
SEM
S a
nd
culture
of
safe
wor
king a
rein
pla
ce
IPT's
SEM
SC
ontr
act
or's
SEM
SIn
dep
enden
tSaf
ety
Audit
IPT's
SEM
Sis
adeq
uat
e
Oper
ating A
uth
ority'
sSEM
Sis
adeq
uat
e
FRAC
AS
Ass
um
ptions
ALA
RP
ass
essm
ent
Occ
upat
ional
safe
ty a
naly
sis
Sof
tware
is
safe
In-s
ervi
ce p
hase
Page
75
of 7
5
Vers
ion
1.0
date
d 1 Ju
ne, 2
004