Safety and Security Certification Management Plan Rev...


SAFETY AND SECURITY CERTIFICATION PLAN

REVISION 4.0, NOVEMBER 25, 2015

HONOLULU AUTHORITY for RAPID TRANSPORTATION

ar es S. Carnaggi, HART Project Director, Responsible Manager

Date

David Leachman, Document Preparer

Date: 11/25/15

Quality Assurance and


Revisions

Necessary modifications to this document will be made to conform to evolving project needs. As major revisions occur, the entire manual will be reproduced, bound, and distributed, and prior versions of the manual shall be destroyed. For minor revisions, only the affected pages will be issued. All minor revisions will be dated and signed by the HART Chief Safety and Security Officer or the HART Project Director, and previous minor revisions of the document shall be destroyed.

CHANGE HISTORY

| Revision | Date | Section(s) | Description |
|---|---|---|---|
| 0.0 | 04/01/2010 | | Initial Issue |
| 1.0 | 06/01/2011 | | Submission to FTA for entry into FD |
| 2.0 | 05/09/2012 | | Submission to FTA for FFGA |
| 3.0 | 10/23/2013 | | Annual Update to include the new HART document format and other minor edits |
| 4.0 | 11/25/2015 | All | Annual Update to reflect the current status of the Project, address comments from PMOC and HDOT, and reflect changes to the certification process |


Table of Contents

1 Overview
  1.1 Introduction
  1.2 Purpose
  1.3 Definitions
  1.4 Scope
  1.5 Goals
  1.6 Objectives
  1.7 SSCP Review and Updates
  1.8 References
2 Project Management and Responsibilities
  2.1 Project Team
  2.2 HART Program Management
    2.2.1 HART Executive Director and Chief Executive Officer (ED-CEO)
    2.2.2 HART Chief Safety and Security Officer (CSSO)
    2.2.3 HART Safety and Security Certification Manager (SSCM)
    2.2.4 HART System Safety and Security Engineers (SSSEs)
  2.3 Project Consultants
    2.3.1 Program Management Support Consultant (PMSC)
    2.3.2 Safety and Security Services Consultant (SSSC)
  2.4 Project Contractors
    2.4.1 CSC Safety and Security Manager (SSM)
  2.5 Executive Safety and Security Committee (ESSC)
  2.6 Safety and Security Review Committee (SSRC)
  2.7 Fire/Life-Safety Working Group (FLSWG)
  2.8 Safety and Security Certification Working Group (SSCWG)
  2.9 Operational Readiness Working Group (ORWG)
  2.10 Rail Activation Committee (RAC)
  2.11 State Safety Oversight (SSO)
  2.12 Safety and Security Certification Schedule
3 Certification Process and Procedures
  3.1 Safety and Security Certification Methodology
    3.1.1 Safety and Security Review Committee Preparation Process
  3.2 Grand Opening and Extensions
  3.3 Steps in the Safety and Security Certification Process
    3.3.1 Step 1 – Identify Certifiable Elements and Items
    3.3.2 Step 2 – Perform Hazard Analyses and Threat and Vulnerability Assessments and Develop Safety and Security Design Criteria
    3.3.3 Step 3 – Develop and Complete Design Criteria Conformance Checklist
    3.3.4 Step 4 – Perform Construction Specification Conformance


    3.3.5 Step 5 – Identify Additional Safety and Security Test Requirements
    3.3.6 Step 6 – Monitor and Verify Testing and Validation in Support of the SSC Program
    3.3.7 Step 7 – Monitor and Verify Systems Integration Tests
    3.3.8 Step 8 – Manage Open Items in the SSC Program
    3.3.9 Step 9 – Verify Start-up, PRO Conformance, and Operational Readiness
    3.3.10 Step 10 – Conduct Final Determination of Project Readiness and Issue Safety and Security Certification
4 Safety Hazard and Security Vulnerability Management
  4.1 Safety Hazard Management
  4.2 Security Threat and Vulnerability Management
  4.3 Hazards and Vulnerabilities Tracking
  4.4 Hazard and Vulnerability Resolution Verification
5 Audits
  5.1 Periodic Safety and Security Certification Audits
6 Documentation
  6.1 Verification Documentation
  6.2 Configuration Control Group (CFCG)
7 Reporting Requirements
  7.1 Monthly Reporting
  7.2 Safety and Security Certification Verification Report

Figures

Figure 3-1: Design Criteria Conformance Checklist Process Overview
Figure 3-2: Design Criteria Conformance Checklist Process Flowchart
Figure 3-3: Detailed Certification Process Flowchart

Appendices

Appendix A: HRTP Certifiable Elements List (CEL)
Appendix B: Safety and Security Certification Checklists
  Exhibit B-1: Design Criteria Conformance Checklist Example
  Exhibit B-2: Design Criteria Conformance Checklist Instructions
  Exhibit B-3: Construction Specification Conformance Checklist Example
  Exhibit B-4: Specification and Testing Conformance Checklist Example
  Exhibit B-5: Operational Readiness Conformance Checklist Example
Appendix C: Open Items List Report


Appendix D: Hazard Tracking Log
Appendix E: Safety and Security Certification Certificates
  Exhibit E-1: Certifiable Contract Certificate
  Exhibit E-2: Certifiable Element Certificate
  Exhibit E-3: Interim Safety and Security Certificate
  Exhibit E-4: Project Safety and Security Certificate
Appendix F: Safety Hazard and Security Vulnerability Management Process
  Exhibit F-1: Hazard Identification and Resolution Process
  Exhibit F-2: Hazard Severity Categories
  Exhibit F-3: Hazard Probability Levels
  Exhibit F-4: Hazard Risk Assessment Matrix
  Exhibit F-5: Risk Decision Acceptance Criteria
  Exhibit F-6: General Crime Categories
  Exhibit F-7: Scenario Development
  Exhibit F-8: Vulnerability Levels
  Exhibit F-9: Threat Impact Categories
  Exhibit F-10: Security Criticality Matrix
  Exhibit F-11: Security Vulnerability Acceptance Criteria
Appendix G: Safety and Security Certification Worksheets
  Exhibit G-1: Hazard Analysis Worksheet
  Exhibit G-2: Threat and Vulnerability Assessment Worksheet
Appendix H: Safety and Security Certification Progress Reports
  Exhibit H-1: Design Criteria Conformance Checklist Status Report
  Exhibit H-2: Certification Documents Status Report


Acronyms

APO Assistant Project Officer

ATC Automatic Train Control

ATO Automatic Train Operation

ATP Automatic Train Protection

ATS Automatic Train Supervision

BOD Basis of Design

CA Corrective Action

CCTV Closed-circuit Television

CDC Compendium of Design Criteria

CEL Certifiable Elements List

CFCG Configuration Control Group

CFMP Configuration Management Plan

CFR United States Code of Federal Regulations

CIL Certifiable Items List

CMS Contract Management System

COC Certificate of Conformance

CPTED Crime Prevention Through Environmental Design

CSC Core Systems Contractor

CSCC Construction Specification Conformance Checklist

CSOC Core Systems Oversight Consultant

CSSO Chief Safety and Security Officer

DB Design-Build

DBB Design-Bid-Build

DBOM Design-Build-Operate-Maintain

DCCC Design Criteria Conformance Checklist

DEM City and County of Honolulu, Department of Emergency Management

DHS United States Department of Homeland Security

DOT United States Department of Transportation

ED-CEO Executive Director and Chief Executive Officer

EDC Engineering Design Consultant

EIS Environmental Impact Statement

EOP Emergency Operating Procedure

EPP Emergency Preparedness Plan

ESD City and County of Honolulu, Emergency Services Department


ESSC Executive Safety and Security Committee

FD Final Design

FFGA Full Funding Grant Agreement

FLSWG Fire/Life-Safety Working Group

FMECA Failure Modes, Effects, and Criticality Analysis

FTA United States Department of Transportation, Federal Transit Administration

FTAHB FTA Handbook for Transit Safety and Security Certification – Final Report, November 2002

GEC General Engineering Consultant

HA Hazard Analysis

HART Honolulu Authority for Rapid Transportation

HDOT State of Hawaii, Department of Transportation

HFD City and County of Honolulu, Honolulu Fire Department

HPD City and County of Honolulu, Honolulu Police Department

HTL Hazard Tracking Log

HVAC Heating, Ventilation, and Air Conditioning

ITT Integration Test Team

MMIS Maintenance Management Information System

MPS Master Project Schedule

MSF Maintenance and Storage Facility

MTBE Mean Time Between Events

NTSB United States National Transportation Safety Board

O&M Operations and Maintenance

OCC Operations Control Center

OHA Operations Hazard Analysis

OIL Open Items List

OMP Operations and Maintenance Plan

ORR Operational Readiness Review

ORWG Operational Readiness Working Group

PE Preliminary Engineering

PHA Preliminary Hazard Analysis

PMOC Project Management Oversight Contractor

PMSC Program Management Support Consultant

PMP Project Management Plan

POC Point of Contact

PRO Pre-revenue Operations


PTD City and County of Honolulu, Department of Transportation Services, Public Transit Division

QA Quality Assurance

QC Quality Control

RAC Rail Activation Committee

RAP Rail Activation Plan

RFI Request for Information

ROW Right-of-Way

SCADA Supervisory Control and Data Acquisition

SHA System Hazard Analysis

SIT System Integration Testing

SITP System Integration Test Plan

SOP Standard Operating Procedure

SP Special Provisions

SSA Software Safety Analysis

SSC Safety and Security Certification

SSCM Safety and Security Certification Manager

SSCP Safety and Security Certification Plan

SSCVR Safety and Security Certification Verification Report

SSCWG Safety and Security Certification Working Group

SSHA Subsystem Hazard Analysis

SSI Sensitive Security Information

SSM Safety and Security Manager

SSMP Safety and Security Management Plan

SSO State Safety Oversight

SSP System Security Plan

SSPP System Safety Program Plan

SSPS Safety and Security Program Standard

SSRC Safety and Security Review Committee

SSSC Safety and Security Services Consultant

SSSE System Safety and Security Engineer

STCC Specification and Testing Conformance Checklist

TP Technical Provision

TSA United States Department of Homeland Security, Transportation Security Administration

TVA Threat and Vulnerability Assessment


TVM Ticket Vending Machine

UPS Uninterruptible Power Supply

VMS Vehicle Monitoring System

VTA Verification, Testing, and Acceptance

WOFH West Oahu/Farrington Highway Guideway


1 Overview

1.1 Introduction

Federal Transit Administration (FTA) Circular 5800.1, Safety and Security Management Guidance for Major Capital Projects, August 2007, requires grant recipients to develop a Safety and Security Management Plan (SSMP) for major rail capital projects covered by Title 49 of the Code of Federal Regulations (49 CFR) Part 633. Accordingly, the recipient's SSMP must require the Project to achieve safety and security certification prior to its placement into passenger service. This Project Safety and Security Certification Plan (SSCP) fulfills the FTA circular requirement.

Additionally, FTA regulation 49 CFR Part 659, "Rail Fixed Guideway Systems, State Safety Oversight," requires the designation of a State Safety Oversight (SSO) to oversee the rail safety and security programs of all rail transit systems operating in the Agency's state. The Hawaii Department of Transportation (HDOT) has been designated as the SSO for the state of Hawaii. HDOT has developed the required Safety and Security Program Standard (SSPS), the Program Standard for Rail Safety and Security Oversight (PSRSSO), Initial Submission, FINAL, March 2013, in compliance with the FTA regulation.

This SSCP establishes the process for verifying the incorporation of safety and security requirements into the Project's alignment segments, facilities, systems, equipment, and operations. This SSCP is modeled after the concepts contained in the FTA's Handbook for Transit Safety and Security Certification (FTAHB), November 2002, and after other rail transit agencies, but tailored to the specific needs of this Project.

The contract for the West Oahu/Farrington Highway (WOFH) section of the Project required its Contractor, Kiewit Infrastructure West Company (Kiewit), to develop and submit a SSCP to the Honolulu Authority for Rapid Transportation (HART) for approval. The Kiewit Safety and Security Certification Plan – WOFH, Revision 1.0, August 28, 2014, was accepted by the HART Safety and Security Review Committee (SSRC) on October 22, 2014. Per Section 3.1 of the Kiewit SSCP, Kiewit will follow the safety and security certification methodology as described in the FTAHB as well as the most current revision of the HART SSCP.

1.2 Purpose

The purpose of safety and security certification is to assure the system is designed and constructed so that it is acceptably safe and secure for public use prior to revenue operations. Safety and security certification provides traceable verification that:

Design and operational safety hazards and security vulnerabilities are identified, evaluated, and properly controlled or mitigated prior to the commencement of passenger service.

All critical system elements are evaluated for compliance with the identified safety and security requirements during the design, construction/installation, testing, and start-up phases of the Project.


The Project is operationally safe and secure for customers, employees, emergency personnel, and the general public prior to entering passenger service and has the operating rules and procedures in place to assure safe and secure revenue operation.

Safety and security certification provides HART with reasonable assurance that the Project can operate safely and securely and is consistent with accepted industry safety and security practices and standards.

1.3 Definitions

The following definitions apply to the SSCP:

Certifiable Elements – All project elements that can affect the safety and security of transit agency passengers, employees, contractors, emergency responders, or the general public. These elements define the scope of a project's certification effort.

Certifiable Items – Items making up the whole of the major element and requiring individual safety and security verification before the major element is verified as safe and secure for use.

Safety – Freedom from unintentional harm.

Safety Critical – A term applied to any condition, event, operation, process, or item whose proper recognition, control, performance, or tolerance is essential to safe system operation and support.

Safety Hazards – Conditions or circumstances that could lead to an unsafe event.

Safety and Security Certification – Series of processes that collectively verify the safety and security readiness of a project for public use.

Safety and Security Certification Plan (SSCP) – The document that describes the process used to verify that safety- and security-related requirements are incorporated into a project, thereby demonstrating that it is operationally ready for passenger service and is safe and secure for passengers, employees, emergency responders, and the general public.

Safety and Security Management Plan (SSMP) – The document prepared by HART as part of the Project Management Plan (PMP) to describe how HART will address safety and security for the Project from initial project planning through initiation into revenue service.

Safety Engineering – Engineering discipline requiring specialized professional knowledge and skills in applying scientific and engineering principles, criteria, and techniques to identify and eliminate hazards in order to reduce the associated risk.


Security – Freedom from intentional harm.

Security Critical – A term applied to any condition, event, operation, process, or item whose proper recognition, control, performance, or tolerance is essential to secure system operation and support.

Security Vulnerabilities – Characteristics of the system that increase the probability of a security incident.

System Safety – Application of engineering and management principles, criteria, and techniques to optimize all aspects of safety within the constraints of operational effectiveness, time and cost throughout all phases of the project life cycle. System safety is also an attribute of a system similar to quality or reliability.

System Safety Program Plan (SSPP) – The document developed by HART and/or its DBOM contractor, and approved by HDOT, describing HART's safety policies, objectives, responsibilities, and procedures while in revenue service.

System Security – Application of operating, technical, and management techniques and principles to the security aspects of a system throughout its life, to reduce threats and vulnerabilities to the most practical level through the most effective use of available resources.

System Security Plan (SSP) – The document developed by HART and/or its DBOM contractor, and approved by HDOT, describing HART's security policies, objectives, responsibilities, and procedures while in revenue service.

1.4 Scope

Safety and security certification is inclusive of the entire Project life cycle and applies to all systems, fixed facility, testing, and procedural elements and subsequent management and engineering activities necessary to verify the safety and security readiness of the Project for public use. The scope of the SSCP encompasses the equipment, systems, facilities, and operating and maintenance plans and procedures for the following:

System Elements, which include the passenger vehicles, contact rail, train control system, voice and data communications, closed-circuit television (CCTV) cameras and recorders, intrusion detection system, traction power facilities, track, automatic fare vending equipment, supervisory control, fire protection and suppression systems, and auxiliary vehicles and equipment.

Fixed Facilities, which include rail stations, parking garages and parking lots, pedestrian overpasses and bridges, rail yards and shops, structures, and the central control facility. Equipment installed in stations and shops—such as heating, ventilation, and air conditioning (HVAC) systems; escalators; elevators; and lighting—is considered part of the facility.


Testing, which includes contractual, system integration, and pre-revenue tests.

Safety, Security, Operational, and Maintenance Plans and Procedures, which include items such as the SSPP, SSP, Emergency Preparedness Plan (EPP), Operations and Maintenance Training Programs, Employee Certification and Qualification, Operating Rule Book, and Standard and Emergency Operating Procedures.

Contractual acceptance and safety and security certification are separate processes and actions. Contractual acceptance does not constitute safety and security certification, and safety and security certification does not imply acceptance with respect to contract performance.

1.5 Goals

The Project's implementation of the safety and security certification process contributes to its ability to achieve and demonstrate an acceptable level of risk through the following:

Systematic approach to safety hazard and security vulnerability management

Compliance with safety and security codes, standards, and industry practices

Safety and security requirements and design criteria adherence and specification compliance

Design, construction, installation, testing, acceptance, and start-up phase verification and review

Verification of adequate personnel training, operating rules, and operating and maintenance procedures for continuing safe and secure revenue operations

1.6 Objectives

Specific objectives that support the above goals include the following:

Identify, assess, and resolve safety and security issues at the earliest possible phase of the Project, and track and document the resulting actions

Develop practical and cost-effective requirements to support the resolution of safety hazards and security vulnerabilities

Assure the appropriate codes, guidelines, and standards are reviewed and applied so as to provide a basis for safety and security considerations in the design criteria

Assure that facilities, systems, and equipment are designed, constructed, built, inspected, and tested in accordance with design criteria and specifications

Assure that system safety, system security, emergency preparedness, operating and maintenance plans and procedures, rule book, and training programs are developed and implemented

Assure that personnel are trained and certified to operate and maintain the facilities, systems, and equipment

Assure that HART personnel and emergency response agencies are trained on the inherent hazards and vulnerabilities of rail transit operations and those that may occur on the operating system

1.7 SSCP Review and Updates

The SSCP will be reviewed by the SSRC and updated in accordance with FTA requirements or as required to reflect the current status of the Project. The HART Chief Safety and Security Officer (CSSO) will assure revisions to the SSCP are reviewed and accepted by the SSRC and the HART Configuration Control Group (CFCG).

1.8 References

U.S. Department of Transportation, Federal Transit Administration, Handbook for Transit Safety and Security Certification, Final Report, November 2002.

U.S. Department of Transportation, Federal Transit Administration, Hazard Analysis Guidelines for Transit Projects, Final Report, January 2000.

U.S. Department of Transportation, Federal Transit Administration, Transit Security Design Considerations, Final Report, November 2004.

U.S. Department of Transportation, Federal Transit Administration, FTA C5800.1, Safety and Security Management Guidance for Major Capital Projects, August 1, 2007.

U.S. Department of Transportation, Federal Transit Administration, 49 CFR Part 659, Rail Fixed Guideway Systems; State Safety Oversight; Final Rule, April 29, 2005.

U.S. Department of Defense, MIL-STD 882D, System Safety Program Requirements, February 10, 2000.

2 Project Management and Responsibilities

2.1 Project Team

Safety and security certification requires a coordinated effort among the entire Project Team. The Core Project Team consists of HART personnel, Project Consultants, and Project Contractors. Additionally, HART continues to coordinate and partner with Federal, State, and Local Agencies and other Project stakeholders as required. HART requires the entire Project Team to fully comply with the requirements of this SSCP.

The Safety and Security Review Committee (SSRC), chaired by the HART CSSO, will oversee safety and security certification activities and assure implementation of the SSCP. Additionally, a Safety and Security Certification Working Group (SSCWG) has been established by the HART CSSO, as a "working group" of the SSRC, to perform detailed certification activities, such as reviewing certifiable item checklists.

2.2 HART Program Management

HART is responsible for assuring the requirements of the SSCP are implemented and that safety and security certification activities have been completed prior to revenue operations. The HART Executive Director and Chief Executive Officer (ED-CEO) has ultimate responsibility for safety and security and has delegated the authority for its management to the CSSO.

2.2.1 HART Executive Director and Chief Executive Officer (ED-CEO)

The HART ED-CEO is responsible for the coordination and integration functions required to assure the achievement of the overall SSCP objectives. The HART ED-CEO assures integration and coordination between HART, Consultants, Contractors, and supporting agency staff. The HART ED-CEO assures that adequate resources are allocated to meet the objectives of the Program and monitors its progress. The HART ED-CEO must review and approve Safety and Security Certification Verification Reports (SSCVRs) prior to any phased system start-up or full revenue operations. The HART ED-CEO, or identified designee, must authorize and sign for all Unacceptable Hazards and/or Vulnerabilities and chair the Executive Safety and Security Committee (ESSC).

2.2.2 HART Chief Safety and Security Officer (CSSO)

The HART CSSO is responsible for the day-to-day management and implementation of the SSCP throughout all phases of the Project life cycle. The HART CSSO responsibilities include but are not limited to the following:

Overseeing the safety and security certification activities of all Project Consultants and Contractors

Chairing the SSRC, Fire/Life Safety Working Group (FLSWG), and the Safety and Security Certification Working Group (SSCWG)

Reviewing, revising, and supporting the development of safety and security design criteria, Certifiable Element and Item Lists, Construction Specification Conformance Checklists, and other safety and security certification documentation

Leading safety and security related design reviews and supporting the development of Operational Readiness Reviews (ORR), emergency drills, test plans, and start-up plans

Assuring the hazard management and Threat and Vulnerability Assessment (TVA) processes, including identification, analysis, and resolution, are implemented over the entire Project life cycle

Overseeing the verification process to assure the closure of identified safety hazards and security vulnerabilities

Monitoring the Open-Items List (OIL) to assure those items are verified for conformance with the design requirements and transferring those safety or security critical hazard issues to the Hazard Tracking Log (HTL)

Participating in and assuring the completion of the review and acceptance process for all safety and security certification documentation submitted by Project Consultants and Contractors

Performing and managing the implementation of safety and security certification audits

Assuring the development, review, and acceptance or approval of safety and security certification documentation required to be completed prior to revenue operations

2.2.3 HART Safety and Security Certification Manager (SSCM)

The HART SSCM reports directly to the HART CSSO. The HART SSCM serves as the primary HART point of contact for safety and security certification and is responsible for management and oversight of Project-wide certification activities. The HART SSCM responsibilities include but are not limited to the following:

Participating as an active member of HART safety and security committees and working groups

Overseeing and supporting coordination, where necessary, of Project Consultant and Contractor completion of safety and security certification activities

Reviewing the SSMP and SSCP, assuring their compliance with FTA requirements

Reporting the status of safety and security certification audit reports assuring the resolution of corrective actions and/or findings

Overseeing Project Consultant and Contractor compliance with safety and security design criteria and notifying the appropriate Project staff of any proposed changes and/or deviations impacting safety and security

Overseeing and providing technical support to Project Consultant and Contractor hazard identification, analysis, and resolution activities and coordination of these activities across multiple contracts as required

Serving on the Rail Activation Committee (RAC) and Integration Test Team (ITT) established for testing and start-up

Participating in and providing safety and security inputs for design reviews, updates, or changes to the design criteria, operational readiness reviews, tabletop exercises and emergency drills, test plans, and start-up plans

Assuring safety and security and emergency preparedness activities required for testing, start-up, and achieving final safety and security certification are completed in accordance with the Project schedule

2.2.4 HART System Safety and Security Engineers (SSSEs)

HART SSSEs report directly to the HART SSCM and/or the HART CSSO and oversee day-to-day safety and security certification activities performed for the Design-Build-Operate-Maintain (DBOM), Design-Build (DB), or Design-Bid-Build (DBB) contracts. HART SSSE responsibilities include but are not limited to the following:

Participating as an active member or resource of HART's safety and security committees and working groups

Overseeing Project Consultant and Contractor completion of safety and security certification activities for respective contracts

Supporting SSCP reviews and updates

Reviewing, revising, and/or developing safety and security analyses

Participating in and providing safety and security inputs for design reviews, updates or changes to the design criteria, operational readiness reviews, tabletop exercises and emergency drills, test plans, and start-up plans

Assuring Project Consultant and Contractor compliance with the requirements of the SSCP

2.3 Project Consultants

HART has retained the services of a Program Management Support Consultant (PMSC) and Safety and Security Services Consultant (SSSC) to carry out specific safety and security certification activities. Other Project Team members are required to implement the requirements of this SSCP in accordance with the scope of their respective contracts.

2.3.1 Program Management Support Consultant (PMSC)

The PMSC provides in-house project management services and functions as an extension of HART's staff. Such services include professional, technical, managerial, and other support services to initiate and complete the Preliminary Engineering (PE)/Environmental Impact Statement (EIS) phase of the Project and initiation of final design and construction. PMSC staff are fully integrated into HART and augment the City positions required for the Project as needed. The HART CSSO and Safety and Security Certification Manager (SSCM) positions are currently filled by the PMSC. Work activities performed by the PMSC are overseen by HART.

2.3.2 Safety and Security Services Consultant (SSSC)

The SSSC, also a Project Consultant, provides construction and system safety and security technical support services to HART. The SSSC began work in May 2014 to perform much of the scope of services previously carried out under the second General Engineering Consultant (GEC 2) contract. The SSSC responsibilities include but are not limited to the following:

Reviewing, revising, and/or updating annually the SSMP and SSCP

Participating in and providing safety and security inputs for design reviews, operational readiness reviews, emergency drills, test plans, and start-up plans

Providing technical review and comment on design criteria and construction specification conformance checklists submitted by contractors

Providing technical support to the Hazard Management Process, including hazard identification, analysis, and resolution

Reviewing, revising, and updating the existing HART Preliminary Hazard Analysis (PHA), Hazard Analysis (HA) and TVA

Providing technical review and comment on safety analyses and security assessments submitted by contractors

Assuring Project Contractors' compliance with the requirements of the SSCP and providing status reports to HART

Preparing Certificates of Conformance for signature by required parties

Preparing SSCVRs for each revenue service opening that occurs within the period of performance of the Consultant's contract

2.4 Project Contractors

HART is supported by Project Contractors who design and construct various elements of the Project. This includes all Project Contractors procured through DB, DBB, or DBOM contracts. A detailed description of the Project's contract procurements can be found in the Project Contract Packaging Plan. Each Project Contractor and their subcontractors are responsible for certifying the safety and security certifiable elements contained in their respective contract. All Project Contractors and Consultants are required to describe their organizational structure, including internal reporting and coordination, with HART, GEC, and other Project entities. All Project Contractors and Consultants have designated, or will designate, a staff member to manage and support the implementation of its required safety and security certification activities. Project Contractors include but are not limited to the following:

Engineering Design Consultants (EDC)

Maintenance and Storage Facility (MSF) Contractor

Guideway Contractor(s)

Utility Contractor(s)

Station Contractor(s)

Core Systems Contractor (CSC)

EDCs provide services to HART for all project elements where final detailed designs are to be used for procuring stations and guideways. The EDCs also provide engineering services during construction for both fixed facilities and system-wide elements. Fixed facilities design includes the design of civil and structural facilities, track-work, utilities, stations, and landscaping. Maintenance and Storage Facility (MSF), Guideway, and Station Contractors have provided, or will provide, engineering and construction services in accordance with their respective contract requirements. The CSC has provided, or will provide, engineering, construction, and system integration testing services for system-wide elements. Project Contractor responsibilities include but are not limited to the following:

Supporting and implementing the safety and security certification process for all identified safety and security certifiable elements

Reviewing, revising, and/or developing safety analysis and security assessments for HART review and acceptance

Supporting the closure of all identified safety hazards and security vulnerabilities

Notifying HART of any proposed changes to safety and security design criteria and requirements

Participating in the SSRC and SSCWG as requested

Participating in and providing safety and security inputs for design reviews, ORRs, emergency drills, test plans, and start-up plans

Developing and completing all safety and security certification documentation including Certifiable Items Lists (CIL), Design Criteria Conformance Checklists (DCCC), and Construction Specification Conformance Checklists (CSCC)

Performing safety and security inspections and tests required for the completion of the CSCC

Requesting variances or exceptions when items cannot be designed or constructed in accordance with the Compendium of Design Criteria (CDC)

Supporting the validation and verification process by supplying supporting documentation as required

2.4.1 CSC Safety and Security Manager (SSM)

The CSC is responsible for the final design, construction and installation, verification, testing, and acceptance of system-wide elements and those interfacing with facility elements. System-wide elements include the traction electrification system, train control system, communications and control systems, platform screen gates, fare vending system, and passenger vehicles. In accordance with the DBOM contract requirements, the CSC will assume operation and maintenance of the completed System. Due to its unique role during testing and start-up, the CSC has additional responsibilities pertaining to safety and security certification.

The CSC SSM is responsible for implementing safety and security related activities. These activities include:

Planning and coordination of safety certification activities to achieve acceptable safety and security levels prior to the start of revenue service

Interfacing among the HART Safety and Security Combined Organization for the approval of safety certification documentation

Participating in the audits of the certification process

2.5 Executive Safety and Security Committee (ESSC)

In the event that safety and security issues cannot be resolved at the SSRC level, they are elevated to the Executive Safety and Security Committee (ESSC) for resolution. The ESSC is chaired by the HART ED-CEO and co-chaired by the HART CSSO. ESSC meetings are convened when the SSRC cannot reach concurrence or as requested by the HART ED-CEO or HART CSSO. The ESSC is responsible for making recommendations for direction and final disposition of SSRC escalated safety or security issues. Also, the ED-CEO and/or the ESSC is responsible for accepting the risk from hazards that cannot be mitigated to an acceptable level.

2.6 Safety and Security Review Committee (SSRC)

The SSRC is the entity charged with assuring safety and security certification has been achieved prior to the start of revenue operations. The SSRC is the primary forum for review and acceptance of all safety and security certification documentation developed for the Project and is accountable to the HART ED-CEO. The HART CSSO chairs the SSRC and determines the meeting agenda and schedule. SSRC members have been selected from a broad range of Project technical disciplines. Other Project staff and stakeholders attend SSRC meetings to serve as technical resources on an as-needed basis. The SSRC membership will change as the Project progresses through the project life cycle. The current SSRC membership and meeting frequency are provided in the SSMP, Appendix E.

The SSRC has oversight responsibility of safety and security activities for the Project and is responsible for approval or acceptance of all plans, procedures, and certification documents. These responsibilities include, but are not limited to, the following:

Assuring SSMP and SSCP updates and revisions are formally reviewed and approved

Supporting the development and updates of safety and security design criteria

Assuring documentation used to verify the closure of safety hazards and security vulnerabilities is formally reviewed and approved

Assuring the resolution of issues concerning the verification process, including documentation discrepancies and incompleteness

Supporting interagency coordination activities for safety and security certification during the entire Project life cycle

Assuring certifiable elements and items checklists are formally reviewed and accepted

Reviewing recommendations from the SSCWG for the closure of Hazard Tracking Log (HTL) items to assure they have been properly mitigated to an acceptable level

Preparing SSCVRs and making recommendation for approval to the HART ED-CEO

Providing Safety and Security Certification status updates to the RAC (once activated)

In the event that safety and security issues cannot be resolved at the SSRC level, the issue will be escalated to the ESSC for resolution.

2.7 Fire/Life-Safety Working Group (FLSWG)

The FLSWG is chaired by the HART CSSO, or designee, and is subordinate to the SSRC. The FLSWG serves as the primary forum for coordination between the Project Team and local emergency response agencies. This includes but is not limited to the Honolulu Department of Emergency Management (DEM), Honolulu Police Department (HPD), Honolulu Fire Department (HFD), and Emergency Services Department (ESD). The FLSWG responsibilities include but are not limited to the following:

Coordinating Project activities with emergency response agencies

Reviewing safety and security design criteria and requirements associated with fire/life safety

Identifying, analyzing, and resolving hazards associated with fire/life safety issues

Supporting safety analysis of identified fire/life safety hazards

Participating in the development and implementation of procedures for tabletop exercises and emergency drills

Supporting the coordination of maintenance-of-traffic activities that may impact emergency response near Project worksites

2.8 Safety and Security Certification Working Group (SSCWG)

The SSCWG is chaired by the HART CSSO, or designee, and serves as the primary forum for staff to coordinate Project-wide and contract-specific certification activities. The SSCWG is a subordinate working group to the SSRC and is tasked with performing the more technically driven activities associated with safety and security certification. SSCWG membership will change as the project progresses through each life cycle phase. Project Contractor representatives are requested to attend SSCWG meetings to provide technical information and status reports as required. The current SSCWG membership and meeting frequency are provided in Appendix E of the SSMP. SSCWG responsibilities include but are not limited to the following:

Recommending revisions and updates to the SSCP and SSMP

Monitoring the overall status of safety and security certification activities

Supporting the development of and reviewing completed Design Conformance Checklists

Supporting the development of and reviewing completed CSCCs

Supporting technical reviews of safety and security analyses

Supporting the issuance of Certificates of Conformance for safety and security certifiable elements once they have been approved by the SSRC

Providing information to assist in the closure of items on the OIL related to safety and security certifiable elements

Assisting with the management and tracking of items on the HTL to closure

Supporting the development of the SSCVR and Project Safety and Security Certificates

2.9 Operational Readiness Working Group (ORWG)

The ORWG is chaired by the HART Director of Operations and Maintenance (currently vacant) and co-chaired by the Deputy Director of Core Systems, and serves as the primary forum to coordinate safety and security activities associated with start-up and rail activation. The ORWG is a subordinate group to the SSRC. As directed by the SSRC, ORWG members will serve as members of the RAC and ITT. The ORWG responsibilities include, but are not limited to:

Reviewing operational safety and security documentation (i.e., SOPs/EOPs, SSPP, SSP, EPP, Rule Book) developed by the CSC with HART coordination

Providing safety and security reviews of Testing and Start-up plans and documentation (i.e., emergency drills, Operations Management Plan [OMP], System Integration Test Plan [SITP], and Rail Activation Plan [RAP])

Providing safety and security reviews of training and qualification programs and procedures required for maintenance and operations personnel

Supporting the compilation of the Operational Readiness Conformance Checklist as part of achieving final safety and security certification

Managing and supporting safety and security activities completed by the ITT and RAC associated with start-up and activation

2.10 Rail Activation Committee (RAC)

The RAC, to be chaired by the HART Project Director, is a future committee (January 2016) to be established in advance of revenue operations. The RAC will support the CSC's development of the RAP, which is subject to HART review and acceptance. The RAC will develop the requirements, sequence of events, and schedule for all tasks necessary for activation and operation of a Project phase. The HART CSSO, or his/her designee, will serve as a member of the RAC and facilitate coordination with the SSRC and ORWG. The RAC will coordinate with the SSRC to assure safety and security certification has been completed for certifiable elements contained in the RAP prior to phased start-up or full revenue operations.

2.11 State Safety Oversight (SSO)

HDOT has developed its SSPS, the Program Standard for Rail Safety and Security Oversight (PSRSSO), Initial Submittal, March 2013, Final, which describes its roles, responsibilities, and requirements during the safety and security certification process. These requirements are defined in the FTA 49 CFR Part 659. The HART CSSO will coordinate safety and security certification activities with the HDOT SSO Representative. The HDOT SSO will review the HART SSCP in accordance with its PSRSSO, Appendix Q, Safety and Security Certification Plan (SSCP) Review Checklist.

2.12 Safety and Security Certification Schedule

Project Contractors are required to include line items for safety and security certification activities in their milestone and deliverable schedules. Project Contractor schedules must reflect critical path items such as the completion of Conformance Checklists. The HART Safety and Security Division has developed a Safety and Security Certification Schedule and provided it for inclusion into the Master Project Schedule (MPS). The HART Safety and Security Division will track the completion of safety and security activities having major schedule impacts in the MPS. The HART CSSO will participate in the review and approval of Contractor schedules.

3 Certification Process and Procedures

3.1 Safety and Security Certification Methodology

Safety and security certification will be implemented utilizing the methodology described in the FTA Handbook for Transit Safety and Security Certification, November 2002 (FTAHB). This MIL-STD 882D based methodology utilizes the system safety engineering discipline to effectively manage the inherent safety risks and security vulnerabilities identified during the Project life cycle. Certification addresses conditions that could result in harm—whether unintentional (safety) or intentional (security). Through this process, hazards and vulnerabilities are translated into risks, which are then analyzed, assessed, prioritized, and resolved, accepted, or tracked. Safety and security certification is not contractual acceptance and, likewise, contractual acceptance does not constitute safety and security certification. HART is committed to verify that its operation is free from unacceptable risk through a proactive approach that identifies, anticipates, and controls adverse conditions before they occur.

3.1.1 Safety and Security Review Committee Preparation Process

Before items are presented to the SSRC for review and acceptance, the HART Safety and Security Division requires all information (clean version, redline version, comments, etc.) be submitted in the Project's Contract Management System (CMS) three weeks before the SSRC is scheduled. This time allows HART to prepare the documents and supporting materials to be verified and provided to the SSRC members for their two-week review cycle.

3.2 Grand Opening and Extensions

Start-up and revenue operations for the Project will occur via a traditional Grand Opening followed by segmented extensions. The SSRC, supported by the CSC and civil contractors, will develop the safety and security certification requirements for openings and extensions and include them in the SITP and the RAP. These documents must be submitted to the SSRC for review and acceptance by HART.

The Grand Opening will undergo the certification process with safety and security verification performed for the entire operating system. Each additional segment will undergo safety and security verification as an extension to the then operating system, including the additional testing necessary to verify end-to-end operational safety and security over the existing system and the new addition.

The Project must achieve final safety and security certification prior to commencement of full revenue operations for the entire System. Operating plans and schedules will consider lead times for ORRs conducted by the SSO and/or FTA. These reviews are required prior to the commencement of passenger service.

3.3 Steps in the Safety and Security Certification Process

The safety and security certification process consists of the following steps:

Step 1 – Identify Certifiable Elements and Items

Step 2 – Perform Hazard Analyses and Threat and Vulnerability Assessments and Develop Safety and Security Design Criteria

Step 3 – Develop and Complete Design Criteria Conformance Checklist

Step 4 – Perform Construction Specifications Conformance

Step 5 – Identify Additional Safety and Security Test Requirements

Step 6 – Monitor and Verify Testing and Validation in Support of the Safety and Security Certification (SSC) Program

Step 7 – Monitor and Verify Systems Integration Tests

Step 8 – Manage "Open Items" in the SSC Program

Step 9 – Verify Start-up, PRO conformance, and Operational Readiness

Step 10 – Conduct Final Determination of Project Readiness and Issue Safety and Security Certification

3.3.1 Step 1 – Identify Certifiable Elements and Items

The first step in the certification process is to identify the elements that need to be certified for the Project. Safety and security certifiable elements are the Project elements that can impact the safety and security of passengers, employees, contractors, emergency responders, equipment or the general public. The compilation of these elements, known as the Certifiable Elements List (CEL), is one of the initial working documents of the safety and security certification process. Certifiable elements are composed of numerous items. Certifiable items make up the whole of the major element and require individual safety and security verification before the major element is verified as safe and secure for use. The listing of these items for a major element is referred to as the Certifiable Item List (CIL). HART uses the following criteria to identify and define if an item has a direct Safety or Security relationship:

Any product, system, operation, or process whose proper performance, control, recognition, or tolerance is essential for assuring the safety and/or security of personnel, passengers, or the general public

Any product, system, operation, or process that may contribute to an increase in the severity or probability of an incident

These items are identified during Step 3.

HART developed an initial CEL and CIL for each element based on the PE phase of the Project. The CELs and CILs were developed by performing technical reviews of contract packages, design criteria, common drawings, specifications, and other project documents. Prior to the Project entering revenue operations, a Certificate of Conformance (COC) must be issued for each certifiable element. Certifiable elements identified for the Project as of the latest revision of this SSCP are provided in Appendix A. The CELs and CILs will be updated as the Project progresses through each life cycle phase. New safety and security certifiable elements, or items within an element, may be identified and incorporated into the checklist as a result of design modifications, re-assessment of safety and/or security critical items, or other reviews of applicable documents, standards, or best practices. Any modification to the checklists generated following CEL/CIL SSRC approval will be vetted through the SSCWG and SSRC.

Certifiable elements will be broken down further into sub-elements which characterize specific features or quantities of the major element to be certified. Certification of major certifiable elements will be contingent upon their associated sub-elements complying with identified safety and security requirements. The process of breaking down certifiable elements and sub-elements into CILs will continue through the Project's PE and FD phases.

The initial PE-Phase CELs and CILs will be provided to Project Contractors for review. Project Contractors will further expand and complete the CELs and CILs based on the scope of their technical specifications and contract requirements. Project Contractors will submit CELs and CILs to HART for review and acceptance. Final acceptance of CELs and CILs occurs at the HART SSRC meetings.

3.3.2 Step 2 – Perform Hazard Analyses and Threat and Vulnerability Assessments and Develop Safety and Security Design Criteria

Safety and security design criteria are used to guide the Project design team in the control of safety hazards and security vulnerabilities. The security criteria include the concepts of Crime Prevention through Environmental Design (CPTED) and guidelines from FTA's Transit Security Design Considerations, November 2004. To facilitate the development of the safety and security design criteria, a Preliminary Hazard Analysis (PHA) and a Threat and Vulnerability Assessment (TVA) were performed for the project.

Safety and security design criteria were generated from the following:

The results of the safety analyses and security assessments described above

Performance criteria specific to the Project

Design criteria from similar transit projects

Operating experience from rail transit operating systems using applicable technologies in similar operating environments

Transit industry safety and security best practices

Applicable safety and security design codes, standards, and regulations

Development and update of safety and security design criteria is coordinated with the SSRC. HART has developed and updated the safety and security design criteria. As Project segments approach FD, the respective Project Contractors and Consultants review the criteria and forward any recommendations for changes to HART for review and acceptance by the SSRC.

3.3.3 Step 3 – Develop and Complete Design Criteria Conformance Checklist

The third step in the certification process is to identify safety and security design criteria requirements for safety and security certifiable elements. This process involves the creation of a checklist for each certifiable element to record requirements generated from the HART CDC developed in Step 2. These checklists are broken down by safety and security certifiable elements and sub-elements from the safety and security design criteria requirements identified in the CDC and other Technical Provisions (TPs) and Special Provisions (SPs) for design as determined in Steps 1 and 2. These Design Criteria Conformance Checklists (DCCC) are developed during the PE phase and are completed and verified upon completion of FD.

The purpose of the DCCC is to document one or more of the following:

Design documentation contains the safety and security related requirements identified in the project design criteria, PHAs, and TVA per Step 2

Designs comply with set safety and security codes

Designs reflect transit industry safety and security standards and best practices

Safety and security design comments are addressed and successfully resolved

The initial PE-Phase draft DCCCs are developed by HART Safety and Security based on the CELs produced in Steps 1 and 2. These draft checklists are reviewed and validated with the Design Certification Points of Contact (POCs) and processed through CMS and ultimately presented to the SSRC for final review and approval.

As the design progresses from PE to FD, each Design Certification POC assures his/her design contractors complete the design verification section of the checklists by entering the means of verification (specification, page, and paragraph number, drawing number[s] and/or notes, Basis of Design [BOD] section, page, and paragraph number, etc.) for each line item along with his/her initials and date. For these individual line items, electronic or wet initials are acceptable. However, at final design, a legend should be submitted that clearly identifies all initials to the full name of each individual confirming the means of verification.

Regular meetings/workshops are conducted between the Design Certification POC and HART Safety and Security to monitor the checklist status. When all of the checklist items have been verified, the Design Certification POC will sign (wet or digital signatures are acceptable) each section or the last page (as applicable) to confirm completeness of the checklist.

Next, HART Safety and Security reviews the design conformance checklists for completeness and conducts final verification of the line items and provides initials and date. Once FD verification is reached, these conformance checklists are processed through CMS to the SSRC for final review and approval. Once approved by the SSRC, the HART CSSO, or designee, will sign (wet or digital signature) the DCCC to indicate HART acceptance. The document will then be uploaded into CMS as a permanent Project record. Supporting verification documents (drawings, specifications, BOD, etc.) are maintained and available in CMS for review.

The DCCC line items are then linked to the applicable Construction Specification Conformance Checklists (Step 4) for verification during the Construction, Installation, and Testing phases. Line items that do not have an absolute link to the CSCCs are tracked as an open item until a means of verification is identified and verified.

The DCCC format is provided in Appendix B, and diagrams outlining the process details are shown in Figures 3-1 to 3-3 below.

3.3.4 Step 4 – Perform Construction Specification Conformance

Construction Specification Conformance Checklists (CSCCs) are utilized to verify that the as-built facilities and structures incorporate the safety and security requirements identified in civil procurement and equipment specifications and other contract documents. Specification Testing Conformance Checklists (STCCs) are utilized to verify that systems components and equipment incorporate the safety and security requirements identified in the systems procurement specifications and other contract documents. These include the approved changes that may have occurred during FD.

The CSCCs and STCCs are the "other half" of the DCCCs, because they:

Identify those safety and security related requirements in the specifications that contribute to the mitigation of identified safety hazards (PHA) and security vulnerabilities (TVA) to include operational needs such as training and Operations and Maintenance (O&M) manuals for revenue service

Provide the necessary link to verify that construction/testing was completed utilizing the safety and security elements and items from the DCCCs

Identify the testing requirements and verification methods necessary to assure the as-built items contain the safety and security specific requirements identified in the applicable specifications and other contract documents

Provide documentation such as approved construction submittals, test plans/reports, specific analyses, technical reports, job photographs, and inspection reports to verify the Project meets these requirements

CSCCs and/or STCCs are developed for all civil, systems, and equipment procurement contracts. Draft CSCCs and STCCs are developed by HART Safety and Security based on approved specifications for construction and procurement. These draft checklists are reviewed and validated with each Construction Certification POC and processed through CMS and ultimately presented to the SSRC for review and final approval. As construction, installation, and testing progress, the Construction Certification POC enters the means of verification (submittal number, quality control report, inspection report, etc.) for each line item in the checklist along with his/her initials and date. HART Safety and Security reviews the checklists via monthly meetings/workshops with the Construction Certification POC for completeness, conducts final verification, and initials and dates each verified item. Once verification is completed, the checklists are processed through CMS and are presented to the SSRC for final review and approval. Once approved by the SSRC, the HART CSSO will sign (wet or digital) the CSCC/STCC to indicate HART acceptance. The document will then be uploaded into CMS as a permanent project record. Supporting verification documents (submittal number, QC reports, etc.) are maintained and available in CMS for review.

Safety and security requirements that cannot be verified by available documentation or demonstration are tracked to resolution in the OIL. As mentioned in Step 3, the management or resolution of open items should result through the Project Team's use of the CSCC/STCC. This checklist provides a decision-making tool for managers to review the status of open items resulting from deviations to the approved design, work-arounds, change orders, and other temporary measures.

The CSCC and STCC formats are provided in Appendix B, and diagrams outlining the process details for development and verification are shown in Figures 3-1 to 3-3 below:

Figure 3-1: Design Criteria Conformance Checklist Process Overview

Figure 3-2: Design Criteria Conformance Checklist Process Flowchart

Figure 3-3: Detailed Certification Process Flowchart

3.3.5 Step 5 – Identify Additional Safety and Security Test Requirements

Contractor and integrated testing requirements will be reviewed for safety and security considerations. The need for additional tests may arise for various reasons throughout the Project. The SSRC will make recommendations to the Project Team if it determines additional safety and security tests should be conducted. Both contractor and integrated testing are subject to certification. Certification of contractor testing may be verified in the CSCC, combined with integrated testing in a program certification, or by other acceptable means. These tests will be added to the test program and CSCCs as required.

3.3.6 Step 6 – Monitor and Verify Testing and Validation in Support of the SSC Program

This step is focused on verification that the project's safety and security criteria and related requirements are satisfactorily incorporated into the finished product.

During the construction phase, test reports and other documentation are submitted to HART as a result of Design Qualification Tests (Factory), Construction Inspection Tests, and Installation Verification Tests. Project Contractors will document the results of the safety and security related tests on the CSCCs. Appropriate documentation, clearly listing the means of verification as described in Step 4, should be submitted to HART for review and acceptance by the SSRC.

SSRC members may observe safety and security related tests, including but not limited to first article inspections, mock-up reviews, qualification tests, performance tests, and acceptance tests. Testing of fire/life-safety systems will be coordinated with the appropriate Project staff, which includes Test Managers, Test Program Coordinators, and Resident Engineers.

3.3.6.1 Tests Required by Technical Specifications

Contractor testing, as required by the contract technical specifications, will verify the functionality of the involved system or equipment. Project Contractor factory tests will be subject to safety and security certification. Project Contractor testing will be tracked and verified on the CSCC. The conformance checklists track the testing and verification activities that support and validate conformance. Typical specification tests include qualification, manufacturing, performance, and acceptance tests such as sprinkler systems, alarms, intrusion detection systems, emergency management panels, fire alarm control panels, and security camera systems.

All contractually specified construction phase testing on an element must be satisfactorily completed before that element can receive test program conformance. Typical specification tests include qualification, manufacturing, performance, and acceptance tests such as sprinkler systems, alarms, intrusion detection systems, emergency management panels, fire alarm control panels, and security camera systems.

3.3.7 Step 7 – Monitor and Verify Systems Integration Tests

During the Testing and Start-up Phases of the Project, system integration testing is conducted. Upon successful completion of Systems Integration Testing (SIT), Pre-revenue Operations (PRO) will begin. These test program activities are detailed in the System Integration Test Plan (SITP) and the Start-Up and PRO Plan. The SITP and PRO Plan will be developed by the CSC and submitted to HART for review and acceptance by the SSRC. The SITP will address emergency drills to be performed during the testing and start-up phase, as well as the procedures for the respective tests and emergency drills. The SITP will also detail the process by which individual tests will be conducted, documented, approved, and certified for each phased opening and full revenue operations. These tests are needed to verify proper operation, functionality, and/or compatibility of the equipment or the systems involved. System integration tests and emergency drills will be designated as certifiable items and incorporated into CSCCs. The SITP and associated test results will become a part of the certification documentation package and are subject to audits by the SSRC.

The HART Test Manager or Test Program Coordinator (future positions) will notify the HART CSSO of the intent to conduct an integration test or emergency drill. In order to conduct a system integration test, a minimum level of safety and security conformance must be demonstrated. The minimum level required will be dependent upon the nature and scope of the test. An Integration Test Permit, developed as part of the SITP, will be issued prior to conducting each test. The permit will indicate that a minimum level of conformance has been met and that the systems may be integrated. The SSRC will determine the current level of verification for each element involved in the test, and will issue a permit for signature. Test restrictions, if any, will follow procedures contained in the SITP. A copy of the completed permit will be included in the test procedure and report. Integration Test Permits will expire upon final completion of the test.

If safety and security certifiable elements related to testing have not been completed, a temporary use permit may be issued in accordance with the SITP. The permit will be forwarded to the Project Contractor responsible for the elements being integrated. Only signatures for those elements that have not been issued a Certificate of Conformance will be obtained. Temporary Use Permits will expire upon completion of certification for the elements involved. The Integration Test Team (ITT), supported by the SSRC, will oversee this process to assure all system integration tests and emergency drills designated as certifiable items have been completed.

3.3.8 Step 8 – Manage Open Items in the SSC Program

During the completion of the CSCCs, instances of nonconformance with a safety or security requirement will be noted. If these items cannot be resolved at the Project staff level, they will be captured on an Open Items List (OIL) (Appendix C) and forwarded to the SSRC. The OIL will serve as the primary tool used by the SSRC to track certifiable elements and items that could not be verified or are in a nonconformance status. Those items on the OIL that clearly have an associated safety hazard or security vulnerability implication will be transferred to the Hazard Tracking Log to be tracked to closure. The Hazard Tracking Log (Appendix D) will be used to track safety-critical or security-critical items. Safety-critical and security-critical items are defined as those with the potential to result in harm. Those items may be resolved by the following actions:

Correction or elimination of the hazard or vulnerability

Mitigation through physical modification, revised specifications, or revised operating procedures

Deferral of corrections, with operational or use restrictions imposed

Retention, as is, with supporting rationale

Hazard and Vulnerability items will be reviewed in accordance with the Project's risk assessment criteria for safety hazards and security vulnerabilities. Risk assessment criteria definitions are provided in Appendix F. In those cases where it is impractical to resolve the hazard or vulnerability by meeting the original requirement, the SSRC will request Project Contractors to develop an acceptable alternative and to provide technical rationale for the alternative. Other cases may warrant placing the item into service as-is. However, any residual safety and security risks must be reduced to an acceptable level before commencement of revenue operations.

3.3.9 Step 9 – Verify Start-up, PRO Conformance, and Operational Readiness

Safety and security related plans and procedures, including training programs, will be certified to assure that the necessary operations, maintenance, safety and security programs, procedures, and plans have been developed and are in place prior to the start of revenue service. In addition, personnel who will operate, maintain, provide security, and respond to emergency situations will be required to have an in-depth knowledge of these plans, procedures, and programs prior to beginning revenue service. Many of these activities are started during the construction phase and even completed during the construction or testing phase. The final start-up element, PRO, cannot begin until SIT has been certified. The SIT certification assures that the test plan demonstrates that train operation is safe and secure and, that should an emergency occur, responders have been trained to respond safely and appropriately.

The CSC will perform pre-passenger demonstration tests prior to the passenger service start date to verify the functional capability and operational readiness of the transit system. During the pre-passenger service phase of the system, procedures and plans will be tested for effectiveness under simulated operating conditions for normal, abnormal, and emergency situations. These items will be detailed in the PRO Plan. The SSRC will use the Operational Readiness Conformance Checklist, provided in Appendix B, to verify the completion of these items, including the approval of the PRO Plan. The Operational Readiness Conformance Checklist will be developed by CSC and submitted to HART for review and acceptance. The SSRC, as in previous steps, will facilitate the review and acceptance process. The SSRC will coordinate its operational readiness activities for certification with the RAC. In addition, a final walk-through of completed facilities and systems will be performed by members of the SSRC, SSO, and other stakeholders.

3.3.9.1 Training Programs

The training programs and documents that support the applicable certifiable elements will be evaluated to assure critical elements have been addressed. The certification process will verify that:

Training is acceptable and incorporates information regarding safety features of the system for normal, abnormal, and emergency conditions

Safety and security training for operations and maintenance personnel has been developed, performed, and successfully completed

Emergency training has been developed, performed, and successfully completed by agency and public safety personnel as appropriate

3.3.9.2 Tabletop Exercises and Emergency Drills

Emergency drills required for testing and startup will be performed as part of the HART approved SITP developed by the CSC prior to revenue operations. The SSRC will support the development of and perform detailed technical reviews of emergency preparedness documentation developed by the CSC. The SSRC will facilitate the review and acceptance of tabletop drill and emergency drill plans and procedures. This documentation will be reviewed to verify the adequacy of emergency response plans and procedures and to assure that outside emergency response personnel are prepared to adequately respond to Project-related emergencies. Emergency drills will be developed to:

Familiarize and train response personnel in emergency procedures

Evaluate response procedures

Identify opportunities for improvement to response procedures before an actual emergency occurs

Develop and assure an adequate level of preparation for potential emergencies

3.3.10 Step 10 – Conduct Final Determination of Project Readiness and Issue Safety and Security Certification

Project Contractors will submit completed CSCCs, along with the supporting documentation to HART. Once the checklist is reviewed and accepted, a Certificate of Conformance, along with any restrictions or work-arounds, is issued. An example of the Certificate of Conformance is provided in Appendix E. Signature blocks for Certificates of Conformance will be tailored to the specific Project Contractor's management organization. Restrictions or work-arounds will be communicated to all affected Project Team members and departments in writing. Residual risks from restrictions or work-arounds will be reviewed in accordance with risk acceptance criteria. If the SSRC determines that all requirements for certification have not been met, it will make a recommendation to the HART ED-CEO that revenue operations be delayed.

The original signed Certificate of Conformance and verification package will be stored using the primary project documentation control system, CMS. When removal of restrictions attached to a Certificate of Conformance is appropriate, an addendum will be prepared. To become effective, the addendum will be signed by the same levels of authority as that on the original Certificate of Conformance.

3.3.10.1 Interim Certification Certificates

Interim Certification Certificates are issued when requirements surface that require partial utilization of incomplete contracts (civil, systems, and equipment contracts) for specific vehicle testing requirements. The Interim Certificate assures that safety critical items of affected contracts (civil, systems, and vehicle CILs) are identified, placed into a special conformance checklist, approved by the SSRC, completed, and verified. Potential requirements that may require Interim Certificates include:

Vehicle storage tracks in the rail yard for vehicle delivery

Test track in rail yard

Functional tracks, test track along the rail Right of Way (ROW)

Partial utilization (occupancy) of a maintenance bay for vehicle testing prior to 100% completion of civil and system contracts for the maintenance facility

This certification provision is not intended for contractual requirements between disciplines (civil and systems) or coordination efforts as work progresses and transitions from one discipline to another. This process is primarily focused on introducing new rail vehicles to tracks and integrating essential systems into operation for testing purposes when construction contracts are not completed.

The Interim Certification Certificate format and signature authority is shown in Appendix E.

3.3.10.2 Prepare Safety and Security Certification Verification Report (SSCVR)

The SSRC will prepare the SSCVR and Project Safety and Security Certificates, as shown in Appendix E, once all required Certificates of Conformance have been issued. Project Safety and Security Certificates and approved SSCVRs will be required for each phased segment opening, and go through the same process as the final project Certificate. A Final Project Safety and Security Certificate will be issued for the completed Project, which includes activation of all line segments and system elements. Project Safety and Security Certificates will be signed by the appropriate Project staff and included as part of the SSCVR. The SSRC will submit the SSCVR to the HART ED-CEO for review and approval. At a minimum, the SSCVR will include the following elements:

Executive Summary

Safety and Security Certification Activities

Design Conformance Certification

Construction Conformance Certification

System Integration Testing Certification

Pre-revenue Operations Certification

Manuals, Operating Procedures, and other Start-up Element Certification

Training Certification

Completed Certificates of Conformance for all other certifiable elements

Project Safety and Security Certificates signed by the HART ED-CEO

Any restrictions to full operation

Any restrictions to full safety and security certification

Work-arounds to full operations and full certification to allow restricted operation

Schedule for elimination of all work-arounds to allow full unrestricted operation

The HART ED-CEO will sign the Project Safety and Security Certificate, which constitutes approval of the SSCVR. HART ED-CEO approval of the SSCVR signifies that commencement of passenger service or revenue operations for a phased segment opening or the completed Project may proceed.

3.3.10.3 Submit SSCVR to HDOT and Receive Approval

HART will submit the signed SSCVR to HDOT, the SSO. The SSO will review and process the SSCVR in accordance with the requirements of the PSRSSO developed by HDOT.

4 Safety Hazard and Security Vulnerability Management

4.1 Safety Hazard Management

Safety hazard management is the formal process to systematically recognize, identify, evaluate, and resolve safety hazards. This process is coordinated through the SSRC to assure control or elimination of safety hazards associated with the design, construction, testing, start-up, and operation of the Project for customers, employees, and the general public. Recognized hazards will be identified and categorized as to their potential severity and probability of occurrence, and will be analyzed for potential impact. Those hazards will be resolved by design, engineering control, warning device, procedure, training, or a combination of these methods, until they are reduced to a level of risk acceptable to HART.

The hazard management process will be most effective when applied during preliminary engineering and final design, but the process will be used throughout each phase of the Project, including start-up and operations. The hazard management process is used to evaluate the safety impacts of deviations from the baseline design, engineering/construction change orders, operational and other modifications made during construction, testing and Project activation.

The HART methodology to control hazards is described in Appendix F: Safety Hazard and Security Vulnerability Management Process.

4.2 Security Threat and Vulnerability Management

Threat and vulnerability management is an important component of the certification process for the Project. Management of the security threats and vulnerabilities is coordinated through the SSRC in the same way as safety hazards discussed in the previous section. A Threat and Vulnerability Assessment (TVA), Revision 1.0, October 22, 2014, was prepared for the Project and was conducted to identify the potential impact of security threats and analyze inherent vulnerabilities so that they could be resolved during the earliest phases of the Project.

The Security Threat and Vulnerability process is detailed in Appendix F: Safety Hazard and Security Vulnerability Management Process.

4.3 Hazards and Vulnerabilities Tracking

This process includes documentation of identified safety hazard and security vulnerability resolution activities through the use of a Hazards Tracking Log (HTL). HART has developed a safety and security management system to track these items. The tracking log is used to record identified safety hazards and security vulnerabilities as well as their corresponding resolution/mitigation. The effectiveness of the mitigation will be scrutinized to determine that no new hazards and security vulnerabilities have been introduced. In addition, whenever significant changes are made to the system, analyses and assessments will be conducted to identify and resolve any new safety hazards and/or security vulnerabilities.

Identified safety hazards and security vulnerabilities will be tracked through to resolution. The residual risk of hazards or vulnerabilities having an unacceptable or undesirable risk must be reduced to an acceptable level before revenue operations can commence.

Safety and security analyses submitted by Project Contractors are certifiable items. The SSRC will support the review and acceptance of these documents and issue Certificates of Conformance.

An example of the OIL and HTL can be found in Appendix C and Appendix D, respectively.

4.4 Hazard and Vulnerability Resolution Verification

HART will utilize the safety and security certification process to verify that safety hazards and security vulnerabilities identified through the analysis methods have been eliminated or reduced to an acceptable level of risk. Required safety and security analyses are base documents that were generated to create the CDC where most certifiable elements reside. The results of these analyses will be used to log and track identified safety hazards and security vulnerabilities to closure. The PHA, and following HAs, will be used to develop other required safety and security analyses such as Operations Hazard Analyses (OHAs), Failure Modes, Effects, and Criticality Analyses (FMECAs), and fault tree analyses.

The PHA, and following HAs, formed the basis for the HTL, the central location for tracking identified safety hazards and security vulnerabilities to closure. Severity Category 1 and 2 safety hazards and security vulnerabilities must be reduced to an acceptable level of risk prior to revenue operations or accepted by the ED-CEO and ESSC.

The SSRC will verify satisfactory completion of mitigation measures by reviewing supporting documentation and make recommendations for closure of HTL and TVA items. Supporting documentation will typically come in the form of contractual submittals, inspection reports, test reports, measurements, and other submittals that have been accepted or approved by HART. The SSRC shall proceed with issuing a Certificate of Conformance after verifying that all identified mitigation measures have been satisfactorily completed for the certifiable element. An SSRC member may request that a closed item be reopened if it is determined that changes in the design, construction, installation, or testing of certifiable elements require additional mitigation measures. Upon SSRC concurrence, the item will be reopened and the Certificate of Conformance rescinded or amended.

The HART methodology to control hazards and vulnerabilities is identified in Appendix F: Safety Hazard and Security Vulnerability Management Process, and the Hazard Analysis Worksheet and the Threat and Vulnerability Assessment Worksheet are provided in Appendix G.

5 Audits

5.1 Periodic Safety and Security Certification Audits

Throughout the project life cycle, certification process, and verification efforts, audits will be conducted on a periodic basis, by a management team independent of the Project certification program. Audits should verify that all participants in the design conformance, construction specification conformance, and testing and acceptance processes are reviewing to assure compliance with the safety and security requirements of the Project and appropriately documenting this conformance.

Safety and Security Audit activities include the following:

Reviewing the status of safety and security certification tasks as outlined in the project SSMP and SSCP

Assuring compliance with certification program milestones

Identifying scheduling incompatibilities that may require corrective action

Tracking and implementing positive corrective actions where safety and security related deficiencies are revealed

Working with the Project Team to support the SSC Program

Assuring that the HART Safety and Security Certification Team is included in the Change Management processes to assure that project changes do not create safety hazards or security vulnerabilities

Regular audits of the Safety and Security Certification Program are conducted by:

HART QA/QC

PMOC

HDOT (SSO)

FTA Safety and Security Readiness Reviews

APTA Peer Reviews

Additionally, each phase of the project life cycle, design through the start-up and testing phase, will be periodically audited by the HART Safety and Security Division to assure Project Contractor compliance with SSCP requirements and the milestone and deliverable schedule. The HART CSSO will determine the frequency of the audits based on the progress of certification activities. Audits will be conducted by the HART CSSO or his/her designee.

Safety and Security Audit activities of Project Contractors include the following:

Assuring that the Conformance Checklists and Certificates of Conformance are being completed and are supported by traceable documentation

Assuring that safety hazards and security vulnerabilities are being tracked, analyzed, and resolved in accordance with the SSMP

Assessing the Project Contractor's progress with respect to the HART certification schedule

The HART Safety and Security Division will report critical audit findings to the HART Project management staff and the SSRC. A copy of the audit findings will be provided to the Project Contractors as applicable. Outstanding issues will be tracked to closure via the OIL or HTL as outlined in Appendix F: Safety Hazard and Security Vulnerability Management Process.

6 Documentation

6.1 Verification Documentation

Verification documentation is critical to the success of safety and security certification. Verification documentation provides a detailed audit trail of activities that demonstrate conformance with the safety and security requirements for the Project. The SSRC is ultimately responsible for assuring safety and security certification documentation is completed accurately, signed by appropriate Project staff, and maintained in a secure manner. Verification documentation will be maintained within CMS. The HART CSSO is responsible for facilitating these SSRC responsibilities. A thorough and timely approach will assure that each Certifiable Element is certified as safe and secure, prior to use for passenger service. At a minimum, the Project safety and security certification files will contain the following:

Certifiable Elements and Items Lists (CELs/CILs)

A summary sheet showing the certification status for the design, construction, testing, and start-up phases of the Project

Completed Design Criteria Conformance Checklists for each certifiable element

Completed Construction Specification Conformance Checklists for each certifiable element

Supporting documentation that may not be contained within the Project files, such as Visual Inspection Reports

Copies of test reports for safety-critical systems

Copies of system integration test permits, procedures, and reports

Certificates of Conformance for each Certifiable Element

Project Safety and Security Certificates (Interim, Phased, and Final Opening).

The HART Safety and Security Division will assure the certification files are stored in the primary Project documentation control system, CMS. They will also assure that the original hardcopies have been transmitted to HART Document Control. This documentation should be maintained for the life of the agency. Sensitive Security Information (SSI) will be protected using HART's SSI Plan.

6.2 Configuration Control Group (CFCG)

During the life of a project, it is not uncommon for design and/or construction changes to require corresponding changes be made to Certifiable Elements or Items. The HART CSSO currently participates as a member of the CFCG and reviews proposed changes for possible impacts to safety and security. The role and responsibility of the CFCG is described in the Project's Configuration Management Plan (CFMP). The implementation of the CFMP ensures that the baselines established for the Project are not changed without a systematic analysis of each proposed change to determine the effects of these changes to the Project. The analysis includes an assessment of whether the proposed change has an impact to the Project budget, schedule, technical criteria, safety and/or security, core systems, and/or overall basic configuration of the Project.

Impacts to safety or security from these changes will be evaluated in accordance with the Hazard Management Process (Appendix F). Hazard Assessments (HAs), used to evaluate the potential safety impacts from these changes, may be conducted by Design Engineers, Resident Engineers, or the HART Safety and Security Team. If an approved change results in a new Certifiable Item, that item will be added and tracked on the Open Items List. If the approved change requires additional verification documentation to be supplied by Project Contractors, that documentation will be reviewed by the SSRC.

7 Reporting Requirements

7.1 Monthly Reporting

An important part of the safety and security certification process will be briefing the SSRC, PMOC, and HDOT (SSO) on the status of ongoing activities (example reports can be found in Appendix H). Written or articulated reports will be provided by the SSSC on behalf of the HART CSSO, for submittal or discussion to the above named entities. The reports will advise these entities of the following:

Status reports and charts showing certification activities

Review and approval of the Contractor Base CELs/CILs, DCCCs and CSCC

Review and approval of the CSSP, SSMP, and SSCP updates

Review and approval of Hazard analyses, TVA, and other similar document updates

Potential changes to, or requests for deviation from Design Criteria and construction change orders

Review and discussion items on the Hazard and Vulnerability Tracking Logs

Review and discussion of items in the Open Items List

Review and discussion of Policing and System Security Status

Review and discussion of Safety and Security Certification Training

Significant problems encountered in the certification effort

Certificate of Conformance expected to be issued in the next reporting period

Audit findings and recommendations for improvement, if any.

7.2 Safety and Security Certification Verification Report

HART's process for delivering final certification that the Project is safe and secure for passengers, employees, emergency responders, and the general public culminates with the HART ED-CEO signature on the Project Safety and Security Certificate and approval of the SSCVR. The required contents of the SSCVR are described in Section 3.3.9. SSRC responsibilities will continue after the start of revenue operations, if needed, until all restrictions or work-arounds identified in the SSCVR are satisfactorily resolved, and final safety and security certification is achieved for the completed project.

Appendix A: HRTP Certifiable Elements List (CEL)

This CEL is intended to serve as a baseline list of major certifiable elements and sub-elements for the Project. This CEL will be updated, revised, and modified as necessary during the life of the Project based on documentation provided by Project Contractors.

1. Guideway
   a. Guideway Structure
   b. Utilities
   c. Roadway and Drainage
   d. Environmental

2. Trackwork
   a. Track Alignment and Vehicle Clearances
   b. Track

3. Stations & Parking
   a. Utilities
   b. Roadway and Drainage
   c. Environmental
   d. Traction Power Facilities
   e. Facilities Mechanical
   f. Facilities Electrical
   g. Fire and Intrusion Alarms
   h. Telephone Systems
   i. CCTV Systems
   j. Parking Facilities
   k. Vertical Circulation
   l. ADA
   m. Station Interiors
   n. Facilities Fire Life Safety
   o. Facilities Structural

4. Track Electrification
   a. Environmental
   b. Track
   c. Traction Power Facilities
   d. DC Power Distribution

5. Train Control & Signaling
   a. Environmental
   b. Automatic Train Protection
   c. Automatic Train Operation
   d. Automatic Train Supervision
   e. Yard Control Operations
   f. Train Control Equipment
   g. Doors

6. Communications & Control
   a. Operations and Control Center
   b. Fire Intrusion & Alarm Systems
   c. Supervisory Control and Data Acquisition
   d. Communications Transmission System (CTS)
   e. Fiber Optic Cabling Network
   f. Telephone System
   g. CCTV Systems
   h. Passenger Information Systems
   i. Local Area Networks
   j. Wireless Communications
   k. Uninterruptible Power Supply (UPS)
   l. Maintenance Management Information System
   m. ADA

7. Maintenance & Storage Facility
   a. Utilities
   b. Roadway and Drainage
   c. Environmental
   d. Track Alignment and Vehicle Clearances
   e. Track
   f. Traction Power Facilities
   g. DC Power Distribution
   h. Facilities Mechanical
   i. Facilities Electrical
   j. Maintenance of Way Building
   k. Train Wash Facility
   l. Wheel Truing Machine
   m. Fire and Intrusion Alarm System
   n. Yard Control Operations
   o. Telephone System
   p. CCTV System
   q. Parking Facilities
   r. Vertical Circulation (Elevators, Escalators, Stairs)
   s. ADA
   t. Facilities Fire Life Safety
   u. Facilities Structural

8. Passenger Vehicles
   a. Environmental
   b. ADA
   c. Trucks
   d. Car Body & Interior
   e. Doors
   f. Propulsion
   g. HVAC (Vehicles)
   h. Lighting (Vehicles)
   i. Braking
   j. Vehicle Monitoring System
   k. Couplers

9. Integrated Systems
   a. Contractor Test Plans
      i. Factory Acceptance Tests
      ii. Verification, Acceptance, and Test (VAT) Plan

10. System Integration Testing
   a. System Integration Test
      i. System Integration Test Plan (SITP)
      ii. System Integration Test Procedures
      iii. Emergency Drills

11. Operational Readiness
   a. Pre-Revenue Operations
      i. Pre-Revenue Operations (PRO) Plan
   b. Operations and Maintenance Plans Rules and Procedures
      i. Safety and Security Program Plan (SSPP)
      ii. System Security Plan (SSP)
      iii. Emergency Preparedness Plan (EPP)
      iv. Rule Book
      v. Operations Management Plan
      vi. Operating Manuals
      vii. Standard Operating Procedures (SOPs)
      viii. Emergency Operating Procedures (EOPs)
   c. Training
      i. Employee Training and Certification
      ii. Emergency Responder Training
   d. Staffing
   e. MOUs
   f. Public Education Program
   g. Service Contracts

12. Fare Vending
   a. Environmental
   b. DC Power Distribution
   c. Supervisory Control and Data Acquisition
   d. CCTV Systems
   e. Local Area Networks
   f. Ticket Vending Machine (TVM) Equipment (Hardware and Software)
   g. ADA

Appendix B: Safety and Security Certification Checklists

Exhibit B-1: Design Criteria Conformance Checklist Example

Exhibit B-2: Design Criteria Conformance Checklist Instructions

(1) Contains consecutive identification numbers for each safety and security certifiable item

(2) Identifies the section number of the requirement specified in the Compendium of Design Criteria

(3) Description of the associated requirement

(4) Identifies the source, code, or standard which forms the basis of the design criteria

(5) Identifies the specification section, drawing number, and/or contract reference for the design criteria

(8) Identifies the method used to verify that the requirement has been incorporated into the final design

(6) Status: C, NC, PC

(10) Identifies the method used to verify that the requirement has been incorporated into the delivered, as-built, installed and/or received item

(7) Initials of the designated person who verified the incorporation of the requirement into the final design

(9) Initials of the designated person who verified the incorporation of the requirement into the construction or installation

(10) Wet or digital signature

Exhibit B-3: Construction Specification Conformance Checklist Example

Checklist column headings: Link to DC Conformance Line Item # and/or Link to Specific Hazard #; Submittal # & Date; HART Verification Name/Date; Status Open/Closed; CMS #; Certifiable Element; Means of Verification; CM Cert POC Name/Date; Specification # / Para # / Title and Description

Exhibit B-4: Specification and Testing Conformance Checklist Example

Exhibit B-5: Operational Readiness Conformance Checklist Example

Appendix C: Open Items List Report

Appendix D: Hazard Tracking Log

Appendix E: Safety and Security Certification Certificates

Exhibit E-1: Certifiable Contract Certificate

HART SAFETY AND SECURITY CERTIFICATION PROGRAM

HONOLULU RAIL TRANSIT PROJECT

CONTRACT NAME

CONTRACT NO.: xxxxxxxx

SAFETY AND SECURITY CERTIFICATE

RESTRICTIONS: YES / NONE

OPEN SAFETY CRITICAL ITEMS: YES / NONE

OPEN NON-SAFETY CRITICAL ITEMS: YES / NONE

NOTE: This safety and security certification is limited as noted on the individual Certifiable Element Certificates: xxxxxxxx, xxxxxxxxxx, xxxxxxxx, etc... Any changes/modifications to the certifiable elements after MM/DD/YYYY are excluded from this certification. The x# of open non-critical items that are listed on page 2 will be placed on the SSRC "Open Items List" and tracked until closed.

This SAFETY AND SECURITY CERTIFICATE indicates that the safety and security critical requirements on the supporting contract Design Criteria Conformance Checklists (DCCC) and Construction Specification Conformance Checklist (CSCC) are completed and verified. The xxxxxxxxx Project/Contract is safety and security certified as a portion of the overall Honolulu Rail Transit Project once all signatures are obtained.

___________________ Date: __________
HART – Project Director

___________________ Date: __________
HART – Safety and Security Officer

___________________ Date: __________
HART Construction – Project Manager

___________________ Date: __________
HART – Safety and Security Certification Manager

CONTRACT NAME

CONTRACT NO.: XXX-XXX

SAFETY AND SECURITY CERTIFICATE

OPERATING RESTRICTIONS: YES / NONE

OPEN SAFETY CRITICAL ITEMS: YES / NONE

OPEN NON-SAFETY CRITICAL ITEMS: YES / NONE

Exhibit E-2: Certifiable Element Certificate

HART SAFETY AND SECURITY CERTIFICATION PROGRAM

HONOLULU RAIL TRANSIT PROJECT

CONTRACT NAME

CERTIFIABLE ELEMENT

"xxxxxxxx"

CERTIFICATE OF CONFORMANCE

RESTRICTIONS: YES / NONE

OPEN SAFETY CRITICAL ITEMS: YES / NONE

OPEN NON-SAFETY CRITICAL ITEMS: YES / NONE

NOTE: This Certifiable Element Certificate of Conformance is limited and supported by the attached Contract Design Criteria Conformance Checklists (DCCC) and Construction Specification Conformance Checklist (CSCC). Any changes and/or modifications to the certifiable element and supporting DCCC and CSCC after MM/DD/YYYY are excluded from this certification.

The Certifiable Element conforms to applicable safety and security requirements and is certified in support to the xxxxxxxx Contract certification.

___________________ Date: __________
HART – Project Director

___________________ Date: __________
HART – Safety and Security Officer

___________________ Date: __________
Construction – Project Manager

___________________ Date: __________
HART – Safety and Security Certification Manager

Exhibit E-3: Interim Safety and Security Certificate

HART SAFETY AND SECURITY CERTIFICATION PROGRAM

PROJECT/CONTRACT NAME PROJECT

XXXXXXXXXXXXX

INTERIM SAFETY AND SECURITY CERTIFICATE

RESTRICTIONS: Yes/No – See page 2

OPEN SAFETY CRITICAL ITEMS: Yes/No – See page 2

OPEN NON-SAFETY CRITICAL ITEMS: Yes/No – See page 2

NOTE: Once all safety critical test reports are completed/verified, this Interim Safety and Security Certificate takes effect with an expiration date of MM/DD/YYYY.

This INTERIM SAFETY AND SECURITY CERTIFICATE indicates that safety and security critical requirements have been successfully completed and the xxxxxxxxxxxxxxxxx is certified for partial occupancy/revenue service with restrictions as noted above and on page 2.

___________________ Date: __________
HART – Project Director

___________________ Date: __________
HART – Safety and Security Officer

___________________ Date: __________
HART – Director of Operations

___________________ Date: __________
HART – Safety and Security Certification Manager

___________________ Date: __________
HART – Deputy Director of Systems

___________________ Date: __________
HART – Deputy Director of Construction

OPERATING RESTRICTIONS: YES/NO

Restriction Description……………….

Restrictions/Actions:

Projected Completion:

OPEN SAFETY CRITICAL ITEMS: Yes -

OPEN NON-SAFETY CRITICAL ITEMS: YES – No Noted Restrictions


Exhibit E-4: Project Safety and Security Certificate

HART SAFETY AND SECURITY CERTIFICATION PROGRAM

HONOLULU RAIL TRANSIT PROJECT

PROJECT SAFETY AND SECURITY CERTIFICATE

RESTRICTIONS: YES / NONE

OPEN SAFETY CRITICAL ITEMS: YES / NONE

OPEN NON-SAFETY CRITICAL ITEMS: YES / NONE

NOTE: This safety and security certification is limited as noted on the individual Contract Certificates as listed on page 2. Any changes/modifications to the Contract Certificates and supporting checklists after MM/DD/YYYY are excluded from this overall project certification. Any open non-critical items will be transferred to the HART Safety Executive Committee and tracked until closure.

This SAFETY AND SECURITY CERTIFICATE indicates that the safety and security critical requirements are completed and verified. This Honolulu Rail Transit Project is safety and security certified for revenue service as of MM/DD/YYYY.

___________________________________ ________________ ____________________________________ ________________

HART – Deputy Director of Date HART – Director of Design Date Systems and Construction

___________________________________ Date: ________________
HART – Chief Safety and Security Officer

___________________________________ Date: ________________
HART – Deputy Executive Director

_______________________________________ Date: ________________
HART – Executive Director & Chief Executive Officer


HONOLULU RAIL TRANSIT PROJECT

SAFETY AND SECURITY CERTIFICATE

OPERATING RESTRICTIONS: YES / NONE

OPEN SAFETY CRITICAL ITEMS: YES / NONE

OPEN NON-SAFETY CRITICAL ITEMS: YES / NONE

Contract Certificates

XXXXXX

XXXXXX


Appendix F: Safety Hazard and Security Vulnerability Management Process

F-1. Safety Hazard Management Process

A safety hazard is any real or potential condition that can cause injury, death, and/or damage or loss of equipment and property. Hazard analyses (HA) will be conducted in accordance with the FTA guidance document Hazard Analysis Guidelines for Transit Projects, January 2000, Final Report and MIL-STD 882D. The objective of the hazard identification, analysis, and resolution process is to identify and define as many credible hazardous conditions as possible and to eliminate or control these hazardous conditions or associated activities prior to their causing or contributing to the aforementioned conditions. This will be accomplished by the following:

Identifying potential hazards resulting from failure of system elements and determining their impact on the overall system, people, property, and the environment

Identifying hazardous activities that could affect the transit system's safe operation

Identifying potential accidents and the consequences (e.g., fatalities, injuries, damage, and service interruptions) associated with each hazardous condition

Identifying measures that will prevent accidents by eliminating or controlling the underlying hazards

Documenting the hazard analysis results in a clear and concise manner and facilitating resolution of the unresolved hazards until they are closed.

An overview of the hazard identification and resolution process is depicted in Exhibit F-1.


Exhibit F-1: Hazard Identification and Resolution Process

STEP 1 – DEFINE THE SYSTEM
Define the physical and functional characteristics and understand and evaluate the people, procedures, facilities and equipment, and the environment

STEP 2 – IDENTIFY THE HAZARDS
Identify hazards and undesired events
Determine the causes of the hazards

STEP 3 – ASSESS THE HAZARDS
Determine severity
Determine probability
Decide to accept risk or eliminate/control

STEP 4 – RESOLVE THE HAZARDS
Assume risk or implement corrective action
Eliminate/control

STEP 5 – FOLLOW-UP
Monitor for effectiveness
Monitor for unexpected hazards

F-1.1 Step 1 – Define the System

The first step in the hazard identification and resolution process is to define the physical and functional characteristics of the system to be analyzed. These characteristics are considered in terms of the individual elements which make up the total system including: equipment and subsystems, procedures, people and the environment. A thorough knowledge and understanding of how individual system elements interface with each other is essential to the hazard identification effort.

F-1.2 Step 2 – Identify the Hazards

There are many methods which can be used to identify safety hazards. These methods include, but are not limited to the following:

Reviewing accident/incident data and experience from transit systems currently in operation, the National Transportation Safety Board (NTSB), and other investigative bodies

Design team expert opinion and knowledge of industry practice

Review of Project designs, engineering data, and drawings

Facility inspections during the construction, testing, and start-up phases to identify unsafe conditions

Observations of unsafe conditions and behaviors during pre-revenue testing

Conducting inductive or deductive analysis.

Two basic methods will be used to identify hazards: inductive and deductive processes. The inductive hazard identification process consists of an analysis of system components to identify their respective failure modes and the effects they will have on the total system. The analysis determines the conditions that could be created if a part of a subsystem fails to operate when required, operates when not required, or operates improperly. The deductive process, or "top down" methodology, involves defining an undesired event (hazard) and then deducing the combinations of conditions and acts necessary to produce that hazard. It involves determining what combinations of "and" and "or" conditions of normal and fault events must exist to produce the undesired event. The most effective of the inductive or deductive methods will be used as required by safety design criteria and requirements, technical specifications, contract documents, the SSCWG, or the SSRC.
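The deductive method described above, as an added example that is not part of the plan: the code derives the minimal combinations of basic events ("minimal cut sets") that produce a top event from its "and"/"or" structure. The fault tree and its door-related event names are constructed for illustration only.

```python
"""Minimal cut sets of a small fault tree (deductive, top-down analysis)."""
from itertools import product

# Constructed example tree, not taken from the plan. Hypothetical top event:
# "door-closed indication is given while a door is open".
# A gate is a tuple ("AND" | "OR", [children]); a string is a basic event.
DOOR_TREE = ("OR", [
    ("AND", ["door_sensor_stuck_closed", "door_obstructed"]),
    ("AND", [
        "interlock_relay_welded",
        ("OR", ["door_obstructed", "door_motor_fault"]),
    ]),
    ("AND", ["interlock_relay_welded", "door_obstructed",
             "operator_misses_indicator"]),
])


def cut_sets(node):
    """Return every cut set (frozenset of basic events) that triggers node."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        # Any single child's cut set is sufficient.
        return set().union(*child_sets)
    if gate == "AND":
        # One cut set from every child must hold at the same time.
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate type: {gate!r}")


def minimal_cut_sets(node):
    """Drop any cut set that strictly contains another one (absorption)."""
    all_sets = cut_sets(node)
    minimal = [s for s in all_sets if not any(other < s for other in all_sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def single_points_of_failure(node):
    """Basic events that produce the top event on their own."""
    return sorted(next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1)


def occurs(node, failed):
    """Evaluate the tree directly for a given set of failed basic events."""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    results = [occurs(child, failed) for child in children]
    if gate == "AND":
        return all(results)
    if gate == "OR":
        return any(results)
    raise ValueError(f"unknown gate type: {gate!r}")


if __name__ == "__main__":
    for cut in minimal_cut_sets(DOOR_TREE):
        print(" AND ".join(sorted(cut)))
    print("single points of failure:", single_points_of_failure(DOOR_TREE))
```

The three-event branch disappears from the result because it is absorbed by the two-event set it contains, which is what makes the list usable for deciding where a single added control removes the most combinations.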

Hazard analysis techniques used for the Project will include but are not limited to the following:

Preliminary Hazard Analysis (PHA) – the initial hazard analysis technique used during the system or subsystem design phase. The PHA is used to identify safety critical areas within the system, evaluate hazards, and begin to consider safety design criteria. The PHA establishes the basis for the safety criteria in design, equipment, and performance specifications. The PHA may be used for subsequent hazard analyses to be performed. An example of a hazard analysis worksheet is provided in Appendix G.

System/Subsystem Hazard Analysis (SHA/SSHA) – an expansion of the PHA, identifying design hazards in components and subsystems of a major system. SHA/SSHA is used to determine the functional relationships between the components and equipment based solely on safety considerations and also identifies all components and equipment in which a functional failure could result in a hazardous condition or accidental loss.

Operations Hazard Analysis (OHA) – performed to identify and analyze hazards associated with personnel and procedures, training, maintenance, operations, and emergencies during System operation. OHA will be conducted on all tasks and human actions, including omission and commission, by persons interacting with the systems, subsystems, and assemblies, at any level.


Failure Modes, Effects, and Criticality Analysis (FMECA) – an inductive analysis used to identify equipment failures. It evaluates a system or subsystem to identify possible failures of each individual component in the system. The results or effects of the subsystem and component failures are then classified according to severity and probability.

Fault Tree Analysis – a representation of the deductive method, used to provide a concise and orderly description of the various combinations of possible occurrences within a system or subsystem that can result in an undesired event.

Software Safety Analysis (SSA) – a method used to evaluate software design; related software and hardware documentation will be reviewed for safety-critical software-controlled functions. The analysis will review software and hardware failures that could result in unsafe conditions.

F-1.3 Step 3 – Assess the Hazards

A risk assessment determines the acceptability of assuming the risk and involves two primary steps: evaluating hazard severity (categorizing the hazard) and evaluating hazard probability. A hazard severity rating will be assigned to a hazard based on the definitions in MIL-STD 882D. It is a subjective determination of the worst case that could be anticipated to result from human error, design inadequacies, component failure, or malfunction. The categorization of hazards will be consistent with risk-based criteria for severity; it reflects the principle that not all hazards pose an equal amount of risk to safety. The Project will follow these criteria, as do most transit agencies and the NTSB. Hazard severity categories are provided in Exhibit F-2. The results of these risk assessments will be presented at the SSCWG meetings. All new hazards added to the HTL will be introduced at these meetings to provide clarification and begin discussion on potential mitigation efforts to reduce the final HRI to an acceptable level as outlined in Section F-1.4.


Exhibit F-2: Hazard Severity Categories

HAZARD SEVERITY CATEGORIES

| Description | Category | Definition |
|---|---|---|
| Catastrophic | I | Death, system loss, or severe environmental damage |
| Critical | II | Severe injury, severe occupational illness, major system or environmental damage |
| Marginal | III | Minor injury/occupational illness, or minor system or environmental damage |
| Negligible | IV | Less than minor injury, occupational illness, or environmental damage |

A probability of occurrence level will be assigned to each identified hazard based on the likelihood of its occurrence during the life of the System. A qualitative hazard probability can be derived from research, analysis, and historical safety data from similar transit systems. Hazard probability levels are shown in Exhibit F-3.

Exhibit F-3: Hazard Probability Levels

HAZARD PROBABILITY LEVELS

| Description | Level | Within Specific Individual Items | Within a Fleet or Inventory |
|---|---|---|---|
| Frequent | A | Likely to occur frequently. MTBE* is less than 1000 operating hours. | Continuously experienced |
| Probable | B | Will occur several times in life of an item. MTBE is equal to or greater than 1000 operating hours and less than 100,000 operating hours. | Will occur frequently |
| Occasional | C | Likely to occur sometime in life of an item. MTBE is equal to or greater than 100,000 operating hours and less than 1,000,000 operating hours. | Will occur several times |
| Remote | D | Unlikely but possible to occur in life of item. MTBE is greater than 1,000,000 operating hours and less than 100,000,000 operating hours. | Unlikely but can reasonably be expected to occur |
| Improbable | E | So unlikely it can be assumed occurrence may not be experienced. MTBE is greater than 100,000,000 hours. | Unlikely to occur, but possible |

*MTBE = Mean Time Between Events


A risk assessment determines the acceptability of assuming the risk associated with a hazard. It enables understanding the risk in relation to the costs that may be incurred (i.e., dollars or operational impact). The risk assessment matrix combines the severity and probability of the hazard and quantifies the necessity for implementing corrective measures to reduce the hazard to an acceptable level. The Project will use this matrix to prioritize hazardous conditions and to focus resources on the most serious hazards requiring resolution. The results of the assessments will be documented and presented to the SSRC for review and acceptance. The Hazard Risk Assessment Matrix is provided in Exhibit F-4.

Exhibit F-4: Hazard Risk Assessment Matrix

| PROBABILITY OF OCCURRENCE / HAZARD SEVERITY | I Catastrophic | II Critical | III Marginal | IV Negligible |
|---|---|---|---|---|
| (A) Frequent | IA | IIA | IIIA | IVA |
| (B) Probable | IB | IIB | IIIB | IVB |
| (C) Occasional | IC | IIC | IIIC | IVC |
| (D) Remote | ID | IID | IIID | IVD |
| (E) Improbable | IE | IIE | IIIE | IVE |

The Hazard Risk Index value determines the specific level of action. A hazard with a risk index of "Unacceptable" will not be permitted and must be eliminated, controlled, or reduced to an acceptable level. Hazard Risk indices and the associated Risk Decision Acceptance Criteria are provided in Exhibit F-5.

Exhibit F-5: Risk Decision Acceptance Criteria

| HAZARD RISK INDEX | ACCEPTANCE CRITERIA |
|---|---|
| IA, IB, IC, IIA, IIB | Unacceptable |
| IIIA, IIIB, IIC, ID | Undesirable—Requires ED-CEO review |
| IVA, IVB, IIIC, IID, IIID, IE, IIE, IIIE | Acceptable with SSRC review |
| IVC, IVD, IVE | Acceptable without review |


F-1.4 Step 4 – Resolve the Hazards

The Hazard and Risk Resolution process involves the analysis and corrective action taken to reduce the risk associated with an identified hazard to the lowest practical level. The order of precedence for satisfying system safety requirements and resolving identified hazards is listed below:

Design for Minimum Risk—Design new facilities and equipment to eliminate hazards. If an identified hazard cannot be eliminated, its associated risks must be reduced to an acceptable level (see Hazard Risk Index) through the design selection.

Use of Safety Devices—In the event that an identified hazard cannot be eliminated or its associated risk cannot be reduced through design selection, that risk must be reduced to an acceptable level through the use of protective safety features or devices. Provision must be made and procedures must be issued for periodic inspection and functional checks of safety devices.

Warning Devices—When neither design nor safety devices can effectively eliminate identified hazards or reduce risk to an acceptable level, warning devices must be used to detect the condition and produce an adequate warning signal to alert individuals to the hazard. Warning devices should be standardized to minimize the probability of incorrect reaction of personnel to these warning signals.

Develop Special Procedures and Training—When it is impossible or impractical to eliminate hazards through design selection or adequately reduce their associated risks through safety or warning devices, then approved procedures and special training programs must be used. Procedures may include the use of personal protective equipment. Precautionary notations and warning signs must be standardized. Employees who perform safety-critical tasks require certification of proficiency and periodic recertification.

Typically, hazards are controlled by more than one corrective method. The use of the terms warning, caution, and other forms of written advisories to control Severity Category I (Catastrophic) and Category II (Critical) hazards will be carefully reviewed to assure that no other additional countermeasures are necessary.

F-1.5 Step 5 – Follow-up

The last step in the hazard identification and resolution process is follow-up. The Project Team will monitor the effectiveness of recommended countermeasures and assure that new hazards are not introduced as a result. The Project Team will utilize a hazard tracking system to track hazards to closure and reopen hazards if necessary. To further assure awareness and tracking of open hazard items, the Project Team will utilize CMS to create internal Requests for Information (RFIs) to address each hazard with the responsible HART Project Team. The RFI will remain open until an acceptable mitigation/resolution is attained/implemented. This system allows for a complete history of the resolution process.

In the event there are design changes, deviations, or other changes to the elements of the system being analyzed, a new hazard analysis may be conducted to identify and resolve any potential new hazards.

The safety and security certification process will assure that identified safety hazards have been eliminated or their risks reduced to an acceptable level prior to revenue service.

F-2. Security Vulnerability Management Process

Planning in advance of day-to-day transit crimes, a terrorist act, or other security incident is essential in providing transit patrons and employees with a safe and secure environment. A breach in security may result in serious injuries or death, destruction of property and facilities, and the inability to continue transit operations to the region. HART has conducted a Threat and Vulnerability Assessment (TVA), Revision 1.0, October 22, 2014, and will continue to update it as required to identify and resolve security vulnerabilities. The following section describes the security vulnerability management process used by HART. This methodology is based on the guidelines of the FTA Security and Emergency Preparedness Planning Guide, Final Report, January 2003.

F-2.1 Asset Identification and Analysis

Project assets are defined as people (e.g., passengers, employees, contractors, visitors, surrounding communities, etc.), information (e.g., operations and maintenance procedures, computer network information, passwords and facility access codes), and property (e.g., stations, vehicles, buildings, communications systems, etc.). Asset analysis enables the Project Team to quantitatively and qualitatively evaluate assets, thereby determining which are of most significance to the completed System. By identifying key assets, the Project Team will be able to direct its resources towards hardening security at critical locations. The security threat and vulnerability worksheet utilized to perform the TVA is provided in Appendix H. The range of key assets for the Project is detailed in the TVA and is considered Sensitive Security Information (SSI).

Assets will be prioritized in terms of criticality. The most weight will be given to those assets that present the greatest threat to life safety or service disruption if attacked. In making this determination, consideration will be given to the following:

Impact on patrons, transit employees, and emergency responders

Impact on System operations

Economic value of the asset, including current and replacement value


Intrinsic value of the asset to a potential adversary

Asset location relative to other critical assets

F-2.2 Threat and Vulnerability Identification and Analysis

Threat analysis, as described by the FTA, is a process which enables transit systems to "define the level or degree of the threats against a facility by evaluating the intent, motivation, and possible tactics of those who may carry them out." Vulnerability analysis is described by the FTA as a process that can be used by transit systems to identify "specific weaknesses with respect to how they may invite and permit a threat to be accomplished."

HART will utilize these analysis methods to identify and evaluate the security-related risks within the operating environments and surrounding communities of the System. The process may, at times, require the involvement of outside parties including Federal, State, and local law enforcement and emergency response agency representatives, and/or security experts. The primary forum for coordinating and addressing these issues will reside with the FLSWG. The entire process involves gathering and evaluating relevant information including, but not limited to:

Security practices, protocols, crime deterrents, and other countermeasures currently in place within the City including an evaluation of their effectiveness

Historical data pertaining to past security breaches and other security-related incidents directed towards the City or towards other similar systems

Crime rate data in the communities and areas surrounding the System

Site layout information such as the ease of accessibility, location of incoming utilities, hazardous storage materials locations, types of building construction, levels of lighting, etc.

Existing criminal or terrorist threats that may be present within the Project's operating environment or which may be directed towards the surrounding communities that may impact the System

The response capabilities of the City and emergency responders such as police, fire, and emergency rescue personnel

The majority of crimes committed do not pose a physical threat to passengers but may erode passengers' sense of security and make passengers feel intimidated. Exhibit F-6 shows possible crimes that may be committed on transit property.


Exhibit F-6: General Crime Categories

| Crime Category | Crime Types within Category |
|---|---|
| Crimes against persons | Pick-pocketing, purse snatching, assault, rape, homicide, robbery, terrorism |
| Crimes against property | Arson, vandalism, graffiti, burglary, motor vehicle theft, theft from automobiles, sabotage, terrorism |
| Other crimes committed on transit property | Drug dealing, drinking, prostitution and sex offenses, disorderly conduct, aggressive behavior, intimidation, panhandling, loitering, fare evasion, trespassing |

HART is responsible for FTA reporting and record-keeping of security data and information involving future rail operations. HART collects, analyzes, and monitors trends in crime statistics to identify criminal behavior patterns. HART also receives security threat and crime intelligence through other law enforcement sources, including the Hawaii Joint Terrorism Task Force, the State of Hawaii Department of Public Safety, DHS, TSA, and other intelligence sources. The threat analysis will define the level or degree of threats against the System.

F-2.3 Scenario Analysis

Once key assets, potential threats, and system vulnerabilities have been identified, threat scenarios can be developed to evaluate the types of potential attacks and outcomes that may be waged against and experienced by the System. The scenario analysis process combines information gained through the previous analyses of assets, threats, and vulnerabilities. The scenario analysis development process is depicted in Exhibit F-7 below.

Exhibit F-7: Scenario Development

[Figure: scenario development diagram; surviving labels: Asset, Threat, Scenario]

Risk is expressed as a function of the ease of a given threat exploiting a given vulnerability (see Exhibit F-8) and the magnitude of the impact should a threat successfully exploit the vulnerability (see Exhibit F-9).


Exhibit F-8: Vulnerability Levels

SECURITY VULNERABILITY LEVELS

| DESCRIPTION | LEVEL | SPECIFIC GUIDANCE |
|---|---|---|
| Very Easy | A | Very easy to access area or affect function undetected. |
| Easy | B | Relatively easy to access area or function, no significant barriers to prevent. |
| Difficult | C | Difficult to access area or function, various barriers in place. |
| Very Difficult | D | Very difficult to access area or function, barriers very difficult to overcome. |
| Too Difficult | E | Extremely difficult and cumbersome to access area or function. No history of incursion or attempted incursion. |

Exhibit F-9: Threat Impact Categories

THREAT IMPACT CATEGORIES

| DESCRIPTION | CATEGORY | PERSONNEL | SERVICE DISRUPTION | DOLLARS LOST |
|---|---|---|---|---|
| Catastrophic | I | Loss of life | System loss; long term (6 months or more) shutdown of line | Above $1M |
| Critical | II | Injury; serious occupational illness | Line loss for <6 months; loss of critical equipment | $250K to $1M |
| Marginal | III | Minor injuries or illness (no lost work days) | Line loss <1 hr.; car loss <5 days | Below $250K |
| Negligible | IV | No injury or illness | No service loss | No dollars lost |


Each threat scenario is then evaluated to determine its likelihood and severity of occurrence, giving consideration to the extent of identified threats and vulnerabilities, and the level of risk associated with its occurrence. The criticality of an asset being attacked is finally expressed as High, Serious, or Low as shown in Exhibit F-10.

Exhibit F-10: Security Criticality Matrix

SECURITY CRITICALITY MATRIX

| VULNERABILITY / CATEGORIES | I Catastrophic | II Critical | III Marginal | IV Negligible |
|---|---|---|---|---|
| (A) Very Easy | High | High | Serious | Serious |
| (B) Relatively Easy | High | High | Serious | Low |
| (C) Difficult | High | Serious | Low | Low |
| (D) Very Difficult | Serious | Low | Low | Low |
| (E) Too Difficult | Serious | Low | Low | Low |

The Security Criticality Matrix value determines the specific level of action. Security vulnerabilities ranked as "High" will not be permitted and must be eliminated or mitigated. Security Vulnerability Acceptance Criteria are provided in Exhibit F-11.

Exhibit F-11: Security Vulnerability Acceptance Criteria

| VULNERABILITY INDEX | ACCEPTANCE CRITERIA |
|---|---|
| IA, IB, IC, IIA, IIB | Vulnerability must be mitigated |
| ID, IE, IIC, IIIA, IIIB, IVA | Vulnerability should be mitigated if within possible fiscal constraints |
| IID, IIE, IIIC, IIID, IIIE, IVB, IVC, IVD, IVE | Vulnerability is acceptable with review by HART |
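The tables in Exhibits F-3, F-5, F-10 and F-11 can be checked mechanically; the following is an added example, not HART's own tooling. It verifies that each acceptance-criteria table assigns every matrix cell exactly once, that Exhibit F-10 agrees with Exhibit F-11, and derives a hazard risk index from an MTBE figure. Two assumptions are made: an MTBE of exactly 1,000,000 or 100,000,000 hours, which Exhibit F-3 leaves unassigned, goes to the more frequent level, and "Serious" and "Low" are taken to correspond to the second and third rows of Exhibit F-11.

```python
"""Consistency checks for the risk tables in Exhibits F-3, F-5, F-10, F-11."""
SEVERITIES = ["I", "II", "III", "IV"]
LEVELS = ["A", "B", "C", "D", "E"]

# Exhibit F-5: acceptance criterion -> hazard risk indices.
HAZARD_CRITERIA = {
    "Unacceptable": "IA IB IC IIA IIB",
    "Undesirable: requires ED-CEO review": "IIIA IIIB IIC ID",
    "Acceptable with SSRC review": "IVA IVB IIIC IID IIID IE IIE IIIE",
    "Acceptable without review": "IVC IVD IVE",
}
# Exhibit F-11: acceptance criterion -> vulnerability indices.
SECURITY_CRITERIA = {
    "Vulnerability must be mitigated": "IA IB IC IIA IIB",
    "Vulnerability should be mitigated if within possible fiscal constraints":
        "ID IE IIC IIIA IIIB IVA",
    "Vulnerability is acceptable with review by HART":
        "IID IIE IIIC IIID IIIE IVB IVC IVD IVE",
}
# Exhibit F-10: vulnerability level -> rating per impact category I..IV.
CRITICALITY = {
    "A": ["High", "High", "Serious", "Serious"],
    "B": ["High", "High", "Serious", "Low"],
    "C": ["High", "Serious", "Low", "Low"],
    "D": ["Serious", "Low", "Low", "Low"],
    "E": ["Serious", "Low", "Low", "Low"],
}
# Assumption of this example: the F-10 rating each F-11 criterion stands for.
# The plan itself only ties "High" to mandatory mitigation.
RATING_OF = dict(zip(SECURITY_CRITERIA, ["High", "Serious", "Low"]))


def by_index(criteria):
    """Invert a criteria table into {index: criterion}."""
    return {cell: name
            for name, cells in criteria.items() for cell in cells.split()}


def partition_problems(criteria):
    """Report matrix cells that a criteria table misses, repeats or invents."""
    expected = {sev + lvl for sev in SEVERITIES for lvl in LEVELS}
    seen, duplicated = set(), set()
    for cells in criteria.values():
        for cell in cells.split():
            (duplicated if cell in seen else seen).add(cell)
    return {
        "missing": sorted(expected - seen),
        "duplicated": sorted(duplicated),
        "unknown": sorted(seen - expected),
    }


def criticality_mismatches():
    """Cells where Exhibit F-10's rating disagrees with Exhibit F-11."""
    criterion_for = by_index(SECURITY_CRITERIA)
    bad = []
    for lvl, ratings in CRITICALITY.items():
        for sev, rating in zip(SEVERITIES, ratings):
            if RATING_OF[criterion_for[sev + lvl]] != rating:
                bad.append(sev + lvl)
    return bad


def probability_level(mtbe_hours):
    """Map MTBE (operating hours) to an Exhibit F-3 probability level.

    F-3 leaves exactly 1,000,000 h and 100,000,000 h unassigned; this
    example (assumption) places them in the more frequent level.
    """
    if mtbe_hours <= 0:
        raise ValueError("MTBE must be positive")
    if mtbe_hours < 1_000:
        return "A"
    if mtbe_hours < 100_000:
        return "B"
    if mtbe_hours <= 1_000_000:
        return "C"
    if mtbe_hours <= 100_000_000:
        return "D"
    return "E"


def hazard_decision(severity, mtbe_hours):
    """Return (hazard risk index, acceptance criterion) per F-4 and F-5."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity category: {severity!r}")
    index = severity + probability_level(mtbe_hours)
    return index, by_index(HAZARD_CRITERIA)[index]


if __name__ == "__main__":
    print(partition_problems(HAZARD_CRITERIA))
    print(partition_problems(SECURITY_CRITERIA))
    print(criticality_mismatches())
    print(hazard_decision("II", 500_000))  # constructed sample input
```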


F-2.4 Countermeasure Development

Countermeasures and corrective actions are developed at the completion of the analysis processes to eliminate or mitigate identified security threats and vulnerabilities. Effective countermeasures will typically include mutually supporting engineering and administrative elements. Examples of engineering countermeasures include:

Installing physical barriers designed to reduce the asset's vulnerability to unauthorized access, explosive, or other incendiary attacks

Installing integrated intrusion detection and alarm systems throughout key facilities

Installing chemical, biological, radiological and/or nuclear detection devices at facility and station locations.

Administrative countermeasures include:

Increasing the frequency of security patrols at key asset locations

Increasing security-related training to improve the abilities of employees to identify suspicious packages or activities

Conducting tabletop exercises and emergency drills involving security-related scenarios

Developing working groups and information exchange committees with local law enforcement and emergency response agencies.

During the development of countermeasures, consideration will be given not only to the initial costs of procurement and implementation, but also to the associated maintenance costs and expected level of effectiveness at eliminating or controlling the threat and/or vulnerability. Cases where conditions may be exacerbated, such as special events, will be taken into account. During these conditions, ridership is likely to be greater than normal and may impact the effectiveness of the countermeasure.

To assure awareness and tracking of vulnerabilities, the Project Team will utilize CMS to create internal Requests for Information (RFIs) to address each vulnerability with the responsible HART Project Team member(s). The RFI will remain open until an acceptable mitigation/countermeasure is attained/implemented. This system allows for a complete history of the resolution process.

The safety and security certification process will assure that identified security vulnerabilities have been eliminated or reduced to an acceptable level prior to revenue service.

Appendix G: Safety and Security Certification Worksheets

Exhibit G-1: Hazard Analysis Worksheet

HONOLULU RAIL TRANSIT PROJECT

HAZARD ANALYSIS WORKSHEET

SYSTEM:

SUBSYSTEM:

HA NO.:

REV NO.:

SHEET _ OF _

| PERFORMED BY: | DATE: |
|---|---|
| REVIEWED BY: | DATE: |
| APPROVED BY: | DATE: |

| GENERAL DESCRIPTION | | HAZARD CAUSE/EFFECT | | INITIAL HAZARD INDEX | | CORRECTIVE ACTION | | RESIDUAL HAZARD INDEX | |
|---|---|---|---|---|---|---|---|---|---|
| No. | Hazard Description | Potential Cause | Effect on Subsystem/System | Severity | Probability | Possible Controlling Measures and Remarks | Resolution | Severity | Probability |

Exhibit G-2: Threat and Vulnerability Assessment Worksheet

HONOLULU RAIL TRANSIT PROJECT

THREAT AND VULNERABILITY ASSESSMENT WORKSHEET

Asset:

TVA Item No.

Rev No.

| Prepared by: | Date: |
|---|---|
| Reviewed by: | Date: |
| Approved by: | Date: |

| Potential Threat | Target | Tactical Delivery Device | Potential Effects | Initial Security Vulnerability Index | Potential Countermeasures | Residual Security Vulnerability Index |
|---|---|---|---|---|---|---|
| | | | | | | |

Appendix H: Safety and Security Certification Progress Reports

Exhibit H-1: Design Criteria Conformance Checklist Status Report

Exhibit H-2: Certification Documents Status Report

Key HART S&S Certification Documents Update & Approval Status

| S&S Project Plans, PHAs, Core Systems SSHA and O&SHA, and TVA Documents | Revision # | Date Approved | Comments |
|---|---|---|---|
| Safety and Security Management Plan (SSMP) | | | |
| Safety and Security Certification Plan (SSCP) | | | |
| WOFH SSCP | | | |
| Construction Safety and Security Plan (CSSP) | | | |
| Security Sensitive Information (SSI) Plan | | | |
| Project Preliminary Hazard Analysis (PHAs) | | | |
| - MSF – Yard and Shop | | | |
| - Alignment | | | |
| - Tracks | | | |
| - Stations | | | |
| - Traction Power | | | |
| - Train Control | | | |
| - Vehicles | | | |
| - Communications | | | |
| Core Systems Contract (CSC) PHAs (DBOM) | | | |
| - Central ATC O&SHA | | | |
| - Wayside ATC SSHA | | | |
| - Wayside ATC O&SHA | | | |
| - Wayside/ATC SHA | | | |
| - SCADA O&SHA | | | |
| - SCADA SSHA | | | |
| - Vehicle Fire Hazard Analysis (FHA) | | | |
| - Vehicle SSHA | | | |
| - Vehicle O&SHA | | | |
| - Vehicle/ATC SSHA | | | |
| - Vehicle/ATC O&SHA | | | |
| - TES SSHA | | | |
| - TES O&SHA | | | |
| - PSGS PHAs | | | |
| - PSGS O&SHA | | | |
| - PSGS SSHA | | | |
| - UPS O&SHA | | | |
| - Communications SSHA | | | |
| - Communications O&SHA | | | |
| - FDAS SSHA | | | |
| - FDAS O&SHA | | | |
| - MOW Support Vehicles O&SHA | | | |
| Threat & Vulnerability Assessments (TVAs) | | | |
| - Project TVA | | | |
