Professional Documents
Culture Documents
C uir
iti
R
us em
In
eq
to e
ts
m nt
en
te
er s
ra
m
pe
re
on
O
ui
se
eq
nt
R
Stage 1 Stage 6
to
of
O
n
pe
io
on es
at
ra
ce ign
in ce
D
fic
te
pt
st an
i
ec
ua
Te ept
g
C
e
Sp
om
pl
c
ci
Ac
pl
in
et
Pr
io
Stage 2 In Stage 5
n
C
al
er
ov
Te Des
tif
pr
ch ig
ic
Ap
ni n
at
st ms
ca
e
Te ste
e
g
l
in
t
ca
Sy
C
i
tif
on
er
se
C
Stage 3 Stage 4
nt
e
nc
to
ia
Te
pl
st
om
re
on
tu
C
st
ac
ru
uf
ct
an
io
n
M
or
reviewed by the Infrastructure Owner’s Asset In addition to the capability measures, the PPP also
Engineer and approved. mandates performance in respect of availability of
Atkins Rail has undertaken many projects at this assets and longevity of operational life. These
conceptual or preliminary design phase and in our requirements can more easily be related to the SCC.
view it is always worth reinforcing the distinction This paper also references a similar project that
between conceptual and detailed design. Engineers Atkins Rail has undertaken for Tube Lines, where we
are naturally drawn into detail; this must be resisted were responsible for developing the concept design of
as it leads to delays in the concept design stage and the communications systems for the Jubilee and
will commercially disadvantage the purchaser by Northern Line Upgrade Project SCCs. While the
restricting the scope of the design/build contractor. scope of this project was more constrained, the same
The approach described herein includes strategies that systematic approach was adopted and it fulfilled
are specifically designed to delay the onset of design exactly the same lifecycle stage as in the VLU SCC
work, thereby providing increased time to understand Concept Design.
the whole problem prior to the onset of more detailed The final example that we will use is the
thinking, whilst not increasing the overall project development of a detailed design for a very large
delivery timescale. computer-based supervisory control and data
The scope of the VLU SCC project is to build a acquisition (SCADA) system. The system in
new SCC and equip it to meet the operational and question provides a business critical function for one
maintenance needs of the railway for the next 30-40 of the world’s largest airports. This final example
years. The concept design had to provide a demonstrates that the approach we have developed is
conceptual solution to the whole problem, which applicable to systems outside the railway industry and
could be subdivided into packages of work for further to different lifecycle stages.
design and development. The source of the business The structure of our paper mimics the overall
requirements for the project is the PPP contract. This make-up of the approach itself, which is shown
is a performance contract that defines the principal diagrammatically in Figure 2. The approach starts
driver for the line upgrade as an increase in line with a mobilisation phase, which is designed to
capability. The requirement is specified as a required ensure that all the necessary procedures, templates,
Journey Time Capability (JTC), which is measured in and tools are in place, and to ensure that all the team
minutes. It is a theoretical measure of the average members are given time to familiarise themselves
journey time of the average passenger, augmented with the project and the approach.
with a number of additional factors. JTC can be The second phase is requirements engineering.
related to traditional railway engineering measures This phase engages the whole team in identifying and
such as signalling headway and carriage (car) design classifying the requirements; this phase is crucial in
features. However, in respect of the SCC these the approach of embedding understanding of the
requirements essentially flow down to a requirement project’s objectives within the team. Depending on
to provide SCC functionality by a certain date; they the nature of the scope, the option development
do not provide measurable targets for SCC systems. phase is employed to a greater or lesser extent. The
Railway Systems Engineering in Action Page 2 of 9
Dr Jon Elphick and Mark Irving, Atkins Rail © Atkins Rail, 2006
Engineering
Mobilisation
Completion
Option Development
and Evaluation
Figure 2 The Generic Systems Approach
principle objective of this phase is to analyse the The amount of material and the detail provided
business requirements, and to identify and compare will vary between projects, depending on project
alternative solutions. The engineering phase is complexity, project novelty and, most importantly,
where the chosen option(s) is(are) developed to the staff involved.
produce a solution that is compliant with the whole From analysis of past projects, we have
spectrum of requirements and domain knowledge. identified four pillars on which a successful
The final phase facilitates the completion of the work systematic approach is built. It is our belief that
and the production of the client deliverables. many projects fail because one or more of these
The paper concludes with our reflections on the pillars is either weak or flawed in some way. We
approach, its successes and failures to date and where have developed procedures, tools and templates that
it goes from here. provide solid foundations in these four areas and
expedite the mobilisation phase. Our four pillars are:
MOBILISATION Planning and Integration – the Design
The key objective of the mobilisation phase is to Management Plan is the key planning tool, but to be
customise the generic approach to suit the specific effective it must be a ‘living’ document. In the
application, and to ensure that this is documented and projects we are presenting here, the DMP was used
that all the necessary tools and templates are easily throughout the project as a reference for the team.
available for the team. The primary vehicle we have We believe that one of the key drivers for this was
adopted for this is a document called the Design that it combined processes, practical procedural
Management Plan (DMP); this might also be called a instructions and project specific milestones that were
Systems Engineering (management) plan, an actively measured by the project management team.
assurance plan or (perhaps 10 years ago) a quality This caused all members of the team to need to refer
assurance plan. to it on a regular basis.
The DMP must be simple and straightforward; The DMP also forced an integrated approach
the authors strongly advocate that clear, easy-to- between engineers, human factors specialists,
understand plans and procedures will facilitate sound operations and maintenance experts. This was
decisions. The documents we have developed to date achieved by insisting that there would be one plan
have generally included the following: listing all the key project phases and deliverables; all
• Project remit and background those involved were forced to use the same language
• Project organisation and team member and to explain their tasks in the context of this
responsibilities framework.
• Project activities during each project phase Information Management – the design
and a list of deliverables for each phase management plan sets out an overall information
• Level 1 programme (a structured work model (see Figure 3), which is used to explain the
breakdown structure of 30-50 activities) relationship between all the information collected and
• Descriptions of the specific management produced. This is critical to enabling consistency of
processes that will be employed for the understanding within the team. The model is
project; e.g. design review process, issues supported by a number of simple, effective
management process, configuration control, procedures that are employed to manage all
document management, etc. Appendices documents and information received and issued. It is
support management processes as necessary, also important that appropriate tools are used to
in order to keep the main body of the support the management of information. The projects
document to an easily manageable size (we presented here successfully used Atkins iProNET, a
suggest less than 30 pages). This also web based collaborative working environment, to
facilitates reuse of procedural, project manage all documentation passed between parties;
independent material. the tool supports configuration management and
Railway Systems Engineering in Action Page 3 of 9
Dr Jon Elphick and Mark Irving, Atkins Rail © Atkins Rail, 2006
Issues ADC
Register Register
Triage Requirement
Documentation
Register Tags
Final Design
Documents
Source
Rationale/
Argument
Analysis
Option
Taxonomy Hazard
Register
provides a single source of truth for project Risk Management – we followed Yellow Book
information. (UK Rail Industry, 2000) principles for managing
We also used Telelogic’s DOORS™ both safety-related and project related risk,
requirements management database to store all the employing a simple hazard register in which we
requirements information and to link it with recorded both safety and non-safety hazards. The
information and documentation generated by the process is anchored with two formal design risk
project. DOORS™ has proven very effective in the workshops, but hazards can be identified at any time
capture and management of the link information, in the project. Hazards are managed in DOORS in
which is then employed as a basis for the assurance the same way as requirements, allowing us to
case for the final design. It has also delivered cost demonstrate the design steps that have been taken to
savings as a result of the speed and accuracy it mitigate hazards, thus supporting the analysis of
affords the process of editing and reissuing residual risk
documentation.
Communication – is an obvious requirement of REQUIREMENTS ENGINEERING
any project, and yet not maintaining a consistent The Requirements Engineering phase of any
understanding of the current position of the whole project must organise the morass of project
project is a recurring cause of failure. Our approach requirements into an ordered set. Traditionally this
to communications during the projects presented here phase takes a great deal of time and produces a set of
was two fold. well formed, atomic requirements – the foundation
Firstly, to establish and monitor clear project for the engineering to come. This work is often
targets; this started with the overall deliverable undertaken by specialists and frequently runs in
milestones in the DMP and was supported by parallel with early design work, justified either on the
additional metrics and targets that were developed basis of programme, or because of attitudes such as
during the projects. ‘this is the way it has always been done’ and ‘we
Metric collection and analysis were key drivers know the solution the systems engineers will arrive
during a weekly telephone conference, which was at’. We have taken a different approach.
structured to allow all team members an opportunity We consider it essential to engage all of the
to describe progress made, what problems they had engineers in a process that allows them to begin to
encountered and what they were planning to do next. become familiar with the requirement source
This forum provided an ideal opportunity for team documentation – with all its foibles – and tease out
members to share ideas. This encouraged teamwork the fundamental requirements that will drive the
and helped to avoid the isolationist (silo) mentality design. In the projects presented here, we
that often leads to problems. encountered between 50 and 1500 requirement source
Secondly, the projects employed a number documents, including standards, user requirements,
registers to formally track issues, technical queries, operational concepts, operational procedures and
and ADCs (assumptions, dependencies and caveats). interface specifications. We also needed to dissuade
These simple tools were shared by all team members the team from jumping to solutions and at the same
and reviewed regularly, providing formal impetus for time identify where we needed to collect additional
individuals to communicate subjects of mutual material; be that requirements or domain knowledge.
interest. To address these objectives we have developed a
Railway Systems Engineering in Action Page 4 of 9
Dr Jon Elphick and Mark Irving, Atkins Rail © Atkins Rail, 2006
process called Triage, and a concept we call a triage questions. The process lends itself to the use of
Requirements Tag. metrics, which can be generated relatively easily to
track progress; our experience is that an individual
Triage
can Triage between 5 and 20 documents a day.
Triage is the name we have given to the process
The documents identified as containing business
of initially reviewing the source material, classifying
requirements are routed straight to the lead systems
and prioritising it (the name derives from the medical
engineer/systems architect, as these will be the key
procedure for the same purpose, albeit that the
drivers for the Option Development phase. Process
‘material’ is human casualties!). This process is
requirements are passed to the Project Manager, as
undertaken by the whole team, and we have found
these are requirements of the process we adopt to
that it is best kicked-off in a workshop environment
develop the design. In some cases the material will
where all the team members are physically co-
raise questions or issues; these are recorded and
located. Undertaking this initial exercise together
where necessary investigations undertaken. When
helps the team bond, ensures consistency and
additional material is uncovered it is fed into the
encourages cross-discipline questioning. There are
Triage Process. Importantly Triage avoids abortive
two key pre-requisites for the triage process:
time spent reviewing in detail irrelevant
• The scope of the problem/design/brief has to documentation.
be clearly stated and understood by all
participants. Requirement Tags
The concept of a requirements tag has evolved
• A system lifecycle has to be agreed and all from the observation of common practice among
participants have to clearly understand
engineers. When reading requirements source
where the scope is positioned on the
material we noticed that the most engineers employ a
lifecycle.
method of visually tagging important sections of the
The Triage process asks five questions about
document; methods vary but include corner folding,
each document (or triage item):
highlighting and post-it notes. The problem with
• Does it contain Business Requirements these methods is that they are typically not accessible
(viz. what the client wants the system to to other team members. The concept of a
achieve) that relate to the defined scope – requirement tag is a traceable, standard tag that is
Answer Yes/No? accessible to all and which conveys an agreed set of
• Does it contain System Requirements (viz. information about the material to which is relates.
what the system must actually do) that relate An important aspect of the requirement tag is
to the defined scope and lifecycle phase – that its scope is left to the engineer to define, based
Answer Lots/Some/None? on the material being tagged. That is to say that one
• Does it contain Process Requirements (viz. requirement tag may relate to one specific, well
how the project team should deliver its formed, atomic requirement; another requirement tag
remit) that relate to the defined scope and may relate to a whole group of requirements. The
lifecycle phase – Answer Lots/Some/None? former tag may point to one sentence, the latter to a
• Does it contain Domain Knowledge (viz. whole document. The engineer is trusted to decide
relevant facts about the environment into the level of granularity that is appropriate, in order for
which the system must integrate) that relate the requirement tag to sufficiently convey the totality
to the defined scope – Answer Yes/No? of that to which it points. However, in order to
achieve consistency between engineers, we have
• Does it contain requirements or domain found it necessary to employ a template (or
knowledge that relate to a later lifecycle boilerplate), which mandates the structure of each
phase – Answer Yes/No? tag.
This is all the information we collect during Initially, the business requirements are tagged
triage; be aware that there is a great temptation to and classified using an appropriate taxonomy; again it
collect more, but our experience has shown that is very tempting to launch into an exercise of system
additional information often proves worthless, as one requirement tagging, which can show great progress
does not really know what other questions to be in terms of measurable targets. However, our
asking at this initial stage. experience is that it is better to wait. In order to
This process requires that there is a strong design an appropriate classification for the system
document management process in place to register requirement tags (and domain knowledge), it is
and track all incoming documents. All documents are necessary to have a clearly defined and stable model
subject to triage by at least one team member; we of the system under design. This will come from the
have employed a process of randomly peer reviewing Option Development phase, which develops the
work to ensure we maintain consistency and system architecture based largely on the business
accuracy. The Triage process is relatively quick, as it requirements. Do not start tagging system
does not require the reviewer to read and digest every requirements until an appropriate taxonomy can
document in detail; the objective is to understand the be agreed based on the evolving system
content just enough to be able to answer the five architecture.
Railway Systems Engineering in Action Page 5 of 9
Dr Jon Elphick and Mark Irving, Atkins Rail © Atkins Rail, 2006
The system requirement tagging process will evaluated to select the optimum solution.
require the engineers to re-visit material that has been Finally, in the development of a detailed design
triaged. This is a necessary and deliberate step in the for a computer-based SCADA system, where we
approach. It may be that material is redistributed to a were introducing new technology, we augmented the
more appropriately skilled individual, but in many systems analysis with trials to evaluate specific
cases the same engineer who performed the triage aspects of performance that were critical to the option
will undertake the tagging. The approach forces selection.
engineers to become more familiar with the source In each case, as the solution options became
material and helps to ensure that designing does not clear, it was also possible to develop an appropriate
commence until all relevant information is known – model, which was used to design the requirement tag
this leads to improved quality of the resultant design. taxonomy. The process of revisiting the source
In the case of the SCADA system design, requirements documents to tag system requirements
initially it seemed that the Requirements Engineering and domain knowledge reinforces the design team’s
phase would be straightforward, as the client had understanding and provides the basis upon which the
presented a very structured set of project assurance case was built.
requirements. However, our approach soon The option development phase is formally
uncovered a host of additional and contradictory completed with a design risk review. This process is
requirements, which were tagged and managed. designed to achieve compliance with the UK Railway
Engineering Safety Management standard Yellow
OPTION DEVELOPMENT Book 3 (UK Rail Industry, 2000), employs a
The approach to this phase will vary significantly workshop to consider the selected design option and
depending on the scope and lifecycle phase of the identify both safety and non-safety hazards that are
work in question. The objective of this phase is to associated with the design. The hazards are noted
identify solution options and identify the one that will and, where appropriate mitigating actions taken in the
best deliver the required business requirements. Engineering phase.
However, successful evaluation also requires the
appropriate consideration of domain knowledge, key ENGINEERING
system requirements, human factors and safety. The Engineering phase is the engine room of the
The options developed at this stage are approach – this is the stage where the majority of the
necessarily conceptual – they must be expected to work is undertaken and when the main project
evolve as more is understood about the requirements deliverables are produced. The actual work
and the domain. The purpose is to develop an undertaken is not significantly different to that which
outline, which will guide and facilitate the design – a might be done if a more traditional approach were
straw man. It is important not to get bogged down in adopted. However, following a systematic
detail at this stage. methodology ensures that the design work is based on
Atkins Rail has employed this approach on a solid foundations.
number of projects in the last two years, and each has The necessary engineering processes will be
taken a different approach to the option development determined by the scope of the project; in recent
phase. The VLU SCC project was guided by a very projects this phase has included specialist
high level description of London Underground’s engineering/design; human factors analysis and
operational concepts. We modelled these concepts assessment; interface design; investigations and
using UML use-cases to provide a simple overview of surveys; prototype development and evaluation;
the services required. This overview was validated safety integrity level (SIL) assessment; migration
via peer review and then used as the basis for a planning; and reliability, availability and
conceptual model of the SCC. Through a process of maintainability (RAM) analysis.
workshops with key experts, the conceptual model The objective of this phase is to develop the
was used to develop a number of architecture options. selected option which best satisfies the identified and
We evaluated the optimum solution using a process tagged system requirements. The approach is
of systems analysis; the analysis considered system structured to allow the design to be subdivided at this
safety, human factors and the business requirements. stage, based on the requirement tag taxonomy
In 2004/05 we developed a concept design for employed. Typically the team will review the totality
the Jubilee and Northern Line SCCs – a project that of the requirement tags and domain knowledge that
was very similar to the VLU project in terms of relate to a particular subdivision, and begin to
scope. However, the option development phase was develop the necessary design. Additional work, such
very different. In this case a clear vision of the as a RAM or SIL analysis, is undertaken where
required systems architecture was already in place, necessary and the results fed into the overall system
and the dominant business requirement was the requirements.
migration from the existing systems to the new We used DOORS™ to provide formal
systems. In this case, we created a suite of simplified configuration control of the design and, crucially, it
schematics of the existing systems and developed allowed the design to be linked to the source
these to establish solution options with a requirement tags. The method we successfully
demonstrable migration path. Once again these were adopted for linking employed an ‘argument’ clause,
Railway Systems Engineering in Action Page 6 of 9
Dr Jon Elphick and Mark Irving, Atkins Rail © Atkins Rail, 2006
Consider the following Source Requirement Tags:
• Tag 1 (from a standard): Communications shall be provided (audio and data) from all Train Control
Centres to other Control Centres, and with emergency services and trains. Such communications shall
also be recorded.
• Tag 2 (from client contract): All incoming and outgoing telephone calls are recorded and the recording
tapes are retained.
• Tag 3 (from User Requirement document): Recording method must provide safe, secure protection for
the recorded data with no ability to modify, delete, edit the material except under formal authorised
methods.
• Tag 4 (from User Requirement document): For post incident review and operational training purposes,
all communications in and out of the Control Centre shall be recorded and the ability for selective
playback provided. Conversation within the Control Room shall also be recorded.
• Assumption: It is assumed that recorded material will be retained for a minimum of 28 days.
which provided rationale and aided understanding. review of the relevant requirement tags (system
As with the requirement tags we mandated that each requirements and domain knowledge). The design
argument follows a “boilerplate” to ensure that all the documentation is then drafted, using expert
arguments were consistent in structure. Each knowledge. Once this draft is complete the team
argument began with a sentence that referred to the return to the argument clauses and complete them as
requirement tags which it supported – in some cases appropriate. A separate exercise is then undertaken to
the requirement tag was self-explanatory and this review all of the requirement tags relevant to each
initial sentence was straightforward; in other cases it design subdivision to ensure that they are all
was necessary to provide more details of how the appropriately considered in the design
requirement tags had been interpreted. The body of documentation. This approach produced surprises for
each argument explained any assumptions, a number of experienced engineers who discovered
dependencies or caveats that were implicit in the aspects of the requirements that they had overlooked.
argument. Each argument stated if it was sufficient to Although it is not possible to quantify the full benefit
provide full compliance, or if it was just partially associated with the identification of these omissions
compliant and why. Finally, the argument provided so early in the design, it is clear evidence of the
an outline of the elements of the design to which it advantages of a systematic approach.
referred, thereby providing a comprehendible link to The quality of the assurance case is dependant on
the actual clauses in the design. An example of a the time spent in developing the argument clauses.
requirement tag, argument clause and design clause is Similarly, it has been shown that the quality of the
included in Table 1. design also improves with effort spent on the
The development of argument clauses for each argument clauses. However, in our view the limit of
requirement tag involved significant effort, but we this latter relationship is reached well before the
found it to be a very valuable exercise, which former. The team must estimate the value of
improved the quality of the engineering and provided improving the assurance case, beyond the point where
a robust assurance case. Project team members took significant design improvements are available, in
a number of approaches to the completion of design order to decide how much effort to expend on the
documentation and argument clauses; our experience argument clauses. In the case of the projects we are
suggests that the best approach is to first develop an presenting here, it is unlikely that the assurance case
outline of the design documentation based on a will be used beyond the Approval in Principle project
REFERENCES
London Underground Limited Chief Engineer’s
Directorate, New or altered assets – approvals
prior to bringing use, E1008 A4 Cat 1 Standard,
Oct 2002
UK Rail Industry, Engineering Safety Management
Yellow Book 3, 2000
BIOGRAPHY
Dr Jon Elphick BEng DPhil CEng MIET
Jon works with many of Atkins key clients
providing engineering expertise and strategic advice.
Within the last 4 years he has acted as lead systems
engineer and systems architect within projects for
Network Rail, BAA, Metronet and Tube Lines; he
has undertaken this role in the three projects referred
to in this paper. Prior to this, he has worked for
MetalBox, Westland Helicopters and Procter and
Gamble, and as a project manager delivering
industrial IT and process control systems. Jon
specialises in the implementation of Systems
Engineering in the rail industry, and delivering
business benefit from the accelerating convergence
between the IT and engineering.