The Concept of Safety Management in the Electromobility Development Strategy

Abstract

Safety monitoring provides the detection of changes in systems or operations that may suggest any case of approaching a point close to exceeding the acceptable safety standards and indicates whether corrective/prevention actions have been taken. Safety information should be maintained within the scope of transport undertakings to ensure safety and be communicated to all responsible staff, depending on each person’s function in the processes. Regulatory authorities should continuously monitor the implementation of safety management processes and the processes performed by road transport service providers. Safety management, therefore, requires investment in development and modernisation to meet market needs resulting from the mobility of residents, the growth of transport, and the obligations of countries resulting from the transport and environmental policy pursued by the European Union. Along with changes in the transport system, a need to assess their significance for the transport system’s safety arises. Depending on the transport mode (rail, air, water, road), the scope of standardised requirements is quite different each time. The paper analyses the legal requirements and acceptable practices for assessing the significance of the change in all transport modes and develops a standard method for assessing the significance of the change that meets all the requirements of electromobility safety management systems.

1. Introduction

The ‘Roadmap to a Single European Transport Area—Towards a competitive and resource-efficient transport system’ [1]), published in March 2011, contains a vision of the development of the European Union’s transport system until 2050, as well as a strategy for achieving its objectives. The scope included in the Report also involves the risk management process:

• in a situation when change in operating conditions or the introduction of new material (products or equipment) creates new hazards to infrastructure or business activity,
• management of changes to equipment, procedures, organisation, staff, or interfaces by entities in charge of maintenance,
• concerning links between transport entities and those interested in using the results and information in that field for safety management within the different transport sector links.

These requirements vary depending on the transport mode (air, rail, maritime, road), and the significance of introducing changes to the universal model is therefore assessed according to criteria drawn from the entire transport industry based on the research conducted [2].

Meeting the challenges of increasing energy demand, reducing mines, preventing environmental problems and pollution from transport, electric vehicles are becoming an alternative to conventional means of transport [3]. Many governments have initiated and implemented policies to stimulate and encourage the production and deployment of electric vehicles [4]. That is why electromobility poses many technical, economic, and social challenges today and creates new opportunities for meeting global needs for products and services [5].

The energy transformation is conducive to the development of renewable energy sources. The European Union, for instance, has set an emission threshold of 95 g CO₂ km⁻¹ for vehicles in 2020 and 2021 [6]. However, the intensified directions of energy production decentralization reveal new threats and challenges for electricity grid operators, increasing the quality and reliability of electricity flow regulation [7,8]. Numerous studies confirm that the problems of price, life, and cost of batteries and technological risks have a negative impact on the probability of choosing an electric vehicle [9,10]. However, another challenge is the security analysis of the electromobility market in urban use. High traffic, small amounts of private charging infrastructure, and high competition for charging points have a substantial impact on the level of safety [11].

Promoting sustainable mobility through the introduction of electric vehicles collides with insufficient knowledge and high uncertainty in technology, which may hinder the acceptance of these new forms of mobility [12]. The published analyses of customer choice preferences focused primarily on the advantages of electric vehicles. However, there are many uncertainties related to electric vehicles, including battery life, availability of a charging station (whether it is occupied by others if needed), depreciation, etc. Moreover, exploratory research confirmed the assumptions that these threats are the main barriers to the development of the electric vehicle market and drivers’ willingness to buy them [13,14]. Therefore, identifying threats to the implementation of electric vehicles may increase positive preferences in this regard [14].

For these reasons, the research objectives can be divided, due to their nature, into exploratory and explanatory purposes.

Exploration purposes of this publication include identifying areas for the analysis of threats resulting from electromobility development (Figure 1). On the other hand, the explanatory objectives include describing the impact of introducing changes on transport safety and identifying relationships between the identified hazards and safety level.

1.1. Air Transport

According to the Safety Management Manual (SMM) [15], change management is a formal process of managing changes within a company, carried out systematically. Changes that may affect identified hazards and risk mitigation strategies are considered before they are implemented. The aim is to describe a given organisation’s change management process that may affect safety risks and describe how such processes are integrated into the organisation.

Aviation organisations, including regulatory authorities, experience changes resulting from development or shrinkage and changes to existing systems, equipment, rules, programs, services, and regulations. Hazards may be inadvertently introduced into the aviation system whenever a change occurs. The existing underlying safety risk mitigation processes may also be affected. The existing safety management practices require the systematic identification of hazards arising from changes and the development, implementation, and subsequent assessment of safety risk management strategies. Sound management of the safety risks associated with change is a critical requirement of the State Safety Programme (SSP) and Safety Management System (SMS) [15]. The management of safety risks arising from changes should address the following three issues:

• Critical assessment of systems and activities. Criticality refers to the potential consequences of a safety risk, whether in the system design process or a system change situation. Changes in the equipment and activities associated with a higher degree of safety risk should be examined to ensure that the necessary corrective actions can be taken to control emerging safety risks;
• Stability of systems and operating environments. Changes can be planned and take place under the direct control of the organisation. Planned changes may involve the organisation’s growth or shrinkage and introducing new equipment, products, or services. Unplanned changes, including changes of an operational, political, or economic nature, may also pose different risks that require a mitigating response from the organisation. Examples where a system or environmental changes frequently occur require managers to update their risk management processes and relevant information more frequently than is the case in more stable situations;
• Operation in the past. The past operation of critical systems may be a reliable indicator of their future performance. In the safety process, trend analyses should be used to track the effectiveness of the safety measures applied over time, and then, in the event of a change in the situation, to include the information obtained for the planning of future actions. Also, when audits, assessments, data analyses, studies, or reports identify and address deficiencies, such information needs to be considered to ensure the effectiveness of corrective actions. As systems evolve, the number of changes may accumulate, which requires the introduction of changes to the original system description. Thus, to determine the continued validity of system descriptions and risk boundary analysis, change management requires periodic reviews. The procedure of change management in an organisation includes the requirement to perform a risk management process whenever a risk occurs.

Risk management requires the service provider to establish and maintain a formal process for identifying hazards that may contribute to safety-related incidents. Hazards may arise in continuous aviation activities or be unintentionally introduced into an operation when changes are made to the aviation system. In such a case, the identification of the hazard is an integral part of the management process. Aviation service providers are experiencing changes due to several factors, including ones other than those listed below:

• the growth or shrinkage of an organisation,
• changes to internal systems, processes, or procedures that support the provision of products and services, and
• changes in the operational environment of the organisation.

Changes may affect the validity or effectiveness of existing safety risk mitigation strategies. Besides, new hazards and associated safety risks can be introduced into an operation each time a change occurs without notice. Such risks should be identified so that the associated safety risks can be assessed and controlled. Change management should be a formal process that identifies external and internal changes that may affect the established practices, processes, and services. It uses an organisation’s existing risk management process to identify potential hazards to check for negative safety impacts. A change may introduce new hazards that may affect the appropriateness and effectiveness of the existing risk reduction [15].

1.2. Rail Transport

The Common Safety Method for risk estimation and evaluation applies to any changes to the railway system in a E.U. Member State that are considered significant [16]. ‘System’ means any element of the railway system that is subject to change. Such changes may be of a technical, operational, or organisational nature. In the case of organisational changes, only those changes that may affect operating conditions are considered. The Regulation also describes the approach when significant changes concern structural subsystems to which the Interoperability Directive applies. If no national rule has been notified to determine whether or not a change is significant in a given Member State, the petitioner assesses the potential impact of a given change on the railway system’s safety. A proposed change does not affect safety. There is no need to use a risk estimation and evaluation process. A proposed change affects safety. The petitioner uses their professional judgement to decide the significance of the change based on the following criteria [16,17]: effects of system failure, innovation, the complexity of the change, monitoring, and additionality.

The criteria for assessing and evaluating the individual areas of the significance of change depend on the petitioner, but they must be specified at the beginning of the process [18]. The system to be assessed (scope, functions, and interfaces) must also be clearly defined. If a change is considered significant, the entities must carry out a risk management process. Risk management following Regulation [16] means implementing management policies, procedures, and practices as part of risk analysis and monitoring tasks. The decision-making process concerning the significance of change rests with the petitioners because:

• it is not possible to establish harmonised thresholds or provisions based on which the significance of change can be decided to a given change,
• it is not possible to draw up an exhaustive list of significant changes,
• the decision cannot be valid for all petitioners and all technical, operational, organisational, and environmental conditions.

An assessment body carries out an independent assessment of the correct application of the risk management process, which is described in Annex I to the Regulation [19], and its results. The petitioner designates their own assessment body, which may be another organization or an internal department where that body has not already been designated in Community or national legislation. ‘Assessment body’ means an independent competent person, organisation or entity that carries out a study to assess, based on evidence, the ability of a system to meet the safety requirements applicable to it. The assessment body provides the petitioner with a safety assessment report. The responsibility related to the assessment body’s work requires a reassessment of hazard estimation and risk evaluation, and risk acceptance principles. Therefore, such work must be performed by experienced, industry-specific entities/persons. The risk acceptance principle means rules that are applied to conclude that the risk associated with a specific hazard is admissible or inadmissible.

In signaling-related systems, the binding document is EN 50129 Railway applications—Communication, signalling and processing systems—Safety related electronic systems for signalling [20]. EN 50126 applies to safety-related electronic systems for railway signalling applications. The document applies to the functional safety of systems. Functional safety of systems clearly can impact personnel safety, and there are other aspects of system design that can also affect occupational health and safety. Evidence should be provided in such cases to demonstrate either:

• that the equipment is not relied on for safety, or
• that the equipment can be relied on for those functions which relate to safety.

1.3. Maritime and Road Transport

Unlike air and rail transport, there are no clear indications and requirements for assessing the modal shift’s significance in maritime and road transport.

In the case of maritime transport, the ISM Code [21,22] obliges shipping companies to implement comprehensive solutions aimed at identifying dangerous situations, but above all, the establishment of preventive measures and protection against all possible hazards, thus ensuring the proper operation of the ship. Therefore, assessing the significance of change in maritime transport is part of a sound risk management process. Every shipping company should develop, implement, and maintain a Safety Management System that includes the following functional requirements:

• safety and environmental protection policy,
• instructions and procedures to ensure the safe operation of ships and environmental protection following relevant international and flag State legislation,
• defined levels of authority and lines of communication between, and amongst, shore and shipboard personnel,
• procedures for reporting accidents and non-conformities with the provisions of this Code [21],
• procedures to prepare for and respond to emergencies,
• procedures for internal audits and management reviews.

Therefore, the Safety Management System for maritime transport, despite its specific framework and the conditions in the procedures, should make it possible to take appropriate action on a case-by-case basis, going beyond the established framework for emergency actions. Each change and incident brings a new element integrating the system as a compatible and coherent whole.

Of all transport modes, this is the most dangerous and socially costly mode, and at the same time, road transport is more commonly used in passenger transport (road accidents account for about 95% of all transport accidents). Road safety is covered in the Polish legislation in a manner inadequate to the problem. The primary document concerning road safety is the Road Traffic Law Act [23]. There are also many other legal provisions related directly or indirectly to the system. Unfortunately, the current provisions are scattered, not precise enough, or not adjusted to the changing external conditions. First, it is necessary to regulate issues related to introducing a stable system of financing road safety and an integrated rescue system (The National Road Safety Programme 2013–2020). Another important aspect is the process-based approach to safety management (as is the case in air, rail, and maritime transport) in public (collective) transport.

The ISO 26262 standard covers designing, developing, and manufacturing a product in the automotive industry [24]. Processes designed and implemented by the requirements of ISO 26262 eliminate unwanted risks and hazards by focusing on the functional safety of the product. It is achieved by minimizing all unacceptable risks and threats by applying a risk-based approach throughout the product life cycle: from the conceptual stage to production and operation through design and development. The central concept is that any component’s failure does not endanger those inside or outside the vehicle. The driver must be able to stay in control of the situation. The starting point is the risk identification, while the measures that will then be applied and the actions are taken depend on the Automotive Safety Integrity Level (ASIL) classification of a given component.

Risk management in road transport is still at an early stage of development, and there are no uniform standards yet, unlike those for other modes of transport except ISO 26262 used by car manufacturers. Nevertheless, risk management elements can be found as a tool to support decision-making at different levels of management, e.g., in: [15,21,25,26,27,28]:

• road infrastructure management: planning, design and operation of road tunnels, road infrastructure safety management, road network planning, and road safety audits,
• traffic management: road network, traffic management automation,
• managing the transport of passengers and goods by road: transport of dangerous goods, occupational risks in road transport companies, and risks in collective transport,
• the driving process of an individual road user: driving models, risk calculators, and risk maps.

By analysing the legal requirements and acceptable practices concerning risk management and assessing the significance of modal shift, common and extreme assessment criteria used for further research can be identified—

Table 1. Legal requirements for risk management and the assessment of the significance of change in transport.

Air Transport	Rail Transport	Maritime Transport	Road Transport
Critical assessment of systems and activities	Effects of system failure	-	-
Stability of systems and operating environments	Complexity of the change Monitoring Reversibility of the change	-	-
Operation in the past	Innovation	-	-
Accumulation of changes	Additionality	-	-
Risk assessment whenever a risk occurs	Risk assessment in case of a significant change	Risk assessment for system changes as well	Limited risk assessment

. The most detailed requirements are contained in documents published for rail transport, and their scope overlaps with other requirements identified in different transport modes. The only more stringent criterion applies to risk assessment whenever it is justified, and not only when a change is considered significant. For research on the introduction of change to the standard model, a methodology derived from rail transport with an extension of the risk management process is applied.

2. Significance of Change Assessment

In line with the rules applicable to transport, assessing the significance of change begins with the initial definition of the system to be changed (Figure 2). Including the description of the technical system’s characteristics and basic parameters and the functions and elements of the system that are subject to the change (technical, organisational, and environmental).

The next step is the selection of criteria (derived from the requirements for rail transport):

(a)

effects of system failure: a credible worst-case scenario in case of the failure of the system under assessment, considering the existence of safety barriers outside the system,

(b)

innovation used to bring about the change—this criterion covers innovations that affect both the entire transport industry and the organisation implementing the change,

(c)

the complexity of the change,

(d)

monitoring: inability to monitor the change introduced throughout the entire life cycle of the system and to carry out appropriate interventions,

(e)

reversibility of the change: inability to return to the system from before the change,

(f)

additionality: assessment of the significance of the change, considering all recent safety-related changes to the system under assessment that were not assessed as significant.

The petitioner keeps appropriate documentation to justify their decision. According to the guidelines contained in the Guide for the application of the CSM Regulation [17], the criteria of innovation and complexity have been combined into one parameter of ‘uncertainty,’ which makes it possible to create a matrix consisting of the ‘uncertainty’ parameters and the effects of system failure (modelled after the risk matrix)—Figure 3. The consequence of multiplying the weights assigned to the Uncertainties and Effects criteria is the initial value defining the change. The next step in the case of sensitive initial assessment values (yellow and red) is to consider the monitoring and reversibility of the change.

Risk Assessment

Regardless of the classification of the significance of change, we begin the risk assessment by defining the system. Including its purpose and intended use and the boundaries of the system, considering other systems with which the system interacts, including interfaces. These actions lead to identifying sources of hazards and, consequently, new hazards related to the introduction of a change to the system. As proposed in the paper, the model for assessing the significance of the change also provides for risk analysis in the case of assessing the change as insignificant, which actively tightens the process of safety management in transport organisations. The process of risk assessment and management may be based on methods commonly used in different transport modes (e.g., FMEA, FHA, HAZOP), which guarantee the fulfilment of necessary steps of proper risk management: identification, estimation, evaluation, response, communication, and monitoring [29,30]. The implementation of recommended corrective and preventive actions should be continuously supervised, and their effects should be verified. After a specified deadline for implementing control/preventive measures, the process should be evaluated, and a new risk indicator calculated. If the risk class for a given hazard exceeds the threshold adopted, it is necessary to define additional risk control measures following the strategy adopted. A person responsible for supervising the implementation of activities was also assigned. Once the planned scenario has been implemented, the assessment body re-examines the risk level of the hazards. If a satisfactory level is reached, the procedure is completed. Otherwise, additional actions are taken.

For industry operators’ risk management areas, the most used method is FMEA (failure mode and effects analysis) [31,32]. Valuation of the hazards identified for the entire hazard area begins with determining, on a scale of 1–10, the factors affecting the hazard, where:

W—probability (possibility) of hazard occurrence, determined in the range from 1 to 10. The probability of occurrence is a relative rather than absolute value. The only way to lower the occurrence rank is to prevent or control the cause of error posing the hazard by changing the process.

Z—the probability of hazard detection, determined in the range from 1 to 10, is an assessment (position in the ranking) associated with the best control tool given in the process control tool column. Detection is a relative assessment within a specific FMEA. As a rule, to achieve lower ranks, the planned control tool should be improved.

S—possible consequences of an incident resulting from hazard propagation, a value between 1 and 10, is the level of ranking assigned to the most severe effect for a given type of error causing a hazard to the power industry.

The risk assessment is based on the product [32]:

R = Z × W × S

(1)

Table 2. Probability of detecting a failure or incident.

Z	Description of the Probability of Detecting a Failure or Incident
1–2	Detection of a failure is certain.
3–4	The chance of detecting a failure is great, a test (control) is used with a high probability of detection.
5–6	The control can detect failures, medium detectability. Optical inspection by the operator (failure relatively easy to detect visually).
7–8	Detection of a failure is difficult. Visual inspection by the operator, and the failure is difficult to detect.
9–10	It is extremely difficult or impossible to detect the failure, or no control is performed that could detect a given failure.

,

Table 3. Probability of occurrence of a failure or incident.

W	Occurrence Frequency		Description of the Probability of Occurrence of a Failure or Incident
	per 1 Million pcs.	per Number of km
1	≤1	>10 million	It is unlikely that a failure or other undesired incident could occur. Virtually has never occurred in this or similar project.
2	≤100	10 million	Very low probability. Failures or other undesired incidents occur individually and very rarely. The process is stable.
3	≤2700	5000	Low probability. There are individual failures or undesired incidents in similar processes.
4	≥2700	2000	Medium probability. Failures or undesired incidents occur in small numbers.
5		1000
6		200
7	≤500,000	100	High probability. Failures or undesired incidents occur frequently, the process is not stable and is not statistically controlled.
8		50
9	≥500,000	10	Very high probability. Failures or undesired incidents will occur.
10		2

and

Table 4. The effect of a failure or incident.

S	Description of the Defect or Undesired Incident Severity
1	The failure or incident is negligible. It is unlikely that a failure or incident could have a noticeable effect on the performance of the product or the design process. The failure or incident will not matter to the customer. It has no significant effect on safety.
2–3	The failure or incident is minor and does not affect customer satisfaction. The customer will probably notice only a slight deterioration of the product, but it is not in default of the provisions of contract. The hazard slightly compromises the safety.
4–6	The failure or incident is medium, causing customer dissatisfaction. The customer feels a discomfort due to the failure, notices a deterioration in the product or service (rescheduling, etc.) and will have to perform unplanned operations. It is not contrary to the arrangements in a contract with the customer. The hazard has significant consequences for the safety.
7–8	The failure or incident causes a large degree of customer dissatisfaction. It can cause serious disruptions to the project (need for additional operations, repairs, significant cost increases, etc.). However, it does not adversely affect the level of safety and is not contrary to the law. It may violate the terms of the contract concluded with the customer. The hazard to safety is considerable.
9–10	Extremely important failure or incident (critical). It prevents further implementation of the project. It affects safety and is contrary to the law and violates the terms of the contract with the customer. The hazard to safety is very high.

refer to the probability of hazard formulation—the probability of hazard detection and the consequences of the hazard used during the analysis.

The R-value for the risk hazard measure ranges from 1 to 1000. Hazards with the R number above 121 are significant. The number R above 150 indicates a critical hazard that seriously threatens the safety of the entire system. The risk value was identified based on the risk matrix:

○

The risk is unacceptable, significantly threatening the safety of the system, corrective measures should be taken immediately, risk class = 3

○

The risk is tolerable; appropriate precautions should be taken, risk class = 2

○

The risk is acceptable, no action is required, risk class = 1

If the risk measure R is in class 3, appropriate process control measures must be taken immediately to eliminate the possible hazard or remove the hazard’s possible effects. However, if the risk R is in class 2, appropriate corrective actions have to be taken to prevent the occurrence of a potential hazard. The preventive/corrective actions assessment should be at first focused on the high-risk measure R items. Any corrective action intends to reduce the ranking values in the following order: effect, occurrence, and detectability ranking.

As a rule, it is assumed that if the number W, S reaches the value of 9–10 or Z, the value of 1–2 (extreme), regardless of the value of the R indicator, special attention is paid to ensuring that the risk of hazards is reduced using existing control measures/tools or preventive actions. In all cases, when the effect of the identified error may pose a hazard to employees, preventive/corrective actions must be taken to prevent the occurrence of a potential hazard by eliminating or controlling the causes, or a method to protect the employee should be developed.

Implementing the recommended corrective and preventive measures should be continuously monitored and their effects verified with the FMEA method. After the specified deadline for implementing the control/preventive measures, the process should be assessed, and a new risk indicator R calculated. If the risk class for a given hazard exceeds the accepted threshold, it is necessary to specify additional risk control measures following the adopted strategy. A person responsible for supervising the implementation of activities was also assigned. After deployment of the planned scenario, the assessment body double-checks the level of risk of hazards. If a satisfactory level is achieved, the procedure is terminated. Otherwise, additional actions are taken. The entire process is recorded in a dedicated blank.

Another method used is the Preliminary Hazard Analysis (PHA). It focuses on identifying all potential hazards and random events that may lead to a breakdown or accident. It is a non-standardized method based on the knowledge available at the initial stage of designing an installation, process, or technical facility. The analysis can already be used when Process Flow Diagram (PFD), primary heat and mass balances, plot, and layout plans are available. Piping & Instrumentation Diagram (P&ID) diagrams are not required in the PHA analysis. The purpose of the PHA analysis is to assess the risk-taking into account the severity of possible effects, which translates into planning preventive actions and remedial measures. Early identification and assessment of hazards enable easier design changes at a significantly lower cost [33].

3. Case Study

The system subject to the assessment of the significance of change is a mobile and web application for determining customised access routes to chargers, considering the driver’s vehicle technical condition and driving style (Figure 4). The application is designed to work with the onboard computer and electric vehicle chargers and calculate customised routes leading to the chargers. It is a mobile and web application for those users who want to optimise their routes, considering the electric vehicle charging stations and their preferences.

The system will make it possible to calculate a route to the destination using a phone or web browser, considering electric car charging stations. It is assumed to move from conventional route selection and navigation to a customised route, with cars’ technical capabilities and the selection of an optimal charging site in mind. The main change to the existing applications used for navigation regarding the technology is its connection with the vehicle onboard computer to select an individual route of the electric car by choosing charging sites based on the available chargers, the vehicle’s technical condition, and driving style.

Changing the conventional route selection and navigation to a customised route, optimised for the need of charging an electric car, in addition to the hardware requirements associated with connecting a mobile phone with an onboard computer, requires the formulation of an algorithm to manage that contact. The concept assumes the use of input data from the onboard computer related to the vehicle’s technical condition, battery condition, and driving style.

After registering in the system, the user will configure their preferences regarding the adaptation of the charging station and charger to the vehicle. Under the user profile, the system will save driving style information which will be used to calculate customised routes.

Through the web and mobile application, the system will indicate the charging sites in the region and the selection of optimal charging sites for the route using the existing infrastructure. The application using data on chargers’ location (approximately 1000 charging sites in the area) suggests the best route to the driver. Charging stations are located at the main transport corridors, motorways, and expressways. One-third are fast DC charging stations, and 67% are slow AC chargers with a power output of 22 kW or less. The number of publicly available charging sites is continuously growing. According to the Policy Framework for the Development of Alternative Fuels Infrastructure for the area, their number in 2020 should amount to 6541 public stations with standard charging power and 318 sites with high charging power output.

Regarding the effects of system failure, the significance of changes concerning technology, IT systems, and road infrastructure is relatively low. The number of charging stations for electric vehicles, including fast-charging stations, i.e., those that can charge batteries with a power output of 50 kW (approx. 20 min per 100 km drive), increases significantly, according to the data of the Alternative Fuel Market Observatory ORPA.PL, which monitors the public infrastructure of electric vehicle charging stations, in Poland (which is the study area), there were about 150 stations in operation offering the appropriate standard (for comparison, there were over 100,000 stations in Europe). Part of the stations included in the ORPA.PL report includes ordinary wall sockets shared, e.g., by private owners or petrol stations, which enable charging a car with the power output of only 3–5 kW, which is ten times slower. In two and a half years the improvement will be a fact due to declarations of companies. By the end of 2019, 20 fast chargers were launched. There will be 11 more chargers available in the first half of next year. The company’s plan is to locate them not more than 85 km apart from one another. State power groups also declare their commitment. A vehicle stoppage’s effects in an area without charging available are possible, but they are relatively low.

In terms of innovativeness, the application introduces a novel method of choosing an optimal route for electric vehicles using experience from data on the vehicle’s technical condition, battery condition, and driving style. However, navigation applications using current traffic data are widespread in motor vehicles. At the stage of assessing the system’s innovativeness, it is recognised that the solutions introduced to the system at the design and production stage are innovative and non-standard, both to the initial state of the products and on the scale of the entire national power system.

Application is built using the interface between the mobile phone and the user profile. This implies the complexity of the change. The application in which the user profile is created uses data sourced from the on-board computer related to the electric car’s technical condition, battery condition, driving style, and driver’s preferences in choosing the route. The application’s concept is to suggest the driver choose a route based on multiple criteria and data sources and to identify compromise solutions. The polyoptimisation of complex systems with strongly non-linear relationships effectively supports the construction. In terms of complexity, the change has a significant impact on operational safety.

The assumed change in the application functioning, which will enable the electric vehicle driver to choose the optimal route, including the charging stations, can be fully monitored at every stage of its implementation. Monitoring is possible during the definition of the algorithm concept, application development, maintenance, and use by drivers. The change does not increase the uncertainty of the system’s behaviour after being implemented (i.e., during its later operation and maintenance). However, the scope of monitoring is extended at least at the initial operation period.

Implementing the application using data obtained from the on-board computer and optimising the route based on it is fully reversible. The connection of the application installed on a mobile phone can be terminated at any time. The team has concluded that, due to the reversibility, the change has no significant effect on the system performance. In terms of additionality, applications using an analogous operating concept and algorithm design have not been implemented before. Due to the additionality, the change has no significant effect on the system safety.

In general, to the entire undertaking, the Uncertainty was estimated to be high = 4, due to the following aspects:

• innovativeness of the system after the change—concerning the initial state, it should be considered innovative and non-standard;
• the complexity of the change should be described as high, e.g., due to polyoptimisation in the choice of optimal input data to optimise the route.

Effects (of the system failure), i.e., a credible, worst-case scenario in the event of system failure, including risk mitigation measures, as marginal = ‘2’ due to the following aspects:

• the worst-case scenario for failure means the necessity to call a tow truck or tow the vehicle to the nearest charging station.

The consequence of the multiplication of significance values assigned to Uncertainty (4) and Effects (2) is the value ‘8’. In this case, monitoring and reversibility should be considered, which has no significant impact on safety in an assessment.

Considering the methodology for assessing the significance of the change described in par. 1, the change resulting from the implementation of innovative energy solutions in critical elements of the road infrastructure should be considered insignificant.

The Act on electromobility [2] provides for the development of alternative fuels, including electric cars. The national policy framework for the development of alternative fuels infrastructure adopted by the Council of Ministers on 29 March 2017, determines the upward trends in the market for electric cars used in Poland and the number of publicly available stations with normal and high charging power. The Act on Electromobility states that a public charging station’s operator is responsible for the construction, management, operational safety, operation, maintenance, and repairs of such station. Article 17. 1. of the Act states that the minister competent for energy shall specify, using a regulation:

The detailed technical requirements, other than for the replacement of batteries used for powering vehicles:

(a)

regarding the operational safety, repair and modernisation of charging stations;

(b)

regarding the operational safety, repair and modernisation of charging sites constituting a part of the charging infrastructure of public road transport.

Within the change’s scope, authors identified technical, organisational, intentional, and non-intentional human factors and environmental hazards (Figure 5), which are included in

Table 5. Categories of the identified hazards.

Category	The Identified Hazards
Technical	▪ Inconsistent data from different types of vehicles; ▪ Lack of battery charging characteristics in individual car versions; ▪ Lack of battery wear characteristics in individual car versions; ▪ Variability of vehicle parameters (including the range and charging characteristics) depending on the vehicle software version; ▪ Shortcomings in design; ▪ No possibility to acquire data from charging station operators; ▪ No possibility to acquire relevant data from the car through a diagnostic interface; ▪ Lack of integration with the onboard multimedia system (e.g., through ‘android auto’ or ‘apple car play’); ▪ Insufficient hardware capabilities—platform server; ▪ Insufficient hardware—mobile phone; ▪ Server failure; ▪ Network failure; ▪ Lack of software support; ▪ Insufficient service support; ▪ Too high number of users.
Organisational	▪ Lack of staff with appropriate qualifications; ▪ Insufficient time resources; ▪ Insufficient marketing; ▪ Insufficient number of users; ▪ Offering similar services by other entities; ▪ Too small number of charging sites; ▪ No network coverage; ▪ Insufficient user support.
Intentional human factor	▪ Hacker attack; ▪ Vandalism; ▪ Sabotage ▪ Tampering; ▪ Ignoring information regarding re-routing; ▪ Ignoring driving style information.
Non-intentional human factor	▪ Design errors; ▪ Insufficient service support; ▪ Insufficient user support; ▪ Specifying a higher-than-actual battery level; ▪ Enter a higher-than-actual battery level.
Environmental	▪ Server flooding; ▪ Flooding; ▪ Fire; ▪ Storm; ▪ Incorrect GPS coordinates of the charging station; ▪ Lack of a complete list of charging stations in the system; ▪ Failure to report inactive charging stations to the system.

.

Figure 5 provides a summary of the risk analysis for the threats. The authors have included the maximum and minimum RPN for all threats identified in individual areas.

4. Results and Discussion

Based on the risk assessment, the hazard areas having the most significant impact on the application’s safe and correct functioning and its use by users have been identified. In the technical area, the most outstanding impact results from the following:

• No possibility to acquire data from charging station operators;
• Inconsistent data from different types of vehicles.

Additionally, two threats were identified in the technical area, for which the component parameters were estimated at the level of 10. Those hazards, despite the acceptable risk level, should be subject to special monitoring at the stage of further work on the project:

• No possibility to acquire relevant data from the car through a diagnostic interface;
• Lack of integration with the onboard multimedia system (e.g., through ‘android auto’ or ‘apple car play’).

In the organisational area, the hazards which have the most significant impact are:

• Too small number of charging sites;
• Offering similar services by other entities.

Fire and storms that can lead to server failure have been identified as the most hazardous environmental area.

The above hazards should be subject to increased monitoring both during the algorithm’s development and during the application’s implementation.

The proposed case study provides an opportunity to analyze how assessing the change’s impact can be used to develop electromobility safety. The process of assessing the significance of the change and risk analysis during the application design process identified several hazards and their causes, summarized in Figure 5. According to it, the threats in the technical, organisational and environmental areas were rated the highest. The slightest differences in the risk analysis were noted in terms of non-intentional threats related to the human factor.

5. Conclusions

The proposed method makes it possible to use the knowledge successfully applied in other modes of transport and quantify safety level. The proposed method for assessing the significance of change in transport systems, as described in the paper, can be successfully applied to all transport modes, for it considers full criteria and acceptable practices in legal requirements. Due to the transport undertakings’ exclusive responsibility for assessing the significance of change, its quality and scope are usually dependent on the organisational culture and the degree to which safety management systems have been implemented.

The results presented in the article are preliminary studies that the authors will develop in their future research. Further analysis will focus on analysing the implementation of the method for assessing the significance of the change for the introduced product and the limitations of inapplicability.

To conclude, the publication presents a new method of analysing the level of electromobility safety, focusing on an innovative approach that proposes using the criterion of assessing the significance of a change based on several criteria. It can be implemented at the legal requirements and applied by persons responsible for safety. Overall, this study’s scientific contribution is based on the following aspects: identifying initial information that may be useful in developing an electromobility market development strategy and identifying the most dangerous areas. Therefore, it contains the necessary information on how to implement the necessary safety measures.