MAINTENANCE LAYERS FOR RAILWAY INFRASTRUCTURE IN POLAND

The railway network in Poland with over 19000 km is one of the biggest in the European Union (EU). At the same time safety indicators collected by the European Union Agency for Railways (ERA) show that it is one of the least safe in Europe. Consequently, all the actions taken in safety management of Polish Railways are particularly important for the society. In 2015, there was a change in the main infrastructure manager’s rulebook on track maintenance. A new process rule was introduced to replace a large set of long-established action rules. However, supervision reports of the Polish National Safety Authority indicate that the new rule is not used properly. Therefore, the current process of taking maintenance decisions on Polish Railways was described and a novel concept of maintenance layers and Maintenance Board meetings was proposed. The change would allow to choose the order of maintenance activities in a more objective way than it is done nowadays, without the necessity to make any major investments.


Introduction
Railways are generally seen as one of the safest means of transportation. This statement is also true for the situation in Poland, where the risk of being killed or injured on railways is about 7 times lower than in case of their main competitor, road transportation (Krystek 2009). The problem arises when Poland is compared to other Member States of the European Union (EU).
The European Union Agency for Railways (ERA) collects so-called Common Safety Indicators (CSI), a set of characteristics used for describing the level of safety in different parts of the European railway area. According to the data presented in the latest safety performance report (ERA 2016), the fatality risk expressed in number of people killed per million train km for the whole EU amounts to 0.28. In case of Poland, this value reaches nearly 1.2, leaving behind only Greece, Slovakia and Lithuania. At the same time, the Polish Railway Network has a considerable share in the part of the European railway area where safety performance is relatively poor, reaching nearly 30% of the European network where fatality risk is higher than the EU average (ERA 2016). This implies that increasing safety in Poland would have a significant influence on the overall safety performance of the railway system in Europe.
Virtually the entire railway infrastructure in Poland (~96%) is managed by one infrastructure manager, PKP Polskie Linie Kolejowe S.A. (Polish Railway Lines). For this reason, we will refer in this paper to the infrastructure managed by this organisation as "Polish Railway Network". Although the number of railway incidents and accidents directly caused by the degenerated infrastructure equals to about 5% of all such occurrences (MIB 2016), the quality of railway tracks is an issue in Poland. At the end of 2015, the quality of 54.5% of the railway lines in Poland was assessed as "good", 27.2% as "satisfactory" and 18.3% as "bad" (PKP Polskie Linie Kolejowe S. A. 2015). The situation, however, is not only of local importance. According to a study cited by Lidén (2015), 15…25 million EUR is allocated every year by the European railway infrastructure managers to maintenance and renewals.
The maintenance decisions on Polish Railway Network are taken based on a set of documents dating back to the times of integrated Polish State Railways. The rules for railway maintenance are generally written in the form of third-type action rules according to the model proposed by Hale and Swuste (1998), based on the Skill-Rule-Knowledge (SRK) error classification of reason. The rules include, e.g., the maximum lifespan of sleepers and maximum permissible wear values of the railhead and therefore they impede almost all freedom of maintenance decisions. With the introduction of safety management systems, as required by the EU regulations, an increase in so-called "compliance culture" (Jeffcott et al. 2006) can be observed. This was most probably the reason why the infrastructure manager introduced in its safety management system a new rule of the second type, i.e. a process rule, which allows to replace existing action rules. The new process rule states that the action rules may be ignored if a qualified diagnostician changes the allowed operating conditions accordingly. Risk assessment is recommended for determining the scope of the necessary change.
Publicly available but unpublished supervision reports of the Polish National Safety Authority imply that the employees of the infrastructure manager have difficulties in applying the new process rule in their maintenance decisions. Based on these reports and our own experience we can state that it is due to two issues. Firstly, the new process rule has been introduced in such a way that it only covers one out of many diagnostics procedures used by the infrastructure manager. Thus, the risk assessment is executed without considering all the information available. Secondly, the process rule introduced by the infrastructure manager means the enrichment of the maintenance process with the use of risk and requires a reorganisation of the safety management system in respect to the maintenance. Bertsche (2008) defines maintenance as methods for the determination and evaluation of the current status as well as for the preservation and reestablishment of the nominal status of facilities, machines and components. Maintenance methods can be divided into corrective and preventive maintenance, whereas in the preventive maintenance we can distinguish predetermined and condition-based maintenance (Niu et al. 2010). The condition-based maintenance is performed only after a certain condition or state of the technical system is reached, which increases system availability and decreases costs of renewal of fully functional components.
A special type of condition-based maintenance is risk-based maintenance. It has been developed to provide a basis for taking decisions regarding the type and the time for maintenance actions considering not only the reliability of a system, but also including the risk of an unexpected failure (Khan, Haddara 2004). Risk-based maintenance is extremely important within large complex operations like refineries (Peters 2015), offshore processing facilities (Bhandari et al. 2016), offshore wind farms (Sinha, Steel 2015), public school facilities (Dickerson, Ackerman 2016) and within different high-risk domains like ethylene oxide production facilities (Khan, Haddara 2004) or power-generating plants (Krishnasamy et al. 2005).
In railway context, a methodology called "reliability centred maintenance" has been developed to, e.g., redefine the maintenance tasks and their standard frequency (Carretero et al. 2003), following similar approaches used for the aircraft industry and several other civil and military branches (Rausand, Vatn 2008). Advanced simulation models are being created for generating adaptive maintenance plans (Baldi et al. 2016) or optimising specific diagnostics procedures (Podofillini et al. 2006). Special attention is also paid to the routing and scheduling of maintenance in respect to the track possession (Peng et al. 2013). Implementing any of the aforementioned concepts requires a considerable amount of time and money. Therefore, in this paper, we would like to propose the necessary changes in taking railway infrastructure maintenance decisions, which would be based on estimation and evaluation of risk related to the technical state of the given infrastructure elements. The changes can be introduced without any considerable investment. In Section 1 of this paper, we have described the current process of taking maintenance decisions on Polish Railways. In Section 2, we proposed a novel concept of dividing maintenance into layers and introducing a Maintenance Board, which allows to manage all the risks associated with railway line operation and maintenance. The obtained results, implications and limitations are discussed in Section 3. The final section makes conclusions.

Railway infrastructure maintenance in Poland
The essential issue in all condition-based maintenance strategies is the proper condition monitoring, either continuous or performed according to a certain schedule. In case of Polish Railway infrastructure, the monitoring is divided into several diagnostic procedures performed by workers employed on different organisational levels. The most important role is played by the twenty-three Railway Offices, which are located all over the country and each of them is responsible for a certain part of the Polish Railway Network. Railway Offices coordinate the diagnostic process on their territory and are partly supported by subordinated Sections of Operation and Maintenance. Specialist measurement equipment, including track recording cars, is kept in one specialised entity (Diagnostics Centre) and must be "ordered" by the Railway Offices, according to the timetable stated in the safety rules. The organisational structure of the infrastructure manager has been shown in Figure 1. The most frequent of the diagnostic procedures are regular visual inspections of tracks, which should be run up to two times a week, depending on the line characteristics. Three times a month there should be an inspection of dynamic responses, performed qualitatively in first or last vehicle of a train. Technical inspection of track, supported by the measurements of track geometry as well as measurements of neutral temperature in continuous welded tracks should be done once a year. Measurements carried out by track recording cars as well as rail flaw detections should be organised up to 4 times a year. Detailed information can be found in PKP Polskie Linie Kolejowe S.A. (2005) and has been summarised in Table 1.
It is important to notice that the described diagnostic process does not include any procedures, which would allow to gather much information other than pure technical condition of the railway track. Even in case of the most basic and thus the most general procedure, i.e. visual inspection, the scope is limited to the railway line and its closest vicinity. The person performing the inspection should notice, e.g., unauthorised railway crossings, as well as billboards and trees, which could fall onto the track. Things such as construction of new apartment blocks, playing fields or changes in traffic organisation near the level crossings are neglected. Some information on these issues should be provided to the infrastructure manager in form of level crossing diagnostics or land use plans, but it is processed separately from the track maintenance.

Closer look at diagnostic procedures
After listing all the diagnostic procedures performed by the infrastructure manager on railway lines, we examined how they are defined in the infrastructure manager's rulebook. The definition of rules and procedures is of special interest for the safety science, with "rules" being one of the most widely used terms in this field (Hale, Swuste 1998). There have been several attempts to understand the nature of rules and procedures, including the three-level classification of goal, process and action rules (Hale, Swuste 1998), as well as two models based on the rule function, development and attitude towards its violation (Dekker 2003; Hale, Borys 2013). Special attention was also paid to the procedures in high-risk domains (Grote 2012, 2015). All the aforementioned approaches relate primarily to single rules, not to the procedures built up from larger group of such single rules, which can take several months to be fully conducted. Praino and Sharit (2016) proposed lately a seven-dimension taxonomy for characterisation of procedures and associated control attributes, noting that the structure of a procedure may be somewhere between comprehensive and limited. Additionally, they suggested a continuous dimension of level of detail, from purely goal-oriented to purely rule-oriented. Other dimensions in the taxonomy are the purpose, nature, target, method and duration.
This model allows us to state that the examined diagnostic procedures are defined differently. For example, the scope of the regular visual inspections of the track is defined on several pages, being comprehensive and rule-oriented. By contrast, the scope of the inspection of dynamic responses is given only indirectly, through the definition of the report form, i.e. by stating the goal of the procedure. Furthermore, the report forms are defined just for selected procedures, leaving the way of recording results of other procedures to the person responsible for conducting them and thus promoting inconsistency.
However, we noticed that all the diagnostic procedures we examined follow a similar pattern of measurement, analysis, information and feedback. Firstly, the measurement is performed according to the scope and rules given by the respective part of the rulebook. The recorded results are then analysed by the person responsible for conducting the diagnostic procedure. This analysis is used to produce the final report with a list of actions necessary to fix all the identified issues within a given deadline. The report is then disseminated to the organisational entities, which can perform the actions, in most cases to both the Railway Office and the respective Section of Operation and Maintenance. The latter is expected to inform the Railway Office on its reaction, measures taken, results obtained, etc. If such a feedback is not directly prescribed, it is collected within the next diagnostic procedure of the same type. Description of several diagnostic procedures can be found in Table 2. As shown in Table 2, the new process rule allowing to replace action rules with the results of risk assessment, directly applies to technical inspection of track only. It means that a person who decides, e.g., to leave in track sleepers, which are older than their designed lifespan has limited information on the track substructure condition. It must be emphasised that lack of data and information is seen as the important factor, which determines the results of the risk analysis (Aven 2015).

Maintenance framework adjustment
In order to produce a comprehensive risk picture, it is necessary to collect all the available information in one place. The easiest way to achieve it would be to wait with decisions until a complete set of diagnostic reports is available. This approach is impractical, as the measurements are being performed continuously throughout the year. Additionally, some of the measurement results may contain information about serious deterioration of the infrastructure technical state, which should be dealt with as soon as possible.
In the following, we propose a framework, which addresses these issues and is visualised in form of layers (Figure 2). With the grey background, we denoted the elements of the proposed process, which are responsible for reproducing the situation of today. This is important for ensuring a smooth implementation of the change and for minimising the risk resulting from it. White background indicates elements, which can enrich the existing process with the risk-based maintenance principle.
The main purpose of introducing the layers is to divide the maintenance process into sub-processes for better clarity of the framework. Each layer, which we refer to as a "maintenance layer", has a specific set of procedures and contains information on assets needed to follow them, as presented in Table 3.
Detailed description of the proposed framework can be found in the respective subsections.

Measurement and preliminary data analysis - Layer 1
The aim of the Layer 1 is to acquire measurement data under the existing diagnostic procedures, summarised in Table 1. The measurements are performed by railway workers on track, so it is possible to discover a condition, which can directly affect safety, e.g., a broken rail or an object inside a structure gauge. In such a case, the measurement is stopped and the emergency procedure is executed. This is usually done through radio communication with the nearest station dispatcher and entails restrictions in railway traffic until the safe state is restored. To achieve it, an emergency repair (i.e. corrective maintenance) is performed. When the measurement is completed and the data is acquired, the results could theoretically be forwarded to the Layer 2, which would call the Maintenance Board on Layer 3 to analyse the risk of operating the infrastructure. This would improve the clarity of our model, but, in some cases, it could have a negative effect on safety. For this reason, we have decided to keep the preliminary analysis of the measurement results in this layer and, as it is today, the measurement report should contain recommendations for restoring the safe state.
However, the diagnosticians working within our model are encouraged not only to prescribe a deadline for completing the maintenance activity, but also to indicate the latest date when the activity should start to meet the deadline. In case of issues, which require immediate action, such as missing road signs or loose rail fastening bolts, the current date should be indicated. It assures that they will not be postponed until the meeting of the Maintenance Board, but will be dealt with without any additional delay.

Data management - Layer 2
The Layer 2 of our model is purely rule-based and can be implemented in the form of a dedicated computer program, without the need to involve any staff members. All the reports of all the diagnostic procedures are collected and regularly, e.g., once a day, two conditions are checked:
- if there is any report in which the starting date of any recommendation has been reached, this report is sent to the Section of Operation and Maintenance in the Layer 4 to perform the required maintenance activities;
- if there is enough data collected, the Maintenance Board is called on Layer 3.
Introducing the first condition allows to reproduce the situation of today, when all the diagnostic reports are sent to the maintenance immediately after their preparation. Additionally, the first condition is a safety measure that ensures that no report is left without further consideration. However, in normal conditions, the Maintenance Board should be convened based on all the collected reports and soon enough not to trigger the other way of managing measurement data.
The length of lines to be considered during one meeting of a Maintenance Board as well as the minimal amount of data needed for it should be decided by the infrastructure manager. The bigger the network under inspection, the more accurate the risk-based decisions on maintenance activities. On the other hand, along with increasing the length of network covered with a single Maintenance Board meeting, grows its complexity and more time is needed to gather sufficient information.
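The daily check described for Layer 2 can be sketched as follows. This is an added example, not code from the paper or from the infrastructure manager. It assumes that "enough data" means at least one pending report from each procedure in a configured set, and that a report sent to Layer 4 leaves the pool considered by the Maintenance Board; all class names, report ids, dates and activities are constructed.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Recommendation:
    activity: str
    start_by: date   # latest start date set by the diagnostician on Layer 1
    deadline: date   # date by which the activity must be completed


@dataclass
class Report:
    report_id: str
    procedure: str   # diagnostic procedure that produced the report
    recommendations: list


@dataclass
class DailyResult:
    to_maintenance: list = field(default_factory=list)  # report ids sent to Layer 4
    board_convened: bool = False
    board_agenda: list = field(default_factory=list)    # report ids passed to Layer 3
    board_feedback: list = field(default_factory=list)  # Layer 4 feedback passed along


class DataManagement:
    """Layer 2: collects reports and Layer 4 feedback, runs the daily check."""

    def __init__(self, required_procedures):
        # Assumption: "enough data" means at least one pending report from
        # each procedure in this set; the paper leaves the criterion open.
        self.required = set(required_procedures)
        self.pending = []
        self.feedback = []

    def add_report(self, report):
        self.pending.append(report)

    def add_feedback(self, note):
        self.feedback.append(note)

    def daily_check(self, today):
        result = DailyResult()
        # Condition 1: a recommendation's start date has been reached, so the
        # whole report goes straight to the Section of Operation and Maintenance.
        # Assumption: such a report no longer waits for the Maintenance Board.
        still_pending = []
        for report in self.pending:
            if any(rec.start_by <= today for rec in report.recommendations):
                result.to_maintenance.append(report.report_id)
            else:
                still_pending.append(report)
        self.pending = still_pending
        # Condition 2: enough data has been collected, so the Maintenance
        # Board is called with every pending report and the stored feedback.
        if self.required and self.required <= {r.procedure for r in self.pending}:
            result.board_convened = True
            result.board_agenda = [r.report_id for r in self.pending]
            result.board_feedback = list(self.feedback)
            self.pending, self.feedback = [], []
        return result


def demo():
    """Constructed scenario; report ids, dates and activities are made up."""
    layer2 = DataManagement({"visual inspection", "technical inspection of track",
                             "track recording car measurement"})
    layer2.add_report(Report("R1", "visual inspection", [
        Recommendation("tighten loose rail fastening bolts",
                       date(2017, 3, 1), date(2017, 3, 3))]))
    layer2.add_report(Report("R2", "technical inspection of track", [
        Recommendation("replace worn sleepers", date(2017, 5, 1), date(2017, 6, 30))]))
    day1 = layer2.daily_check(date(2017, 3, 1))   # R1 is urgent, board lacks data

    layer2.add_feedback("R1: bolts tightened, two fastenings replaced")
    layer2.add_report(Report("R3", "visual inspection", [
        Recommendation("cut back trees near track", date(2017, 4, 15), date(2017, 5, 15))]))
    layer2.add_report(Report("R4", "track recording car measurement", [
        Recommendation("correct track geometry", date(2017, 6, 1), date(2017, 7, 31))]))
    day2 = layer2.daily_check(date(2017, 3, 10))  # all procedures covered
    day3 = layer2.daily_check(date(2017, 3, 11))  # nothing left to process
    return day1, day2, day3


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the constructed scenario the urgent report bypasses the board on the first day, while the remaining reports and the Layer 4 feedback reach the board together once every required procedure is represented.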

Maintenance Board - Layer 3
The Maintenance Board is convened only if enough information is gathered in form of the reports from the diagnostic procedures performed on the Layer 1. The reports contain information from the preliminary analysis, so they state, which maintenance activities should be taken to restore the nominal state of the different aspects of the railway infrastructure. The role of the Maintenance Board is to decide on which of the proposed maintenance activities to spend the money, which activities can be postponed, and which can be neglected e.g. due to a planned modernisation of the line in the nearest future. This decision should be taken in respect to risk.
The terminology used in risk management is not unified and a variety of definitions are in use in different contexts (Aven 2010). The understanding well-established on Polish Railways can be found, e.g., in research by Kadziński (2013). According to it, hazard can be defined The causes of hazards, called hazard sources or risk factors, can be defined as such physical, chemical, biological, psychophysical, organisational or human factors whose presence, state or properties are the cause for formulating a hazard. In other words, a factor existing in the analyses domain is a risk factor only if it leads (alone or together with other factors) to loss or damage. This idea is shown in Figure 3. Figure 3 shows an analyses domain. In this domain, several factors were distinguished and presented as circles. The presence of some of the circles causes states of the domain that can lead to loss or damage. These states are called hazards and represented by the dotted lines. In two cases, the presence of one factor is enough to formulate a hazard, in other cases two or three factors are needed simultaneously for hazard formulation. One factor takes part in formulation of two hazards. All the factors, which take part in formulating hazards, presented as black circles (Figure 3), can be called risk factors or hazard sources.
Unfortunately, the potential loss or damage is not always objective. If the hazard activation can lead to injuries, deaths or financial losses, etc., the same risk factors will be determined regardless of who performs the analysis, provided that the knowledge of the domain is equal. However, some potential scenarios can be harmful only to a specific recipient and from outside they will not be treated as hazards. The factors leading to such scenarios, depicted with white circles (Figure 3), do not take part in hazard formulation and are left out of the scope of the risk management.
The Board Members are therefore asked to identify hazards generated by operation of the infrastructure under examination, looking on it from different points of view or "wearing many hats", such as the one of:
- maintenance worker;
- train dispatcher;
- train driver;
- person living near the railway line.
The "wearing many hats" principle should prevent a situation where some hazards are not covered by the risk management and therefore no maintenance activities are taken to influence the respective risk factors. For determining which activities to perform, evaluation of the obtained risk picture should be made. The exact way of how it should be done exceeds the scope of this paper. However, valuable ideas are given by Vatn (2008) for the situation in Norway. For calculating the cost-benefit ratio of rail infrastructure projects, the following aspects are taken into consideration:
- safety level;
- reduced punctuality, speed restrictions;
- maintenance costs, e.g., due to increased measurement intervals;
- increased life length, e.g., of rails after grinding.
Vatn and Aven (2010) comment on the results of a survey (Hokstad, Vatn 2008) pointing that activities related to level crossings, platforms used by children, as well as maintenance of fences should receive a higher priority in decisions taken by the infrastructure manager.
In our opinion, however, the Maintenance Board should not limit itself to calculating risk estimators based purely on the data from diagnostics reports, as it could be done automatically by implementing a set of rules in the computer system used in the Layer 2.

Maintenance activities - Layer 4
Without introducing the proposed changes in the framework, maintenance activities are performed immediately after the measurement is finished and its result analysed. It leads to the situation where the activities on one part of the railway line can be done several times a year, each time requiring, e.g., closing of one track and resulting in more tense traffic situation. In the new framework, more maintenance activities should be performed together, because of the decision taken by the Maintenance Board. This contributes to less administrative work and lower costs of the activity set up (Vatn 2008), and minimises track closures and reduces work costs (Lidén 2015).
The information about how the maintenance activities have been performed and which issues have been encountered during the maintenance can be valuable for taking future decisions by the Maintenance Board. Therefore, there is a connection between the Layer 4 and the data management on the Layer 2. The relevant feedback data gathered this way is then passed on to the Maintenance Board together with the reports created on the Layer 1.

Discussion
The main railway infrastructure manager in Poland recently introduced a new rule that allows to replace long-established rules defining the maximal lifespan of infrastructure elements if the operating conditions are changed. The scope of the change must be determined by a qualified diagnostician, e.g., with the help of risk assessment. The actual use of the new rule is constrained, possibly due to incorrect embedding in the safety management system. In this paper, we presented a new framework in the form of maintenance layers and Maintenance Board, which addresses this problem.

Layers in maintenance modelling
Although layered models are widely used in process industry, computer science and other application areas, we have found no evidence of describing maintenance with the concept of layers. Still, we think that our proposal is justified, as the layers help visualise the data flow between various parts of the maintenance process, as well as indicate to the maintenance staff members, which role they play:
- diagnostician, who performs diagnostic procedures and proposes necessary maintenance activities to restore the initial state of the respective infrastructure elements (Layer 1);
- Maintenance Board member, who decides on the order of the maintenance work execution, taking into consideration the risk connected with viable options (Layer 3).
As described in Table 3, the layers in our framework join two approaches; each maintenance layer combines a specific set of procedures as well as information on assets needed to follow them. This understanding differs significantly from the layered models used in safety science to describe safety systems, mostly in the process industry in form of Layer Of Protection Analysis (LOPA) (CCPS 2001; Summers 2003; Tong et al. 2016; Wei et al. 2008).
The difference is mainly related to the fact that LOPA and similar methods are based on the defence in depth concept, where the following principle is used: "if one level of protection or barrier fails, the subsequent level or barrier should be available". It mostly refers to the fact that layers should act in a certain order and are independent from one another. The independence is understood as a lack of a susceptibility to the influence of the other layers. It means that the models can handle no failures that would deactivate two or more layers at the same time (Dowell 1998). Another aspect that is omitted in methods such as LOPA is the partial fulfilment of a function by one layer, i.e. the modelled layers are working in zero-one logic.
The inadequacy of LOPA-based models for real-world applications has been appreciated by many authors. Fleming and Silady (2002) focused on the problem of independency of the barriers in nuclear power reactor, where barriers are usually identified as separate layers. They give, among others, the example of radionuclide barriers that are not independent. Bridges and Clark (2010) even point out that "one of the biggest problems with LOPA is that its users do not always follow the rules of LOPA". In the maintenance system modelling, layer dependencies are important. For example, the maintenance staff members can be employed in distinct roles and thus act on different layers. This idea can be found in the paper of Shah et al. (2003). The authors divide a chemical plant into four different hierarchical levels:
- substance layer that lists the properties of substances involved;
- reactivity layer that lists the possible interactions between the substances;
- equipment layer that lists the possible scenarios resulting from the combination of substances and operating conditions of all equipment;
- safety technology layer that describes the safety measures required to run a process safely.
The elements of a chemical plant are located on several layers at once. Moreover, the last layer consists of all the individual elements and the entire system as a unity. Introducing such relationships means that the simple concept of one layer being equal to one element is no longer valid and implies the challenge of finding the right definition of a layer. As stated by Rasmussen (1986), the definition, based on goals and intentions of the model, can affect the way the functional properties of a system are perceived.
It can be seen in literature that many criteria are applied to identify layers, but usually they are not explicitly defined. A typical way is using the types of system elements, e.g., logical and physical (Ni et al. 2013), hardware and behavioural (Guldenmund et al. 2006), or their properties (Birch et al. 2014; Gill, Kadziński 2012). Cheng et al. (2014) proposed a three-layered model to analyse and recognise the activities of a group of people, where the type of interactions is used to distinguish layers. This is similar to the idea of Ratnam et al. (2005), where layers are divided according to the degree of protection demand in different IT applications. Interesting are also the layered models, which are intended to capture the state of an area, e.g., in result of heavy gas dispersion (Hankin, Britter 1999). For other examples of layered models we can refer to the paper of Khan et al. (2015).
A tempting way to organise layers is the use of the cognitive theory, especially the Decision Ladder and the associated model of SRK interactions, proposed by Rasmussen (1986) and discussed recently by Flach (2017). The SRK model has been introduced to the area of safety rules by the paper of Hale and Swuste (1998) and developed by several other contributions, e.g., Grote (2015), Hale and Borys (2013). The description of layers in respect to the SRK model allows to estimate the probability of making mistakes by people involved in each layer, using the values established in previous studies, e.g., Hannaman and Spurgin (1984). The rough estimation of SRK needed on each of the proposed maintenance layers is shown in Figure 4. As we can see from Figure 4, the maintenance Layer 2 and Layer 4 have unambiguous nature, with the data management being rule-based and the maintenance activities skill-based. On the Layer 3 the knowledge of Maintenance Board members is the most important, but some rules can be used as well, e.g., checklists for hazard identification. Layer 1 requires all types of contribution, as it consists of performing diagnostic procedures with respect to the given rules, as well as preliminary analysis of gathered data.
We have examined the option to limit the Layer 1 of our maintenance framework just to the measurement, leaving all the analyses until the Layer 3, which would result in the Layer 1 being mostly skill-based. In consequence, it would allow to involve less qualified people for performing the diagnostics procedures, because less knowledge and experience would be needed. On the other hand, it could lead to lowering the quality of the measurement. As study of Woodcock (2014) has shown, the actual execution of a diagnostic procedure rarely follows predefined checklists and the inspectors take risk-based decisions on what to examine in more detail.

Maintenance layers in the safety management system
European railways have been facing many organisational changes since the end of the 20th century, which intended to open the railway market for competition. One of the milestones was adoption of the Railway Safety Directive No 2004/49/EC (EC 2004), which obliged all the railway undertakings and infrastructure managers active on the base EU network to implement safety management systems. The railway companies were from that point responsible for managing their risk, as well as for preparing and obeying procedures covering all their activity related to safety. This also includes the maintenance of the railway infrastructure. The interactions between the relatively new safety management systems and the existing railway rulebooks have been shown in many previous studies, such as the one by Jeffcott et al. (2006) in the UK, Almklov et al. (2014) in Norway, as well as by Smoczyński and Kadziński (2016) in Poland. Particularly interesting is the work of Vatn and Aven (2010), which corresponds closely with our results. The authors proposed an introduction of an additional "administrative layer", i.e. Safety Board, which would deal with major safety issues with respect to the draft maintenance plan. It can be seen in Figure 5a.
In our opinion, the proposal presented in research by Vatn and Aven (2010) does not address the situation in Poland, schematically shown in Figure 5b. In the existing framework, there is also a maintenance plan, but it deals mainly with activities of bigger scope, such as modernisation/renovation of the whole line. This kind of projects are not coordinated by the Railway Offices and therefore were not included in our research. The maintenance activities are performed mainly as a result of diagnostic procedures executed throughout the year. The problem arises when some of the maintenance activities requested by the diagnosticians cannot be carried out, mostly due to financial reasons. In such cases, the new process rule could be used to decide if a maintenance activity can be postponed or not. However, in practice random activities are often simply cancelled, violating respective procedures of the safety management system.
Based on our experience gained by the Polish National Safety Authority we can state that safety management issues are still regarded as something additional that disturbs the "real" railway work. Therefore, in our framework, schematically shown in Figure 5c, we do not propose participation of any additional staff members, who are normally not involved in the railway maintenance. We propose instead to restructure the work of the current maintenance staff in the way, which allows to make decisions after examining the bigger picture, in respect to risk.
We believe that introducing the change in the framework should have one considerable positive effect on the maintenance of the railway infrastructure. This is because, unlike in the current situation, the decisions on which maintenance actions to take and which to postpone should be more objective. Additionally, the Maintenance Board members are encouraged to analyse the data from different perspectives. The proposed principle of wearing many hats is a way to overcome the problem of the "unknown knowns" (Aven 2016), but also to regard as hazards all the scenarios that the Maintenance Board members are aware of but are not personally affected by the loss or damage these scenarios bring.

Applicability of the research
The implementation of the complete maintenance framework presented in Section 2 in the safety management system of the Polish infrastructure manager is a task that requires a time-consuming and cost-intensive evaluation process of the so-called "significant change", in accordance with the respective European Regulation No 402/2013 (EC 2013). Such a decision could be made only if there was a need to sanction existing practice (Figure 5b), which could be the result of strengthening the Polish National Safety Authority supervision. In the near future, it seems possible only that maintenance decisions (Layer 3 of the presented framework) will be allowed to be taken not by the Maintenance Board but within existing structures, e.g., by the Director of the Railway Office. Such a solution is currently implemented in Poland with respect to relays used in railway traffic control devices. A possible way of selecting risk assessment criteria and developing a risk model for supporting such decisions was the subject of our further research with the participation of experts (Smoczyński 2018; Smoczyński et al. 2019). We have also taken up the subject of the Maintenance Board indicating new safety measures (Gill, Smoczyński 2018).
It should be emphasized that the issues of railway infrastructure maintenance are, to a high extent, common to all railway infrastructure managers around the world. The way of qualifying railway infrastructure elements for maintenance is also similar. This is partly due to applicable European legislation, namely the technical specifications for interoperability that give immediate action limits for various types of wear. At the same time, a common problem of big entities in which safety management systems are implemented, such as railway infrastructure managers, is the possibility of losing access to employees' knowledge due to the difficulties they have in expressing it in safety-related language (Almklov et al. 2014). Our proposal of inviting diagnosticians to the Maintenance Board is a way to eliminate the negative effects of this problem, which can be successfully applied by various infrastructure managers.

Conclusions
Management of rail infrastructure maintenance is an important element in the implementation of a railway infrastructure manager's safety policy. However, it should be remembered that formal safety management systems appeared on the railway at the end of the 20th century, i.e. more than a century later than the "written in blood" railway rules. In our paper, we were able to present some of these rules in a way that allows them to be integrated with the procedures of the safety management system. For this purpose:
- we have identified the measurement-analysis-information-feedback pattern, which describes well the types of diagnostic procedures analysed by us;
- we described the way information flows within the infrastructure manager's organisational structure.
Preparatory work allowed us to create a new railway infrastructure maintenance framework, which allows the Polish infrastructure manager to take decisions on maintenance actions, taking into account the risk related to the technical state of the infrastructure. The key features of the framework are as follows:
- the introduction of the model does not involve any major investment, as it is based on reorganisation of the existing framework rather than on a proposal of new assets;
- introducing the concept of layers makes the framework transparent and easy to use for the maintenance staff, who take distinct roles during the process;
- making decisions based on a vast amount of data should contribute to their objectivity and, in addition, result in grouping several maintenance activities.
The concept of maintenance layers is the main finding of our paper. The need for their use appeared when we first tried to describe the framework using standard block diagrams. It turned out that the blocks do not allow dependencies related to the necessary resources and procedures to be presented.
The maintenance layer approach proposed by us has been related to the existing body of knowledge in this area, and the elements distinguishing our approach from the current research have been indicated.
In order to fully assess the appropriateness of the proposed solution, a way of comparing the maintenance effects obtained according to the old and new rules should be developed, taking into consideration:
- trial implementation in part or in whole of the railway system;
- results of simulation.
In practice, this is unfortunately impossible. It is unacceptable to experiment on or study the functioning of such a high-risk system in real conditions, being aware of the risk it can generate. Even if it were possible, observed changes in the safety level could also be explained by a number of other reasons unrelated to the manner of making maintenance decisions, resulting from, for example, changes in the number of trains launched, the introduction of new technical solutions, etc. In the considered case, even the possibility of constructing a simulation model that reproduces reality in a sufficiently detailed way is only theoretical.
In addition, due to practical limitations coming from the immersion of the case study in a local context, the results give only a general concept of the framework modelling, the use of layers, and the improvement of risk-based decision making. Further research is needed to confirm the possibility of its full application in high-risk domains other than railways. However, we believe that the approach we propose enables the inclusion of sharp-end specialists in risk management processes, which is one of the key postulates of modern safety science.