2 7 03 HF in the Development of Safety Critical Railway Systems

8/12/2019 2 7 03 HF in the Development of Safety Critical Railway Systems

1/25

Lloyds Register Rail (Asia)

Human Factors in the

Development of Safety-Critical

Railway Systems

Simon Zhang,

Technical Director,

Lloyds Register Rail (Asia) Ltd


2/25


2. Capable and

competent

people andculture to deliver

safety objectives

3. Design of safe

and high

performing

equipment

1. Management

systems and

processes to

safely guide and

control business

activities The System

The People

The Equipment

Factors affecting Safety Critical System

Development

IRSC 2012 Conference


3/25


Human Errors in the Railway WorldHuman errors can be costly and/or fatal



4/25


System Lifecycle


Concept

System Definition &Application Conditions

Risk Analysis

System Requirements

Apportionment ofSystem Requirements

Design &Implementation

Manufacture

System Validation(including Safety Acceptance

And Commissioning)

System AcceptanceOperation &Maintenance

De-commissioningand Disposal

Installation

Concept

System Definition &Application Conditions

Risk Analysis

System Requirements

Apportionment ofSystem Requirements

Design &Implementation

Manufacture

System Validation(including Safety Acceptance

And Commissioning)

System AcceptanceOperation &Maintenance

De-commissioningand Disposal

Installation

Where do human errors occur in the

development lifecycle?

What type of errors occur & why?

How can they be addressed?


5/25


Strategies for addressing Human Error in

System Development

EN50126 Guidelines

Human competency

Human independence during design

Human involvement in verification and validation (V&V)

Interface between human and automated tools Systematic failure prevention processes

Application of EN50126

Competency is a prerequisite

Education and training are assumptions



6/25


EN50126 Process Framework



7/25


EN50129 View (1)Safety Organisation



8/25


EN50129 View (2)Systematic failure prevention processes



9/25


EN50129 View (3)

Human

Involvement inV&V



10/25


Limitations of Process-Based Standards

Incompleteness of processes

Inadequate guidance on human factors in systemdevelopment

Questionable rationale for SIL and Processes

The processes for higher SIL may not produce safer

products or systems

Applicability of standards

Well understood problem domain

Risk totally covered

Mature project and safety organisation



11/25


Yellow Books View

Compliance based

approach

Using existing

standards as the driver

to develop and

evaluate a system

Risk based approach

Using risk assessment

as the driver to developand evaluate a system



12/25


Assessors View (from LR Rail experience)



13/25


Emerging Themes from Assessments

Mainly from the Chinese railway signalling industry in recent 3

years 20+ Chinese companies

30+ RPC projects

10+ ISA projects

Aim to explicitly identify and evaluate the underlying risk

associated with known human factors in system development

Using EN50126/9 standards as a starting point

Several themes emerged from the studies relating to humanerrors & human factors



14/25


Chinese Railway Signalling Industry

China has experienced a large number of railway construction

projects in both high speed mainline and metro systems

Lessons from last years 7.23 railway accident

Due to serious design flaws in control equipment and

improper handling of the lightning strike

Personnel competency is questionable

Re-examine existing safety management systems and

development processes



15/25


Initial FindingsTheme 1

Human competency

Undefined competence requirements on many roles suchas verifier, validator and safety engineer

Training and qualification records may not be trusted

Certified or qualified training and education institutes

are required

Domain knowledge and experience are more important and

can be easily verified via interviewing

Organisational culture and HR policy can also influence

Difficult to keep capable safety engineers



16/25



Human Independence during Design

Organisational structures

E.g. rigidly hierarchical structures

Leadership patterns

Two extremes

Responsibilities and roles Incorrect understanding of allocated responsibilities and

authority control



17/25



Human Involvement in V&V

Undefined competence requirements on many roles suchas verifier, validator and safety engineer

Lacking domain knowledge from the verifier or auditor

Misunderstanding the role of V&V

Lack sufficient project resources for V&V activities

Tight project schedule



18/25



Interface between Human and Automated Tools

Undefined competence requirements on the tool users

Lacking of guidance on safety analysis over the tools

Difficult to have a systems approach

Viewing the tool and tool user as a complete system in

a context of a project



19/25



Systematic failure prevention processes

Inadequate guidance on techniques/measuresrecommended from standards

linking techniques/measures with a level of

recommendations does not help

Tactic knowledge is required

Undefined competence requirements on many roles such

as verifier, validator

Safety management system may also help

But there is lack of guidance from the standards



20/25


Enhancing assessments to evaluate human factors


Organisationalarrangements

Procedures/ tasksdemands

Working environment

Workstation/workplace

Machine interface

Person

Is the machine/tool easy to use?Is the behavior of the tool

understood by user?

What happens if the tool fails (e.g.

during V&V)?

Is it available where it is needed?

Does the interface meet

expectations?

Can people reach everything?

Is there enough space to work?

Are there obstructions?

Can a good working posture be

achieved?

Is the lighting OK?

Is noise a distraction or does it

prevent good communication?

Does the temperature make

people tired?

What attributes does a person

need:

good vision/hearing,strength,

particular skills,

personality traits

motivation?

Qualifications & experience

Domain knowledge

Can procedures be followed?

Is there time pressure?

What working hours or

breaks?

What training is given?

What level of

supervision is there?

What competence is requiredare these well defined?

Processes for using tools well

developed?

Is there understanding of

safety standards?

Is there good:

working culture?,

leadership?

motivation?Are roles, responsibilities &

authorities defined?

How can we bring these into the

assessments?


21/25


Evolution of the Standards Introduction of EN50128:2011 Standard

Definition of 10 roles including verifier and validator Guidance on support tool for software development

Focus on tool validation and tool specification

New development on EN50126/9 standards in the near future

Merging the EN50126/8/9 standards together

The role and competence requirements of safety engineer

need to be defined

More guidance on using the HR/R techniques/measures

Develop guidelines on the SMS (safety managementsystem)

Interface between human and tools needs to be elaborated



22/25


Future Work

Get feedback on the viability and effectiveness of the approach

Conduct more empirical studies from other geographical areas

such as Hong Kong, Taiwan, Korea and India

Define robust human factors evaluation framework

Consider ranking or quantitative assessment

Provide input to the development of new EN5016/8/9 standards

Industry research into root causes of Human Errors during

system design



23/25


Conclusions

Do not take human competency for granted;

Company/project management styles can always influence

human independence;

Human judgement determines the V&V success criteria;

Interface between human and automated tools can be

unexpectedly complex;

Understanding the rationale behind techniques/measures is

more important than choosing which in the systematic failure

prevention processes.



24/25


Finally

Human error plays a part in most, if

not all, accidents. If you have not

considered human error when

specifying your work, it will be difficult

to show that you have controlled risk to

an acceptable level.

Human error has causes. We

understand some of these and know

how to prevent them. When designing

railway systems you should look for

opportunities to prevent human errorleading to an accident.



25/25

Services are provided by members of the Lloyd's Register Group.

For further information visit www.lr.org/entities

For more information, please contact:

Simon Zhang, Weihang WuLloyds Register Rail (Asia) Ltd

Room 709, CCS Mansion

9 Dongzhimen South Street

Beijing 100007

T +86 (10) 64030868

E [email protected]

w www.lr.org
http://www.lr.org/entitiesmailto:[email protected]://www.lr.org/http://www.lr.org/mailto:[email protected]://www.lr.org/entities

2 7 03 HF in the Development of Safety Critical Railway Systems

Documents