
Lloyds Register Rail (Asia)

Human Factors in the Development of Safety-Critical Railway Systems


Simon Zhang, Technical Director, Lloyds Register Rail (Asia) Ltd

Factors affecting Safety Critical System Development


1. The System: management systems and processes to safely guide and control business activities
2. The People: capable and competent people and culture to deliver safety objectives
3. The Equipment: design of safe and high performing equipment

IRSC 2012 Conference

Human Errors in the Railway World


Human errors can be costly and/or fatal

System Lifecycle

Concept
System Definition & Application Conditions
Risk Analysis
System Requirements
Apportionment of System Requirements
Design & Implementation
Manufacture
Installation
System Validation (including Safety Acceptance and Commissioning)
System Acceptance
Operation & Maintenance
De-commissioning and Disposal

Where do human errors occur in the development lifecycle? What type of errors occur & why? How can they be addressed?

Strategies for addressing Human Error in System Development

EN50126 Guidelines

Human competency
Human independence during design
Human involvement in verification and validation (V&V)
Interface between human and automated tools
Systematic failure prevention processes

Competency is a prerequisite; education and training are assumptions

Application of EN50126

EN50126 Process Framework

EN50129 View (1)


Safety Organisation

EN50129 View (2)


Systematic failure prevention processes

EN50129 View (3)


Human Involvement in V&V

Limitations of Process-Based Standards

Incompleteness of processes
  Inadequate guidance on human factors in system development
Questionable rationale for SIL and processes
  The processes for higher SIL may not produce safer products or systems
Applicability of standards
  Well understood problem domain
  Risk totally covered
  Mature project and safety organisation

Yellow Book View

Compliance based approach

Using existing standards as the driver to develop and evaluate a system

Risk based approach

Using risk assessment as the driver to develop and evaluate a system

Assessor's View (from LR Rail experience)

Emerging Themes from Assessments

Mainly from the Chinese railway signalling industry in the last 3 years
  20+ Chinese companies
  30+ RPC projects
  10+ ISA projects
Aim to explicitly identify and evaluate the underlying risk associated with known human factors in system development
  Using EN50126/9 standards as a starting point
Several themes emerged from the studies relating to human errors & human factors

Chinese Railway Signalling Industry

China has experienced a large number of railway construction projects in both high speed mainline and metro systems
Lessons from last year's 7.23 railway accident
  Due to serious design flaws in control equipment and improper handling of the lightning strike
  Personnel competency is questionable
  Re-examine existing safety management systems and development processes

Initial Findings Theme 1

Human competency

Undefined competence requirements on many roles such as verifier, validator and safety engineer
Training and qualification records may not be trusted
  Certified or qualified training and education institutes are required
  Domain knowledge and experience are more important and can be easily verified via interviewing
Organisational culture and HR policy can also be an influence
  Difficult to keep capable safety engineers

Initial Findings Theme 2

Human Independence during Design

Organisational structures
  E.g. rigidly hierarchical structures
  Two extremes
  Incorrect understanding of allocated responsibilities and authority control
Leadership patterns
Responsibilities and roles

Initial Findings Theme 3

Human Involvement in V&V

Undefined competence requirements on many roles such as verifier, validator and safety engineer
  Lacking domain knowledge from the verifier or auditor
Misunderstanding the role of V&V
Lack of sufficient project resources for V&V activities
  Tight project schedule

Initial Findings Theme 4

Interface between Human and Automated Tools

Undefined competence requirements on the tool users
Lack of guidance on safety analysis over the tools
Difficult to have a systems approach
  Viewing the tool and tool user as a complete system in the context of a project

Initial Findings Theme 5

Systematic failure prevention processes

Inadequate guidance on techniques/measures recommended from standards
  Linking techniques/measures with a level of recommendation does not help; tacit knowledge is required
Undefined competence requirements on many roles such as verifier, validator
Safety management system may also help
  But there is a lack of guidance from the standards

Enhancing assessments to evaluate human factors

Organisational arrangements
  Is there a good working culture? Leadership? Motivation?
  Are roles, responsibilities & authorities defined?
Procedures / task demands
  Can procedures be followed?
  Is there time pressure? What working hours or breaks?
  What training is given? What level of supervision is there?
  What competence is required, and is it well defined?
  Are processes for using tools well developed?
  Is there understanding of safety standards?
Working environment
  Is the lighting OK?
  Is noise a distraction or does it prevent good communication?
  Does the temperature make people tired?
Workstation / workplace
  Can people reach everything? Is there enough space to work? Are there obstructions?
  Can a good working posture be achieved?
Machine interface
  Is the machine/tool easy to use? Is the behaviour of the tool understood by the user?
  What happens if the tool fails (e.g. during V&V)?
  Is it available where it is needed? Does the interface meet expectations?
Person
  What attributes does a person need: good vision/hearing, strength, particular skills, personality traits, motivation?
  Qualifications & experience
  Domain knowledge

How can we bring these into the assessments?

Evolution of the Standards

Introduction of EN50128:2011 Standard
  Definition of 10 roles including verifier and validator
  Guidance on support tools for software development
    Focus on tool validation and tool specification
New development on EN50126/9 standards in the near future
  Merging the EN50126/8/9 standards together
  The role and competence requirements of safety engineer need to be defined
  More guidance on using the HR/R techniques/measures
  Develop guidelines on the SMS (safety management system)
  Interface between human and tools needs to be elaborated

Future Work

Get feedback on the viability and effectiveness of the approach
Conduct more empirical studies from other geographical areas such as Hong Kong, Taiwan, Korea and India
Define a robust human factors evaluation framework
  Consider ranking or quantitative assessment
Provide input to the development of new EN50126/8/9 standards
Industry research into root causes of human errors during system design

Conclusions

Do not take human competency for granted
Company/project management styles can always influence human independence
Human judgement determines the V&V success criteria
Interface between human and automated tools can be unexpectedly complex
Understanding the rationale behind techniques/measures is more important than choosing which to use in the systematic failure prevention processes

Finally

Human error plays a part in most, if not all, accidents. If you have not considered human error when specifying your work, it will be difficult to show that you have controlled risk to an acceptable level. Human error has causes. We understand some of these and know how to prevent them. When designing railway systems you should look for opportunities to prevent human error leading to an accident.

For more information, please contact:

Simon Zhang, Weihang Wu

Lloyds Register Rail (Asia) Ltd
Room 709, CCS Mansion
9 Dongzhimen South Street
Beijing 100007
T +86 (10) 64030868
E simon.zhang@lr.org
W www.lr.org

Services are provided by members of the Lloyd's Register Group. For further information visit www.lr.org/entities