Presentation - International Rail Safety Conference (IRSC)

Lloyd’s Register Rail (Asia)
Human Factors in the Development of Safety-Critical Railway Systems
Simon Zhang, Technical Director, Lloyd’s Register Rail (Asia) Ltd
Factors affecting Safety Critical System Development
1. The System: management systems and processes to safely guide and control business activities
2. The People: capable and competent people and a culture to deliver safety objectives
3. The Equipment: design of safe and high performing equipment
IRSC 2012 Conference
Human Errors in the Railway World
Human errors can be costly and/or fatal
System Lifecycle (EN50126 V-cycle phases)
• Concept
• System Definition & Application Conditions
• Risk Analysis
• System Requirements
• Apportionment of System Requirements
• Design & Implementation
• Manufacture
• Installation
• System Validation (including Safety Acceptance and Commissioning)
• System Acceptance
• Operation & Maintenance
• De-commissioning and Disposal
Questions:
• Where do human errors occur in the development lifecycle?
• What type of errors occur & why?
• How can they be addressed?
Strategies for addressing Human Error in System Development
• EN50126 Guidelines
  • Human competency
  • Human independence during design
  • Human involvement in verification and validation (V&V)
  • Interface between human and automated tools
  • Systematic failure prevention processes
• Application of EN50126
  • Competency is a prerequisite
  • Education and training are assumptions
EN50126 Process Framework (figure)
EN50129 View (1): Safety Organisation (figure)
EN50129 View (2): Systematic failure prevention processes (figure)
EN50129 View (3): Human Involvement in V&V (figure)
Limitations of Process-Based Standards
• Incompleteness of processes
  • Inadequate guidance on human factors in system development
• Questionable rationale for SIL and processes
  • The processes for higher SIL may not produce safer products or systems
• Applicability of standards (assumptions built into them)
  • Well understood problem domain
  • Risk totally covered
  • ‘Mature’ project and safety organisation
Yellow Book’s View
• Compliance based approach
  • Using existing standards as the driver to develop and evaluate a system
• Risk based approach
  • Using risk assessment as the driver to develop and evaluate a system
Assessor’s View (from LR Rail experience) (figure)
Emerging Themes from Assessments
• Mainly from the Chinese railway signalling industry in the recent 3 years
  • 20+ Chinese companies
  • 30+ RPC projects
  • 10+ ISA projects
• Aim to explicitly identify and evaluate the underlying risk associated with known human factors in system development
  • Using EN50126/9 standards as a starting point
• Several themes emerged from the studies relating to human errors & human factors
Chinese Railway Signalling Industry
• China has experienced a large number of railway construction projects in both high speed mainline and metro systems
• Lessons from last year’s 7.23 railway accident (23 July 2011)
  • Due to serious design flaws in control equipment and improper handling of the lightning strike
  • Personnel competency is questionable
  • Existing safety management systems and development processes need to be re-examined
Initial Findings – Theme 1
• Human competency
  • Undefined competence requirements on many roles such as verifier, validator and safety engineer
  • Training and qualification records may not be trusted
    • Certified or qualified training and education institutes are required
  • Domain knowledge and experience are more important and can be easily verified via interviewing
  • Organisational culture and HR policy can also influence competency
    • Difficult to keep capable safety engineers
Initial Findings – Theme 2
• Human independence during design
  • Organisational structures
    • E.g. rigidly hierarchical structures
  • Leadership patterns
    • Two extremes
  • Responsibilities and roles
    • Incorrect understanding of allocated responsibilities and authority control
Initial Findings – Theme 3
• Human involvement in V&V
  • Undefined competence requirements on many roles such as verifier, validator and safety engineer
  • Lack of domain knowledge on the part of the verifier or auditor
  • Misunderstanding of the role of V&V
  • Lack of sufficient project resources for V&V activities
  • Tight project schedule
Initial Findings – Theme 4
• Interface between human and automated tools
  • Undefined competence requirements on the tool users
  • Lack of guidance on safety analysis of the tools themselves
  • Difficult to take a systems approach
    • i.e. viewing the tool and the tool user as one complete system in the context of a project
Initial Findings – Theme 5
• Systematic failure prevention processes
  • Inadequate guidance on the techniques/measures recommended by the standards
    • Linking techniques/measures with a level of recommendation does not help on its own
    • Tacit knowledge is required
  • Undefined competence requirements on many roles such as verifier and validator
  • A safety management system may also help
    • But there is a lack of guidance from the standards
Enhancing assessments to evaluate human factors (figure: assessment question map)
• Person
  • What attributes does a person need: good vision/hearing, strength, particular skills, personality traits, motivation?
  • Qualifications & experience
  • Domain knowledge
• Organisational arrangements
  • Is there good working culture, leadership, motivation?
  • Are roles, responsibilities & authorities defined?
  • What training is given?
  • What level of supervision is there?
  • What competence is required – are these well defined?
  • Is there understanding of safety standards?
• Procedures/task demands
  • Can procedures be followed?
  • Is there time pressure?
  • What working hours or breaks?
  • Are processes for using tools well developed?
• Working environment
  • Is the lighting OK?
  • Is noise a distraction or does it prevent good communication?
  • Does the temperature make people tired?
• Workstation/workplace
  • Can people reach everything?
  • Is there enough space to work?
  • Are there obstructions?
  • Can a good working posture be achieved?
• Machine interface
  • Is the machine/tool easy to use?
  • Is the behaviour of the tool understood by the user?
  • What happens if the tool fails (e.g. during V&V)?
  • Is it available where it is needed?
  • Does the interface meet expectations?
How can we bring these into the assessments?
Evolution of the Standards
• Introduction of the EN50128:2011 standard
  • Definition of 10 roles including verifier and validator
  • Guidance on support tools for software development
    • Focus on tool validation and tool specification
• New development of the EN50126/9 standards in the near future
  • Merging the EN50126/8/9 standards together
  • The role and competence requirements of the safety engineer need to be defined
  • More guidance on using the HR/R (highly recommended/recommended) techniques/measures
  • Develop guidelines on the SMS (safety management system)
  • The interface between humans and tools needs to be elaborated
Future Work
• Get feedback on the viability and effectiveness of the approach
• Conduct more empirical studies from other geographical areas such as Hong Kong, Taiwan, Korea and India
• Define a robust human factors evaluation framework
  • Consider ranking or quantitative assessment
• Provide input to the development of the new EN50126/8/9 standards
• Industry research into root causes of human errors during system design
Conclusions
• Do not take human competency for granted;
• Company/project management styles can always influence human independence;
• Human judgement determines the V&V success criteria;
• The interface between humans and automated tools can be unexpectedly complex;
• In the systematic failure prevention processes, understanding the rationale behind the techniques/measures is more important than choosing which ones to apply.
Finally
• “Human error plays a part in most, if not all, accidents. If you have not considered human error when specifying your work, it will be difficult to show that you have controlled risk to an acceptable level”.
• “Human error has causes. We understand some of these and know how to prevent them. When designing railway systems you should look for opportunities to prevent human error leading to an accident”.
For more information, please contact:
Simon Zhang, Weihang Wu
Lloyd’s Register Rail (Asia) Ltd
Room 709, CCS Mansion
9 Dongzhimen South Street
Beijing 100007
T +86 (10) 64030868
E simon.zhang@lr.org
w www.lr.org
Services are provided by members of the Lloyd's Register Group.
For further information visit www.lr.org/entities