8/12/2019 2 7 03 HF in the Development of Safety Critical Railway Systems
1/25
Lloyds Register Rail (Asia)

Human Factors in the Development of Safety-Critical Railway Systems
Simon Zhang, Technical Director, Lloyds Register Rail (Asia) Ltd

Factors affecting Safety Critical System Development
1. The System: management systems and processes to safely guide and control business activities
2. The People: capable and competent people and a culture to deliver safety objectives
3. The Equipment: design of safe and high-performing equipment
IRSC 2012 Conference

Human Errors in the Railway World
Human errors can be costly and/or fatal

System Lifecycle
Lifecycle phases (V-model):
  Concept
  System Definition & Application Conditions
  Risk Analysis
  System Requirements
  Apportionment of System Requirements
  Design & Implementation
  Manufacture
  Installation
  System Validation (including Safety Acceptance and Commissioning)
  System Acceptance
  Operation & Maintenance
  De-commissioning and Disposal

Where do human errors occur in the development lifecycle?
What type of errors occur, and why?
How can they be addressed?

Strategies for addressing Human Error in System Development
EN50126 guidelines:
  Human competency
  Human independence during design
  Human involvement in verification and validation (V&V)
  Interface between human and automated tools
  Systematic failure prevention processes
Application of EN50126:
  Competency is a prerequisite
  Education and training are assumptions

EN50126 Process Framework

EN50129 View (1): Safety Organisation

EN50129 View (2): Systematic failure prevention processes

EN50129 View (3): Human Involvement in V&V

Limitations of Process-Based Standards
Incompleteness of processes
  Inadequate guidance on human factors in system development
Questionable rationale for SIL and processes
  The processes for a higher SIL may not produce safer products or systems
Applicability of standards
  Well understood problem domain
  Risk totally covered
  Mature project and safety organisation

Yellow Book's View
Compliance-based approach: using existing standards as the driver to develop and evaluate a system
Risk-based approach: using risk assessment as the driver to develop and evaluate a system

Assessor's View (from LR Rail experience)

Emerging Themes from Assessments
Mainly from the Chinese railway signalling industry in the recent 3 years:
  20+ Chinese companies
  30+ RPC projects
  10+ ISA projects
Aim: to explicitly identify and evaluate the underlying risk associated with known human factors in system development, using the EN50126/9 standards as a starting point
Several themes emerged from the studies relating to human errors and human factors

Chinese Railway Signalling Industry
China has experienced a large number of railway construction projects in both high-speed mainline and metro systems
Lessons from last year's 7.23 railway accident:
  Due to serious design flaws in control equipment and improper handling of the lightning strike
  Personnel competency is questionable
  Re-examine existing safety management systems and development processes

Initial Findings: Theme 1, Human competency
Undefined competence requirements on many roles such as verifier, validator and safety engineer
Training and qualification records may not be trusted
  Certified or qualified training and education institutes are required
Domain knowledge and experience are more important and can be easily verified via interviewing
Organisational culture and HR policy can also influence competency
  Difficult to keep capable safety engineers

Initial Findings: Theme 2, Human Independence during Design
Organisational structures
  E.g. rigidly hierarchical structures
Leadership patterns
  Two extremes
Responsibilities and roles
  Incorrect understanding of allocated responsibilities and authority control

Initial Findings: Theme 3, Human Involvement in V&V
Undefined competence requirements on many roles such as verifier, validator and safety engineer
Lack of domain knowledge on the part of the verifier or auditor
Misunderstanding the role of V&V
Lack of sufficient project resources for V&V activities
  Tight project schedule

Initial Findings: Theme 4, Interface between Human and Automated Tools
Undefined competence requirements on the tool users
Lack of guidance on safety analysis of the tools
Difficult to take a systems approach
  Viewing the tool and the tool user as a complete system in the context of a project

Initial Findings: Theme 5, Systematic failure prevention processes
Inadequate guidance on the techniques/measures recommended by the standards
  Linking techniques/measures with a level of recommendation does not help
  Tacit knowledge is required
Undefined competence requirements on many roles such as verifier and validator
A safety management system may also help
  But there is a lack of guidance from the standards

Enhancing assessments to evaluate human factors
Six areas to examine, with the questions each raises:

Machine interface
  Is the machine/tool easy to use?
  Is the behavior of the tool understood by the user?
  What happens if the tool fails (e.g. during V&V)?
  Is it available where it is needed?
  Does the interface meet expectations?
Workstation/workplace
  Can people reach everything?
  Is there enough space to work?
  Are there obstructions?
  Can a good working posture be achieved?
Working environment
  Is the lighting OK?
  Is noise a distraction, or does it prevent good communication?
  Does the temperature make people tired?
Person
  What attributes does a person need: good vision/hearing, strength, particular skills, personality traits, motivation?
  Qualifications & experience
  Domain knowledge
Procedures/task demands
  Can procedures be followed?
  Is there time pressure?
  What working hours or breaks?
  What training is given?
  What level of supervision is there?
  What competence is required, and is it well defined?
  Are processes for using tools well developed?
  Is there understanding of safety standards?
Organisational arrangements
  Is there a good working culture, leadership and motivation?
  Are roles, responsibilities & authorities defined?

How can we bring these into the assessments?

Evolution of the Standards
Introduction of the EN50128:2011 standard
  Definition of 10 roles, including verifier and validator
  Guidance on support tools for software development
  Focus on tool validation and tool specification
New development of the EN50126/9 standards in the near future
  Merging the EN50126/8/9 standards together
  The role and competence requirements of the safety engineer need to be defined
  More guidance on using the HR/R techniques/measures
  Develop guidelines on the SMS (safety management system)
  Interface between human and tools needs to be elaborated

Future Work
Get feedback on the viability and effectiveness of the approach
Conduct more empirical studies from other geographical areas such as Hong Kong, Taiwan, Korea and India
Define a robust human factors evaluation framework
  Consider ranking or quantitative assessment
Provide input to the development of the new EN50126/8/9 standards
Industry research into root causes of human errors during system design

Conclusions
Do not take human competency for granted;
Company/project management styles can always influence human independence;
Human judgement determines the V&V success criteria;
Interface between human and automated tools can be unexpectedly complex;
Understanding the rationale behind techniques/measures is more important than choosing which ones to use in the systematic failure prevention processes.

Finally
Human error plays a part in most, if not all, accidents. If you have not considered human error when specifying your work, it will be difficult to show that you have controlled risk to an acceptable level.
Human error has causes. We understand some of these and know how to prevent them. When designing railway systems you should look for opportunities to prevent human error leading to an accident.

Services are provided by members of the Lloyd's Register Group.
For further information visit www.lr.org/entities
For more information, please contact:
Simon Zhang, Weihang Wu
Lloyds Register Rail (Asia) Ltd
Room 709, CCS Mansion
9 Dongzhimen South Street
Beijing 100007
T +86 (10) 64030868
w www.lr.org