A SYSTEMS APPROACH TO ENHANCING RAILWAY SAFETY ASSURANCE


Paul Hollywell
BSc, MSc (Lon), MSc (UCL), CEng, MIET, MINCOSE, FIEHF

Technical Director, Railways Division, Mott MacDonald Limited


T +44 (0)20 8774 2609; E paul.hollywell@mottmac.com

Summary
This paper describes how the quality of Safety Assurance can be enhanced through a full and proper
understanding of (a) how the complexity of major rail projects can be managed successfully, (b) how
human and organisational failures can impact railway safety, and (c) how that understanding can
improve using contemporary Safety Assurance processes, methods and tools. This is done by
exploring the synergistic relationships between Systems Engineering (SE), Human Factors &
Ergonomics (HFE) and Safety Assurance. SE promotes structured design and delivery processes
which reduce risk and improve the efficiency of design, delivery, operation and maintenance of
complex engineering projects. HFE manages the human behaviour contribution to system safety
through understanding a person’s capabilities and limitations and evaluating human performance.
Safety Assurance provides confidence as a project progresses through its lifecycle that the delivered
system will be safe to operate and maintain. This paper explains how the quality of Safety Assurance
can be enhanced by applying SE and HFE principles when using contemporary Safety Assurance
processes, methods and tools on major rail projects.

1. INTRODUCTION

“With advances in technology, major projects have become hugely complex. Great engineers of the past like Stephenson and Brunel could conduct an entire project with a manageable ‘headful’ of information. This is no longer possible …”
Major Projects Association, 2002 [11]

In recent years it has become widely recognised that “major projects have become hugely complex”, none more so than rail projects. Those working within the rail industry are all too familiar with how challenging the rail environment can be and how difficult it is to introduce changes. It is not always appreciated by those outside the industry that this is because railways are highly complex due to their inherent nature.

1.1. Complexity of Rail Projects

There are a range of factors associated with the inherent nature of a railway that make rail projects highly complex. First, a railway is a system made up of various different subsystems that are normally distributed over large geographical areas. Also, these subsystems are normally closely coupled and interact so that perturbations or failures in one subsystem can quickly impact on other subsystems. These subsystems involve a range of different engineering disciplines. In those parts of the world where railways were established in the 1800s and 1900s, there can be a mix of ‘old’ and ‘new’ technologies which is challenging. In some locations, the railway is expected to operate almost 24/7, 52 weeks of the year. This means that introducing a major change to a railway has to be done as a series of smaller changes (i.e. stage works), each of which has to be managed as a mini-rail project in its own right. And at all times, the public expects high levels of service and safety and therefore safety authorities require projects to adopt rigorous Systems Assurance.

Over the last decade the complexity of a railway has increased further due to the higher demands placed on it by passengers and other stakeholders. The trends and drivers of these enhancements cover three areas: effective operations, quality service and efficient systems [1]. Better operational performance includes increased capacity and improved reliability. Enhanced quality includes responsive customer information, product
delivery and increased safety. Improved efficiency includes reduced cost, lower emissions and limited external impact. To meet these needs the industry is making changes to the design and operation of railway systems to improve the service, reduce cost, raise energy efficiency, lower emissions, provide sustainable solutions and lessen the impact on the environment. While all these developments are happening, the rail industry is expected to maintain or even improve its already high safety standards and follow rigorous Systems Assurance processes. Therefore Safety Assurance needs to remain a key part of the overall Systems Assurance process of all rail projects whilst advancing as a discipline to meet these stringent safety requirements and regulatory approvals.

1.2. Objective of Paper

This paper explores the synergistic relationships between Systems Engineering (SE), Human Factors and Ergonomics (HFE) and Safety Assurance. It explains how the quality of Safety Assurance can be enhanced by applying SE and HFE principles when using contemporary Safety Assurance processes, methods and tools on major rail projects.

2. SYSTEMS ENGINEERING (SE)

“Engineering systems, and the problems that they seek to solve, are becoming more complex. … We need Integrated System Design that looks holistically at both the need and the solution, and we need engineers who can think holistic to carry it out”.
Royal Academy of Engineering, 2007 [18]

In recent years Systems Engineering (SE) has developed into a mature discipline that promotes structured design and delivery processes making all decision-making explicit and justifiable throughout the project lifecycle. Such an approach reduces risk and improves the management of complex engineering through the project lifecycle. The International Council on Systems Engineering (INCOSE) defines SE as: “an interdisciplinary approach and means to enable the realization of successful systems. It focuses on defining customer needs and required functionality early in the development cycle, documenting requirements, and then proceeding with design synthesis and system validation while considering the complete problem: operations, cost and schedule, performance, training and support, test, manufacturing, and disposal. SE considers both the business and the technical needs of all customers with the goal of providing a quality product that meets the user needs” [8]. A simpler (and much shorter) definition from the INCOSE UK Chapter defines SE as: “a structured and auditable approach to identifying requirements, managing interfaces and controlling risk throughout the project lifecycle” [7].

SE is essentially ‘systems thinking’ applied to engineering projects. Although the Body of Knowledge for SE is large and wide-ranging (e.g. INCOSE Handbook [8] and ISO SE standard 15288 [9]), a large part of SE can be described via the five concepts of ‘systems thinking’ [2].

2.1. Five Concepts Describing SE

Applying the five concepts of ‘systems thinking’ to an engineering project via the SE discipline assists in managing project complexities effectively and reducing risk, including safety risk.

2.1.1 Holism

Holism comes from the Greek word ‘holos’ which means ‘whole’. This concept encourages the analysis of a system as a whole rather than merely the separate analysis of its subsystems. This is because the system’s functioning and performance cannot be fully understood solely in terms of its component parts. It is only when a system’s elements are combined that it gains qualities that are not present in the separate parts; they only exist when these parts are combined together. Those qualities are known as the emergent properties of the system and include safety, reliability and operational performance. Complex systems, in which the parts interact with each other and with the surrounding environment to determine how the system behaves, are becoming a serious challenge to engineers as such systems rarely behave exactly as intuition would predict [18].
2.1.2 Hierarchy

The concept of hierarchy is a commonly understood one as most engineered systems (and also most organisational systems) are hierarchical in nature. The structure of the whole system can be represented as a supersystem comprising a hierarchy of systems, subsystems and components. (A supersystem is also known as a ‘system-of-systems’.) Considering how the supersystem is structured, one engineer’s system can be another person’s supersystem or subsystem. It should be noted that the risks associated with each subsystem in the hierarchy contribute to and ultimately determine the risks of the whole system. A system breakdown structure is a valuable way in which an engineer can, through progressive decomposition of the whole system, represent and gain an understanding of a large, complex system and assign project responsibilities to the appropriate disciplines. The disadvantage of hierarchies is that they can sometimes encourage ‘silo engineering’, i.e. a loss of being part of a ‘bigger picture’.

2.1.3 Lifecycles

The concept of lifecycles is also commonly understood as most engineering projects are divided up into discrete stages to make them more manageable, i.e. to aid the planning and control of resources. A lifecycle is composed of a number of clearly defined and distinct work phases which designers and engineers use to plan for, design, build, test, and deliver engineered systems. Lifecycles make engineers aware of the totality of the project development and implementation process. Lifecycles also remind engineers to think about the later stages of a project during design development rather than waiting until designs are complete. This is known as ‘left shift’ or concurrent design, which brings efficiencies through avoiding redundant design work and/or poor design solutions caused by irreversible decisions. This is because it is easier and cheaper to make changes during design than afterwards. An obstacle to implementing ‘left shift’ is the level of effort needed early in a project.

2.1.4 Partitioning

Considering how a system can be divided up into discrete subsystems in order to manage complexity (i.e. ‘dividing and conquering’) is the concept of partitioning. The resulting relationship between system functions and subsystems can sometimes be modular (i.e. ‘one-to-one’) or integrated (i.e. ‘X-to-Y’). There are clear advantages from partitioning a large and complex system, similar to those for hierarchy above. It reduces the complexity of the overall system and apportions the responsibilities for individual functions/subsystems between the most capable and competent resources. The disadvantage of these partitions is that they create interfaces (i.e. technical, contractual and organisational) that need to be carefully managed. Also, it can again sometimes encourage ‘silo engineering’. Having partitioned a system, developed a design and implemented a solution, there are the various challenges associated with recombining the whole system, i.e. system integration. One of these challenges is the successful management of a system’s emergent properties, including the safety of the system.

2.1.5 Subjectivity

The concept of subjectivity involves gaining a deeper understanding of a system through looking at it from different perspectives. Not only does this invite different interpretations and a wider set of requirements, it also acquires valuable subjective and cultural information. Thus, this approach provides a richer and more complete understanding of a system. It may also reveal and anticipate concerns or issues early in the project lifecycle when they can be dealt with quickly and cheaply. Inviting project stakeholders to become involved at different lifecycle stages can bring benefits to a project. For example: an owner is mainly interested in system ‘value’; a designer in system design; a supplier in system manufacture/construction; an operator in system operability; a maintainer in system maintainability; a neighbour in system impact; and a regulator in system compliance with regulations. Each of these stakeholder perspectives and concerns brings insights that identify areas of opportunity and risk.
2.2. Benefits of SE

The benefits from applying SE to rail projects are varied and numerous, including better designs, fewer design changes, fewer design errors, and less abortive work and rework. Further benefits can be achieved through reduced through-life costs and reduced deployment timescales. Using a “structured and auditable approach” based on ‘systems thinking’ will improve system reliability, availability, maintainability and safety. It is the latter benefit of SE that will be explored later in this paper.

HUMAN FACTORS & ERGONOMICS (HFE)

“To err is human; to forgive, divine”.
Alexander Pope (1688-1744) [13]

It is now widely accepted that human error contributes significantly to accidents in the high-hazard industries including rail. Over the last few decades this HFE contribution has increased greatly, not because humans have become any less reliable but because engineering and equipment have become much more reliable and more controllable functions have been implemented. The International Ergonomics Association (IEA) defines HFE as: “the scientific discipline concerned with the understanding of interactions among humans and other elements of a system, and the profession that applies theory, principles, data and methods to design in order to optimize human well-being and overall system performance.” [6].

HFE aims to ensure that designs complement the strengths and abilities of people and minimise the effects of their limitations, rather than forcing them to adapt. Poor designs can cause people to commit errors, adapt their behaviours and violate rules [19]. This can undermine the human reliability and performance levels claimed by some safety arguments used in safety cases. If claims on human performance are to be used, it is important to first have a full and proper understanding of human behaviour and human error.

2.3. Human Error Types

To properly understand human error, first some understanding of the different types of human behaviour is needed. The Skills, Rules and Knowledge (SRK) classification of human performance has been widely adopted to describe human performance in a range of situations [14].

Skill-based behaviour is adopted when completing familiar and routine tasks that can be carried out smoothly with little conscious thought. Rule-based behaviour is adopted when carrying out more complex or less familiar tasks according to rules (written or remembered). Knowledge-based behaviour is adopted when a completely novel situation is encountered for which no rules exist and a task requires a plan of action. The development of such a plan is derived from ‘first principles’ based on the physical and functional properties of a system.

The main factors that determine whether we select skill-, rule- or knowledge-based behaviour are our understanding and experience in a particular situation. The more practised and experienced we are, the more skill-based our behaviour. The less practised and experienced we are, the more we rely on rules. In the extreme, we may have to fall back on our knowledge-based behaviour and work out a plan of action from scratch.

The SRK classification of human performance is used to describe three basic human error types: skill-based errors, rule-based errors, and knowledge-based errors [16].

2.3.1 Skill-based errors

Skill-based human errors are most likely to occur during the largely automatic execution of routine actions in familiar surroundings. Almost invariably our minds are on things other than the immediate details of the task. People are very good at performing these habitual, skill-based actions so long as things remain exactly as they have always been. ‘Slips’ occur when we fail to execute an action as planned through inattention, due to failing to monitor the progress of our actions. ‘Lapses’ occur due to memory failures, when we forget
to carry out an intended action (i.e. omission) or forget that we have already performed a certain action (i.e. repetition).

2.3.2 Rule-based errors

Rule-based human errors are most likely to occur when we are dealing with familiar situations, but apply the wrong ready-made solution. These errors are known as ‘rule-based mistakes’ and they come in two basic forms. We can either misapply a normally ‘good’ plan of action, one that has worked in a similar situation before, failing to notice the signs which indicate the need for another approach (i.e. strong-but-wrong). Or we can simply apply a ‘bad’ plan of action, one that has not been used in a similar situation before and therefore we have no previous evidence that it works. Rule-based mistakes occur when we execute an action as planned but an inappropriate plan of action was chosen.

2.3.3 Knowledge-based errors

Knowledge-based human errors are most likely to occur when we run out of ready-made solutions and have to go back to thinking from ‘first principles’ in a totally new situation. Knowledge-based reasoning is fallible and these types of errors are known as ‘knowledge-based mistakes’. Although people are good at coming up with new solutions for dealing with exceptional circumstances when they have plenty of time to think, we are generally very bad at doing this under time pressure, high stress and with the prospect of imminent disaster. Knowledge-based mistakes also occur when we execute an action as planned but an inappropriate plan of action was chosen.

The SRK classification of human performance explains why the different types of human error occur (i.e. slips, lapses and mistakes). Such human errors can lead to the unintentional breaking of rules, through incorrectly executing an appropriate plan of action or correctly executing an inappropriate plan of action. This is in contrast to violations, where people deliberately set out to break rules.

2.4. Violations

A violation is distinct from a human error in that a deliberate decision is made to deviate from a prescribed plan of action (i.e. rule or procedure), for many reasons. Usually it is a deliberate but non-malicious non-compliance with the rules and procedures. While the non-compliance is intended, the bad outcomes that sometimes ensue are not. (Procedural non-compliances committed by vandals, thieves, saboteurs and terrorists are not normally included as violations in the human error literature.)

Just as there are different types of human error, so there are different types of violation. Violations may be ‘routine’, ‘situational’ or ‘exceptional’ [4]. Again, using the SRK classification of human performance, these different types of violation can be classified in a similar way as human errors [3] & [20].

2.4.1 Knowledge-based violations

Exceptional violations can be considered as knowledge-based violations. These violations are rare and happen only in unusual situations, often when something goes wrong unexpectedly, when we enter a totally unfamiliar situation and have to think from ‘first principles’ how to solve the problem, e.g. during an emergency; or when the plans of action that we normally follow start to break down, forcing us to break the rules and procedures. Should this type of violation become a regular or habitual event, then it could become a rule-based violation.

2.4.2 Rule-based violations

Situational violations can be considered as rule-based violations. These violations occur when we enter a familiar situation and follow a plan of action that has worked for us before but goes against the rules and procedures. Often these violations are dictated by a person’s immediate work space or environment (physical or organisational). These can include the design and condition of the work area, time pressure, number of staff, supervision, equipment availability and design, weather and time of day. Should this type of violation become the normal way a person (or peer/work group) behaves, then it is likely that
it will become habitual and develop into a skill-based violation.

2.4.3 Skill-based violations

Routine violations can be considered as skill-based violations. These violations occur when we automatically and unconsciously break a rule or procedure because such an action has become a natural response to us (or our peer/work group) and such actions have gone unchallenged in the past.

The concept of skill-, rule- and knowledge-based violations is extremely useful as it simplifies the nature of violations and makes them more understandable to the non-specialist. It also reveals strategies for reducing violations that are similar to those used to combat skill-, rule- and knowledge-based human errors, as outlined later. The above reasons for human error and violations are summarised in Figure 2.

2.5. Improving Human Performance

Understanding why human error and violations occur enables effective strategies to be developed for improving human performance.

2.5.1 Reducing human error

The strategies adopted to reduce human error need to recognise the different types of human behaviour that cause these occurrences [5].

Skill-based errors, i.e. slips and lapses, cannot be totally eliminated, but changing the design through applying HFE guidance can reduce the likelihood of human error occurring. Design changes can also reduce the degree of harm when human error does occur.

Rule-based mistakes can be reduced through aiding an individual in three areas. Giving training to a person provides knowledge and experience in applying plans of action. This should be done after design improvements have been made so that training costs are minimised. Supporting a person when carrying out a task (e.g. supervision, procedures, checklists, decision-making tools, automation) will assist greatly. Raising a person’s awareness of the needs and benefits of actions, rather than allowing them to ‘mindlessly’ follow a series of procedural steps, is the third area.

Knowledge-based mistakes can be reduced through attempting to ensure that a person never has to rely on knowledge-based reasoning in a safety-related situation, and that the available rules and procedures are adequate, particularly when the situation could be stressful. If, however, knowledge-based reasoning is unavoidable, a person should be given sufficient knowledge and experience of a system to ensure they can reason reliably.

2.5.2 Reducing violations

Any strategies adopted to reduce violations need both to reduce a person’s motivation to commit violations and to change an organisation’s processes to reduce the opportunity and likelihood of violations being committed. Both these ‘internal’ and ‘external’ aspects of violations need to be dealt with [12]. Violations tend to originate from a perceived conflict between an individual person’s goals and the goals of an organisation. For example, an organisation wants to improve safety, whilst an individual may at times decide to improve their own efficiency, speed, comfort, convenience, finances or social conformance. A large part of reducing violations successfully is about aligning personal and organisational goals.

2.6. Benefits of HFE

It can be seen that humans are fallible and errors can be expected in predictable ways. HFE provides a valuable understanding of human performance, clarifies how people contribute to safety, and gives guidance on how human performance can be improved and assured as part of safety arguments. The safety of human performance could relate to tasks required to be undertaken during normal, abnormal or emergency conditions.

3. ORGANISATIONAL SAFETY

People form organisations to enable certain functions to be performed. With regard to rail projects these functions cover project delivery, and railway operation and maintenance. These organisations have developed processes and procedures to manage safety which can be observed in a Design Safety Case, Operational Safety Case and
Operational Safety Management System (SMS). By examining a system model of an organisation it can be seen how organisations can fail with safety consequences and how HFE contributes to those failures. The system model shows that humans are fallible and errors can be expected in predictable ways in the best of organisations, and errors are the consequences of systemic factors. When organisations fail it is due to system defences being breached, not a deficient individual.

An organisational accident results from the combination of an unsafe act and an unsafe condition (see Figure 3, based on [15] and [17]). The negative consequences of organisational processes can affect the rail environment, where they can influence task and local conditions that promote unsafe acts (errors or violations) and unsafe conditions (breaches in defences, barriers and safeguards). Organisational accidents result from unsafe acts penetrating the defences to produce damaging outcomes. By expanding the key elements of the model we can see how HFE and defensive failures can lead to accidents (see Figure 4).

An accident sequence can be divided into four levels: culture, climate, situation and event. Both HFE and defensive failures have their origin in the various organisational processes. Culture emanates from senior management and influences climate. Climate relates to local conditions (local management, resources and workforce) and is divided into two interacting sets of factors: local working conditions and defences within that location. It should be noted that climate changes much more rapidly than culture. Local management is highly influential in determining the psychological working conditions and the effectiveness of defences.

The system model of an organisation, although not perfect, tells us a great deal about how organisations can fail, i.e. about accidents, and what can be done to reduce such occurrences. First, human rather than technical failures pose the greatest threat to complex and potentially hazardous systems. As has already been explained, human failures can be reduced but cannot be totally eliminated, and have different underlying psychological mechanisms requiring different strategies to reduce them. Second, decisions that affect safety occur at all levels of the system, not just at the ‘sharp end’. Therefore, effective risk management requires the simultaneous and targeted deployment of limited remedial resources (e.g. money, staff, support, training) at different levels of the system: organisation and senior management, local working conditions and local management, situation/task and individual/team.

4. ENHANCING RAILWAY SAFETY ASSURANCE

Having gained a fuller understanding of the complexity of major rail projects and how human and organisational failures can impact railway safety, we can now explore how the quality of Railway Safety Assurance can be enhanced by improving the use of contemporary Safety Assurance processes, methods and tools.

4.1. Overview of Safety Assurance

When a new railway is being introduced or a change made to an existing rail system, safety can be compromised. Thus, Safety Analysis techniques have been developed over the years to provide structured and systematic approaches that give confidence, as a project progresses through its lifecycle, that the delivered system will be safe to operate and maintain. During a project’s design development stage this process is achieved by asking:

- What can go wrong? (i.e. Hazard Identification)
- How often can it go wrong and what would be the consequence? (i.e. Hazard Assessment)
- How can this risk be reduced to the required level of safety? (i.e. Hazard Reduction)

This process is undertaken by the project delivery organisation’s designers and iterates until the design has reduced all safety risks to the required level of safety. Any hazards that require control measures that involve operation/maintenance actions to achieve a
tolerable safety level are agreed with the railway operation/maintenance organisation. Evidence that this process has been done comprehensively is captured in the Design Safety Case (see Figure 1).

During a project’s production stage, the railway operation/maintenance organisation develops control measures to reduce to a tolerable level those safety risks associated with the hazards transferred from the design development stage. Evidence that this process has been done comprehensively is captured in the Operational Safety Case (see Figure 1). The railway operation/maintenance organisation also develops safety risk control measures, such as policies and procedures, to manage the hazards associated with operations and maintenance activities. Evidence of the adequacy of these control measures is captured in the Operational SMS (see Figure 1).

4.2. Enhancing the Quality of Safety Assurance

The above Safety Assurance processes and practices are supported by a number of established techniques. By applying SE and HFE principles to these contemporary Safety Analysis processes, methods and tools on major rail projects we are able to enhance the quality of Safety Assurance. Some of these enhancements are described in this section.

4.2.1 SE principles

‘Holism’ reminds us that the safety of the whole rail system needs to be assured and not just the separate subsystems. This is because safety is an emergent property of a system and can only be assured when all the interacting parts and surrounding environment are considered. Although the concept of ‘hierarchy’ is valuable when it comes to dividing up the safety analysis of a large and complex rail system into simpler, less complex subsystems (i.e. through Subsystem Hazard Analysis), it is important to remember that safety can only be assured when safety is assessed for the totally integrated rail system.

In managing complexity, the concept of ‘partitioning’ a large and complex rail system assists in dividing up the task of delivering the different parts of the system and apportioning responsibilities. However, it also creates interfaces that need to be carefully managed. Where these interfaces are technical or organisational, there may be safety implications if they are not controlled adequately. It is therefore important that when the Safety Analysis of a large and complex rail system has been simplified through Subsystem Hazard Analysis, hazards that cross subsystem boundaries are still identified. These interface hazards may be technical or organisational and should not be overlooked during the design development stage. Similarly, it is crucial that hazards that cross organisational boundaries are properly controlled within an Operational SMS.

‘Lifecycles’ makes it clear that Safety Assurance should not just be thinking about designing the system for operation. Designers should also consider the safety issues that arise during the other lifecycle stages: the safety of construction, integration, testing, commissioning, maintenance and decommissioning of the rail system. It also reminds us that the consideration of safety early in design development enables Safety Assurance to inform the design and not just demonstrate the safety of the design. This early consideration of safety can create the opportunity for inherently safer designs and sometimes lead to cost savings by avoiding the unnecessary over-engineering of safety features. Sometimes hazard identification workshops held early in design development provide the first opportunity for the different design disciplines to come together to discuss and evaluate the overall design. Such forums are valuable in integrating the design.

The concept of ‘subjectivity’ reminds us of the importance of involving a wide range of stakeholders, and not just designers, when identifying safety hazards and reducing safety risks. Thus, by involving contractors, systems engineers, testing and commissioning engineers, and operations and maintenance staff in hazard identification workshops (e.g. HAZOPs or checklists), hazards associated with all lifecycle stages can be identified. Additionally, having a HFE specialist involved in Safety
Assurance will greatly enhance how potential human failures are identified and dealt with across the system lifecycle.

4.2.2 HFE principles

During a project’s design development stage, HFE has a crucial and important contribution to make in enhancing Safety Assurance. As already mentioned, including a HFE specialist in hazard identification improves the recognition of how potential human failures can impact system safety. For hazard assessment, HFE techniques such as Human Reliability Assessment (HRA) [10] are able to provide estimates of human error probabilities, thus enabling the cost-effectiveness of proposed safety risk control measures to be thoroughly evaluated. For hazard reduction where human performance is involved, HFE is able to propose safety risk control measures based on strategies that understand the underlying human behaviour types. This enables effective control measures to tackle human error and violations to be developed and implemented.

Also part of enhancing Safety Assurance is ensuring that HFE is integral to project design

important to recognise that a railway operation/maintenance organisation can fail to maintain a safe system due to a combination of unsafe acts and unsafe conditions, as described earlier in this paper and in Figure 4. It is therefore crucial that an organisation monitors its safety performance. This is often done using both reactive indicators (e.g. near-miss, incident and accident reports) and proactive indicators (e.g. safety tours and inspections, audits and reviews). An understanding of the influence that HFE has on how organisational processes can promote unsafe acts and unsafe conditions, and how these can manifest themselves in human error and violations, is an essential part of an organisation’s self-awareness of its resilience in managing safety. Thus, it is generally accepted that an operation’s SMS needs to be a living management system, constantly improving and adapting to changes in the environment. HFE can play an important part in that continuous improvement process.

5. CONCLUSIONS

This paper has described how the quality of Safety Assurance can be enhanced through a full and proper understanding of (a) how the
as this ensures that designs are developed to complexity of major rail projects can be
take proper account of a person’s human managed successfully, (b) how human and
limitations and capabilities. This increases the organisational failures can impact railway
ability to alter a design to eliminate a safety safety, and (c) how that understanding can
hazard rather than having to resort to less improve using contemporary Safety Analysis
effective measures such as (in order of processes, methods and tools. This was done
precedence) designing to minimise the risk, by exploring the synergistic relationships
adding safety devices, providing warning between SE, HFE and Safety Assurance. It
devices, or developing procedures and concluded that the quality of Safety Assurance
training. can be enhanced by applying SE and HFE
principles when using contemporary Safety
During a project’s production stage, HFE can
Analysis processes, methods and tools on
provide support to the development of effective
major rail projects.
policies and procedures for managing safety
risks to reduce the potential for people to 6. ACKNOWLEDGEMENTS
intentionally or unintentionally not follow rules.
This can be done by applying HFE’s The author would like to thank all those he has
understanding of the causes of human error learned from in over 25 years of working in SE,
and violations and how the likelihood of this HFE and Safety Assurance mostly in the rail
occurring can be reduced. industry. The contents of this paper are solely
the responsibility of the author and do not
Typically a contractor’s Safety Assurance necessarily represent the views of Mott
process finishes when a rail system is handed MacDonald Limited.
over and becomes operational. It is, however,

9
7. REFERENCES
[1] ANU Edge. On Track to 2040: Preparing the Australian Rail Supply Industry for
Challenges and Growth, 2011.
[2] Emes, M. Systems Engineering Management – Systems Thinking. University College
London, UCL Centre for Systems Engineering, October 2009.
[3] Hollywell, P.D. & Corrie, J. D. Reducing Violations on the Railways: What Only
Experience Can Teach? Paper presented at ‘Violations, Procedures and Human
Factors’ Conference organised by IBC, London, March 2000.
[4] HSE. Introduction to Human Factors.
http://www.hse.gov.uk/humanfactors/introduction.htm. Accessed June 2014.
[5] HSE. Reducing Error and Influencing Behaviour, HSG48. HSE Books, 2009.
[6] IEA. What is Ergonomics? http://www.iea.cc/whats/. Accessed June 2014.
[7] INCOSE UK Chapter. Z1 Guide: What is Systems Engineering? Issue 3.0, March
2009.
[8] INCOSE. Systems Engineering Handbook (Version 3.2.2): A Guide for System Life
Cycle Processes and Activities. INCOSE-TP-2003-002-03.2.2, October 2011.
[9] ISO/IEC 15288:2008. Systems Engineering – System Life Cycle Processes.
[10] Kirwan, B. A Guide To Practical Human Reliability Assessment. Taylor & Francis,
1994.
[11] Major Projects Association (MPA). Systems Integration for Major Projects. Summary
notes of a seminar held at the Royal College of Pathologists, London on 12th March
2002.
[12] Mason, S. et al. Improving Compliance with Safety Procedures: Reducing Industrial
Violations. HSE Books, 1995.
[13] Pope, A. An Essay on Criticism, Part II; 1711.
[14] Rasmussen, J. Skills, Rules, Knowledge: Signals, Signs and Symbols and Other
Distinctions in Human Performance Models. In IEEE Transactions on Systems, Man,
and Cybernetics, SMC-13, 257-267, 1983.
[15] Reason, J. A Life in Error: From Little Slips to Big Disasters. Ashgate Publishing
Limited, 2013.
[16] Reason, J. Human Error. Cambridge University Press, 1990.
[17] Reason, J. The Human Contribution: Unsafe Acts, Accidents and Heroic Recoveries.
Ashgate Publishing Limited, 2008.
[18] Royal Academy of Engineering. Creating Systems that Work: Principles of
Engineering Systems for the 21st Century, 2007.
[19] RSSB. Understanding Human Factors: A Guide for the Railway Industry. Rail Safety &
Standards Board, 2008.
[20] Whittingham, R.B. The Blame Machine: Why Human Error Causes Accidents.
Elsevier, 2004.
Figure 1: Typical Project Lifecycle with SE and Safety Assurance Elements

Figure 2: Reasons for Human Error and Violations

Figure 3: Simple System Model of Organisational Failures

Figure 4: Detailed System Model of Organisational Failures