Push Button A or is it B? Alarming design Real consequences for - - PowerPoint PPT Presentation

Push Button A … or is it B? Alarming design

Real consequences for real people

If you are delivering a system or product, you should set up a register of hazards containing information about each hazard. 16.2.2 a

Can we find some hazards?

Can we find some hazards?

 Broadcast emergency call not made

 Driver didn’t log on Train had not been registered for this trip  New train controller registered trailing loco  No communication with driver to confirm  Train controller didn’t use backup system  Train controller didn’t have phone numbers  Incident was not given priority  Repeat of similar incidents.

Can we find some hazards?

 Broadcast emergency call not made  Driver didn’t log on  Trailing loco logged on from previous day  Trailing loco shown on screen as leading  No communication with driver to confirm  Train controller didn’t use backup system  Train controller didn’t have phone numbers  Incident was not given priority  Repeat of similar incidents.

Can we find some hazards?

 Broadcast emergency call not made  Driver didn’t log on  Trailing loco logged on from previous day  Trailing loco shown on screen as leading  No communication with driver to register  Train controller didn’t make broadcast call  Train controller didn’t have phone numbers  Incident was not given priority  Repeat of similar incidents.

Can we find some hazards?

 Broadcast emergency call not made  Driver didn’t log on  Trailing loco logged on from previous day  Trailing loco shown on screen as leading  No communication with driver to confirm  Train controller didn’t make broadcast call  Train controller didn’t have phone numbers  Incident was not given priority  Repeat of similar incidents.

Can we find some hazards?

 Broadcast emergency call not made  Driver didn’t log on  Trailing loco logged on from previous day  Trailing loco shown on screen as leading  No communication with driver to confirm  Train controller didn’t use backup system  Train controller didn’t have phone numbers  Incident was not given priority  Repeat of similar incidents.

Can we find some hazards?

 Broadcast emergency call not made  Driver didn’t log on  Trailing loco logged on from previous day  Trailing loco shown on screen as leading  No communication with driver to confirm  Train controller didn’t use backup system  Train controller didn’t have phone numbers  Incident was not given priority  Repeat of similar incidents.

Can we find some hazards?

 Radio active in trailing locomotive  Driver didn’t log on  Train controller didn’t register train  New train controller registered trailing loco  No communication with driver to confirm  Train controller didn’t use backup system  Train controller didn’t have phone numbers  Incident was not given priority  Repeat of similar incidents.

Can we find some hazards?

 Broadcast emergency call not made  Driver didn’t log on  Trailing loco logged on from previous day  Trailing loco shown on screen as leading  No communication with driver to confirm  Train controller didn’t use backup system  Train controller didn’t have phone numbers  Incident was not given priority by controller  Repeat of similar incidents.

Can we find some hazards?

 Radio active in trailing locomotive  Driver didn’t log on  Trailing loco logged on from previous day  Trailing loco shown on screen as leading  No communication with driver to confirm  Train controller didn’t use backup system  Train controller didn’t have phone numbers  Incident was not given priority  Repeat of similar incidents at same centre

Can we find some hazards?

 Radio active in trailing locomotive  Driver didn’t log on  Trailing loco logged on from previous day  Trailing loco shown on screen as leading  No communication with driver to confirm  Train controller didn’t use backup system  Train controller didn’t have phone numbers  Incident was not given priority  Repeat of similar incidents at same centre

Can we find some hazards?

 Radio active in trailing locomotive  Driver didn’t log on  Train controller didn’t register train  New train controller registered trailing loco  No communication with driver to register  Train controller didn’t make broadcast call  Train controller didn’t have phone numbers  Incident was not given priority  Repeat of similar incidents.

If you are delivering a system or product, you should actively manage the hazards to closure. 16.2.2 b

Everyone wanted to work safely. Everyone thought they had. No one did.

The entire system had drifted. Drifted into failure.

If you have set up a register of hazards, you should keep it up-to-date as new information becomes available. 16.2.2 c

Incident Investigation Reports

Packenham Radio emergency call failed. Cellular only available medium. Situation noted but no comment from investigator.

SPAD!

North Strathfield No response to radio call. No broadcast call. Signallers vigorously wave flags and flash lights from balcony.

SPAD!

Homebush

Lewes

Lewes

Stop train All trains stop

Lewes

Stop train All trains stop Enter train no. _ _ _ _

Hexham

“training in the application of every documented procedure that may be required.” Hexham

“the capacity to think effectively in emergencies e.g. recognising hazards other than those explicitly identified.” Hexham

Design feature

Or unforseen hazard

A great convenience,

• r a lethal distraction?

Used in some countries …

Banned in other countries …

except if convenient for the railway.

We have changed.

We cannot hold back the tide. Embrace change and make it safe!

What is different?

Traditional Radio Mobile Phone Formal Informal Structured Spontaneous Open Channel Closed Channel Situation awareness Just the two of us

Independent check Credibility Monitored, recorded May not be recorded Press to talk Find number, dial, wait Anyone can answer Correct connection? Static configuration Numbers change

This could be dangerous!

New Hamburg Cellular privacy used to cover error, created hazard. Grawlin Plains Incident report by phone, phone numbers not given. Asta Imminent collision, phone numbers not

• known. 19 Dead.

Recommendations for Success

Understand the system

Ensure documentation is accurate

Train and rehearse

Make it second nature

• Train in realistic situations
• Use simulators
• Test a range of scenarios
• Practice until it is natural
• Assess regularly.

Recommendations for Success

• Train in realistic situations
• Use simulators
• Test a range of scenarios
• Practice until it is natural
• Assess regularly.

Recommendations for Success

• Train in realistic situations
• Use simulators
• Test a range of scenarios
• Practice until it is natural
• Assess regularly.

Recommendations for Success

• Train in realistic situations
• Use simulators
• Test a range of scenarios
• Practice until it is natural
• Assess regularly.

Recommendations for Success

• Train in realistic situations
• Use simulators
• Test a range of scenarios
• Practice until it is natural
• Assess regularly.

Recommendations for Success

• Put designers through the

training simulations to verify that the system is what they think they designed.

• Assess regularly.

Recommendations for Success

• Put designers through the training

simulations to verify that the system is what they think they designed.

• Assess regularly.

Recommendations for Success

• Check the rule books and

procedures are relevant and accurate.

• Are they being used?
• Assess regularly.

Recommendations for Success

• Check the rule books and

procedures are relevant and accurate.

• Are they being used?
• Assess regularly.

Recommendations for Success

• Check the rule books and

procedures are relevant and accurate.

• Are they being used?
• Assess regularly.

Recommendations for Success

JJA.com.au Aitken & Partners