RUMAPM02 ESREL 2010
A proposed model to account human
factors in safety-critical systems
V Rumawas & BE Asbjørnslett
Dept of Marine Technology
Courtesy of Alert! - The International Maritime Human Element Bulletin
The outline
• Background
• Current research
• Proposed Markov model
• Proposed model based on safety instrumented system
• Challenges
• Summary
The background:
• 8 Jul 2005 KM Digoel sank in Arafura Sea
Approx. 184 fatalities.
• 30 Dec 2006 KMP Senopati Nusantara lost in South Kalimantan sea.
Approx. 446 fatalities
• 11 Jul 2007 KM Wahai Star sank in Ambon sea.
Approx 100 fatalities
• 11 Jul 2007 KM Sinar Madinah sank in Dompu, Nusa Tenggara Barat.
Fatalities unknown.
• 18 Oct 2007 KM Asita III sank in Kadatua Strait, Sulawesi Tenggara.
Approx. 66 fatalities.
• 11 Jan 2009 KM Teratai Prima sank off Tanjung Baturojo,
Sendana, Majene, West Sulawesi.
Approx. 264 fatalities.
Ferry accidents in developing countries
Introduction: The picture
• Ferry operations in developing countries: a need!
– Low operating standards, cheap fares
– Substandard vessels: second-hand fleet, insufficient engine
power, limited redundancy, poor maintenance
– Overloaded cargo and overcrowded passengers
– Minimal information about the upcoming weather
– Crews with limited knowledge and training
– Inadequate regulations and supporting systems
– Low safety awareness
• In normal conditions, when the sea is calm, the vessel can be
operated just about safely
• In extreme periods, when the situation escalates, the risk
rises significantly; there is a fatal accident every year
The research
• The goal:
– to develop a model to account for HF that can represent ~
and predict ~
• The ideas:
– adopt the existing system (hardware) reliability framework
• Markov models
• SIS framework: IEC 61508
– ship = safety-critical system
– environmental condition: demand system (H/L = high/low demand mode)
– modelling HF in a safety-critical system
Reliability Model:
Safety Instrumented System
• SIS: an independent protection layer that is installed to
mitigate the risk associated with the operation of a
specified hazardous system, which is referred to as the
equipment under control (EUC).
Rausand & Høyland (2004)
Human element model
Types of basic functions performed by human or machine components of human-machine systems (Sanders & McCormick, 1992, p. 17):
[Figure: Information input → Sensing (information receiving) → Information processing and decision → Action functions (physical control or communication) → Output; an Information storage block is linked to the processing and decision stage.]
Markov diagram for bridge operations
• i = 4: all crew manage to perform their tasks correctly
• i = 3: the crew fail to monitor the environment correctly
• i = 2: the master fails to make a correct decision in controlling the vessel
• i = 1: the crew fail to control the vessel correctly
• i = 0: the vessel fails to maintain its integrity
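The five-state chain above, worked through numerically as an added example (this is not code from the paper). The slide gives the states but no rates, so the degradation rates, the recovery transitions (a crew that notices a lapse returns to the previous state) and the "normal" and "extreme" rate sets below are assumptions for illustration; they are chosen only to show how the probability of reaching state i = 0 responds to harsher conditions.

```python
"""Continuous-time Markov model of the bridge-operation states on slide 14.

Added example, not from the paper: every transition rate below is assumed
for illustration. State i counts how many of the chained safety functions
(monitor -> decide -> control -> vessel integrity) are still intact, as on
the slide; state 0 (loss of vessel integrity) is absorbing.
"""
import math

N_STATES = 5  # list indices 0..4 equal the slide's state numbers i


def generator(fail_rates, recover_rates):
    """Build the generator matrix Q (rates per hour) for the 5-state chain.

    fail_rates[i]    : rate of degrading from state i to i-1, for i = 4..1
    recover_rates[i] : rate of recovering from state i back to i+1, for i = 3..1
                       (assumed: the crew can notice and correct a lapse);
                       state 0 has no exits.
    """
    Q = [[0.0] * N_STATES for _ in range(N_STATES)]
    for i in range(1, N_STATES):
        Q[i][i - 1] += fail_rates[i]
    for i in range(1, N_STATES - 1):
        Q[i][i + 1] += recover_rates[i]
    for i in range(N_STATES):
        Q[i][i] = -sum(Q[i][j] for j in range(N_STATES) if j != i)
    return Q


def transient(Q, p0, t, tol=1e-12, max_terms=100_000):
    """State distribution p(t) = p0 * exp(Q t), computed by uniformization.

    With Lambda >= max |Q_ii|, P = I + Q/Lambda is a stochastic matrix and
    exp(Q t) = sum_k Poisson(k; Lambda t) * P^k, so no matrix-exponential
    library is needed. Terms are added until the Poisson weights sum to 1.
    """
    n = len(Q)
    lam = max(-Q[i][i] for i in range(n)) or 1.0
    P = [[Q[i][j] / lam + (1.0 if i == j else 0.0) for j in range(n)]
         for i in range(n)]
    weight = math.exp(-lam * t)           # Poisson(0; Lambda t)
    vec = list(p0)                        # p0 * P^k, starting with k = 0
    result = [weight * v for v in vec]
    cumulative = weight
    for k in range(1, max_terms):
        if 1.0 - cumulative <= tol:
            break
        weight *= lam * t / k             # Poisson(k) from Poisson(k-1)
        vec = [sum(vec[i] * P[i][j] for i in range(n)) for j in range(n)]
        result = [r + weight * v for r, v in zip(result, vec)]
        cumulative += weight
    return result


def loss_probability(rates, hours):
    """Probability that the vessel has reached state 0 (lost its integrity)
    within `hours`, starting from state 4 (all tasks performed correctly)."""
    p0 = [0.0, 0.0, 0.0, 0.0, 1.0]
    Q = generator(rates["fail"], rates["recover"])
    return transient(Q, p0, hours)[0]


# Assumed rates (1/h), illustrative only. In extreme conditions the demands on
# the crew arrive faster and recovery is slower, so degradation rates go up
# and recovery rates go down.
NORMAL = {"fail": {4: 0.05, 3: 0.02, 2: 0.02, 1: 0.001},
          "recover": {3: 2.0, 2: 1.0, 1: 0.5}}
EXTREME = {"fail": {4: 0.5, 3: 0.2, 2: 0.2, 1: 0.05},
           "recover": {3: 0.5, 2: 0.3, 1: 0.1}}

if __name__ == "__main__":
    for label, rates in (("normal", NORMAL), ("extreme", EXTREME)):
        print(f"{label:8s} P(state 0) after 24 h = {loss_probability(rates, 24):.3e}")
```

The two rate sets stand for the two conditions the Markov model is meant to separate (normal versus extreme or abnormal). The common-cause coupling between the crew members, which the speaker notes flag as large but set aside, is not modelled here either; adding it would mean extra transitions that skip states, e.g. directly from 4 to 1.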
Probability of failure on demand (PFD)
In the hardware reliability perspective
[Figure: reliability R(t) of a safety function, starting at R = 1 and falling at failure rate λ, restored to as-good-as-new at every proof test (t = τ, 2τ, ...); the gap 1 − R(t) at the moment a demand arrives is the probability of failure on demand (PFD).]
$F = 1 - R$
Average PFD $= \lambda\tau/2$
$\mathrm{PFD}_{SYS} = \mathrm{PFD}_{S} + \mathrm{PFD}_{L} + \mathrm{PFD}_{FE}$
$\mathrm{PFH}_{SYS} = \mathrm{PFH}_{S} + \mathrm{PFH}_{L} + \mathrm{PFH}_{FE}$
(S = sensors, L = logic solver, FE = final elements; PFH = probability of dangerous failure per hour, the measure used for high-demand mode)
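Derivation of the average PFD on this slide, added here as a worked equation in the slide's own symbols (it is not part of the original slide). It assumes a constant failure rate λ and as-good-as-new restoration at every proof test, so the same interval of length τ repeats:

$$R(t) = e^{-\lambda t}, \qquad F(t) = 1 - R(t) = 1 - e^{-\lambda t} \approx \lambda t \quad (\lambda t \ll 1)$$

$$\mathrm{PFD}_{avg} = \frac{1}{\tau}\int_0^{\tau} F(t)\,dt = 1 - \frac{1 - e^{-\lambda\tau}}{\lambda\tau} \approx \frac{1}{\tau}\int_0^{\tau} \lambda t\,dt = \frac{\lambda\tau}{2}$$

The sum $\mathrm{PFD}_{SYS} = \mathrm{PFD}_{S} + \mathrm{PFD}_{L} + \mathrm{PFD}_{FE}$ is the first-order (rare-event) form of $1 - \prod_x (1 - \mathrm{PFD}_x)$, which is adequate while each subsystem PFD is small.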
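The subsystem bookkeeping of this slide applied to the two-man bridge watch that the speaker notes describe (helmsman and master as one-out-of-two sensors, master as a one-out-of-one logic solver, a one-out-of-one final element), as an added example that is not code from the paper. The expressions are the simplified low-demand formulas of IEC 61508-6 with repair time neglected; the failure rates, the interval tau and the beta values are assumed for illustration. The beta-factor term is included because the notes remark that common-cause failure between the two crew members must be large.

```python
"""PFD bookkeeping for the sensor / logic solver / final element structure
on slide 15, applied to the two-man bridge watch of the speaker notes.

Added example, not from the paper: simplified low-demand IEC 61508-6
expressions (repair time neglected); all numeric inputs are assumed.
"""
import math


def pfd_avg_exact(lam, tau):
    """Exact time-average of F(t) = 1 - exp(-lam t) over one interval tau."""
    x = lam * tau
    return 1.0 - (1.0 - math.exp(-x)) / x


def pfd_avg_1oo1(lam, tau):
    """Slide 15: average PFD = lambda*tau/2 (first order in lam*tau)."""
    return lam * tau / 2.0


def pfd_avg_1oo2(lam, tau, beta=0.0):
    """Two channels, one sufficient (1oo2), with a beta-factor common-cause model.

    Independent failures : (1-beta)^2 * (lam*tau)^2 / 3   (both channels down)
    Common-cause failures: beta * lam*tau / 2             (acts like one 1oo1 channel)
    """
    x = lam * tau
    return (1.0 - beta) ** 2 * x ** 2 / 3.0 + beta * x / 2.0


def pfd_sys(pfd_s, pfd_l, pfd_fe):
    """Slide 15: PFD_SYS = PFD_S + PFD_L + PFD_FE, the rare-event sum of the
    subsystem PFDs (the exact value would be 1 - prod(1 - PFD_x))."""
    return pfd_s + pfd_l + pfd_fe


def bridge_pfd(lam_sensor, lam_logic, lam_final, tau, beta):
    """System PFD of the bridge watch in the notes: 1oo2 sensors (helmsman and
    master watching), 1oo1 logic solver (master), 1oo1 final element."""
    return pfd_sys(pfd_avg_1oo2(lam_sensor, tau, beta),
                   pfd_avg_1oo1(lam_logic, tau),
                   pfd_avg_1oo1(lam_final, tau))


def redundancy_gain(lam, tau, beta):
    """How much the second pair of eyes helps: PFD(1oo1) / PFD(1oo2 with beta).
    As beta -> 1 the gain -> 1, i.e. redundancy buys nothing, which is why the
    notes' remark about a very large beta factor matters for this model."""
    return pfd_avg_1oo1(lam, tau) / pfd_avg_1oo2(lam, tau, beta)


if __name__ == "__main__":
    tau = 4.0    # assumed: hours until the next as-good-as-new point (e.g. watch change)
    lam = 0.01   # assumed: failures per hour of one monitoring channel
    print(f"exact {pfd_avg_exact(lam, tau):.5f} vs lambda*tau/2 {pfd_avg_1oo1(lam, tau):.5f}")
    for beta in (0.0, 0.1, 0.5, 1.0):
        print(f"beta={beta:.1f} gain={redundancy_gain(lam, tau, beta):6.2f} "
              f"PFD_sys={bridge_pfd(lam, 0.005, 0.002, tau, beta):.5f}")
```

With the assumed numbers the exact average and the λτ/2 approximation agree to within a few percent while λτ is small, and the gain from the second sensor channel collapses from 15 at β = 0 to under 2 at β = 0.5, which is the quantitative reason the common-cause assumption cannot stay disregarded for a two-person crew.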
Proposed PFD concept for human ~
[Figure: same axes as slide 15, but the human's reliability does not start at R = 1; it starts at the initial competence θ and then moves with γ(t) and δ, so the PFD gap to R = 1 changes over time.]
$\mathrm{PFD}_h = 1 - \left(\theta + \sum_i \left(\gamma_i(t) + \delta_i\right)\right)$
• θ: initial condition; existing competence from previous knowledge, experience and training
• γ(t): self-learning and adaptation (can be positive or negative)
• δ: training effect
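A numerical illustration of the human PFD concept above, added here as an example (not code from the paper). The slide names θ, γ_i(t) and δ_i but gives no functional forms, so the ones used below are assumptions: a saturating on-the-job learning curve for a positive γ, a linear skill-decay term for the negative γ that the notes point out, and a step δ_i for each training course. Competence is clipped to [0, 1], because the bare formula can otherwise leave the probability range.

```python
"""Numerical illustration of slide 16: PFD_h(t) = 1 - (theta + sum_i (gamma_i(t) + delta_i)).

Added example, not from the paper. The functional forms of gamma_i(t) and
delta_i are assumptions chosen for illustration, as are all parameter values.
"""
import math


def human_pfd(t, theta, learn_rate=0.0, learn_cap=0.0, decay_rate=0.0, trainings=()):
    """PFD_h of a crew member t days after recruitment.

    theta      : initial competence (existing knowledge, experience, training), 0..1
    learn_rate : speed of self-learning / adaptation (1/day)
    learn_cap  : ceiling of the self-learning gain, so gamma_learn(t) -> learn_cap
    decay_rate : competence lost per day through lack of practice (a negative gamma)
    trainings  : iterable of (day, delta) pairs; delta_i is added once day <= t
    """
    gamma_learn = learn_cap * (1.0 - math.exp(-learn_rate * t))   # gamma_1(t) >= 0
    gamma_decay = -decay_rate * t                                   # gamma_2(t) <= 0
    delta_total = sum(delta for day, delta in trainings if day <= t)
    competence = theta + gamma_learn + gamma_decay + delta_total
    # theta + sum(...) is meant as a reliability, so clip it to [0, 1];
    # without this, a long decay would give PFD_h > 1 and a large
    # training step could give PFD_h < 0.
    competence = min(1.0, max(0.0, competence))
    return 1.0 - competence


def pfd_profile(days, **params):
    """PFD_h sampled on the given days, e.g. to tabulate a learning curve."""
    return [(d, human_pfd(d, **params)) for d in days]


if __name__ == "__main__":
    # Assumed parameters: a new recruit with theta = 0.6, a roughly 60-day
    # adaptation period, a course on day 30 worth delta = 0.15, slow skill decay.
    params = dict(theta=0.6, learn_rate=1 / 60, learn_cap=0.25,
                  decay_rate=0.0005, trainings=[(30, 0.15)])
    for d, p in pfd_profile(range(0, 181, 30), **params):
        print(f"day {d:3d}  PFD_h = {p:.3f}")
```

The shape this produces is the one the slide argues for: unlike a hardware channel, PFD_h is highest on day one and falls as γ(t) and the training steps accumulate, and if the decay term dominates (no practice, no refresher training) it climbs back up, which is the "gamma can be negative" case in the speaker notes.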
Discussions
• HF x SIS
– Redmill & Rajan (1997), Cacciabue (2004), Carey (2001),
Schönbeck, Rausand & Rouvroye (2010)
• The connecting lines in SIS
• Failure modes, scenarios:
– High seas, storm, typhoon, strong wind, strong current,
overloaded, excessive trim/rolling, fire & explosion,
blackout, etc.
• The challenge:
– Human reliability analysis and failure rates
– How to find simple and valid numbers: by experiments in
simulators, simulation-based methods
Summary
• A model has been developed to account for HF in SCF
• The human is considered as the barrier or protection layer,
instead of as the hazard or threat
• Scenarios should be identified
• Further validation of the model should be done, e.g. by
experiments in simulators
end of presentation
Editor's Notes
Hi,
Good afternoon, my name is Vincentius Rumawas, and I’m studying as a PhD student in the Dept. of Marine Technology.
Today I will present my paper, titled: A proposed model to account human factors in safety-critical systems.
This research is fostered by some number of ferry accidents that occurred in developing countries.
As you can see we, in Indonesia have quite a lot of ferry accidents each year.
Spouge (1991) did research on passenger ferry activities in the Philippines, while Lawson & Weisbrod (2005) did similar research in Bangladesh.
If we analyze the situation, it is very similar to the hardware reliability framework; in particular the Safety Instrumented System (SIS) which protects an Equipment Under Control (EUC).
In this research, we are trying to develop a model to account for the human factor that can represent those accident cases, so that in the long run we can hopefully predict and reduce the probability of the events occurring.
We will adopt the existing reliability framework, that is the Markov model and the SIS framework based on IEC 61508, where the ship is considered as a safety-critical system as well as the EUC, the environmental (and other external) conditions as the demand system, and the operators, or the human element, as the safety instrumented system, differentiated into three different functions: sensors, logic solver and actuators, or as they are sometimes called, final elements.
One method that can represent the vessel incident cases quite well is the Markov model.
We are using the Markov model to represent the two different conditions that a vessel may encounter: normal conditions vs extreme or abnormal conditions.
There are many operations that can be modeled using the Markov diagram:
Bridge operation in the restricted area where a pilot is onboard, accompanied by the master, while the helmsman is operating the wheel
Normal sailing, vessel is going through harsh condition
In case of fire and explosion
Engine blackout, loss of control, loss of power
etc
An example of an SIS in our surroundings is the fire-protection system: we have thermal and smoke sensors, there is a logic system that processes the incoming information, and the final elements, i.e. the fire alarm and the sprinklers.
In cars, airbag systems are now installed to protect the passengers from being injured when the car crashes.
In oil and gas exploration, we have the BOP system, etc.
Now, if we see human being, - we actually perform the same functions as the SIS:
we have many kinds of sensors, we have our brain, and as the final elements, we can do lots of stuff.
Now, if we imagine how a crew operating a vessel, - he is surrounded with lots of information;
he must be able to perceive the information, select which is the most relevant and significant, process the information, then - act according to the stimulus.
One man can perform as a full safety instrumented system -
But, in this paper we consider two - man operation on the bridge.
Here we model a bridge operation, i.e. when a vessel is sailing through a certain area.
The helmsman and the captain act as sensors, monitoring the environmental conditions, navigational signs and other relevant information like the ECDIS, RADAR, depth meter, rudder indicator, vessel heading indicator, speed, and compass.
They work as a parallel system, or as a one-out-of-two system; it means that only one of them needs to detect if there is something wrong.
The master works as the logic solver; he works as a single system, or one-out-of-one system. He processes all the incoming information and then makes decisions.
The helmsman, as the actuator, is responsible for steering the rudder, while the master is responsible for the telegraph.
Here we develop the Markov model to represent the bridge operations.
At this point we realize that the beta factor (common cause failure) must be extremely large, but for the time being we disregard this matter.
In the hardware reliability perspective - to find if a safety function is acceptable, they follow this way of thinking:
One unit of a component, which acts as a safety function, is assumed to work well when it is new. We wish that the unit could be reliable for its whole lifetime, but of course it deteriorates. Let us assume that the failure rate follows this function. At a certain time, tau, we will do some maintenance on the system and bring the unit back to its initial condition, as good as new. Then the cycle repeats.
If we define failure as F = 1 - R, then we can find the probability of failure when a demand comes as this (PFD), the small green box, and with some derivation we can make an approximation: the average PFD = lambda tau over 2.
With the same logic, we develop the following concept for accounting human element in safety critical system:
Now we imagine, on a particular vessel, we are going to recruit some new crew.
Unlike hardware, it is almost impossible to get a ‘reliable, competent’ sailor who can operate our ship from day one. On the contrary, they usually need time to adjust their knowledge and ability to work in a new environment. Some training programme will increase their capability to a certain degree.
So, now, we can define the probability of failure on demand for human element acting as safety function: PFDh
As you can see, gamma, can be positive as well as negative!