Andrew Waugh wrote: Having read the report, two immediate observations spring to mind...
2) As a professional programmer, and one interested in user interface design, I would have to say that I think the Thetford workstation displays are diabolically poor. The most common task of the signaller using this workstation is to decide whether a caller can cross the line. This is a safety critical task. But *no* special support is given to the signaller in performing this task. Worse, the screen is cluttered with indications and controls that are probably rarely used - the lockout indications, and the status of the MCB-OO crossings, for example. No wonder some of the signallers disliked using it.
You'd have your work cut out to convince me that any task based analysis had been carried out in the user interface design. To be brutally honest, it looks like the designers simply replicated a panel, and squashed it all up to get the maximum length on one screen.
I spent the night thinking about this, and my bewilderment only increases.
Network Rail spent quite a bit of time (and resources) investigating and managing the problem that the EBI Gate was really only designed to SIL1, not the required SIL3. Even at SIL1, however, the EBI Gate was only expected to generate "an incident and unsafe mode between 10 and 100 years". Eventually, they turned the installations off because it did not meet the required safety level.
In my view (remember, I'm speaking as a professional software engineer), the incidence of a signaller making a mistake due to the poor GUI design is far more likely than once every 10 to 100 years. Indeed, a serious incident occurred after only 4 years of use of the GUI (and we don't know if other "incidents and unsafe modes" had previously occurred, but not resulted in a reportable accident).
There seems to be a lack of proportionality in the two responses; Network Rail focused their attention on the *less* likely cause of accidents.
Interestingly, the RAIB also seem to be oblivious to this issue. The poor GUI design is relegated to an additional observation (Para 127), and they never explicitly consider the relative likelihood of failures of the various components of the system. Note also Recommendation 2 (Para 140) - mistakes by signallers are to be addressed by more training to ensure they achieve and maintain competency. There is no consideration that an alternative approach is to improve the GUI to support the signaller in performing their tasks and reduce the likelihood of making mistakes.
I wonder how much expertise the RAIB has in identifying software risks?