PPRuNe Forums - View Single Post - 'No blame' Over RAF Tornado Crash
Old 4th May 2010, 16:07
#150
Safeware
 
Join Date: Mar 2005
Location: On the outside looking in
Posts: 542
Squidlord,

No, I don't think you can exclude HF completely, and AMCs for civil Certification Specifications cover 'reasonably anticipated' errors and crew capability. But I don't think 'reasonable' extends to passing the buck to the human because of poor system design and reliance on the human. Def Stan 00-250 Pt 3 is of this view as well:
10.5.11 Combining Equipment Reliability and Human Reliability predictions in Safety Cases

Often, the designer must combine equipment reliability predictions (or failure rates) with similar predictions for human actions in formal documents such as HAZOPs, fault tree analysis, event tree analysis, probabilistic safety analyses, etc. The foregoing arguments illustrate the difficulties in combining qualitatively different sets of data.

In such cases, the designer should identify a range of bounding values for Human Reliability, and should initially use such data to identify critical human activities and the sensitivity of the system to human actions. Where system safety is critically dependent on human actions, the designer should aim to reduce the system sensitivity (i.e. produce an error-tolerant design) through iterative design, and to incorporate suitable Workspace / workload and automation strategies to prevent predictable human performance limits being exceeded (e.g. appropriate allocation of functions).

Specialist advice is required where automation strategies are likely to impact on mission or safety critical functionality.
As for defining a safety case in terms of the lowest level of training and competence, I think that is ineffective. If the safety case and RTS for, say, Typhoon, were based on the ab-initio FJ jock on his first sortie, life would be rather restricted. Instead, have a design safety case, airworthiness argument (and RTS) based on the average pilot and then use the management of safe operation to provide the ab-initio with the required comfort blanket of supervision, sortie allocation, currency etc. to build up/maintain the skills required. Unfortunately, it seems clear that this is one of the failures in the F3 case.

sw