Human Factor Analysis of the Railway Traffic Operators

Abstract

The human factor is an essential aspect of the operability and safety of many technical systems. This paper focuses on the analysis of human errors in the railway domain. The subject of human reliability analysis is the behavior of operators of station-signaling systems responsible for rail traffic management. We use a technique for human-error rate prediction as the 1st generation human reliability analysis to deal with task analyses, error identification and representation, and the quantification of human error probabilities. The paper contributes to the comparison of three technologically different railway traffic control systems, having different degrees of automation—from the manually operated (electro-mechanical), through semi-automated (relay-based) to almost fully automated (computer-based) station-signaling systems. We observe the frequency of individual operations performed in time intervals and calculate human error probability and human success probability values for each operation. Thus, we can analyze human reliability and compare the workload of operators working with control systems of different degrees of automation.

1. Introduction

The actual tasks affect human performance in the presence of various factors, such as time, environment, people, and the nature of the process. According to [1], we can characterize human performance by efficacy (effectiveness) and efficiency. The former can be understood as a person’s success or failure at performing a given task; the latter considers task completion time in light of the corresponding successes or failures. Human error is a dominant factor that affects the likelihood of task failure that could disrupt scheduled operations or damage property and equipment, causing accidents. By actively looking for potential sources of human errors, they can be identified, controlled, and ultimately minimized [2,3]. The meaning of the term ‘human error‘ varies, depending on the viewpoint from which we analyze it. Definitions usually fall into three categories: industrial approach (emphasizing the manifestations of errors), psycho-cognitive approach (based on their modes of production), and psycho-dynamic approach to work (combination of both) [4]. Different approaches may result in different classifications of the term, depending on the objectives of the analysis [5].

In addition to human errors, another frequently used term is ‘human reliability‘. Although both terms may mean the same thing to many people, their definitions convey their primary difference [6,7]. Since humans are unreliable and make errors, we use human factors as the body of knowledge concerned with human abilities and shortcomings [8]. Today, we widely accept the concept of human factors as an essential part of industries in practically every domain [9], including railway transport. Koonce and Debons [10] discuss the historical perspectives of human factors development. The goal of human factor definitions is to make the human interaction with systems such that it enhances performance, increases safety, and increases user satisfaction [11]. The operator is often a weak point of many systems, limiting the overall level of safety and performance. Thus, human error constitutes a major causal factor for the emergence of accidents in several safety sectors: energy production (nuclear and conventional), transportation systems (aviation, railway, automotive, maritime), medical industry, economic systems, chemical and petrochemical environments, manufacturing, tunnels and other critical infrastructure, and others [12,13,14,15,16,17].

Human operators involved in the transport sector vary depending on the application area. Railway transportation performance cannot be guaranteed just by technically perfect design concepts; other aspects (specific procedures, working regulations, working conditions, job descriptions, delineation of tasks and responsibilities) are also important [18]. Railway operations’ effectiveness and safety depend on rail traffic rules, equipment reliability, general and safety management, and human factors [19]. The management of railway system safety and effectiveness cannot ignore the humans working at all levels of the system [20,21] since railway accidents result from human error, mechanical failure, or a combination of both. Therefore, the people who operate railway systems must be selected and trained to operate them safely [22]. Although considering human factors does not have a long tradition in continental Europe [23], it is necessary to study the human factor reliability in the railway field where the actors are mainly operating personnel (drivers, operators at centralized control posts) and maintenance personnel. The thesis [24] proposes a taxonomy of railway performance shaping factors. It also identifies the factors that affect railway operators’ performance and assess human performance. Human factors seen as a discipline are concerned with understanding interactions between people and other elements of complex systems [25]. Different human factor methods become applicable and helpful at different stages of system design [26]. One of the classic test methods is human performance testing [27]. Testing and evaluation is a set of methodologies to characterize, measure, assess, and evaluate the technical merit, operational effectiveness, suitability of any human–system interface [28].

Evaluating existing operational systems requires that specific data regarding task performance in the analyzed system are collected, represented, and analyzed [26]. Data collection, therefore, represents the cornerstone of any human factor analysis effort. At first sight, all we need is information on human behavior and errors. Unfortunately, this is far more difficult when considered more carefully. Data collection aims to provide all necessary information for undertaking the analysis. One of the leading research methods for human factors research is observation—to get representative human behavior samples during tasks performed over different days under various circumstances [11]. When defining a task, we can adopt a definition from [25]: A “task” is a goal-directed behavior performed by one or more people, which involves a coordinated sequence of intentions, perceptions, interpretations/judgments, decisions, and actions directed toward achieving a specific objective within a limited period. Some of the tasks may be critical. The nature of criticality depends on the nature of performed activities, the individual, the operation, and the situation. Accidents in complex systems occur through the accumulation of multiple factors and failures. Reason [29] proposed the model of “Swiss cheese” to explain their occurrence as a series of factors that line up in just the wrong way, allowing seemingly small details to add up to a major incident. The most critical requirement for the proper and efficient functioning of the railway traffic control rooms is solving the problem of functional competence between the operator and the elements of the control rooms. Grozdanovic in [30] investigated specific operator-control desk interaction at the Railway Traffic Control Room in Nis, Serbia, using methods of anthropometric measurement of operators; determining the maximum strength of the operator’s arm movements; workload analysis of the operator’s arms, head and trunk movements; and error analysis of operators’ movements in response to visual cues.

This paper focuses on analyzing human operator behavior in the railway traffic control process. We elaborated on three study cases, with a certain level of automation being a vital aspect in selecting work systems. Automation significantly changes the role of people in complex systems and removes the potential for human errors. Designers develop machines to replace or aid human performance for various reasons. According to [11], we can roughly place these reasons into four categories: processes are either dangerous or impossible for humans to perform the equivalent tasks; processes are difficult or unpleasant (humans carry out the functions poorly); automated functions may not replace but may aid humans by extending their capabilities; or processes are automated because it is technically possible or inexpensive. In our case, almost all of the given reasons play a role. According to ISO 6385 [31], the term ‘work system‘ involves a combination of people and equipment within a given space and environment, and the interactions between these components within a work organization. Our effort was to cover three technologically different station-signaling systems:

• A manually operated electro-mechanical system, supplemented by a few automated functions (such as moving points);
• A semi-automated relay-based system enabling central control of the railway station and adjacent lines (without possibility to automate the process of setting up main routes);
• A modern computer-based system with a lot of fully automated dispatching functions.

Thus, we analyzed the operator’s behavior in several roles, such as a manual controller (signaler) to a supervisory controller (dispatcher). More details on the meanings of these concepts (roles) are available in [25]. A typical human operator acting as a supervisory controller is a train dispatcher that plays a leading role in coordination and control systems [32]. The use of new technologies guarantees new capabilities and functionalities of the control system, but on the other side, it goes hand in hand with rising complexity [18]. Centralized control systems in high-speed railways are more automatic and complex than in general speed railways; therefore, human error is the main factor in recent high-speed railway accidents. However, the conventional human error rate technique may have some weaknesses, which are overcome by introducing hybrid methods for human error probability evaluation in high-speed railway dispatching tasks (sometimes also mentioned as 3rd generation methods). The rail environment considered here does not concern high-speed railway tasks, the topic of high-speed railways tasks is covered by [33]. Rail signaling requires an accurate understanding of the system’s state that the operator controls to make correct, timely decisions and take effective action [34]. Operators must do more than simply perceive the state of their environment. They must understand the integrated meaning of what they are perceiving in light of their goals. In dynamic environments, many decisions are required across a fairly narrow space of time, and tasks are dependent on an ongoing, up-to-date analysis of the environment. Because the state of the environment is constantly changing, often in complex ways, a major portion of the operator’s job becomes that of obtaining and maintaining good situation awareness. Situation awareness is presented as a predominant concern in the system operation, based on a descriptive view of decision making. The decision makers will act first to classify and understand a situation, immediately proceeding to action selection. Endsley [35] presents the model used to generate design implications for enhancing the operator’s situation awareness.

There are several qualitative and quantitative measures of human performance, using a large variety of strategies and instruments [30,36,37,38]. The advantages and disadvantages of some of the main techniques for human error analysis are available in [39]. To assess the reliability of the operator, we used the human reliability assessment (HRA), which is a crucial element of the probabilistic risk assessment (PRA). HRA is a suitable method of analysis to assess the consequences of various human activities on potential risk. The determination of the probability of incorrect execution of a task by the operator (human error probability—HEP) is a part of the human–machine system’s probability safety analysis (PSA). We usually classify the HRA methods to the methods of the 1st generation (e.g., THERP—technique for human-error rate prediction [17], HEART—human error rate technique [40], and SLIM—success likelihood index method [41]) and the 2nd generation (e.g., CREAM—cognitive reliability and error analysis method [42], and ATHEANA—a technique for human error analysis [43]). The method presented in this paper can be extended in the future using the interaction between the equipment and the human operator. Chen et al. [44] facilitated a hidden Markov model on top of a human cognitive model to capture the sequential faults of a production line worker who suffers from work stress. The Markov chain has the discrepancy of time and state. This characteristic is consistent with the changing law of human factors and can be used to predict the risk of human factors. A human factor evaluation model based on the set pair analysis method and the Markov chain was proposed and applied by [45].

2. Materials and Methods

Based on the complex railway transportation process and specificities of operating railway interlocking and signaling systems, we decided to use the THERP as the 1st generation HRA method instead of a universal system-wide analysis belonging to the methods of the 2nd HRA category. THERP is a full methodology for assessing human reliability that deals with task analyses (e.g., documentation reviews and walk/talk-through), error identification and representation, as well as the quantification of HEPs. It has its well-known pros and cons [17,38,46].

There were several reasons why we chose THERP instead of the 2nd HRA generation method:

• Our ability to monitor the operator’s activities was, to a certain extent, limited; we depended on the operators’ willingness to be observed and communicate. Therefore, we chose a simplified view (typical for the 1st generation method), identifying a man as a mechanical or electrical component with natural deficiencies and the possibility to fail to perform tasks. It is recommended for applications with such predominant situations, where only one solution is correct (the only correct response to an unexpected situation). If the operator does not respond according to the prescribed procedure, one may assess such behavior as faulty, concluding the operator’s responsibility for the system failure. This approach can be essential in sensitive areas (for safety or design changes);
• Additional limitations stemmed from the time the observer was officially allowed to spend at the operator’s site. Due to time-limited access to the individual workplaces, we rejected the usage of the 2nd generation method since we could not analyze the causes of errors and study the interaction of the factors increasing the probability of error, as well as the interdependencies of the so-called performance shaping factors (PSFs);
• THERP is a generic tool usable in many sectors (not only in the nuclear industry for which it was designed) and remains the most extensively documented and the most widely used HRA technique from which all subsequent HRA methods are derived;
• THERP provides a logical, well-documented record of the factors and errors needed in the HRA. One can easily review the results and examine the used assumptions.

The price paid for using the 1st generation HRA method was a relatively unstructured approach, unknown interaction between certain PSFs, and the fact that the method is highly judgmental based on the assessor’s experience.

From the analyst’s point of view, we modified and implemented a series of the following successive steps, according to [17]):

1.

Getting acquainted with the working environment:

• Visit the operator’s workplaces to be assessed;
• Obtain information about work procedures, performed tasks, and the influence of the operator on the signaling system;

2.

Qualitative assessment:

• Observe operators to collect and process data;
• Adapt and evaluate;
• Create event trees to assess operator’s reliability;

3.

Quantitative assessment:

• Assign nominal HEP values to individual operator’s actions;
• Estimate relative effects of influencing factors;
• Assess the dependencies between individual actions;
• Estimate the probabilities of success and failure for each action;
• Assess effects of process recovery factors;

4.

Interpretation of results:

• Appropriately evaluate the analysis;
• Potentially propose operator evaluation procedures and present the analysis results to the rail infrastructure manager.

2.1. Description of Operator Workplaces

Control systems in railways, as in other fields, are of different types and use different technologies to determine their level of automation. Parasuraman et al. [47] provided a framework and an objective basis for deciding which system functions should be automated and to what extent. Three workplaces chosen for our analysis can be characterized as follows:

Workplace A (Žilina marshalling yard)—the operator works at the railway station, situated on the electrified double-track line, which also serves as a switch station (marshaling yard) at which trains are split-up and newly formed. The operator operates an old manual electro-mechanical signaling system installed in the station inspector’s office. The system is supplemented by a simplified panel of relay connections to the hump signal-box. There is also the section blocking equipment in the station inspector’s office. It is operated independently for directions from/to the Dolný Hričov station. It is an automatic block system without separate line conductors. The operator cooperates with signalers working at three external station boxes. Analyzed working procedures cover a set of activities related to the passage of a transit train through the station, shunting works (in fact realized by signalers), and emergency actions taken in case of failure of the system or its part.

Workplace B (Centralized control point—Žilina station)—the operator (disposition dispatcher) works at the central Žilina railway station, located on the same electrified double-track line. It is an intermediate station through which transit trains pass, terminating trains enter, and departure trains are assembled. The operator at this workplace operates a semi-automatic relay-based signaling system controlled from the control panel at the centralized control point. Analyzed working procedures cover a set of activities related to the following:

• Setting up (locking) and releasing (unlocking) main and shunting routes;
• Asking for or transmitting single-line permission;
• Transmitting permission for locomotives track connected with workplace A;
• Transmitting or canceling permission for the operation of the dependent signal box;
• Closing and opening railway level crossings (if traffic situation requires that);
• Operating emergency buttons with full responsibility of the operator.

The control panel also allows control of individual point movements using manual switches. The operator uses various means of communication (radio station, telephone connector) and records the current traffic situation using an electronic traffic log (in case of its failure, the operator records all activities manually). Since the relay-based system only shows vacancy or occupancy of track sections and cannot display numbers of trains currently located in occupied track sections, the operator must remember or write down which train occupied which track section. The train schedule work primarily determines the operator’s work.

Workplace C (Traffic Control Center Púchov)—unlike both previous workplaces, it is a fully-automated traffic control center that operates several stations and adjacent line sections. It includes the control of five railway stations (Trenčianske Bohuslavice, Trenčín-Zlatovce, Trenčín, Trenčianska Teplá, passing point Nivy), number of switches and the adjacent line sections. The workplace is equipped with a computer-based signaling system. Working procedures are significantly different because this system works mainly in the automatic mode (setting up and releasing transition train routes, and terminating or starting trains). Unlike workplaces A and B, the operator has an overview of the occupancy of individual tracks and identification numbers of trains located in the occupied sections, which significantly facilitates orientation and reduces the amount of information that the operator must remember or write down. All working tasks mentioned above were itemized into individual actions and described in detail in [48].

A brief overview of the rail infrastructure operated by the Rail Infrastructure Manager (ŽSR) is available in the Annual reports [49]. Detailed data show the age structure of employees, their total numbers, and education level, and suggest the usage of multi-generation installations in the rail network. Even if the last published data on technological generations of station-signaling systems come from the Annual report 2013, the current situation has not changed much and is similar to the following:

• Mechanic interlocking—148;
• Electro-mechanical interlocking—68;
• Relay-based interlocking—151;
• Other interlocking—84;
• Electronic interlocking—24;
• Remote-controlled interlocking—323 km of lines.

Replacement of electro-mechanical (or even mechanical) and relay-based signaling technologies by computer-based is a slow process, mainly depending on the availability of financial resources. The advantages and disadvantages of all three technological generations result from their brief characteristics.

The electro-mechanical station-signaling systems check whether activities performed by the operator and other operational staff are safe and cannot endanger traffic safety. Information links between system parts are secured primarily by technological redundancy (oversizing) and by the forced sequence of individual actions. The station-signaling system works autonomously, without the possibility of remote control, so the role of the human operator is irreplaceable. Working conditions may require an excellent physical disposition.

The relay-based station-signaling systems replace the operator in information links between the system parts or between the systems. Excluding the human factor significantly increases the safety and the quality of provided services. Information links are secured primarily by using elements with asymmetric failure (inherently fail-safe) and their high reliability, functional check through interdependencies, elements arrangement, and high-quality technology. The station-signaling system consists of a set of automatic devices and links between them, in which the human factor participates. Provided services already allow automating the control of trains and shunting parts movement.

Computer-based signaling systems can be characterized similarly to the previous technology; however, they have dispatch control implemented. Elements with high operational reliability create the information links between the control center and the controlled objects. Information links between the system parts or systems are secured primarily by redundancy, technological complexity, and high reliability (reactive and composite fail-safe).

Table 1. Brief characteristics of considered technologies.

Technology:	Electro-Mechanical Station Signaling Systems	Relay-Based Station Signaling Systems	Computer-Based Signaling Systems
Outdoor objects controlled	Mechanically	Electrically	Electrically
Type of logical dependencies (interlocking)	Mechanical + electrical	Electrical (relay-based)	Programmable Logic
Transmission of orders, commands, route information	Mechanically + electrically	Electrically	Electrically
Conditions of outdoor objects derived from	Position of control elements	Electrical supervision circuit	Electrical supervision circuit
Conditions of track sections detected by	Operator	Technical means	Technical means
Rolling stock position detected by	Operator	Electrical circuit	Electrical circuit

shows a simplified comparison of selected characteristics of all three technologies.

2.2. Data Collection and Processing

To obtain a realistic picture of the work of operators and the influencing factors that affect their performance, we conducted practical research consisting of observing the real work of operators at individual workplaces. To carry out the monitoring process, we chose three time periods of the day corresponding to work shifts (6:00–12:00, 12:00–17:40 and 18:00–24:00), during which there is the highest intensity of traffic and operators work under higher load. The typical duration of the working hours is 12 h, of which 6 h are spent at the workplace. The second period contains a particular time (17:40) when the gradual change of work shifts and the cooperation of outgoing and incoming operators occur. It follows that the operator works independently only until 17:40. These data are the same for all monitored workplaces. While monitoring the operator’s work, we focused on capturing as many as possible numbers and types of performed tasks. In several short periods, in which we could not record operational data due to various circumstances, missing data were supplemented by the Electronic Traffic Diary (ETD) or Traffic Dispatching System (TDS). Thus, we determined the type and frequency of actions that the operator had to perform. Data on the frequency of operations corresponded to the smooth operation (with minimal disruptions to the train schedule).

Table 2. Sample data collected at workplace A during the observation of 1 person.

Time	TA	TB	TC	TD	TE	TF	TG	TH	Sum
10:30	1	1	1	1	1				5
10:31	1	5	1						7
10:32				1					1
10:33	1								1

shows sample data recorded at workplace A. Our observation at this workplace lasted 520 min. Symbols TA up to TH represent individual tasks performed by the operator, having the following meanings: TA—communication with co-workers via communications means; TB—work with ETD; TC—setting up a route; TD—releasing a route; TE—transmitting permission for the operation of the dependent interlocking; TF—transmitting single-line permission; TG—transmitting permission for the use of the locomotive track between workplaces A and B, and TH—checking the rear of the train. Then we used observed data to obtain the frequency of individual operations, operator’s commitment and other needed findings (see sections Results and Discussion).

Table 3. Sample data collected at workplace B during the observation of 1 person.

Time	TA	TB	TC	TD	TE	TF	TG	TH	TI	TJ	Sum
10:30											0
10:31	1			1							2
10:32		3						1			4
10:33		1		2							3

shows a similar sample of data recorded at workplace B. The total monitoring time was 810 min. The number and meanings of observed tasks have slightly changed: TA—communication with co-workers via communications means; TB—work with ETD; TC—setting up a shunting route; TD—setting up the main route; TE—transmitting permission for the operation of the dependent interlocking; TF—releasing a route; TG—moving a point individually; TH—transmitting the single-line permission; TI—opening/closing a level crossing installation inside the railway station area; and TJ—transmitting permission for the use of the locomotive track between workplaces A and B.

Finally,

Table 4. Sample data collected at workplace C during the observation of 1 person.

Time	TA	TB	TC	TD	TG	TH	TI	TP	Sum
10:30	1								1
10:31		1			2				3
10:32						1		1	2
10:33			1					1	2

shows sample data collected at workplace C. The observation lasted a total of 1110 min. Since the number of observed action types was higher, in Table 4 we intentionally omitted the columns representing activities not observed during the sample period. The list of them is as follows: TA—communication with co-workers via communications means; TB—work with information systems (in addition to ETD, the operator also used TDS and ADS (arrivals/departures to/from a station)); TC—moving a point individually; TD—changing an automatic setting route sentence; TE—inserting/changing/removing a train number; TF—checking the automatic setting up main routes; TG—setting up the main route; H—releasing the main route; TI—setting up a shunting route; TJ—transmitting permission to operate dependent interlocking; TK—performing an emergency operation; TL—inserting/editing/confirming/removing a warning text; TM—transmitting a single-line permission; TN—confirming/removing a call of the operator; TO—confirming/removing an operational indication; and TP—confirming/removing a fault message.

Table 2, Table 3 and Table 4 indicate that the types of tasks are different at individual workplaces, and performing the same operation (e.g., setting up the main route) will require a different number of them. In order to make at least an approximate comparison of workplaces possible, we assume the subsequent grouping of tasks into more easily comparable groups of a similar type (Section 3.1).

2.3. Event Trees

Another part of our qualitative analysis dealt with building event trees (sometimes also called task trees). This methodical approach makes it possible to determine potential conditions and event sequences. Each node of the tree represents an action, the sequence of which is shown from the top downwards. The branch originating from the node to the left (marked with a capital letter) indicates the success; the branch going to the right (marked with a lowercase letter) indicates the failure. To demonstrate the analyst’s approach, let us show an example of the event tree representing an operation performed at workplace B, which ensures setting up the main route (Figure 1).

Setting up a main route, the operator must select and push the appropriate start and end buttons on the control panel. The meaning of branch A-a is as follows: (A)—the right choice and service of the start button, (a)—incorrect operation of the start button. The meaning of branch B-b is analogical for the end button. The symbol S represents the successful issuing of the order for setting up the main route, and the symbol F represents its failure.

2.4. Quantitative Analysis

We quantified individual branches of the created event trees in the next step. Each branch represents one operator’s action, performable either correctly or incorrectly. By applying the probability of successful or unsuccessful execution of a partial task, we can find out the overall probability of the successful execution of the whole task or, conversely, the probability that the operator may fail to perform the task. For quantitative evaluation, we used recommended data taken from the HRA handbook [17] and worked with two types of values: the human error probability (HEP) and the error factor (EF). To ensure consistency of estimations, we tried to ensure the same or as similar observation conditions as possible: workplaces located in the neighborhood and on the same railway line, the same observer, the same operator within a specific workplace, and the same methodology.

HEP is the probability of an error occurring when performing a given task. Because of the lack of data on distributions of HEPs for railway domain operators, we used the lognormal distribution and the single-point estimates of HEPs regarded as medians of this distribution. We used EF values to designate the range of HEPs. For example, if we have the nominal value HEP = 0.003, and EF = 3, the lower HEP limit can be obtained as $\mathit{HEP}/\mathit{EF}=0.003/3=0.001$, and the upper HEP limit as $\mathit{HEP}\times \mathit{EF}=0.003\times 3=0.009$. The lower limit represents the 5th percentile of the logarithmic normal distribution of the HEP value, and the upper limit represents the 95th percentile of the HEP value. The analyst who knows the evaluated process can apply the appropriate limit of HEP according to his/her judgment and information obtained about the analyzed process. Getting the HEP estimate, we can calculate the human success probability (HSP), according to (1):

$$HSP=1-HEP.$$

(1)

Traversing the task tree up to the value of the resulting HSP, there are various mutually independent actions. Therefore, we can determine the value of the resulting probability of successful execution of the task P(S) according to the THERP method as the product of all partial HSPs of each branch in the tree:

$$P\left(S\right)=\prod _{i=A}^{Z}HS{P}_i,$$

(2)

where A represents the HSP value of the first operation within the task tree and Z is the HSP value of the last operation within the task tree. We can use the calculated value of the total P(S) and determine the probability of failure P(F) of the whole complex task as

$$P\left(F\right)=1-P\left(S\right).$$

(3)

Despite existing limitations, using the models and estimated HEPs from the Handbook [17] can generally lead to realistic risk assessments and reliability analysis.

Figure 2 shows our understanding of the influence of the operator’s and the signaling system’s failure on accident occurrence. It makes it possible to consider various technological levels of the station-signaling systems and the different roles of the operator. Let us assume the following:

$P_{SS}$—the probability of hazardous failure of the signaling system;

$P_{SS\_OK}$—the probability of hazardous failure of the signaling system depending on the level of automation and implementation of safety-related functions:

• $P_{SS\_OK}$ ≈ 0—release of the main route; full automation; all safety-related functions performed by the signaling system;
• $P_{SS\_OK}$ = (0 − 1)—partial automation; not all safety-related functions performed by the signaling system;
• $P_{SS\_OK}$ = 1—without automation and the signaling system.

$P_{SS\_SF}$—the probability of the signaling system failure and its impact on safety-related functions performed by the signaling system:

• $P_{SS\_SF}$ = 0—the signaling system is operational;
• $P_{SS\_SF}$ = (0 − 1)—the signaling system is partially operational; not all safety-related functions are available;
• $P_{SS\_SF}$ = 1—the signaling system is inoperable; no safety-related function is available.

$$P_{SS}=P_{SS\_OK}+P_{SS\_SF}-P_{SS\_OK}\times P_{SS\_SF},$$

(4)

where

• $P_{SS}$ = 0 the signaling system performs all safety-related functions and fully supervises the operator; operator’s error cannot cause an accident ($P_D$ = $P_{SS}$ × $HEP$ = 0);
• $P_{SS}$ = 1 the signaling system is not available (inoperable or non-existent); it cannot perform any safety-related function ($P_D$ = 1× $HEP$ = $HEP$).

Other essential variables we worked with were the factors influencing operators’ performance. In cooperation with the HRA, the THERP method includes these factors in analyzing the operator’s work in the form of PSFs. We adopted the values based on [17]. The interpretation of that approach is as follows: if all the conditions for the operator’s work are optimal, then the multipliers are equal to number 1. It means that they do not affect the calculated probabilities of HEP. Applying these factors requires a perfect situation awareness, i.e., knowledge of the work environment, behavior and experience of the particular operator, knowledge of the current state of the work process, and knowledge of the available work procedures. With this necessary knowledge, the analyst can adapt the analysis to specific work procedures and operators. For this reason, we also observed the work of operators at different workplaces and at different times of the day to know the potential effects of these influencing factors.

In addition, the operator’s performance is also affected by the very dynamics of the controlled process. In our case, the operator’s load depends on the traffic intensity at the given workplace. To model it, we used the values given in

Table 5. PSFs overview for workplace A.

PSF	PSF Level	HEP Multipliers
Time available to solve the task	adequate	×1
Stress factor	normal	×1
The complexity of the task	normal	×1
Experience	high	×0.5
Working practices	satisfactory	×1
Ergonomics and HMI	good	×0.5
Ability to perform work	satisfactory	×1
Working process	smooth	×1
Workload	optimal	×1

,

Table 6. PSFs overview for workplace B.

PSF	PSF Level	HEP Multipliers
Time available to solve the task	adequate	×1.2
Stress factor	normal	×1
The complexity of the task	normal	×1.2
Experience	high	×0.5
Working practices	satisfactory	×1
Ergonomics and HMI	satisfactory	×0.9
Ability to perform work	satisfactory	×1
Working process	dynamic	×0.8
Workload	medium-high	×3

and

Table 7. PSFs overview for workplace C.

PSF	PSF Level	HEP Multipliers
Time available to solve the task	adequate	×1.1
Stress factor	normal	×1
The complexity of the task	normal	×1.1
Experience	high	×0.5
Working practices	satisfactory	×1
Ergonomics and HMI	good	×0.5
Ability to perform work	satisfactory	×1
Working process	smooth	×0.9
Workload	medium-high	×2

.

Data in tables correspond to experienced operators who have experience with all types of tasks for at least six months. When determining the workload levels of the operator, we must also distinguish between the types of fulfilling the tasks. Two basic types of task performance are under consideration:

1.

‘Step-by-step tasks’ are routines, procedural guided tasks, carrying out presc- ribed procedures.

2.

‘Dynamic control’ involves a higher degree of human–machine interaction.

The operator also performs tasks on the basis of his/her own decision, monitoring and adherence to various operating procedures.

3. Results

3.1. Data Processing

The variety of work tasks resulting from different technological levels of control systems at workplaces A, B, and C complicates their mutual comparison. To facilitate the comparison process, we decided to group the tasks into three groups. It is first necessary for the operators to recognize that something unusual has happened and to distinguish the relevant signals (functions of perception and discrimination) [17]. We treated this as primarily a display and communication problem. Having discerned that something unusual is happening, the operating personnel must diagnose the problem, decide what action to take, and it carry out (function of response). Therefore we established three comparable groups discussed below. Processing of the observed and collected data brought the following results. We determined the frequency of individual operations in hourly intervals for a specific 6 h working time:

1.

Communication (COM);

2.

Work with the information system (e.g., ETD);

3.

Operating the interlocking system (IS).

Figure 3, Figure 4 and Figure 5 show the actions observed at workplaces A, B, and C during the work shift 6:00–12:00. Similar results are available for the other two work shifts.

Data processing showed the work commitment of operators during three given periods (

Table 8. Distribution of operator’s actions.

	IS		ETD		COM		Sum
Workplace B	No.	%	No.	%	No.	%	100%
06:00–12:00	216	44	161	33	111	23	488
12:00–17:40	248	47	174	33	104	20	526
18:00–23:59	149	45	115	34.5	69	20.5	333
Workplace B	No.	%	No.	%	No.	%	100%
06:00–12:00	533	46	349	30	279	24	1161
12:00–17:40	426	40	332	31.5	301	28.5	1059
18:00–23:59	495	49	238	23.5	281	27.5	1014
Workplace C	No.	%	No	%	No	%	100%
06:00–12:00	467	57	131	16	218	27	816
12:00–17:40	695	69	142	14	176	17	1013
18:00–23:59	311	66	83	18	75	16	469

).

3.2. Analysis of Communication

Communication is one of the most frequently occurring activities that affect the operator’s performance in managing the transportation process. The communication analysis is finding the potential impact of incorrect communication on the safety of the controlled process. The output of the analysis is the probabilities of correct or incorrect transmission of a certain number of instructions to cooperating employees. We drew data for communication analysis from

Table 9. HEP and EF values for the communication analysis.

Number of Instructions	HEPn	Recommended EF
1	0.001	3
2	0.006	3
3	0.03	5
4	0.1	5

, which is a transcription of the original Table 15-1 column c found in the HRA Handbook [17], containing estimated probabilities of errors in recalling oral instruction items not written down. HEPn means HEPnominal.

We analyzed the communication in which the operator gives or receives a certain number of instructions (most often 2 or 3 of them). An example of calculating the probability of error in communication with three instructions, applying Equation (1), is as follows:

$$HEP=1-HS{P}_1\times HS{P}_2\times HS{P}_3.$$

(5)

Individual (indexed) HSPs represent probabilities of the successful communication of individual instructions. Since the repetition of instructions is used as a sign of understanding and memorizing instructions, the probabilities of communication error are relatively low. We obtain $\mathit{HEP}=1-0.999\times 0.994\times 0.97=0.037$.

3.3. Analysis of Control Operations

Knowing all functional elements, we assigned nominal values of HEPs and applied EFs to define the HEPs limits.

Table 10. Summary of HEPs, HSPs of operated elements (workplace A).

Operating Element	HEPn	EF	HEP	HSP
Slider in the rail yard relief	0.005	1	0.005	0.995
Route locking block	0.05	1	0.05	0.95
Bell key	0.001	1	0.001	0.999
Order reception block handle	0.001	1	0.001	0.999
Route locking block handle	0.001	1	0.001	0.999
Transm. permission signal operates	0.003	3	0.009	0.991
Emergency signal button	0.003	1	0.003	0.997
Emergency block interlock. release	0.001	1	0.001	0.999

,

Table 11. Summary of HEPs, HSPs of operated elements (workplace B).

Operating Element	HEPn	EF	HEP	HSP
3-position return button	0.005	3	0.015	0.985
Emergency button (with seal)	0.005	1	0.005	0.995
3-position point controller	0.001	10	0.01	0.99

and

Table 12. Summary of HEPs, HSPs of operated elements (workplace C).

Operating Element	HEPn	EF	HEP	HSP
Mouse click on the symbol	0.0005	10	0.005	0.995
Select function in the list	0.001	3	0.003	0.997
Emergency operation	0.001	1	0.001	0.999

show us the summary lists of nominal HEPs, chosen EFs, and HEPs, and HSPs for all three workplaces.

The previous Table 10, Table 11 and Table 12 (given for workplaces A, B, and C, respectively), show nominal HEPn values that are multiplied by recommended EF, giving us the resulting HEP and HSP values for each identified and considered operation.

3.4. “How to Apply" Example

Each task consists of a certain number of operations. Once we have all the data available, we can quantify human failure in performing individual tasks. Using the example of the task “setting up the main route”, we can show how to apply the presented procedure. The “main route” means a route set up for a train. In the case of a semi-automated relay-based control system operated at workplace B, the task “setting up the main route” requires pressing two appropriate three-position buttons:

• The start button, delimiting the place at the main signal, where the main route begins;
• The end button, delimiting the place at the next signal, where the main route ends.

Selection and pressing of the buttons are carried out on the control panel.

We must create an event tree (also a task tree) representing the procedure of the task. In this case, we can use the task tree that is already given and explained in Figure 1. The operator selects from a large number of buttons, which are distinguished by the colors of the button heads (in our case, either green or white) and the names of the assigned signals to which they belong. The calculation of HEP for the given task (denoted as $HE{P}_T$) is as follows:

$$HE{P}_T=1-HS{P}_1\times HS{P}_2=1-0.985\times 0.985=0.03.$$

(6)

Then the calculation of the human success probability for the given task (denoted as $HS{P}_T$) is as follows:

$$HS{P}_T=HS{P}_1\times HS{P}_2=0.985\times 0.985=0.97$$

(7)

where $HS{P}_1$ is the human success probability calculated and declared in Table 11 for the correct operation of the 3-position return button (here considered as a start button); and similarly, $HS{P}_2$ is the human success probability calculated and declared in Table 11 for the correct operation of the 3-position return button (here considered an end button).

The next step includes taking into account PSF, which was set to a value of 1.56 for workplace B (achieved as the product of all HEP multipliers in the last column of Table 6). Then the final value of HEP for setting up the main route at workplace B can be reached as:

$$HEP=0.003\times 1.56=0.047$$

(8)

which means that the operator will make an error in approximately 4.7% of cases when performing the task in question.

3.5. Final Overview of Most Frequent Tasks

The same approach as presented in Section 3.4 was applied to the most frequently performed tasks at each workplace. The overview of the final results for workplace A is available in

Table 13. Final overview of workplace A.

	No. of Tasks			Used Values
	6–12 h	12–18 h	18–24 h	HEP	HSP
Task 1	37	40	26	0.014	0.986
Task 2	74	76	48	0.014	0.986
Task 3	37	36	24	0.015	0.985
Task 4	111	104	69	0.009	0.991
Task 5				0.002	0.998
Task 6	-	-	-	0.001	0.999

.

It includes the following actions:

• Task 1—setting up the main route to Žilina direction (without any communication);
• Task 2—release of the main route;
• Task 3—setting up the main route to Dolný Hričov direction (without any communication);
• Task 4—communication with three instructions;
• Task 5—communication with two instructions;
• Task 6—emergency operation of the signal (really observed not once).

Total observed actions recorded during all three work shifts were 488, 526, and 333. The value of the used PSF was 0.25. It was achieved as the product of all HEP multipliers in the last column of Table 5.

Table 14. Final overview of workplace B.

	No. of Tasks			Used Values
	6–12 h	12–18 h	18–24 h	HEP	HSP
Task 1	162	157	113	0.047	0.953
Task 2	302	231	295	0.047	0.953
Task 3	279	301	281	0.009	0.991
Task 4				0.011	0.989
Task 5	19	5	10	0.016	0.984
Task 6	7	8	9	0.001	0.999
Task 7	-	-	-	0.008	0.992
Task 8	-	-	-	0.031	0.969

shows the results for workplace B.

We evaluated the following tasks:

• Task 1—setting up the main route;
• Task 2—setting up a marshaling route;
• Task 3—communication with three instructions;
• Task 4—communication with two instructions;
• Task 5—moving points using a switch;
• Task 6—release of a route;
• Task 7—emergency operation of entry signals;
• Task 8—emergency operation of departure signals (Tasks 7 and 8 not observed).

Total observed actions recorded during all three work shifts were 1161, 1059, and 1014. The value of the used PSF was 1.56. It was achieved as the product of all HEP multipliers in the last column of Table 6.

Table 15. Final overview of workplace C.

	No. of Tasks			Used Values
	6–12 h	12–18 h	18–24 h	HEP	HSP
Task 1	44	46	8	0.007	0.993
Task 2				0.005	0.995
Task 3	69	48	35	0.009	0.991
Task 4				0.007	0.993
Task 5	218	176	75	0.02	0.98
Task 6				0.004	0.996
Task 7	129	295	155	0.003	0.997
Task 8	34	12	37	0.004	0.996
Task 9				0.003	0.997
Task 10	7	6	3	0.004	0.996
Task 11	-	-	-	0.008	0.992

shows the results obtained at workplace C.

In this case, we evaluated the following actions:

• Task 1—setting up the main route based on the selection of the function from the list;
• Task 2—setting up the main route without selection of the function;
• Task 3—setting up a marshaling route based on the selection of the function from the list;
• Task 4—setting up a marshaling route without selection of the function;
• Task 5—communication with three instructions;
• Task 6—communication with two instructions;
• Task 7—check of the main route (1 track section);
• Task 8—moving the points based on the selection of the function from the list;
• Task 9—moving the points by double mouse click;
• Task 10—release of a route;
• Task 11—emergency operation of the signal (really observed not once).

Total observed actions recorded during all three work shifts were 816, 1013, and 469. The value of the used PSF was 0.54. It was achieved as the product of all HEP multipliers in the last column of Table 7.

The following subsections present the results of comparisons of selected tasks performed by the traffic operator.

3.5.1. Setting up the Main Route

We found the lowest value of human error probability for this kind of operation at workplace C (HEP = 0.005 or 0.007, based on the operation procedure—see Table 15). This results from the high degree of automation of the control system functions. The operator can see the train number on display and the current traffic situation on the station’s suitably arranged schematic plan. In addition, the number of operations of this type is limited because the function of the automatic setting up of the main route is used. In contrast, at workplace A, the operator must operate four manual elements (possibly also additional buttons of the relay interface) and cooperate with other persons. Due to the operator’s workload, the HEP value when operating the signaling system is approximately 0.014 (see Table 13). The operator performs approximately 50 to 70 tasks of this type during 6 h (obtained as a sum of Tasks 1 and Tasks 3 in Table 13 in the same work shifts), depending on the current traffic situation. We determined the highest HEP = 0.047 at workplace B (Table 14), where the operator operates a semi-automated central relay-based signaling system. The highest PSF influences the operator. The main route is set up approximately 110 to 160 times in 6 h (see Task 1 in Table 14). What is more, an entrance or departure route typically consists of 1 or 2 separate main sub-routes, manually set up by the operator.

3.5.2. Releasing the Main Route

The nature of this task is different at each workplace. The system at workplace A must get into the default position after each train’s pass (approximately 50 to 75 times in 6 h—see No. of Tasks 2 in Table 13 in individual work shifts). The probability of human error, in this case, is about 0.014 (see HEP value for the Task 2 in Table 13). At the other two workplaces, both main and marshaling routes are released automatically, except for emergencies, which were observed about 7 to 9 times in 6 h at workplace B (HEP = 0.004), and 3 to 7 times in 6 h at workplace C (HEP = 0.023).

3.5.3. Communication

Communication is an important operation at each of the analyzed workplaces. We observed how the operator gives or receives a certain number of instructions, but most often 2 to 3 instructions. We found the smallest HEP value for the communication at workplace A (about 0.002 for 2 instructions, 0.009 for three instructions—see Table 13). The operator communicates in 6 h approximately 70 to 120 times (including communication while setting up the marshaling routes). At workplace C, the operator communicates about 80 to 220 times in six hours, with HEP = 0.004 for two instructions and 0.002 for three instructions (see Table 15). The highest intensity of communication was observed at workplace B—about 280 to 300 times in 6 h. That brings the highest HEP = 0.011 for two instructions and HEP = 0.058 for three instructions (see Table 14).

3.5.4. Setting up a Marshaling Route

At workplace A the operator is not involved in setting up marshaling routes. The operator at workplace B performs it approximately 230 to 300 times in 6 h, HEP = 0.047 (Table 14). At workplace C the frequency of this task is about 35 to 70 times (Table 15).

3.5.5. Point Movement

This task can be performed only at workplaces B and C. At workplace B the operator operates a 3-position switch controller, with HEP = 0.016 (approximately 5 to 20 times in 6 h, (see Table 14)). At workplace C the HEP values are the lowest (0.03 or 0.04, based on the operation type), and the operation is performed 3 to 7 times in 6 h (Table 15).

3.5.6. Emergent Signal Operation

This kind of operation has the lowest HEP at workplace A (Table 13). This value is also influenced by the fact that the operator cooperates with other employees in giving the proceed aspect in an emergency, and those employees may reveal a possible operator’s error. At workplace C, we obtained HEP = 0.008 (Table 15). The value is lower because the operator must check and confirm that the conditions for setting up a considered main route are met. In the case of Workplace B, the situation depends on the type of signal operated in an emergency. For example, the operator uses a particular emergency signal button (HEP = 0.008). When operating a departure signal, one more operation is needed (selecting a group button before use of a particular emergency signal button, then HEP is up to 0.031).

Finally, we can compare all three workplaces using the aggregated distributions of operations, tasks and errors (Figure 6, Figure 7, Figure 8 and Figure 9).

3.5.7. Comparison of Workloads

Due to the number of operations and the operator’s workload in controlling the traffic process, the operator at workplace B (a semi-automated relay-based signaling system) is generally the busiest. There is also a reflection of this fact found in the calculated PSF. Its values are 1.56 times the HEP value. The operator at workplace B performs all actions, comparable at all workplaces, with the highest HEP value. Therefore, another ’auxiliary panel dispatcher’ can also operate the signaling system according to the primary operator’s instructions, thus reducing the operator workload. At workplace C, the character of the operating system (the highest degree of automation) has a positive effect on lower HEP value. PSF factor of 0.54 times the calculated HEP suppresses the overall possible chance error. At workplace A, there is the lowest workload of the operator and the lowest selected PSF at the level of 0.25 times the calculated HEP. The secondary check performed by other cooperating co-workers reduces potential human errors.

4. Discussion

The analysis of human reliability is more developed for some areas, and less for others. Inspired by the principles and methods applied in other well-developed domains (especially nuclear power engineering), our intention was to fill the existing gap in the field of railway traffic management. This is a rather conservative area, as a result of which many railway infrastructure managers around the world use multiple technological generations of railway signaling systems, from the oldest to the latest ones. According to our knowledge so far, there are no scientific studies that would compare different aspects of the work of traffic operators working with control systems of different generations, based on different degrees of automation. Therefore, we decided to apply one of the human reliability assessment (HRA) methods to three different workplaces with different degrees of automation—manually controlled (workplace A), semi-automated (workplace B), and automated (workplace C). Particularly, we chose THERP as the 1st generation HRA method. THERP was developed for probabilistic risk assessments of nuclear industry applications (nuclear power plants) but has been applied to other sectors, such as offshore and medical, and is a generic tool that can be applied in other sectors. The reasons for choosing THERP in our study were detailed in the introductory part of Section 2 (dependence on the willingness of operators to cooperate, limited observation time, well-documented applications in other domains, and nature of controlled process enabling a simplified view).

Implications of our study for human factors theory and methodology, and for the practice of railway operations can be summarized as follows:

• Based on our expertise in railway traffic management, we made the transfer of knowledge from other application areas, where HRA methods are widely and successfully used, and based on practical observations, we made the subjective assignment of important data (PSF, HEP) needed for practical THERP implementation;
• Using particular examples, we demonstrated the procedure of how to apply the THERP method to railway signaling systems that use different technologies and various degrees of automation;
• We also discussed the problem of ensuring at least approximately similar operating conditions that would allow obtaining comparable results in the human operator reliability analysis (e.g., HEP for specific operations, HEP for particular control tasks, and the workload of traffic operators);
• Based on the presented approach, the railway infrastructure manager can obtain an idea of the workload of the operators, the distribution of tasks over time, and their composition (numbers and types of operations), which can be beneficial, e.g., when preparing the content of training and testing activities.

4.1. Limitation of the Method

Human reliability assessment (HRA) involves the use of qualitative and quantitative methods to assess human contribution to risk. The method applied in our study (THERP) is used for the purposes of evaluating the probability of a human error occurring throughout the completion of a specific task. It has the following limitations:

• It can be very resource intensive and time consuming. It may require a large amount of effort to produce reliable HEP values;
• It does not offer enough guidance on modeling scenarios and the impact of PSFs on performance;
• The level of detail that is included in THERP may be excessive for many assessments;
• As the 1st generation technique, it works on the basis of the simple dichotomy of ‘fits/doesn’t fit’ in matching an error situation in context with related error identification and quantification, i.e., it means that its procedures follow the way conventional reliability analysis models a machine.

Generally, the character of collected data makes it possible to analyze the dynamics of human errors. For example, we could expect to observe a dependence between the time spent at the workplace and the probability of human error. However, the practical results and used method did not allow us to confirm or deny this assumption. The number of observed errors was relatively low, and according to our analysis, their occurrence was more dependent on increased traffic intensity and higher stress caused by the need to perform multiple operations simultaneously.

4.2. Limitation of Application Domain

Comparing different railway signaling systems under the same conditions and in the same workplace is a hypothetical and unattainable task. Even upgrading the old station-signaling system to the new one does not guarantee the same comparable conditions. Implementing a higher degree of automation in the same workplace will naturally extend the implemented functions and change the character and scope of the operator’s activities.

However, many influences can undermine the comparability conditions. Humans have certain mental and physical conditions, resistance to fatigue and emotional stress, the ability to perform more than one task simultaneously (multitasking), and various achieved levels of training. Variable traffic conditions can influence the operator’s workload, create time pressure, cause the operator’s inattention, and evoke improper routine habits. Other factors worth mentioning are the availability of the working procedures, experiences with the tasks of the same type, experiences with known tasks, the time interval between two successive operations, knowledge of the operational situation, and the operator behavior mode (skill based, rule based, and knowledge based). Thus the behavior of different operators or even the same operator in the same traffic situation may not always be the same. It is necessary to take into account the different weights of influencing factors. To eliminate as many influencing factors as possible, or reduce their influence at least, we adopted the following monitoring principles:

• We chose such workplaces A, B, C that were situated on the same rail line, close to each other, to ensure similar traffic conditions, and having similar numbers of starting, passing, and ending trains;
• We made observations at the exact daily times (the same days of the week and the same working hours) when the same train schedule determined traffic performance;
• Each time, we monitored the same operator during the chosen work shifts. This choice also had a practical reason since not every operator was willing to take part in the monitoring process and communicate with the observer;
• The same observer performed observations at the same workplace.

4.3. Particular Findings

When presenting results, we grouped operations into three groups to more easily make a comparison possible (Section 3.1). The obtained data showed the following:

• In the considered 3 groups of operations, there are no significant changes in individual work shifts.
• The smallest number of operations is expected at Workplace A, which is connected to their manual (and often physically demanding) nature; on the other hand, the operator at the semi-automated workplace B faces the biggest workload.
• Full automation at workplace C results in the lowest number of actions requiring the need for human communication and a significant limitation of actions related to ETD.

It is worth reminding that, from the safety point of view, the purpose of railway interlocking and signaling systems is to control or completely replace (if possible) the unreliable human factor, and therefore to reduce the number of actions performed by humans.

Our analysis required the collection of data characterizing the activities of individual operators. In total, we completed approximately 1440 min of monitoring the real operation. As a result, we could observe and analyze all the performed tasks and analyze them in 15 min and 1 h time intervals. The analysis resulted in the creation of event trees. In the quantitative part of the analysis, we used the trees to assign probabilities for each task and calculate final HEP and HSP values. An essential part of the analysis was assigning the influencing factors and their application as multipliers. The results indicate that operators do not make many errors. HEP values are between 0.01 and 0.016. The results of the presented research attracted the attention of the railway infrastructure manager. They made it possible to re-evaluate operators’ workload and working duties at the analyzed workplaces and more suitably deal with additional organizational and technical measures.

4.4. Future Work

Our study is closed under the present situation, i.e., we do not plan to collect more data. However, as reconstruction work is underway on the Púchov–Žilina railway line, there is a chance that workplaces A and B will soon be upgraded to a higher technological level. Then we could repeat our monitoring effort to obtain comparable data from the site with (almost) the same traffic intensity, the same track configuration, and maybe the same operators as well.