IAEA-TECDOC-538
HUMAN ERROR CLASSIFICATION AND DATA COLLECTION
REPOR TECHNICAA F TO L COMMITTEE MEETING ORGANIZED BY THE INTERNATIONAL ATOMIC ENERGY AGENCY AND HEL VIENNADN I , 20-24 FEBRUARY 1989
A TECHNICAL DOCUMENT ISSUED BY THE INTERNATIONAL ATOMIC ENERGY AGENCY, VIENNA, 1990 Ti>e ' AHA does not normally maintain stocks of reports in this series. However, microfiche copies of these reports can be obtained from
l h IS Clearinghouse Internationa! Atomic Energy Agency VVagramerstrasse5 P.O. Box 100 A-1400 Vienna, Austria
Orders shoul accompaniee db prepaymeny db f Austriao t n Schillings 100, fore for e chequ3 ath th f nm IAEf m o n i o r eAo microfiche service coupons whicrs may be ordered separately from the INIS Clearinghouse, HUMAN ERROR CLASSIFICATIO DATD NAN A COLLECTION IAEA, VIENNA, 1990 IAEA-TECDOC-538 ISSN 1011-4289
Printed by the IAEA in Austria January 1990 EDITORIAL NOTE
In preparing this material press,the for staff Internationalofthe Atomic Energy Agency have mounted paginatedand originalthe manuscripts submittedas authorsthe givenby and some attention presentation.the to The views expressed in the papers, the statements made and the general style adopted are the responsibility namedofthe authors. necessarily viewsnot The do reflect those governments ofthe of the Member States or organizations under whose auspices the manuscripts were produced. thisin The bookuse of particular designations of countries territoriesor does implynot any judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities institutions delimitationand the of or theirof boundaries. The mention specificof companies theirof or products brandor names does implynot any endorsement recommendationor IAEA. partthe the of on Authors themselvesare responsible obtainingfor necessarythe permission reproduceto copyright material from other sources. PLEASE BE AWARE THAT MISSINE TH AL F LO G PAGE THIN SI S DOCUMENT WERE ORIGINALLY BLANK CONTENTS
1. HUMAN ERROR CLASSIFICATION AND DATA COLLECTION - GENERAL ..... 9
1.1. Introduction ...... 9 . 1.2. General objective f humao s n error classificatio datd nan a collection ...... 0 1 . 1.2.1. Human error classification ...... 0 1 . 1.2.2. Data collection ...... 1 1 . 1.2.3. Interaction of human error classification and data collection ...... 12 1.3. Specific objective f humao s n error classificatio datd nan a collection ...... 2 1 . 1.4. Current situation ...... 4 1 . 1.5. General remarks/possible ways forward ...... 15
. 2 QUALITATIVE DATA COLLECTIO CLASSIFICATIOD NAN N ...... 7 1 .
2.1. Introduction ...... 7 1 . 2.2. Data requirements ...... 17 2.2.1qualitativy Wh . e human error data shoul collectee db d ...... 7 1 . 2.2.1.1. Plants ...... 8 1 . 2.2.1.2. Researchers ...... 9 1 . 2.2.1.3. Community/authorities ...... 20 2.2.2. Data limitations ...... 21 2.2.3. Factual information ...... 2 2 . 2.2.4. Information base subsequenn do t analysi judgemend an s t ...... 3 2 . 2.2.5. Collection ...... 3 2 . 2.2.6. Classification ...... 4 2 . 2.2.7. Feedbac f datko a ...... 4 2 . 2.3. Promotio f planno t specific human error reporting ...... 5 2 . 2.3.1. Management culture ...... 25 2.3.2. Safety awareness training of plant staff ...... 26 2.3.3. Repeated management actions to promote reporting ...... 26 2.3.3.1. Organization of reporting system ...... 27 2.3.3.2. Benefit fro reportine mth g system ...... 8 2 . 2.4. Recommendations ...... 9 2 .
3. QUANTITATIVE DATA COLLECTION AND CLASSIFICATION ...... 31
3.1. Introduction ...... 31 3.2. Dattechniqued an a s ...... 1 3 . 3.2.1. Techniqu r humaefo n error rate prediction (THERP) ...... 2 3 . 3.2.2. Accident sequence evaluation programme (ASEP) ...... 2 3 . 3.2.3. Human cognitive reliability correlation (HCR) ...... 3 3 . 3.2.4. Maintenance personnel performance simulation (MAPPS) ...... 3 3 . 3.2.5. Operational action tree (OAT) ...... 34 3.2.6. Success likelihood index methodology (SLIM) ...... 5 3 . 3.2.7. Socio-technical approach (STAHR) ...... 5 3 . 3.3. Possible data sources ...... 35 3.3.1. Nuclear power plant experience ...... 36 3.3.2. Use of simulators ...... 36 3.3.3. Expert opinion ...... 37 3.4. Conclusion recommendationd an s s ...... 7 3 . 3.4.1. AxCtual situation ...... 37 3.4.2. Suggested future improvements ...... 38
. 4 PROPOSA CO-ORDINATEA R LFO D RESEARCH PROGRAMME ...... 0 4 .
4.1. Co-ordinated research programme ...... 0 4 . 4.2. Overal ...... lP objectiveCR e th f o s 0 4 . 4.3. Researc discussiod han n topics ...... 1 4 . 4.4. Product f programmo s e ...... 2 4 .
APPENDI . X1 FACTOR S AFFECTING HUMAN PERFORMANCE ...... 3 4 .
ANNEX. PAPERS PRESENTE MEETINE TH T DA G
SSPB activities on analyzing human performance problems ...... 47 L. Jacobsson An approach to human error minimization in PHWR safety related operations ...... 51 GovindarajanG. Human errors — human caused, environment caused ...... 61 K. C. Subramanya Human reliability data collectio r qualitativnfo e modellin quantitativd gan e assessment ...... 1 7 . D.A. Lucas, D.E. Embrey, A.D. Livingston Collection, analysi classificatiod san f humano n performance problem Swedise th t sa h nuclear power plants ...... 3 8 . J.-P. Bento Human characteristics affecting nuclear safety ...... 95 M. Skof Human reliability models validation using simulators ...... 103 Aguinaga,M.de Garcia,A. Nunez,J. PradesA. Outline of the development of a nuclear power plant human factor data base ...... Ill Kameda,A. KabetaniT. Human error classificatio datd nan a collectio surve n— Indian a n yi n nuclear power plant ...... 7 12 . N. Rajasabai, V. Rangarajan, K.S.N. Murthy Possibilitie necessitd san humae th f yo n error data collectio Pake th st n a nuclea r power plant ...... 141 T. Szikszai Higher operational safety of nuclear power plants by evaluating the behaviour of operating personnel ...... 7 14 . M. Mertins, . GlasnerP Human reliability data sources — applications and ideas ...... 155 P. Pyy, U. Pulkkinen, J.K. Vaurio
List of Participants ...... 169 1. HUMAN ERROR CLASSIFICATION AND DATA COLLECTION - GENERAL
1.1 Introduction
Awareness of human factors and human reliability has increased significantly over the last 10 to 15 years primarily due to major catastrophes that havd significanha e t human error contributions, e.g. Three Mile Island, Challenger space shuttle, Chernobyl. Eac f theso h e and other incidents have identified different types of human errors and failings; some of which were not generally recognized prior to the incident. e resultth o t f thesso e eDu events beeha nt i swidel y recognized that more information about human actions and errors is needed to improve safety and operation of nuclear power plants. For a long time the Fault Assessment/Reliability world realized it needed data on component and system failure d createan s d scheme r collectinfo s g suitable data. Probabilistic Safety Assessment (PSA) studies have starte o incorporatt d e human action d errorsan s A specialistPS ; w demandinno e sar g human reliability dat o incorporatt a e withi A modelsPS n .
The initial attempts to collect human reliability and error data wer o reviet e w existing plant data collection scheme d extensan d their coveraya to identify failures due to human errors. Recently schemes have been started that are dedicated solely to the collection of human error analysie datath r ,o f huma so n performance related plant events, e.ge th . Institut Nuclear fo e r Power Operations' Human Performance Evaluation System. (INPO's HPES)
Analysis of human error data requires human error classification. As the human factors/reliability subject has developed so too has the topic of human error classification. The classifications vary considerably dependin n whethes beeo g ha nt i rdevelope d froa m theoretical psychological approach to understanding human behavior or error r whethes bee,o ha n t n empiricai basera n o d l practical approach. This latter approac oftes i h n adopte y nucleab d r power plants that need to make practical improvement soos sa possibles na . This document will review aspects of human error classification and data collectio orden i n o shot r w where potential improvements coule b d made. It will attempt to show why there are problems with human error classificatio d datnan a collection scheme d thasan t these problems will noe eas b to resolve t y .
1.2 General Objectives of Human Error Classification and Data Collection
a varietTher e ar ef genera o y l objective r humafo s n error classification and data collection. The three obvious overall objectives are: o providt e. I qualitative improvement plano t s t safety, i.e. identificatio f humao n n error problem d introductiosan f measureo n s o reduct r preveno e t those human errors thae relatear t o safetyt d ;
II. to provide qualitative improvements to plant performance/availability, i.e. identification of human error problems and introduction of iseasures to reduce or prevent those errors that affect plant performance/availability;
III. to provide numerical data for use in PSAs or other safety studies.
These are discussed in greater detail in Section 1.3 of this report
1.2,1 Human Error Classification
Ther e manar ey different human error classifications, whice ar h being generate assisto t d , analysi f humaso n erro d behavioran r . Hence e classificationth dependene ar sobjectivee th analyste n o tth f so .
A psychologist may be interested in understanding the psychological causes of a human error to compare with a theoretical model. A nuclear power plant engineer will want to classify human errors in a way that enables practical error reduction e takestepb o nt s quickly n botI .h case humae th s n error classification allows human errore b dat o t a handle d "rooan d t causes e classifiedb o t " . However, ther likels i e o t y e considerablb e varianc whan o e t each classe a "roo s sa t cause"e Th . plant enginee wely ma rl define root causes alon practicaa g l basis, e.g.
10 deficient procedures, lac f trainingo k A psychologis. e y prefeus ma t o t r "root causes" relate a theoretica o t d l psychological mode f humao l n behaviour, e.g. Rasmussen's skill-rule-knowledge triangle e GeneriTh . c Error Modelling System (GEMS n exampla s )i f suco e a hhuma n error classification. An example of a more practically based system used in India is presented in one of the papers given in the Annex.
In all cases the human error classification is used to assist the analyst to achieve his or her own objectives. As there can be many different objectives for analysing human behaviour there are many different means of human error classification.
1.2.2 Data Collection
At first sight data collection may not appear to be a problem area; e nee w s informatio i l d al n humao n n behaviou d errorsan r . Unfortunately/ this is far more difficult when considered more carefully. The purpose f dato a collectio provido t s i l necessarn al e y informatioe th r fo n analysis being undertaken, However, as discussed above (and in more detai n sectioi l 3 below1. n ) wida ther e e ar evariet f objectiveo y s which require different type f informatioso e analysisth r fo nr example .Fo , improvement a specifi o t s c plant operation only requires information about errors on that plant; while data for a "generic" PSA data base must provide information on the number of errors/failures, the number of attempts d presenan , t detailplane th tn o swher e incidentth e s occurred o thae s applicabilitth t date otheo th t a f o yr e determinedplantb n ca s .
Ther e manar ey other problems associated with human error data collection e know f wI .wha t informatio requires n thai n ca tw datho d e b a obtained from operating plants? considerable b Ther n eca e problemn i s encouraging operating staff to provide information; are the requirements of the data collection scheme excessive when considered against other duties the staff must perform; are the staff and management made aware of e importancth d potentiaan e f collectino l stafe g th data fn providca ; e the information being requested?
11 Current data collection schemes often contai basio tw n c typef so information:
(i) factual information: e.g. time of day, plant configurations, pressure/temperature readings.
(ii) subjective information - the reporter or assessor's interpretation of the errors or events. It is important to be aware of the biases that this part of the data can have on the final assessment, especiallw dedicatene e th ds a yhuma n error data collection schemes attemp o obtait t n mor f thio e s typ f datao e e type.Th f biaseso s , that are likely to be seen in incident or event reports are for example: plant staff may be reluctant to accept responsibility for errors or to attribute errors to co-workers, they may forget important facts about the event over time, they may be unaware of the causal influences on their behaviour, and they may cover up facts for fear of reprisals.
1.2.3 Interactio f Humano n Error Classificatio d Datan na Collection
From the discussions above (Sections 1.2, 1.2.1, 1.2.2) it becomes apparent that Human Error Classification and Data Collection are very closely linked togethe d theian r r requirements overale depenth n o dl objectives of the analyst. This probably goes a long way in explaining y ther wh e manar e y discussions arid disagreements abou e requirementth t s of human error classification and data collection schemes - there are a wide rang f possiblo e e objectives.
It also follows tha a "globalt " data collection scheme wile b l extremely difficult t impossibleno f i , createo t , n ordeI .provido t r e necessare alth l y informatio wida r e fo nvariet f objectiveo y sa larg e amoun f informatioo t n about each human error would e providedb nee o t d . Eve f thii n s coul e don b dwoult i e d requir a vere y powerfud an l sophisticated computer system to allow effective use of the collected data. Further, because of possible reporting biases, the data may be inaccurate or misleading.
1. 3 Specific Objectives of Human Error Classification and Data Collection
Section 1.2 indicated that there are a wide variety of overall objectives for human error classification and data collection and that three main broad areas wermaie th en interes nucleae th f o tr power
12 industry. These objective consideree sar morn i d e detail below showing some problem d datsan a requirement eachr fo s . a) Qualitative Approach to Improve Plant Performance Availability. e objectivTh f thio e s approac colleco t s i h t informatio n humao n n error r pooso r human performance which affec plantse th t ' performance/availability and devise means to reduce or prevent errors and improve performance.
l aspectAl on-sitf so e personne consideree b y lma managemend an d t and organizational issues coul addressede b d e datTh .a collection scheme needs to define which events/errors must be reported and due e largeth o rt numbe f incidento r s included must ensure thal al t information needed for classification and analysis is documented in the initial reports.
e maiTh n problem e likele defininb sar o t y g which event o report s t d handlinan e largth g e numbe f incidento r s that woulde b nee o t d included in safety studies. b) Qualitative Approach to Improve Plant Safety This appears to be the category in which most current data collection schemes fall. The objective of this approach is to identify errors and events which could degrade plant safety or provide a potential for risk and then devise means to reduce or prevent these errors.
The types of topics to be considered are defining the safety significant events to be recorded (errors leading to technical specification violations, defined initiating events, "near-misses" etc. could all be included); having a screening system to identify events needing more detailed study; encouraging staff to report events.
e datTh a required will classificatioe depenth n o d n scheme being used and whether improvements are only sought for the plant involved or whether "generic" improvements are intended. For the latter, plant specific data mus e collecteb t applicabilite th o s d y e improvementh f e o judgeb n ca dt L..-Ï. other plants.
13 c) Quantitative Information for PSA Use This is probably the area where there is most dissatisfaction with human error data collection. PSA specialists are familiar with plant data collection schemes providing component reliability data for use in the PSA models and are dissatisfied when human error data collection doe t providsno e them with similar information.
Data collectio e spli b A use n PS t ca sr into generafo ntw o l categories. e useb do t witi .a humah n reliability metho o generatt d e data thought te applicablob plane th tr beinfo e g assessed e.g o replac.t e h.e.p.s. from NUREG/CE-1278 directly with plant specific data; specific calibratio ne witpointus h r SLIM-MAUfo s r PaireDo d Comparisons.
ii. to replace theoretical models and reliability methods with appropriate empirically derived data.
There are a great many problems with data collection to generate information for use in PSAs. The following are some of them:
- "success" or number of attempts information is needed as well as error recordin a fundamentathi; g s i s l difference froe th m qualitative approaches. - many of the significant errors modelled in PSAs are for rare or "infrequent" events (eg. larg o rean e e lo LOCAb s datd n )an ca a collected, only simulator studies; perhaps with problems of simulator modelling limitations e.g. performing enough studies to give numerical information; correlation of human performance on a simulator to real-life etc. - therwida s i e rang f humaeo n reliability methods; each requires different type f dataso . - plant specific data are desired; information is needed to modify any "generic" data for the plant being assessed.
1.4 Current Situation
e initiaTh l respons r humafo e n error data collectio modifo t s ynwa or expand existing component reliability data scheme consideo st r human erron causa incidena s f a reo r failureo t . Unfortunately, thers ewa
14 ofte a nlac f uniformito k humae th nf o yfactor s data reportea d an d reluctance of plant personnel to report or attribute incidents and failures as being due to human error.
Recently dedicated human error data collection schemes have been created in an attempt to obtain better human error information e.g. Human Performance Evaluation System (HPES). These schemes appea havo t r e made improvements and certainly have enabled qualitative assessments to be undertaken more easily. They have still not provided benefits for those seeking quantitative data for PSA users.
The previous sections have perhaps given an indication of the problems stemming from the fact that different objectives have different human error classificatio d datan n a requirements. Thi s couplei s d with the practical problems of obtaining the data even if we know what we want l datAl .a collection schemes requir co-operatioe th e f operatinno g staff and all the requirements must be practically achievable.
5 . Genera1 l Remarks/Possible Ways Forward
These comments are put forward for consideration and may help understanding and advancement of the topic.
- human error classification and data collection are closely linked; they both depend on the overall objectives of the analyst using them, - there is a wide range of overall objectives possible even within the nuclear power industry, classificatio d datan n a collection must provide real benefito t s warrant the expenditure on them, - they must be practical i.e. within the ability and co-operation limits of the plant personnel, - excessive requirements may devalue data collection schemes if they force plant personnel to provide poor quality information or limited reporting, t cleano s rii t tha a t"global " human error data collection scheme can be created due to the wide range of objectives and differing data requirements.
15 data collectio provido t n e qualitative improvement plana n so t specific basis seems very possible and useful. Many schemes are well developed, data collection for numerical assessments in PSAs has many problems s likeli o overcom t t o remaii t y d ean a n"fruitless e "th arer fo a foreseeable future.
16 . 2 QUALITATIVE DATA COLLECTIO CLASSIFICATIOD NAN N
2.1 Introduction
It has been recognized that the improvement of safety management, loss preventio d plant-specifinan c error reductio made b y b en nca the systematic use of human error data. To facilitate this, it is e objectivth IAEe promoto th t A f eo collectioe th e d nan classification of qualitative human error data. The purpose of this chapte provido t s i r e advic d recommendationean n so appropriate method r qualitativsfo e human error data collectiod an n classification.
2 2. Data Requirements
2.2.y QualitativWh 1 e Human Error Data Shoul Collectee b d d
The first stage is to give more detailed consideration as to why qualitative human error data should be collected.
words/concepty ke A lis f o t s compileswa d from suggestione th f o s technical committee members. These included: Improved safety Improved availability Error reduction Improvement: in s operator performance man-machine interface (ergonomics) procedures communication safety management (control, awareness) training Dissemination of experience: in plants or organizations to external organizations Exchang f information/experienco e e between plants/organizations Improvements in training Selection of personnel Motivation Promotio a safet f o n y cultur d co-operatioan e f workerno s Improved understanding of error mechanisms (root causes) Improved modelling Validation of methods/scrutability
Way f structurinso g these concepts were then considered.
17 It was noted that there could be a 'top-down1 or a 'bottom-up* approach. Startin e top e cruciath , th t a g l reaso r collectinfo n g dats i a to improve "safety management" as a whole and from there to reduce error l levelsaal t .
The bottom-up approach would first consider the error mechanisms in specific events and from there to pass this understanding up through the management chain.
e interconnectioOwinth o t g d interdependencan n e th f mano e f o y above concepts, it was considered difficult to make progress in prioritizatio f thino s sort.
Instead, the identification of potential end-users of the data provide mora d e amenable basi r orderinfo s g these concepts. Three categorie f end-userso s were identified:
1) Plants ) 2 Researchers 3) Community/Authorities
s recognizeIwa t d thareasone th t r collectinfo s d classifyinan g g datr eacfo ah end-user woul differene b d t since each end-uses ha r different objective d differenan s t data requirements.
Each potential end-use s thewa rn considered.
2.2.1.1 Plants
Reasons for Collecting Qualitative Data
Plants are interested in the discovery, collection, classification and understanding of events for the purposes of developing PLANT-SPECIFIC ERROR REDUCTION STRATEGIES. In particular, they wish to improve work organizatio d operatoan n r performanc n immediata t a e d practicaan e l level.
Plants are also interested in the dissemination of information both internall d externallan y y wit viea h o exchangt w e information.
18 The dissemination of information is particularly important to plant n relatioi s o growint n g awarenes e importancth f so f safeto e y and, in particular, an awareness of the importance of the individual's behaviour. Thus raisin f awareneso g s should hel o generatt p a esafet y culture wherein plant personne t afraino o repore t dlar tr o thei n ow r others' error d whereisan n management adop mora t e error-tolerant policy.
It was noted too that there is a need for evidence from data to validate method develoo t s welsa s d improva l an p e safety management systems and quality assurance.
Potential Sources of Data
e maiTh n source f datso f valuo a planto t e s are:
a) Internal event reports ) b External event reports ) c Near-miss reports/precursors ) d Violations ) e Maintenance reports ) f Plan bookg lo t s g) Simulators
Most of this information with the exception of item (b) is essentially plant-specific information. Additionally, simulatore ar s currently the best available source of surrogate data in highly redundant technologies where accidents are rare events, such as nuclear facilities. Simulator e use b o solidif t dn sca y trainin o creatt d n a ean g industry wide database helpful to every plant operator.
2.2.1.2 Researchers
Reasons for Collecting Qualitative Data
Researchers require qualitative data in order to examine and understand the root causes and mechanisms of human error for the purposes of modelling.
As a result of improved modelling and human performance evaluation, detailed error reduction strategies can be developed which may be of specific or general interest.
19 Potential Sources of Data
e maiTh n source f datso f valuo a researchero t e s are: (1) Generic data for modelling ) Simulation(2 s
and, when conducting specific human performance evaluation studies, for example, some plant-specific data such as those listed above might be required.
The ease with which plant-specific data can be used by researchers depends heavily on the relationship between the researcher and the plant from which the data arise. Plant-specific (human) failure information mus e supporteb t y planb d t desig d proceduraan n l informationf o e Us . this failure data remotely, without access to supporting information, could be very misleading and, in many instances, meaningless. It was noted thae desirth t o centralizt e r gatheo e r plant-specific information y otheb e for us rcountrie r organizationso s could present some difficulties in this respect.(e.g. it is difficult to use USA LERs in a meaningfu r certaifo y nwa l studies because critical, supporting technical informatio t readilno s i n y accessibl n sufficieni e t detai y outsidb l e organizations).
The use of plant-specific data by researchers operating in direct contact and co-operation with plants does not present the above problem (of course, there are still the usual difficulties in eliciting information from personnel).
2.2.1.3 Community/Authorities
Reasons for Collecting Data
The principal reason for the collection of data by regulatory authorities or governmental organizations (local, national and international) is for monitoring major safety issues with respect to operation accordancn i s e with rules, directives, licensed san legislation etc.
20 Potential Source Datf so a
e primarTh y sourc f dateo f immediato a e valu o thest e e organization R typLE es i sdat a (e.g. NUREG/USNRC)
2.2.2 Data Limitations
Each source of data has its limitations.
) a LERs have r huma,fo n error studies, been vere founb yo t dvagu d ean incomplete, LERs are not produced specifically for human error issues. ) b Therneea defino s t di e e what near-miss reporting constituted san it is essential that plant personnel are made aware of their responsibilitie n thii s s respect. c) Existing procedures like HPES are not detailed enough and consideration must be given to potential developments and the subsequent data requirements. ) d Simulator results have inherent bias owin o suct g h things sa difference attituden i s d stresan s s levels between read an l simulated conditions.
For the purposes of the discussion in the following section, only events identified through incident reporting are considered. This is essentially because the committee took into consideration the enormousdemands mad n operatorso e addition i , o theit n r normal duties, when they must repor n incidentss considereto wa t i d ,an d unreasonablo t e achieve more comprehensive recommendations within the time available to e committeeth s alswa ot I note. d tha woult i t d probabl e necessarb y r fo y the IAEA to utilize the existing national collection systems in creating a centralized information system.
o leveltw Ther detaif e so ar e evenn i l t description; give na serie s f sub-eventso , direct causee identifieb e sub-eventn th sca r fo d d san their root causes can be identified by means of detailed analysis.
e cruciaTh l questio whethes i n r sufficient informatio r roofo nt cause definitio obtainee b n nca d froe informatioth m n provide plany b d t personne future)e th l n (noi .r wo
21 s noteIwa t d that data coul e divideb d d into: VERIFIABLE FACTUAL INFORMATION at the direct cause level, and INFORMATION INTERPRETATION at the root cause level, (See Fig. 1)
Sub Sub Sub Ev-1 Ev-2 Ev-3 "—• — — ~-^J Plant-Specific Direct[ Direct Direct Corrective Actions cause cause cause ^x>" \_ \ Root \\RootVRoo Roo\ \ tt 1 Root Specifi d Generian c c Cause\\Cause)ACause\l Cause 1 Cause Long-Term Solutions
Figure 1. Causal Factors
2.2.3 Factual Information
The collection of factual information is currently carried out in Incident Reporting Schemes, e.g. LERs. In order to meet human reliability requirements, however, a more structured approach may be required.
The following framework may be of some guidance:
Incident specific factual information can be provided by the plant personnel and can be collected in a pre-coded format and/or free text format. e usefuHoweverb y appoino t lma t i , plana t t coordinatoro ,wh would be a member of the utility staff, whose responsibilities could be data collection through the medium of structured questionnaires and benefite interviewsth f o f thi so e sOn . typ f approaceo o reduct s i he the bias induced when detailed analysis occurs some time after the original even s beeha tn reported. This typ f immediato e e investigation system permits clearer insigh causee d judgementh an t d o san t s a t contributory factors.
n overviea s A factuawe th som y issuef o eke l addreso t s r eacfo sh sub-event in a scenario (see Fig. 1) would be in relation to: s involve incidente wa th o n Wh i d ? ) 1 role/responsibilits hi Whas twa y etc? What was his area of work? e.g. maintenance, operations etc?
22 2) What happened? What were initial plant/system conditions before the incident? Wha s require plane twa th tf o dpersonne l (task objective)? Dihave h do follo t e wprocedurea ? Was he following a managerial directive? Was he using equipment e.g. in calibration or monitoring? What was done or not done? What wercriticae th e l deviations fronorme th m ? What operator suppor s availablewa t ? What contro s imposeplane wa lth tn o dpersonne l e.g. supervisory; QA.
3) When did the sub-event happen? Not only is it important to know the date and time but it is also essentia r nigh o noto t ly teda t shifwhethea s wa r o tt i r changeover. ) 4 sub-evene Wherth d edi t happen? e.g. control room or plant etc.
) 5 What wercausae th e l factors contributin humae th no t gerrors ? e.g. fatigue, missing or inaccurate information in the procedures, high ambient noise levels that inhibited communication, perceived management pressure to complete the task quickly, interpersonal conflicts, dru r alcohoo g l abuse, etc.
2.2.4 Information Based on Subsequent Analysis and Judgement
e How d WhyTh ?an ? questions regardin n incidena g t greatea rel o t y r r lesseo r exten n analysio t d judgementan s .
shoult i l e considereFirsb dal f o t w thiho ds informatio n besca n t e collectedb classifiede b y ma t ,i the.w ho nThi s then n leada o t s indication of how this data can be used at: a) the plant specific level generie th c) b leve d l an
2.2.5 Collection
Further responsibilities of the plant coordinator, mentioned above would be to elicit more judgemental information by direct questioning of plant personnel, e.g. How did you...... ? you...... d di y anWh d ? and also by establishing relevant performance influencing factors. e.g. Task complexity Leve f traininlo g
23 Experienc operatoe th f eo r Frequency of task performance Conflicting demands Additional demands Communication requirements Stress levels Decision-making
It is essential for the plant coordinator tc find answers to these questions since plant personnel either would not be able to answer them in full or could not give unbiased, impartial responses.
2.2.6 Class] f ica_tip_n
Based on this coarse grain questioning, it may be possible to establis generaha l categor f cognitivo y e behaviour associated wite th h incident o mean.n onl e y Thith b s y s i sclassificatio e b y ma t i t nbu e identificatiousefuth r fo l f rooo n t causes possibl furthen i y r expert analysis alss i ot I suggeste. d that other method f classificatioso n shoul e considereb d d before implementation.
It was also noted that an attempt must be made to avoid the temptation to always place blame on operator deficiencies. It is in fact f rooo m t ai caus e th e analysi deteco t s t deficienciee partl th al f n so i s system which INDUCE human error.
To home in on specific root causes, it may be useful to adopt an iterative approach such that having establishe generaa d l behavioural category plane ,th t coordinator would then pursue more detailed discussions with the operator to determine how and why the error occurred.
It may become apparent chat the plant coordinator requires expert assistance to arrive finally at the ultimate root causes.
2.2.7 Feedback of Data
Plant-specific data provides valuable information as regards the developmen f erroo t r reduction strategies aime t preventina d g recurrence of the incident in question.
24 s suggesteIi t d tha n additionaa t plane l th rol tf o eco-ordinato r o ensurwoult e b de feedbac f thio k s informatio l levelal o f t nso management and operators c.f. Section on Safety Awareness Training (2.3.2.)-
n additionI , upon expert analysi d synthesis an datae th ,f o s generic principle f erroso r reductio establishede b y ma n . e b Thes y ema useful in providing design and safety recommendations for new utilities and/or retrofits. It might also provide general human factors informatio e benefith r f higo tfo n h risk industries.
2.3 Promotion of Plant Specific Human Error Reporting
Plant specific human error information has been generally recognize problema s a d . Although report n safetso y significant events such as LERs are made, no data on situations where operators have succeede recoverinn i d g their errors exis documenten i t d formo T . enhance human error reportin followine th g g area se considered b hav o t e : management culture, safety awareness training of plant staff and repeated emphasi followingn e safetyso th n I . , these subarea e discussesar d with practical questions of how to organize the reporting.
2.3.1 Management Culture
Basically existence th , a safet f s o ea yr orientedfa s a d an , possible, non-punitive management cultur necessara s i e y preconditiof o n human error reporting. This reporting is generally strongly coupled with the reporting on observed safety hazards (accident precursors), near-miss situations and violations of procedures. Although there may be little to advantagee th e managerse e th f t safeto s f no i d availabilito an ysd o d y related human error information, practical example w reportinho f so g could protect plants from e.g. repeated scrams shoul e givenb d t I . shoul e emphasizeb d d tha a non-punitivt o et onl e systey th wa y s i m generate information on non-observable human error, i.e. error with no major consequences.
Another task related to the management culture is to help the managers to see their role as a part of a plant system. This means that besides plant personne d technicaan l l failures management might also have
25 n impaca n disturbanceo t d accidentsan s . Althoug organizationae th h l contribution might be delayed and vague from a certain event point of n stilviewca t li , affect plant safet a commo s a y n root caus n severai e l event sequences. This shoul e takeb d n into accounmanagemene th y b t d an t event investigator, when planning modifications related to e.g. organization, procedure d plansan t system documentation.
2.3.2 Safety Awareness Training of Plant Staff
e personneTh l (shift crews, maintenance personnel e expectear o )wh d to repor n humao t n error SERsn i s , LERs, near misse d accidensan t precursor reports shoul e giveb d n informatio nature th f human o eo n n error e traininTh . g should emphasiz e importancth e f includino e g human error in the safety awareness culture. The general safety attitude should also includ concepe th e t thae shoulon t d view one' n actionsow s sa havin a potentiag r errorfo l .
The training programme should include general training on human factors issues, and also specific training on errors and why they occur. Trainin A techniquePS n o g s could als e includeob exemplifo t d w safetho y y hazards could be identified and reported.
A safety awareness culture that puts an emphasis on analyzing human errors must be well accepted among the plant personnel. A task force could therefor e formeb e d amon operatore th g d maintenancsan e personnel o promott d encouragan e reportinge th e .
It is also important to stress that this implementation of a safety awareness culture takes time. When trying to change attitudes, and especially towards one' n behavioursow e mus givee ,on b t n time.
2.3.3 Repeated Management Action Promoto t s e Reporting
The management must put a continuous and repeated emphasis on the fact that reporting and analyzing human errors is important in keeping d improvinan overale th g l safety level. This coul e donb d e through encouragin e reportinth g f generao g l difficultie handlinn i s e th g equipment. During retraining, repetitio f importano n t human error related events should be included. The management should give
26 non-punitive feedback on the reporting and they must show the personnel tha t punishetno the e r reportingar yfo d .
Promoting reporting, collecting and analyzing human errors are activitie r whicfo s h resources mus e dedicateb t e plantth r t a ,fo d example by having a full-time coordinator.
2.3.3.1 Organization of Reporting System
Simplicity versus data preservation
e reportinTh g shoul e simplifieb d proforme th d an da shoule b d simpl o uset e . However s importani t i , t that whenever possible first hand information should be preserved. Potentially, this might be in the for f freo m e a codetex f i td forma to restrictive woulto e b d s A . experience grow collectinn i s g human performance data might i , e cleab t r that certain root causes and/or types of errors appear frequently so that, over time e developeb a ,forn ca m d tha usefus i t o collect l t data on the large majority of events, and free text descriptions would only be necessary for rare or highly safety significant events.
Anonymit f reporto y s
The management should develop a non-punitive attitude in the case f humao n error s indicatea s d above. However s suggestei t i , d that there is no need to include the name of the person who was involved in the inciden e reportth n i t. Probably operatine th heae f th ,o d r o g maintenanc plane th uni tr o tcoordinato r would keee informatioth p n referre aboveo t d .
A difficulty wite in-planth h t coordinatoe rsh rolr o s tha i ee h t would hav e plan o havt e trusth th etf o tstaf f that their anonymity woul e preserveb d y thib de b se coul sh persot no dr o d tha nan e h t pressure managemeny b d y regulatorb r o t o reveat s l identities. Because it was impossible to establish such trust, the Aviation Safety Reporting System (ASRS) asks personne seno t l d their reports directl ASRe th S o t y and ASRS personnel then telephone the reporters to obtain any additional information, The ASRS has found this high degree of assurance of anonymity to be essential to motivating members of the aviation community
27 to report. However, sending the reports off-site for analysis would prevent plant managers from gainin e informatioth g o improvt n e plant safet r performanco y casen i e f near-missesso , precursors, etc woult .I d als e difficulob preservo t t e reporter'th e s anonymit planf i y t managers have informatioth e accesl al o t sn about evente th h . t Eve no f the i no d y know the reporter's name, they could easily obtain it from log books, timecards, work orders, etc.
Follo actiop wu n
The nuclear power plant authorities should normally review all the human error generan i s d folloan l p actionu w s benefittin e entirth g e station staff are to be taken by plant management. Some of the suggested follo actionp u w givee sar n below: o organizT ) (a e retraining programme tako t s e car f systeeo m modifications, improvements and design changes.
(b) To organize group discussions among the operating staff on incidents where human errors were involved. (c) To organize training on general human behavioural aspects.
(d) To improve the working environments in the plant.
(e) To review/revise the operating and maintenance procedures,
(g) To review the plant operating policies.
2.3.3.2 Benefit FroReportine th m g System
The plant management should periodically review the human errors and make positive recommendations to avoid the errors in the future. Positive persone e givefeedbacth b o o o completet t n swh s i k e th d incident reports.
Incidents with non-safety related consequences are recommended for internal investigation only. These reports although not breaching safety specifications, may provide valuable information regarding human performance deficiencies which may impact on safety in the future.
28 2.4 Recommendat ions
General Recommendations
e firsTh t aim coordinatinn i s g data collectio d classificationan n : to mus e b t
) a generate increased awarenes importance th f so f humao e n error data
b) generate sufficient interest to promote change and improvement in existing national data reporting systems
) c inform developin fundamentae g th nation o t s sa l data requirements for the support of human reliability
d) encourage the free, unhindered flow of information on human error data between all countries.
Specific Recommendations
) e Before substantial step e take ar scentraliso t n e data collection d classificationan , thoughe tth o wilshoule wh us l o e givet b d s a n r whafo datt d reasonsan a . From these consideration wilt i se b l possibl o structurt w decido t eho n databasea eo e . Some ideas have been expresse n thii d s document whic he explore b nee o t d d with vigor.
f) A structured approach to data collection is advocated. e distinctioTh ) g n between technical factual informatiod an n judgemental data should be borne in mind.
h) It is suggested that utilities are encouraged to designate a full-time utilite membeth f o ry staf o takt f e responsibilitr fo y human error data collection and classification and provide appropriate feedback.
t shoulI e emphasizeb d ) i t appropriatno ds i tha t i t o promott e e data collection and classification without promoting non-punitive
29 feedbac f informatioo k orden i n o develot r n appropriata p e safety culture and error reduction measures.
) j Safety awareness training programme y humawh n o s errors occud an r e identifieb w then ho ca y d reportean d d shoul e establishedb d .
30 . 3 QUANTITATIVE DATA COLLECTIO CLASSIFICATIOD NAN N
3.1 Introduction
Human reliability dat mose ath t collectio f problematio e on s i n c issues in performing PSAs. A good PSA study requires reliable data to define the possible event sequences and the human error probabilities. On the other hand the collected data should be used for a more generic problem: reductio f humano n error. Thes areao tw e s serve improving human reliability for maintaining nuclear safety.
Human error data for PSA purposes can be divided into two groups:
) (1 Qualitative human error dat defino t a e error mode d performancsan e shaping factors (PSFs). This typ f dato e describe s i a e firsth tn i dpar f thio t s document, so here we concentrate on the second group:
) (2 Quantitative dat defino t a e human error probabilities. There ar e several methods to obtain the human error probability values, but f theso l eal method e similaar s beinn i r g base n operationao d l experienc d humaan e n action investigation d requiran , e systematical data collection d evaluation,an n thiI .s par e brieflw t y describe the method d datan s a source usee s b defino that dn ca t e human error probabilities.
The use of human error relative frequencies would be ideal, but at the momens impracticai t i t lt hav no becaus eo d enoug e ew h available data to calculate these values. Another solution the analysts can use is to apply several methods and error models.
3.2 Data and Techniques
To obtain the human error probabilities for a PSA, several techniques are available. The selection of the technique(s) in a HRA for quantifying human error depends upoavailable th n e data. This point is important for the Human Reliability analyst to consider in the first stage of his or her work because some techniques need more detailed information than others. In this chapter, the areas of
31 information needed for using the techniques applied in the PSA are enumerate generaa n i d l manner e objectivTh . f thieo s chapteo t s i r illustrate this aspect.*
3.2.1 Techniqu Humar fo e n Error Rate Prediction (THERP)
This technique is one of the most widely used in a HRA for PSA. It can be used for pre-accident and post-accident tasks. By performing a task analysis of the human activities, the more likely errors can be detected and their probabilities estimated. This technique includes a data bas estimato t e e HEPs e influenc.Th wida f eo e varietf o y performance shaping factors is taken into account. The level of detail of data needed is extensive. The general areas of information required for this technique are:
- type of task - recovery factors - dependency - stress - type of equipment - staffing and experience - management and administrative control - diagnosis time orawritted lan n procedures - other parameters related to man-machine interface: displays/ etc.
3.2.2 Accident Sequence Evaluation Programme (ÄSEP)
This metho a revise s i dd shorte an d r versio f THERo n P that allows HRA to be performed more quickly and with less cost. The analyst can find in this technique a new diagnosis model that could be used in place
* The results of any reliability analysis (including human performance) should be used only for comparing different designs for the system that is being analyzed. Since human performance depend numbea n so f o r factors than changca thumae th e n error probability considerablye th , analysis done should be used qualitatively and not quantitatively.
32 of the diagnosis model found in the Handbook. To obtain HEPs using ASEP the data neede e relatee followingar dth o t d :
r post-accidenFo t tasks: - allowable time for correct diagnosis and for completion of action o restort s plane safa th eo et condition (Tm) - tim perforo t e m correctly post-diagnosis action (Ta) Td= Tm-Ta
For pre-accident tasks; - written procedures - recovery factors - dependency - type of system failure mode
recovere e studth Th f o y y factor d dependencsan y requires less data using ASEP than the data needed for evaluating these aspects in THERP.
3.2.3 Human Cognitive Reliability Correlation (HCR)
This model is an analytical method to evaluate HEPs taking into account mainly the dominant cognitive processing and the time available. The data needed to apply this technique are the following:
- time window - median time - experience level - stress level - - man-machine interface (existenc f computerizeeo d operator aids, symptom based procedures, etc.) - cognitive leve behaviouf o l r
It is suggested that the median time is obtained from using simulators.
3.2.4 Maintenance Personnel Performance Simulation (MAPPS)
This metho a simulatio s i d n model that provides reliability estimations for maintenance activities. The analyst has to perform a task analysis. Input data, base n ratingo d s (e.g. various performance
33 shaping factors) or measurements (performance times) are entered along with selected parameter values (PSFs).
The input parameters are not considered independently, but interactively determino t , e their collective effect n subtasso k performance. The following PSFs are quantified:
intellectual capacity and perceptual motor abilities fatigue effects - heat effects ability requirements for the task and subtask - accessibility for performing the task (e.g. removing a component) - clothing impediment - quality of maintenance procedures effect of stress - efficienc f individuao y l workers - organizational climate
3.2.5 Operational Action Tree (OAT)
This techniqu n analyticaa s i e l metho analyzo t d e time dependent post-accident activities e datTh .a neede applyinr fo d g this technique e followingth e ar :
- time available to take the appropriate mitigation actions - factors that influence human behavior.
Ther othee ar e r techniques base n expero d t judgement. (Paired Comparison, Direct Numerical Estimation, etc.). For these kinds of techniques, from the point of view of our subject, the needs are first the numbe f availablo r e expert d alssan o specifi d completcan e information about the plant.
r applyinFo HEPe th gs obtaine experty b d so t judgement A PS a n i s another PSA it is necessary to have documentation about how these HEPs were generated and what were the assumptions adopted.
34 3.2.6 Success Likelihood Index Methodology (SLIM)
This technique is based on expert judgement. It is based on the assumption thahumae th t n failur perforo t e a tasm k depends upoe th n combined effect f PSFsso .
The information to be used is the event description and judgment of the performance shaping factors which influenced the operator behaviour.
3.2.7 Socio-Technical Approach (STAHR)
This techniqu bases i e n expero d t judgement usin n influenca g e diagram as a tool. The quality of information available to the operator, the contribution of organizational aspects, and the psychological and personal factors involved in the event are evaluated.
Needs: - group of experts e informatioth l al n neede- estimato t d aspecte th e s mentioned above.
3.3 Possible Data Sources
Usually in the literature one can find the following list of possible sources e use, b derivinn thai dn ca t g human error probabilities:
- Nuclear power plant experience - Control-room r full-scal,o e simulator experience - Process industries b situationJo othen i s r industries tha e similaP taskar tNP o st r Experiments r laborator,o y data - Expert opinion Literature data (ex. NUREG/CR 1278)
Among these sources the following ones have to be objects for specific data collection:
- Nuclear power plant experience, event reports; - Full-scale simulator exercises; - Expert Opinion
o concentratioS needes i n n theso d e three sources.
35 e mosTh t valuable sourc f informatioeo n humano n behavioe th s i r operational experienc nucleaa f o e r power plant e probleTh . f o m collecting e usedifferenr b dat fo o dt a t e purposeablb o defint o et s i se the purposes beforehand. If a new need (or a new model) is going to be used afte e dats beeth rha a n collected ,vers i the yt i nlikel y thae th t data will not be useful for the new problem.
The following information sources are mainly used:
3.3.1 Nuclear Power Plant Experience
LERs (Licensee Event Reports) of the NRC.
- INPO (Institute of Nuclear Power Operations) records events that voluntara s completa n o t P no s NP ys a e occu i a basis t n i i r o ,s LER.
S (Inciden1R t Reporting System f IAE)NBAd o . an A
AORS (Abnormal Occurrences Reporting System).
3.3.2 Use of Simulators
Simulators have enormous potential for use in qualitative and quantitative data collection. Simulator e followinusefue th sar n i l g areas:
detailed analysi f accidenso t scenarios
developmen f dato t a base f simulatoso througe us e rth h testd an s simulator training
- validatio f techniqueno A s HR use n i d
- developmen d validatioan t f cognitivno e models with applicability in PSA
obtaining concrete measures for applying HRA techniques (e.g. 1/2 time in HCR)
36 The problem associated with the use of simulators is the necessary calibratio date th a f obtaineo n simulatorn i d r takinfo s g into account the influence of parameters such as stress, management influence, etc.,that effect behaviour under actual in-plant conditions.
3.3.3 Expert Opinion
The data sources described above contain documented records of performance. Expert opinion as a human error probability data source shoul e considereb d mann i d y cases, becauspaucite th f eo f relevanyo t data onle d judgementh y,an e sourceb y ma t . This require propee th s r understanding of the problem, and has to be supported by experience, plant-specific information and by an acceptable number of experts.
3 .4 Conclusion Recommendationd san s
This chapter tried to identify data needed to perform HRA within the PSA and also to identify the current data sources available. The objectiv givo t comparisoa es ewa n between need d availablsan e data, e field th givo n t s weli ,a e presens t a l ar e a stattth f eo recommendations and suggestions for future improvements.
3.4.1 Actual situation
The following points can be emphasized related to the techniques:
- the level of data detail needed is very dissimilar when^using different techniques. Consequently s importani t i , t that analysts performing PSAs consider what r wil o dat available s b li a o thet e m when selectin techniquea g .
Another important aspect is the application of the generic data in specifi necessarcs i PSA t I . asseso t y s carefull similarite th y y betwee date th na e situatioapplieth d an d n studied. analyste th f e I simulatosus - r data they will hav evaluato t e e them by taking into account the influence of parameters such as stress, management influence, etc. Simulators should be used to obtain median response time if the technique selected is HCR.
37 Use of expert judgement is recommended only for the following cases:
extrapolation of the generic data to the specific case paucit f relevano y t data - modificatio f humano n error specific probabilitie o similat s r tasks.
With reference to the use of nuclear experience as a source of e saib dn datas ca thaver wa t ti ,yt i untidifficul w no l o utilizt t e this information for VSA purposes. The number of opportunities versus the number of mistakes cannot be found in these reports and the root causes of t alwayerrorno e ssar given e samTh .e situation occurs wite th h PSFs: not all of them are reported or at least not with the level of detail required.
3.4.2 Suggested Future Improvements
f extremo s Ii t e importanc o improvt e e existing data banko t s include human errors, with the objective of obtaining useful information for PSA.
e firsth tn I approximation consideres i t i , d advisabl o collect e t the human behaviour data for PSA applications in the same data bank in which the human factor data are collected for other purposes. Most o€ the data used in evaluative and quantitative phases of the HRA are the same as those needed, for example, for improving operational feedback.
e typ Th f informatioeo n humano n errors tha te recorde b nee o t d n i d e eventh t reports are, without exhaustivity e followingth , :
type of task - frequenc f thio y s task - people involved - failure mode mado erroe wh th e r (contro - l room operator, maintenance, etc.) - where - special tools required - environmental conditions - experience in the job wheerrore th n s occurred how long had the person who made the mistake been at work
38 - kind of procedures used (oral instructions, existence of checkoff/ etc. ) - tagging w manho y time s thi- ha s s typ mistakf o e e bee lase n th madt n yeai e r opportunities to make this error before (last year) - systems, components involved - descriptio probleme th f no b s jo involve e th n i d errore th y s wh occurre a shor( d t classificatio e rooth t f causeo n )
To facilitate the reporting of all this information a computer format with friendl yusee desigsuggesteds th i r r fo n .
39 4. PROPOSAL FOR A CO-ORDINATED RESEARCH PROGRAMME
1 4. Co-ordinated Research Programme
e TechnicaTh l Committe s revieweha e currene th d t situation with respect to data collection from power stations and other sources, and their possible correlation and use for both operational and probabilistic o recommendationpurposestw s ha t I . s which, taken together, provide th e basis for a development programme.
Recommendation 1; A Co-ordinated Research Programme
e CommitteTh e recommend Co-ordinatea settine f sth o p u g d Research Programme (CRP) with the same general scope as the Technical Committee, o contributt widee th ro t eappreciatio e importancth f no d applicatioan e n f humao n performance data collectio d analysi nan desige th d o t an ns operatio f nucleano r power plants. This will also broaden participation and, since operational feedback is often important for availability as wel s safetya l , countries which rely primaril n non-nucleao y r sourcef so energy may also be involved in this part of the programme.
e maiTh n areaP shoulCR f interese e sthoso b d th er fo trecommende d in Section 4.3.
Recommendation 2: A Programme o£ Specialist Meetings
The CRP has been formulated to ensure the broadest possible participation. However P alonCR e e sufficienb ,th wil t no l mako t a e significant improvemen P safetyNP e Committen i tTh . e considers that individual countrie n bes sca e helpe b t o improvt d e their data collection and analysis techniques by allowing their experts to exchange information d experiencan t separatea e committee meetings covering individual topics e proceedingTh . s shoul writtee b dforo t comprehensiva mp u n e compilatio f experiencno e ovewhole th r eTechnicae scopth f eo l Committee.
2 4. Overall ObjectiveP CR e th f so o stimulatT i. e exchangth e f operatineo g experienc n investigatini e g and analyzing the root causes of human performance-related events o prevent t their re-occurrence, thus improving plant safety.
40 ii. To stimulate the exchange of methods and experience regarding collection and classification of human performance data for conducting Probabilistic Safety Assessments (PSAs).
iiio stimulatT . e exchangth e f methodeo d experiencesan regardine th g use of the collected data in Probabilistic Safety Assessments.
3 4. Researc d Discussioan h n Topics
e followinTh g topics have been identifie P r inclusioCR fo de th n i n and for the specialist meetings:
. 1 Methods shoul e developeb d asseso t d s human performance capabilities at nuclear power plants for control room and other technical personnel (e.g. mechanica d electricaan l l maintenance/ instrumentatio d control)an n . Researc n thii h s area should include consideration of factors both internal (e.g. individual abilities, motivation, fatigue, stress d externa)an l (e.g. environmentad an l interpersonal work conditions e individualth o )t . Clear definition e termth sf o suse o describt d e these human factor concepts should be developed to foster communication amongst participants (see Appendix 1 for a list of relevant concepts).
2. Exchange of information related to methodologies/techniques for assessing human performance problem s roosa t cause f plano s t events. This exchange should mainly include discussions of presentations by member countries on the development and use of the different methodologies/techniques and include especially completeness, acceptanc y planb e t staff d techniquean , e th d an s consequences of implementing proposed corrective actions.
3. Exchange of information regarding data collection from plant experience for PSA purposes.
e informatioTh n should concentrat: on e - collection methods - classification methods - results of using plant experience data.
41 . 4 Reportin d discussionan g f simulatoso r runs performe varioun i d s member countrie sassessmene aimeth t a d f controo t l room operator reliability/performance during routin d severan e e (stressed) conditions should be encouraged.
Benchmark simulator tests have already been performed internationally (for example, the EPRI project). The results of thi d similaan s r research projects shoul e broadlb d y presented an d discussed by representatives of member countries.
4.4 Products of Programme
e product programmTh e th f o s e a seriewil e b lf technicao s l documents that include the papers presented at each meeting and a summary discussione oth f f thosso e papers.
42 Appendix 1 FACTORS AFFECTING HUMAN PERFORMANCE Internal Factors
. 1 Ability
1 Cognitiv1. e Ability
1.1.1 Intelligence 1.1.2 Specific Abilities 1.1.3 Psychomotor Coordination
1.2 Conative Ability
1.2.1 Perception 1.2.2 Attention
3 Affectiv1. e Characteristics
1.3.1 Stress Resistance 1.3.2 Mental Stability 1.3.3 Character
1.4 Physical Character
1.4.1 Visual Systems 1.4.2 Hearing 1.4.3 Motor Coordination 1.4.4 General Health Conditions
. 2 Behaviour
2.1 Skill Based Behaviour 2.2 Rule Based Behaviour 2.3 Knowledge Based Behaviour
3. Quality Performance Factors
3.1 General Well Being 2 Fatigu3. e 3 Stres3. s Resistance 3.4 Motivation 3.5. Drugs and Alcohol
43 External Factors
. 1 Environmental Factors
1.1 Temperature 2 Humidit1. y 3 Nois1. e 1.4 Light 1.5 Physical constraints of Work Locations
2. Work Organization
Specificatiob Jo 1 2. n 2 Deficiencie2. Proceduren i s s 3 Socia2. l Organization 2.4 Time and Duration of Work
. 3 Training
3.1. Class Room Training . On-Jo3.2 b Training . Simulato3.3 r Training
44 Annex PAPERS PRESENTED AT THE MEETING SSPB ACTIVITIES ON ANALYZING HUMAN PERFORMANCE PROBLEMS
L. JACOBSSON Human Factors Group, Swedish State Power Board, Vällingby, Sweden
Abstract
The SSPB human Factors Group at the head office has been analyzing human error in a more systematic way since 1987. The purpose of collecting dat primarils ai provido yt e experienc e inputh o t t e feed- back process. Through analysis of human error lessons can be learnt preveno t t future human performance problem same th n es o plan d an t als othen oo r plants. The human factors group reviews all SSPB plants LERs and scram reports on a continous basis and indentifies events related to human error same Th .e tas performes ki locae th y l db safet licensind yan g department and the operation department at each unit. Human error related LER scramd san regularle sar y evaluatee th y db HPES group at each site. The group consists of members from each unit safete licensinth ,d yan g departmen humae plante th th d nt a ,an t factors group. The severity of the event and the generalizabiiity of the human per- formance proble thems i n usecriteria s da determininr afo mora f gi e thorough analysi evene th neededf s i sto . Ther tree ear e levelf so analysis - Statistical analysis minor .Fo r events. - Simplified HPES (develope INPy d b eventr Ofo s with some safety importanc generalizabiiityr eo , approximatel event/year/unity1 ) - Complete HPES for significant events (I/year in Sweden) The HPES technique is still beeing tested for Swedish conditions and will be modified according to Swedish demands. Fopurpose th r estimatinf eo g operator reliabilit studieA PR sr yfo failure data and expert judgments from instructors at the training simulator has been used for estimation of operator reliability.
1. Introduction Collectio f datno huma n ao n performance problem havn sca e different purposes. It can be a part of the experience feedback process to pre- ven occurence th t same th f eeo typ specifie f erroeth o n o r c plant and on other plants. It can also be used to analyze the underlying mechanisms behind different types of human error and provide a more general knowledge of why errors occur. The third main application provido t s i e datknowledgd aan assessmentr efo f humaso n reliability in PRA studies.
47 The SSPB human factors grou sincs pi e last year (1988) collectind gan evaluating data on human error for the experience feedback process and for human reliability assessments. The main effort is being spent on analyzing human performance problems for experience feedback applications in cooperation with the responsible organization at the site.
2. Human performance problems
What do we mean by human performance problems or human error? The technical system (process) continously puts demands on the human operator. The task of the operator and also the maintenance personnel tako t s ei actions accordin demande th technicae o gth t f so l system. If the operator performance is not in accordance with the demands technicae th y b t lse system erron a , r (human error occurn )ca . When analyzing human error or human performance problems, it is essential to analyze the demands put on the operator by the technical system, and answe questioe th r n whether those demand accordancn i e sar e with human needs and limitations. The main effort at SSPB in preventing human performance problems bees ha , n spen findinn o t gnumbea f o r measures to prevent the occurence of the same type of event. One difficult proble statisticamn i l analysi f humaso n errofino t n s da i r appropriate level where to classify errors as human errors, in the end everythin classifiee b n gca humas da n error, e.g. problems with poor material qualit havn yca s origi eit poon ni r quality control, pooA Q r etc. If an operator commits an error and if the man-machine interface t beeno ns constructeha accordancn di e with operator needsn i s i t i , fac desiga t n error above Th . e issue importante able sar b o et o t d an , compare human error classification and analysis between countries, definitioe plantth c classificatioset d nan f humano n error muse b t similar and clearly stated. Often LERs and scram reports (in Sweden) contains limited background informatio human no n performancd an e difficule b non-technicaa n r ca fo t i l exper determino t t e froe mth information on the report whether a human error has been directly involved or not.
. 3 Analyzing human performance problem r experiencsfo e feedback applications
The SSPB human factors group at the main office started activities in analyzing human performance problems during the late part of 1987. The purpose of collecting data is mainly to provide an input to the experience feedback process preveno t , occurence th t f erroreo f so same th same kinth n eothen d o o plan d r an tsimila r plants.
Our categorizatio effortd nan human o s n performance problems si possibiiitiee baseth n do f findinso g practical measure preveno st e th t occurenc f similaeo r events define W . e human error related events sa an even direce th t f whero t causee e on bee s sha nhumaa n errod an r where measures to prevent the error can be found in the human part of the system (e.g. administrative routines). Our goal is to find measu- res that can be implemented to prevent the reoccurrence of these events. The SSPB human factors group reviews all SSPB LERs and scram reports on a continous basis and identifies events related to human error same Th . e tas performes ki locae th y l db safet d yan licensing departmen operationae th d an t le departmenth f o e on t a t sites, the Forsmark site.
48 Human error related LERs and scrams are regularly evaluated by the HPES grou t eacpa h sitegroue Th . mads f memberpi o p eu s from each unit safete licensinth ,d yan g departmen specifie th t a t c pland an t centrae th l human factors group. If the event is identified as a human performance problem, the severi- generalizabilite evene th th d f an to y t humae th f yo n performance problem is then used as a criteria for determining if a more thorough analysi evene th f neededs i sto . Dependin followine severite th th eventf e o n th go e f ygo on , analy- sis types are carried out:
. 1 Categorizatio classificatiod nan statisticar nfo l analysisr fo , less significant events The event classifiee sar direcr dfo t error type operatos sa r error, maintenance error and administrative error
2. Simplified HPES-analysis e methodolog pare Wth f eus o t y develope INPy db r eventOfo s with some safety importanc r generalizabilityeo . Approximate- event/yeae lyon unid analyzeds an ri t .
A decisio perforo nt mmora e detailed analysis, using parf o t HPES-technique th mads ei e when eithe evene th r serious i t s fro msafeta y poin f viewo t , have common cause failurr eo common cause initiator implication generia s i , c human performance problem, or is a scram involving human perform- ance problems simplifiee Th . d HPES analysis consiste th f so following HPES components: cause- and event analysis, barrier analysis, consequence analysis and change analysis. Interviews with personnel involve evente th n e alsdi sar o carried out.
3. Complete HPES analysis is performed for significant events. The latte bases i rars i rd Swedisn do ean h experience less thaevent/1e non 0 year unitd san . The SSPB human performance analysi stils si l under develop- ment and the following improvements are under discussion:
The plants themselves wil analysise l carrth t e you W . think that it is important that the plants themselves carries out most of the HPES-analysis work because then it will also be easier to feed the experience back to plant. The SSPB central human factors group will be a coordinating and supportive function for the plants. The persons responsible for analysis will get training on HPES evaluation techniques and on human factors issues (e.g. basic knowledge on human functioning; stress, cogni- tive processes, psychobiology, organization etc). Training will also be given on the HPES-analysis technique. Pilot training courses have already been given in these areas.
49 f. Collecting data for HRA applications studiee purposA th r PR scollectiof a Fo eo f failurno e dat experd aan t judgment critican so l operator action dons swa e from instructort sa trainine th g simulator facility instructore Th . PWe th Rt sa simulato r facility were give nquestionnaira e concerning significant operator actions. The trainers were asked to estimate the numer of crews who practiced mha crewe transiene manw dth th f ho y so d thaan t t had failed. The instructors were also asked to estimate the median tim perforo et m specific operato crewe r th actiondiffid f i sha d - san culties in handling the transients. These data were then used for making assessments of operator reliability for PRA purposes.
5. Need for future activities in development of analysis of human performance problems
More knowledg needes ei d concernin underlyine gth g mechanisms behind human errors. Model human so n error shoul validatee db n di experimental studies. Ofte resule errointeraction n na th a s f i ro t n between errors committe botn di technicae hth humae th d nan l system (Svenson, 1988)nucleae th n I . r power plant usualls i t s i t enoug yno h with one single failure in one part of the system to cause an accident, it must be a combination of errors in both the human and technical system for an accident to occur.
Effort should als spene ob findinn o t g critical initiator higd san h risk situation r errorinteractioe sfo th n si n betwee e humae th n th d nan technical system.
REFERENCES
Svenson, O., Cognitive psychology, operator behavior and safety in the process industry with emphasis on nuclear power plant applications. Department of Psychology, University of Stockholm. Report No. 29, October, 1988.
50 AN APPROACH TO HUMAN ERROR MINIMIZATION IN PHWR SAFETY RELATED OPERATIONS
. GOVINDARAJAG N Reactor Control Division, Bhabha Atomic Research Centre, Bombay, India
Abstract
e safetTh f nucleao y r power plant t presena s te th rel n o y engineering desig d safetan n y analysis doet addressno humao st n reliability aspects. The human error are generally classified in to accoun e typ th tf activityo e e locatioth , f errorsno , origif no errors, nature of errors, the task performed and the procedures involved, individual factors, equipment design etc. Information available indicate significant contribution among errors is from operator action d frosan m maintenance.
Keepin vie n abovi e g th w e background, emphasi s beini s g placed on improvement of control room functions and information display systems, for improving operator reliability. R & D efforts have been initiated for collecting data from operating plants, design of advanceo computer controls and operator support aids. The simulator being built will be used for functional test of the equipment and evaluate the task executed by them in a particular scenario. The results of these tests will be analysed with appro- priate weighing factors to the operators. The lapses and slips that arise in performing a particular task will be looked into in detai d analysean l providinr fo d g additional informatioe th n i n for f operatomo r aid decisior o s n support system, ergonomicf so control room operation alarm,reductio d functionanan l grouping etc. This paper describes the plan for improving reactor safety in an overall context.
I. Introduction
Indian Nuclear Power threshole Programmth n o f fass o dei t
expansion from the present modest generating capacity of 1250 MWe comprising 2 BWR and 4 PHWR units of sizes below wite MW h 5 increasin23 g indegenous content from uni unito t .
51 The future units of 235 MWe and 500 MWe sizes are of the standardised designs incorporatin necessare th l gal y improve- ment sfeedbace baseth n do k from ove 0 reactor9 r yearf so operational experience emphasie Th . indegenisation so d nan the peculiar operating environments for the plants in India have been responsibl substantiar fo e l design modifications.
2. Human Factor Engineerin Indian i g n PHWRs
e contributioTh humaf no n errors towards bringing dowe th n plant availability is difficult to segregate from those cause othey b d r factorplantr ou n i s mainly because th f eo following: - limited operational experience
evente th -s cause equipmeny b d t failur instrumenr eo t malfunctioning being relatively larg numbern ei s the strength and quality of operating crew being much more tha similan ni r plants elsewhere
due to above factors, human error quantification can be erroneous.
Though occasional modifications have been carrie frot dou m time to time in the control room panels and instruments, the operators feel that they have sufficient informatio handlo nt e all the routine and abnormal events encountered thus far. Also groupine ,th instrumentf go s (switches, light indicat- ions, meters) accordin functionallo L g y related subsystems, the segregatio groupf no s marke colourey db d e bandth n so mimia pane d procesf o clan s flow marked through panel instruments have all given considerable help in fast cognition planf o t situation keepin operatoe th g r stres consequend san t error proneness minimal.
52 3. Areas for Human Factors Improvement
A thorough review of the human factors considerations is however found necessary to ensure reliable and safe operations of the plants under all postulated abnormalities. With detailed analysi scenarioe th f so s followin postulatee gth d events deficienciee ,th information i s operatoe th o nt s ra well as the uncomfortable nature of operator actions during certain scenario identifiedt sge . Exhaustive analysie th f so scenarios following each known initiating event combined with a critical analysis of the past unusual occurences for human error contribution expectes si givo necessare t d eth y inputs for decision additionn so , modificatio d integrationan f no controls and information available in the control room. Also it would be of great use to achieve a classification of human errors depending on whether it is through violation of stipulated procedures, lack of properly defined operating procedure in the given context or the inability of the operator to diagnose an abnormal situation with regard to the root cause of disturbance.
While the end results of these analytic efforts are expected to have significant role in the refinement of plant design feature operatind san g practice brino st g dowhumae nth n error to the lowest achievable level, efforts on several fronts can be initiated right away in the direction of improv- ing man-machine interface and refining the operating organis- ation. Some of these efforts based on the needs felt by operatin desigd gan n review personne outlinee e lar th n i d
subsequent sections.
53 Measures to improve Man-Machine Interface (MMI)
Control room ergonomic PHWl Al R station- s s have twin operating units wit commoha n control room althougo tw e th h normallt unitno o sd y shar commoy an e n auxiliariese Th . contro unito tw le symmetricall sar e panel th f so y arranged as shown in Fig. l,but the panels are not having mirror reflection pattern avoiding the possible confusions in reflex
action following any swapping of operating crew between the
units.
e goalTh f fasso t indegenisatio d increasinnan e informatth g - ion content in the control room have added to the size and
number of control panels making the distances of operator
movement within the control room quite considerable. Efforts procuro t n o ee compacar t panel instrument d combinsan e with their optimal layout giving due considerations for functional grouping, satisfactory task executio operatory nb s during routine procedure wels sa whils a l e handling most postulated
event scenarios.
Other improvements in control room ergonomics like the re- placement of existing lighting arrangement with more diffused one avoiding glare from all directions are also being thought of. More uniformity in colour codes employed in all the standardised unit d increasinsan coloure gth accommodato st e finer classificatio annunciationsf no , lights etc expecte .ar - ed to improve the operator's fast cognition of the plant situation.
54 iX^- 67B7t ARfcS r 1AO MONITOR t3=3 is ,' I9SQ , isso __._ 27CQ • laso , ig» . T85Q - —
CHAHNEL-A/D —
u: N ji-^A^ tf> iKnn-pjA! jig S ll «v to ©- ^«. N.. r f-; fiœ -tSL. ^^cr^ UvJ l^Vv/ i
FIG.1. Typical control room for a twin unit PHWR station. On-line operator aids
Whil date th ea acquisitio d evenan n t recording systemn i s
the presently operating plants are not quite comprehensive,
a more complete and fast data acquisition system (DAS) is to
be incorporated in all future units. With this system, an
operator doesn't hav depeno L e n vaso d t multitud f instruo e -
ments to recognise the status of the plant and that would now
be readily available through a compact mimic on a CRT screen.
Apart froplane th m t overview e detailth , f variouo s s sub-
systems arranged in a hierarchical manner in the DAS computer
can be presented to the operator on his request. Efforts are
on to add query features in the information presentation
system and substantially enhance the selectivity and time-
lines of process information at the disposal of the operator.
Apart from presentatio f informatioo n n convenieni n t format,
the DAS computer is programmed for significant information
integration e processeTh . d information help e operatoth s n i r
avoidin mano s g y correlations mentally performed earlier
thereby enablin mora g e precis d fastean e r diagnosis during
abnormalities.
Procedures have been worked out for suppression of unnecessary
alarm d othean s r irrelevant informatio givea n i nn operating
context again to avoid the operator's distraction towards
extraneous issue d focu an s attentio hi s n currentlo n y
pertinent information. These procedures could be conveniently
implemented through CRT based information presentation systems.
56 5. Measures Towards Improvement of Operating Procedures
Normal operating procedures:
Thes e alreadar e y well define e ford issueth an f d o m n i d
operating manuals aided by flow sheets. Though there is
substantial common contene procedureth n i t s employen i d
various PHWR units, each unit has its procedures documented
separately taking into accoun e locath t l featurew ne d an s
w standardiseadditionsne e th n I .d units e generith , c part
f theso e procedures woul e overwhelminb d e continuouth d an g s
updating of the common procedures is expected to be more efficient
Emergency operating procedures:
Studies were initiated to analyse the scenarios following a
large numbe f componeno r t failure r initiatino s g events
postulated e involvemenTh . experiencef o t d designerd san
operator n thesi s e efforts have enabled arrivin t suitabla g e
operating procedure e followeb o t s n identificatioo d e th f o n
initiating event responsibl e currenth r tfo e abnormality.
e identificatioTh e initiatinLh f o n g event froe symptomth m s
r informatioo n availabl e controth n i t ealwayl no roo y smma
be easy and is subject to large uncertainties and errors.
Procedure monitoo t s e unsafth r e e predeviationth -l al n i s
selected state variables of the plant, restore and maintain
normal or safe state of operations are expected to supplement
the emergency operating procedures for identified initiating
events.
Operating organisation:
The operating crew in each PHWR 235 MWe unit consists a
minimum complimen e shifon f to t engineer e assistanon , t shift
57 engineer, one fuel handling engineer, 4 control enginers,
18 technical a healtstaf d an fh physicis o assist t them.
e engineerAlth l s have good theoretical background froa m
long perio f educatioo d d traininan n 0 year(1 gn school i s ,
year7 o e n yeacollegt i s on 6 rd traininan e n varioui g s
nuclear establishments) e technicaTh . l staf e alsar fo well
trained in the basic principles of operation and maintenance
of plant equipments. The operating crews work in 8 hour
shifts e communicatioTh . n withi e creth nw member d betweean s n
the crews are excellent in view of the high level of under-
standing of the plant processes and their importance by each
crew member. The maintenance personnel maintain a close
observation of operating events and provide all the help when
called for. Since ther s considerabli e e interchangf o e
personnel from operatin maintainanco t g e team e communicatth s -
n o betweeteamio tw s informai e s th n d soundan l . Efforte ar s
on to further improve the communication between crew members
and encourage organised participation of more engineers in
monitoring, diagnosis and recovery actions following events.
6. Measures Towards Improvement of Operator Quality
e selectioTh d traininan n f freso g h graduate engineerr fo s
e yeaon r period bot Trainint a h g e Schooth t n Bombaa i l d an y
training centres locate plant a d t site s quiti s e rigorous.
e prograTh t onlno my provides sufficient theoretical background
in nuclear reactor physics, reactor engineering, radiation
protectio t exposenbu etc. , e sdetail th the o t mf safeto s y
issues involved with nuclear power plants. Thee requirear y d
to clear a set of examinations and checklists before being
absorbed into regular w servicetechnicianne e Th . e alsar so
58 trained with sufficient exposure to plant equipments, their
operating principles and maintenance aspects.
The qualification program of engineers and operators at
various level s organisei s d along well established linef o s
examinations, interview etc. This helps maintain well quali-
fied set of engineers and operators licensed to operate the
plant with sufficient incentives offere o themt d . e participatioTh f operatino n g engineer d technicianan s n i s
sessions reviewing the events of the past and formulation of
new procedures help experience sharing and updation of
knowledge. Periodic seminars and lectures on issues of
importance to plant operation, maintenance and safety also
help the cross-flow of knowledge among staff of different
units and sometimes from other nations also.
The full scope training simulator being commissioned at
Rajasthan Atomic Power Statio s expectei n o providt d a gooe d
boost to operator training and retraining. This simulator
provides opportunity to train operators not only on all normal
operations like unit start-up, shut-down, power manouvres,
periodic e conductetestb o t s d from control rooms etct bu .
als n abnormao l situations create wida y eb d variet f malo y -
functions. Presently the total number of malfunctions provid-
ed in the plant model is around 200 and it includes most
frequently encountered failure mode d failurean s s having
important safety consequences for the plant. They range from
a single pump trip to several modes of instrument failure or
loss of off-site power. However, major failures leading to
LOCA and two phase flow conditions in the primary loop are
59 presentl e t includeb model e no yo t th d then e i an sd ar y
incorporate e nexth tn i dstag f simulatoro e .
Simulator testing of abnormal operating conditions with
regular plant operating crew s expectei s o helt d p refine
emergency operating procedures. Also these exercises would
bring out the operational areas susceptible for human errors
d enablan e concentrated effort o refint s e procedures from
human factor considerations and intensify training in
selected vulnerable areas.
Conclusion
With the problems faced by the first few small nuclear power
unit n Indiai s , sufficient lessons have been learnd an t
effort o improvt s e plant performanc e giveth n i eoperatin g
environment is multifacetied. Some of these efforts aimed
towards minimisin plane th g t unavailabilit humao t e ndu y
error d improvan s e operational safety have been highlighted
in this paper e internationaTh . l experience share n thii d s
front is hoped to help accelerate these efforts and fast
achieve smoother and safer operation of our nuclear power
plants.
60 HUMAN ERROR HUMAS— N CAUSED, ENVIRONMENT CAUSED
K.C. SUBRAMANYA Operating Plants Safety Division, Atomic Energy Regulatory Board, Bombay, India
Abstract
e ImportancTh f Humao e ne saferroth en i roperatio f o n
Nuclear Plants has been well recognised. The human error could a larg o t e e numbedu f e reasonso b r * cominEg . g from factors
like sensing, perceiving, predicting, familiarity, skills, rules,
individual performanc d environmentaan e l factors sucs a h
ergonomics, work organisation, procedure, tim & duratioe f worko n ,
training, physical environment etc. Two incidents highlighting
human cause d environmentaan d l caused error e discribedar s . Also
a distribution of causes of failure and affected systems of Safety
Related Unusual Occurrences is presented on the basis of the
reports receive e regulatorth y b d y body.
A syste o analyst m e human errors with respec o humat t n
cause d environmenan d t cause s beini d g developed e inpuTh . t data
for this analysi s obtainei s d from Safety Related Unusual
Occurrence reports receive e regulatorth y b d y bodye Th .
regulatory requirement for submission of these reports include first information repor y telex(b t , telephone etc) withi 4 hour2 n s
of the incident and detailed report within 20 days. The detailed
report amongst other information also contains information with
e incident respece causth th f o o et t . These report e discussear s d at various levels and an attempt is made to identify the root
cause .
61 Ther e manar e y factors which contribut e safth eo t e
operatio f Nucleao n r Power Plants (NPPs) viz: Design, Reliability
of equipments, Man-machine interface, Human response etc. Safe
operation of the NPPs is ensured by giving due importance to the
above factors. But still there are incidents reported regularly
causing unscheduled outage r degradatioo s f systemo n s requirer fo d
safety.
Of all the factors that cause such incidents, Human error
has been recognised as a very important factor. Human error is
committed due to various reasons. The behaviour of individuals is
very difficult to predict accurately. All persons do not respond n identicaa n i l manne a give o t rn problems alsi t oI ver. y
difficult to assess the capability of an individual fay some simple
tests. Ther e manar e y factors that influenc e humath e n response.
However, human error could be classified very broadly into two
groups viz : a) Human caused b) Environment caused
Human Error -Human Caused
Human factors and behaviour are the key issues which
influence a person to respond in a given situation in a particular
fashion e humaTh . n factor e base ar sn huma o d n thinking process
taking inpu e sensortth frol yal m organ d generatinan s a suitablg e
output .e importanth Som f o e t factor e sensingar s , perceiving,
predicting, familiarity with control d decisionan s . Human
of practice one has undergone for performing the given task. These
can be broadly categorised as skill based behaviour, rule based
behaviour and knowledge based behaviour.
e abovth el Al behaviour d humaan s n e factorimproveb n ca s d upo y propeb n r trainin d gooan g d practice t thera limiBu s .i et
e traineb e degre tth n o r ca giveo whico t d ee on nh practice. Here
62 the individual performance comes into picture. Each individual has an inbuilt ability (or inability) to perform a task. Human
reflexes are excellent examples for individual capabilities.
Hence an individual's performance also makes an impact on the
human performance.
Human Erro - Environmenr t Caused
There are many external factors which influence the
performanc n individuala f o e . Many times, these contribute th o t e human error, which otherwise would not have occurred. The word
"Environment" is used here to mean these external factors. Some of
the important factors are, ergonomics, work organisation,
procedures, timd duratioan e f worko n , trainin d physicaan g l
environment. While all the factors such as design, construction, equipment, man-machine interface etc. contributing to safety are
ultimately huma nf the o e humarelated ar l m nal initiateds a , e th , errors committed by operator only are discussed in this paper.
o incidentTw n Indiai s n NPPs which occurre o humat e ndu d
e errorcason e n i huma, n e othecausedth rd environmenan , t caused, e presentedar . The.se incidents have already been reporte o IAEt d A
1RS, earlier.
. 1 Inciden a Pressurise t a t d Heavy Water Reactor (Figur) I e
Rajasthan Atomic Power Station consists of 2 reactors
f Pressuriseo d Heavy Water type e reactoTh . s coolei r y Heavb d y
Water throug 8 hPrimar y Heat Transporn ti pumpT pump4 PH ) s( s
each loop (4 pumps, 2 in each loop is shown in the figure)
connecte" fashion" figur 8 a f n o i e .d a EacT pums PH hha p
steam generator wher e hea s th etransferrei t o light d t waten o r
e secondarth y side. Stea e mboilin th produce o f t thio g e sdu d secondary wate s user i generatinr fo d g electric powea n i r
63 SHUT DOWN HX SHUT DOWN COOLING PUMP SHUT OOWK COOLING BACKING UP SPECIAL PUMP FROM BLANK LEAKAGE COLLECT!»
!-_-_—_-_-_-V-.h.-.UEflK/»G£: COLKTWI TAJK
5) STORAGO T E TANK FIG.1. (NOT SHOWN)
conventional manner. Each loo s provideI p d wit a shuh t down pump
and a shut down heat exchanger for removal of residual heat.
During shut down of Unit— 2 , maintenance works on one of the
T pump PU d shuan s t down heat exchange e samth e f o loor p were taken
up. After completing the maintenance work on the pump, it was
taken into e operatoserviceth t Bu r. forgo o clos t e tpum th e p
bowl drain valve. After some time, heavy water leas observewa k d
e heafroe blanth th t m f o exchangek r head. (This blan s fixewa k d
temporarily to facilitate work on the heat exchanger.) Firstly it
was suspected that one of the isolation valves for heat exchanger s leakingwa . Bote valveth h s were exercise o seat d t them
properly e leath k t continuedbu , o investigatT . e leakth e e th , only running shut down cooling pump (residual heat removal pump)
on o t
64 Investigations showed that the heavy water tread the path through the pump bowl drain to the leakage collection tank (as the drain valv s lefwa e te hea openth t d backeo t exchangean ) p u d r head an d
due to improper fixing of the temporary blank, started leaking, t closinno e pumth g p drain valve while takin e pumth g p into
service. Procedures for isolating and putting back, the pump into servic e operatoe th exis d an tr faile o follot d e procedureth w s
thus causin e incidentth g .
Incidentall e otheth y r human erro f impropeo r r e fixinth f o g
e heablanth t f o exchangek r aggravate e situationth d .
. Inciden2 a Boilin t a t g Water Reactor (Figur) 2 e
Tarapur Atomic Power Station comprise 2 Reactors f Boilino s g
Water Type. The reactor uses slightly enriched uranium as its fuel
/————————v c- «-e«rf«»«, rU-WV-J————————
FIG.2.
65 and light water as moderator and coolant. When the reactor is e heaoperatingth t o t produce e fuele th e watedu ,th y ,b dr boils
and the steam is directly fed to the turbine for generation of
electricity n emergencA . y condense s providei r o removt d e th e
decay heat when the main condenser is not available or when the
containment is isolated.
While Unit-2 was operating at Power, one of the 2 Primary
feed water pumps, tripped on ground fault. As the discharge check
valve of the pump was passing through, the other feed water pump
could not pump water to the reactor due to short circuiting. This
resulted in scram on reactor water low level and closure of
primary steam isolation valves. Later, water leve s broughwa l p u t
by isolatin e defectivth g e feed pump t thiA . s time emergencth e y
condenser was brought in line. It was found that the reactor
water level was rising. The operator tried to arrest the upward-
trend of the level by using the clean-up system reject, but the
clean-up system trippe n higo d h pressure.
e reactoTh r water leve d lfille an wene steap th u dt m lines
thus forming a water seal and prevented the steam from entering
the emergency condenser. This resulted in the emergency condenser
becoming ineffective. The reactor pressure increased lifting the
reactor relief valve open. (Incidentall e relieth y f valve setting
was found to have drifted to a slightly lower value.) The hot
water entered the containment causing the containment pressure to
go high. This initiate e containmenth d t spray syste o actuatt m e
which brought down the containment pressure in a very short time.
At this stage the operator on his own opened the PSIVs, thus
removing the water seal to make the emergency condenser effective.
After analysing the incident, the station revised the procedure to
take car f suco e h situations.
66 This incident shows that due to lack of proper procedure (of opening PSIVs once leveth e l became normal) cause e reactoth d r relief valve to lift and causing the containment to get pressurised. This is a case of environment caused human error.
Data Collection and Analysis System in India
In India, data on human error is collected and analysed as a part of an elaborate system. In this system, human error as a composite root cause along with other root causes is reviewed and analysed. A brief description of the above mentioned system is givea below.
Atomic Energy Regulatory Board (AERB s responsibli ) r fo e overseeing the safety of all the nuclear installations in India right froe desigth m n stage till decommissioning stage. Following divisioas have been formed to address the above meitioned task.. ( PI. see ligure 3 )
1. Nuclear Safety Division ( N.S.D.)
2. Industrial Safety Divisio I.S.D.( n )
. 3 Operating Plants Safety Divisio O.P.S.D.( n )
. 4 Radiation Safety Division (R.S.D.)
These division e give ar e sresponsibilitie th n f safeto s n i y their respective area d thean s y e Chairmareporth o t t n AERBn I . additio e abovth o et n divisions, various committees appointey b d the Chairman AERB, review the safety aspects of the relevant disciplines. To review the safety of the operating plants, a committee called Safety Review Committee for Operating Plants
( SARCOP ) is constituted. This committee reviews periodically the safety status of these plants and makes suitable recommendations.
These recommendations of SARCOP are implemented by OPSD.
67 ON oo ATOMIC ENERGY COMMISSION ADVISORY BODIES
AERB SECRETARIAT
STANDING COMMITTEES EXECUTIVE COMMITTEE
SAFETY REVIEW COMMITTER EFO OPERATING PLANTS PROJECT (SARCOP) SAFETY REVIEW COMMITTEES
NUCLEAR SAFETY INDUSTRIAL SAFETY OPERATING PLANTS RADIATION SCIENTIFIC ADMINISTRATION DIVISION DIVISION SAFETY DIVISION SAFETY TECHNICAL DIVISION SERVICES • Inspectio nAuthorisatio& n Safety Assessment - - Inspection, Review Nuclear Fuel and Enforcemen' t - Computer • Quality Assurance Mechanical, Electrical, Cycle Facilities - Personnel - Approval of - Library and - Budged an t • Safety Audits Fire, Explosived san Medical, Engineering Reprography Future Reactors Chemical Industrial and Finance Modificationd san - Safety - Publications. - Technical Aspects Inspectiod nan other Enforcement Technical Applications. Research - Safety Analysis Codes, Guide Standards& s Codes, Guides and Specifications • Transportation - Public - Codes, Guided san Information. Computer Codes Standards. Consumed an r Standards products. - Emergency • Codes, Guides Management and standards
FIG.3. Organizational structure of AERB. TABLI E
FAILURE ANALYSI R OPERATINFO S G UNITS
. FAILUR1 E CAUSE
A. Equipment failure 53.00 %
B. Human Error 15.00 % - Operator Error 5.5 X - Human error during maintenance and testing 9.5 Z
. C Maintenanc d repaian e r induced failures 4.80%
. D Trainin d administrativan / g e procedures 12.00%
E. Fire 4.00 %
. F Grid disturbance d othean s r external 11.2% 0 factors
2. SYSTEM
1 . Fuelling machine 16.85 7,
2. Reactor regulating, protective and 12.30 % safet terns y s sy
3. Main heat removal systems 1 1 .20 7.
4. Turbine Generator 6.74 %
5. Feed water, condenser and circulating 12.36 % water systems
6. Electrical power supply system 30 .34 %
7. Miscellaneous 10.10 % - compressed air - ventilation system etc.
y incidenReporan n o t t having safety significance, knows a n
Safety Related Unusual Occurrence Report (SRUOR) is prepared and
sent by the plant to the Operating Plants Safety Division (OPSD) f AERBo A firs. t information report know s prompa n t
notification s seni ,y teleb t r telephono x e withi 4 hours2 n A . detailed report in a standard format is then sent within 20 days
69 of the incident. These reports are received and a. summary is prepared. This summary, along with other criteri s availabla a n i e
the detailed report is fed to a computer and stored. Data thus
collected, is analysed to find out the types of failures, causes e incidentth f o s etc e SRUOe forma.th Th s undei f Ro t r revision
to bring it in line with the Incident Reporting System of IAEA.
These SRUORs are further discussed at various levels. They
are firstly discussed at the Station Operations review Committee.
s Ifurthei t r reviewee Statioth y b dn Safety Committee whics i h
appointed by SARCOP. Finally, they are reviewed by SARCOP and
suitable recommendations are made. Reports of all the above
review e alsar s o receive y OPSDe b abovd th .l e Wital e hel f th ho p
data, analysis of the incidents is done with respect to the
system, root cause, typ f failureo e , effec n operatioo t n etc.
Results of an analysis carried out to study the various causes of
failure and the systems affected, are shown in Table I.
Conclusion
Human erro s recognise i ry facto ke a rs a dwhic h needs proper
addressing for ensuring a safe and efficient operation of the nuclear power plants. A system to analyse human errors with
respect to human caused and environment caused is being developed.
For this, all the incidents involving human error are to be
discussed with the station authorities and the corporate tiody
(which owne stationth s r improvinfo ) e traininth g g programmes
suitablo carrt t modification d ou y an y e operatinth t a s g plants.
Efforts e wildesig e th madb lt a en stag o improvt e e th e
environmental condition se fee th based n o bacd k froe analysith m s
performed so that the environment caused human error could be
minimised.
70 HUMAN RELIABILITY DATA COLLECTIO QUALITATIVR NFO E MODELLING AND QUANTITATIVE ASSESSMENT
D.A. LUCAS, D.E. EMBREY, A.D. LIVINGSTON Human Reliability Associates Limited, tonl , Da Wigan, Lancashire, United Kingdom
Abstract
Effective human reliability assessment requires both qualitative modelling of possible error theid an s r causes quantitativd an , e assessmen f theio t r likelihood. This paper considers the available sources for both qualitative and quantitative data collection. A classification for different types of data is proposed. Currently used methods of gathering data using operational experienc simulatord an e e discussear s n relatioi d n to these data types. The analysis of error data from operational experience is elaborated upon, and requirements for a comprehensive human performance data collection system are proposed. These requirements are examine n relatioi d o existint n g data collection programmee th d an s practical aspect f analysino s g error data.
Introduction
The traditional approac o humat h n reliability analysi s emphasiseha s e th d quantificatio f erroo n r probabilitie r proceduralisefo s d operator actions e faulth n ti tree analyse n Probabilistii s c Safety Assessment (PSA). Discussions of the need for human reliability data have therefore concentrated on the issue of how numerical data on human error probabilitie se obtaineb (HEPs n ca )d from various sources. Although this aspec f humao t n reliability dat s i importanta e humath , n reliability concept also covers qualitative modelling e datTh a. requirementr fo s both areas need to be considered. This paper addresses both qualitative and quantitative modelling.
Various area r whicfo s h human error date requiree definear ab n s a ca dd follows : system w e desigth ne f o n ensurt i o sn e . a us e Datr thafo a t human reliabilit n areai y s suc s operationsa h , maintenanc testind an e s i g optimised.
71 n devisini e . us b gDatr fo erroa r reduction strategie r existinfo s g systems.
. c Datr qualitativelfo a y modellin e typeth g f erroo s r expecte o occut d r in emergency and other situations as part of PSA.
d. Quantitative data for performing cost benefit analyses in areas (a) and (b).
e. Quantitative data in the form of absolute human error probabilities for use primarily in PSA, but also applicable to (a) and (d), if available.
Human error data can be broadly divided into qualitative and quantitative groups. Qualitativ e subdivideeb datn ca a d intfurtheo tw o r categories. The first of these are data that are to be used either at the design stage, or retrospectively, for error minimisation purposes. Typically, these address the underlying causes of error. The second category is data for error modelling structure A withiPS a n . This involve e analysth s t postulating various ways in which the operator could fail for a predefined scenario. These 'error modes e include e ar evend ' th faulan n ti dt tree structur r subseqrenfo e t quantification.
Quantitative datn als e brokeca ab o n down categoriesinto tw o firse Th t. categor s i takey o includt n l numericaal e l data relevan o humat t n reliability assessment excluding data on absolute error probabilities. This categor s i ytypifie y datb d a suc s "detectioa h a faint f o n , infrequently occurring signal s wilinitiait f l o decreas% l 25 leve o t el after about hal n houa f watchkeeping"o r othee Th r. clasf o s quantitativ e eabsolut th dat s i a e estimate f humao s n error probabilities encountere n PSAi d , e.g. "the probabilit e operatoth f o y r failino t g operate valve 27B is 3.6x10 ". In subsequent discussions we shall refer to the above categories of data as QUAL1, QUAL2 and QUANT 1, QUANT2 respectively. The definitions of these types of data are summarised in table 1 :
72 Tabl : 1 eDefinition f Dato s a Categories.
Data Type Definition
QUAL1 Qualitative data to be used for design or error reduction purposes.
QUAL2 Qualitative data for error mode prediction in PSA.
QUANT 1 Quantitative human error data excluding absolute probability estimates r relativfo , e likelihoof o d error d assessmenan s f differeno t t typef o s influences.
QUANT2 Absolute estimates of human error probabilities used in PSA.
In the remainder of this paper, each of these data categories will be considered from the point of view of data sources, the feasibility and cost of obtaining data, and possible application areas.
Qualitative Error Reduction Data (Type QÜAL1)
Nature of the Data
Type QUAL1 data consist f threo s e main subcategories firse f Th theso t . e s i specific human factors information derived from experimentation under laboratory or, (more rarely) field conditions. Such experimental data tends to be specific to a particular combination of variables where only one (or, infrequently, two) factor e changear se th s para df o t experimental design r exampleFo . e increasth , n responsi e e eb y timma e tabulated whe n individuaa n o t responn increasin a s ha o t l d g numbef o r alternative switches whic he operate b nee o t d d whe n alara n m occurs.
The second subcategory is data derived from the systematic analysis of operational experience or simulator trials. For example, in a particular installation t i ma, observee yb d that test engineers frequently lose their place when carryin t lonou g g written procedures obvioun A . s conclusion from this findin s i thae gwritte th t n procedures shoul e brokeb d n down into smaller units. As another example, simulator trials may indicate that certain displays are more effective at aiding performance than others.
73 The third subcategory of qualitative data are general error reduction theories, principles or models which can be applied to a wide range of systems and situations. Examples of principles of this type are those associated with Rasraussen's Skill, Rule, Knowledge (SRK) model (réf. 8) or e GEMth S model propose y Reasob d s i often t (réfI n assume. .9) d that these general error reduction principle e generalisationar s s e froth m specific laboratory studie d operationaan s l experience analysee th f o s first two categories. Although this is true up to a point, the general models are often used to provide a structure within which specific experiment e conductear s o generatt d e data. Similarly, particular cognitive models of human error can be used to structure the collection of operational data.
Application Areas l threAl e subcategorie e applieb f dato n s ca ad durin w e desigth ne g f o n systems. Usually relevant experimental data is condensed into tables in data handbooks. However, such dat an i themselvehandbook t no e ar s sufficien o t achievt e designs which minimise human error systematiA . c design methodolog s i ynecessar y within e appliedwhicb e datn n th h ca aA . exampl f suco e a methodologh s i SHERPy A (Systematic Human Error Reduction and Prediction Approach, Embrey, réf.3). This typ f methodologo e y provide a comprehensivs e analysi e desig th enabled f o an sn e analysth s o t t focus on safety critical aspects of the system that may be jeopardised by human error.
The reduction of human error in operating establishments and systems also utilises data e frol subcategoriethreth al m f o e s discusse o thit p su d point. However, the existence of a systematic error data collection system is probably the most effective means of developing a comprehensive error reduction programme. Such a system allows the nature of human reliability problems to be identified at source and the effectiveness of any error reduction measures to be monitored.
Data Sources
. a Data handbooks
There are considerable amounts of qualitative data available which could potentiall e applieb y o desigt d d erroan n r reductio a numbe n i nf o r industrial contexts. However, these date ofte ar an specialise i n d research reports and journals which may be inaccessible to the general user. For such users, the best sources of data are some of the many
74 handbooks that have become available r example e Fo spacth . n ei , industry, comprehensive design data sources such as the NASA human factors handbook are already extensively used. A text which is specifically orientated towards error reduction is the Guide to Reducing Human Error in Process Operations (Ball et. al, réf. 1) which was developed by the data subgroup of the Human Factors in Reliability Group sponsored by the United Kingdom Atomic Energy Authority. Another document which provides qualitative guideline r errofo s r reduction (althoug s i primaril t i h y orientated towards quantification s i Swai ) Guttmand an n n (réf. 10).
b. Analysis of operational experience
The nuclear power industry (particularly in the USA) and the aerospace industry have attempte o establist d h systematic approachee th o t s reporting of operational experience. One of the most widely established reporting schemes is the Licensee Event Report (LER) system. This is a mandatory reporting scheme operate e Nucleath y b d r Regulatory Commission s (NRClicensinit s para f )o t g requirement r nucleafo s r power stationn i s e U.Sth comprehensivA . e submitteb e e th NRo th t reporn i Cs o t dha t event of any abnormal occurrence that violates the technical specification e plante LEoth f Th R syste. s mi therefor t primarilno e y intendea s a d mean f o reportins g human errors. Nevertheless, because many abnormal occurrences originate from or implicate human performance deficiencies, LERs contain much material that is of interest to the human reliability analyst. In the aviation industry, a system of confidential reporting exists which allows anonymous feedback of problems (including "near miss" reporting). Unfortunately, this system doe t providno s a eframewor k which allow e causeth s f incidento s determinede b o t s . s i suggeste t I d thae mosth t t cost effective metho f erroo d r contros i l the existence of a comprehensive human performance data collection system. Such a system should allow the collection of data on human performance deficiencies such that the underlying causes of errors can be identified and appropriate error reduction measures prescribed n ordeI .o achiev t r e these objectives at least five requirements are necessary:
o A climate of opinion at a contractors plant and in an operational system that views error as a normal part of human behaviou d henc y an meana rnon-punitiv (b ef o s e reporting policy) encourages operators to report not only errors that give ris o undesirablt e e consequence t alsbu so 'near misses'. Reporting of violations should also be encouraged, to determine why short-cut e takenar s . Ther s i generalle a yrequiremen r fo t
75 a proactive reporting system philosophy which promotes the reporting of no-cost incidents.
o A systematic and structured data collection approach that assigns to specific individuals the responsibility to investigate incidents and collect error data.
o A classification scheme for error data that is based on a human error model (or models) such that the causes and contributing factors can be identified.
o Management acceptance (at all levels) of the importance of human reliability as a major determinant of plant safety and profitability. Also e requireth a willingnesn o s i dt ac o t s result n erroa f o sr data collection programm supportiny b e g (financially and otherwise) the implementation of error reduction strategies which aris s recommendationa e s from these data.
o Regular feedback to all levels of employee giving details of the safety measures implemented as a result of the system.
These requirements are, of course, very stringent, and it is therefore not surprising that no error data collection system currently exists which fulfill l thesal s e criteria.
One major scheme whic s i horientate d e collectiosolelth o t y f humao n n performance dat s i operatea e U.Sth y . b dnuclea r industry. e th Thi s i s Human Performance Evaluation System (HPES) administere e Institutth y b d e for Nuclear Power Operations (INPO). A particular advantage of HPES is that it is run by the industry for the industry, and thus there is less of a tendency to "sanitize" the data that is collected. In addition, the system involves voluntary reportin f boto g h actual problem d potentiaan s l problems. The HPES programme fulfills several of the criteria discussed r moro above e e On individual. t eaca s h plan e designatear t s plana d- co t ordinators and are mandated specifically to investigate human performance problems. Plant coordinators receive extensive training in incident analysis technique t a INPO sd regula an , r feedback session e conductear s d where plant co-ordinators discuss problem n operatini s e schemeth ge Th . plant coordinator attempt o investigatt s e causeth e f humao s n errord an s near e misseplan th d recommend an t ta s s appropriate corrective measures.
76 Data which are sufficiently generic to be of general interest are circulated on an industry wide basis, and are added to the central INPO data base.
The HPES programm a relativel t a s i e y early stag f developmeno e doed an ts not yet fulfil all of the criteria discussed earlier. For example, the error classification system requires further elaboration. Nevertheless, the HPES programme has achieved widespread acceptance, as nearly half of e U.Sth . l poweal r utilities now subscrib e schemeth thid o t ean s , initial growth occurred ove a perior f leso d s tha na e yearmajoTh .r reason for this success is that the scheme is perceived to provide real benefits at individual plants in reducing the incidence of errors and other human performance problems. The widespread acceptance of the HPES demonstrates that error data collection schemes are both possible and useful, provided sufficient committment and financial resources are made available. It is also encouraging that the nuclear industry in Canada and in France have implemented the HPES programme, or variation, of it.
The collection and reporting of incidents involving human errors is not an activity which most people take to naturally. Reviews (e.g. Lucas, réf. 6, , Embreréfal t e ) y.hav 4 e reveale a numbed f commonlo r y occurring problems with human performance data collection schemes.
o Firstly, reports tend to be very variable in quality. Many report e vaguar sd incompletean e e leveTh f .o informatio l n reporte s i verd y variable e analysiOn .y Luca b sd Embre an s y ) showe5 (réf. d thaf inciden o t leasa t% 20 t t reports involving human erro e essentiallar r y unusable froe pointh m f vieo tf wo analysin e e naturerroth th g r f o nearo e r miss. Those reports which are both clear and detailed tend to be the rare exceptions.
o Secondly,another serious problem which has been found in reviews of current reporting schemes is that the underlying causes of human erro d neaan r r t adequatelmisseno e ar s y assessede Th . writers of reports concentrate on describing what went wrong, often at the level of the behaviour of the system. The reason whe humath y n performance problem occurre s i dver y rarely established e thereforar e W . e left wit a hclea r descriptiof no what occurred, when and to whom, without the important analysis e humae causth oth ff no e error.
thirrelated A an do d proble s mi tha t analysts fin t i difficuld t to assess the root cause of a human performance problem. This
77 e variablth s i partlo t e e ydu nature informatio th f o e n collecte b aid e jo lac sth f alsd o kwhico an dt o h would help analysts in assigning one or more possible underlying causes to a particular error type. Most analysts havt receiveno e d extensive training in psychology and without explicit guidance on establishing the cause(s) and contributing factors of a human performance problem their assessments wil e unreliableb l .
a cognitiv f o e Thus ee mode f erroo l r would considerably assise th t f theso analysl eal thre n i t e aspects n f particularsucI o .a e h us e th , model could facilitate two of the most important uses of such a data collection scheme. Firstly t i coul, d derivatioe assisth n i t f accuratno e information on the causes of operator error. Secondly, it could help in the generation of effective error reduction strategies from the informatio e databaseth n i n . These error reduction strategies might typically r consisexamplefo , of t , changee desigth f n equipmento i ns a , revised training programme e redesigth r o , f procedureso n e Th . information collected needs to allow the specification of these and other method f reducino s g those human performance problems which have potentially serious consequences.
However, there is an urgent need to provide an appropriate "interface" betwee e theoreticath n l model f humao s n error causatio e pragmatith d an n c concern f accideno s t investigator n i industrys numbeA f . o possiblr e interface devices are feasible ranging from paper-based classifications of error causes, through the provision of decision aids such as flow charts, f knowledgo e us e eth base o t d system r datfo s a gatherin d analysisan g . These idea e discussear s morn i d e detai n Lucai l s . (réf6) .
. c Simulator data
e aerospaceIth n , nuclear certaid an , n area f offshoro s e activities (e.g. transpor buln i f crudo t k l carriersoi e ) sophisticated high fidelity full- scope simulators have been developed, mainl o trait yd certif an n y pilots and operators. In theory these systems should constitute excellent sources of both qualitative and quantitative human error data. The major difficulty arises because of the high cost and therefore heavy usage of most of the simulators that exist in the nuclear and aerospace industries. They often tend to be operated round the clock for use in training applications. This severely limits their availabilit r humafo y n factors a result works A . , most attempt e sucus h o t ssimulator o obtait s n human error data have had to be combined with training exercises. Examples of data collection efforts of this type are those described in Beare et. al
78 (réf. 2). Such studies have often involved the instrumentation of the simulato o enablt r e comprehensive computer based data collectioe th f o n operators actions. However, much useful informatio e gathereb n ca n d without this expense, particularl f i yscenario e pre-analysear s o t d identify aspects of a task that the operators are likely to find difficult.
Some studies have also been carried out specifically to collect qualitative data concerning the cognitive aspects (i.e. decision making, problem solving functions f operatoo ) r performance exampln A . f suco e a h study using a plant simulator is described in Woods (réf. 11) . Encouraging results have also been obtaine y Norrob dd Sammattan s i (réf. 7). meano n y sb certais i t I n that full-scope simulator e essentiaar s r fo l providing data relevant for human error reduction. Useful results have been produce y simulatorb d s base n microcomputero d d evean s n paped an r pencil simulations.
Qualitative Data for Error Mode Prediction in PSA (Type QUAL2)
The concep f predictivo t e error modellin n PSAi g s 'i basically concerned with identifyin e e naturerrorth th g f o es tha e likele committear b t o t y d by an operator in the situation of interest. For example, will the operator choose the wrong switch, will he misdiagnose the pattern of indicators, etc. In order to make these predictions, it is helpful to e availablth utilisf o e eeon model f humao s n error causatio o prompt n e th t analyst. As before, there is a problem of translating such models so that e useb they d yma effectivel risy b yk assessors. Qualitativ ee source datth f ao s fro l considereal m e previouth n i d s category (QUAL1 n obviouslca ) y als e applieb o o assist d e analysth t n i t identifying error modes notablet e widelno On t . ybu , available, data base n thii s e contexConfuciouth s i t s data base being constructey b d Electricité de France. This database contains information collected during simulator test d enablean s s qualitative analysie th f somo sf o e influencing factors determinin e erroth g r modes.
Quantitative Data Excluding Absolute Probability Estimates (Type QUAHT1)
The data sources discusse n detaii d r datfo l a typ ee use b o QUAL t dn ca 1 provide quantitative data regarding the relative likelihood of human errors when comparin situationo tw g s with differing conditionse Th . quantitative impact on human error rates of different factors such as
19 qualit f proceduresyo , time availabl o perfort e m operations, etc alsn .ca o be derived from these sources. An alternative approach is to use techniques which systematically elicit expert judgements regardine th g relative effects of different variables on human reliability.
Estimates of Absolute Human Error Probabilities (Type QDANT2)
The availabilit f absolutyo e dat human o a n error probabilitie a topi s i sc of considerable controversy. Briefly e 'empiricalth , ' position o n quantitative human error data holds that such data are only valid if they are ultimately based on observed frequencies of errors obtained from operational situations, simulations, or experiments which can be validly extrapolated to operational situations. Tha ' subjectivist' position, whilst agreeing with the empirical approach for situations where such data cavalidle b n y collected, argues that:
o Suc n approaca h h canno e applieb t o t 'rard e event' situations becaus t i ewil l neve e possiblb r o gathet e n adequata r e amount of data under conditions similar to those to which the data will be applied.
o Many crucial aspect f humao s n performanc n higi e h risk situations, (e.g. decision making, diagnosis) do not involve externally observable processe recordee sb than ca n ordeti d o t r generate error rates and therefore probabilities.
o However imperfect the perceptions of the available experts may be regarding the likely HEPs for a given (rare) situation, these perceptions (where systematically elicited) represent the best available evidence and must therefore be regarded as being best estimates of HEPs.
o Strictly speaking error probability estimates derived from frequencies are only useful if the underlying causes are the sam r everfo e ye sampleerroth n i r . This assumptio s i rareln y met.
Conclusion
Useful qualitativ e collecteeb datn ca a d from operational experiencd an e from simulators. In the nuclear industry (particularly in the US, France and Scandinavia) the benefits of having structured and systematic human performance data gathering exercises are becoming clear. Other industries
80 need to learn from this success. However, there remains the need to use cognitive model f erroo s r causation more extensivel e collectioth n i y n and analysi f humao s n performance data. Future research should looo t k finding methods of assisting analysts to utilise such theoretical insights in a practical situation.
In our view the best approach to the collection of quantitative human error data within any industrial setting is a pragmatic one. Both empirical ("objective") and judgmental ("subjective") data should be utilised. Since only a small amount of empirical data can be collected (relative to the overall need), this should be used within expert judgement based techniques.
The best source f datr o sthes fo a e purpose e e likelsimulatoar b s o t y r studies (in the medium term) and a comprehensive system aimed at collecting data on operational errors and near misses in the longer term.
References l a . (19851 t Balle . ) P ,Guid o Reducint e g Human Erro n Procesi r s Operations ReporD 3R ,t R347, UKAEA, Wigshaw Lane, Culcheth, Warrington.
2. Beare, A.N. et al (1984) A simulate r-based study of human error in nuclear power plant control room tasks. NUREG/CR-3309, SAND 83-7095.
. 3 Embrey, D.E. (1986) SHERPA SystematiA : c Human Error Reliabilitd an y Prediction Approach. Paper presente e ANS/ENth t a dS international iGOpical meeting on Advances in Human Factors in Nuclear Power Systems, Knoxville, Tennessee.
4. Embrey, D.E., Carroll, J.E. and De Montmollin, M. (1986) The INPO Human Performance Evaluation System revieA : d proposalwan r fo s further development. Proceeding a conferenc f o s e organise y INPb d O and EOF, Lyons, France, June 1986.
5. Lucas, D.A. and Embrey, D.E. (1986) A pilot study of the root causes of human errors in dependent failures. Report prepared for EPRI, Palo Alto, California.
. 6 Lucas, D.A. (198?) Human performance data collectio e nucleath n i n r industry. Human Reliabilit n Nucleai y r PowerTechnicaC IB . l Services Ltd.
7. Norros, L. and Sammatti , P. (1986) Nuclear power plant operator errors during simulator training. Technical Research Centre of Finland, research reports 446.
81 . 8 Rasmussen . J (1983, ) Skills, rule knowledged an s : Signals, signd an s symbols d othean , r distinction n i humas n performance models. IEEE Transaction Systemsn d Cyberneticso s an n Ma , , SMC-13 (3), 257-266.
. 9 Reason . J , (1987) Generic Error-Modelling System (GEMS) CognitivA : e Framewor r Locatinfo k g Common Human Error Forms : RasmussenIn . , J. , Duncan, K. and Leplat, J. (eds.) Hew Technology and Human Error. Chichester: Wiley.
10. Swain, A. and Guttmôr1., H. E. (1983) Handbook of human reliability analysis with emphasis on nuclear power plant applications. NUREG/CR-1278.
11. Woods, D.D. (1984) Some results on operator performance in emergency events. Institute of Chemical Engineers Symposium Series, 90, 21-31.
82 COLLECTION, ANALYSIS AND CLASSIFICATION OF HUMAN PERFORMANCE PROBLEMS AT THE SWEDISH NUCLEAR POWER PLANTS*
J.-P. BENTO Swedish Nuclear Training and Safety Center (KSU), NyRoping, Sweden
Abstract
lasyeare x tsi Th operatiof so l Swedisal f no h nuclear power plants have been studied with respect to human performance problem analysiny sb scraml gal licensed san e event reports (LERs). presene Th t pape updaten a s ri d versio previoua f no s reporo tt which the analysis results of the year 1988's events have been added. stude Th y cover scram7 s19 175 d san 9 LERs generas .A l results, 38% of the scrams and 27% of the LERs, as an average for yeare th s 1983-1988 causee ,ar humay db n performance problems. Amon iteme gth s studied, emphasi analysie th n bees o f t sso ha npu the causal categories involved in human performance problems resulting in plant events. The most significant causal categories appear to be "Work organization", "Work place ergonomics", "Procedure followed"t sno , "Training "Humad "an n variability".
Introduction
Human performance problems in Swedish nuclear plants have been assessed by analysing all reported scrams and licensee event reports (LERs) for the years 1983—1988. The objectives of presene th t study have bee: nto Identif causae yth l categories relate humado t n performance problem Swedise th t sa h nuclear plants. Map the topography and trends of the dominant causal categories. Assess the effects of taken corrective measures and eventually propose complementary ones.
KSU, Nuclear Trainin Safetd gan y Cente compana s ri y owned jointly by the four electricity companies in Sweden operating nuclear power plants. KSU 's main activities are with simulator training, safety analyses and experience feedback.
83 Accordingly, the present study covers 197 scrams and 1759 LERs. scrams/reactor 1 scrame 1, th f r averagn o yearlas sa (o x e s % si th t A r s38 efo / year) and 27% of the LERs (or 7,1 LERs/reactor/year) are caused by human performance problems below 2 figure e d .Se an .1 s Scrams/reactor/year Human performance P1u»U1C1lib
f* n
4- r**""""?1
3- c — —7\ ^ •""ym
2- J> " 71 f
*V*MWW & - _ mean = 1,1 1- ^ —!T !> s ^i V&& <: -3J5K ,1S&. 32% i 36% '. 3391 57% • 33% 38% •
83 84 85 86 87 88 Year
Figure 1: Swedish scram history and human performance problems
LERs/reactor/year Human performance problems
30-
20-
10- mean = 7,1
27%i 25% 24% 22% 29% 35%
83 84 85 86 87 Year
Figur : e2 Swedis historR humahd LE yan n performance problems
84 Data collection
The Swedish nuclear utilities developed early a common computerized system for experience feedback which included the systematic collection, analysi disseminatiod san planf no t events. This exhaustive data base cover licensel sal e event accordancn s(i e with the Plant's Technical Spécifications), scrams and significant events caused by component failures and/or human performance problems at Swedish nuclear power plants. This computerized data base and communication system was operative in 1981.
analysie Th humaf so n performance problem Swedise th t sa h nuclear power plants follow whola s maio sa etw n working lines:
Recurrent screenin analysid gabove an th f seo mentioned data base with respect to scrams and LERs, the results of which are described in the present paper.The two event categories scrams and LERs have been chosen because their reporting criteria are precisely defined in each plant's technical specifications changt whicno o hd e with time. This is a prerequisite for any reliable trend analysis.
In-depth analysis of specific events of the nature of human deficiencies. These events encompass primarily significant lowea evento t rd extensan t selected scram LERsd san . Such detailed analyses have been performed successfully durin latese gth t year usin HPES-methodologe gth y (Human Performance Evaluation System) originally developee th y db NASA and further refined by INPO (Institute of Nuclear Power Operations) in the USA. The results of these analyses furthet no e rar discusse presene th n di t paper underlyine .On g reason is that the selection of these events depends on judgements rather tha unambigoun no s criteria. Another reaso tha s nanalysesi e tth theiy b , r amount, constitutea sparse statistical data base.
Analysis methodology
presene Inth t study reportl yeare al , th r s s198fo 3 -1988 where screened twice and independently by KSU's technical experts with broad syste pland man t knowledge evente .Th s relatedo t human performance problems where studied in further detail, if the human deficiency(ies) had occurred inside the plant(s). This means for example tha humata n error committe valva y db e manufacturer has not been further investigated.
85 The events with feature of human performance problems were evaluated accordin: gto
a) Consequence on plant / system b) Plant operation mode ) c Consequenc plann eo t operation d) System / component affected e) Personnel category involved f) Location of occurrence g) Work type h) Work activity i) Typ inappropriatf eo e action j) Causal category
If interpretation difficulties or other questions arose during the evaluation and classification of some event(s), contacts were taken with the KSU's instructors for the plant affected. When these discussions were judged insufficient, further contacts were taken directly wit concernee hth d plant staff.
After these careful analysis steps and classification, each studied event was entered in a data base installed on a PC for further statistical analysis differene .Th t analysi e stepth f so e sar schematize figurn di belowe3 .
Screening/Identification
•'••"•'T""-" Evaluation/Classificaîion ~ï«--- .... — \ ——h Discussion with instructors 1 1 Discussion with plant staff y....
i i * f V V Entry in data base 1 4 ï Recommendations/Corrective actions
Figure 3: Analysis methodology
86 Analysis results
When analysing the scram répons and the LERs it became eviden eveno t tw tha te categorietdi s shoulmixee b t dno togethef ri valuable trends identifiedwere b o et . Thu resulte sth s presented below cover scrams and LERs separately.
statisticae Th l variatio elemente th f no eacf so h analysed category ) above j t significan- no a ( , s i , categoriese mosr th fo tf o t . Thi valis si d with respec boto reactot e hth yeare r typeth sd san studied. Thus the percentages given in the figures below are mean values averaged over the six years studied.
easier Fo r overvie comparisod wan topographe nth e th f yo different categories is presented by order of decreasing frequency as relate scramso dt figuree .Th s being hopefully self-explanatory, only short comments are provided in connection with each figure.
Consequence on plant/system
In figure 4, scrams associated with human performance problems have been classified as "Safety related" when the EPS- logic (Reactor Protection System bees )ha n actuated first. "Avai- lability related" means primarily that the turbine protection system was actuated first.
Category Scrams LERs Safety related Availability related Several systems unav. One system unav. Several subs unav. One sub unavailable Reduced system function o impacN t % 60 O S 0 4 0 3 0 2 0 1 10 20 30 40 50 60%
Figur : e4 Categorizatio scramf no eventd san s
For LERs the contribution to "Safety related events" originates mostly from human performance problems during refueling and handling of fuel elements.
hige th ho t degre e redundancDu f eo safete th f yo systems in Swedish LWRs (mostly 4-redundancy) LERs have most often only limite dsysteme impactraie on f on n o n .to
87 Plant operation mode
Scrams cause humay db n performance problems occurred mostly expecteds ,a , during power operation (76%), nuclear hearup (13%) and hot standby (7%). Scrams occurring during nuclear heatup originate mostly from untimely (too late) SRMflRM switch- ove BWRsn ri , which activationresultS RP n si .
Concerning LERs the frequency distribution is dominated by power operatio refuelind nan (66%) g (27%)o .t Herebys ha e ,on emphasize the relative difficulty to correctly assess the human performance problems which occur during refueling outages. Indeed their manifestation can often be delayed by weeks or months.
Consequence on operation
No diagram is presented for this item because no LER had any consequence on plant operation. The consequence of scrams on plant operation is obvious.
System/component affected
As shown in figure 5, valves together with components belongin procese th o gt s instrumentation (pressure transmitters etc) componente th e ar s most affecte humay db n performance problems.
In the category "Other" for scrams is included the neutron instrumentation (SRM, IRM etc) which explains the relative high ratio of "Other" in the statistics.
Category Scrams LE]Els 13 Passive component =:"*1 Valve ^ 2= Pump ^ Diesel generator ^^j
Electrical component l Lti jm Instrumentation
3 Electronics IT3 i Process control 1 Computer T Other j 10 20 30 10 20 30%
Figure 5: Components affected by human performance problems
88 Personnel category A remark concerning "Personnel category" derives from the fact that many event spooe occurreth ro performanct e ddu morf eo e than one person. In such cases the person with the highest share in eac thesf ho e event bees sha n selecte "responsible"s da .
The frequency distributions in figure 6 are in good agreement with what could be expected.
Category Scrams LERs Operation personnel departmenC I& t Electrical dept Mechanical dept Contractors Rad-Fire-Data dept Chemical dept Roundmen Cleaning dept
% 60 O S 0 4 0 3 0 2 0 1 % 60 0 5 0 4 0 3 0 2 0 1
involves wa o scramn di Wh Figur eventd s an : e6 s
scramsr Fo , beside categore sth y "Operation personnel" mention ca e non that "Instrumentatio Controln& " performance problems often affec reactoe th t r protection logic directly witha subsequent ris scramr kfo . Thi reflectes si distributione th y db , especially when compariso mads ni e with "Mechanical "Elecr "o - trical".
For both scrams and LERs "Operation personnel" includes both control room personnel and operation support staff. Each of these two sub-categories is roughly the origin of the same number of LERs. Furthermor dominance eth "Mechanicalf eo e b o t s "i associated wit dominane hth t categorie affectef so d components: valve pumpsd san .
89 Location of occurrence
The distributions in figure 7 were expected. A comment for "Radiological areas thas "i t most areas (reacto turbind ran e buildings) of the B WRs have been conservativly classified as radiological ones.
Location Scrams LERs Contro relad an l y rooms Station (radiological areas) Station (non rad. areas) Office "-"-I Workshop Outdoor 10 30 50 70% 10 30 50 70%
Figure 7: Where occur the human performance problems
Work type
frequence Th y distribution figurf so reflece8 completd an t e topographe th f "Componenyo t affecte "Personned an d" l category". r scramsFo , beside obvioue sth s dominanc "Operationf eo e th s "a main single activity resultin scramsn gi , evidenc alss ei o providef do the sensitivity of I&C's performance during testing and calibration.
Fo^ —r. „_^LER„s onee recognizes tnthe strong iniiuinfluence e of Mecha nical's performance durinuring maintenanc repaid e an primarily, anrof d repai, r valves and pumps Work type Scrams LERs Operation Testing/Calibration Maintenance/Repair Installation /Change Design Manufacturing HandlinV RP n i g 10 20 30 40 50% % 50 0 4 0 3 0 2 10
Figure 8: What work types resulted in scrams and events
90 Work activity
The frequency distributions of figure 9 show a good consistency between scram LERsd dominancsan e .Th wore th kf eo activity "Action" is evident and counts for about 60% of the analysed events. The other activities (preparation, interpretation, decision, control distributee )ar d almost evenly. Finally activite th , y "Reporting" contributes with less than 2% to the events of the nature of human performance problems.
Work activity Scrams LERs Action Interpretation Decision Control Preparation Reporting 10 % 370 0 0 5 10 30 50 70%
Figur : e9 What work activities resulte scramn di eventd san s
Typ inappropriatf eo e action The frequency distribution for Scrams in figure 10 is dominated by "Untimely act". This has to be connected with numerous mild scrams occuring during nuclear heatup of some of the BWR untimelo t e sdu y switchove SRM/IRf ro M instrumentation. This manual action has been replaced in newer BWR automatin a y sb c function.
Inappropriate action type
Scrams LERs Untimely act Omission Confusion Wrong/extraneout ac s Not applicable/other
IS 25 35% % 35 5 2 15
Figure 10: How scrams and events occur
91 Causal category The causal categories in figure 11 are important because they represent potential areas for corrective actions. These causal categories reflect "Why" human performance problems occur. It must be observed that two or more causal categories are involved in about half of the scrams and events of the nature of human perfor- mance problems.
The dashed areas in figure 11 represent the ratio of each causal category as single contributor to scrams and LERs respectively.
g&l Single root cause l d Part root cause 75 Scrams LER9 47 s Human variability Training Procedure t followeno s d Work place ergonomics Task complexity Procedures (content) Communications (verbal) Work organization Work schedule Change organization Work environment 5 2 0 2 S I 0 1 0 16 0 13 0 10 0 7 0 4 10
Figure 11 : Why scrams and events occur
mosSome th f te o significan t causal categorie correctivd san e actions are discussed below.
Human variability: The frequency distribution for the analysed scrams is dominated by "Human variability". The main explanation for that is the same as in paragraph "Type of inappro- priate action" and is accordingly related to operator carelessness during nuclear heatup. LERr Fo s "Human variability" mostly express insufficient concentration during task accomplishemen carelessnesr to d san contributes as single causal category to 22% of the LERs related to human performance problems. That corresponds to about 6% of all LERs having occurre Swedisn di h nuclear plants durin lase x gth tsi years.
92 For most of the studied events it appears difficult to propos commoy ean effectivd nan e remedy against this typf eo random performance problems. However higher motivation and enthusiasm of the different staff categories would definitively prevent a significant pan of this type of events. This is especially true today when all plants have reached a "steady-state" of normal operatio fult na l power with verdisturbancew yfe mord d san ean more routine tasks.
Work place ergonomics: The contribution of "Work place ergonomics" was not expected to take such a quantitativly important frequencplace th n ei y distributio botr nfo h scram LERsd san . "Work place ergonomics involve s "scrami e th f o abou sn di % 25 t event d nature an th f humaf seo o n performance problems. Further- more this causal category accounts, as a single root cause category, for about 5% of the studied scrams and LERs. This corresponds to about 2% of all scrams and events having occurred in the Swedish plants during the last six years. These values are roughly the same as the ones obtained for "Procedures not followed" or "Work organization" below.
This causal category represents events relateo dt components with poor accessibilit plante th wels n yi sa s la components with ergonomically poor design for calibration and maintenance.
Procedures not followed: The causal category "Procedures followedt no involves "i evente th f o sabou n d relatei % t25 o dt human deficiencies. A reliable assessment of the underlying causes easyt no s .i Howeve mention ca e rnon that "Training alss "i o invol- ved in about 1/3 of the events categorized as "Procedures not followed" thus i t I .s possible that additional emphasi respece th n so t (attitude mindsetsd san proceduref )o s should reduc numbee eth f ro both scrams and LERs.
Training : In combination with other causal categories "Training" is involved in about 20% of the LERs and 30% of the scram nature th f humaf seo o n performance problems singls .A e causal category "Training "scrame contributeth d f o san % 3 o st LERe th f abouso analyse% t2 thidn i s study. This correspondo st 0,61d %an % respectivel l scramal LERf d yo san s having occurred in Swedish nuclear plants durin lase yearsx gth si t .
commenA t must her formulatee eb d concernin above gth e percentages relatin "Traininggo t "judge lowe o whicb to y s .da h ma It must be hereby recognized that a significant part of human performance problems deals with relatively simpl commod ean n tasks during calibratio maintenancr no e work exampler sfo . Mosf to these human deficiencies have in the present study been assessed as cause "Humay db n variability" i.e. carelessness during task accomplishement.
93 A pertinent questio whethes ni r recurrent practical training (for example dismantlin valvef go goind san g through inadequate maintenace acts, making potentia e cleath f ro l consequence plann so t operation) of maintenance technicians, I&C and other technical support staff could significantly reduce the frequency of this type of human performance problems answee ?Th thio rt s questios ni probably positive.
In the light of the above comment, the critics may be right: trainin broas it gn i d sens probabls ei y involve morn di e plant events than what the above percentages show, reducing through this the contribution from "Human variability"
Work organization: "Work organization" including administrative routines dominates clearly the frequency distribution for LERs. This causal category is involved, in combination with other categories event e nature th th f abouf n humaf o ,i seo o 3 1/ t n performance problems. "Work organization" is the second most important single contributor to the occurrence of the studied LERs (same contribution as "Procedures not followed"). The relative importanc f "Woreo k organization earlies "expectet wa rno suco dt h a degree. To reinforce the plant's administrative protective uarriers by reasonable stringency of organizational methods and routines seems motivated.
Summary
Accordin presene th o gt t study, human performance problems in Swedish nuclear plants have not attained alarming levels. Furthermore robuso n , t tren bees dha n identified ove lase x rth tsi years of operation. However, these conclusions do not mean that the utilities may lull themselves into complacency.
In order to further reduce the impact of human perfor- mance problem thein si r plants Swedise th , h utilities should allocate increased attention to:
reinforcing more stringent work organization and administrative routines
sensitizing the operating staffs to the rigorous respect of procedures
improving work place ergonomics
maintaining high morale, motivatio enthusiasd nan m among the staff.
Succeedin lattee th rgn i delicate utmosf taso s ki t importance for optimum human performance. This task is especially delicate for the Swedish utilities due to the notorious political decision to phase out all nuclear power in Sweden by 2010.
94 HUMAN CHARACTERISTICS AFFECTING NUCLEAR SAFETY
M.SKOF University Institute of Occupational, Traffic and Sports Medicine, University Medical Centre Ljubljana, Ljubljana, Yugoslavia
Abstract
It Is important to collect data about human behavior in work situation and data about work performance. On the basis of these data we can analyse human errors. Human reliability analysis input givesthe us data to improve human behavior at a work place.
We have tried to define those human characteristics that have impact on safe workoperation.and Estimation a work of place usedwas for determination of important human characteristics. Performance estimations were used to define the availability of workers at a work place.
To our experience it is very important to pay attention to R.fl. and R.C. also in the area of human factor.
Data for quality assurance in the area of human factor should be collected from selection procedure (the level of cognitive and conative abilities, the level of physical characteristics, the level of education and other personal data).
Data for quality control should be collected from the periodical examinations annualof checking evaluationand humanof working capacity as well as from training For quality control of every day human performance data staffof estimation theirof daily working performance and well-being should also collected.be Withtheseall data more effective analyses of all events in nuclear power plants could be provided. Quality assurance and quality control in the area of human factor could help us to keep the optimum performance level of the plant staff and to avoid human errors.
95 INTHODUCTION
At the beginning of commercial utilization of nuclear energy it was believed that nuclear power plants were absolutelt no ys safewa t I . though f incidentso t t incidentbu , s have happened , safetSo . y systems improvede b hao t d improvo ,t thed ha ye quality assurance.
With experience of heavy nuclear incidents another important factor in the are f nucleao a r safet s realizewa y worke- d r workin a nuclea n i g r power plant and his errors. His errors were discovered. It can be read in differen tr cen reportf pe incidento t 0 7 so t n nucleai thas 0 5 t r power plants have been caused by workers. Thus, human errors have become very important.
It is simple to say : "Incident was caused by human error". But what kind f humao n error? Whas happeneha t d with workers o d the y y,wh reacn i t this way and not another way?
It is important to collect data about human behaviour in the work situatio datd nan a about work performance basie th f thiso n . O s date aw can analyse human errors. Human reliability analysi sinpue giveth ts su data to improve human behaviour at a work place. Human behaviour has to be change d improvedan d e causeTh .r humafo s n errorse b hav o t e eliminated.
PROBLEM
We have to define those human characteristics that have impact on safe work and operation. We have to define those human behaviour traits that can be recorded and may cause human errors.
In the selection of personnel optimal performance level has to be taken into account. Personnel must have enough high performance level from very beginning and they must keep it at the optimal level during the whole work period.
METHODS
Estimation of a work place was used for determination of important human characteristics. Performance estimations were useo defint de th e
96 availability of workers at a work place. The interviews were used for descriptio f o behavioran l patterns importan r saffo te d woran k operation.
RESULTS e selectio th b analyse e jo basit th go f no sn e O w scriteria . Adequate selection assures safe operation and work. It is a kind of human quality assurance. With selection the right people are choosen. But we can not assure perfect wor ke time th durine assure W .l al g d onle mosth yt adequate persons, with adequate abilitie d stablan s e personalitye W . have had the selection data for ten years. We can compare the level of abilities with work efficiency. From these comparison concludn ca e sw e that operating staff with higher level of general and specific abilities attain higher efficiency. Stable personalities are also more succesful at work. We have the human abilities data, we have the plant performance data. With selection we get quality assurance - but only quality assuranc enought no s ei .
With performance estimations we got the human availability data. The same peopl y behavma e e differentl e samth e n i situationy . Their levels of stress resistance differ.For safe operation and work adequate performance level has to be assured. Adequate performance levels have to be in all shifts.
From our measurements we can see that operating staff can estimate their performance level quite good. Their estimation of their well being also indicates their performance level.
The mos tt possibl i importan s i o fin: t e ds ti thes probles u e r fo m behavioral traits which may cause operating errors? Are the operators abl o estimatt e e their performance level exactly? Does there exisy an t connection between human performance level and errors distribution?
OUR RESULTS
In this purpos e comparisoth e n between human performance leved an l errors distribution was done.
97 The fatigue level M df M _ 1,66 1 0,11 N 1.77
M__1Z83 2 N 2,20
M___2Z29 3 N 2,60
M__2Z63_ 4 0,84 Measurement N 3,11 Legenmea- M n : d SD - Standard deviation thir- 3 d r,3asurement mornin- M g shift(2) 06 2- 4 - fourth measurement 1 - first measurement df - difference between 2 - second measurement morning and night shift
Figure 1 Degree The level of work motivation » MD S df
M 4,01 - A 0,91 1 0,07 N 3,94 0,77 -j. M 3,75 0,85 2 0,13 N 3,62 0,32 *' M 3,47 0,88 3 0,21 t N 3,26 0,79 M 3,19 0,79 U 0,39 4 Z N 2,80 1,06 Measurements Legend : M - mean SD - standard deviation 3 - third naasurement morninM- g shift(2) 06 2- 4 - fourth measurement 1 - first measurement df - difference between 2 - second measurement mornin nighd gan t shift Figure2
98 e estimatioTh f fatiguo n e leve s quiti l e exact e operatinTh . g stafn fca estimate their fatigue level quite well.
From the distribution of fatigue estimation we can see the increase in the fatigue level from the beginning to the end of the shift.The fatigue leve e nighs highei th l tn e differencei rshift th t Bu . e ar s small. During the observing time the fatigue level was not critical.
Motivation for work decreases from the beginning to the end of the shift decrease workin.e Th th n ei g motivatio littla s greatei t n ebi n i r the night shift.
The time distribution of forced trips (from 12.03.198 o 31.12.19883t )
y da e th Hou f o r 3_te Humbe f tripo r s Shifts 06.00 - 06.59
07.00 - 07.59 08.0 - 008.5 9 3
09-00 - 09-59 2
10.0 - 10.50 9 2
11.0 - 11.50 9 3
12.00 - 12.59 3 13.0 - 013-5 9 1 H4.00 - 14.59 3 15.0 - 15-50 9 1 16.0 - 016.5 9 3 17.0 - 017.5 9 2 18.00 - 18.59 2 19.00 - 19.59 li 20.0 - 020.5 9 0 21.00 - 21.59 3
22.00 - 22.59 1
23.0 0- 23-5 9 1
2U.O - O00.5 9 1
01.00 - 01.59 2
02.0 - 002.5 9 0 03-0 - 003-5 9 1 Ot.O O- 04.5 9 1 05.0 0- 05-5 9 0 Figure 3.
99 During the morning shift the number of trips was the greatest one, the nighe th tn i shift smalless wa .e ton
l Curvethreal f eso distributions indicat e performancth e ee leveth f o l plant staff. Staff avalilability depends of staff fatigue and performance and it is realized in the level of production of energy in nuclear power plant.
DISCUSSION
difficuls Ii t defino t mose eth t important datr humafo a n reliability. e convinceWar e d tha e hav w to collec t e t enough human performance and well-being data. The exact estimation of work prformance, fatigue leve behaviorad lan l availability assur qualits eu y control. In the area of human factors, quality assurance is provided with selectio operatiof no n staff.
What is lacking-is quality control in the area of human factors.
Continuous recording and estimation of their performance level by the operating staff assure us the input data for better and more objective analyse planf so t events.
We have equipment data e havW . e quality assuranc d qualitan e y control for equipment, but human data are not collected enough sistematically. We have quality assuranc r operatinfo e g staff e hav,w e annual checking of their availability and performance, but we do not have sistematically collected ever y humada y noperatioe datath n I .g boo equipmene lo nth k t status data are recorded but human performance data are not usually recorded, so we know nothing about the crew. But if something happens, then we would like to have also the human data. We want to know everything aboue crewth t , about their behaviour, performance, communicatio d well-being s an nveri yt i difficult Bu . o collect t t data of past events.
Fror experiencou m s possibli t i e o fine correlatiot e th d n betweee th n estimated work performance of the crew and the plant availability. For further more objective analysis more crew performance data must be collected. Event analyses woul e morb d e exact with collected human factor data.
100 For quality assurance and quality control in the area of human factor impact on safe operation and safe utilization of nuclear energy human factor data shoulbetter o e b dr mus collectede tb .
The data from the selection procedure : levee th cognitivf o l- e abilities, - the level of conative abilities, - the level of affective characteristics, levee th physicaf lo - l characteristics, - €he level of education, - other personal data.
Adequate level of each of the ability or characteristics assures the possibilit effectivr fo y e work.
Data from the periodical examinations : annua- l checkin evaluatiod gan humaf no n working capacity, result- trainingf so , - results of working performance.
Ever humay yda n performance dat: a dat- a from staff estimatio dailf no y working performance
Daily performance leve r eacfo lh e cremembeth w f o shoulr recordee b d d in the operating log book. Self estimation of working performance should be recorde operatine th n i dg boo lo gk likequipmene th e t parametere sar recorded.
With all these data more effective and objective analyses of all the events in the nuclear power plants would be provided. More objective analyses would point to the errors and déficiences in operation and maintenanc nucleaf eo r power plant.
Detection of errors would help us to avoid them, it would help us to assure higher level of safety and better performance. Quality assurance and quality control in the area of human factors would help us to keep the optimum performance level of the plant staff.
101 BIBLIOGRAPHY
. Swain1 , A.D., Guttman, U.E .: Handboo f o Humak n Reliability Analysis with Emphasis on Nuclear Power Plant Applications, Nureg/CR - 1278, October 1980 2. Johansson, G., Gordell, B. : Work-Health Relations as Mediated Through Stress Reactionb SocializationJo d an s , Topic n i Healts h Psychology Yorkw Me , , Wile d Sonan d s Ltd., 1988 3- Johansson, G. : Indivi'dual Control in a Repetetive Task : Effects on Performanc , eEffort d Physiologicaan s l Arousal, 1981, Universitf o y Stockholm
102 HUMAN RELIABILITY MODELS VALIDATION USING SIMULATORS
M. DE AGUINAGA, A. GARCIA TecnatomA S , J. NUNEZ, A. PRADES Centr Investigacionee ed s Energéticas, Medioambîentale Tecnolögicasy s (CIEMAT) Madrid, Spain
Abstract
e ResearcTh h Projece are f th Humao a n o tn Relia- bility, carrie t withi ou de framewor th ne Researc th f o k h Program on Quantitative Risk Analysis (PIACR) financed by UNESA, is centered on observations of behaviour in the diagnosi d managemenan s f accideno t t situations affecting real operational equipment, using requalification programs on full-scope simulatorsf theso m eai observation e Th . s i s to validate the human reliability models currently in use in Probabilistic Risk Assessment (PRA) e projecTh . s beini t g develope Tecnatomy db maie th n s ,participanta .
OBJECTIVES
The objectives of this project, besides the vali- dation just mentioned, (References 1 and 2) can be summed up as follows:
- Analysis and selection of human reliability models and techniques used in PRA.
- Classification and typification of errors and factors influencing human behaviour, using cognitive behaviour models as a reference.
- Developmen a dat f ao t acquisition metodologe th r fo y performance and analysis of observations.
Descriptio methodologa f no y applicabl PRAo et .
103 1968 1989 1990 1991 2 3 •* 0 A 2 >l 1 1 4 1 3 1 l 1 3| M
LITERATURE REVIEW
SELECTIO F SCENARIOO N S
REPOR1 S N T METHOD. OF DATA GATHERING
DATA GATHERING SOFTWARE
REPOR2 2 TN
DATA GATHERING
ANALYSIS
REPORT N2 3
APPLICATION TO PRA
FINAL REPORT
Figure 1: Project Activity Plan
COGNITIVE BEHAVIOUR MODELS
Human e operatioerrorth n i s f nucleao n r power plant n initialitca s e studiee basia b clasy th f o sn - o d sification grouping human activity into two situational areas :
I) Routine situations
) AccidenII t situations
Human errors pertaining to type I situations are already being "satisfactorily" studie d modelledan d e th ; contrary, however, is true of type II situations. The fact is that in these situations, which may be further subdivided theoretically into phasestw o ) diagnosia : ) execub d -an s tion, it has been difficult to interpret human response on psychologicae basie th th f so l models used earlie PSAn i r .
The above problems, combined with the very sig- nificant contribution to overall risk made by human response in accident management, means that researc bees hha n orien- tated towards developmen modelf to s applicabl nonroutino et e situations.
104 The research project described in this paper follows this trend. Its main objective being the validation of models currentl predico t yA PR use tn i humad n reliability in accident situations, focussin modelR HC n i g.
o thit s plannesd i ad objectivt I o t d a secone d one, suc s thaa h t include n Referenci d , consistin9 e f o g classificatioe th humaf no n errors accompanyin selectee gth d model(s). This extension to the basic objective will be based on causal type cognitive behaviour models.
SCENARIO ANALYSIS
This activit a dua s l ha yobjective e handon ,n O . e operationth e y e carrietaskb b th o t t sou d teae ar m e humadefineth nd an derrore expecte b o st tasn i d k execu- tion wil e estimatedb l e otheth rn O . hand e indicatorth , s permitin e aspectth g s influencing task execution (PSF'so )t be evaluated will be established.
Scenario analysis makes possibl o defint e e those tasks whose executio n importana s nha t plante effecth n .o t These tasks are represented by means of a binary tree whose adequacy has been fully corroborated on the simulator while all significant parameters were measured.
Later analysis makes possibl predico et t reliabil- ity-time curves (Seabove th e er Figur fo tasks ) e2 orde n ,i r to quantitatively estimate the probability of no response to be obtained.
The above analyses will be calibrated "a poste- riori" with a view to incorporate more realistic parameters directly based on the observations made. This will allow an estimate to be made with regard to the extent to which the models and techniques used can be adjusted to reality.
Î05 1OO 1OOO TIME
Figur : 2 Probabilite f faulto y y diagnosis with time. Referenc5 e
OBSERVATION MADE B EO ST
s plannei t I o carr t dt observation ou y o t p u f o s e hundreon d situation e controth n i sl room e informatio.Th n wil e gathereb l y meanb d f interviewo s s wite operatorth h s and instructors, direct observation, recordings on audio- visua le surveillanc th medi d e positioan a th f eo handsf no - witches, alarm d indicatoran s y specifib s c software deve- lopped to this end. Some coments on the equipment and re- sources used follow.
Interviews wil e conducteb l d aide y specifib d c ques- tionnaires directed to Instructors and operation teams at the following levels
. Each requalification. Eac. h scenario. . Each time an error is observed.
106 Audivisual records are made using the following equipment:
Video: Camera4 s (B&W) 1 Vision Mixer 1 Magnétoscope Monito1 r
Audio: Unidirectiona7 l Mycrophone Soun2 d Mixer
Direct observation will be based on the presence of two members of the research team later in change of interviews.
Time sequence record keepin beins i g g assure meany db f so the surveillance of:
45 Alarms 100 Handles 13 Parameters 34 Malfunction
All this information will be classified and or- dered through an appropriate database, which will provide the analysts with an useful tool for the handling of the data and their later analysis.
This data bas s structurei e e followinth n i d g three areas:
Theoretical Results
The first area is dedicated to store the results obtained e theoreticaith n l study before simulation t meanI . s estimated, median response times, PSF's, likely errors, cognitive proccesing type and non response probability.
107 - Obiactive Data
e seconTh d area contains real response times actiond san errors comitte y reab d l operator simulatorn i s s requali- fication sessions. All these data will be obtained by audiovisual or software equipment.
- Subjective Data
e lase includeTh on t e informationth s s gatheree th y b d cuestionnaries and instructors observation. The aim of those consists in getting useful data for the PSF's and cognitive processing evaluation.
METHODOLOGY APPLICABLA PR O ET
The results of the project will be incorporated into a methodology applicable to analysis of Human Re- liability in Probabilistic Risk Assessment. More than an application guideline considering different methods and alternatives, this methodology a proposae wil e th b l r fo l phases of analysis to be performed and a detailed descrip- e takestepe b th tio applyinn o i nsf t o n g valid methodr fo s this type of analysis.
CONCLUSIONS
Experience in the operation of nuclear power plants clearly shows thahumae tth n factor play importn sa - ant role in the safety of this type of installations. The project described herein constitutes one of the first research effort e sare th f Humamado an i en Reliabilitn i y Spanish s performancplantsit d an , en importan a wil e b l t first ste thin pi s technology.
The specific project products that should be underline developmene th e dar humaa f to n reliability analy- sis methodology for PRA, classification methods for errors
108 in diagnosis and a contrasting of models currently in use with observation ssimulatoe madth n eo r using Spanish crews.
REFERENCES
1 "Especificacion par realizaciôa l a trabajoe nd invese sd - tigaciöa fiabilida l l are e e d an e n d humana" (Specifi- cation for performance of research tasks in the area of human reliability) UNESA. June, 1987.
2 "Oferta par realizaciôa l a e trabajod n e investigaciôsd n a fiabilida l l are e e d an e d humana" (Offe r perfo r - formanc researcf eo h aree taskhumaf th a o n si n reliabil- ity) TECNATOM, S.A. July, 1987.
S 453NU 3 1 "Human Cognitive ReliabilitA y PR Mode r fo l Analysis", G.W. Hannama December. al t ne , 1984.
4 Ocone ProjecA PR e t Team. Sugnet, W.R. Bayd, G.J., Lewis, S.R.
5 NUREG/CR 4532 "Models of Cognitive Behaviour in Nuclear Power Plant Personnel" D.D. Woods, E.M. Roth, L.F. Hones, 1986.
6 NUREG/CR 4772 "Accident Sequence Evaluation Program; Human Reliability Analysis Procedure". A.D. Swain, 1987.
7 EPRI/REP 2847-1 "Operator Reliability Experimentd an s Model Development; Reques Proposal"r tfo , 1986.
8 "Using Simulator Experiments to Analyze Human Reliability Studies"A foPR r Joksimovich. .V , D.H. Worledge. Nuclear Engineering International, January, 1988.
9 "Human Factors Principles Relevant to the Modelling of Human Error Abnorman si l Conditions" Technical Repor1 tEC 1164-87221-84K. European Atomic Energy Community. Reason, J.T. and Embrey, D.
109 10 "On the Structure of Knowledge. A Morphology of Mental Model a Man-Machin n i s e System Context". Rasmussen. J , Forsogsanlaeget, Riso-M.2192, Roskilde, 1979
11 Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. Swain, A.D. Guttmann, H.E. NUREG/CR-1278, August, 1983.
110 OUTLINE OF THE DEVELOPMENT OF A NUCLEAR POWER PLANT HUMAN FACTOR DATA BASE
. KAMEDA A Institut f Humaeo n Factors, Nuclear Power Engineering Test Center T. KABETANI Human Factors Research Center, Central Research Institute of Electric Power Industry Tokyo, Japan
Abstract e JapanesIth n e nuclear power plants, every conceivable safety measurs eha been take t eacna h stag designs e it suc s ha , fabrication, construction, opera- tion d maintenancean , ; therefore consideres i t i ,e ver b yo t dunlikel y thaa t significant accident which declines the reactor safety may occur. However, in consideration of the lessons from the TMI and the Chernobyl accidents, organi- zation assessinr fo s g human related events were strongly required. Base sucn do h requirement, the Institute of Huian Factors (JHF) of the Nuclear Power Engineer- ing Center (NUPEC), and the Human Factors Research Center (HFC) of the Central Research Institut f Electrieo c Power Industry have been establihed 1987n i , r fo , national and utility sector respectively. These organizations aim to enhance furthermore reliabilit d safetan y f nucleayo r power plant.The e collaboratinyar g for research on human factor issues from the point of their own view; IHF is mainly in charge of fundamental subjects and HFC is mainly in charge of practi- cal subjects e currenTh . t statu botf so h human factor data bases classifid ,an - cations of human error data in these research centers will be presented. IHF is developping the data base in order to use it for the purposes of: (1)development of human reliability evaluation methods, (2) analysis/evaluation of incident and accident data. (3) analysis/evaluation of cognition, judgement and performanc humansf eo date .Th a) humaconsis o bast (1 s nei : treliabilitof y data file ) huma(2 , n error incident data file ) laborator(3 , y dat) a (4 file d an , literature file. The data are to be collected mainly from domestic and abroad literatures for the time being, and further some human error related data are to be selecte analysed f an dincideno t ou d t data reported accordin nationae th o gt l incident reporting system. HFC's data base is likely to take similar structure to that of IHF: however s somiha t e characteristics different from IHF n r examplea "inforfo ,s ha t i ,- mation exchange data base " and a hardware structure so that it can exchange the information smoothly with the domestic electric utilities because they are con- sidered to be primary users of the data base. Concerning the classification of human error data, it is regarded as a key factor to determination of the above-mentioned data base structure, but it is likely to be affected by purpose of data utilization, analytical technique, etc. Both of the centers are currently conducting survey and study on various classi- fication methods including classificatio PSFy nb , classificatio tasky nb , etc.
ill 1. General
e occurencTh e rat f incideneo d failurdomestie an t th n i e c nuclear power plant, as shown in Fig.1-1, has been decreasing; however/ the occurence rate of human related events has been staying at the almost same level.
Total Number of NPP *
C- \z en 20 o_
Rat f Occurenco e f Evento e s
o oo
as OS
—* 0 Sate of Hunan Belated Events
1969 '70 '71 '72 '73 '74 '75 '76 '77 '78 '79 '80 '81 '32 '83 '84 '85 '86 '37
ConstructioP 1 Fig TrenNP — f 1 o .d Ratd occurencf an no e Eventf o e s
In the Japanese nuclear power plants, every conceivable safety measure has been taken at each stage such as its design, fabrication, construction, opera- tion, and maintenance; therefore, it is considered to be very unlikely that a significant accident which decline e reactoth s r safet occury yma . Howevern i , consideration of the lessons from the TMI and the Chernobyl accidents, organi- zation assessinr sfo g human related events were strongly required. Base sucn do h requirement e Institut,th Humaf eo n Factors Nucleae (IHFth f )o r Power Engineer- ing Center Humae (NÜPEC)th nd Factoran , s Research Center (HFCCentrae th f )o l Research Institut Electrif eo c Power Industry have been established 1987.fon i , r nationa d utilitan l y sector respectively. These organization enhanco t m sai e furthermore reliabilit safetd an y nucleaf yo r power plant.The collaboratine yar g for research on human factor issues from the point of their own view; IHF is
112 mainly in charge of fundamental subjects and HFC is mainly in charge of practi- cal subjects. The current status of both human factor data bases, and classifi- cations of human error data in these research centers will be presented.
Date Th a Bas. 2 e Development Program
Objective 2-1Th . Humaf eo n Factor Data Base The final objective of human factor data base is to reduce human errors in nuclear power plants. For such purpose, human factor data base is prepar- ed to collect such information systematically and to provide the data to the studie d researchesan r reducinsfo g human errors appropriatn timeli d an y e form to be required by such works. Specific applications are, as shown in Figure 2-1, (D Development of Techniques of Human Reliability Analysis The reflection in PRA taking account of human factors. (D Analysis and Evaluation of Incidents and Failures Data. e reflectio Th e improvementh r fo n man-machinf o t e interface, opera- tion/maintenance management, and education/training for personel. D Analysi( Evaluatiod san Humaf no n Cognition, Judgemen Behaviord an t . The reflection in modeling of the human behavior in NPP.
Davelopaent of Techniques Establishnent of PRA Taking Risk Assesaenf to Huaaf o n Reliability Account of Human Factors Nuclear Power Plant Analysis r Sensitivity Analysis
DATA BASE Analysis and Evaluation Uproveaent of HMI,Opera- Cost Analysis/Evalua- f Incidento Failured san s tion/Maintenance Managanent. tion for Modification ; Huaan Error Events Data Data Education/Training and laprovenent :Husaa Reliability Data Laboratory Data Basic Plant Data Analysis and Evaluation Analysis/Evaluatiof no Others Humaf o n Cognition,Judge Modeling of Hunan Behavior Huaan Behavior in nent and Behavior Eaergency
Jther Studie Analysid san s related to Huaan Factors
Fig1 .2- App! ication Hunaf so n Factor Data Base
113 The objective and applications of the human factor data base, described here, are almost common for both IHP and HFC. However,based on the histories of individual organization- the main users of IHF data base are the govern- ment agencies(including IHF itself), and of HFC data base are utility compa- nies(including HFC itself).
Structure 2-2Th . Functiond ean Datf ?o a Base Both IHF and HFC data base has similar structure. But some of their func- tion e differentar s , reflecting different natur f individuaeo l organization.
(1) IHF human factor data base consists of the following files, as shown in Fig.2-2a. D HumaC n Error Events Data File e filTh e will mainly contain human error event f domestiso d overcan - seas nuclear power plants. Besides that, human error events of other industries will be filed whenever possible. The main data source will e incidenb t reporting system. (D Human Reliability Data File Basic human reliability data such as error rate will be collected and filed. (S) Laboratory Data File Laboratory data including simulation data will be collected and fil- ed. The first and the second data files will also include a part of this third data fil necessaryf i e . (D Basic Plant Data File e basiTh c plant data means basic data necessar r varioufo y s analysis and evaluation, such as each plant parameter,opérâtion and maintenance procedure o forths d s.an (D Literature Data File. It will contain document d informatiosan n relate humao t d n factors collected both at home and abroad. Document retrieval system using a personal compute partialls i r y completed.
These data files will be locally controlled and processed by a personal compute earle th yt ra stag developmentf eo e futureth n I . , however, cent- ral processing by a large computer is planned to be introduced.
114 HUMAN ERRAR EVENTS DATA FILE HUMAN RELIABILITY DATA FILE HUMAN FACTOR LABOLATORY DATA BASE DATA FILE
BASIC PLANT DATA FILE
L I TERATURE DATA FILE
Fig. 2 - 2 a The Structure of Human Factor Data Base (IHF)
datC MF a configuratio a ) bas s (2 eha n simila thao t rf Ili o t F data basee .Th system concept is shown in Fig.2-2b. GD Literature Retrieval Data Base Abstracts are filed for retrieval by the input of keywords. Reliabilit) (2 y Analysis Data Base This data base provides data on human error rate and hardware failure rate. D Informatio( n Exchange Data Base The data base is used to facilitate smooth exchange of information with electric utilities. dD Events Analysis Data Base The data base contains data on human error events occured in nuclear power plants e retrieva.Th f evento l s dat d trenaan d analysis wile b l possible.
RFC data base is unique in that they have the information exchange data base. This is because the main users of MFC data base are domestic elect- c utilitiesri .
115 Hunan Factor Data Base Systen
Informa- Relia- Litera- tion bility ture Exchange Analy- Retrle- .sls DC,
\f Inquiry from Electric Utilities Hardware Failure Data and Hunan Reliability Data______Domestic Head Experimental Data on Human Factors Nuclear Office Power of Documen[ t Informatio n Humao n n Factor Station EU
Outlinn A Humaf b o e 2 n - Facto 2 . r ig Dat F a Base System (11PC)
2-3. Some Studie Collectioe th n so Humaf no n Error Data. ) Genera(1 l Issues RelateCollectioe Th o t d Datf no a There are various difficulties might be encountered in collecting human error data.and the nature of difficulties vary depending on the collector.
The utilities have already been collecting and the roughly analyzing data on human errors which appeared as the fact. The difficulty for them is how to identify the errors which does not appear but potentially lead to an accident.
The government side,on the other hand, is trying to extract data related humao t n errors frodate th ma reporte incidenn i d t reporting systemt .Bu the success of the extraction depends on whether the system is designed in the way conducive to retrieval of human error related data.
Collectioe StudA th ) n o y(2 Datf no a IHF has been studying the methods of extracting human error data from the incident reporting system. The data of Japanese incident reporting system are put into computer sys- tem with keyword d naturasan l language which describ situatioe eth d nan D keyworpossiblcausQ s i e t f eventi us eo d o , et retrieva .So l methodd ,an ©natural language retrieval method.
116 CD Keyword Retrieval Method This method is very useful when the retriever can find a proper key- word among the predefined keywords. If not, however,there remains some problem. Natura) (2 l Language Retrieval Method This method has an advantage that the retriever can select any word- ingsearchinr fo s g purpose e problem.Th , - howeverre than e i th ts i , porters may not necessarily use the same wordings to describe the same information. Another problem is that this method usually requires more time than keyword retrieval method both to input and to retrieve data. Both method n advantages ow hav s eit disadvantagesd san r plaou s i n , .So to use either one of them depending on cases. The keyword retrieval method has been studied using data analysis sheet show Tabln i n e 2-i. Tabl 1 Date2- a Analysis Sheet
ERROR MODE
Task Operation ( Start-up, shut-down, constant power, periodical test. Insident/auclden) t responceJ . other[ Maintenance. Unknown.
Time 0:00~B:00, 6:00~12:00. 12:00~18:GO. 18:00-24:00
Place Main Control Roc*. Local Area. Unknown.
Task Proceeding: Omissio ïorn( k step. Checking,), ïrong procedure. Task Subject : Vrong selection. Cognition : Overlooking, ïrong Identification. Wrong judgement. Vron: Actiog positionn , ïrong direction, ïrong setting. ïrong anoun operationf to , dropped, hit. rubbud. Mixture of foreign laterlais Communication : ïrong Instruction. Misunderstood responce, Other : ( )
CAUSE OF ERROR
Hunan Causes Inadequate coiiunication on task Information. Cognition error. Recalling error. Action slip. Poor skill or experience. Unclear task criteria. Inadequate supervision. Technically unforeseen OtheK )
Hardware Causes: Inadequate design. Inadequate Fabllcallon. Inadequate Installation. Other( )
REMARKS
117 The information in data can be categorized under two major groups ; error mode group which describe typee sth errorf so errod san r cause groupe .Th item eacr fo sh group were selected partl yresulte baseth n f preceddo so - ing analyses.
r keywordsAfo s , human factor related keywords have been selected- whose examples are shown in Tablo 2-2. They will be used in combination with key words related to incidents and accidents.By selecting a combination of the different type f keywordso humae ,th n error information wil e properlb l y retrieve anabsisr fo d . It is still undergoing to study the methods of extraction of human error related events from incident reporting system. Therefore, currently, it is too early to produce any conclusion.
Table 2-2 Examples of Human Factor Related Key Words
No. Classification Key word
1 General Hunan Factors Incident. Human error
2 Operation Failure. Operator Error Testing
3 Maintenance Failure. Malntenace Error Inspection Calibration
4 Supervision Failure. Adnlnistrative Control Procedure and Manual CoHBunicatlon Quality Assurance Technical Specification
5 Design Failure, Design Error
6 Fabrication Failure, Fab 11 cat ion Error
7 Installation Failure, Installation Error
118 . Classificatio3 Collectiod nan Humaf no n Error Data
Classification of human error data is one of the most important factors which determines the configuration of the databases, which was discussed in the previous sections. On the other hand, the way data is classified is party deter- mined by how data is going to be used and analyzed and for what purpose. Both 1HF and MFC are currently studying different ways of classification such as claasification based on PSF(Performance Shaping Factors),classification by task and others. The efforts made by HFC classification and collection of human error data are described as follows. 3-1 PreliminarA . Classificatioe y th Stud r fo y Humaf no n Error Data Figur 1 showe1- s human error related dat n nucleaao r power stationn i s Japan. As indicated by • ( solid circle ) the number of failures and inci- dent r reactor-yeaspe decreasings i r . However numbee ,th f failurero d san incident humao t e n errorsdu s represente ope( n circlO y db remaine ) s constant. Statistics tell us automatic reactor trip acounts for 54 % of all the incidents involving human error d reducesan d power output. % account 5 1 r fo s In othe e incidentr th word1 al sf s o almos involvin% 0 7 t g some sor f humao t n errors affecte danotherr o powe y wa r .outpue on Thin i ts clearly indicates that reductio mose humaf th no t f importanno errore on s i sl e taskb o st fulfilled for improvement of reliability of nuclear power plants. Although human error data have been already utilize forminn i d g measures to prevent the occurence of the same or similar incidents or failures, human errors witsame th he natur stily ema l occu othen i r r power plants. In orde o minimizrt e incidenteth d failure an so humat e nsdu errors, full utilizatio f humano n error dat imperativs i a e together witcollectioe th h n of human error data useful for human factor studies. As a first step towards the achievemeut of the objectives, CR1EP1 con- ducte preliminara d y stud human yo n error analysi evaluatiod san n methods with actual dat n incidentao d failuresan s cause humay db n errors, using HPES (Human Performnce Evaluation System operated by Institute of Nuclear Power Operations). As a result of the study CRIEPI concluded that a good human error analysis and evaluation method needs to satisfy the following conditions. methoe Th throughln ) ca d (1 y analyze maintenance-related human errors sa there are more maintenance-related human errors than operation-related human error Japann si .
119 (2) The method can analyze psychological factors such as panicking or pre- judic physiologicad ean l factors suc sleepinesss ha , tirednes sicknesr so s which might have caused the errors. (3) The method needs to have clearly defined terminology to accurately desc- ribe human error related data. ) Huma(4 n error analysis item wele ar sl define d properlan d y classified. (5) The method can identify and analyze the human errors which may poten- tially lea o incidentt d r failureso errore th s wel a ss sa l which surfaced.
3-2. Current stud Classifyinr fo y g Human Error Data e resul Basepreliminara th f n o tdo y studydiscussins i t i , studo gt y various ways of classifying the information related to human errors such as situations where human errors occured,causes of human errors and counter- measures against human errors. The conclusion on which way is best, however, beet no n s reacheha d yet.
3-2-1. The Data on the Situations where Human Errors occured (1)Data on the incident the type of incident effecs it type th f teo the method of its dicovery and others (2)Dathumae th nn a o erro r error type time, data and place of its occurence time, data and method of its discovery actio recoverr nfo otherd yan s (3)Datpersoe th n nao age experience occupation work shift frequency and degree of urgency of the task and others
3-2-2. The Classification of Data on the Causes of Human Errors With regard to the classification of data on the causes of human erroes, in additio mere th e o classificatiot n f errors no s bee ha nt i ,tryin o t g clarify the correlation between different causes, because in many cases a human error is caused by a combination of multiple factors.
120 (l)Classificalio Causaf no l Factors Each causal facto s firsrwa t classified unde n itemra , then int typa o e and further into a sub-type, a. Item More specifically, all possible causal factors were categorized into 1 items1 e .th : A Verbal Communication B: Written Communication C: Man-Machine Interface D: Work Place : Self-CheckinE Worf go k F: Management/Supervision : G Trainin d Educatioan g n : ChangH e Implementation I: Work/Environmental Condition J: Internal Factors K: Personal (private) Issue b.Type and Sub-type e type Th d sub-typesan e classifiesar differenn i d t wayr itemfo s A s through items H and item 1 through item K. (a) I tens AMI causae Th l factors classified into itemH wer~ A se classified into e followinth g type d sub-typesan same th en i sway . D Type-( whaa[ t should have bee dont ne] no dons ewa Sub-type-a.l( What was supposed to be done according to a dont pla manuaeno ) r no s wa l Sub-type-a.2( whasupposes wa tdone b eo t daccordin a o t g plan or manual could not be done ) Sub-type-a.3 supposet donno e b begio s et o wa t d nt (i wit ) h C what should have been don dones ewhawa t dons ,bu wa t e was inappropriate] Sub-type-b.l( what was done was vrong_) Sub-type~b.2( donwhainsufficiens s wa tewa ) t Sub-type-b.3( the plan or the manual was not clear ) Sub-type-b.4( what should have been don somethins ewa g difficult to implement )
121 (DType-C [ what should have been done was done, but an inappropri- ate way] Sub-type-c.l( in a wrong timing ) Sub-type-c.2( in a wrong place ) Sub-type-c.3( wit wrona h g intentio purposr a n o y b r eo person with wrong qualification) Sub-type-c.4 wrona y (b g metho wrona r do g means) Sub-type-c.5 wrona n (i g sequence)
Table3-i shows the types and sub-type of item A:Verbal communication,
Table 3-1 Verbal Communication
Vhy did verbal communications resulted In a cause ? a. Verbal communication perfornet sno d? a 1. Didn't perform communication although planned unabls Va perfor o et . 2 a m coaounlcation although planned plannet No perforo . t d3 a m connunican tIo Othe. a4 ( r b. Inappropriate information transnitted by verbal communication . 1 Vron b g information A par f informatio o t. 2 b e transmitteb o t n s missinwa d g b 3. Ambiguous information . Har4 b d Infornatio communicato t n o et b 5. Other ( c. Inappropriate method for verbal communication c 1. Inappropriate timing for coaaunlcation c 2. Inappropriate place for coomunication c 3. Inappropriate intent/position of the person who performed communication c 4. Inappropriate œethod/tool for communication c 5. Perfoued communication In an Inappropriate sequence Othe. c6 ( r
(b) Items l ~ K Item I through K can not be classified in the same way as item A- Eac f theclassifies ho wa m differena n i d t way. (Dltem 1 : Work / Enviromental Conditioin Type-a [ work time and duration ] Type-b [ work space conditions ] Type-c [ inappropriate environmental conditions ] Type-d [ body posture of workers ] Type-e [ workload ]
122 Each typ s furthei e r categorized into several sub-types. Tabl2 3- e shows the types and sub-types of item I: Work/Enviromental Condi- tion. Dltem J : Internal Factors Type- psychologicaC a l factor] s Type-b [ physiological factors ] Type-c [ incompatible disposition and capability of workers ] Type-d [ experiences ] 1)1 tern K : personal ( Private ) Issue t classifieno s Itei mK d into type t onlbu s y into sub-types. Sub-type-a ( family problems—human relationship and others) Sub-type-b ( problems at work place—human relationship and others ) Sub-type- ( cproble e placth n emi other than homword an ek site—human relationship and others ) Sub-type- ( drudalcohod an g ) l
Tabl 2 Vork/Envircnmenta3- e l Conditions(i)
Vhy were the work/environmental conditions a cause ? a. Influences due to the job time and working hours were a cause a 1. Task performed during midiiight a 2. Task performed during early morning a 3. Long working tine a 4. Overtim assignee th wor n i k d task a 5. Overtime work In the unassigned task ) a 6. Othe ( r b. Influences due to the space and conditions of workplace were a cause b 1. High workplace b 2. United area (coapllcated piping space- etc.) b 3. Confined area ( in tank. In channel head, elc.) b 4. Untidy workplace b 5 .o manTo y peopl aren i e a beyon requiree th d d member b 6. Unstable scaffold b 7. Workplace clos operatino et g equipments b 8. Workplace clos higo et h température materials/equipments b 9. Other ( ) . c Inappropriate environmental conditions c 1. Poor ventilation (gas concentration currentr ,ai , nasty smell. etc.) c 2. Uncoafortable temperature/humidit ytemperaturew (higlo r ho / huaidity, radiant hea) t c 3. Inadequate lighting ( illumination. brightness, flickering. angle. etc.) c 4. Inappropriate coloring (protective color, similar color)
123 Table 3-2 Vork/Environmental Conditions (2)
ïhy were the work/environmental conditions a cause ? c. Inappropriate environmental conditions c 5. Excessive noise/ shock sound level . 6 Excessiv c e vibration/ shock c 7. High radiation (dose rate.surface/ai r contamination) c 8. Other ( d. Influences due to posture in work were a cause d 1. Worked In tight posture/ unsteady posture . Worke2 d d without usin righe gth m a t d 3. Worked In the posture which the area at hand was invisible . 4 Otherd ( e. Influences due to quantity/quality of workload were a cause t Involvea lon tase No r gth fo k. n tin 1 i d e e . Perceive2 e oonotonoua s a d s work t requireNo . 3 d & thinkin deptn i g h . Perceice4 e repetitiva s da e work e 5. Busy with iiany works . Tas6 e k Interruptions . Require7 e d heavy physiological load e 8. Required to keep tention and attention e 9. Required complicate judgment elO. Required instantaneous reactions ell. Task accorapanied with risk el 2. Other (
) Correlatio(2 n between different Causes In orde clarifo rt y correlation between different cause f humaso n errors.it is trying to classify causal factors into direct causes which humaa directl o t nd errorle y direcn i , t causes which cause d actedan d on a direct cause and potential causes which caused and acted on an in- direct cause.
3-2-3. Stud Datr Countermesurefo n yao s Countermeasure takee b variout n na s ca s stages.Whe n incidenna t occures, it actually goes through various steps. Ther certaie ear n things which cause a human error, and in turn the human error cause an incident. So it is needed to clarify at which step each counterraeasure is targeted»whether this countermeasure is to prevent a human error which occured from causing preveno n t incidentsa s occurence i th t i huma e th r , o n f e o error itself, eradicato t s i t possible i e th r o e causes whic humaa y lea o hma t d n error. classificatioe th r Fo n purpose, counteriaeasure plannee clase sar b o t -d sified into the following 4 steps.
124 Ste) (1 p1 A countermeasur preveno et t reoccurrenc n incidenta f eo , evea f i n human error happens. (2) Step 2 A countermeasure to prevent occurrence of a human error, even if a direct cause exists. (3) Step 3 A countermeasure to prevent an effect of a direct cause, even if an indirect cause exists. (4) Step 4 A countermeasure to prevent an effect of an indirect cause, even if a potential cause exists and to eliminate a potential cause itself.
This way the relations between causes and countermeasures become clearer.
3-2-4. Classificatio DatF S a P f no Huiaan reliability varies depending on P S F( Performance Shaping Factor) same th e eve r operatiofo n r maintenancno e work. On the other hand.P S F influence is different in its degree depending on the tasword kan k situations influenced quantificatioe - Th . in F S P f no fluence on human reliability is greatly useful for the effective improve- men f woro t k method environmentd san implementatioe th r ,fo f workinno g safety measures.and for the assessment of human errors affecting system reliability. a firs s A tquantificatione steth f po plannes i t i ,studo t d whao t y t exten workere th t aware sar epossibla thas i t F eace S th caushP r efo increase or aggravation of human errors and which PSF the workers think is relate whico t d h tas whao kt t extent. purposFoe study,e rth th havF f eo PS e been classified intfollowe oth - ing five categories based upo F classificationPS n whic paste h th use n .i d (D P S F related to Internal factors relateF S P Mn-inachino t d) (2 e interface relateF S speciaP o t d) d l tasks ($) P S F related to work and organization relateF S externaP o t d) d l factor otherd san s
havF InS e tota P bee 2 5 ln selectestudye th r . fo dTabl show3 F e3- sPS categorize relateF S P Internao t ds da l factors.
125 F Relate S Internao t d P Tabl l3 Factore3- s
No. P S F Descriptions f doino 1 y gwa thingd ol Stickcannod n san a o t s adapo t situatiow ne a n 2 Cannot Identify danger Involved In a task 3 Lac experiencef ko s with Individual tasks 4 Lack of training and education for Individual tasks 5 s experlnecHa e with individual tasks t lack,bu s sufficient knowledg principlen eo d mechanismsan equipmentf so s 6 Does' t understand the purpose and overall flow of operational procedures 7 s aentaHa physicar o l l healt lasb sro p h 8 Not eage mako rt e effort o learst n about tasks 9 Too old 10 Not cooperative 11 Restles d hastsan y 12 Slow and relaxed too much 13 Too bold and decisive 14 Physically tired 15 Afraid of Baking a uistake too auch because of overenphasis on Us outcome
3-3. Problems concerning Human Error Data Classificatio) (1 Humaf no n Error Data There have been various efforts made and measures taken aiming at the reductio Humaf no n errors Fig.1-s .A 1 shows,however, humant errorno e sar necessarily decreasing. Since early days numerous studies and researches have been conducted on human errors not only in nuclear industries but als othen i o r industries. Still what desire researca s i d h whose results could be fully reflected in the human reduction activities at work site and which comes up with concrete and feasible recomendations. At the moment HFC is still studying several different methods of data classification to see which is the best way. Thus,most of the things above described are still at planning stage. Soon, HFC will start collecting dat d analyzaan e the o identift m ye problem somth f eo s involve datn i d a classification. And for the smooth exchange at human error information, international standardization of data classification is imperative. ) Collectio(2 Humaf no n Error Data incidente Datth n a o d failuresan s which have actually occureo t e ddu human errors have been already collected and analyzed. The problem is how to identify human errors which have potentiality to cause incidents or failures. In general, people have tendency to hide the errors they made, afraie b an o beinf t ddo g punished. This human nature also applien a o t d entire organization. It must be necessary to tackle these problems.
126 HUMAN ERROR CLASSIFICATIO DATD NAN A COLLECTION— SURVE INDIAN A YN I N NUCLEAR POWER PLANT
. RAJASABAIN . RANGARAJANV , , K.S.N. MURTHY Madras Atomic Power Station, Nuclear Power Corporation, Kalpakkam, India
Abstract Any amount of automation and computerised control systems cannot tackle all the postulated and unpostulated abnormal events and hence there is a need to have the human interaction in the operation of a nuclear power plant. With such human interactions, it is likely that certain errors might be committed even though it may be infrequent. These errors may be due to spontaneous actions by the operating staff or due to lack of understanding, co- ordinatio communicationr o n detaileA . e th d reviel al f wo abnormal events in Madras Atomic Power Plant in India indicate e unusual/abnormath f so % tha8 t o t aboul 6 t incident reactod san humao t r e nscramdu errore ar s . Most of the human errors occur while carrying out certain non-routine operations, while carryin t certaiou g n surveillance tests, or while putting back the systems/ equipments in service after maintenance. In Indian nuclear power plants, even when a minor abnormal event away fronormae th m l operatio planf no t takes place (like closing or opening of motorised valve or pneumatic valves due to power or air failure or control circuit getting shorted) an immediate report called incident report is filed by the shift charge engineer. All the incidents are reviewed by the Station Operation Review Committee (SORC) and the reasons for the incident is classified under different headings as equipment failure, system failure, component failure, inadequate inspection, inadequate procedures, inadequate Training, improper/unauthorised operation/mainte-nance, design deficiency, operator error» operator inattention etc. If it is safety related, an exhaustive safety related unusual occurance Report (SRUOR) with rootcause analysis is submitted o headquartert d regulatorsan y bodies. This paper reviews the incidents in Madras Atomic Power Station -Units 1 & 2 for the last 6 years and quantifies the causes attributable to various categories cited above. Even thoug e incidenthth human-erroo t e sdu r remained high during the first year of the operation of the plant, it has come down gradually in subsequent years due to better on the job training to the operating staff, better understanding of the equipment and system behaviour during normal operation as well as abnormal operations.
127 1.0 INTRODUCTION There is no second opinion that the nuclear power is the definite alternative sourc energf eo y wite fasth ht depletion of the conventional sources of fossile fuels. However, since there is a risk of radiation in the nuclear powor production, Htrinyont upocificationa aro choaon for the» various component equipmend an s nucleaa f to r power plant durin desige th g n stage. Strict quality control measuree sar applied durin manufacturee th g , constructio d operatinan n g nucleaa stag f eo r power plant. Intensive trainin gives i g n to the operation and maintenance staff of nuclear power plants in order to ensure that the plant is operated in a safe manner as per the technical specifications. Radiological environmene releasth o t e radiatio d tan n exposure th o t e plant personnel and the public are kept as low as Reasonably Achievabl withid ean limite nth s prescribef o ICRPy e db On . the training aid is the operating manuals giving all step by step procedures and technical parameters applicable for norma d abnormaan l l condition enablo st e safe operatiof o n the plant. Considering the importance of safety of nuclear power plants, special procedures suc s actioa h n o fusn e failure, actio n alarmso n , station blact procedureou k , operating procedure emergencr fo s y condition ( sknow s a n OPEC procedur n i Indiae n nuclear power plants e alsar ) o prepared and workshops were conducted among concerned O&M staff. Many times operating procedures are written making many assumptions on behalf of the operator without realising his handicaps and his limitations as a human being, his timely responses, his span of visualisation of a developing accident scenario e SafetTh . y Report a nucleaf so r power plant generally contain volumes of information on design description accidend san t analysi alsd san o predict scenarios following various initiating events. notwithstandine th g information and the response of built-in instrumentation and channels of information vis-a-vis operator action, there is a need to understand the plant behaviour and translate the informatio languaga n i n e understandabl e operatinth o et g personnel. This approach become necessitsa e operatinth r fo y g personne n undertakini l g atleas firsta t diagnosie th f so plant behaviour based on the information available in the control roocontaio t m mitigatr no incidente eth .
There is also the problem of uncertainities of human behaviour. Different human beings behave differentln i y stress conditions and a few are more prone to human errors under circumstances when their thinking capabilit s mosi y t needed. Incorrect human intervention could also change eth course of progression of an incident into an accident. This o emphasist is action e t e operatoth tha no th f i t f s o e ar r in the correct direction, a minor incident could escalate into a major accident. It should, therefore, be recognised beyond doubt that, inspitautomatioe th f eo n that goes into
128 the control of plant, the importance of man-machine interaction canno underestimatede tb .
2.0 ABNORMAL INCIDENTS Normal operation of a nuclear power plant means operatiostatioe th f no nwithi limite d th ncondition an s s stipulated in the technical specifications for operations, including shut down, power operation, shutting down, starting up, maintenance, testin refuellingd an g . Abnormal incidents r anticipateo d operational occurence e operationath e sar l processes deviating from the normal operation which are expected to occur once or several times during the operating e appropriate th plantth vie lifn f I f .o o we e design provision, these occurance t causy no significan an o ed s t e itemth damag so t importane safete r th leano o o yt t d accident conditions. Accident condition e substantiasar l deviation froe operationath m l state whic expectee ar h o t d e infrequenb whicd tan h could lea releaso t d f unacceptableo e quantitie f o radioactivs e material case n i relevanth ,e t engineered safety features did not function as per the design intent.
0 3. MADRAS ATOMIC POWER STATIO UNUSUAN- L OCCURANCES
Further data given in this paper are compiled from the incident reports of Madras Atomic Power Station, INDIA. Madras Atomic Power Station has two numbers of 235 MWe capacity nuclear power units. The reactors are similar to CANDU units with moderator dumping facility for reactor shut containmene th dowd pressura nan s tha e suppression system. The first unit of Madras Atomic Power Station became critical in the month of July, 1983 and the commercial operatio plane th s declaret wa f o nJanuarn i d y 1984e .Th second unimads wa te critica Septembern i l ,e th 198 d an 5 commercial operation commence n Marci d h 1986.
1 3. FILIN REPORTF GO SHIFY SB T CHARGE ENGINEER There were 334 incident reports in the last 6 years of Unit-I operation alarmet e shoulge On t thiy .b dno d s high number of 334 incidents which works out to 55 incidents per year average. Because, even minor incidents but unusual for operation mode are reported by shift charge engineer in a standard proforma. Only a small fraction of these unusual occurences are having bearing on safety and Safety Related Unusual Occurence Reports (SRUORs) are prepared by the technical service e sstation th e grouunusua Th f o p. l occurences for Unit-II in the last 4 years of operation are 213. The yearwise split up is given in the following table. SRUOR r Unit-respectivel6 4 werfo I I sd e& Ian onl8 r 12 y fo y the above period.
129 TABLE-1
Year 1983 1984 1985 1986 1987 1988 Total Unit-I UOR 68 87 50 45 30 54 334 * * 8 12 8 1 7 6 0 2 8 3 9 3 SRUOR Unit-II
UOR 50 73 51 39 213
SRUOR - 10 15 7 14 46
e numbeTh higs i r * h sinc eclearlt no SRUO s yRwa definen i d early year operationf so .
3.2 REVIE STATIOY WB N OPERATION REVIEW COMMITTEE(SORC) Station Operation Review Committees (SORC) are existing in each operating nuclear power plant in India to review/analyse station operatio regulat a n r intervalo t s detect potential unsafe problems and recommend remedial actions and also to investigate promptly all safety related unusual occurence d incidentan s s including violatiof o n Technical specifications for operation and report safety evaluation and recommendations. Chief Superintendent, Deputy Chief Superintendent, Technical Services Superintendent, Operation Superintendent, Maintenance Superintendent, Training Superintendent, Technical audit engineer, Health Physicist and Heavy water manager are the members of the Station Operation Review Committee timet A e .concernes th d shift charge enginee Assistanr ro t shift charge engineer o r senior maintenance engineer co-optede sar . SORC unusuae reviewth l lal s occurences promptld an y analyse cause th eacr se fo h inciden categoried ty an an o t s one of the following a) System failure ) Equipmenb t failure ) Componenc t failure d) Inadequate inspection e) Inadequate procedures ) Inadequatf e training
130 «9/cm» - . ff » uow TIMf-t40*C
MM NT/Hr rr. S«-Tt »g/cm1 Twt * »o*c «TIAH
OUTLET COOLANT TUBES
ruUUH« «ACMIKl
«MOIMAIT «ATM
MADRAS ATOMIC POWER STATION SIMPLIFIED FLOW DIAGRAM
MOO '-ITC* MOOttATO« coou» ) Impropeg r operation ) Impropeh r maintenance i) Improper system modification j) Violatio Technicaf no l Specification k) Surveillance requirement given in Technical Specificatio carriet nno t dou 1) Design deficiency ) Calibratiom n error ) Human n error ) Operatoo r inattention p) Inadequate health physics measures q) Inadequate industrial safety measures r) Grid problems ) Constructios n deficiency t) Others After review• SORC makes specific recommendations to station to avoid such unusual occurences in future and fixes e th agency which will e havth responsibilite f o y implementing SORC's recommendations. SORC reviews periodicall e prompth r tfo yimplementatios it l al f o n recommendations. Whereve e unusuath r l occurance e safetsar y related, SORC directs that detailed Safety Related Unusual Occurance repor tpreparee b Technicae (SRUORo th t y s b di ) l Services Group of the station. The copies of SRUORs are sent to the members of MAPS Safety Committee and Safety Review Committee for Operating Plants(SARCOP). MAPS Safety Committee reviews SRUORe al th Technicad l san l Specification violationd an s periodical reports of the station health physicist and forward specific recommendations to improve the safety of the plante memberTh .f o unis t safety committee include Technical Services Superintendent from MAPS, members from other nuclear power plants in India, Designers, members from Atomic Energy Regulatory Board (AERB d Healt)an h PHysics Division. SARCOP review safete sth y matterl nucleaal f o s r power plant n Indiai s . membe o n Thi s rsha frooperatine mth g nuclear power plants. but the respective station Chief Superintendent wil askee lb atteno t d meetine th d g whenever the agenda includes the points pertaining to that particular station.
132 TABLE-II NUMBER OF INCIDENTS PER YEAR
Cause of occurances UNIT-I UNIT- I I UNIT-1411 1983 1984 1985 1986 1987 1988 Total 1985 1986 198Tota7 198l 8Total
OPERATING HOURS 1673 6333 4827 4635 6014 667930161 11185291 6382 3535 16326 46467 1 . System/equipment 16 37 32 28 21 34 168 32 54 29 24 139 307 component failure 2. Inadequate inspection 3 4 0 2 1 1 11 2 0 2 2 6 17 3. Inadequate procedures 16 11 4 1 2 8 42 6 9 9 6 30 72 Inadequat. 4 e training 2 0 1 0 0 0 3 1 0 0 0 1 4 Imprope. 5 r maintenance 4 1 1 2 0 2 10 0 0 1 1 2 12 6. Design deficiency 14 17 7 4 0 3 45 4 3 3 2 12 57 Calibratio. 7 n error 4 3 0 0 0 0 7 0 0 0 0 0 7 8. Grid problem 1 5 2 3 5 3 19 2 3 0 1 6 25 9 .Construction 0 0 0 0 0 0 0 0 1 0 0 1 1 deficiency
10. Human error 8 8 2 1 1 3 23 2 2 2 2 8 31 Spuriou. 11 s 0 1 1 4 0 0 6 1 1 5 1 8 14
TOTAL 68 87 50 45 30 54 334 50 73 51 39 213 547 0 4. EXAMPLE INCIDENTF SO HUMAO T E NSDU ERRO DIFFERENF O R T CLASSIFICATIONS Some of the incidents of Madras Atomic Power Station humaduo t e n error discussee sar d below, each coming under different classifications.
4.1 IMPROPER OPERATION For adding Heavy water to the moderator system as a mak , thertransfea eup s ei r tank wit capacitha drum2 f o ys of Heavy water. However during one of the incident, the operator wante finiso t d additioe hth drum3 f f Heavo no s y Water in a short time before the end of his shift. He attempted to carry out simultaneous addition of Heavy water from the drums to the transfer tank and also from the transfer tank to the system which is against the operating philosophy of the station. This led to over flowing of the transfer tancaused kan d spillag Tritiatef eo d Heavy water.
2 4. OPERATOR INATTENTION e moderatoTh r levee calandrivaries th i l n i d y b a utilising heavy water operated ejectors which variee th s differential pressure acros Dume sth p Ports. After doins it g function in the ejector, heavy water enters a tank and gets drained throug controa h l valve e uni.th t f Durino e gon outages, the above system was under shutdown and work permit had been issuer d systean * m pipin s opene gwa r maintenancefo d . However, the heavy water was passing and water entered the d tanhigan kh leve le tan th alark r annunciatefo m e th n i d control room. Howeverattendet d no alar e an s th o ,wa t dm e heavth y water spille e dsystem th throug f o , opee d th hnen
3 4. ERRO OMISSIOF O R N On one occasion, the unit was in operation with the HP heater feee th No.d heatinf 5o ge secondarth syste n o m y circuit on bypass mode for maintenance work. After maintenance worcompleteds kwa heatere th , s were valven i d without gradual fillin aftep gu r thorough venting, Thid le s to sudden filling up of the HP heater causing reduction in feed water floboilero t w so Reactot whic d le h r trin o p primary coolant high pressure.
4.4 CONFUSION During the initial stages of Unit-I commissioning, there were problems with boiler level control valves. Since the level indications of the boiler drums were also not working properly, people were fiele poste th o watct dn i d h the level in the drum wherein feed water flow control was being done from control room. Due to confusion between north bank of boilers and south bank of boilers, the feed water flos beinwa w g controlle bane on k n o frod m control d rooan m water leves beinwa l g observe othen i d e rlocath bany lb k operator which led to water entry to main steam line causing water hammering and breakage of supports.
134 5 4. LAC F JUDGEMENO K T On another occasion, the pegging steam pressure control valve for deaerator failed open due to problem in the control components .openino t Thid relief go le s fe th valve n i s deaerator locae Th .l operator, without informin controe gth l room, started closing the guard valve for the pegging steam control valve without opening the bypass valve, which led to fast reduction in the deaerator pressure threby reducing the NPSH availabilit boiler fo y r fee boilee d th pum d r pan feed pump started cavitating controe Th . l room operator, tooe kth corrective measure and saved the pump.
4.6 INCORRECT RESPONSE On one occasion, the level in the drum of one of the 8 boilers cam operatore e th dow d nan , instea trif do m opening the feed valve, opened the valve fully which caused abrupt increas boilee th n ri e level . Seeing this e operatoth , r close feee th dd valve fully which cause reactoda r scrae mdu higo t h differential temperture acros boilere sth .
7 LAC4. COMMUNICATIOF KO N e reactoTh r protective system consist 3 channel f so s channel2 y an anf si d trip reactoe th , r gets tripped. There is a provision for testing the reactor protections on one channe timea t a .l Normall firse th y t protectio s testei n d with final control element, namely, dump valves in closed conditioe propeth d r an ne openindum th pf o g valves i s checked checkinr Fo . g other protections dume ,th p valvee sar lefopen i tn condition orden i n avoio t r d more operatiof o n these valves. Only the channel trip is checked for rest of the protections. On one occasion, when the primary coolant high pressure trip was being checked for one of the protective system channels by manipulation of valve from the pressurising pump discharge line and the pressure trasmitters, the pressure trasmitter valve for a channel other thatestine nth g channe openes lwa d thereby dump valves of second channel also opened and reactor got scramed.
0 5. HUMAN ERROR DATA COLLECTION Once the cause of an unusual occurence is fixed as human s i furtheerror t i r, classified into improper operation, operator inattention, error of omission, confusion, lack of communication, incorrect response and planning deficiencie s indicatea s n i TABLE-IIId e Th . operation Superintendent who is also the Secretary of SORC discusse e incidenth s t witoperatine hth g stafo werwh fe involved durin concernee th g d inciden whicr tfo e caus hth e was human error. The Operation Superintendent tries to find rootcause humath e th t nbeer s ou eerrorfo ha n t I observe. d tha humate th mos nf followine to error th causee o t ar se gddu reasons.
135 Os
TABLE-III ANALYSIS OF HUMAN ERROR AT MAPS
TYPE HUMAF SO N FAILURE UNIT-I UNIT-II UNIT-I&II 1983 1984 1985 1986 1987 1988 Total 1985 1986 1987 1988 Total Total
OPERATING HOURS 1673 6333 4827 4635 6014 6679 30161 .1118 5291 6382 3535 16326 46487 Imprope. 1 r operation 2 2 2 1 1 3 11 1 2 2 1 6 17 2. Operator inattention 2 2 0 0 0 0 4 0 0 0 0 0 4 3. Erro f omissioo r n 1 3 0 0 0 0 4 0 0 0 0 0 4 4 .Confusion 1 0 0 0 0 0 1 0 0 0 0 0 1 5. Lac f communicatioo k n 1 0 0 0 0 0 1 1 0 0 1 2 3 6. Incorrect response 1 0 0 0 0 0 1 0 0 0 0 0 1 7. Planning deficiency 0 1 0 0 0 0 1 0 0 0 0 0 1
23 31 (a) The individual concerned being under physical strain s hi o t o over-wort eithe e plane e du th du r r tn o ki prior physical exertion while performing his domestic duties. (b) The individual being under emotional tension either due to circumstances in the office or in the household. (c) Due to physical illness. ) Lac(d communicatiof o k n between control roome th staf d an f field staff. ) (e Lacf understandino k e individuath y b g l aboue th t system equipmentd san inadequato t e sdu e training. informatioe Th ) (f n regardin modificatioga n carrien i t dou the systems not reaching down the level of the operating staff. ) Misunderstandin(g g between staff belongin o t varioug s groups such as Operation and Maintenance. (h) Over-confidence amon stafe th g f concerned regardins hi g knowledge and capability. ) (i Fear complex about equipmen radiationr o t . ) (j Instruction t reachinno s e g th e dowleve th f no l operating organisation regardin latese gth t operating philosophies. Once rootcaus th e humaeth nr efo failur s establishei e y b d the Operation superintendent, he takes the necessary action o ensurt e that suc hrepeatet concernee no errorth e y b dar s d individual e otheth ry s b a we-1 operatinss a 1 e g th staf n i f station. Necessary counselling is done and the individual is mad o realist e mistaks ehi madd understano an et e d thae h t does not repeat it again.
0 6. STEP O REDUCST E HUMAN ERROR Various stepe beinar se g Nucleath take n i nr Power Stations in India to reduce the incidents due to human error.
They are listed below: (1) Counselling by O.S. with the individuals concerned as indicated in 5.0. y ensurinB ) (2 g proper administrative controe thase to t l no individual workr morfo es 6 tha1 hourn s conitinuously y undean circumstancer s including overtime hours. (3) Avoiding overtime work for the individuals after completin nighe gth t shift.
137 y B issuin ) g(4 detailed incident reports e bringinth t ou g human error givind an s g wide publicit o s thay t such errors are not repeated in the station. Copies of such reports are sent to other Nuclear Power Stations within countre th ensuro t y e avoidanc f suceo h human errorn si those power stations also. ) Arrangin(5 g periodical meeting with operating staff wherein factors such as human errors are discussed in detail and means of reducing them are dealt with. (6) Periodic seminars are conducted wherein members from operation staff are made to present the incidents cause y humab d n e entirerrorth d esan incidens i t discussed in detail by all the operating staff. (7) Wherever inadequate training is found among the operating staff, Statioe theth e sen o ar yt n Training Centre for re-training and also for updating of knowledge. ) (8 Wheneve desigy an r n modification carriee sar d oute th , information in detail is circulated to all the operating staf meany fb informatiof so n bulletins. (9) For carrying out standard operation, routine tests, surveillance check makind san g isolatio r issuinfo n g permit d bringinan s g e bacsysteth k m into normal operation after maintenance etc., standard Ordeo T r Operate forms (OTO forms kepe contro)n ar i t l rooo s m that the chance for human error is eliminated. However, before utilisin standare th g O formsOT de th , engineer in the shift verifies whether the OTO will be applicabl systee th r mn pe toti statues oa s existing on that particular day. Wherever necessary, he makes minor modifications in the Standard OTO form to suit the prevailing system status and then issues the OTO for implementation.
(10) The standard proforma for Surveillance are periodically reviewed and revised wherever necessary. Since a few incidents of Reactor Scram occured while cuj.rvj.ng the dail Reactoe y th tes f o tr Scra alsd man o weekly testing of the valve gear of the Turbine, necessary steps were include doublo t d y ensure that such Reactor Scrams will not take place again. (11) Wide publicit incidene gives th i y o t n t e reportth f so station and also the other stations within the country and also various U.S.NRC reports so that the updated information will be available for all the operating staff. (12) Periodical special training programmes are conducted for various levels of staff in the subjects such as communication, human relationship etc havo .t e better co-ordination and understanding among the staff.
138 (13) By training the operating staff in a simulator to improv responss ehi e during abnormal occurences.
7.0 CONCLUSION Even witamouny an h f automationto , human elemens i t very much essential for the operation of Nuclear Power Station. Since human error canno altogethee b t r eliminated, essentias i t l tha goinn to g programme e implementear s y b d the operating Nuclear Power Station o ensurt s e e thath t incident humao t e n du serro e keprar t minimum. Necessary data collectio d evaluatioan n n will hel n reducini p e th g human error.
139 Ho POSSIBILITIE NECESSITD SAN E TH F YO HUMAN ERROR DATA COLLECTION AT THE PAKS NUCLEAR POWER PLANT
T. SZIKSZAI Paks Nuclear Power Plant, Paks, Hungary
Abstract yea3 1 ra operationaPake P Ath t sNP l experienc obtaineds ei t huma,bu n error data have not been collected in that form, which could be used for probabilistic evaluati- on and for a more effective feedback. Such data can be obtained from other NPP-s, reports and materials of meetings, but this data cannot be used directly for the Paks NPP in every region of the operation because of the differences in the operational environment and tasks. This facts make us consider to organize a human error data collection system.
sourcee Th f sucso h data collection coul: dbe - the full-scale simulator, that has started recently; - safety related event reports; - incident investigation reports; - reliability data of the plant safety equipment, that has been collected since last year.
future Th e tasks are: - to work out a human error data collection form and database with its content and error categories; - to develop a data evaluation program; - to solve the feedback of the results of the evaluation to the plant operation.
This paper gives a brief description of the possibilities of a human error data collec- tion system explaind an , necessite sth date th a f ycollectiono .
1. Introduction
The first unit of the Paks NPP was put into operation in 1982. Since that time the start-up works were performed on other three units. All together a 13 \mityear experience is obtained. Because the Paks NPP is the only NPP in Hungary, and the hungarian technical background had no experience in maintenance of high quality nuclear equipment founo t manufacturee d dth ha e ,w r basi providd an s personnels eit .
141 The performance indicators of the plant shows high quality of the maintenance work operationsd san have w epersonnea w No . l wit hgooa d experienceg bi e th t Bu . numbe operationae th f o r maintenancd an l e personnel gives more opportunite th f yo human error.
At the beginning of the operation the deterministic safety assesment was mostly general wit operationae usage th hth f eo maintenancd an l e instructions providey db the soviets. These instrucions do not specify any kind of systematic data collection of equipment reliability or human error data, and nothing induced the plant personnel to collect these data in an acceptable for a reliability analysis form. On the basis of the instructions all incidents and safety related events were analysed and documented. The incident investigation and the safety related event reports contain the discripti- analysid operationae an th n o f so l personnel actions. These information have been available since 1982, and have been used successfuly in the operator training. This feedback coul e mucb d h more effective wit a hsystemati c data collectiod nan evaluation. activitA PS e y supporteTh IAEe plane Paktooe P th effecs Th th Ay . t sha dNP t b a t safety system component reliability data collection has already started, and a data evaluation progra developee b o t researcma s i y db h institute personaA . l computer network has been intstalled in the last two years, and many data bases were created at the beginning for several purposes and many kind of data recording were started. mose f thesTh o t e data bases were then integrated into more general data basef so common interest maintenanceregioe e th th f n nI .o <& ,I electrica d Can equipmene lth t failure data has been collected for recording purpose, and their data base are available throug NOVELe th h L network commoe th o s , n data evaluation coule db easy. These data bases are useful for selecting the human errors.
full-scalA e simulato s starteha r d working recentl Pake th t sya NPP. This simulator numbea s ha f possibilitieo r observo st e operator'th e s reactions eve abnorman i n l situation.
2. The possibilities of the human error data collection
2.1. Developing of the existing data collection systems
mentiones wa A e introductiot si th n di e existinth n g data collection systeme sar suitabl seleco e t recor d an thumae dth n errors t significanafteno a r t modification. These data base e similaar s n structurei r e commo d th wor an ,n o k n NOVELL networ o it's ks only organizational questio solvo nt commoe eth n data evaluation. One of this data bases -the reliability data base of the safety system equipment- s developewa r purposdfo calculato et e componenth e t failure probabilities thin I . s
142 system the number of the components involved into the data collection can be extende e datth da„ base structur modifiee b n t ca t ewilli coula d o s e suitabl, db e for human reliability parameter calculation with little modifications.
The structure of the reliability data base can be described as follows: It contains two main data bases with temporary used additional data bases. The firs f componene theo tth m - t data bas e- contain briee sth f descriptioe th f no components, their time- and reliability data, that are calculated using the information of the second data base. The last one - the event, or failure data base - contains the component failure events in a coded form. First the component failure is classified from several point f viewo s , codethes i recordet d i n dan d int computere oth . This data base contains als time oth e e componendatth f ao t failure t givei o goos a ,s d basis for the reliability parameter calculation, and it can be developed toward the human error data collection.
In the first step we should dévide the human errors into two groups. The first group would contai humae nth n errors relatemaintenance th o dt thosd ean e operator failures, that occur during the tests and do not initiate any processes during the test. These failures woul acceptee db componens da t failure f courso s e with attention no the possibility of common cause failures. The second one would contain the failures, that occur during direct operational actions, so called operator failures. In the first step we should then concentrate on the collection of the operator failures, and the data collection system woul e modifiedb developed dan d towar recordine dth e gth operator failures shoule w t dbu , leave ope systeme n th futur e thath o coul e s ,n ew i t d handl e maintenanceth d tesan et failure humas a s n errors.
2.2sourcee date Th .th a f collectinso g
Ther e fouear r sources basicly: - reliability data collection; - incident investigation reports; - safety related event reports; full-scale th - e simulator training.
2.2.1. Reliability data collection
The reliability data collection system was briefly described before, so here we mention only its possibilities to select the human errors.
When we analyse an event, it has to be classified and coded, so that it could be recorded. The points of view are defined by the structure of the event data base.
143 If we extend the data base structure, or the classification with the human error, and an event is analysed from the point of view of the human error, than it coould be e humasourca th f o en error data collecting. This typ f dateo a collection woule db performe followina n i d gsystee steth f pmo development.
2.2.2. Incident investigation reports
e PaksincP Ith nNP se 1982 beginnine th , operatione th f go , every incident have been recorded, analysed e resultth d s an ,hav e been written incidene dowth n i n t investigation reports. These reports contai analysie nth e activitope e th th f - so f yo rational personnel. If the event was initiated by the operator, than it is clearly defined e investigatioith n n report e descriptioTh . evene th f tno makes possibl folloo et w the operator's actions during the process. These reports give the basis for most of the additional operator trainings relateeventse th o the t do significane s , yar t froe mth point of view of the general operator training. There are two conclusions from these reports. The first is the acceptability of the operator actions during the incident, and the second is the role of the operator as an "initiating event generator". The last one n objecothen a a e f b ro t analysio t opiniony s rn ha n si .
2.2.3. Safety related event reports
e safetTh y related event reports differ fro incidene mth t investigation reportn si definition. Incident is an event, that is defined as an incident in the terminology of our Dispatching Centre, and is accompanied with a loss of electricity production. Safety related n eveneventa s i t , that effect plane th objecn sa t s safetyi t t i o s , of an investigation. Both events have tobe investigated, documented or recorded. safete Th y related event reportt leasa s significana e t sar incidene th s a t t investi- gation reports. The structure of such report is the same as the structure of the incident investigation reports theo s , y coulsame th usee der b dpurposefo .
2.2.4. The simulator
n I Januar f thio a y simulato e PaksP th yea NP sn i rr training started fullA . - scale simulator and a process or basic principle simulator serve as a basis for this training s use i r proces e e fo dlas on Th t. s analysis e full-scalTh . e simulatoa s i r control room wit hcomputera , thasimulatn ca t e operational processes softwars .It e is abl describo t e e processes, whe e primarnth y circuit coolan t saturatedno s i t s ,a operational transients incidentsd an , accompaniet , no tha e tar d wit e boilinhe th th f go coolant developmene Th . simulatoe th f to r software towar accidentae dth l processes i s still underway mans ha t yI . facilitie mako t s e easie observatioe th r d analysinan f so the personnel reactions, like freezing the process, or replay an important period of time. These possibilities could be also used for the human error data collection.
144 There is an other benefit of such data collection. The operator does not pay atten- tion on the way, how his reactions are observed and analyzed, so this kind of data collection doe t affronsno t individual interests. Fro othee mth r han behavioue dth f ro the operato perhaps i samrreae n i th ls t ea situation sno , doe t fees responsisno hi l - reactios bilityobservee hi b t n Bu .nca d eve abnorman ni l situation thosd an , e actions e recordedb n ca , thae verar t y frequent durin t caus e operationno th go ed d an , directly abnormalities. In my opinion this is the best possibility to collect and ana- lyse human errors.
3. The necessity of the human error data collection
The necessity of the systematical human error data collection means first of all e necessitth increase th feedbace f th yo f eo k effectivity collectee e trenth f Th .o d d data describes the developing of the operator training effectivity.
The simulator instructors get much more information of the simulator trainings, than before, they would summarize and use the collected information during the trai- nings and the operation, and this information should be provided in an acceptable common form to make easier their work. Their task is to assemble the simulator exercises, so they have to follow the preparedness of the operational personnel.
The simulator development could be supported by those system reliability-, and event analysises, that use the collected component and human reliability data. The optimal feedback would be simulator exercises, that would contain key opera- tor actions given by the analysis. ( Ex. normal operational processes, when the ope- rator is a potential "initiating event generator", or such processes, when the used event trees contain many important operator actions.)
The PSA activity in Hungary requires some Paks NPP specific human error data. There can be many external sources of the human reliability data, that can be used in some cases t thebu ,y have limited acceptabilit r usinyfo gPake P theth sNP r mfo personnel, becaus plane th f t o especifi c operation instructions operationad an , l envi- ronment. There are some points in the event trees of the initiating events, where only plant specific data can be used. A wide scope PSA requires good systematic data collection and data evaluation.
4. Future tasks
If we want to reach the above mentioned goals , we have to work out the human error data classification in the first step, to study several recommendations, to wor t datou ka collectio o modifnt shee existine d th yan t g data collection system
145 toward the human error data processing. The review of the incident investigation reports and safety related event reports could be useful to examine the information they give.
In the second step a data evaluation program should be developed. We are at the point of the literature study now. In this step we should solve the permanent and perfect feedback of the first data evaluation results, and make conclusion of the initial data collection experience modifyd founs i an ,t i df i ,nece.ssery n thi.I s step we should also consider the handling of the maintenance and test failures as human errors, and the modification of the data processing system. For this purpose the events should be more deeply analyzed, the event data base structure should be ex- tended and the data evaluation program should be also modified.
All these require more manpowe timed an r .
146 HIGHER OPERATIONAL SAFET NUCLEAF YO R POWER PLANTS BY EVALUATING THE BEHAVIOUR OF OPERATING PERSONNEL
M. MERTINS Staatliches Amt für Atomsicherheit und Strahlenschutz, Berlin . GLASNEP R VE Kombinat Kernkraftwerke, Greifswald German Democratic Republic
Abstract In the GDR power reactors have been operated since 1966. Since that time operational experiences of 73 cumulative reactor years have been collected. e behaviouTh f operatino r g personne n essentiaa s i l l factor to guarante e safetth e f operatioo y e nucleath f o n r power plant.Therefore a continuous analysis of the behaviour of operating personnel has been introduced at the GOR nuclear power plants. In the paper the overall system of the selection, preparation and control of the behaviour of nuclear power plant operating personne s presentedi l .
The methods concerned are based on recording all errors of operating personnel and on analyzing them in order to find out the reasons. The aim of the analysis of reasons is to reduce e numbeth f errorso r a feedbac y B . f experienceo k e nucleath s r Safety of the nuclear power plant can be increased.
All data necessary for the evaluation of errors are recorded and evaluated by a computer program. This method is explained thoroughly in the paper. Selected results of error analysis are presented. It is explained how the activities of the per- sonnel are made safer by means of this analysis. Comparisons with other method e madear s .
147 l. Introduction
Since 1966 nuclea ro generatt energ R s beeGD ha ye n e th use n i d electricity o datT . e operational experienc 3 cumulativ7 f o e e reactor year s beeha s n gained t presenA . t fivee unitth t a s Rheinsberg and "Bruno Leuschner" Greifswald nuclear power plants are in operation with a total electricity output of 1830 MW. Since 1983 the "Bruno Leuschner" NPP has also supplied the town of Greifswald with hea tt watebaseho n ro d pumped througa h m transik 0 2 t line /!/. Nuclear energ s user i energetiy fo d c n closi R eGO purpose cooperatioe th n i s e n th wit e USSd th han R other CMEA states s basei t I d. exclusivel e proveth n o ny pressurized water reactors e (DWRWWEth R f o )type . With this reactor type annual availabilities of around 80 %, at som eR /2/ unitGD e achieve .e ar sth , % even i d5 8 n
The high percentage of operational availabilities is, at the same time, an essential indicator of the high safety and reli- ability of the facilities. However, it is also due to the high- level qualificatio e operatinth f o n g personnel guaranteeine th g conduc f operatioo t n accordanci n e with existing regulations. That includes particularl e avoidances possibleth a y r fa s a , of disturbances of the regular functioning of the plants and safety devices cause y erroneoub d s actione personneth f o s r o l by errors mad n plani e t monitorin d maintenancean g .
The evaluation of incidents, especially those occured at the nuclear power plant f Threo s e Mile Islan d Tchernobylan d , s showha n that human errors contributed considerable th o t y development of those incidents /3/. From that follows that the qualification, training and retraining of the personnel, an the continuous supervision and evaluation of the behaviour of operating personnel, together with the implementation of pre- ventive measures o essentiatw e ar , l component r ensurinfo s a safg e and reliable operatio f nucleao n r power plants.
148 2. Evaluation of the Behaviour of Operating Personnel
International experience, confirmed als y experiencb o e gained in GDR NPPs, shows that less than 30 % of all events leading to deviations from the planned state of operation, are due to errors made by personnel. Only between 6 % and 8 % of all events are caused by operating personnel, by far the major part being caused by faulty repair and maintenance of plants. So the operating personnel is not the main contributor to unplanned event d disturbancesan s . However a positio y n i t musan i , e t b ta n time to limit, by early detection and reaction, the effects in the plant of errors committed by other personnel (maintenance and repair), and of other errors in order to avoid the degradation of nuclear safety d prevenan , t los f workino s s a gr hourfa s a s possible.
Therefore, sinc e beginninth e f nucleao g e GDR,th r n energi e us y e behaviouth f operatino r g personne s beeha l n continuously analyse d evaluatedan d e methodTh . s applie e subjecar d o t t continuous developmen d improvemenan t t taking into account international experience. The evaluation system covers also abnormal events. Althoug t hhav no the er o onl o d yany y, minor, material and economic consequences, they occur most frequently among the erroneous actions of the operating personnel, and e firsth ofte e t ar stagn f disturbanceo e s entailing losf o s working hours and facility damage. Therefore, the strongly prevention-oriented evaluation system serves the following fundamental purposes: - Comprehensive identification of the causes of erroneous actions by personnel, and of the factors favouring them; - Deductio f measureo n s preventing erroneous actions; - Enhancement of human reliability, thus increasing the overall reliability and safety of the NPP.
These purposes requir a complee x system wit n appropriata h e inner structure. We use four subsystems which are interrelated (fig. 1):
149 e datTh a categorie o identift s y type d causean s f erroneouo s s actions are of special importance for the analysis and evaluation, and therefore they are further classified. For instance, ten different causes of erroneous actions may be distinguished. Examples of such target functions for computer programes for data evaluation are: - Distributio f erroneouo n s action causes; - Qualification level of erroneous action causers; - Probabilit f faulto y y operatio a functio e s totaa nth f lo n number of operating actions.
At present there are more than 50 individual computer programmes which are run periodically (at least once a year) and when re- quired.
Storage of all data and results in central databanks guarantees permanent accessibilit d determinatioan y f cumulativo n e values and results.
. Selecte3 d Results e analysiTh . 1 f causeo s f erroneouo s s e actiooperatinth y b n g personnel showed that subjective failure accounting for 65 % of all erroneous action was the main cause (fig. 3). Shortcomings in plant and workplace layout accounted for 16 %. No erroneous action endangering the safe nuclear operation of the NPP units was recorded. The operating personnel mastered all abnormal events and disturbances, among them more than 90 % not caused by it.
Installation and Labour (Job! Design 16%
FIG.3. Cause f operatinso g staff errors.
152 These results show that even relatively older nuclear power plants (the operating age of the units is between 9 and 15 years) can be safely operated by well-qualified and motivated personnel.
e higTh h . 2 shar f subjectivo e e failur n erroneoui e s action causes s studiewa d more closely wite followinth h g results e frequencTh : y of erroneous actions by operating personnel holding the same posi- tion, but having acquired their fundamental qualifications at a technical college is higher by a factor of 1.9 than by university graduates. In addition, techncal college graduates require a longer training phase at the NPP before they are allowed to work on their own. Wit a vieh o furthet w r increasin e qualificatioth g n levef o l operating personnel, since 1983 engineers have been trained at the Dresden Technical University and the Zittau College of Engineering e brancheith n s "Nuclear Power Plant Technolog d "Nucleaan " y r Energy Technology".
In addition to a solid basic education, the specialist training in nuclear energy concentrates on the following priorities: nuclear power plant technology, thermohydraulics, reactor physics, operational and incident behaviour, dosimetry and radiation protection, safet d realiabilityan y , steam generatord an s heat exchanger n nucleai s r power plants, nuclear reactor technology, nuclear fuel management, and automation.
n appropriatA . 3 e e measurreliabilitth r fo e f actiono y s by the operating personnel is the human error probability. Related to abnormal events, the error probabilities of between " achieve10 e "Brund th an t a o d" Leuschner10 " Greifswald nuclear power plan e gooar t d value n respeci s o internationat t l experience e coursth n f thesI o e. e investigation a correlatios n betwee e humath n n error probabilit e e operastraith th n d o -nan y ting personnel (operating actions per year) could clearly be established (fig. 4) .
Overstrain t alsbu , o understrain, ten o increast d e probabilitth e y of maloperation. By an appropriate distribution of tasks among the various functions and by introducing computer-aided operator support systems, optimum e achievestraib n ca n d reducine th g probability of erroneous action.
153 10cn' CO
in c vt o E O) Q. O 10- cn co to in -*
E Q.
10 2 101 4 1 1 0 1 9 8 7 6 5 4 3 2 1
Operative action r yeape s r
FIG.4. Probability of faulty operation determined by the frequency of operating staff actions.
. 4 Summary
From the beginning of nuclear energy use in the GDR the behaviour of operating personne s beeha l n continuously recorde d perioan d - dically analyse d evaluatedan d o thiT . s end e comple,th x system r recordinfo d evaluatinan g e behaviouth g f operatino r g personnel has proved to be a useful means. Based on the results achieved, measures were adopted designe o furthet d r reduce erroneous actions by the operating personnel at the "Bruno Leuschner" Greifswald NPP. They have a positive effect on the overall reliability and safety of that NPP of those to be constructed in the GDR in future.
REFERENCES
Lehmann. R /!/ Schönherr. A , , Energietechni 5 (1985)3 1 k 20 . ,S
121 R. Lehmann et al. IAEA, CM-43, Tokyo 1988
/3/ IAEA, Safety Series Nr. 75-INSAG-l, Wien 1986
154 HUMAN RELIABILITY DATA SOURCES — APPLICATION IDEAD SAN S
P. PYY, U. PULKKINEN Technical Research Centr f Finlandeo , Espoo J.K. VAURIO Imatran Voim, aOy Loviisa Power Station, Loviisa Finland
Abstract Human reliability data source amone sar mose gth t problematic area probabilistia f so c safety assessment (PSA) study. On one hand there is a great deal of information on everyday human othee behaviouth n r o practicall t bu r dato yn specifin ao c rare transient scenario nucleaa f so r power plant. This proble developmene leas th mo ha dt t of generic human reliability data bases with coefficient multiplierd an s usee b r dfo o st plant specific circumstances. However, plant specific data, if available, is the best source of information of a human reliability analysis. This paper discusse efficiene th s t way f usinso g available sparse human reliabilty data. e currenTh t data source plan: e ar st specific event reports, interview f planso t personnel, generic nuclear event data reports, simulator test runexperd an s t judgment. The use of simulators provides the only possibility to repeat certain accident sequences several times with different crews. When interpretin resultse gth e possiblth , e effecf o t exercise th e considered.The situatiob o t s n ha incidenf o e accidend eus an t t precursor informatio updato nt humae eth n reliability model t planimportann a ge s o si tt y wa t specific data. Their utilisation lead earlo t s y warnin f possiblgo e event aidd n an ssi developing improved procedures, alarms and automation system. Possibilities to incidenf o improv e us e t dateth discussee aar papere th n di . Some practical efforts on the plant specific human reliability data collection and applicatio presentede nar . Furthermore, idea improvementr sfo discussede sar . Among them are the improved event sequence investigation to reveal the proper event contributors and the use of influence networks to study the impact of the identified contributors in a certain sequence. References to the work done in Finland and in the Nordic co-operation projects in the field of PSA are given.
1 INTRODUCTION
The main plant specific human reliability data sources are: simulator runs, event reports, interviews of plant personnel and plant maintenance procedures and practices. Simulator runs are an efficient way to collect data on transients, given that the simulator device is similar to the plant control room and the process simulation is good e effec f Th deviation. o t responsn i s e time measured an s s take a certai n ni n plant condition are discussed later.
155 planf o e t us even e importane Th tth datf o alss ae i oon t human reliability data sources. It normally reflects possible deviations from procedures and confusion among alternative diagnoses. Unfortunately, the event reports do not generally address situations wher operatine eth g personnel manage brino t s plane gth t int osafa e state before anything happens, especially if the deviation originates in a human error which is immediately corrected. Therefore, management activitie o t provids e better backgroun accideno dt t precursor reporting considerede havb o et .
The scarcity of plant specific event data leads to using worldwide event databases to extract usable data. There are, however, difficultie usinn i s g this data, whic partls hi y due to different plant types, differing subsystems and components, different administrative controls and varying operator training/experience levels, but also quite often limited detail reportse th f so .
The same problem is also implicitly included in the generic human reliability data bases (e.g. Swain&Guttman, 1981). The application of generic data requires expert opinio calibrato nplant e th t tdate fi conditions eth o at . Besides extene th , whico t t h the human reliability data bases are results of pure expert opinion is at least so far not clear.
In the following, some latest efforts to collect and apply human reliability data in Finland are presented. Furthermore, ideas for improved use of available data sources are presented.
2 EXPERIENCE FROM DATA SOURCES IN FINLAND
A 1 LoviisPS 2. P aNP
The human reliability data sources used at Loviisa plant include:
— plant specific events during about seventeen plant—years of operation
— simulator test—runs carrier planfo t tdou specific and generic studies
— generic and judgmental data for rare events not experience plante th t d.a
156 Besides assessing human error probabilities, there have been also other important objectives e.g. improvements of procedures, improved generic human error classification d developmenan s f operatoo t r aidse criticaTh . l function monitoring system (CFMS) studie Loviisae th t a s simulator (Hollnage , 1983al t e )l indicated that there was a substantial variation between the crews in terms of the number, order and timing of activities carried out during a given transient. It would be wrong to call all these deviation errorss sa , since non f the o r vereo mw yfe wer e critical fro safete mth y point of view. The lesson learned was that one has to define carefully the really critical actions durin a gspecifi c transien d focu e attentioan tth s n thoso n e actions only. Otherwise, a too pessimistic view about the error rates could be obtained .
Another simulator study (Norros The critical actions the operators have to take in a specific event sequence to avoid the core damag furthed ean r consequencies have been identified withi e ongoinnth g PSA. tase s beeTh kha n variour carriefo t dou s initiating event scenarios.Thd san e simulator is use o verifyt d , whethe e diagnosith r d decisioan s n making time e reasonablar s y estimated, and whether the observed response confirmes the probability estimates for diagnosi actiod an s n errors tesalse n ca otTh . poin t deficiencieou t proceduresn si . e methodologTh y use r assessinfo d g human error probabilities takes into account confusion between different transient similao t e sdu r symptoms, time reliability curves dependin e amounth n f simulatoo go t r trainin eacn go h transient, operator estimates simulatod an rtimin e testth f decisiof so g o othed nan r performance shaping factore du s qualite th o f t symptomsyo , lay-ou proceduresd an t methodologe Th . describes yi n di more details by Illman et al (1986). pre—accidene Datth n ao t tasks suc testss ha , maintenanc calibrationd ean somo t n esca extent be obtained from plant specific records. However, the data is generally scarce compare e objectivth o shoo dt t s we ha i.eerro e .on r probabilitie n beloi y e wa sw on hundred opportunities. Furthermore uncleas i t i , r which fractio thesf no e human errors is ever recorde s humada n originated s easiei t I . r fro personnee mth l poin f vieo t o wt blame hardware and design for the failures. In case of the Loviisa plant, a questionnaire 157 was develope o collect d t informatio l kindal f errorn o so n s thad occurredha t e Th . collection indicates approximately 10 errors per year, but the majority of them is unimportant from the safety point of view (Jänkälä et al, 1987). The majority of errors were detected immediately mose th td commoan , n a slicaus s p i.ewa e . carelessness, althoug hunuseo t abouwer e % 0 r edefectivdu d 2 o tfoun e b o dt e procedures. s becomha t I e obvious that datmeand r assessinaan fo s g human error probabilities e considereb nee o dt thren i d e mutually exclusive categorie f humao s n actionse th : pre—incident tasks (A) accidene th , t initiatin e post—incidenth gd erroran ) (B s t tasks (C). For category A errors the approach developed by Swain (1987) is considered as practical, except some refinement r repeatefo s d errors, written procedure impacd an t layout impact (Illman et al, 1986). For example, the 2 minute time separation between tasks cannot quarantee independence as claimed by Swain (1987). Administrative separatio locatiod nan alse nar o important factor preventinn si g repeated errors. Actual plant specific events shoul takee db n into account availablef i , , because thereveay yma l missing recovery factors e.g. inadequate displays, independent inspections or checking obligations. A systematic methodology for category B errors is largely missing. The data is highly plant specific due to varying layouts and practices. Actual plant specific events should alert the analyst for possible weaknesses in these aspects. Categor errorC y s includ diagnosiss i m e , slo r missinwo g diagnosi r decision(o s d an ) action errors (slips). Different method usee r analysinsar dfo assessmene gth eac d han t s highli y judgmenta eacn i l h case. Dat difficuls a i transferree b o t t d froplane mon o t t another because of different designs and practices etc. The following views can be expressed based on the human reliability data generation at Loviisa: — Symmetric confusion matrices shoul e replacedb d with asymmetric ones considering that a well practiced transient is less likely to be confused with an unfamiliar one than the other way around (Illman et al, 1986). — Qualitative terms such as skill, rule and knowledge based task categories shoul replacee db d with more measurabl transiend ean t specific traininr go familiarity categories , e amounbaseth n f dsimulatoo o t r practice given no each transient. 158 - The HCR (Worledge, 1988) method is extremely sensitive to the estimatio mediae th f no n time cree take th completwo t y nb diagnosie eth s anactione dth . Besides, user instructee ar s correco dt estimatee th t d time by factors depending on operator experience, stress and operator—plant interface. The best way to anchor the median time is, however, using plant specific simulator runs. If the median time is estimated by simulator runs, there is no justification to correct it by using the PSFs. 2.2 Other experience e analysi 1 Th OECD/NE3 f o s A Incident Reporting System reports (serial numbers between 500 and 699) has been performed by a group composed of the representatives of the two nuclear power companies of Finland (IVO and TVO) and the representative of the Technical Research Centre of Finland. The purpose of the analysis was to identify event contributor o studt e importancd e yth huma an se typth th f eo nd an e errors in the event sequences (Pyy, 1988). 22 events had occured in PWRs and 9 in BWRs. The analysis showed that approximately 4.5 root causes could be identified per incident. Together, 139 root causes were identified. From this number, 26 % were technical factors such as component faults and system ageing. About 21 % originated from individual slips and mistakes, whereas 34 % of the contributing factors were found o organisationat e du e b o t l reasons e.g. missing transient specific training, deficient supervision system, lack of information flow etc. This means that several operator errors are basicly due to other reasons than pure human failure. Besides, design contributed to about 19 % in the results. 4 cases1 n I , remarkable common cause failures coul e identifiedb d . When appearing wit e los f electricahth o s r controo l l systems they without exception caused extremely difficult situations, where the plant personnel had to improvise to bring the installation back into safe state again. One main obstacle of the work was that the 1RS—reports do not necessarily include enough information for a thorough analysis, which can result in bias in the results. Although this problem is widely known, it is especially true in the reports concerning human activities. This may reflect the personnel and plant management attitudes toward humae sth n factor problems. However levee th , l varie t dependinlo a se th n go countrplante th d . yan 159 A study performed durin yeare gth s 1985—198 Finnise th n 6i h process industries yielded quite similar results (Suokas & Pyy, 1988). Real event contributors could only be extracted by interviewing the plant personnel. The results of this study demonstrate als importance oth informatioe th f eo n exchang organisationad ean l factors ther e fo , yar extremely difficul foreseee b o t tsafet n i n y studies. Therefore a continuou, s attention paie b do t e.g repeates n o .ha d training. Besides Loviisa, plant specific knowledge base on the human errors in test and maintenance has also been used in the OIkiluoto NPP. Especially, human originated common cause failure safetn i s y systems have been under major consideration r thiFo .s purpose methodologa , experf o e us ty teame baseth n systematia ,do c procedura d ean special form has been tested. The form used is shown in Fig. 1 (Pyy & Saarenpää, 1988). Analysed by: Sy»t«m:«SO O*H:tS.4.1ttT I Peg «1(3: ) nolalon d*u:20,S.1MP P * PP. TS HCCF ANALYSI TESR MAINTENANCD SFO AN T E THE ERROR SECTON THE DETECTION SECTION COMPONENT TASK; TASK DETECTION Til CCf CONSEQUENCES MEASURES nEUARKS GROUP CCF SOURCE FRECUEHCY PROCEDURE FREQ. CLASS DIESEL Oil lev«! 1/w AGGREGATE Air leakages l/w Oil sample 1/6m Vibration lojl 1;8w Start le« î/2w Load but 1/m Trial run after outage A: FILLING A:WHEN THE FUEL HEEDCD RESERVOIR 1. Wrong fuel t. Diesels don't 1. Eventually BIC) t. A study on Are tampl« start or they detected In load th« tu«l quality taken f? stop In demand teal of In trial run A common B: CHANGING B: 1/2y tank ftxail L OI E OFTH the dl«»*i» AHO THE FILTER . Wron1 l goi 1. Dtos«ls clop IK It «vident that BSO 1. Dlettl How after a while wrong lubrican» r t Pl-dlagrama serwrtHr« Ift* not detected In ariouM b« dle»«le ar« •tart teshï and only updated! « o « toth mayb« In load and quality? vibration tests. Sample* and trial run should reveal the error alter the outage 2. Omission ol 2. Usua'.iy no 2. Detected. If See C 1. UnMoim oH changing harm blocked th«n no abov« filters u%ed start Mlets Figur forA . m1 e use colleco dt d screean t n possible common cause initiating human activitie maintenancetesd n si an t . e basiTh c principl methoe th f eo d use s thadi t human error maintenancn si onln eca y act as failure causes. This means that when mapping possible errors, the fault revelatio possibld nan e fault types consideree havb o et iden a possiblf at o d ge firs o t ty undetected human errors. 160 The experience from testing the method yielded about 20 CCFs found to be of major interest n additionI . , several minor CCfs were classified into lower risk categories causing evidently no significant risk. The discussion between the representatives of maintenance and operation generated many suggestions for improvements. The group felt the work was useful, because normally plant people do not think how things can go wrong e selectio e Th grou. th f pno peopl e importan b s see o ewa t n t froe resulmth t poin f view o e tanalysi Th . a mediu f o s m sized system took about 3—4 s hourswa t I . even found possible e session, th tha n i t s reasonable probability estimates coule b d generated instea coarsf do e screening. 3 DEVELOPMENT IDEAD SAN S influencf o e Us e1 diagram3. s Since ther e intrinsiar e c problem n determiningi s , whethe a persor n performea n o s skill, rul knowledgr eo e based level, more transparent concepts shoul foune db orden di r to aid the quantification (See 2.1). In post accident tasks, these could be e.g. the amount and quality of specific sequence training, crew experience, task complexity (includin time gth e windonumbee th d subtasks)f wan o r qualite proceduree th , th f yo s and the functioning of the alarm and control system. In order to model their influences influencn a , e network mode suggestes i l enablo dt compacea t presentation. Influence diagrams are discussed for example by Howard and Matheson (1984) and Barlow and Pereira (1987). Such causal models are useful in the decomposition of subevent extend an s d conversatio coveo nt calleo rs alse doth root causes humae Th . n actions essential in every nuclear transient sequence are the diagnosis, the selection of action e sexecutio th takee actiond th an nf o ns selected e feedbac th e rol f Th o e. k becomes salient only in the scenarios where ample time is available and generally an abnormal event is observed without difficulty. In the following, an application example in the Swedish Forsmark 3 manual depressurisation sequenc s presentedei e sequencTh . s beeeha n studie e Nordith n di c cooperation project NKA/RAS-470 supported by the Nordic Liaison Committee for Atomic Energy (Pulkkine , 1988)al t ne . Human error d commoan s n cause failuren i s PSA are the main objects of the project. The accident sequence, TrUX2, analysed within the reference study (Pulkkinen et al, 1988 s i compose) e losf th maio s f o nd feedwate n initiatina s a r g evenA (T t 161 unavailability of the auxiliary feedwater (U) and the failure of manual depressurisation e reactooth f r (Xg)e sequencTh . e contribute e totath lo s t corabou% e 90 tmel t frequency e even Th consist.U t s mainle quadruplth f o y e e auxiliarCCFth f o s y feedwater systemsequencee th n I e reacto. th , rmanualle b pressur o t s yeha lowered from 70 bar to about 11 bar to enable the coolant flow into the core from the core injection system. The depressurisation is performed automatically, if the reactor level reaches about -f-0.5 m point and high pressure exists in the containment (as in the LOCA case). Because such pressure is impossible in the loss of feedwater transient, the high pressure logie giveconditioe th bringinb y cb o o n t t e turnin d certais a th an n ha n gi i y t gi nke keyhole of the control panel. Then, after the level +0.5 is reached, the reactor blowdown is activated automatically. Althoug indicatione th h e quitar s e deaevidentld an r doubo n ye b tther aboun eca t e whaoperator th s i goin , ty e appeareluctanb on gma so t r o activatt t e th e depressurisation. This is mainly due to the fact that a sudden pressure relief causes an extended outage with degraded pressure vessel lifetime. Therefore s obvioui t i , s that the operating crew tries to restore the FWS and AFWS until it is necessary to launch blowdowne th . Other features increasing uncertaint thae placee yar th t ,y wherke e eth t completelfoune b no s o ii t sd time y th clea ed availablan r operatine th r efo g creo wt perform their t exactltaskno s si y known. Thus appreciabln a , e exten f uncertainto t s yi related with the sequence. examplee Inth tase th ,k characteristic complee fixee b sar o dt x with remarkable stress and time pressure and the crew is supposed to be well experienced. These assumptions simplify the model interactions. The availability of the instrumentation, the use of the instructions and the quality of the training on the sequence are considered as stochastic paramètre e influencth f o s e diagram describin e manuath g l depressurisatione Th . network is presented in Fig. 2. Figure 2. An influence network for the manual depressurisation of Forsmark 3 BWR reactor. 162 The stochastic nodes of our influence network model are described in more detail in Table 1. Table 1. The nodes of the influence network model Node Description Values of the variable ) (Ï 1 Stat instruf eo - 1 = 1: needed instrumentation available mentation 1 = 2: instrumentation unavailable 2 (Tr) Training specifi: 1 = r c T simulator training Tr = 2: general sequence training Tr = 3: no training 3 (P) Us proceduref eo s P = 1: procedures used p _ 2: procedures not used 4 (In) Interpretation of In = 1: correct interpretation the initiating In = 2: incorrect interpretation event 5 (S) Selection of S ~ 1: correct actions selected action s = 2: incorrect action selected 6 (A) Action A = 1: successful action A = 2: unsuccessful action The nodes 1, 2 and 3 (I, Tr, and P) are assumed to be independent on other nodes. The other nodes depen presentey f eacdo wa h e othe r evaluatinth figurn di Fo n i r. 2 e e gth error probabilit e manuath f o y l depressurisation e hav w ,o determin t e e jointh e t probability distributio e nodth ef no variables y v/rit e distributioma th ee W .e th n i n form: PCl.Tr.P.In.S.A) = P(AjTr,P,S).P(SjTr,P,In). 1 P(In|I,Tr).P(I).P(Tr).P(P)J where P(AjTr,P,S), P(S|Tr,P,In) and P(In|I,Tr) denote the conditional probability distributions of the variables A, S, and In and P(I), P(Tr) and P(P) are the probability distributions of the variables I, Tr and P. e quantitTh f intereso y s P(Ai t ) which represent e erroth s r probabilit f manuao y l depressurisation. In order to find this probability we have to determine the marginal probability distribution of the variable A by integrating the joint probability distribution ove valuee th r othef so r variables: SS S S S P(I,Tr,P,In,S,A). S n I P r T I 163 e probabilitTh y distributions P(I), P(Tr conditionae P(Pd th ) an d )an l distributions P(A|Tr,P,S), P(S|Tr,P,In d P(InJI.Tran ) e e needeevaluatioar th ) e n i th d f o n distribution P(A). If the nodes of the influence network are defined properly, the above probabilitie evaluatee b n sca d base actuan do l statistical evidenc judgementr eo r ou n I . case study we used judgemental estimates (Pyy & Pulkkinen, 1989). It is possible to develope the nodes further e.g. to include the effect of the time on the conditional probabilities explicitly, but it would lead to more complex network. Now, the time available is taken implicitly into account as one parameter affecting the task complexity. Apart froe simulatomth d experan r t usage e influencth , n alsca eo hel n eveni p t analysis. Current projects for enhanced event analyses such as ASSET (Swaton, 1988) have highlighted the importance of multilevel analysis of event sequences. This means in practice tha influence th t e diagram concep indirectls i t y used. principlen I , after observing set f correcso incorrecd an t t event f dependenso t variables one could use the probabilities of Eq. 1 within the bayesian framework to obtain updated probabilités for independent variables . At the beginning, noninformative distributions for the contributors can be used if there is no evidence about their effect. f influenco e us e diagramTh o modet s l event sequences mean n extensioa s e th f no current accident sequence modeling described e abl b o updatt eo T e even. th e t contributor probabilitie r thei(o s r distributions) mora , e generic classificatio f evenno t generatede b causeo t s sha . 3.2 Measure supporo st plane th t t reporting The conditions for using event information as human reliability data are: motivating e personneth r thorougfo l h reportin e conversioth d gan f qualitativno e event sequence to quantitative data. Organising event reporting is a difficult task. This means that e unavailabilitiee scramth eveth d f i nan s f safeto s y systems e reporteo ar t e du d regulatory requirements, near—event d unsafan s e plant conditions e.g. accident precursors restored without external consequences are seldom reported voluntarily. e greatesTh t obstacle preventin reportine gth e fea f punishmenth o r s gi t amone gth plant personnel, if their errors became public. The fear is quite normal human behaviour taking into account strict regulatory requirement d generaan s l historical 164 examples, where erroneous acts have been punished. Thus establishmene th , plana f o t t specific accident precursor reporting system requires independency of strict reporting rules thud an ,s understanding also fro regulatore mth y body. Als managemene oth t actions insid plane needee th ar t encourago dt personnee eth o t l report and safety significant problems, because interviews cannot be performed continuously. Anonymity shoul quaranteee db reportere th r positivd fo an s e response shown. Finally e cas, th als e n i otha o modificationn t o rewar n e mad ar d ss i dan e available e reportinth , g personnel shoul t immediatge d e feed—bac f theio k r reporo t t show them that the report is considered valuable. This is often forgotten in a reporting system. 4 DISCUSSION AND CONCLUSIONS Currently, there are only partial solutions to the human reliability data problem. More robus e collectet b datn aca d through repeated simulator runs with different, equally trained crews. Different attitudes due to differing experiences on rare plant transients among the control room crews have to be minimized by the training organisation through repeated feedbac planf ko t inciden near—incidend an t t information. Simulator exercises yield a great deal of evidence concerning reaction times and the time required for certain activities inside the control room. In the scenarios, where the interface wit othee hth r plant personne minimas time i l th ed availablan l shors ei e th t simulator represents the best possibility to generate human reliability data. However, contributor spreae resulte th th n n do si s shoul studiee db d more with methods sucs ha influence diagrams instea jusf do t referin skillo gt , rulknowledgd ean e based behaviour. e otheTh r data sources suc s expera h t opinio d incident/near—incidenan n t reports shoul combinee db generato dt e informatio morn o n e complex event sequences e.gn .o those including an appreciable amount of information exchange on certain organisational levels and actions outside the control room. Here, the major problem is e missinth g plant specific information, whic o somt h ee completeb exten n ca t y b d near—events composed of similar precursors as the event sequence quantified. An effort to enhance the accident precursor reporting is thus strongly suggested. The latest worldwide efforts to collect human reliability data (Worledge, 1988; Moieni , 1987al t e ) have show impossible nb tha t problee no th t y solveo et m ma . Howevere th , applicatio e datth af n o collecte d from other plant s difficultsi . Thus e planth , t specific 165 simulator, incident and near—incident data is irreplaceable. Also in future the only way solvo t e humath e n reliability data proble e combinatio th e availabl ms th i l al f eo n sources seen to be valid to give reasonably unbiased information on the situation. REFERENCES Barlow, R. & Pereira, C. 1987. The bayesian operation and probabilistic influence diagrams. University of California, engineering systems research center. Technical report, ESRC 87-7. Hollnagel, E., Hunt, G., Marshall, E. 1983. The experimental validation of the critical function monitoring system. HWR-111. OECD Halden Reactor Project, Halden, Norway. Further detail Finnisn si Makkoneny hb , 1984 ReporO L. , IV , t SYA-0083. Howard, R & Matheson, J. 1984. Influence Diagrams. In Readings in the principles and application decisiof so n analysis. Strategic decision group, Menlo Park , USACA , . Illman, L., Vaurio, J.K. et al. 1986. Human reliability analysis in Loviisa PSA. SRE Symposium 1986, October 14—16 1986. Technical Research Centre of Finland, Espoo. Jänkälä, K.E., Vaurio, J.K., Vuorio, U.M. 1987. Plant specific reliabilit humad yan n data analysis for safety assessment. IAEA conference on nuclear power performance and safety. Wien, Austria. Moieni , DombekP. , , HannamanF. , baseA . 1987G ,PR d A huma. n reliability catalog. PSA 1987 Conference. Zuerich, Switzerland. Norros Sammatti& . L , . 1986P , . Nuclear power plant operator errors during simulator training researcT VT . h report 446. Technical Research Centr Finlandf eo , Espoo. Pulkkinen , KuhakoskiU. , , Pyy . K. 1988, P , . Uncertaint sensitivitd yan y analysin a f so accident sequenc n Forsmari e 3 PSAk . NKA/RAS-^70(88)16. Technical research centre of Finland, Work Report SÄH/18/88. Pyy . 1988P , . Analysi f somo s e NEA/IRS reports containing significantly human actions (Yhteenveto eräistä merkittävissä määrin ihmisen toimintaa sisältävistä NEA/IRS raporteista). Technical Research Centr f Finlandeo , Electrical Engineering Laboratory, Work Report SAH 2/88. In finnish. 166 Pyy, P. & Pulkkinen, U. 1989. Treatment of uncertainties in human reliability analysis publishebe ProceedingTo the . din Sixtof s h EuReData Conference, Siena, Italy. Saarenpää& Pyy P , . 1988 methoT ,A . identificatior dfo humaf no n originated tesd an t maintenance failures. Fourth IEEE Conferenc Human o e n Factor Powed an s r Plants. Monterey, USA, June 1988. Suokas, J. &: Pyy, P. 1988. Evaluation of the validity of four hazard identification methods with event descriptions. Technical Research centre of Finland, Research Report 516. Swain, A & Guttman, H. 1983. Handbook of human reliability analysis with emphasis on nuclear power plant applications. Sandia National Laboratories, Albuquerque, NM, USA. NUREG-CR/1287. Swain, A. 1987. Accident sequence evaluation programme, Human reliability analysis procedure. NUREG/CR-4772. U.S. Nuclear Regulatory Commmission, Washington D.C. Swaton, E. 1988. The IAEA assessment of Safety Significant events team (ASSET) programme. International Symposiu e Feedbacth n o mf o Operationak l Safety Experience from Nuclear Power Plants. Paris, 16—20 May, 1988. Worledge, David. 1988. Interim results and conclusions from EPRI experimental operator reliability program. IEEE Fourth Conference on Human Factors and Power Plants. Monterey, California, USA. 167 LIST OF PARTICIPANTS ARGENTINA . J.MMr . GuaLa C.H.E.A. C.îï. Atuchai Argent ina . G.JMr . Caruso C.H.E.A. GCIA Prot. Rady Seg Centvo Atomico Ezeiza Acropuerto InternacionaL Ezeiza Buenos Aires Argentina Tlx. 23462 ceaprs F1BLAMP y Py . P . Mr Technical Research Centre of Finland PL 34 02150 ESPOO Finland 455011Tlx0 8 35 : 5 G.D.R Mertin. M . Mr s Staatliche t fueAm sr Atomsicherheit und Strahlenschutz beim Ministerrat der Deutschen Demokratischen Republik Waldowallee 117, Berlin German Democratic Republic Mr. P. Glasner VE Kombinat Kernkraftwerke "Bruno Leuschner" Greifswald GDR - 2200 HUHGARY Mr. T. Szikszai Huclear Power Plant Uzemviteli O. 7031 Paks Pf71 Hungary 1HDIA Rajasaba- U . Mr i Nuclear Power Corporation Madras Atomic Power Station P.O. Kalpakkam Pl»:603102 India 169 IHD1A (cont.) Mr. K. Subramanya Atomic Energy Regulatory Board OPSD/AERB Central Complex, 4th Floor Bhabha Atomic Research Centre Bombay-400085 India Mr. G. Govindarajan Bhabha Atomic Research Centre Reactor Control Division Bombay-85 India-400085 ISRAEL Hert. Y . zMr IsraeC lAE Licencing Division P.O x 706.Bo 1 Tel-Aviv 61070 Israel ITALY Mr. Antonino Ruffa EMEA Via Vitaliano Brancat8 i4 00144 Roma Italy JAP AH Mr. A. Kameda Institute of Human Factors Nuclear Power Engineering Test Centre Fujita Kariko Building 3.17.1 Toranomon, Minato-Ku Tofcyo/Japan Mr Kabetan. .T i Human Factors Research Center Central Research Institute of Electric Power Industry 2,11.1. Iwato-Kita Komae-Shi Tokyo 201/Japan POLABD Ms. W. Stepien-Rudzka Central Laboratory for Radiological Protection ul. Konwaliowa 7 03-194 Warsaw Poland SPAIH Mr. A. Garcia TECHATOM C.M.I. Km. 19 Madrid-Irun Madrid/Spain 170 SPAIN (cont.) Ms. J. Nunez C1EMAT Avda Complu tens2 e2 280AO Madrid Spain SUEDE» J-P. Mr . Bento Nuclear Trainin Safetg& y Centre S-61182 Wytcoping Sweden Tel, 46-155-60700 fax: 46-155-63074 Ms. Lena Jacobsson Swedish State Power Board 16287 Vaellingby Sweden Tel.: 46-08-7397231 UNITED KINGDOM G.D. Mr . Collier CEGB (HSD) Room C819 Newgat5 1 e Street London EC1AY .7A United Kingdom Ms. A.M. Jerikins DKAEA. Safet Reliabilit& y y Directorate Warrington/Cheshire United Kingdom Tel.: 0925 31244/4354 Mr. A..U. Livingston HRA. Ltd. Dalton, Wigan Lancashire United Kingdom Tel.: 02576/3121 Mr. .P CEGB Sizewell 'B* P.M.T. Booths Hall Knutsford/Cheshire United Kingdom Tel.: 0565/82676 U.S.A. Valeri. Ms e Barnes Battelle-HARC P.OC-539x Bo . 5 Seattle/Washington, 98105 U.S.A. Tel.: 206-525-3130 171 YUGOSLAVIA. . SfcoM . f Ms University Institute of Occupational Traffic& Sports Medicine Ljubljana, Korytkov7 a Yugoslavia Tel.: 061/317861 IAEA. Niehaus. F . Mr , SENS Toroic. B . Mr , NEKS Mr. V. Tolstykh, WEHS Mr. V. Neboyan, NENP Scientific Secretaries Mr. M. Dusic, BENS Ms. E. Swaton, NEHS o CO o o 172