Ti>e ' AHA does not normally maintain stocks of reports in this series. However, microfiche copies of these reports can be obtained from l h IS Clearinghouse Internationa! Atomic Energy Agency VVagramerstrasse 5 P.O. Box 100 A-1400 Vienna, Austria Orders should be accompanied by prepayment of Austrian Schillings 100, an the form of 3 cheque or in the form of IAEA microfiche service coupons whicrs may be ordered separately from the INIS Clearinghouse,HUMAN ERROR CLASSIFICATION AND DATA COLLECTION IAEA, VIENNA, 1990 IAEA-TECDOC-538 ISSN 1011-4289 Printed by the IAEA in Austria January 1990EDITORIAL NOTE In preparing this material for the press, staff of the International Atomic Energy Agency have mounted and paginated the original manuscripts as submitted by the authors and given some attention to the presentation. The views expressed in the papers, the statements made and the general style adopted are the responsibility of the named authors. The views do not necessarily reflect those of the governments of the Member States or organizations under whose auspices the manuscripts were produced. The use in this book of particular designations of countries or territories does not imply any judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and institutions or of the delimitation of their boundaries. The mention of specific companies or of their products or brand names does not imply any endorsement or recommendation on the part of the IAEA. Authors are themselves responsible for obtaining the necessary permission to reproduce copyright material from other sources.PLEASE BE AWARE THAT ALL OF THE MISSING PAGES IN THIS DOCUMENT WERE ORIGINALLY BLANKCONTENTS 1. HUMAN ERROR CLASSIFICATION AND DATA COLLECTION - GENERAL ..... 9 1.1. Introduction ......................................................................................... 9 1.2. General objectives of human error classification and data collection .................... 10 1.2.1. Human error classification ............................................................. 10 1.2.2. Data collection ............................................................................ 11 1.2.3. Interaction of human error classification and data collection .................... 12 1.3. Specific objectives of human error classification and data collection .................... 12 1.4. Current situation ................................................................................... 14 1.5. General remarks/possible ways forward ....................................................... 15 2. QUALITATIVE DATA COLLECTION AND CLASSIFICATION ........................... 17 2.1. Introduction ......................................................................................... 17 2.2. Data requirements ................................................................................. 17 2.2.1. Why qualitative human error data should be collected ........................... 17 2.2.1.1. Plants ............................................................................ 18 2.2.1.2. Researchers .................................................................... 19 2.2.1.3. Community/authorities ....................................................... 20 2.2.2. Data limitations ........................................................................... 21 2.2.3. Factual information ...................................................................... 22 2.2.4. Information based on subsequent analysis and judgement ....................... 23 2.2.5. Collection .................................................................................. 23 2.2.6. Classification .............................................................................. 24 2.2.7. Feedback of data ......................................................................... 24 2.3. Promotion of plant specific human error reporting ......................................... 25 2.3.1. Management culture ..................................................................... 25 2.3.2. Safety awareness training of plant staff .............................................. 26 2.3.3. Repeated management actions to promote reporting .............................. 26 2.3.3.1. Organization of reporting system .......................................... 27 2.3.3.2. Benefit from the reporting system ......................................... 28 2.4. Recommendations .................................................................................. 29 3. QUANTITATIVE DATA COLLECTION AND CLASSIFICATION ......................... 31 3.1. Introduction ......................................................................................... 31 3.2. Data and techniques ............................................................................... 31 3.2.1. Technique for human error rate prediction (THERP) ............................ 32 3.2.2. Accident sequence evaluation programme (ASEP) ................................ 32 3.2.3. Human cognitive reliability correlation (HCR) ..................................... 33 3.2.4. Maintenance personnel performance simulation (MAPPS) ....................... 33 3.2.5. Operational action tree (OAT) ......................................................... 34 3.2.6. Success likelihood index methodology (SLIM) ..................................... 35 3.2.7. Socio-technical approach (STAHR) ................................................... 353.3. Possible data sources .............................................................................. 35 3.3.1. Nuclear power plant experience ....................................................... 36 3.3.2. Use of simulators ....................................................................... . 36 3.3.3. Expert opinion ............................................................................ 37 3.4. Conclusions and recommendations ............................................................ . 37 3.4.1. AxCtual situation ........................................................................... 37 3.4.2. Suggested future improvements ....................................................... 38 4. PROPOSAL FOR A CO-ORDINATED RESEARCH PROGRAMME ...................... . 40 4.1. Co-ordinated research programme .............................................................. 40 4.2. Overall objectives of the CRP ................................................................... 40 4.3. Research and discussion topics .................................................................. 41 4.4. Products of programme ........................................................................... 42 APPENDIX 1. FACTORS AFFECTING HUMAN PERFORMANCE ............................ 43 ANNEX. PAPERS PRESENTED AT THE MEETING SSPB activities on analyzing human performance problems .......................................... . 47 L. Jacobsson An approach to human error minimization in PHWR safety related operations .................... 51 G. Govindarajan Human errors — human caused, environment caused ................................................... 61 K. C. Subramanya Human reliability data collection for qualitative modelling and quantitative assessment .......... 71 D.A. Lucas, D.E. Embrey, A.D. Livingston Collection, analysis and classification of human performance problems at the Swedish nuclear power plants ........................................................................................ 83 J.-P. Bento Human characteristics affecting nuclear safety ............................................................ 95 M. Skof Human reliability models validation using simulators ................................................... 103 M. de Aguinaga, A. Garcia, J. Nunez, A. Prades Outline of the development of a nuclear power plant human factor data base ..................... Ill A. Kameda, T. Kabetani Human error classification and data collection — survey in an Indian nuclear power plant ................................................................................................... 127 N. Rajasabai, V. Rangarajan, K.S.N. Murthy Possibilities and necessity of the human error data collection at the Paks nuclear power plant ................................................................................................... 141 T. SzikszaiHigher operational safety of nuclear power plants by evaluating the behaviour of operating personnel ...................................................................................... 147 M. Mertins, P. Glasner Human reliability data sources — applications and ideas ............................................... 155 P. Pyy, U. Pulkkinen, J.K. Vaurio List of Participants ............................................................................................. 1691. HUMAN ERROR CLASSIFICATION AND DATA COLLECTION - GENERAL 1.1 Introduction Awareness of human factors and human reliability has increased significantly over the last 10 to 15 years primarily due to major catastrophes that have had significant human error contributions, e.g. Three Mile Island, Challenger space shuttle, Chernobyl. Each of these and other incidents have identified different types of human errors and failings; some of which were not generally recognized prior to the incident. Due to the results of these events it has been widely recognized that more information about human actions and errors is needed to improve safety and operation of nuclear power plants. For a long time the Fault Assessment/Reliability world realized it needed data on component and system failures and created schemes for collecting suitable data. Probabilistic Safety Assessment (PSA) studies have started to incorporate human actions and errors; PSA specialists are now demanding human reliability data to incorporate within PSA models. The initial attempts to collect human reliability and error data were to review existing plant data collection schemes and extend their coveraya to identify failures due to human errors. Recently schemes have been started that are dedicated solely to the collection of human error data, or the analysis of human performance related plant events, e.g. the Institute for Nuclear Power Operations' Human Performance Evaluation System. (INPO's HPES) Analysis of human error data requires human error classification. As the human factors/reliability subject has developed so too has the topic of human error classification. The classifications vary considerably depending on whether it has been developed from a theoretical psychological approach to understanding human behavior or error, or whether it has been based on an empirical practical approach. This latter approach is often adopted by nuclear power plants that need to make practical improvements as soon as possible.This document will review aspects of human error classification and data collection in order to show where potential improvements could be made. It will attempt to show why there are problems with human error classification and data collection schemes and that these problems will not be easy to resolve. 1.2 General Objectives of Human Error Classification and Data Collection There are a variety of general objectives for human error classification and data collection. The three obvious overall objectives are: I. to provide qualitative improvements to plant safety, i.e. identification of human error problems and introduction of measures to reduce or prevent those human errors that are related to safety; II. to provide qualitative improvements to plant performance/availability, i.e. identification of human error problems and introduction of iseasures to reduce or prevent those errors that affect plant performance/availability; III. to provide numerical data for use in PSAs or other safety studies. These are discussed in greater detail in Section 1.3 of this report 1.2,1 Human Error Classification There are many different human error classifications, which are being generated to assist, analysis of human error and behavior. Hence the classifications are dependent on the objectives of the analyst. A psychologist may be interested in understanding the psychological causes of a human error to compare with a theoretical model. A nuclear power plant engineer will want to classify human errors in a way that enables practical error reduction steps to be taken quickly. In both cases the human error classification allows human error data to be handled and "root causes" to be classified. However, there is likely to be considerable variance on what each classes as a "root cause". The plant engineer may well define root causes along a practical basis, e.g. 10deficient procedures, lack of training. A psychologist may prefer to use "root causes" related to a theoretical psychological model of human behaviour, e.g. Rasmussen's skill-rule-knowledge triangle. The Generic Error Modelling System (GEMS) is an example of such a human error classification. An example of a more practically based system used in India is presented in one of the papers given in the Annex. In all cases the human error classification is used to assist the analyst to achieve his or her own objectives. As there can be many different objectives for analysing human behaviour there are many different means of human error classification. 1.2.2 Data Collection At first sight data collection may not appear to be a problem area; all we need is information on human behaviour and errors. Unfortunately/ this is far more difficult when considered more carefully. The purpose of data collection is to provide all necessary information for the analysis being undertaken, However, as discussed above (and in more detail in section 1.3 below) there are a wide variety of objectives which require different types of information for the analysis. For example, improvements to a specific plant operation only requires information about errors on that plant; while data for a "generic" PSA data base must provide information on the number of errors/failures, the number of attempts, and present details on the plant where the incidents occurred so that the applicability of the data to other plants can be determined. There are many other problems associated with human error data collection. If we know what information is required how can that data be obtained from operating plants? There can be considerable problems in encouraging operating staff to provide information; are the requirements of the data collection scheme excessive when considered against other duties the staff must perform; are the staff and management made aware of the importance and potential of collecting data; can the staff provide the information being requested? 11Current data collection schemes often contain two basic types of information: (i) factual information: e.g. time of day, plant configurations, pressure/temperature readings. (ii) subjective information - the reporter or assessor's interpretation of the errors or events. It is important to be aware of the biases that this part of the data can have on the final assessment, especially as the new dedicated human error data collection schemes attempt to obtain more of this type of data. The types of biases, that are likely to be seen in incident or event reports are for example: plant staff may be reluctant to accept responsibility for errors or to attribute errors to co-workers, they may forget important facts about the event over time, they may be unaware of the causal influences on their behaviour, and they may cover up facts for fear of reprisals. 1.2.3 Interaction of Human Error Classification and Data Collection From the discussions above (Sections 1.2, 1.2.1, 1.2.2) it becomes apparent that Human Error Classification and Data Collection are very closely linked together and their requirements depend on the overall objectives of the analyst. This probably goes a long way in explaining why there are many discussions arid disagreements about the requirements of human error classification and data collection schemes - there are a wide range of possible objectives. It also follows that a "global" data collection scheme will be extremely difficult, if not impossible, to create. In order to provide all the necessary information for a wide variety of objectives a large amount of information about each human error would need to be provided. Even if this could be done it would require a very powerful and sophisticated computer system to allow effective use of the collected data. Further, because of possible reporting biases, the data may be inaccurate or misleading. 1. 3 Specific Objectives of Human Error Classification and Data Collection Section 1.2 indicated that there are a wide variety of overall objectives for human error classification and data collection and that three main broad areas were the main interest of the nuclear power 12industry. These objectives are considered in more detail below showing some problems and data requirements for each. a) Qualitative Approach to Improve Plant Performance Availability. The objective of this approach is to collect information on human errors or poor human performance which affect the plants' performance/availability and devise means to reduce or prevent errors and improve performance. All aspects of on-site personnel may be considered and management and organizational issues could be addressed. The data collection scheme needs to define which events/errors must be reported and due to the larger number of incidents included must ensure that all information needed for classification and analysis is documented in the initial reports. The main problems are likely to be defining which events to report and handling the large number of incidents that would need to be included in safety studies. b) Qualitative Approach to Improve Plant Safety This appears to be the category in which most current data collection schemes fall. The objective of this approach is to identify errors and events which could degrade plant safety or provide a potential for risk and then devise means to reduce or prevent these errors. The types of topics to be considered are defining the safety significant events to be recorded (errors leading to technical specification violations, defined initiating events, "near-misses" etc. could all be included); having a screening system to identify events needing more detailed study; encouraging staff to report events. The data required will depend on the classification scheme being used and whether improvements are only sought for the plant involved or whether "generic" improvements are intended. For the latter, plant specific data must be collected so the applicability of the improvement can be judged L..-Ï. other plants. 13c) Quantitative Information for PSA Use This is probably the area where there is most dissatisfaction with human error data collection. PSA specialists are familiar with plant data collection schemes providing component reliability data for use in the PSA models and are dissatisfied when human error data collection does not provide them with similar information. Data collection for PSA uses can be split into two general categories. i. to be used with a human reliability method to generate data thought to be applicable for the plant being assessed e.g. to replace h.e.p.s. from NUREG/CE-1278 directly with plant specific data; specific calibration points for use with SLIM-MAUD or Paired Comparisons. ii. to replace theoretical models and reliability methods with appropriate empirically derived data. There are a great many problems with data collection to generate information for use in PSAs. The following are some of them: - "success" or number of attempts information is needed as well as error recording ; this is a fundamental difference from the qualitative approaches. - many of the significant errors modelled in PSAs are for rare or "infrequent" events (eg. large LOCA) and so no real data can be collected, only simulator studies; perhaps with problems of simulator modelling limitations e.g. performing enough studies to give numerical information; correlation of human performance on a simulator to real-life etc. - there is a wide range of human reliability methods; each requires different types of data. - plant specific data are desired; information is needed to modify any "generic" data for the plant being assessed. 1.4 Current Situation The initial response for human error data collection was to modify or expand existing component reliability data schemes to consider human error as a cause of an incident or failure. Unfortunately, there was 14often a lack of uniformity of the human factors data reported and a reluctance of plant personnel to report or attribute incidents and failures as being due to human error. Recently dedicated human error data collection schemes have been created in an attempt to obtain better human error information e.g. Human Performance Evaluation System (HPES). These schemes appear to have made improvements and certainly have enabled qualitative assessments to be undertaken more easily. They have still not provided benefits for those seeking quantitative data for PSA users. The previous sections have perhaps given an indication of the problems stemming from the fact that different objectives have different human error classification and data requirements. This is coupled with the practical problems of obtaining the data even if we know what we want. All data collection schemes require the co-operation of operating staff and all the requirements must be practically achievable. 1. 5 General Remarks/Possible Ways Forward These comments are put forward for consideration and may help understanding and advancement of the topic. - human error classification and data collection are closely linked; they both depend on the overall objectives of the analyst using them, - there is a wide range of overall objectives possible even within the nuclear power industry, classification and data collection must provide real benefits to warrant the expenditure on them, - they must be practical i.e. within the ability and co-operation limits of the plant personnel, - excessive requirements may devalue data collection schemes if they force plant personnel to provide poor quality information or limited reporting, it is not clear that a "global" human error data collection scheme can be created due to the wide range of objectives and differing data requirements. 15data collection to provide qualitative improvements on a plant specific basis seems very possible and useful. Many schemes are well developed, data collection for numerical assessments in PSAs has many problems to overcome and it is likely to remain a "fruitless" area for the foreseeable future. 162. QUALITATIVE DATA COLLECTION AND CLASSIFICATION 2.1 Introduction It has been recognized that the improvement of safety management, loss prevention and plant-specific error reduction can be made by the systematic use of human error data. To facilitate this, it is the objective of the IAEA to promote the collection and classification of qualitative human error data. The purpose of this chapter is to provide advice and recommendations on appropriate methods for qualitative human error data collection and classification. 2.2 Data Requirements 2.2.1 Why Qualitative Human Error Data Should be Collected The first stage is to give more detailed consideration as to why qualitative human error data should be collected. A list of key words/concepts was compiled from suggestions of the technical committee members. These included: Improved safety Improved availability Error reduction Improvements in: operator performance man-machine interface (ergonomics) procedures communication safety management (control, awareness) training Dissemination of experience: in plants or organizations to external organizations Exchange of information/experience between plants/organizations Improvements in training Selection of personnel Motivation Promotion of a safety culture and co-operation of workers Improved understanding of error mechanisms (root causes) Improved modelling Validation of methods/scrutability Ways of structuring these concepts were then considered. 17It was noted that there could be a 'top-down1 or a 'bottom-up* approach. Starting at the top, the crucial reason for collecting data is to improve "safety management" as a whole and from there to reduce error at all levels. The bottom-up approach would first consider the error mechanisms in specific events and from there to pass this understanding up through the management chain. Owing to the interconnection and interdependence of many of the above concepts, it was considered difficult to make progress in prioritization of this sort. Instead, the identification of potential end-users of the data provided a more amenable basis for ordering these concepts. Three categories of end-users were identified: 1) Plants 2) Researchers 3) Community/Authorities It was recognized that the reasons for collecting and classifying data for each end-user would be different since each end-user has different objectives and different data requirements. Each potential end-user was then considered. 2.2.1.1 Plants Reasons for Collecting Qualitative Data Plants are interested in the discovery, collection, classification and understanding of events for the purposes of developing PLANT-SPECIFIC ERROR REDUCTION STRATEGIES. In particular, they wish to improve work organization and operator performance at an immediate and practical level. Plants are also interested in the dissemination of information both internally and externally with a view to exchange information. 18The dissemination of information is particularly important to plants in relation to growing awareness of the importance of safety and, in particular, an awareness of the importance of the individual's behaviour. Thus raising of awareness should help to generate a safety culture wherein plant personnel are not afraid to report their own or others' errors and wherein management adopt a more error-tolerant policy. It was noted too that there is a need for evidence from data to validate methods as well as to develop and improve safety management systems and quality assurance. Potential Sources of Data The main sources of data of value to plants are: a) Internal event reports b) External event reports c) Near-miss reports/precursors d) Violations e) Maintenance reports f) Plant log books g) Simulators Most of this information with the exception of item (b) is essentially plant-specific information. Additionally, simulators are currently the best available source of surrogate data in highly redundant technologies where accidents are rare events, such as nuclear facilities. Simulators can be used to solidify training and to create an industry wide database helpful to every plant operator. 2.2.1.2 Researchers Reasons for Collecting Qualitative Data Researchers require qualitative data in order to examine and understand the root causes and mechanisms of human error for the purposes of modelling. As a result of improved modelling and human performance evaluation, detailed error reduction strategies can be developed which may be of specific or general interest. 19Potential Sources of Data The main sources of data of value to researchers are: (1) Generic data for modelling (2) Simulations and, when conducting specific human performance evaluation studies, for example, some plant-specific data such as those listed above might be required. The ease with which plant-specific data can be used by researchers depends heavily on the relationship between the researcher and the plant from which the data arise. Plant-specific (human) failure information must be supported by plant design and procedural information. Use of this failure data remotely, without access to supporting information, could be very misleading and, in many instances, meaningless. It was noted that the desire to centralize or gather plant-specific information for use by other countries or organizations could present some difficulties in this respect.(e.g. it is difficult to use USA LERs in a meaningful way for certain studies because critical, supporting technical information is not readily accessible in sufficient detail by outside organizations). The use of plant-specific data by researchers operating in direct contact and co-operation with plants does not present the above problem (of course, there are still the usual difficulties in eliciting information from personnel). 2.2.1.3 Community/Authorities Reasons for Collecting Data The principal reason for the collection of data by regulatory authorities or governmental organizations (local, national and international) is for monitoring major safety issues with respect to operations in accordance with rules, directives, licenses and legislation etc. 20Potential Sources of Data The primary source of data of immediate value to these organizations is LER type data (e.g. NUREG/USNRC) 2.2.2 Data Limitations Each source of data has its limitations. a) LERs have, for human error studies, been found to be very vague and incomplete, LERs are not produced specifically for human error issues. b) There is a need to define what near-miss reporting constitutes and it is essential that plant personnel are made aware of their responsibilities in this respect. c) Existing procedures like HPES are not detailed enough and consideration must be given to potential developments and the subsequent data requirements. d) Simulator results have inherent bias owing to such things as differences in attitudes and stress levels between real and simulated conditions. For the purposes of the discussion in the following section, only events identified through incident reporting are considered. This is essentially because the committee took into consideration the enormousdemands made on operators, in addition to their normal duties, when they must report on incidents, and it was considered unreasonable to achieve more comprehensive recommendations within the time available to the committee. It was also noted that it would probably be necessary for the IAEA to utilize the existing national collection systems in creating a centralized information system. There are two levels of detail in event description; given a series of sub-events, direct causes can be identified for the sub-events and their root causes can be identified by means of detailed analysis. The crucial question is whether sufficient information for root cause definition can be obtained from the information provided by plant personnel (now or in the future). 21It was noted that data could be divided into: VERIFIABLE FACTUAL INFORMATION at the direct cause level, and INFORMATION INTERPRETATION at the root cause level, (See Fig. 1) ^ Sub Ev-1 " — • — — Direct[ cause x>" Sub Ev-2 ~-^ J Direct cause \_ \ Root \\RootVRoot \\ Root Cause\\Cause)ACause\l Cause Sub Ev-3 Direct cause 1 Root 1 Cause Plant-Specific Corrective Actions Specific and Generic Long-Term Solutions Figure 1. Causal Factors 2.2.3 Factual Information The collection of factual information is currently carried out in Incident Reporting Schemes, e.g. LERs. In order to meet human reliability requirements, however, a more structured approach may be required. The following framework may be of some guidance: Incident specific factual information can be provided by the plant personnel and can be collected in a pre-coded format and/or free text format. However, it may be useful to appoint a plant coordinator, who would be a member of the utility staff, whose responsibilities could be data collection through the medium of structured questionnaires and interviews. One of the benefits of this type of approach is to reduce the bias induced when detailed analysis occurs some time after the original event has been reported. This type of immediate investigation system permits clearer insight and judgement as to the causes and contributory factors. As an overview some of the factual key issues to address for each sub-event in a scenario (see Fig. 1) would be in relation to: 1) Who was involved in the incident? What was his role/responsibility etc? What was his area of work? e.g. maintenance, operations etc? 222) What happened? What were initial plant/system conditions before the incident? What was required of the plant personnel (task objective)? Did he have to follow a procedure? Was he following a managerial directive? Was he using equipment e.g. in calibration or monitoring? What was done or not done? What were the critical deviations from the norm? What operator support was available? What control was imposed on the plant personnel e.g. supervisory; QA. 3) When did the sub-event happen? Not only is it important to know the date and time but it is also essential to note whether it was day or night shift or at shift changeover. 4) Where did the sub-event happen? e.g. control room or plant etc. 5) What were the causal factors contributing to the human errors? e.g. fatigue, missing or inaccurate information in the procedures, high ambient noise levels that inhibited communication, perceived management pressure to complete the task quickly, interpersonal conflicts, drug or alcohol abuse, etc. 2.2.4 Information Based on Subsequent Analysis and Judgement The How? and Why? questions regarding an incident rely to a greater or lesser extent on analysis and judgement. First of all it should be considered how this information can best be collected, then how it may be classified. This then leads to an indication of how this data can be used at: a) the plant specific level and b) the generic level 2.2.5 Collection Further responsibilities of the plant coordinator, mentioned above would be to elicit more judgemental information by direct questioning of plant personnel, e.g. How did you...................? and Why did you...................? and also by establishing relevant performance influencing factors. e.g. Task complexity Level of training 23Experience of the operator Frequency of task performance Conflicting demands Additional demands Communication requirements Stress levels Decision-making It is essential for the plant coordinator tc find answers to these questions since plant personnel either would not be able to answer them in full or could not give unbiased, impartial responses. 2.2.6 Class] f ica_tip_n Based on this coarse grain questioning, it may be possible to establish a general category of cognitive behaviour associated with the incident. This is by no means the only classification but it may be useful for the identification of root causes possibly in further expert analysis. It is also suggested that other methods of classification should be considered before implementation. It was also noted that an attempt must be made to avoid the temptation to always place blame on operator deficiencies. It is in fact the aim of root cause analysis to detect deficiencies in all parts of the system which INDUCE human error. To home in on specific root causes, it may be useful to adopt an iterative approach such that having established a general behavioural category, the plant coordinator would then pursue more detailed discussions with the operator to determine how and why the error occurred. It may become apparent chat the plant coordinator requires expert assistance to arrive finally at the ultimate root causes. 2.2.7 Feedback of Data Plant-specific data provides valuable information as regards the development of error reduction strategies aimed at preventing recurrence of the incident in question. 24It is suggested that an additional role of the plant co-ordinator would be to ensure feedback of this information to all levels of management and operators c.f. Section on Safety Awareness Training (2.3.2.)- In addition, upon expert analysis and synthesis of the data, generic principles of error reduction may be established. These may be useful in providing design and safety recommendations for new utilities and/or retrofits. It might also provide general human factors information for the benefit of high risk industries. 2.3 Promotion of Plant Specific Human Error Reporting Plant specific human error information has been generally recognized as a problem. Although reports on safety significant events such as LERs are made, no data on situations where operators have succeeded in recovering their errors exist in documented form. To enhance human error reporting the following areas have to be considered: management culture, safety awareness training of plant staff and repeated emphasis on safety. In the following, these subareas are discussed with practical questions of how to organize the reporting. 2.3.1 Management Culture Basically, the existence of a safety oriented, and as far as possible, non-punitive management culture is a necessary precondition of human error reporting. This reporting is generally strongly coupled with the reporting on observed safety hazards (accident precursors), near-miss situations and violations of procedures. Although there may be little to do if the managers do not see the advantages of safety and availability related human error information, practical examples of how reporting could protect plants from e.g. repeated scrams should be given. It should be emphasized that a non-punitive system is the only way to generate information on non-observable human error, i.e. error with no major consequences. Another task related to the management culture is to help the managers to see their role as a part of a plant system. This means that besides plant personnel and technical failures management might also have 25an impact on disturbances and accidents. Although the organizational contribution might be delayed and vague from a certain event point of view, it can still affect plant safety as a common root cause in several event sequences. This should be taken into account by the management and event investigator, when planning modifications related to e.g. organization, procedures and plant system documentation. 2.3.2 Safety Awareness Training of Plant Staff The personnel (shift crews, maintenance personnel) who are expected to report on human errors in SERs, LERs, near misses and accident precursor reports should be given information on the nature of human error. The training should emphasize the importance of including human error in the safety awareness culture. The general safety attitude should also include the concept that one should view one's own actions as having a potential for error. The training programme should include general training on human factors issues, and also specific training on errors and why they occur. Training on PSA techniques could also be included to exemplify how safety hazards could be identified and reported. A safety awareness culture that puts an emphasis on analyzing human errors must be well accepted among the plant personnel. A task force could therefore be formed among the operators and maintenance personnel to promote and encourage the reporting. It is also important to stress that this implementation of a safety awareness culture takes time. When trying to change attitudes, and especially towards one's own behaviour, one must be given time. 2.3.3 Repeated Management Actions to Promote Reporting The management must put a continuous and repeated emphasis on the fact that reporting and analyzing human errors is important in keeping and improving the overall safety level. This could be done through encouraging the reporting of general difficulties in handling the equipment. During retraining, repetition of important human error related events should be included. The management should give 26non-punitive feedback on the reporting and they must show the personnel that they are not punished for reporting. Promoting reporting, collecting and analyzing human errors are activities for which resources must be dedicated at the plant, for example by having a full-time coordinator. 2.3.3.1 Organization of Reporting System Simplicity versus data preservation The reporting should be simplified and the proforma should be simple to use. However, it is important that whenever possible first hand information should be preserved. Potentially, this might be in the form of free text if a coded format would be too restrictive. As experience grows in collecting human performance data, it might be clear that certain root causes and/or types of errors appear frequently so that, over time, a form can be developed that is useful to collect data on the large majority of events, and free text descriptions would only be necessary for rare or highly safety significant events. Anonymity of reports The management should develop a non-punitive attitude in the case of human errors as indicated above. However, it is suggested that there is no need to include the name of the person who was involved in the incident in the report. Probably, the head of the operating or maintenance unit or the plant coordinator would keep the information referred to above. A difficulty with the in-plant coordinator role is that he or she would have to have the trust of the plant staff that their anonymity would be preserved by this person and that he or she could not be pressured by management or by regulators to reveal identities. Because it was impossible to establish such trust, the Aviation Safety Reporting System (ASRS) asks personnel to send their reports directly to the ASRS and ASRS personnel then telephone the reporters to obtain any additional information, The ASRS has found this high degree of assurance of anonymity to be essential to motivating members of the aviation community 27to report. However, sending the reports off-site for analysis would prevent plant managers from gaining the information to improve plant safety or performance in cases of near-misses, precursors, etc. It would also be difficult to preserve the reporter's anonymity if plant managers have access to all the information abouth the event. Even if they do not know the reporter's name, they could easily obtain it from log books, timecards, work orders, etc. Follow up action The nuclear power plant authorities should normally review all the human errors in general and follow up actions benefitting the entire station staff are to be taken by plant management. Some of the suggested follow up actions are given below: (a) To organize retraining programmes to take care of system modifications, improvements and design changes. (b) To organize group discussions among the operating staff on incidents where human errors were involved. (c) To organize training on general human behavioural aspects. (d) To improve the working environments in the plant. (e) To review/revise the operating and maintenance procedures, (g) To review the plant operating policies. 2.3.3.2 Benefit From the Reporting System The plant management should periodically review the human errors and make positive recommendations to avoid the errors in the future. Positive feedback is to be given to the persons who completed the incident reports. Incidents with non-safety related consequences are recommended for internal investigation only. These reports although not breaching safety specifications, may provide valuable information regarding human performance deficiencies which may impact on safety in the future. 282.4 Recommendat ions General Recommendations The first aims in coordinating data collection and classification must be to: a) generate increased awareness of the importance of human error data b) generate sufficient interest to promote change and improvement in existing national data reporting systems c) inform developing nations as to the fundamental data requirements for the support of human reliability d) encourage the free, unhindered flow of information on human error data between all countries. Specific Recommendations e) Before substantial steps are taken to centralise data collection and classification, thought should be given as to who will use the data and for what reasons. From these considerations it will be possible to decide on how to structure a database. Some ideas have been expressed in this document which need to be explored with vigor. f) A structured approach to data collection is advocated. g) The distinction between technical factual information and judgemental data should be borne in mind. h) It is suggested that utilities are encouraged to designate a full-time member of the utility staff to take responsibility for human error data collection and classification and provide appropriate feedback. i) It should be emphasized that it is not appropriate to promote data collection and classification without promoting non-punitive 29feedback of information in order to develop an appropriate safety culture and error reduction measures. j) Safety awareness training programmes on why human errors occur and how they can be identified and reported should be established. 303. QUANTITATIVE DATA COLLECTION AND CLASSIFICATION 3.1 Introduction Human reliability data collection is one of the most problematic issues in performing PSAs. A good PSA study requires reliable data to define the possible event sequences and the human error probabilities. On the other hand the collected data should be used for a more generic problem: reduction of human error. These two areas serve improving human reliability for maintaining nuclear safety. Human error data for PSA purposes can be divided into two groups: (1) Qualitative human error data to define error modes and performance shaping factors (PSFs). This type of data is described in the first part of this document, so here we concentrate on the second group: (2) Quantitative data to define human error probabilities. There are several methods to obtain the human error probability values, but all of these methods are similar in being based on operational experience and human action investigation, and require systematical data collection, and evaluation. In this part we briefly describe the methods and data sources that can be used to define human error probabilities. The use of human error relative frequencies would be ideal, but at the moment it is impractical because we do not have enough available data to calculate these values. Another solution the analysts can use is to apply several methods and error models. 3.2 Data and Techniques To obtain the human error probabilities for a PSA, several techniques are available. The selection of the technique(s) in a HRA for quantifying human error depends upon the available data. This point is important for the Human Reliability analyst to consider in the first stage of his or her work because some techniques need more detailed information than others. In this chapter, the areas of 31information needed for using the techniques applied in the PSA are enumerated in a general manner. The objective of this chapter is to illustrate this aspect.* 3.2.1 Technique for Human Error Rate Prediction (THERP) This technique is one of the most widely used in a HRA for PSA. It can be used for pre-accident and post-accident tasks. By performing a task analysis of the human activities, the more likely errors can be detected and their probabilities estimated. This technique includes a data base to estimate HEPs. The influence of a wide variety of performance shaping factors is taken into account. The level of detail of data needed is extensive. The general areas of information required for this technique are: - type of task - recovery factors - dependency - stress - type of equipment - staffing and experience - management and administrative control - diagnosis time oral and written procedures - other parameters related to man-machine interface: displays/ etc. 3.2.2 Accident Sequence Evaluation Programme (ÄSEP) This method is a revised and shorter version of THERP that allows HRA to be performed more quickly and with less cost. The analyst can find in this technique a new diagnosis model that could be used in place * The results of any reliability analysis (including human performance) should be used only for comparing different designs for the system that is being analyzed. Since human performance depends on a number of factors that can change the human error probability considerably, the analysis done should be used qualitatively and not quantitatively. 32of the diagnosis model found in the Handbook. To obtain HEPs using ASEP the data needed are related to the following: For post-accident tasks: - allowable time for correct diagnosis and for completion of actions to restore the plant to a safe condition (Tm) - time to perform correctly post-diagnosis action (Ta) Td= Tm-Ta For pre-accident tasks; - written procedures - recovery factors - dependency - type of system failure mode The study of the recovery factors and dependency requires less data using ASEP than the data needed for evaluating these aspects in THERP. 3.2.3 Human Cognitive Reliability Correlation (HCR) This model is an analytical method to evaluate HEPs taking into account mainly the dominant cognitive processing and the time available. The data needed to apply this technique are the following: - time window - median time - experience level - stress level - - man-machine interface (existence of computerized operator aids, symptom based procedures, etc.) - cognitive level of behaviour It is suggested that the median time is obtained from using simulators. 3.2.4 Maintenance Personnel Performance Simulation (MAPPS) This method is a simulation model that provides reliability estimations for maintenance activities. The analyst has to perform a task analysis. Input data, based on ratings (e.g. various performance 33shaping factors) or measurements (performance times) are entered along with selected parameter values (PSFs). The input parameters are not considered independently, but interactively, to determine their collective effects on subtask performance. The following PSFs are quantified: intellectual capacity and perceptual motor abilities fatigue effects - heat effects ability requirements for the task and subtask - accessibility for performing the task (e.g. removing a component) - clothing impediment - quality of maintenance procedures effect of stress - efficiency of individual workers - organizational climate 3.2.5 Operational Action Tree (OAT) This technique is an analytical method to analyze time dependent post-accident activities. The data needed for applying this technique are the following: - time available to take the appropriate mitigation actions - factors that influence human behavior. There are other techniques based on expert judgement. (Paired Comparison, Direct Numerical Estimation, etc.). For these kinds of techniques, from the point of view of our subject, the needs are first the number of available experts and also specific and complete information about the plant. For applying the HEPs obtained by experts judgements in a PSA to another PSA it is necessary to have documentation about how these HEPs were generated and what were the assumptions adopted. 343.2.6 Success Likelihood Index Methodology (SLIM) This technique is based on expert judgement. It is based on the assumption that the human failure to perform a task depends upon the combined effects of PSFs. The information to be used is the event description and judgment of the performance shaping factors which influenced the operator behaviour. 3.2.7 Socio-Technical Approach (STAHR) This technique is based on expert judgement using an influence diagram as a tool. The quality of information available to the operator, the contribution of organizational aspects, and the psychological and personal factors involved in the event are evaluated. Needs: - group of experts - all the information needed to estimate the aspects mentioned above. 3.3 Possible Data Sources Usually in the literature one can find the following list of possible sources, that can be used in deriving human error probabilities: - Nuclear power plant experience - Control-room, or full-scale simulator experience - Process industries Job situations in other industries that are similar to NPP tasks Experiments, or laboratory data - Expert opinion Literature data (ex. NUREG/CR 1278) Among these sources the following ones have to be objects for specific data collection: - Nuclear power plant experience, event reports; - Full-scale simulator exercises; - Expert Opinion So concentration is needed on these three sources. 35The most valuable source of information on human behavior is the operational experience of a nuclear power plant. The problem of collecting data to be used for different purposes is to be able to define the purposes beforehand. If a new need (or a new model) is going to be used after the data has been collected, then it is very likely that the data will not be useful for the new problem. The following information sources are mainly used: 3.3.1 Nuclear Power Plant Experience LERs (Licensee Event Reports) of the NRC. - INPO (Institute of Nuclear Power Operations) records events that occur in a NPP on a voluntary basis, so it is not as complete as LER. 1RS (Incident Reporting System) of IAEA and NBA. AORS (Abnormal Occurrences Reporting System). 3.3.2 Use of Simulators Simulators have enormous potential for use in qualitative and quantitative data collection. Simulators are useful in the following areas: detailed analysis of accident scenarios development of data bases through the use of simulator tests and simulator training - validation of techniques used in HRA - development and validation of cognitive models with applicability in PSA obtaining concrete measures for applying HRA techniques (e.g. 1/2 time in HCR) 36The problem associated with the use of simulators is the necessary calibration of the data obtained in simulators for taking into account the influence of parameters such as stress, management influence, etc.,that effect behaviour under actual in-plant conditions. 3.3.3 Expert Opinion The data sources described above contain documented records of performance. Expert opinion as a human error probability data source should be considered in many cases, because of the paucity of relevant data, and judgement may be the only source. This requires the proper understanding of the problem, and has to be supported by experience, plant-specific information and by an acceptable number of experts. 3. 4 Conclusions and Recommendations This chapter tried to identify data needed to perform HRA within the PSA and also to identify the current data sources available. The objective was to give a comparison between needs and available data, present a state of the art in the field, as well as to give recommendations and suggestions for future improvements. 3.4.1 Actual situation The following points can be emphasized related to the techniques: - the level of data detail needed is very dissimilar when^using different techniques. Consequently, it is important that analysts performing PSAs consider what data is or will be available to them when selecting a technique. Another important aspect is the application of the generic data in specific PSA. It is necessary to assess carefully the similarity between the data applied and the situation studied. - If the analysts use simulator data they will have to evaluate them by taking into account the influence of parameters such as stress, management influence, etc. Simulators should be used to obtain median response time if the technique selected is HCR. 37Use of expert judgement is recommended only for the following cases: extrapolation of the generic data to the specific case paucity of relevant data - modification of human error specific probabilities to similar tasks. With reference to the use of nuclear experience as a source of data, it can be said that until now it was very difficult to utilize this information for VSA purposes. The number of opportunities versus the number of mistakes cannot be found in these reports and the root causes of errors are not always given. The same situation occurs with the PSFs: not all of them are reported or at least not with the level of detail required. 3.4.2 Suggested Future Improvements It is of extreme importance to improve existing data banks to include human errors, with the objective of obtaining useful information for PSA. In the first approximation, it is considered advisable to collect the human behaviour data for PSA applications in the same data bank in which the human factor data are collected for other purposes. Most o€ the data used in evaluative and quantitative phases of the HRA are the same as those needed, for example, for improving operational feedback. The type of information on human errors that need to be recorded in the event reports are, without exhaustivity, the following: type of task - frequency of this task - people involved - failure mode - who made the error (control room operator, maintenance, etc.) - where - special tools required - environmental conditions - experience in the job when the errors occurred how long had the person who made the mistake been at work 38- kind of procedures used (oral instructions, existence of checkoff/ etc. ) - tagging - how many times has this type of mistake been made in the last year opportunities to make this error before (last year) - systems, components involved - description of the problems involved in the job why the errors occurred (a short classification of the root cause) To facilitate the reporting of all this information a computer format with friendly design for the user is suggested. 394. PROPOSAL FOR A CO-ORDINATED RESEARCH PROGRAMME 4.1 Co-ordinated Research Programme The Technical Committee has reviewed the current situation with respect to data collection from power stations and other sources, and their possible correlation and use for both operational and probabilistic purposes. It has two recommendations which, taken together, provide the basis for a development programme. Recommendation 1; A Co-ordinated Research Programme The Committee recommends the setting up of a Co-ordinated Research Programme (CRP) with the same general scope as the Technical Committee, to contribute to the wider appreciation of the importance and application of human performance data collection and analysis to the design and operation of nuclear power plants. This will also broaden participation and, since operational feedback is often important for availability as well as safety, countries which rely primarily on non-nuclear sources of energy may also be involved in this part of the programme. The main areas of interest for the CRP should be those recommended in Section 4.3. Recommendation 2: A Programme o£ Specialist Meetings The CRP has been formulated to ensure the broadest possible participation. However, the CRP alone will not be sufficient to make a significant improvement in NPP safety. The Committee considers that individual countries can best be helped to improve their data collection and analysis techniques by allowing their experts to exchange information and experience at separate committee meetings covering individual topics. The proceedings should be written up to form a comprehensive compilation of experience over the whole scope of the Technical Committee. 4.2 Overall Objectives of the CRP i. To stimulate the exchange of operating experience in investigating and analyzing the root causes of human performance-related events to prevent their re-occurrence, thus improving plant safety. 40ii. To stimulate the exchange of methods and experience regarding collection and classification of human performance data for conducting Probabilistic Safety Assessments (PSAs). iii. To stimulate the exchange of methods and experience regarding the use of the collected data in Probabilistic Safety Assessments. 4.3 Research and Discussion Topics The following topics have been identified for inclusion in the CRP and for the specialist meetings: 1. Methods should be developed to assess human performance capabilities at nuclear power plants for control room and other technical personnel (e.g. mechanical and electrical maintenance/ instrumentation and control). Research in this area should include consideration of factors both internal (e.g. individual abilities, motivation, fatigue, stress) and external (e.g. environmental and interpersonal work conditions) to the individual. Clear definitions of the terms used to describe these human factor concepts should be developed to foster communication amongst participants (see Appendix 1 for a list of relevant concepts). 2. Exchange of information related to methodologies/techniques for assessing human performance problems as root causes of plant events. This exchange should mainly include discussions of presentations by member countries on the development and use of the different methodologies/techniques and include especially completeness, acceptance by plant staff, and techniques and the consequences of implementing proposed corrective actions. 3. Exchange of information regarding data collection from plant experience for PSA purposes. The information should concentrate on: - collection methods - classification methods - results of using plant experience data. 414. Reporting and discussions of simulator runs performed in various member countries aimed at the assessment of control room operator reliability/performance during routine and severe (stressed) conditions should be encouraged. Benchmark simulator tests have already been performed internationally (for example, the EPRI project). The results of this and similar research projects should be broadly presented and discussed by representatives of member countries. 4.4 Products of Programme The products of the programme will be a series of technical documents that include the papers presented at each meeting and a summary of the discussions of those papers. 42Appendix 1 FACTORS AFFECTING HUMAN PERFORMANCE Internal Factors 1. Ability 1.1 Cognitive Ability 1.1.1 Intelligence 1.1.2 Specific Abilities 1.1.3 Psychomotor Coordination 1.2 Conative Ability 1.2.1 Perception 1.2.2 Attention 1.3 Affective Characteristics 1.3.1 Stress Resistance 1.3.2 Mental Stability 1.3.3 Character 1.4 Physical Character 1.4.1 Visual Systems 1.4.2 Hearing 1.4.3 Motor Coordination 1.4.4 General Health Conditions 2. Behaviour 2.1 Skill Based Behaviour 2.2 Rule Based Behaviour 2.3 Knowledge Based Behaviour 3. Quality Performance Factors 3.1 General Well Being 3.2 Fatigue 3.3 Stress Resistance 3.4 Motivation 3.5. Drugs and Alcohol 43External Factors 1. Environmental Factors 1.1 Temperature 1.2 Humidity 1.3 Noise 1.4 Light 1.5 Physical constraints of Work Locations 2. Work Organization 2.1 Job Specification 2.2 Deficiencies in Procedures 2.3 Social Organization 2.4 Time and Duration of Work 3. Training 3.1. Class Room Training 3.2. On-Job Training 3.3. Simulator Training 4 4Annex PAPERS PRESENTED AT THE MEETINGSSPB ACTIVITIES ON ANALYZING HUMAN PERFORMANCE PROBLEMS L. JACOBSSON Human Factors Group, Swedish State Power Board, Vällingby, Sweden Abstract The SSPB human Factors Group at the head office has been analyzing human error in a more systematic way since 1987. The purpose of collecting data is primarily to provide input to the experience feed- back process. Through analysis of human error lessons can be learnt to prevent future human performance problems on the same plant and also on other plants. The human factors group reviews all SSPB plants LERs and scram reports on a continous basis and indentifies events related to human error. The same task is performed by the local safety and licensing department and the operation department at each unit. Human error related LERs and scrams are regularly evaluated by the HPES group at each site. The group consists of members from each unit, the safety and licensing department at the plant, and the human factors group. The severity of the event and the generalizabiiity of the human per- formance problem is then used as a criteria for determining if a more thorough analysis of the event is needed. There are tree levels of analysis - Statistical analysis. For minor events. - Simplified HPES (developed by INPO for events with some safety importance or generalizabiiity, approximately 1 event/year/unit) - Complete HPES for significant events (I/year in Sweden) The HPES technique is still beeing tested for Swedish conditions and will be modified according to Swedish demands. For the purpose of estimating operator reliability for PRA studies failure data and expert judgments from instructors at the training simulator has been used for estimation of operator reliability. 1. Introduction Collection of data on human performance problems can have different purposes. It can be a part of the experience feedback process to pre- vent the occurence of the same type of error on the specific plant and on other plants. It can also be used to analyze the underlying mechanisms behind different types of human error and provide a more general knowledge of why errors occur. The third main application is to provide data and knowledge for assessments of human reliability in PRA studies. 47The SSPB human factors group is since last year (1988) collecting and evaluating data on human error for the experience feedback process and for human reliability assessments. The main effort is being spent on analyzing human performance problems for experience feedback applications in cooperation with the responsible organization at the site. 2. Human performance problems What do we mean by human performance problems or human error? The technical system (process) continously puts demands on the human operator. The task of the operator and also the maintenance personnel is to take actions according to the demands of the technical system. If the operator performance is not in accordance with the demands set by the technical system, an error (human error) can occur. When analyzing human error or human performance problems, it is essential to analyze the demands put on the operator by the technical system, and answer the question whether those demands are in accordance with human needs and limitations. The main effort at SSPB in preventing human performance problems, has been spent on finding a number of measures to prevent the occurence of the same type of event. One difficult problem in statistical analysis of human error is to find an appropriate level where to classify errors as human errors, in the end everything can be classified as human error, e.g. problems with poor material quality can have its origin in poor quality control, poor QA etc. If an operator commits an error and if the man-machine interface has not been constructed in accordance with operator needs, it is in fact a design error. The above issues are important, and to be able to compare human error classification and analysis between countries, plants etc the definition and classification of human error must be similar and clearly stated. Often LERs and scram reports (in Sweden) contains limited background information on human performance and it can be difficul t for a non-technical expert to determine from the information on the report whether a human error has been directly involved or not. 3. Analyzing human performance problems for experience feedback applications The SSPB human factors group at the main office started activities in analyzing human performance problems during the late part of 1987. The purpose of collecting data is mainly to provide an input to the experience feedback process, to prevent the occurence of errors of the same kind on the same plant and on other similar plants. Our categorization and efforts on human performance problems is based on the possibiiities of finding practical measures to prevent the occurence of similar events. We define human error related events as an event where one of the direct causes has been a human error and where measures to prevent the error can be found in the human part of the system (e.g. administrative routines). Our goal is to find measu- res that can be implemented to prevent the reoccurrence of these events. The SSPB human factors group reviews all SSPB LERs and scram reports on a continous basis and identifies events related to human error. The same task is performed by the local safety and licensing department and the operational department at one of the sites, the Forsmark site. 48Human error related LERs and scrams are regularly evaluated by the HPES group at each site. The group is made up of members from each unit, the safety and licensing department at the specific plant and the central human factors group. If the event is identified as a human performance problem, the severi- ty of the event and the generalizability of the human performance problem is then used as a criteria for determining if a more thorough analysis of the event is needed. Depending on the severity of the event, one of the following analy- sis types are carried out: 1. Categorization and classification for statistical analysis, for less significant events The events are classified for direct error types as operator error, maintenance error and administrative error 2. Simplified HPES-analysis We use part of the methodology developed by INPO for events with some safety importance or generalizability. Approximate- ly one event/year and unit is analyzed. A decision to perform a more detailed analysis, using part of the HPES-technique is made when either the event is serious from a safety point of view, have common cause failure or common cause initiator implication, is a generic human performance problem, or is a scram involving human perform- ance problems. The simplified HPES analysis consists of the following HPES components: cause- and event analysis, barrier analysis, consequence analysis and change analysis. Interviews with personnel involved in the events are also carried out. 3. Complete HPES analysis is performed for significant events. The latter is rare and is based on Swedish experience less than one event/10 years and unit. The SSPB human performance analysis is still under develop- ment and the following improvements are under discussion: The plants themselves will carry out the analysis. We think that it is important that the plants themselves carries out most of the HPES-analysis work because then it will also be easier to feed the experience back to plant. The SSPB central human factors group will be a coordinating and supportive function for the plants. The persons responsible for analysis will get training on HPES evaluation techniques and on human factors issues (e.g. basic knowledge on human functioning; stress, cogni- tive processes, psychobiology, organization etc). Training will also be given on the HPES-analysis technique. Pilot training courses have already been given in these areas. 49f. Collecting data for HRA applications For the purpose of PRA studies a collection of failure data and expert judgments on critical operator actions was done from instructors at the training simulator facility. The instructors at the PWR simulator facility were given a questionnaire concerning significant operator actions. The trainers were asked to estimate the numer of crews whom had practiced the transient and how many of the crews that had failed. The instructors were also asked to estimate the median time to perform specific operator actions and if the crews had diffi- culties in handling the transients. These data were then used for making assessments of operator reliability for PRA purposes. 5. Need for future activities in development of analysis of human performance problems More knowledge is needed concerning the underlying mechanisms behind human errors. Models on human error should be validated in experimental studies. Often an error is the result of an interaction between errors committed in both the technical and the human system (Svenson, 1988). In the nuclear power plants it is usually not enough with one single failure in one part of the system to cause an accident, it must be a combination of errors in both the human and technical system for an accident to occur. Effort should also be spent on finding critical initiators and high risk situations for errors in the interaction between the human and the technical system. REFERENCES Svenson, O., Cognitive psychology, operator behavior and safety in the process industry with emphasis on nuclear power plant applications. Department of Psychology, University of Stockholm. Report No. 29, October, 1988. 50AN APPROACH TO HUMAN ERROR MINIMIZATION IN PHWR SAFETY RELATED OPERATIONS G. GOVINDARAJAN Reactor Control Division, Bhabha Atomic Research Centre, Bombay, India Abstract The safety of nuclear power plants at present rely on the engineering design and safety analysis does not address to human reliability aspects. The human error are generally classified in to account the type of activity, the location of errors, origin of errors, nature of errors, the task performed and the procedures involved, individual factors, equipment design etc. Information available indicate significant contribution among errors is from operator actions and from maintenance. Keeping in view the above background, emphasis is being placed on improvement of control room functions and information display systems, for improving operator reliability. R & D efforts have been initiated for collecting data from operating plants, design of advanceo computer controls and operator support aids. The simulator being built will be used for functional test of the equipment and evaluate the task executed by them in a particular scenario. The results of these tests will be analysed with appro- priate weighing factors to the operators. The lapses and slips that arise in performing a particular task will be looked into in detail and analysed for providing additional information in the form of operator aids or decision support system, ergonomics of control room operation alarm,reduction and functional grouping etc. This paper describes the plan for improving reactor safety in an overall context. I. Introduction Indian Nuclear Power Programme is on the threshold of fast expansion from the present modest generating capacity of 1250 MWe comprising 2 BWR and 4 PHWR units of sizes below 235 MWe with increasing indegenous content from unit to unit. 51The future units of 235 MWe and 500 MWe sizes are of the standardised designs incorporating all the necessary improve- ments based on the feedback from over 90 reactor years of operational experience. The emphasis on indegenisation and the peculiar operating environments for the plants in India have been responsible for substantial design modifications. 2. Human Factor Engineering in Indian PHWRs The contribution of human errors towards bringing down the plant availability is difficult to segregate from those caused by other factors in our plants mainly because of the following: - limited operational experience - the events caused by equipment failure or instrument malfunctioning being relatively large in numbers the strength and quality of operating crew being much more than in similar plants elsewhere due to above factors, human error quantification can be erroneous. Though occasional modifications have been carried out from time to time in the control room panels and instruments, the operators feel that they have sufficient information to handle all the routine and abnormal events encountered thus far. Also, the grouping of instruments (switches, light indicat- ions, meters) according Lo functionally related subsystems, the segregation of groups marked by coloured bands on the panel and a mimic of process flow marked through panel instruments have all given considerable help in fast cognition of plant situation keeping the operator stress and consequent error proneness minimal. 523. Areas for Human Factors Improvement A thorough review of the human factors considerations is however found necessary to ensure reliable and safe operations of the plants under all postulated abnormalities. With detailed analysis of the scenarios following the postulated events, the deficiencies in information to the operator as well as the uncomfortable nature of operator actions during certain scenarios get identified. Exhaustive analysis of the scenarios following each known initiating event combined with a critical analysis of the past unusual occurences for human error contributions is expected to give the necessary inputs for decisions on addition, modification and integration of controls and information available in the control room. Also it would be of great use to achieve a classification of human errors depending on whether it is through violation of stipulated procedures, lack of properly defined operating procedure in the given context or the inability of the operator to diagnose an abnormal situation with regard to the root cause of disturbance. While the end results of these analytic efforts are expected to have significant role in the refinement of plant design features and operating practices to bring down the human error to the lowest achievable level, efforts on several fronts can be initiated right away in the direction of improv- ing man-machine interface and refining the operating organis- ation. Some of these efforts based on the needs felt by operating and design review personnel are outlined in the subsequent sections. 53Measures to improve Man-Machine Interface (MMI) Control room ergonomics - All PHWR stations have twin operating units with a common control room although the two units do not normally share any common auxiliaries. The control panels of the two units are symmetrically arranged as shown in Fig. l,but the panels are not having mirror reflection pattern avoiding the possible confusions in reflex action following any swapping of operating crew between the units. The goals of fast indegenisation and increasing the informat- ion content in the control room have added to the size and number of control panels making the distances of operator movement within the control room quite considerable. Efforts are on to procure compact panel instruments and combine with their optimal layout giving due considerations for functional grouping, satisfactory task execution by operators during routine procedures as well as while handling most postulated event scenarios. Other improvements in control room ergonomics like the re- placement of existing lighting arrangement with more diffused one avoiding glare from all directions are also being thought of. More uniformity in colour codes employed in all the standardised units and increasing the colours to accommodate finer classification of annunciations, lights etc. are expect- ed to improve the operator's fast cognition of the plant situation. 54iX^- 67B71 Or St ARfcA MONITOR t3=3 i s ,' I9SQ , isso __. _ 27CQ • laso , ig» . T85Q - — CHAHNEL-A/D — ©- iKnn-pj N ji-^A^ A! jig ^«. N. . tf> ll to r u: S «v f-; fiœ -tSL. UvJ ^^cr^ l^Vv / i FIG.1. Typical control room for a twin unit PHWR station.On-line operator aids While the data acquisition and event recording systems in the presently operating plants are not quite comprehensive, a more complete and fast data acquisition system (DAS) is to be incorporated in all future units. With this system, an operator doesn't have Lo depend on vast multitude of instru- ments to recognise the status of the plant and that would now be readily available through a compact mimic on a CRT screen. Apart from the plant overview, the details of various sub- systems arranged in a hierarchical manner in the DAS computer can be presented to the operator on his request. Efforts are on to add query features in the information presentation system and substantially enhance the selectivity and time- lines of process information at the disposal of the operator. Apart from presentation of information in convenient format, the DAS computer is programmed for significant information integration. The processed information helps the operator in avoiding so many correlations mentally performed earlier thereby enabling a more precise and faster diagnosis during abnormalities. Procedures have been worked out for suppression of unnecessary alarms and other irrelevant information in a given operating context again to avoid the operator's distraction towards extraneous issues and focus his attention on currently pertinent information. These procedures could be conveniently implemented through CRT based information presentation systems. 565. Measures Towards Improvement of Operating Procedures Normal operating procedures: These are already well defined and issued in the form of operating manuals aided by flow sheets. Though there is substantial common content in the procedures employed in various PHWR units, each unit has its procedures documented separately taking into account the local features and new additions. In the new standardised units, the generic part of these procedures would be overwhelming and the continuous updating of the common procedures is expected to be more efficient Emergency operating procedures: Studies were initiated to analyse the scenarios following a large number of component failures or initiating events postulated. The involvement of experienced designers and operators in these efforts have enabled arriving at suitable operating procedures to be followed on identification of the initiating event responsible for the current abnormality. The identification of Lhe initiating event from the symptoms or information available in the control room may not always be easy and is subject to large uncertainties and errors. Procedures to monitor the unsafe deviations in all the pre- selected state variables of the plant, restore and maintain normal or safe state of operations are expected to supplement the emergency operating procedures for identified initiating events. Operating organisation: The operating crew in each PHWR 235 MWe unit consists a minimum compliment of one shift engineer, one assistant shift 57engineer, one fuel handling engineer, 4 control enginers, 18 technical staff and a health physicist to assist them. All the engineers have good theoretical background from a long period of education and training (10 years in school, 6 to 7 years in college and one year training in various nuclear establishments). The technical staff are also well trained in the basic principles of operation and maintenance of plant equipments. The operating crews work in 8 hour shifts. The communication within the crew members and between the crews are excellent in view of the high level of under- standing of the plant processes and their importance by each crew member. The maintenance personnel maintain a close observation of operating events and provide all the help when called for. Since there is considerable interchange of personnel from operating to maintainance teams the communicat- ion between the two teams is informal and sound. Efforts are on to further improve the communication between crew members and encourage organised participation of more engineers in monitoring, diagnosis and recovery actions following events. 6. Measures Towards Improvement of Operator Quality The selection and training of fresh graduate engineers for one year period both at Training School in Bombay and at the training centres located at plant sites is quite rigorous. The program not only provides sufficient theoretical background in nuclear reactor physics, reactor engineering, radiation protection etc., but exposes them to the details of safety issues involved with nuclear power plants. They are required to clear a set of examinations and checklists before being absorbed into regular service. The new technicians are also 58trained with sufficient exposure to plant equipments, their operating principles and maintenance aspects. The qualification program of engineers and operators at various levels is organised along well established lines of examinations, interview etc. This helps maintain well quali- fied set of engineers and operators licensed to operate the plant with sufficient incentives offered to them. The participation of operating engineers and technicians in sessions reviewing the events of the past and formulation of new procedures help experience sharing and updation of knowledge. Periodic seminars and lectures on issues of importance to plant operation, maintenance and safety also help the cross-flow of knowledge among staff of different units and sometimes from other nations also. The full scope training simulator being commissioned at Rajasthan Atomic Power Station is expected to provide a good boost to operator training and retraining. This simulator provides opportunity to train operators not only on all normal operations like unit start-up, shut-down, power manouvres, periodic tests to be conducted from control rooms etc. but also on abnormal situations created by a wide variety of mal- functions. Presently the total number of malfunctions provid- ed in the plant model is around 200 and it includes most frequently encountered failure modes and failures having important safety consequences for the plant. They range from a single pump trip to several modes of instrument failure or loss of off-site power. However, major failures leading to LOCA and two phase flow conditions in the primary loop are 59presently not included in the models and they are to be incorporated in the next stage of simulator. Simulator testing of abnormal operating conditions with regular plant operating crews is expected to help refine emergency operating procedures. Also these exercises would bring out the operational areas susceptible for human errors and enable concentrated efforts to refine procedures from human factor considerations and intensify training in selected vulnerable areas. Conclusion With the problems faced by the first few small nuclear power units in India, sufficient lessons have been learnt and efforts to improve plant performance in the given operating environment is multifacetied. Some of these efforts aimed towards minimising the plant unavailability due to human errors and improve operational safety have been highlighted in this paper. The international experience shared in this front is hoped to help accelerate these efforts and fast achieve smoother and safer operation of our nuclear power plants. 6 0HUMAN ERRORS — HUMAN CAUSED, ENVIRONMENT CAUSED K.C. SUBRAMANYA Operating Plants Safety Division, Atomic Energy Regulatory Board, Bombay, India Abstract The Importance of Human error in the safe operation of Nuclear Plants has been well recognised. The human error could be due to a large number of reasons. Eg* coming from factors like sensing, perceiving, predicting, familiarity, skills, rules, individua l performanc e and environmenta l factor s such as ergonomics, work organisation, procedure, time & duration of work, training, physical environment etc. Two incidents highlighting human caused and environmental caused errors are discribed. Also a distribution of causes of failure and affected systems of Safety Related Unusual Occurrences is presented on the basis of the reports received by the regulatory body. A system to analyse human errors with respect to human caused and environment caused is being developed. The input data for this analysis is obtaine d from Safety Related Unusua l Occurrence reports received by the regulatory body. The regulatory requirement for submission of these reports include first information report (by telex, telephone etc) within 24 hours of the incident and detailed report within 20 days. The detailed report amongst other information also contains information with respect to the cause of the incident. These reports are discussed at various levels and an attempt is made to identify the root cause . 61There are many factor s which contribut e to the safe operation of Nuclear Power Plants (NPPs) viz: Design, Reliability of equipments, Man-machine interface, Human response etc. Safe operation of the NPPs is ensured by giving due importance to the above factors. But still there are incidents reported regularly causing unscheduled outages or degradation of systems required for safety. Of all the factors that cause such incidents, Human error has been recognised as a very important factor. Human error is committed due to various reasons. The behaviour of individuals is very difficult to predict accurately. All persons do not respond in an identical manner to a given problem. It is also very difficult to assess the capability of an individual fay some simple tests. There are many factors that influence the human response. However, human error could be classified very broadly into two groups viz : a) Human caused b) Environment caused Human Error -Human Caused Human factor s and behaviou r are the key issues which influence a person to respond in a given situation in a particular fashion. The human factors are based on human thinking process taking input from all the sensory organs and generating a suitable output. Some of the important factors are sensing, perceiving, predicting, familiarity with controls and decision. Human of practice one has undergone for performing the given task. These can be broadly categorised as skill based behaviour, rule based behaviour and knowledge based behaviour. All the above behaviours and human factors can be improved upon by proper training and good practice. But there is a limit to the degree to which one can be trained or given practice. Here 62the individual performance comes into picture. Each individual has an inbuilt ability (or inability) to perform a task. Human reflexes are excellent examples for individual capabilities. Hence an individual's performance also makes an impact on the human performance. Human Error - Environment Caused There are many external factors which influence the performance of an individual. Many times, these contribute to the human error, which otherwise would not have occurred. The word "Environment" is used here to mean these external factors. Some of the importan t factor s are, ergonomics , work organisation , procedures, time and duration of work, training and physical environment. While all the factors such as design, construction, equipment, man-machine interface etc. contributing to safety are ultimately human related, as all of them are human initiated, the errors committed by operator only are discussed in this paper. Two incidents in Indian NPPs which occurred due to human error, in one case human caused, and the other environment caused, are presented. The.se incidents have already been reported to IAEA 1RS, earlier. 1. Incident at a Pressurised Heavy Water Reactor (Figure I) Rajasthan Atomic Power Station consists of 2 reactors of Pressurised Heavy Water type. The reactor is cooled by Heavy Water through 8 Primary Heat Transport pumps ( PHT pumps ) 4 in each loop (4 pumps, 2 in each loop is shown in the figure) connected in a " figure of 8 " fashion. Each PHT pump has a steam generator where the heat is transferred to light water on the secondary side. Steam produced due to the boiling of this secondary wate r is used for generatin g electri c powe r in a 63SHUT DOWN HX SHUT DOWN COOLING PUMP SHUT OOWK COOLING PUMP BACKING UP SPECIAL FROM BLANK LEAKAGE COLLECT!» !-_-_—_-_-_-V-.h.-.UEflK/»G£: COLKTWI TAJK 5) FIG.1. TO STORAGE TANK (NOT SHOWN) conventional manner. Each loop Is provided with a shut down pump and a shut down heat exchanger for removal of residual heat. During shut down of Unit— 2 , maintenance works on one of the PUT pumps and shut down heat exchanger of the same loop were taken up. After completing the maintenance work on the pump, it was taken into service. But the operator forgot to close the pump bowl drain valve. After some time, heavy water leak was observed from the blank of the heat exchanger head. (This blank was fixed temporarily to facilitate work on the heat exchanger.) Firstly it was suspected that one of the isolation valves for heat exchanger was leaking. Bot h the valve s were exercise d to seat the m properly, but the leak continued. To investigate the leak, the only running shut down cooling pump (residual heat removal pump) on o t 6 4Investigations showed that the heavy water tread the path through the pump bowl drain to the leakage collection tank (as the drain valve was left open) and backed up to the heat exchanger head and due to improper fixing of the temporary blank, started leaking, not closing the pump drain valve while taking the pum p into service. Procedures for isolating and putting back, the pump into service exist and the operator failed to follow the procedures thus causing the incident. Incidentally the other human error of improper fixing of the blank of the heat exchanger aggravated the situation. 2. Incident at a Boiling Water Reactor (Figure 2) Tarapur Atomic Power Station comprises 2 Reactors of Boiling Water Type. The reactor uses slightly enriched uranium as its fuel /————————v c- «-e«rf«»«, rU-WV-J———————— FIG.2. 65and light water as moderator and coolant. When the reactor is operating, due to the heat produced by the fuel, the water boils and the steam is directly fed to the turbine for generation of electricity. An emergency condenser is provided to remove the decay heat when the main condenser is not available or when the containment is isolated. While Unit-2 was operating at Power, one of the 2 Primary feed water pumps, tripped on ground fault. As the discharge check valve of the pump was passing through, the other feed water pump could not pump water to the reactor due to short circuiting. This resulted in scram on reactor water low level and closure of primary steam isolation valves. Later, water level was brought up by isolating the defective feed pump. At this time the emergency condenser was brought in line. It was found that the reactor water level was rising. The operator tried to arrest the upward- trend of the level by using the clean-up system reject, but the clean-up system tripped on high pressure. The reactor water level went up and filled the steam lines thus forming a water seal and prevented the steam from entering the emergency condenser. This resulted in the emergency condenser becoming ineffective. The reactor pressure increased lifting the reactor relief valve open. (Incidentally the relief valve setting was found to have drifted to a slightly lower value.) The hot water entered the containment causing the containment pressure to go high. This initiated the containment spray system to actuate which brought down the containment pressure in a very short time. At this stage the operator on his own opened the PSIVs, thus removing the water seal to make the emergency condenser effective. After analysing the incident, the station revised the procedure to take care of such situations. 66This incident shows that due to lack of proper procedure (of opening PSIVs once the level became normal) caused the reactor relief valv e to lif t and causing the containmen t to get pressurised. This is a case of environment caused human error. Data Collection and Analysis System in India In India, data on human error is collected and analysed as a part of an elaborate system. In this system, human error as a composite root cause along with other root causes is reviewed and analysed. A brief description of the above mentioned system is givea below. Atomic Energy Regulatory Board (AERB) is responsible for overseeing the safety of all the nuclear installations in India right from the design stage till decommissioning stage. Following divisioas have been formed to address the above meitioned task.. ( PI. see ligure 3 ) 1. Nuclear Safety Division ( N.S.D.) 2. Industrial Safety Division ( I.S.D.) 3. Operating Plants Safety Division ( O.P.S.D.) 4. Radiation Safety Division (R.S.D.) These divisions are given the responsibilities of safety in their respective areas and they report to the Chairman AERB. In addition to the above divisions, various committees appointed by the Chairman AERB, review the safety aspects of the relevant disciplines. To review the safety of the operating plants, a committee called Safety Review Committee for Operating Plants ( SARCOP ) is constituted. This committee reviews periodically the safety status of these plants and makes suitable recommendations. These recommendations of SARCOP are implemented by OPSD. 67ON oo ATOMIC ENERGY COMMISSION AERB SECRETARIAT EXECUTIVE COMMITTEE ADVISORY BODIES PROJECT SAFETY REVIEW COMMITTEES NUCLEAR SAFETY DIVISION • Inspection & Authorisation • Quality Assurance • Safety Audits Future Reactors - Technical Aspects - Safety Analysis Codes, Guides & Standards Computer Codes SAFETY REVIEW COMMITTEE FOR OPERATING PLANTS (SARCOP) INDUSTRIAL SAFETY DIVISION Safety Assessment - Mechanical, Electrical, Fire, Explosives and Chemical Inspection and Enforcement Codes, Guides and Standards. STANDING COMMITTEES OPERATING PLANTS SAFETY DIVISION - Inspection, Review and Enforcement ' - Approval of Engineering Modifications and Technical Specifications - Codes, Guides and Standards - Emergency Management RADIATION SAFETY DIVISION Nuclear Fuel Cycle Facilities Medical, Industrial and other Applications. • Transportation and Consumer products. • Codes, Guides and standards SCIENTIFIC TECHNICAL SERVICES - Computer - Library and Reprography - Safety Research - Public Information. ADMINISTRATION - Personnel - Budget and Finance - Publications. FIG.3. Organizational structure of AERB.TABLE I FAILURE ANALYSIS FOR OPERATING UNITS 1. FAILURE CAUSE A. Equipment failure 53.00 % B. Human Error 15.00 % - Operator Error 5.5 X - Human error during maintenance and testing 9.5 Z C. Maintenance and repair induced failures 4.80 % D. Training / and administrative procedures 12.00 % E. Fire 4.00 % F. Grid disturbances and other external 11.20 % factors 2. 1 . 2. 3. 4. 5. 6. 7. SYSTEM Fuelling machine Reactor regulating, protective and safety sy s terns Main heat removal systems Turbine Generator Feed water, condenser and circulating water systems Electrical power supply system Miscellaneous - compressed air - ventilation system etc. 1 1 1 1 6 2 1 6 2 30 10 .85 .30 .20 .74 .36 .34 .10 7, % 7. % % % % Report on any incident having safety significance, known as Safety Related Unusual Occurrence Report (SRUOR) is prepared and sent by the plant to the Operating Plants Safety Division (OPSD) o f AERB . A firs t informatio n repor t know n a s promp t notification, is sent by telex or telephone within 24 hours. A detailed report in a standard format is then sent within 20 days 6 9of the incident. These reports are received and a. summary is prepared. This summary, along with other criteria as available in the detailed report is fed to a computer and stored. Data thus collected, is analysed to find out the types of failures, causes of the incidents etc. The format of the SRUOR is under revision to bring it in line with the Incident Reporting System of IAEA. These SRUORs are further discussed at various levels. They are firstly discussed at the Station Operations review Committee. It is further reviewed by the Station Safety Committee which is appointed by SARCOP. Finally, they are reviewed by SARCOP and suitable recommendations are made. Report s of all the above reviews are also received by OPSD. With the help of all the above data, analysis of the incidents is done with respect to the system, root cause, type of failure, effect on operation etc. Results of an analysis carried out to study the various causes of failure and the systems affected, are shown in Table I. Conclusion Human error is recognised as a key factor which needs proper addressing for ensuring a safe and efficient operation of the nuclear power plants. A system to analyse human errors with respect to human caused and environment caused is being developed. For this, all the incidents involving human error are to be discussed with the station authorities and the corporat e tiody (which owns the station) for improving the training programmes suitably and to carry out modifications at the operating plants. Effort s wil l b e mad e a t th e desig n stag e t o improv e th e environmental conditions based on the feed back from the analysis performed so that the environment caused human error could be minimised. 70HUMAN RELIABILITY DATA COLLECTION FOR QUALITATIVE MODELLING AND QUANTITATIVE ASSESSMENT D.A. LUCAS, D.E. EMBREY, A.D. LIVINGSTON Human Reliability Associates Limited, Dal ton, Wigan, Lancashire, United Kingdom Abstract Effective human reliability assessment requires both qualitative modelling of possible errors and their causes, and quantitative assessment of their likelihood. This paper considers the available sources for both qualitative and quantitative data collection. A classification for different types of data is proposed. Currently used methods of gathering data using operational experience and simulators are discussed in relation to these data types. The analysis of error data from operational experience is elaborated upon, and requirements for a comprehensive human performance data collection system are proposed. These requirements are examined in relation to existing data collection programmes and the practical aspects of analysing error data. Introduction The traditional approach to human reliability analysis has emphasised the quantification of error probabilities for proceduralised operator actions in the faul t tree analyses in Probabilistic Safety Assessment (PSA) . Discussions of the need for human reliability data have therefore concentrate d on the issue of how numerica l data on human error probabilities (HEPs) can be obtained from various sources. Although this aspect of human reliability data is important , the human reliability concept also covers qualitative modelling. The data requirements for both areas need to be considered. This paper addresses both qualitative and quantitative modelling. Various areas for which human error data are required can be defined as follows : a. Data for use in the design of new systems to ensure that human reliability in areas such as operations, maintenance and testing is optimised. 71b. Data for use in devising error reduction strategies for existing systems. c. Data for qualitatively modelling the types of error expected to occur in emergency and other situations as part of PSA. d. Quantitative data for performing cost benefit analyses in areas (a) and (b) . e. Quantitative data in the form of absolute human error probabilities for use primarily in PSA, but also applicable to (a) and (d) , if available. Human error data can be broadly divided into qualitative and quantitative groups. Qualitative data can be subdivided into two further categories. The first of these are data that are to be used either at the design stage, or retrospectively, for error minimisation purposes. Typically, these address the underlying causes of error. The second category is data for error modelling within a PSA structure. This involves the analyst postulating various ways in which the operator could fail for a predefined scenario. These 'error modes' are included in the event and fault tree structure for subseqrent quantification. Quantitative data can also be broken down into two categories. The first category is taken to include all numerical data relevant to human reliability assessment excluding data on absolute error probabilities. This category is typified by data such as "detection of a faint , infrequently occurring signal will decrease to 25% of its initial level afte r about half an hour of watchkeeping" . The othe r class of quantitative data is the absolute estimates of human error probabilities encountered in PSA, e.g. "the probability of the operator failing to operate valve 27B is 3.6x10 ". In subsequent discussions we shall refer to the above categories of data as QUAL1 , QUAL2 and QUANT 1, QUANT2 respectively. The definitions of these types of data are summarised in table 1 : 72Table 1: Definitions of Data Categories. Data Type Definition QUAL1 Qualitative data to be used for design or error reduction purposes. QUAL2 Qualitative data for error mode prediction in PSA. QUANT 1 Quantitative human error data excluding absolute probability estimates, for relative likelihood of errors and assessment of different types of influences. QUANT2 Absolute estimates of human error probabilities used in PSA. In the remainder of this paper, each of these data categories will be considered from the point of view of data sources, the feasibility and cost of obtaining data, and possible application areas. Qualitative Error Reduction Data (Type QÜAL1) Nature of the Data Type QUAL1 data consists of three main subcategories. The first of these is specific human factors information derived from experimentation under laboratory or, (more rarely) field conditions. Such experimental data tends to be specific to a particular combination of variables where only one (or , infrequently , two ) factor s are change d as par t of the experimental design. For example, the increase in response time may be tabulated when an individual has to respond to an increasing number of alternative switches which need to be operated when an alarm occurs. The second subcategory is data derived from the systematic analysis of operational experience or simulator trials. For example, in a particular installation, it may be observed that test engineers frequently lose their place when carrying out long written procedures. An obvious conclusion from this finding is that the written procedures should be broken down into smaller units. As another example, simulator trials may indicate that certain displays are more effective at aiding performance than others. 73The third subcategory of qualitative data are general error reduction theories, principles or models which can be applied to a wide range of systems and situations. Examples of principles of this type are those associated with Rasraussen's Skill, Rule, Knowledge (SRK) model (réf . 8) or the GEMS model proposed by Reason (réf. 9). It is often assumed that these general error reduction principles are generalisations from the specific laboratory studies and operational experience analyses of the first two categories. Although this is true up to a point, the general models are often used to provide a structure within which specific experiments are conducted to generate data. Similarly, particular cognitive models of human error can be used to structure the collection of operational data. Application Areas All three subcategories of data can be applied during the design of new systems. Usually relevant experimental data is condensed into tables in data handbooks . However , such data handbooks are not in themselves sufficient to achieve designs which minimise human error. A systematic design methodology is necessary within which the data can be applied. An example of such a methodology is SHERPA (Systematic Human Error Reduction and Prediction Approach, Embrey, réf.3) . This type of methodology provides a comprehensive analysis of the design and enables the analyst to focus on safety critical aspects of the system that may be jeopardised by human error. The reduction of human error in operating establishments and systems also utilises data from all three of the subcategories discussed up to this point . However , the existence of a systematic error data collection system is probably the most effective means of developing a comprehensive error reduction programme. Such a system allows the nature of human reliability problems to be identified at source and the effectiveness of any error reduction measures to be monitored. Data Sources a. Data handbooks There are considerable amounts of qualitative data available which could potentially be applied to design and error reduction in a number of industrial contexts. However , these data are often in specialised research reports and journals which may be inaccessible to the general user. For such users, the best sources of data are some of the many 74handbooks that have become available. For example, in the space industry, comprehensive design data sources such as the NASA human factors handbook are already extensively used. A text which is specifically orientated towards error reduction is the Guide to Reducing Human Error in Process Operations (Ball et. al, réf. 1) which was developed by the data subgroup of the Human Factors in Reliability Group sponsored by the United Kingdom Atomic Energy Authority. Another document which provides qualitative guidelines for error reduction (although i t is primarily orientated towards quantification) is Swain and Guttmann (réf . 10) . b. Analysis of operational experience The nuclear power industry (particularly in the USA) and the aerospace industry have attempted to establish systematic approaches to the reporting of operational experience. One of the most widely established reporting schemes is the Licensee Event Report (LER) system. This is a mandatory reporting scheme operated by the Nuclear Regulatory Commission (NRC) as part of its licensing requirements for nuclear power stations in the U.S. A comprehensive report has to be submitted to the NRC in the event of any abnormal occurrence that violates the technical specification of the plant. The LER system is therefore not primarily intended as a means of reporting human errors. Nevertheless, because many abnormal occurrences originate from or implicate human performance deficiencies, LERs contain much material that is of interest to the human reliability analyst. In the aviation industry, a system of confidential reporting exists which allows anonymous feedback of problems (including "near miss" reporting). Unfortunately, this system does not provide a framework which allows the causes of incidents to be determined. It is suggested that the most cost effective method of error control is the existence of a comprehensive human performance data collection system. Such a system should allow the collection of data on human performance deficiencies such that the underlying causes of errors can be identified and appropriate error reduction measures prescribed. In order to achieve these objectives at least five requirements are necessary: o A climate of opinion at a contractor s plant and in an operational system that views error as a normal part of human behaviour and hence (by means of a non-punitive reporting policy) encourages operators to report not only errors that give rise to undesirable consequences but also 'near misses' . Reporting of violations should also be encouraged, to determine why short-cuts are taken. There is generally a requirement for 75a proactive reporting system philosophy which promotes the reporting of no-cost incidents. o A systematic and structured data collection approach that assigns to specific individual s the responsibility to investigate incidents and collect error data. o A classification scheme for error data that is based on a human error model (or models) such that the causes and contributing factors can be identified. o Management acceptance (at all levels) of the importance of human reliability as a majo r determinan t of plant safet y and profitability. Also required is a willingness to act on the results of an error data collection programme by supporting (financially and otherwise) the implementation of error reduction strategies which arise as recommendations from these data. o Regular feedback to all levels of employee giving details of the safety measures implemented as a result of the system. These requirements are, of course, very stringent, and it is therefore not surprising that no error data collection system currently exists which fulfills all these criteria. One major scheme which is orientated solely to the collection of human performance data is operated by the U.S. nuclear industry. This is the Human Performance Evaluation System (HPES) administered by the Institute for Nuclear Power Operations (INPO) . A particular advantage of HPES is that it is run by the industry for the industry, and thus there is less of a tendency to "sanitize" the data that is collected. In addition, the system involves voluntary reporting of both actual problems and potential problems. The HPES programme fulfills several of the criteria discussed above. One or more individuals at each plant are designated as plant co- ordinators and are mandated specifically to investigate human performance problems. Plant coordinators receive extensive training in incident analysis techniques at INPO, and regular feedback sessions are conducted where plant co-ordinators discuss problems in operating the scheme. The plant coordinator attempts to investigate the causes of human errors and near misses at the plant and recommends appropriate corrective measures. 76Data which are sufficiently generic to be of general interest are circulated on an industry wide basis, and are added to the central INPO data base. The HPES programme is at a relatively early stage of development and does not yet fulfil all of the criteria discussed earlier. For example, the error classification system requires further elaboration. Nevertheless, the HPES programme has achieved widespread acceptance, as nearly half of all the U.S. power utilities now subscribe to the scheme, and this initial growth occurred over a period of less than a year. The major reason for this success is that the scheme is perceived to provide real benefits at individual plants in reducing the incidence of errors and other human performance problems. The widespread acceptance of the HPES demonstrates that error data collection schemes are both possible and useful, provided sufficient committment and financial resources are made available. It is also encouraging that the nuclear industry in Canada and in France have implemented the HPES programme, or variation, of it. The collection and reporting of incidents involving human errors is not an activity which most people take to naturally. Reviews (e.g. Lucas, réf. 6, Embrey et al, réf. 4) have revealed a number of commonly occurring problems with human performance data collection schemes. o Firstly, reports tend to be very variable in quality. Many reports are vague and incomplete. The level of information reported is very variable. One analysis by Lucas and Embrey (réf . 5) showed that at least 20% of incident reports involving human error are essentially unusable from the point of view of analysing the nature of the error or near miss. Those reports which are both clear and detailed tend to be the rare exceptions. o Secondly,another serious problem which has been found in reviews of current reporting schemes is that the underlying causes of human error and near misses are not adequately assessed. The writers of reports concentrate on describing what went wrong, often at the level of the behaviour of the system. The reason why the human performance problem occurred is very rarely established. We are therefore left with a clear description of what occurred, when and to whom, without the important analysis of the cause of the human error. o A third and related problem is that analysts find it difficult to assess the root cause of a human performance problem. This 77is partly due to the variabl e natur e of the informatio n collected and also to the lack of job aids which would help analysts in assigning one or more possible underlying causes to a particular error type. Most analysts have not received extensive training in psychology and without explicit guidance on establishing the cause(s) and contributing factors of a human performance problem their assessments will be unreliable. The use of a cognitive model of error would considerably assist the analyst in all of these three aspects. In particular, the use of such a model could facilitate two of the most important uses of such a data collection scheme. Firstly, it could assist in the derivation of accurate information on the causes of operator error. Secondly, it could help in the generation of effectiv e error reductio n strategies from the information in the database. These error reduction strategies might typically consist of, for example, changes in the design of equipment, a revised training programme , or the redesign of procedures . The information collected needs to allow the specification of these and other method s of reducing those human performanc e problems whic h have potentially serious consequences. However, there is an urgent need to provide an appropriate "interface" between the theoretical models of human error causation and the pragmatic concerns of accident investigators in industry. A number of possible interface devices are feasible ranging from paper-based classifications of error causes, through the provision of decision aids such as flow charts, to the use of knowledge based systems for data gathering and analysis. These ideas are discussed in more detail in Lucas (réf . 6). c. Simulator data In the aerospace, nuclear, and certain areas of offshore activities (e.g. transport of crude oil in bulk carriers) sophisticated high fidelity full- scope simulators have been developed, mainly to train and certify pilots and operators. In theory these systems should constitute excellent sources of both qualitative and quantitative human error data. The major difficulty arises because of the high cost and therefore heavy usage of most of the simulators that exist in the nuclear and aerospace industries. They often tend to be operated round the clock for use in training applications. This severely limits their availability for human factors work. As a result, most attempts to use such simulators to obtain human error data have had to be combined with training exercises. Examples of data collection efforts of this type are those described in Beare et. al 78(réf . 2). Such studies have often involved the instrumentation of the simulator to enable comprehensive computer based data collection of the operators actions. However , much useful information can be gathered without this expense, particularly if scenarios are pre-analysed to identify aspects of a task that the operators are likely to find difficult . Some studies have also been carried out specifically to collect qualitative data concerning the cognitive aspects (i.e. decision making, problem solving functions) of operator performance. An example of such a study using a plant simulator is described in Wood s (réf . 11) . Encouraging results have also been obtained by Norros and Sammatti (réf . 7) . It is by no means certain that full-scope simulators are essential for providing data relevant for human error reduction. Useful results have been produced by simulators based on microcomputers and even paper and pencil simulations. Qualitative Data for Error Mode Prediction in PSA (Type QUAL2) The concept of predictive error modelling in PSA' is basically concerned with identifying the nature of the errors that are likely to be committed by an operator in the situation of interest . For example, will the operator choose the wrong switch, will he misdiagnose the pattern of indicators, etc. In order to make these predictions, it is helpful to utilise one of the available models of human error causation to prompt the analyst. As before, there is a problem of translating such models so that they may be used effectively by risk assessors. Qualitative data from all of the sources considered in the previous category (QUAL1) can obviously also be applied to assist the analyst in identifying error modes. One notable, but not widely available, data base in this context is the Confucious data base being constructed by Electricité de France. This database contains information collected during simulator tests and enables qualitative analysis of some of the influencing factors determining the error modes. Quantitative Data Excluding Absolute Probability Estimates (Type QUAHT1) The data sources discussed in detail for data type QUAL1 can be used to provide quantitative data regarding the relative likelihood of human errors when comparing two situations with differing conditions. The quantitative impact on human error rates of different factors such as 19quality of procedures, time available to perform operations, etc. can also be derived from these sources. An alternative approach is to use techniques which systematically elicit expert judgements regarding the relative effects of different variables on human reliability. Estimates of Absolute Human Error Probabilities (Type QDANT2) The availability of absolute data on human error probabilities is a topic of considerable controversy. Briefly, the 'empirical ' position on quantitative human error data holds that such data are only valid if they are ultimately based on observed frequencies of errors obtained from operational situations, simulations, or experiments which can be validly extrapolated to operational situations. Tha ' subjectivist' position, whilst agreeing with the empirical approach for situations where such data can be validly collected, argues that: o Such an approach cannot be applied to 'rare event' situations because it will never be possible to gather an adequate amount of data under conditions similar to those to which the data will be applied. o Many crucial aspect s of huma n performanc e in high risk situations, (e.g. decision making, diagnosis) do not involve externally observable processes that can be recorded in order to generate error rates and therefore probabilities. o However imperfect the perceptions of the available experts may be regarding the likely HEPs for a given (rare) situation, these perceptions (where systematically elicited) represent the best available evidence and must therefore be regarded as being best estimates of HEPs. o Strictly speaking error probability estimates derived from frequencies are only useful if the underlying causes are the same for every error in the sample. This assumption is rarely met. Conclusion Useful qualitative data can be collected from operational experience and from simulators. In the nuclear industry (particularly in the US, France and Scandinavia) the benefits of having structured and systematic human performance data gathering exercises are becoming clear. Other industries 80need to learn from this success. However , there remains the need to use cognitive models of error causation more extensively in the collection and analysis of human performance data. Future research should look to finding methods of assisting analysts to utilise such theoretical insights in a practical situation. In our view the best approach to the collection of quantitative human error data within any industrial setting is a pragmatic one. Both empirical ("objective") and judgmental ("subjective" ) data should be utilised. Since only a small amount of empirical data can be collected (relative to the overal l need) , this should be used within expert judgement based techniques. The best sources of data for these purposes are likely to be simulator studies (in the medium term) and a comprehensive system aimed at collecting data on operational errors and near misses in the longer term. References 1. Ball, P. et al (1985 ) Guide to Reducing Human Error in Process Operations, 3RD Report R347, UKAEA, Wigshaw Lane, Culcheth, Warrington. 2. Beare, A.N. et al (1984) A simulate r-based study of human error in nuclear power plant control room tasks. NUREG/CR-3309, SAND 83-7095. 3. Embrey, D.E. (1986) SHERPA: A Systematic Human Error Reliability and Prediction Approach. Paper presented at the ANS/ENS international iGOpical meeting on Advances in Human Factors in Nuclear Power Systems, Knoxville, Tennessee. 4. Embrey, D.E. , Carroll, J.E. and De Montmollin, M. (1986) The INPO Human Performance Evaluation System: A review and proposals for further development. Proceedings of a conference organised by INPO and EOF, Lyons, France, June 1986. 5. Lucas, D.A. and Embrey, D.E. (1986) A pilot study of the root causes of human errors in dependent failures. Report prepared for EPRI , Palo Alto, California. 6. Lucas, D.A. (198?) Human performance data collection in the nuclear industry. Human Reliability in Nuclear Power. IBC Technical Services Ltd. 7. Norros, L. and Sammatti , P. (1986 ) Nuclear power plant operator errors during simulator training. Technical Research Centre of Finland, research reports 446. 818. Rasmussen, J. (1983) Skills, rules and knowledge: Signals, signs and symbols, and other distinctions in human performance models. IEEE Transactions on Systems, Man and Cybernetics, SMC-13 (3) , 257-266. 9. Reason, J. (1987) Generic Error-Modelling System (GEMS): A Cognitive Framework for Locating Common Human Error Forms. In: Rasmussen, J., Duncan, K. and Leplat, J. (eds. ) Hew Technology and Human Error. Chichester: Wiley. 10. Swain, A. and Guttmôr 1 ., H. E. (1983) Handbook of human reliability analysis with emphasis on nuclear power plant applications. NUREG/CR-1278. 11. Woods, D.D. (1984) Some results on operator performance in emergency events. Institute of Chemical Engineers Symposium Series, 90, 21-31. 82COLLECTION, ANALYSIS AND CLASSIFICATION OF HUMAN PERFORMANCE PROBLEMS AT THE SWEDISH NUCLEAR POWER PLANTS* J.-P. BENTO Swedish Nuclear Training and Safety Center (KSU), NyRoping, Sweden Abstract The last six years of operation of all Swedish nuclear power plants have been studied with respect to human performance problems by analysing all scrams and licensee event reports (LERs). The present paper is an updated version of a previous report to which the analysis results of the year 1988's events have been added. The study covers 197 scrams and 1759 LERs. As general results, 38% of the scrams and 27% of the LERs, as an average for the years 1983-1988, are caused by human performance problems. Among the items studied, emphasis has been put on the analysis of the causal categories involved in human performance problems resulting in plant events. The most significant causal categories appear to be "Work organization", "Work place ergonomics", "Procedures not followed", "Training" and "Human variability". Introduction Human performance problems in Swedish nuclear plants have been assessed by analysing all reported scrams and licensee event reports (LERs) for the years 1983—1988. The objectives of the present study have been to: Identify the causal categories related to human performance problems at the Swedish nuclear plants. Map the topography and trends of the dominant causal categories. Assess the effects of taken corrective measures and eventually propose complementary ones. KSU, Nuclear Training and Safety Center is a company owned jointly by the four electricity companies in Sweden operating nuclear power plants. KSU 's main activities are with simulator training, safety analyses and experience feedback. 83Accordingly, the present study covers 197 scrams and 1759 LERs. As an average for the last six years 38% of the scrams (or 1,1 scrams/reactor/ year) and 27% of the LERs (or 7,1 LERs/reactor/year) are caused by human performance problems. See figures 1 and 2 below. Scrams/reactor/year Human performance 4- 3- 2- 1- f* *V*MWW !> V&& 32% n i c — — 36% 7\ '. r**""" " 3391 ?1 <: P1 ^ •"" & ^ 57% u ym f • »U1C1lib J> " -3J5K 33% 71 s —!T ^i ,1S&. 38% • - _ mean = 1,1 83 84 85 86 87 88 Year Figure 1: Swedish scram history and human performance problems LERs/reactor/year 30- 20- 10- Human performance problems 27%i 25% 24% 22% 29% 35% mean = 7,1 83 84 85 86 87 Year Figure 2: Swedish LER history and human performance problems 84Data collection The Swedish nuclear utilities developed early a common computerized system for experience feedback which included the systematic collection, analysis and dissemination of plant events. This exhaustive data base covers all licensee events (in accordance with the Plant's Technical Spécifications), scrams and significant events caused by component failures and/or human performance problems at Swedish nuclear power plants. This computerized data base and communication system was operative in 1981. The analysis of human performance problems at the Swedish nuclear power plants follows as a whole two main working lines: Recurrent screening and analysis of the above mentioned data base with respect to scrams and LERs, the results of which are described in the present paper.The two event categories scrams and LERs have been chosen because their reporting criteria are precisely defined in each plant's technical specifications which do not change with time. This is a prerequisite for any reliable trend analysis. In-depth analysis of specific events of the nature of human deficiencies. These events encompass primarily significant events and to a lower extent selected scrams and LERs. Such detailed analyses have been performed successfully during the latest year using the HPES-methodology (Human Performance Evaluation System) originally developed by the NASA and further refined by INPO (Institute of Nuclear Power Operations) in the USA. The results of these analyses are not further discussed in the present paper. One underlying reason is that the selection of these events depends on judgements rather than on unambigous criteria. Another reason is that the analyses, by their amount, constitute a sparse statistical data base. Analysis methodology In the present study, all reports for the years 1983 -1988 where screened twice and independently by KSU's technical experts with broad system and plant knowledge. The events related to human performance problems where studied in further detail, if the human deficiency(ies) had occurred inside the plant(s). This means for example that a human error committed by a valve manufacturer has not been further investigated. 85The events with feature of human performance problems were evaluated according to: a) Consequence on plant / system b) Plant operation mode c) Consequence on plant operation d) System / component affected e) Personnel category involved f) Location of occurrence g) Work type h) Work activity i) Type of inappropriate action j) Causal category If interpretation difficulties or other questions arose during the evaluation and classification of some event(s), contacts were taken with the KSU's instructors for the plant affected. When these discussions were judged insufficient, further contacts were taken directly with the concerned plant staff. After these careful analysis steps and classification, each studied event was entered in a data base installed on a PC for further statistical analysis. The different steps of the analysis are schematized in figure 3 below. Screening/Identification •'••"•'T""-" Evaluation/Classificaîion — \ —— ~ï«--- h Discussion with instructors i 1 Discussion with plant staff i * f V V Entry in data base 1 .... 1 y.... 4 ï Recommendations/Corrective actions Figure 3: Analysis methodology 86Analysis results When analysing the scram répons and the LERs it became evident that die two event categories should not be mixed together if valuable trends were to be identified. Thus the results presented below cover scrams and LERs separately. The statistical variation of the elements of each analysed category, (a - j) above, is not significant for most of the categories. This is valid with respect to both the reactor types and the years studied. Thus the percentages given in the figures below are mean values averaged over the six years studied. For easier overview and comparison the topography of the different categories is presented by order of decreasing frequency as related to scrams. The figures being hopefully self-explanatory, only short comments are provided in connection with each figure. Consequence on plant/system In figure 4, scrams associated with human performance problems have been classified as "Safety related" when the EPS- logic (Reactor Protection System) has been actuated first. "Avai- lability related" means primarily that the turbine protection system was actuated first. Scrams Category Safety related Availability related Several systems unav. One system unav. Several subs unav. One sub unavailable Reduced system function No impact LERs 10 20 30 40 SO 60% 10 20 30 40 50 60% Figure 4: Categorization of scrams and events For LERs the contribution to "Safety related events" originates mostly from human performance problems during refueling and handling of fuel elements. Due to the high degree of redundancy of the safety systems in Swedish LWRs (mostly 4-redundancy) LERs have most often only limited impact on one train of one system. 87Plant operation mode Scrams caused by human performance problems occurred mostly, as expected, during power operation (76%), nuclear hearup (13%) and hot standby (7%). Scrams occurring during nuclear heatup originate mostly from untimely (too late) SRMflRM switch- over in BWRs, which results in RPS activation. Concerning LERs the frequency distribution is dominated by power operation (66%) and refueling (27%). Hereby, one has to emphasize the relative difficulty to correctly assess the human performance problems which occur during refueling outages. Indeed their manifestation can often be delayed by weeks or months. Consequence on operation No diagram is presented for this item because no LER had any consequence on plant operation. The consequence of scrams on plant operation is obvious. System/component affected As shown in figure 5, valves together with components belonging to the process instrumentation (pressure transmitters etc) are the components most affected by human performance problems. In the category "Other" for scrams is included the neutron instrumentation (SRM, IRM etc) which explains the relative high ratio of "Other" in the statistics. Scrams 1 3 2= 1 3 jm i 10 20 30 Category Passive component Valve Pump Diesel generator Electrical component Instrumentation Electronics Process control Computer Other LE] =: til L IT3 T Els "*1 ^^j ^ j ^ 10 20 30% Figure 5: Components affected by human performance problems 88Personnel category A remark concerning "Personnel category" derives from the fact that many events occurred due to the poor performance of more than one person. In such cases the person with the highest share in each of these events has been selected as "responsible". The frequency distributions in figure 6 are in good agreement with what could be expected. Scrams Category Operation personnel I&C department Electrical dept Mechanical dept Contractors Rad-Fire-Data dept Chemical dept Roundmen Cleaning dept LERs 10 20 30 40 SO 60% 10 20 30 40 50 60% Figure 6: Who was involved in scrams and events For scrams, besides the category "Operation personnel" one can mention that "Instrumentation & Control" performance problems often affect the reactor protection logic directly with a subsequent risk for scram. This is reflected by the distribution, especially when comparison is made with "Mechanical" or "Elec- trical". For both scrams and LERs "Operation personnel" includes both control room personnel and operation support staff. Each of these two sub-categories is roughly the origin of the same number of LERs. Furthermore the dominance of "Mechanical" is to be associated with the dominant categories of affected components: valves and pumps. 89Location of occurrence The distributions in figure 7 were expected. A comment for "Radiological areas" is that most areas (reactor and turbine buildings) of the B WRs have been conservativly classified as radiological ones. Scrams 10 30 50 Location Control and relay rooms Station (radiological areas) Station (non rad. areas) Office Workshop Outdoor LERs 70% "-"- I 10 30 50 70% Figure 7: Where occur the human performance problems Work type The frequency distributions of figure 8 reflect and complete the topography of "Component affected " and "Personnel category". For scrams, besides the obvious dominance of "Operation" as the main single activity resulting in scrams, evidence is also provided of the sensitivity of I&C's performance during testing and calibration. For LERs one recognizes the strong influence of Mecha uring maintenance and repair of, primarily, ^ —. „_^„ one recognizes tne strong iniiue nical's performance during maintenance and repair valves and pumps Scrams Work type Operation Testing/Calibration Maintenance/Repair Installation /Change Design Manufacturing Handling in RPV LERs 10 20 30 40 50% 10 20 30 40 50% Figure 8: What work types resulted in scrams and events 90Work activity The frequency distributions of figure 9 show a good consistency between scrams and LERs. The dominance of the work activity "Action" is evident and counts for about 60% of the analysed events. The other activities (preparation, interpretation, decision, control) are distributed almost evenly. Finally, the activity "Reporting" contributes with less than 2% to the events of the nature of human performance problems. Scrams Work activity Action Interpretation Decision Control Preparation Reporting 10 30 50 70% LERs 10 30 50 70% Figure 9: What work activities resulted in scrams and events Type of inappropriate action The frequency distribution for Scrams in figure 10 is dominated by "Untimely act". This has to be connected with numerous mild scrams occuring during nuclear heatup of some of the BWRs due to untimely switchover of SRM/IRM instrumentation. This manual action has been replaced in newer BWRs by an automatic function. Inappropriate action type Scrams LERs Untimely act Omission Confusion Wrong/extraneous act Not applicable/other IS 25 35% 15 25 35% Figure 10: How scrams and events occur 91Causal category The causal categories in figure 11 are important because they represent potential areas for corrective actions. These causal categories reflect "Why" human performance problems occur. It must be observed that two or more causal categories are involved in about half of the scrams and events of the nature of human perfor- mance problems. The dashed areas in figure 11 represent the ratio of each causal category as single contributor to scrams and LERs respectively. 75 Scrams g&l Single root cause dl Part root cause Human variability Training Procedures not followed Work place ergonomics Task complexity Procedures (content) Communications (verbal) Work organization Work schedule Change organization Work environment 479 LERs 10 IS 20 25 10 40 70 100 130 160 Figure 11 : Why scrams and events occur Some of the most significant causal categories and corrective actions are discussed below. Human variability: The frequency distribution for the analysed scrams is dominated by "Human variability". The main explanation for that is the same as in paragraph "Type of inappro- priate action" and is accordingly related to operator carelessness during nuclear heatup. For LERs "Human variability" mostly express insufficient concentration during task accomplishement or carelessness and contributes as single causal category to 22% of the LERs related to human performance problems. That corresponds to about 6% of all LERs having occurred in Swedish nuclear plants during the last six years. 92For most of the studied events it appears difficult to propose any common and effective remedy against this type of random performance problems. However higher motivation and enthusiasm of the different staff categories would definitively prevent a significant pan of this type of events. This is especially true today when all plants have reached a "steady-state" of normal operation at full power with very few disturbances and more and more routine tasks. Work place ergonomics: The contribution of "Work place ergonomics" was not expected to take such a quantitativly important place in the frequency distribution for both scrams and LERs. "Work place ergonomics" is involved in about 25% of the scrams and events of the nature of human performance problems. Further- more this causal category accounts, as a single root cause category, for about 5% of the studied scrams and LERs. This corresponds to about 2% of all scrams and events having occurred in the Swedish plants during the last six years. These values are roughly the same as the ones obtained for "Procedures not followed" or "Work organization" below. This causal category represents events related to components with poor accessibility in the plants as well as components with ergonomically poor design for calibration and maintenance. Procedures not followed: The causal category "Procedures not followed" is involved in about 25% of the events related to human deficiencies. A reliable assessment of the underlying causes is not easy. However one can mention that "Training" is also invol- ved in about 1/3 of the events categorized as "Procedures not followed". It is thus possible that additional emphasis on the respect (attitudes and mindsets) of procedures should reduce the number of both scrams and LERs. Training : In combination with other causal categories "Training" is involved in about 20% of the LERs and 30% of the scrams of the nature of human performance problems. As single causal category "Training" contributes to 3% of the scrams and about 2% of the LERs analysed in this study. This corresponds to 1% and 0,6% respectively of all scrams and LERs having occurred in Swedish nuclear plants during the last six years. A comment must here be formulated concerning the above percentages relating to "Training" which may be judged as too low. It must be hereby recognized that a significant part of human performance problems deals with relatively simple and common tasks during calibration or maintenance works for example. Most of these human deficiencies have in the present study been assessed as caused by "Human variability" i.e. carelessness during task accomplishement. 93A pertinent question is whether recurrent practical training (for example dismantling of valves and going through inadequate maintenace acts, making clear of the potential consequences on plant operation) of maintenance technicians, I&C and other technical support staff could significantly reduce the frequency of this type of human performance problems? The answer to this question is probably positive. In the light of the above comment, the critics may be right: training in its broad sense is probably involved in more plant events than what the above percentages show, reducing through this the contribution from "Human variability" Work organization: "Work organization" including administrative routines dominates clearly the frequency distribution for LERs. This causal category is involved, in combination with other categories, in about 1/3 of the events of the nature of human performance problems. "Work organization" is the second most important single contributor to the occurrence of the studied LERs (same contribution as "Procedures not followed"). The relative importance of "Work organization" was earlier not expected to such a degree. To reinforce the plant's administrative protective uarriers by reasonable stringency of organizational methods and routines seems motivated. Summary According to the present study, human performance problems in Swedish nuclear plants have not attained alarming levels. Furthermore, no robust trend has been identified over the last six years of operation. However, these conclusions do not mean that the utilities may lull themselves into complacency. In order to further reduce the impact of human perfor- mance problems in their plants, the Swedish utilities should allocate increased attention to: reinforcing more stringent work organization and administrative routines sensitizing the operating staffs to the rigorous respect of procedures improving work place ergonomics maintaining high morale, motivation and enthusiasm among the staff. Succeeding in the latter delicate task is of utmost importance for optimum human performance. This task is especially delicate for the Swedish utilities due to the notorious political decision to phase out all nuclear power in Sweden by 2010. 94HUMAN CHARACTERISTICS AFFECTING NUCLEAR SAFETY M.SKOF University Institute of Occupational, Traffic and Sports Medicine, University Medical Centre Ljubljana, Ljubljana, Yugoslavia Abstract It Is important to collect data about human behavior in work situation and data about work performance. On the basis of these data we can analyse human errors. Human reliability analysis gives us the input data to improve human behavior at a work place. We have tried to define those human characteristics that have impact on safe work and operation. Estimation of a work place was used for determination of important human characteristics. Performance estimations were used to define the availability of workers at a work place. To our experience it is very important to pay attention to R.fl. and R.C. also in the area of human factor. Data for quality assurance in the area of human factor should be collected from selection procedure (the level of cognitive and conative abilities, the level of physical characteristics, the level of education and other personal data). Data for quality control should be collected from the periodical examinations of annual checking and evaluation of human working capacity as well as from training For quality control of every day human performance data of staff estimation of their daily working performance and well-being should also be collected. With all these data more effective analyses of all events in nuclear power plants could be provided. Quality assurance and quality control in the area of human factor could help us to keep the optimum performance level of the plant staff and to avoid human errors. 95INTHODUCTION At the beginning of commercial utilization of nuclear energy it was believed that nuclear power plants were absolutely safe. It was not thought of incidents, but incidents have happened. So, safety systems had to be improved, they had to improve quality assurance. With experience of heavy nuclear incidents another important factor in the area of nuclear safety was realized - worker working in a nuclear power plant and his errors. His errors were discovered. It can be read in different reports that 50 to 70 per cent of incidents in nuclear power plants have been caused by workers. Thus, human errors have become very important. It is simple to say : "Incident was caused by human error". But what kind of human error? What has happened with workers, why do they react in this way and not another way? It is important to collect data about human behaviour in the work situation and data about work performance. On the basis of this data we can analyse human errors. Human reliability analysis gives us the input data to improve human behaviour at a work place. Human behaviour has to be changed and improved. The causes for human errors have to be eliminated. PROBLEM We have to define those human characteristics that have impact on safe work and operation. We have to define those human behaviour traits that can be recorded and may cause human errors. In the selection of personnel optimal performance level has to be taken into account. Personnel must have enough high performance level from very beginning and they must keep it at the optimal level during the whole work period. METHODS Estimation of a work place was used for determination of important human characteristics. Performance estimations were used to define the 96availability of workers at a work place. The interviews were used for description of behavioral patterns important for safe work and operation. RESULTS On the basis of job analyses we got the selection criteria. Adequate selection assures safe operation and work. It is a kind of human quality assurance. With selection the right people are choosen. But we can not assure perfect work during all the time. We assured only the most adequate persons, with adequate abilities and stable personality. We have had the selection data for ten years. We can compare the level of abilities with work efficiency. From these comparisons we can conclude that operating staff with higher level of general and specific abilities attain higher efficiency. Stable personalities are also more succesful at work. We have the human abilities data, we have the plant performance data. With selection we get quality assurance - but only quality assurance is not enough. With performance estimations we got the human availability data. The same people may behave differently in the same situation. Their levels of stress resistance differ.For safe operation and work adequate performance level has to be assured. Adequate performance levels have to be in all shifts. From our measurements we can see that operating staff can estimate their performance level quite good. Their estimation of their well being also indicates their performance level. The most important problem for us is : is it possible to find these behavioral traits which may cause operating errors? Are the operators able to estimate their performance level exactly? Does there exist any connection between human performance level and errors distribution? OUR RESULTS In this purpose the comparison between human performance level and errors distribution was done. 97The fatigue level M df M _ 1,66 1 N 1.77 0,11 M__1Z83 2 N 2,20 M___2Z29 3 N 2,60 M__2Z63_ 4 N 3,11 0,84 Measurement Legend : M - mean SD - Standard deviation M - morning shift(22 - 06) 1 - first measurement 2 - second measurement 3 - third r,3asurement 4 - fourth measurement df - difference between morning and night shift The M 1 N M 2 N M 3 N M U N level of M 4,01 3,94 3,75 3,62 3,47 3,26 3,19 2,80 work motivation » df SD 0,91 A- 0,07 0,77 -j. 0,85 0,13 0,32 *' 0,88 0,21 t 0,7 9 0,79 0,39 1,06 Figure 1 Degree 4 Z Measurements Legend : M - mean SD - standard deviation M - morning shift(22 - 06) 1 - first measurement 2 - second measurement 3 - third naasurement 4 - fourth measurement df - difference between morning and night shift Figure 2 98The estimation of fatigue level is quite exact. The operating staff can estimate their fatigue level quite well. From the distribution of fatigue estimation we can see the increase in the fatigue level from the beginning to the end of the shift.The fatigue level is higher in the night shift. But the differences are small. During the observing time the fatigue level was not critical. Motivation for work decreases from the beginning to the end of the shift. The decrease in the working motivation is a little bit greater in the night shift. The time distribution of forced trips (from 12.03.1983 to 31.12.1988) Hour of the day 06.00 - 06.59 07.00 - 07.59 08.00 - 08.59 09-00 - 09-59 10.00 - 10.59 11.00 - 11.59 12.00 - 12.59 13.00 - 13-59 H4.00 - 14.59 15.00 - 15-59 16.00 - 16.59 17.00 - 17.59 18.00 - 18.59 19.00 - 19.59 20.00 - 20.59 21.00 - 21.59 22.00 - 22.59 23.00 - 23-59 2U.OO - 00.59 01.00 - 01.59 02.00 - 02.59 03-00 - 03-59 Ot.OO - 04.59 05.00 - 05-59 3_te Humber of trips 3 2 2 3 3 1 3 1 3 2 2 li 0 3 1 1 1 2 0 1 1 0 Shifts Figure 3. 99During the morning shift the number of trips was the greatest one, the smallest one was in the night shift. Curves of all three distributions indicate the performance level of the plant staff. Staff avalilability depends of staff fatigue and performance and it is realized in the level of production of energy in nuclear power plant. DISCUSSION It is difficult to define the most important data for human reliability. We are convinced that we have to collect enough human performance and well-being data. The exact estimation of work prformance, fatigue level and behavioral availability assure us quality control. In the area of human factors, quality assurance is provided with selection of operation staff. What is lacking-is quality control in the area of human factors. Continuous recording and estimation of their performance level by the operating staff assure us the input data for better and more objective analyses of plant events. We have equipment data. We have quality assurance and quality control for equipment, but human data are not collected enough sistematically. We have quality assurance for operating staff, we have annual checking of their availability and performance, but we do not have sistematically collected every day human data. In the operation log book the equipment status data are recorded but human performance data are not usually recorded, so we know nothing about the crew. But if something happens, then we would like to have also the human data. We want to know everything about the crew, about their behaviour, performance, communication and well-being. But it is very difficult to collect data of past events. From our experience it is possible to find the correlation between the estimated work performance of the crew and the plant availability. For further more objective analysis more crew performance data must be collected. Event analyses would be more exact with collected human factor data. 100For quality assurance and quality control in the area of human factor impact on safe operation and safe utilization of nuclear energy human factor data should be or better must be collected. The data from the selection procedure : - the level of cognitive abilities, - the level of conative abilities, - the level of affective characteristics, - the level of physical characteristics, - €he level of education, - other personal data. Adequate level of each of the ability or characteristics assures the possibility for effective work. Data from the periodical examinations : - annual checking and evaluation of human working capacity, - results of training, - results of working performance. Every day human performance data : - data from staff estimation of daily working performance Daily performance level for each member of the crew should be recorded in the operating log book. Self estimation of working performance should be recorded in the operating log book like the equipment parameters are recorded. With all these data more effective and objective analyses of all the events in the nuclear power plants would be provided. More objective analyses would point to the errors and déficiences in operation and maintenance of nuclear power plant. Detection of errors would help us to avoid them, it would help us to assure higher level of safety and better performance. Quality assurance and quality control in the area of human factors would help us to keep the optimum performance level of the plant staff. 101BIBLIOGRAPHY 1. Swain, A.D. , Guttman, U.E. : Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, Nureg/CR - 1278, October 1980 2. Johansson, G., Gordell, B. : Work-Health Relations as Mediated Through Stress Reactions and Job Socialization, Topics in Health Psychology, Mew York, Wiled and Sons Ltd. , 1988 3- Johansson, G. : Indivi'dual Control in a Repetetive Task : Effects on Performance , Efforts and Physiological Arousal, 1981, University of Stockholm 102HUMAN RELIABILITY MODELS VALIDATION USING SIMULATORS M. DE AGUINAGA, A. GARCIA Tecnatom, SA J. NUNEZ, A. PRADES Centre de Investigaciones Energéticas, Medioambîentales y Tecnolögicas (CIEMAT) Madrid, Spain Abstract The Research Project on the area of Human Relia- bility, carried out within the framework of the Research Program on Quantitative Risk Analysis (PIACR) financed by UNESA, is centered on observations of behaviour in the diagnosis and management of accident situations affecting real operational equipment, using requalification programs on full-scope simulators. The aim of these observations is to validate the human reliability models currently in use in Probabilistic Risk Assessment (PRA). The project is being developed by Tecnatom, as the main participant. OBJECTIVES The objectives of this project, besides the vali- dation just mentioned, (References 1 and 2) can be summed up as follows: - Analysis and selection of human reliability models and techniques used in PRA. - Classification and typification of errors and factors influencing human behaviour, using cognitive behaviour models as a reference. - Development of a data acquisition metodology for the performance and analysis of observations. Description of a methodology applicable to PRA. 1031968 > l 2 1 3 1 1989 • * 0 A 3 1 4 1 l 1990 2 1 3 | M 1991 LITERATURE REVIEW SELECTION OF SCENARIOS REPORT NS 1 METHOD. OF DATA GATHERING DATA GATHERING SOFTWARE REPORT N2 2 DATA GATHERING ANALYSIS REPORT N2 3 APPLICATION TO PRA FINAL REPORT Figure 1: Project Activity Plan COGNITIVE BEHAVIOUR MODELS Human errors in the operation of nuclear power plants can initiality be studied on the basis of a clas- sification grouping human activity into two situational areas : I) Routine situations II) Accident situations Human errors pertaining to type I situations are already being "satisfactorily" studied and modelled; the contrary, however, is true of type II situations. The fact is that in these situations, which may be further subdivided theoretically into two phases: a) diagnosis and b) execu- tion, it has been difficult to interpret human response on the basis of the psychological models used earlier in PSA. The above problems, combined with the very sig- nificant contribution to overall risk made by human response in accident management, means that research has been orien- tated towards development of models applicable to nonroutine situations. 104The research project described in this paper follows this trend. Its main objective being the validation of models currently used in PRA to predict human reliability in accident situations, focussing in HCR model. It is planned to add to this objective a second one, such as that included in Reference 9, consisting of the classification of human errors accompanying the selected model(s). This extension to the basic objective will be based on causal type cognitive behaviour models. SCENARIO ANALYSIS This activity has a dual objective. On one hand, the tasks to be carried out by the operations team are defined and the human errors to be expected in task execu- tion will be estimated. On the other hand, the indicators permiting the aspects influencing task execution (PSF's) to be evaluated will be established. Scenario analysis makes possible to define those tasks whose execution has an important effect on the plant. These tasks are represented by means of a binary tree whose adequacy has been fully corroborated on the simulator while all significant parameters were measured. Later analysis makes possible to predict reliabil- ity-time curves (See Figure 2) for the above tasks, in order to quantitatively estimate the probability of no response to be obtained. The above analyses will be calibrated "a poste- riori" with a view to incorporate more realistic parameters directly based on the observations made. This will allow an estimate to be made with regard to the extent to which the models and techniques used can be adjusted to reality. Î051OO 1OOO TIME Figure 2: Probability of faulty diagnosis with time. Reference 5 OBSERVATIONS TO BE MADE It is planned to carry out observations of up to one hundred situations in the control room. The information will be gathered by means of interviews with the operators and instructors, direct observation, recordings on audio- visual media and the surveillance of the position of hands- witches, alarms and indicators by specific software deve- lopped to this end. Some coments on the equipment and re- sources used follow. Interviews will be conducted aided by specific ques- tionnaires directed to Instructors and operation teams at the following levels . Each requalification. . Each scenario. . Each time an error is observed. 106Audivisual records are made using the following equipment: Video: 4 Cameras (B&W) 1 Vision Mixer 1 Magnétoscope 1 Monitor Audio: 7 Unidirectional Mycrophone 2 Sound Mixer Direct observation will be based on the presence of two members of the research team later in change of interviews. Time sequence record keeping is being assured by means of the surveillance of: 45 Alarms 100 Handles 13 Parameters 34 Malfunction All this information will be classified and or- dered through an appropriate database, which will provide the analysts with an useful tool for the handling of the data and their later analysis. This data base is structured in the following three areas: Theoretical Results The first area is dedicated to store the results obtained in the theoretical study before simulation. It means estimated, median response times, PSF's, likely errors, cognitive proccesing type and non response probability. 107- Obiactive Data The second area contains real response times actions and errors comitted by real operators in simulators requali- fication sessions. All these data will be obtained by audiovisual or software equipment. - Subjective Data The last one includes the informations gathered by the cuestionnaries and instructors observation. The aim of those consists in getting useful data for the PSF's and cognitive processing evaluation. METHODOLOGY APPLICABLE TO PRA The results of the project will be incorporated into a methodology applicable to analysis of Human Re- liability in Probabilistic Risk Assessment. More than an application guideline considering different methods and alternatives, this methodology will be a proposal for the phases of analysis to be performed and a detailed descrip- tion of the steps to be taken in applying valid methods for this type of analysis. CONCLUSIONS Experience in the operation of nuclear power plants clearly shows that the human factor plays an import- ant role in the safety of this type of installations. The project described herein constitutes one of the first research efforts made in the area of Human Reliability in Spanish plants, and its performance will be an important first step in this technology. The specific project products that should be underlined are the development of a human reliability analy- sis methodology for PRA, classification methods for errors 108in diagnosis and a contrasting of models currently in use with observations made on the simulator using Spanish crews. REFERENCES 1 "Especificacion para la realizaciôn de trabajos de inves- tigaciön en el area de la fiabilidad humana" (Specifi- cation for performance of research tasks in the area of human reliability) UNESA. June, 1987. 2 "Oferta para la realizaciôn de trabajos de investigaciôn en el area de la fiabilidad humana" (Offer for per- formance of research tasks in the area of human reliabil- ity) TECNATOM, S.A. July, 1987. 3 NUS 4531 "Human Cognitive Reliability Model for PRA Analysis", G.W. Hannaman et al. December, 1984. 4 Oconee PRA Project Team. Sugnet, W.R. Bayd, G.J., Lewis, S.R. 5 NUREG/CR 4532 "Models of Cognitive Behaviour in Nuclear Power Plant Personnel" D.D. Woods, E.M. Roth, L.F. Hones, 1986. 6 NUREG/CR 4772 "Accident Sequence Evaluation Program; Human Reliability Analysis Procedure". A.D. Swain, 1987. 7 EPRI/REP 2847-1 "Operator Reliability Experiments and Model Development; Request for Proposal", 1986. 8 "Using Simulator Experiments to Analyze Human Reliability for PRA Studies". V. Joksimovich, D.H. Worledge. Nuclear Engineering International, January, 1988. 9 "Human Factors Principles Relevant to the Modelling of Human Errors in Abnormal Conditions" Technical Report EC1 1164-87221-84K. European Atomic Energy Community. Reason, J.T. and Embrey, D. 10910 "On the Structure of Knowledge. A Morphology of Mental Models in a Man-Machine System Context". Rasmussen, J. Forsogsanlaeget, Riso-M.2192, Roskilde, 1979 11 Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. Swain, A.D. Guttmann, H.E. NUREG/CR-1278, August, 1983. 110OUTLINE OF THE DEVELOPMENT OF A NUCLEAR POWER PLANT HUMAN FACTOR DATA BASE A. KAMEDA Institute of Human Factors, Nuclear Power Engineering Test Center T. KABETANI Human Factors Research Center, Central Research Institute of Electric Power Industry Tokyo, Japan Abstract In the Japanese nuclear power plants, every conceivable safety measure has been taken at each stage such as its design, fabrication, construction, opera- tion, and maintenance; therefore, it is considered to be very unlikely that a significant accident which declines the reactor safety may occur. However, in consideration of the lessons from the TMI and the Chernobyl accidents, organi- zations for assessing human related events were strongly required. Based on such requirement, the Institute of Huian Factors (JHF) of the Nuclear Power Engineer- ing Center (NUPEC), and the Human Factors Research Center (HFC ) of the Central Research Institute of Electric Power Industry have been establihed, in 1987, for national and utility sector respectively. These organizations aim to enhance furthermore reliability and safety of nuclear power plant.They are collaborating for research on human factor issues from the point of their own view; IHF is mainly in charge of fundamental subjects and HFC is mainly in charge of practi- cal subjects. The current status of both human factor data bases, and classifi- cations of human error data in these research centers will be presented. IHF is developping the data base in order to use it for the purposes of: (1)development of human reliability evaluation methods, (2) analysis/evaluation of incident and accident data. (3) analysis/evaluation of cognition, judgement and performance of humans. The data base is to consist of: (1) human reliability data file, (2) human error incident data file, (3) laboratory data file, and (4) literature file. The data are to be collected mainly from domestic and abroad literatures for the time being, and further some human error related data are to be selected and analysed out of incident data reported according to the national incident reporting system. HFC's data base is likely to take similar structure to that of IHF: however it has some characteristics different from IHF, for example, it has an "infor- mation exchange data base " and a hardware structure so that it can exchange the information smoothly with the domestic electric utilities because they are con- sidered to be primary users of the data base. Concerning the classification of human error data, it is regarded as a key factor to determination of the above-mentioned data base structure, but it is likely to be affected by purpose of data utilization, analytical technique, etc. Both of the centers are currently conducting survey and study on various classi- fication methods including classification by PSF, classification by task, etc. il l1. General The occurence rate of incident and failure in the domestic nuclear power plant, as shown in Fig.1-1, has been decreasing; however/ the occurence rate of human related events has been staying at the almost same level. C- z \ en o o o as OS Total Number of NPP * Rate of Occurence of Events —* Sate of Hunan Belated Events 0 20 o_ 1969 '7 0 '7 1 '7 2 '7 3 '7 4 '7 5 '7 6 '7 7 '7 8 '7 9 '8 0 '8 1 '3 2 '8 3 '8 4 '8 5 '8 6 '3 7 Fig . 1 — 1 Trend of NPP Construction and Rate of occurence of Events In the Japanese nuclear power plants, every conceivable safety measure has been taken at each stage such as its design, fabrication, construction, opera- tion, and maintenance; therefore, it is considered to be very unlikely that a significant accident which declines the reactor safety may occur. However, in consideration of the lessons from the TMI and the Chernobyl accidents, organi- zations for assessing human related events were strongly required. Based on such requirement, the Institute of Human Factors (IHF) of the Nuclear Power Engineer- ing Center (NÜPEC), and the Human Factors Research Center (HFC) of the Central Research Institute of Electric Power Industry have been established, in 1987.for national and utility sector respectively. These organizations aim to enhance furthermore reliability and safety of nuclear power plant.They are collaborating for research on human factor issues from the point of their own view; IHF is 112mainly in charge of fundamental subjects and HFC is mainly in charge of practi- cal subjects. The current status of both human factor data bases, and classifi- cations of human error data in these research centers will be presented. 2. The Data Base Development Program 2-1. The Objective of Human Factor Data Base The final objective of human factor data base is to reduce human errors in nuclear power plants. For such purpose, human factor data base is prepar- ed to collect such information systematically and to provide the data to the studies and researches for reducing human errors timely and in appropriate form to be required by such works. Specific applications are, as shown in Figure 2-1, (D Development of Techniques of Human Reliability Analysis The reflection in PRA taking account of human factors. (D Analysis and Evaluation of Incidents and Failures Data. The reflection for the improvement of man-machine interface, opera- tion/maintenance management, and education/training for personel. (D Analysis and Evaluation of Human Cognition, Judgement and Behavior. The reflection in modeling of the human behavior in NPP. DATA BASE ; Huaan Error Events Data :Husaa Reliability Data Laboratory Data Basic Plant Data Others Davelopaent of Techniques of Huaan Reliability Analysis Analysis and Evaluation of Incidents and Failures Data Analysis and Evaluation of Human Cognition,Judge nent and Behavior Jther Studies and Analysis related to Huaan Factors Establishnent of PRA Taking Account of Human Factors r Risk Assesaent of Nuclear Power Plant Sensitivity Analysis Uproveaent of HMI,Opera- tion/Maintenance Managanent. Education/Training Modeling of Hunan Behavior Cost Analysis/Evalua- tion for Modification and laprovenent Analysis/Evaluation of Huaan Behavior in Eaergency Fig. 2-1 App! ications of Hunan Factor Data Base 113The objective and applications of the human factor data base, described here, are almost common for both IHP and HFC. However,based on the histories of individual organization- the main users of IHF data base are the govern- ment agencies(including IHF itself), and of HFC data base are utility compa- nies(including HFC itself). 2-2. The Structure and Function? of Data Base Both IHF and HFC data base has similar structure. But some of their func- tions are different, reflecting different nature of individual organization. (1) IHF human factor data base consists of the following files, as shown in Fig.2-2a. CD Human Error Events Data File The file wil l mainly contain human error events of domestic and over- seas nuclear power plants. Besides that, human error events of other industries wil l be filed whenever possible. The main data source wil l be incident reporting system. (D Human Reliability Data File Basic human reliability data such as error rate will be collected and filed. (S) Laboratory Data File Laboratory data including simulation data will be collected and fil- ed. The first and the second data files wil l also include a part of this third data file if necessary. (D Basic Plant Data File The basic plant data means basic data necessary for various analysis and evaluation, such as each plant parameter,opérâtion and maintenance procedures and so forth. (D Literature Data File. It wil l contain documents and information related to human factors collected both at home and abroad. Document retrieval system using a personal computer is partially completed. These data files wil l be locally controlled and processed by a personal computer at the early stage of development. In the future, however, cent- ral processing by a large computer is planned to be introduced. 114HUMA N FACTO R DAT A BAS E HUMA N ERRA R EVENT S DATA FIL E HUMA N RELIABILIT Y DATA FIL E LABOLATOR Y DATA FIL E BASI C PLAN T DATA FIL E L I TERATUR E DATA FIL E Fig . 2 - 2 a The Structure of Human Factor Data Base (IHF) (2) MFC data base has a configuration similar to that of IliF data base. The system concept is shown in Fig.2-2b. GD Literature Retrieval Data Base Abstracts are filed for retrieval by the input of keywords. (2) Reliability Analysis Data Base This data base provides data on human error rate and hardware failure rate. (D Information Exchange Data Base The data base is used to facilitate smooth exchange of information with electric utilities. dD Events Analysis Data Base The data base contains data on human error events occured in nuclear power plants. The retrieval of events data and trend analysis wil l be possible. RFC data base is unique in that they have the information exchange data base. This is because the main users of MFC data base are domestic elect- ric utilities. 115Hunan Factor Data Base Systen Informa- tion Exchange Relia- bilit y Analy- .sls DC, Litera- ture Retrle- \f Inquiry from Electric Utilitie s Hardware Failure Data and Hunan Reliabilit y Data____ ____ Domestic Nuclear Power Station Head Office of EU Experimental Data on Human Factors [ Document Information on Human Factor F ig. 2 - 2 b An Outline of Human Factor Data Base System (11PC) 2-3. Some Studies on the Collection of Human Error Data. (1) General Issues Related to The Collection of Data There are various difficulties might be encountered in collecting human error data.and the nature of difficulties vary depending on the collector. The utilities have already been collecting and the roughly analyzing data on human errors which appeared as the fact. The difficulty for them is how to identify the errors which does not appear but potentially lead to an accident. The government side,on the other hand, is trying to extract data related to human errors from the data reported in incident reporting system. But the success of the extraction depends on whether the system is designed in the way conducive to retrieval of human error related data. (2) A Study on the Collection of Data IHF has been studying the methods of extracting human error data from the incident reporting system. The data of Japanese incident reporting system are put into computer sys- tem with keywords and natural language which describe the situation and cause of event. So, it is possible to use QD keyword retrieval method, and ©natural language retrieval method. 116CD Keyword Retrieval Method This method is very useful when the retriever can find a proper key- word among the predefined keywords. If not, however,there remains some problem. (2) Natural Language Retrieval Method This method has an advantage that the retriever can select any word- ings for searching purpose. The problem, however, is in that the re- porters may not necessarily use the same wordings to describe the same information. Another problem is that this method usually requires more time than keyword retrieval method both to input and to retrieve data. Both methods have its own advantages and disadvantages. So, our plan is to use either one of them depending on cases. The keyword retrieval method has been studied using data analysis sheet shown in Table 2-i. Table 2-1 Data Analysis Sheet ERROR MODE Task Time Place Operation ( Start-up, shut-down, constant power, periodical test. Insident/aucldent responce. other[ J ) Maintenance. Unknown. 0:00~B:00, 6:00~12:00. 12:00~18:GO. 18:00-24:00 Main Control Roc*. Local Area. Unknown. Task Proceeding: Omission ( ïork step. Checking,), ïrong procedure. Task Subject : Vrong selection. Cognition : Overlooking, ïrong Identification. Wrong judgement. Action : Vrong position, ïrong direction, ïrong setting. ïrong anount of operation, dropped, hit. rubbud. Mixture of foreign laterlais Communication : ïrong Instruction. Misunderstood responce, Other : ( ) CAUSE OF ERROR Hunan Causes Inadequate coiiunication on task Information. Cognition error. Recalling error. Action slip. Poor skill or experience. Unclear task criteria. Inadequate supervision. Technically unforeseen OtheK ) Hardware Causes: Inadequate design. Inadequate Fabllcallon. Inadequate Installation. Other( ) REMARKS 117The information in data can be categorized under two major groups ; error mode group which describes the types of errors and error cause group. The items for each group were selected partly based on the results of preced- ing analyses. As for keywords, human factor related keywords have been selected- whose examples are shown in Tablo 2-2. They wil l be used in combination with key words related to incidents and accidents.By selecting a combination of the different types of keyword, the human error information wil l be properly retrieved for anabsis. It is still undergoing to study the methods of extraction of human error related events from incident reporting system. Therefore, currently, it is too early to produce any conclusion. Table 2-2 Examples of Human Factor Related Key Words No. 1 2 3 4 5 6 7 Classification General Operation Maintenance Supervision Design Fabrication Installation Key word Hunan Factors Incident. Human error Failure. Operator Error Testing Failure. Malntenace Error Inspection Calibration Failure. Adnlnistrative Procedure and Manual CoHBunicatlon Quality Assurance Technical Specification Control Failure, Design Error Failure, Fab 11 cat ion Error Failure, Installation Error 1183. Classification and Collection of Human Error Data Classification of human error data is one of the most important factors which determines the configuration of the databases, which was discussed in the previous sections. On the other hand, the way data is classified is party deter- mined by how data is going to be used and analyzed and for what purpose. Both 1HF and MFC are currently studying different ways of classification such as claasification based on PSF(Performance Shaping Factors),classification by task and others. The efforts made by HFC classification and collection of human error data are described as follows. 3-1. A Preliminary Study for the Classification of Human Error Data Figure 1-1 shows human error related data on nuclear power stations in Japan. As indicated by • ( solid circle ) the number of failures and inci- dents per reactor-year is decreasing. However, the number of failures and incidents due to human errors represented by O ( open circle ) remains constant. Statistics tell us automatic reactor trip acounts for 54 % of all the incidents involving human errors and reduced power output accounts for 15 %. In other words almost 70 % of al1 the incidents involving some sort of human errors affected power output in one way or another. This clearly indicates that reduction of human errors is one of the most importanl tasks to be fulfilled for improvement of reliability of nuclear power plants. Although human error data have been already utilized in forming measures to prevent the occurence of the same or similar incidents or failures, human errors with the same nature may still occur in other power plants. In order to minimize the incidents and failures due to human errors, full utilization of human error data is imperative together with the collection of human error data useful for human factor studies. As a first step towards the achievemeut of the objectives, CR1EP1 con- ducted a preliminary study on human error analysis and evaluation methods with actual data on incidents and failures caused by human errors, using HPES (Human Performnce Evaluation System operated by Institute of Nuclear Power Operations). As a result of the study CRIEPI concluded that a good human error analysis and evaluation method needs to satisfy the following conditions. (1) The method can throughly analyze maintenance-related human errors as there are more maintenance-related human errors than operation-related human errors in Japan. 119(2) The method can analyze psychological factors such as panicking or pre- judice and physiological factors such as sleepiness, tiredness or sickness which might have caused the errors. (3) The method needs to have clearly defined terminology to accurately desc- ribe human error related data. (4) Human error analysis items are well defined and properly classified. (5) The method can identify and analyze the human errors which may poten- tially lead to incidents or failures as well as the errors which surfaced. 3-2. Current study for Classifying Human Error Data Based on the result of a preliminary study, it is discussing to study various ways of classifying the information related to human errors such as situations where human errors occured,causes of human errors and counter- measures against human errors. The conclusion on which way is best, however, has not been reached yet. 3-2-1. The Data on the Situations where Human Errors occured (1)Dat a on the incident the type of incident the type of its effect the method of its dicovery and others (2)Dat a on the human error error type time, data and place of its occurence time, data and method of its discovery action for recovery and others (3)Dat a on the person age experience occupation work shift frequency and degree of urgency of the task and others 3-2-2. The Classification of Data on the Causes of Human Errors With regard to the classification of data on the causes of human erroes, in addition to the mere classification of errors, it has been trying to clarify the correlation between different causes, because in many cases a human error is caused by a combination of multiple factors. 120(l)Classificalion of Causal Factors Each causal factor was first classified under an item, then into a type and further into a sub-type, a. Item More specifically, all possible causal factors were categorized into the 11 items. A: Verbal Communication B: Written Communication C: Man-Machine Interface D: Work Place E: Self-Checking of Work F: Management/Supervision G: Training and Education H: Change Implementation I: Work/Environmental Condition J: Internal Factors K: Personal (private) Issue b.Type and Sub-type The types and sub-types are classified in different ways for items A through items H and item 1 through item K. (a) I tens AMI The causal factors classified into items A ~H were classified into the following types and sub-types in the same way. (D Type-a [ what should have been done was not done ] Sub-type-a.l( What was supposed to be done according to a plan or manual was not done ) Sub-type-a.2( what was supposed to be done according to a plan or manual could not be done ) Sub-type-a.3( it was not supposed to be done to begin with ) C what should have been done was done, but what was done was inappropriate ] Sub-type-b.l( what was done was vrong_) Sub-type~b.2( what was done was insufficient ) Sub-type-b.3( the plan or the manual was not clear ) Sub-type-b.4( what should have been done was something difficult to implement ) 121(DType-C [ what should have been done was done, but an inappropri- ate way ] Sub-type-c.l( in a wrong timing ) Sub-type-c.2( in a wrong place ) Sub-type-c.3( with a wrong intention or purpose or by a person with wrong qualification ) Sub-type-c.4( by a wrong method or a wrong means ) Sub-type-c.5( in a wrong sequence ) Table3-i shows the types and sub-type of item A:Verbal communication, Table 3-1 Verbal Communication Vhy did verbal communications resulted In a cause ? a. Verbal communications not perforned ? a 1. Didn't perform communication although planned a 2. Vas unable to perform coaounlcation although planned a 3. Not planned to perform connunicat Ion a 4. Other ( b. Inappropriate information transnitted by verbal communication b 1. Vrong information b 2. A part of information to be transmitted was missing b 3. Ambiguous information b 4. Hard Infornation to communicate to b 5. Other ( c. Inappropriate method for verbal communication c 1. Inappropriate timing for coaaunlcation c 2. Inappropriate place for coomunication c 3. Inappropriate intent/position of the person who performed communication c 4. Inappropriate œethod/tool for communication c 5. Perfoued communication In an Inappropriate sequence c 6. Other ( (b) Items l ~ K Item I through K can not be classified in the same way as item A- Each of them was classified in a different way. (Dltem 1 : Work / Enviromental Conditioin Type-a [ work time and duration ] Type-b [ work space conditions ] Type-c [ inappropriate environmental conditions ] Type-d [ body posture of workers ] Type-e [ workload ] 122Each type is further categorized into several sub-types. Table 3-2 shows the types and sub-types of item I: Work/Enviromental Condi- tion. Dltem J : Internal Factors Type-a C psychological factors ] Type-b [ physiological factors ] Type-c [ incompatible disposition and capability of workers ] Type-d [ experiences ] 1)1 tern K : personal ( Private ) Issue Item K is not classified into types but only into sub-types. Sub-type-a ( family problems—human relationship and others) Sub-type-b ( problems at work place—human relationship and others ) Sub-type-c ( problem in the place other than home and work site—human relationship and others ) Sub-type-d ( drug and alcohol ) Table 3-2 Vork/Envircnmental Conditions(i) Vhy were the work/environmental conditions a cause ? a. Influences due to the job time and working hours were a cause a 1. a 2. a 3. a 4. a 5. a 6. Task performed during midiiight Task performed during early morning Long working tine Overtime work in the assigned task Overtime work In the unassigned task Other ( ) b. Influences due to the space and conditions of workplace were a cause b 1. b 2. b 3. b 4. b 5. b 6. b 7. b 8. b 9. High workplace United area (coapllcated piping space- etc.) Confined area ( in tank. In channel head, elc.) Untidy workplace Too many people in area beyond the required member Unstable scaffold Workplace close to operating equipments Workplace close to high température materials/equipments Other ( ) c. Inappropriate environmental conditions c 1. c 2. c 3. c 4. Poor ventilation (gas concentration, air current, nasty smell. etc.) Uncoafortable temperature/humidity (high or low temperature/ huaidity, radiant heat ) Inadequate lighting ( illumination. brightness, flickering. angle. etc.) Inappropriate coloring (protective color, similar color) 123Table 3-2 Vork/Environmental Conditions (2) ïhy were the work/environmental conditions a cause ? c. Inappropriate environmental conditions c 5. Excessive noise/ shock sound level c 6. Excessive vibration/ shock c 7. High radiation (dose rate.surface/ai r contamination) c 8. Other ( d. Influences due to posture in work were a cause d 1. Worked In tight posture/ unsteady posture d 2. Worked without using the right am d 3. Worked In the posture which the area at hand was invisible d 4. Other( e. Influences due to quantity/quality of workload were a cause e 1. Not Involved in the task for a long tine e 2. Perceived as a oonotonous work & 3. Not required thinking in depth e 4. Perceiced as a repetitive work e 5. Busy with iiany works e 6. Task Interruptions e 7. Required heavy physiological load e 8. Required to keep tention and attention e 9. Required complicate judgment elO. Required instantaneous reactions ell. Task accorapanied with risk el 2. Other ( (2) Correlation between different Causes In order to clarify correlation between different causes of human errors.it is trying to classify causal factors into direct causes which directly led to a human error, in direct causes which caused and acted on a direct cause and potential causes which caused and acted on an in- direct cause. 3-2-3. Study for Data on Countermesures Countermeasures can be taken at various stages.When an incident occures, it actually goes through various steps. There are certain things which cause a human error, and in turn the human error cause an incident. So it is needed to clarify at which step each counterraeasure is targeted»whether this countermeasure is to prevent a human error which occured from causing an incidents, or it is to prevent the occurence of the human error itself, or it is to eradicate the possible causes which may lead to a human error. For the classification purpose, counteriaeasures are planned to be clas- sified into the following 4 steps. 124(1) Step 1 A countermeasure to prevent reoccurrence of an incident, even if a human error happens. (2) Step 2 A countermeasure to prevent occurrence of a human error, even if a direct cause exists. (3) Step 3 A countermeasure to prevent an effect of a direct cause, even if an indirect cause exists. (4) Step 4 A countermeasure to prevent an effect of an indirect cause, even if a potential cause exists and to eliminate a potential cause itself. This way the relations between causes and countermeasures become clearer. 3-2-4. Classification of P S F Data Huiaan reliability varies depending on P S F( Performance Shaping Factor) even for the same operation or maintenance work. On the other hand.P S F influence is different in its degree depending on the task and work situations influenced. The quantification of P S F in- fluence on human reliability is greatly useful for the effective improve- ment of work methods and environment, for the implementation of working safety measures.and for the assessment of human errors affecting system reliability. As a first step of the quantification, it is planned to study to what extent the workers are aware that each P S F is a possible cause for the increase or aggravation of human errors and which PSF the workers think is related to which task to what extent. For the purpose of the study,P S F have been classified into the follow- ing five categories based upon PSF classification which used in the past. (D P S F related to Internal factors (2) P S F related to Mn-inachine interface d) P S F related to special tasks ($) P S F related to work and organization d) P S F related to external factors and others In total 52 P S F have been selected for the study. Table 3-3 shows PSF categorized as P S F related to Internal factors. 125Table 3-3 P S F Related to Internal Factors No. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 P S F Description s Sticks to an old way of doing things and cannot adapt to a new situation Cannot Identify danger Involved In a task Lack of experiences with Individual tasks Lack of training and education for Individual tasks Has experlnece with individual tasks, but lacks sufficient knowledge on principles and mechanisms of equipments Does' t understand the purpose and overall flow of operational procedures Has aental or physical health p rob lass Not eager to make efforts to learn about tasks Too old Not cooperative Restless and hasty Slow and relaxed too much Too bold and decisive Physically tired Afraid of Baking a uistake too auch because of overenphasis on Us outcome 3-3. Problems concerning Human Error Data (1) Classification of Human Error Data There have been various efforts made and measures taken aiming at the reduction of Human errors. As Fig.1-1 shows,however, human errors are not necessarily decreasing. Since early days numerous studies and researches have been conducted on human errors not only in nuclear industries but also in other industries. Still what desired is a research whose results could be fully reflected in the human reduction activities at work site and which comes up with concrete and feasible recomendations. At the moment HFC is still studying several different methods of data classification to see which is the best way. Thus,most of the things above described are still at planning stage. Soon, HFC will start collecting data and analyze them to identify some of the problems involved in data classification. And for the smooth exchange at human error information, international standardization of data classification is imperative. (2) Collection of Human Error Data Data on the incidents and failures which have actually occured due to human errors have been already collected and analyzed. The problem is how to identify human errors which have potentiality to cause incidents or failures. In general, people have tendency to hide the errors they made, and to be afraid of being punished. This human nature also applied to an entire organization. It must be necessary to tackle these problems. 126HUMAN ERROR CLASSIFICATION AND DATA COLLECTION — SURVEY IN AN INDIAN NUCLEAR POWER PLANT N. RAJASABAI, V. RANGARAJAN, K.S.N. MURTHY Madras Atomic Power Station, Nuclear Power Corporation, Kalpakkam, India Abstract Any amount of automation and computerised control systems cannot tackle all the postulated and unpostulated abnormal events and hence there is a need to have the human interaction in the operation of a nuclear power plant. With such human interactions, it is likely that certain errors might be committed even though it may be infrequent. These errors may be due to spontaneous actions by the operating staff or due to lack of understanding, co- ordination or communication. A detailed review of all the abnormal events in Madras Atomic Power Plant in India indicates that about 6 to 8% of the unusual/abnormal incidents and reactor scrams are due to human error. Most of the human errors occur while carrying out certain non-routine operations, while carrying out certain surveillance tests, or while putting back the systems/ equipments in service after maintenance. In Indian nuclear power plants, even when a minor abnormal event away from the normal operation of plant takes place (like closing or opening of motorised valve or pneumatic valves due to power or air failure or control circuit getting shorted) an immediate report called incident report is filed by the shift charge engineer. All the incidents are reviewed by the Station Operation Review Committee (SORC) and the reasons for the incident is classified under different headings as equipment failure, system failure, component failure, inadequate inspection, inadequate procedures, inadequate Training, improper/unauthorised operation/mainte-nance, design deficiency, operator error» operator inattention etc. If it is safety related, an exhaustive safety related unusual occurance Report (SRUOR) with rootcause analysis is submitted to headquarters and regulatory bodies. This paper reviews the incidents in Madras Atomic Power Station -Units 1 & 2 for the last 6 years and quantifies the causes attributable to various categories cited above. Even though the incidents due to human-error remained high during the first year of the operation of the plant, it has come down gradually in subsequent years due to better on the job training to the operating staff, better understanding of the equipment and system behaviour during normal operation as well as abnormal operations. 1271.0 INTRODUCTION There is no second opinion that the nuclear power is the definite alternative source of energy with the fast depletion of the conventional sources of fossile fuels. However, since there is a risk of radiation in the nuclear powor production, Htrinyont upocificationa aro choaon for the» various components and equipment of a nuclear power plant during the design stage. Strict quality control measures are applied during the manufacture, construction and operating stage of a nuclear power plant. Intensive training is given to the operation and maintenance staff of nuclear power plants in order to ensure that the plant is operated in a safe manner as per the technical specifications. Radiological release to the environment and radiation exposure to the plant personnel and the public are kept as low as Reasonably Achievable and within the limits prescribed by ICRP. One of the training aid is the operating manuals giving all step by step procedures and technical parameters applicable for normal and abnormal conditions to enable safe operation of the plant. Considering the importance of safety of nuclear power plants, special procedures such as action on fuse failure, action on alarms, station black out procedure, operating procedures for emergency conditions ( known as OPEC procedure in Indian nuclear power plants) are also prepared and workshops were conducted among concerned O&M staff. Many times operating procedures are written making many assumptions on behalf of the operator without realising his handicaps and his limitations as a human being, his timely responses, his span of visualisation of a developing accident scenario. The Safety Reports of a nuclear power plant generally contain volumes of information on design descriptions and accident analysis and also predict scenarios following various initiating events. notwithstanding the information and the response of built-in instrumentation and channels of information vis-a-vis operator action, there is a need to understand the plant behaviour and translate the information in a language understandable to the operating personnel. This approach becomes a necessity for the operating personnel in undertaking atleast a first diagnosis of the plant behaviour based on the information available in the control room to contain or mitigate the incident. There is also the problem of uncertainities of human behaviour. Different human beings behave differently in stress conditions and a few are more prone to human errors under circumstances when their thinking capability is most needed. Incorrect human intervention could also change the course of progression of an incident into an accident. This is to emphasise that if the actions of the operator are not in the correct direction, a minor incident could escalate into a major accident. It should, therefore, be recognised beyond doubt that, inspite of the automation that goes into 128the control of plant, the importance of man-machine interaction cannot be underestimated. 2.0 ABNORMAL INCIDENTS Normal operation of a nuclear power plant means operation of the station within the limits and conditions stipulated in the technical specifications for operations, including shut down, power operation, shutting down, starting up, maintenance, testing and refuelling. Abnormal incidents or anticipated operational occurences are the operational processes deviating from the normal operation which are expected to occur once or several times during the operating life of the plant. In view of the appropriate design provision, these occurances do not cause any significant damage to the items important to the safety nor lead to accident conditions. Accident conditions are substantial deviation from the operational state which are expected to be infrequent and which could lead to release of unacceptable quantities of radioactive material, in case the relevant engineered safety features did not function as per the design intent. 3.0 MADRAS ATOMIC POWER STATION - UNUSUAL OCCURANCES Further data given in this paper are compiled from the incident reports of Madras Atomic Power Station, INDIA. Madras Atomic Power Station has two numbers of 235 MWe capacity nuclear power units. The reactors are similar to CANDU units with moderator dumping facility for reactor shut down and the containment has a pressure suppression system. The first unit of Madras Atomic Power Station became critical in the month of July, 1983 and the commercial operation of the plant was declared in January 1984. The second unit was made critical in September, 1985 and the commercial operation commenced in March 1986. 3.1 FILING OF REPORTS BY SHIFT CHARGE ENGINEER There were 334 incident reports in the last 6 years of Unit-I operation. One should not get alarmed by this high number of 334 incidents which works out to 55 incidents per year average. Because, even minor incidents but unusual for operation mode are reported by shift charge engineer in a standard proforma. Only a small fraction of these unusual occurences are having bearing on safety and Safety Related Unusual Occurence Reports (SRUORs) are prepared by the technical services group of the station. The unusual occurences for Unit-II in the last 4 years of operation are 213. The yearwise split up is given in the following table. SRUORs for Unit-I & II were only 128 and 46 respectively for the above period. 129TABLE-1 Year 1983 1984 1985 1986 1987 198 Unit-I UOR 68 87 50 45 30 54 334 * * SRUOR 39 38 20 6 7 18 128 Unit-II UOR 50 73 51 39 213 SRUOR - 10 15 7 14 46 * The number is high since SRUOR was not clearly defined in early years of operation. 3.2 REVIEW BY STATION OPERATION REVIEW COMMITTEE(SORC) Station Operation Review Committees (SORC) are existing in each operating nuclear power plant in India to review/analyse station operation at regular intervals to detect potential unsafe problems and recommend remedial actions and also to investigate promptly all safety related unusual occurences and incidents including violation of Technical specifications for operation and report safety evaluation and recommendations. Chief Superintendent, Deputy Chief Superintendent, Technical Services Superintendent, Operation Superintendent, Maintenance Superintendent, Training Superintendent, Technical audit engineer, Health Physicist and Heavy water manager are the members of the Station Operation Review Committee. At times the concerned shift charge engineer or Assistant shift charge engineer or senior maintenance engineers are co-opted. SORC reviews all the unusual occurences promptly and analyses the cause for each incident and categories to any one of the following a) System failure b) Equipment failure c) Component failure d) Inadequate inspection e) Inadequate procedures f) Inadequate training 130ff. -» «9/cm» TIMf-t40*C uow MM NT/Hr rr. S«-Tt »g/cm1 T t w* »o*c «TIAH OUTLET COOLANT TUBES ruUUH« «ACMIKl «MOIMAIT «ATM MADRAS ATOMIC POWER STATION SIMPLIFIED FLOW DIAGRAM MOO '-ITC* MOOttATO« coou»g) Improper operation h) Improper maintenance i) Improper system modification j) Violation of Technical Specification k) Surveillance requirement given in Technical Specification not carried out 1) Design deficiency m) Calibration error n) Human error o) Operator inattention p) Inadequate health physics measures q) Inadequate industrial safety measures r) Grid problems s) Construction deficiency t) Others After review• SORC makes specific recommendations to station to avoid such unusual occurences in future and fixes the agency which will have the responsibility of implementing SORC's recommendations. SORC reviews periodically for the prompt implementation of all its recommendations. Wherever the unusual occurances are safety related, SORC directs that detailed Safety Related Unusual Occurance report (SRUOR) is to be prepared by the Technical Services Group of the station. The copies of SRUORs are sent to the members of MAPS Safety Committee and Safety Review Committee for Operating Plants(SARCOP). MAPS Safety Committee reviews all the SRUORs and Technical Specification violations and periodical reports of the station health physicist and forward specific recommendations to improve the safety of the plant. The members of unit safety committee include Technical Services Superintendent from MAPS, members from other nuclear power plants in India, Designers, members from Atomic Energy Regulatory Board (AERB) and Health PHysics Division. SARCOP reviews the safety matters of all nuclear power plants in India. This has no member from the operating nuclear power plants. but the respective station Chief Superintendent will be asked to attend the meeting whenever the agenda includes the points pertaining to that particular station. 132TABLE-II NUMBER OF INCIDENTS PER YEAR Cause of occurances UNIT-I UNIT- I I 1983 1984 1985 1986 1987 1988 Total 1985 1986 1987 1988 OPERATING HOURS 1 . System/equipment component failure 2. Inadequate inspection 3. Inadequate procedures 4. Inadequate training 5. Improper maintenance 6. Design deficiency 7. Calibration error 8. Grid problem 9 .Construction deficiency 10. Human error 11. Spurious TOTAL 1673 6333 4827 4635 6014 6679 16 3 16 2 4 14 4 1 0 8 0 68 37 4 11 0 1 17 3 5 0 8 1 87 32 0 4 1 1 7 0 2 0 2 1 50 28 2 1 0 2 4 0 3 0 1 4 45 21 1 2 0 0 0 0 5 0 1 0 30 34 1 8 0 2 3 0 3 0 3 0 54 30161 1118 168 11 42 3 10 45 7 19 0 23 6 334 32 2 6 1 0 4 0 2 0 2 1 50 Total 5291 6382 3535 16326 54 0 9 0 0 3 0 3 1 2 1 73 29 2 9 0 1 3 0 0 0 2 5 51 24 2 6 0 1 2 0 1 0 2 1 39 139 6 30 1 2 12 0 6 1 8 8 213 UNIT-1411 Total 46467 307 17 72 4 12 57 7 25 1 31 14 5474.0 EXAMPLES OF INCIDENTS DUE TO HUMAN ERROR OF DIFFERENT CLASSIFICATIONS Some of the incidents of Madras Atomic Power Station due to human errors are discussed below, each coming under different classifications. 4.1 IMPROPER OPERATION For adding Heavy water to the moderator system as a make up, there is a transfer tank with a capacity of 2 drums of Heavy water. However during one of the incident, the operator wanted to finish the addition of 3 drums of Heavy Water in a short time before the end of his shift. He attempted to carry out simultaneous addition of Heavy water from the drums to the transfer tank and also from the transfer tank to the system which is against the operating philosophy of the station. This led to over flowing of the transfer tank and caused spillage of Tritiated Heavy water. 4.2 OPERATOR INATTENTION The moderator level is varied in the calandria by utilising heavy water operated ejectors which varies the differential pressure across the Dump Ports. After doing its function in the ejector, heavy water enters a tank and gets drained through a control valve. During one of the unit outages, the above system was under shutdown and work permit had been issuer* and system piping was opened for maintenance. However, the heavy water was passing and water entered the tank and high level alarm for the tank annunciated in the control room. However, the alarm was not attended to and the heavy water spilled through the open end of the system, 4.3 ERROR OF OMISSION On one occasion, the unit was in operation with the HP heater No.5 of the feed heating system on the secondary circuit on bypass mode for maintenance work. After maintenance work was completed, the heaters were valved in without gradual filling up after thorough venting, This led to sudden filling up of the HP heater causing reduction in feed water flow to boilers which led to Reactor trip on primary coolant high pressure. 4.4 CONFUSION During the initial stages of Unit-I commissioning, there were problems with boiler level control valves. Since the level indications of the boiler drums were also not working properly, people were posted in the field to watch the level in the drum wherein feed water flow control was being done from control room. Due to confusion between north bank of boilers and south bank of boilers, the feed water flow was being controlled on one bank from control room and water level was being observed in other bank by the local operator which led to water entry to main steam line causing water hammering and breakage of supports. 1344.5 LACK OF JUDGEMENT On another occasion, the pegging steam pressure control valve for deaerator failed open due to problem in the control components. This led to opening of relief valves in the deaerator. The local operator, without informing the control room, started closing the guard valve for the pegging steam control valve without opening the bypass valve, which led to fast reduction in the deaerator pressure threby reducing the NPSH availability for boiler feed pump and the boiler feed pump started cavitating. The control room operator, took the corrective measure and saved the pump. 4.6 INCORRECT RESPONSE On one occasion, the level in the drum of one of the 8 boilers came down and the operator, instead of trim opening the feed valve, opened the valve fully which caused abrupt increase in the boiler level. Seeing this, the operator closed the feed valve fully which caused a reactor scram due to high differential temperture across the boiler. 4.7 LACK OF COMMUNICATION The reactor protective system consists of 3 channels and if any 2 channels trip, the reactor gets tripped. There is a provision for testing the reactor protections on one channel at a time. Normally the first protection is tested with final control element, namely, dump valves in closed condition and the proper opening of the dump valves is checked. For checking other protections, the dump valves are left in open conditionn in order to avoid more operation of these valves. Only the channel trip is checked for rest of the protections. On one occasion, when the primary coolant high pressure trip was being checked for one of the protective system channels by manipulation of valve from the pressurising pump discharge line and the pressure trasmitters, the pressure trasmitter valve for a channel other than the testing channel was opened thereby dump valves of second channel also opened and reactor got scramed. 5.0 HUMAN ERROR DATA COLLECTION Once the cause of an unusual occurence is fixed as human error, it is further classified into improper operation, operator inattention, error of omission, confusion, lack of communication, incorrect response and planning deficiencies as indicated in TABLE-III. The operation Superintendent who is also the Secretary of SORC discusses the incident with the operating staff who were involved during the concerned incident for which the cause was human error. The Operation Superintendent tries to find out the rootcause for the human error. It has been observed that most of the human errors are caused due to the following reasons. 135Os TABLE-III ANALYSIS OF HUMAN ERROR AT MAPS TYPES OF HUMAN FAILURE OPERATING HOURS 1. Improper operation 2. Operator inattention 3. Error of omission 4 .Confusion 5. Lack of communication 6. Incorrect response 7. Planning deficiency UNIT- I 1983 1673 2 2 1 1 1 1 0 1984 6333 2 2 3 0 0 0 1 1985 4827 2 0 0 0 0 0 0 1986 4635 1 0 0 0 0 0 0 1987 6014 1 0 0 0 0 0 0 1988 6679 3 0 0 0 0 0 0 Total 30161 11 4 4 1 1 1 1 UNIT-II 1985 .111 8 1 0 0 0 1 0 0 1986 5291 2 0 0 0 0 0 0 1987 6382 2 0 0 0 0 0 0 1988 3535 1 0 0 0 1 0 0 UNIT-I&II Total 16326 6 0 0 0 2 0 0 Total 46487 17 4 4 1 3 1 1 23 31(a) The individual concerned being under physical strain either due to over-work in the plant or due to his prior physical exertion while performing his domestic duties. (b) The individual being under emotional tension either due to circumstances in the office or in the household. (c) Due to physical illness. (d) Lack of communication between control room staff and the field staff. (e) Lack of understanding by the individual about the systems and equipments due to inadequate training. (f) The information regarding a modification carried out in the systems not reaching down the level of the operating staff. (g) Misunderstanding between staff belonging to various groups such as Operation and Maintenance. (h) Over-confidence among the staff concerned regarding his knowledge and capability. (i) Fear complex about equipment or radiation. (j) Instructions not reaching down the level of the operating organisation regarding the latest operating philosophies. Once the rootcause for the human failure is established by the Operation superintendent, he takes the necessary action to ensure that such errors are not repeated by the concerned individuals as we-11 as by the other operating staff in the station. Necessary counselling is done and the individual is made to realise his mistake and made to understand that he does not repeat it again. 6.0 STEPS TO REDUCE HUMAN ERROR Various steps are being taken in the Nuclear Power Stations in India to reduce the incidents due to human error. They are listed below: (1) Counselling by O.S. with the individuals concerned as indicated in 5.0. (2) By ensuring proper administrative control to see that no individual works for more than 16 hours conitinuously under any circumstances including overtime hours. (3) Avoiding overtime work for the individuals after completing the night shift. 137(4) By issuing detailed incident reports bringing out the human errors and giving wide publicity so that such errors are not repeated in the station. Copies of such reports are sent to other Nuclear Power Stations within the country to ensure avoidance of such human errors in those power stations also. (5) Arranging periodical meeting with operating staff wherein factors such as human errors are discussed in detail and means of reducing them are dealt with. (6) Periodic seminars are conducted wherein members from operation staff are made to present the incidents caused by human errors and the entire incident is discussed in detail by all the operating staff. (7) Wherever inadequate training is found among the operating staff, they are sent to the Station Training Centre for re-training and also for updating of knowledge. (8) Whenever any design modifications are carried out, the information in detail is circulated to all the operating staff by means of information bulletins. (9) For carrying out standard operation, routine tests, surveillance checks and making isolation for issuing permits and bringing back the system into normal operation after maintenance etc., standard Order To Operate forms (OTO forms) are kept in control room so that the chance for human error is eliminated. However, before utilising the standard OTO forms, the engineer in the shift verifies whether the OTO will be applicable in toto as per the system status existing on that particular day. Wherever necessary, he makes minor modifications in the Standard OTO form to suit the prevailing system status and then issues the OTO for implementation. (10) The standard proforma for Surveillance are periodically reviewed and revised wherever necessary. Since a few incidents of Reactor Scram occured while cuj.rvj.ng the daily test of the Reactor Scram and also weekly testing of the valve gear of the Turbine, necessary steps were included to doubly ensure that such Reactor Scrams will not take place again. (11) Wide publicity is given to the incident reports of the station and also the other stations within the country and also various U.S.NRC reports so that the updated information will be available for all the operating staff. (12) Periodical special training programmes are conducted for various levels of staff in the subjects such as communication, human relationship etc. to have better co-ordination and understanding among the staff. 138(13) By training the operating staff in a simulator to improve his response during abnormal occurences. 7.0 CONCLUSION Even with any amount of automation, human element is very much essential for the operation of Nuclear Power Station. Since human error cannot be altogether eliminated, it is essential that on going programmes are implemented by the operating Nuclear Power Stations to ensure that the incidents due to human error are kept minimum. Necessary data collection and evaluation will help in reducing the human error. 139 HoPOSSIBILITIES AND NECESSITY OF THE HUMAN ERROR DATA COLLECTION AT THE PAKS NUCLEAR POWER PLANT T. SZIKSZAI Paks Nuclear Power Plant, Paks, Hungary Abstract At the Paks NPP a 13 year operational experience is obtained, but human error data have not been collected in that form, which could be used for probabilistic evaluati- on and for a more effective feedback. Such data can be obtained from other NPP-s, reports and materials of meetings, but this data cannot be used directly for the Paks NPP in every region of the operation because of the differences in the operational environment and tasks. This facts make us consider to organize a human error data collection system. The sources of such data collection could be: - the full-scale simulator, that has started recently; - safety related event reports; - incident investigation reports; - reliability data of the plant safety equipment, that has been collected since last year. The future tasks are: - to work out a human error data collection form and database with its content and error categories; - to develop a data evaluation program; - to solve the feedback of the results of the evaluation to the plant operation. This paper gives a brief description of the possibilities of a human error data collec- tion system, and explains the necessity of the data collection. 1. Introduction The first unit of the Paks NPP was put into operation in 1982. Since that time the start-up works were performed on other three units. All together a 13 \mityear experience is obtained. Because the Paks NPP is the only NPP in Hungary, and the hungarian technical background had no experience in maintenance of high quality nuclear equipment, we had to found the manufacturer basis and provide its personnel. 141The performance indicators of the plant shows high quality of the maintenance works and operations. Now we have a personnel with a good experience. But the big number of the operational and maintenance personnel gives more opportunity of the human error. At the beginning of the operation the deterministic safety assesment was mostly general with the usage of the operational and maintenance instructions provided by the soviets. These instrucions do not specify any kind of systematic data collection of equipment reliability or human error data, and nothing induced the plant personnel to collect these data in an acceptable for a reliability analysis form. On the basis of the instructions all incidents and safety related events were analysed and documented. The incident investigation and the safety related event reports contain the discripti- on and analysis of the operational personnel actions. These information have been available since 1982, and have been used successfuly in the operator training. This feedback could be much more effective with a systematic data collection and evaluation. The PSA activity supported by the IAEA has effect at the Paks NPP too. The plant safety system component reliability data collection has already started, and a data evaluation program is to be developed by a research institute. A personal computer network has been intstalled in the last two years, and many data bases were created at the beginning for several purposes and many kind of data recording were started. The most of these data bases were then integrated into more general data bases of common interest. In the region of the maintenance, I <&C and electrical the equipment failure data has been collected for recording purpose, and their data base are available through the NOVELL network, so the common data evaluation could be easy. These data bases are useful for selecting the human errors. A full-scale simulator has started working recently at the Paks NPP. This simulator has a number of possibilities to observe the operator's reactions even in abnormal situation. 2. The possibilities of the human error data collection 2.1. Developing of the existing data collection systems As it was mentioned in the introduction the existing data collection systems are suitable to select and record the human errors after a not significant modification. These data bases are similar in structure, and work on the common NOVELL network so it's only organizational question to solve the common data evaluation. One of this data bases -the reliability data base of the safety system equipment- was developed for purpose to calculate the component failure probabilities. In this 142system the number of the components involved into the data collection can be extended „ the data base structure can be modified at will, so it could be suitable for human reliability parameter calculation with little modifications. The structure of the reliability data base can be described as follows: It contains two main data bases with temporary used additional data bases. The first of them - the component data base - contains the brief description of the components, their time- and reliability data, that are calculated using the information of the second data base. The last one - the event, or failure data base - contains the component failure events in a coded form. First the component failure is classified from several points of view, then it is coded and recorded into the computer. This data base contains also the time data of the component failure, so it gives a good basis for the reliability parameter calculation, and it can be developed toward the human error data collection. In the first step we should dévide the human errors into two groups. The first group would contain the human errors related to the maintenance and those operator failures, that occur during the tests and do not initiate any processes during the test. These failures would be accepted as component failures of course with attention on the possibility of common cause failures. The second one would contain the failures, that occur during direct operational actions, so called operator failures. In the first step we should then concentrate on the collection of the operator failures, and the data collection system would be modified and developed toward the recording the operator failures, but we should leave open the system, so that in the future we could handle the maintenance and test failures as human errors. 2.2. The sources of the data collecting There are four sources basicly: - reliability data collection; - incident investigation reports; - safety related event reports; - the full-scale simulator training. 2.2.1. Reliability data collection The reliability data collection system was briefly described before, so here we mention only its possibilities to select the human errors. When we analyse an event, it has to be classified and coded, so that it could be recorded. The points of view are defined by the structure of the event data base. 143If we extend the data base structure, or the classification with the human error, and an event is analysed from the point of view of the human error, than it coould be a source of the human error data collecting. This type of data collection would be performed in a following step of the system development. 2.2.2. Incident investigation reports In the Paks NPP since 1982, the beginning of the operation, every incident have been recorded, analysed, and the results have been written down in the incident investigation reports. These reports contain the analysis of the activity of the ope- rational personnel. If the event was initiated by the operator, than it is clearly defined in the investigation report. The description of the event makes possible to follow the operator's actions during the process. These reports give the basis for most of the additional operator trainings related to the events, so they are significant from the point of view of the general operator training. There are two conclusions from these reports. The first is the acceptability of the operator actions during the incident, and the second is the role of the operator as an "initiating event generator". The last one has to be an object of an other analysis in rny opinion. 2.2.3. Safety related event reports The safety related event reports differ from the incident investigation reports in definition. Incident is an event, that is defined as an incident in the terminology of our Dispatching Centre, and is accompanied with a loss of electricity production. Safety related event is an event, that effects the plant safety, so it is an object of an investigation. Both events have tobe investigated, documented or recorded. The safety related event reports are at least as significant as the incident investi- gation reports. The structure of such report is the same as the structure of the incident investigation reports, so they could be used for the same purpose. 2.2.4. The simulator In January of this year in the Paks NPP a simulator training started. A full- scale simulator and a process or basic principle simulator serve as a basis for this training. The last one is used for process analysis. The full-scale simulator is a control room with a computer, that can simulate operational processes. Its software is able to describe processes, when the primary circuit coolant is not saturated, as operational transients, and incidents, that are not accompanied with the boiling of the coolant. The development of the simulator software toward the accidental processes is still underway. It has many facilities to make easier the observation and analysis of the personnel reactions, like freezing the process, or replay an important period of time. These possibilities could be also used for the human error data collection. 144There is an other benefit of such data collection. The operator does not pay atten- tion on the way, how his reactions are observed and analyzed, so this kind of data collection does not affront individual interests. From the other hand the behaviour of the operator is perhaps not the same as in real situation, does not feel his responsi- bility. But his reaction can be observed even in abnormal situation, and those actions can be recorded, that are very frequent during the operation, and do not cause directly abnormalities. In my opinion this is the best possibility to collect and ana- lyse human errors. 3. The necessity of the human error data collection The necessity of the systematical human error data collection means first of all the necessity of the increase of the feedback effectivity. The trend of the collected data describes the developing of the operator training effectivity. The simulator instructors get much more information of the simulator trainings, than before, they would summarize and use the collected information during the trai- nings and the operation, and this information should be provided in an acceptable common form to make easier their work. Their task is to assemble the simulator exercises, so they have to follow the preparedness of the operational personnel. The simulator development could be supported by those system reliability-, and event analysises, that use the collected component and human reliability data. The optimal feedback would be simulator exercises, that would contain key opera- tor actions given by the analysis. ( Ex. normal operational processes, when the ope- rator is a potential "initiating event generator", or such processes, when the used event trees contain many important operator actions.) The PSA activity in Hungary requires some Paks NPP specific human error data. There can be many external sources of the human reliability data, that can be used in some cases, but they have limited acceptability for using them for the Paks NPP personnel, because of the plant specific operation instructions, and operational envi- ronment. There are some points in the event trees of the initiating events, where only plant specific data can be used. A wide scope PSA requires good systematic data collection and data evaluation. 4. Future tasks If we want to reach the above mentioned goals , we have to work out the human error data classification in the first step, to study several recommendations, to work out data collection sheet and to modify the existing data collection system 145toward the human error data processing. The review of the incident investigation reports and safety related event reports could be useful to examine the information they give. In the second step a data evaluation program should be developed. We are at the point of the literature study now. In this step we should solve the permanent and perfect feedback of the first data evaluation results, and make conclusion of the initial data collection experience, and modify, if it is found nece.ssery. In this step we should also consider the handling of the maintenance and test failures as human errors, and the modification of the data processing system. For this purpose the events should be more deeply analyzed, the event data base structure should be ex- tended and the data evaluation program should be also modified. All these require more manpower and time. 146HIGHER OPERATIONAL SAFETY OF NUCLEAR POWER PLANTS BY EVALUATING THE BEHAVIOUR OF OPERATING PERSONNEL M. MERTINS Staatliches Amt für Atomsicherheit und Strahlenschutz, Berlin P. GLASNER VE Kombinat Kernkraftwerke, Greifswald German Democratic Republic Abstract In the GDR power reactors have been operated since 1966. Since that time operational experiences of 73 cumulative reactor years have been collected. The behaviour of operating personnel is an essential factor to guarantee the safety of operation of the nuclear power plant.Therefore a continuous analysis of the behaviour of operating personnel has been introduced at the GOR nuclear power plants. In the paper the overall system of the selection, preparation and control of the behaviour of nuclear power plant operating personnel is presented. The methods concerned are based on recording all errors of operating personnel and on analyzing them in order to find out the reasons. The aim of the analysis of reasons is to reduce the number of errors. By a feedback of experiences the nuclear Safety of the nuclear power plant can be increased. All data necessary for the evaluation of errors are recorded and evaluated by a computer program. This method is explained thoroughly in the paper. Selected results of error analysis are presented. It is explained how the activities of the per- sonnel are made safer by means of this analysis. Comparisons with other methods are made. 147l. Introduction Since 1966 nuclear energy has been used in the GDR to generate electricity. To date operational experience of 73 cumulative reactor years has been gained. At present five units at the Rheinsberg and "Bruno Leuschner" Greifswald nuclear power plants are in operation with a total electricity output of 1830 MW. Since 1983 the "Bruno Leuschner" NPP has also supplied the town of Greifswald with heat based on hot water pumped through a 20 km transit line /!/ . Nuclear energy is used for energetic purposes in the GOR in close cooperation with the USSR and the other CMEA states. It is based exclusively on the proven pressurized water reactors (DWR) of the WWER type. With this reactor type annual availabilities of around 80 %, at some units even 85 %, are achieved in the GDR /2/. The high percentage of operational availabilities is, at the same time, an essential indicator of the high safety and reli- ability of the facilities. However, it is also due to the high- level qualification of the operating personnel guaranteeing the conduct of operation in accordance with existing regulations. That includes particularly the avoidance, as far as possible, of disturbances of the regular functioning of the plants and safety devices caused by erroneous actions of the personnel or by errors made in plant monitoring and maintenance. The evaluation of incidents, especially those occured at the nuclear power plants of Three Mile Island and Tchernobyl, has shown that human errors contributed considerably to the development of those incidents /3/. From that follows that the qualification, training and retraining of the personnel, an the continuous supervision and evaluation of the behaviour of operating personnel, together with the implementation of pre- ventive measures, are two essential components for ensuring a safe and reliable operation of nuclear power plants. 1482. Evaluation of the Behaviour of Operating Personnel International experience, confirmed also by experience gained in GDR NPPs, shows that less than 30 % of all events leading to deviations from the planned state of operation, are due to errors made by personnel. Only between 6 % and 8 % of all events are caused by operating personnel, by far the major part being caused by faulty repair and maintenance of plants. So the operating personnel is not the main contributor to unplanned events and disturbances. However, it must be in a position at any time to limit, by early detection and reaction, the effects in the plant of errors committed by other personnel (maintenance and repair), and of other errors in order to avoid the degradation of nuclear safety, and prevent loss of working hours as far as possible. Therefore, since the beginning of nuclear energy use in the GDR, the behaviour of operating personnel has been continuously analysed and evaluated. The methods applied are subject to continuous development and improvement taking into account international experience. The evaluation system covers also abnormal events. Although they do not have any, or only minor, material and economic consequences, they occur most frequently among the erroneous actions of the operating personnel, and often are the first stage of disturbances entailing loss of working hours and facility damage. Therefore, the strongly prevention-oriented evaluation system serves the following fundamental purposes: - Comprehensive identification of the causes of erroneous actions by personnel, and of the factors favouring them; - Deduction of measures preventing erroneous actions; - Enhancement of human reliability, thus increasing the overall reliability and safety of the NPP. These purposes require a complex system with an appropriate inner structure. We use four subsystems which are interrelated (fig. 1): 149The data categories to identify types and causes of erroneous actions are of special importance for the analysis and evaluation, and therefore they are further classified. For instance, ten different causes of erroneous actions may be distinguished. Examples of such target functions for computer programes for data evaluation are: - Distribution of erroneous action causes; - Qualification level of erroneous action causers; - Probability of faulty operation as a function of the total number of operating actions. At present there are more than 50 individual computer programmes which are run periodically (at least once a year) and when re- quired. Storage of all data and results in central databanks guarantees permanent accessibility and determination of cumulative values and results. 3. Selected Results 1. The analysis of causes of erroneous action by the operating personnel showed that subjective failure accounting for 65 % of all erroneous action was the main cause (fig. 3). Shortcomings in plant and workplace layout accounted for 16 %. No erroneous action endangering the safe nuclear operation of the NPP units was recorded. The operating personnel mastered all abnormal events and disturbances, among them more than 90 % not caused by it. Installation and Labour (Job! Design 16% FIG.3. Causes of operating staff errors. 152These results show that even relatively older nuclear power plants (the operating age of the units is between 9 and 15 years) can be safely operated by well-qualified and motivated personnel. 2. The high share of subjective failure in erroneous action causes was studied more closely with the following results: The frequency of erroneous actions by operating personnel holding the same posi- tion, but having acquired their fundamental qualifications at a technical college is higher by a factor of 1.9 than by university graduates. In addition, techncal college graduates require a longer training phase at the NPP before they are allowed to work on their own. With a view to further increasing the qualification level of operating personnel, since 1983 engineers have been trained at the Dresden Technical University and the Zittau College of Engineering in the branches "Nuclear Power Plant Technology " and "Nuclear Energy Technology". In addition to a solid basic education, the specialist training in nuclear energy concentrates on the following priorities: nuclear power plant technology, thermohydraulics, reactor physics, operational and incident behaviour, dosimetry and radiation protection, safety and realiability, steam generators and heat exchangers in nuclear power plants, nuclear reactor technology, nuclear fuel management, and automation. 3. An appropriate measure for the reliability of actions by the operating personnel is the human error probability. Related to abnormal events, the error probabilities of between 10" and 10" achieved at the "Bruno Leuschner" Greifswald nuclear power plant are good values in respect to international experience. In the course of these investigations a correlation between the human error probability and the strain on the opera- ting personnel (operating actions per year) could clearly be established (fig. 4). Overstrain, but also understrain, tend to increase the probability of maloperation. By an appropriate distribution of tasks among the various functions and by introducing computer-aided operator support systems, optimum strain can be achieved reducing the probability of erroneous action. 15310' c o E O) Q. O cn CO in vt 10- cn co to in -* E Q. 10 1 2 3 4 5 6 7 8 9 10 11 12 104 Operative actions per year FIG.4. Probability of faulty operation determined by the frequency of operating staff actions. 4. Summar y From the beginning of nuclear energy use in the GDR the behaviour of operating personnel has been continuously recorded and perio- dically analysed and evaluated. To this end, the complex system for recording and evaluating the behaviour of operating personnel has proved to be a useful means. Based on the results achieved, measures were adopted designed to further reduce erroneous actions by the operating personnel at the "Bruno Leuschner" Greifswald NPP. They have a positive effect on the overall reliability and safety of that NPP of those to be constructed in the GDR in future. REFERENCES /! / R. Lehmann, A. Schönherr, Energietechnik 35 (1985), S. 201 121 R. Lehmann et al. IAEA, CM-43, Tokyo 1988 /3/ IAEA, Safety Series Nr. 75-INSAG-l, Wien 1986 154HUMAN RELIABILITY DATA SOURCES — APPLICATIONS AND IDEAS P. PYY, U. PULKKINEN Technical Research Centre of Finland, Espoo J.K. VAURIO Imatran Voima Oy, Loviisa Power Station, Loviisa Finland Abstract Human reliability data sources are among the most problematic areas of a probabilistic safety assessment (PSA) study. On one hand there is a great deal of information on everyday human behaviour but on the other practically no data on specific rare transient scenarios of a nuclear power plant. This problem has lead to the development of generic human reliability data bases with coefficients and multipliers to be used for plant specific circumstances. However, plant specific data, if available, is the best source of information of a human reliability analysis. This paper discusses the efficient ways of using available sparse human reliabilty data. The current data sources are : plant specific event reports, interviews of plant personnel, generic nuclear event data reports, simulator test runs and expert judgment. The use of simulators provides the only possibility to repeat certain accident sequences several times with different crews. When interpreting the results, the possible effect of the exercise situation has to be considered.The use of incident and accident precursor information to update the human reliability models is an important way to get plant specific data. Their utilisation leads to early warning of possible events and aids in developing improved procedures, alarms and automation system. Possibilities to improve the use of incident data are discussed in the paper. Some practical efforts on the plant specific human reliability data collection and application are presented. Furthermore, ideas for improvements are discussed. Among them are the improved event sequence investigation to reveal the proper event contributors and the use of influence networks to study the impact of the identified contributors in a certain sequence. References to the work done in Finland and in the Nordic co-operation projects in the field of PSA are given. 1 INTRODUCTION The main plant specific human reliability data sources are: simulator runs, event reports, interviews of plant personnel and plant maintenance procedures and practices. Simulator runs are an efficient way to collect data on transients, given that the simulator device is similar to the plant control room and the process simulation is good. The effect of deviations in response times and measures taken in a certain plant condition are discussed later. 155The use of plant event data is also one of the important human reliability data sources. It normally reflects possible deviations from procedures and confusion among alternative diagnoses. Unfortunately, the event reports do not generally address situations where the operating personnel manages to bring the plant into a safe state before anything happens, especially if the deviation originates in a human error which is immediately corrected. Therefore, management activities to provide better background to accident precursor reporting have to be considered. The scarcity of plant specific event data leads to using worldwide event databases to extract usable data. There are, however, difficulties in using this data, which is partly due to different plant types, differing subsystems and components, different administrative controls and varying operator training/experience levels, but also quite often limited details of the reports. The same problem is also implicitly included in the generic human reliability data bases (e.g. Swain&Guttman, 1981). The application of generic data requires expert opinion to calibrate the data to fit the plant conditions. Besides, the extent to which the human reliability data bases are results of pure expert opinion is at least so far not clear. In the following, some latest efforts to collect and apply human reliability data in Finland are presented. Furthermore, ideas for improved use of available data sources are presented. 2 EXPERIENCE FROM DATA SOURCES IN FINLAND 2.1 Loviisa NPP PSA The human reliability data sources used at Loviisa plant include: — plant specific events during about seventeen plant—years of operation — simulator test—runs carried out for plant specific and generic studies — generic and judgmental data for rare events not experienced at the plant. 156Besides assessing human error probabilities, there have been also other important objectives e.g. improvements of procedures, improved generic human error classifications and development of operator aids. The critical function monitoring system (CFMS) studies at the Loviisa simulator (Hollnagel et al, 1983) indicated that there was a substantial variation between the crews in terms of the number, order and timing of activities carried out during a given transient. It would be wrong to call all these deviations as errors, since none or very few of them were critical from the safety point of view. The lesson learned was that one has to define carefully the really critical actions during a specific transient and focus the attention on those actions only. Otherwise, a too pessimistic view about the error rates could be obtained . Another simulator study (Norros