A study on the systematic framework to develop effective diagnosis procedures of nuclear power plants


Reliability Engineering and System Safety 84 (2004) 319–335 www.elsevier.com/locate/ress

Jinkyun Park*, Wondea Jung

Integrated Safety Assessment Division, Korea Atomic Energy Research Institute, P.O. Box 105, Duckjin-Dong, Yusong-Ku, Taejon 305-600, South Korea

Received 3 September 2003; revised 3 December 2003; accepted 10 December 2003

Abstract

In complex systems such as the nuclear and chemical industries, the importance of a diagnosis procedure has been well recognized, since the nature of an on-going event must be identified before successful countermeasures or remedial actions can be determined. Unfortunately, a systematic framework that can suggest a unified and consistent process for constructing useful diagnosis procedures seems to be scant. In this paper, a systematic framework that provides a sound way of constructing a diagnosis procedure is suggested based on two technical bases: the decision-making strategies of humans and the test sequencing technique. To demonstrate the appropriateness of the suggested framework, the diagnosis procedure of the reference nuclear power plant is reformed based on it. Subjective ratings are conducted to compare the reformed procedure with the original one, and the results support that operators' performance in an event diagnosis could be improved. Thus, although well designed experiments are needed to draw a reliable conclusion, it is expected that the suggested framework could be applied to provide a consistent process in constructing useful diagnosis procedures.

© 2004 Elsevier Ltd. All rights reserved.

Keywords: Nuclear power plant; Diagnosis procedure; Decision-making strategy; Test sequencing technique; Human performance

* Corresponding author. Tel.: +82-42-868-2186; fax: +82-42-868-8374. E-mail address: [email protected] (J. Park).
doi:10.1016/j.ress.2003.12.004

Nomenclature

AC      alternating current
ATWS    anticipated transient without scram
CSF     critical safety function
CTMT    containment
DBA     design basis accident
DC      direct current
EBA     elimination by aspect
EOP     emergency operating procedure
ESDE    excess steam demand event
FRP     functional recovery procedure
LPS     liter per second
LOAF    loss of all feed water
LOCA    loss of coolant accident
LOOP    loss of off-site power
MCR     main control room
NPP     nuclear power plant
ORP     optimal recovery procedure
PRZ     pressurizer
PSA     probabilistic safety assessment
RCP     reactor coolant pump
RCS     reactor coolant system
RT      reactor trip
SRO     senior reactor operator
SBO     station black out
SG      steam generator
SGTR    steam generator tube rupture
TMI     three mile island

1. Introduction

As process plants become more complex, it becomes apparent that it is almost impossible to rely exclusively on operators' skill and memory to accomplish tasks. This means that various kinds of job aids and/or procedures are indispensable to support them. Actually, the importance of procedures, especially under emergencies, has been emphasized in many industries. For example, in the case of the nuclear industry, it is obvious that emergency operating procedures (EOPs) are one of the most effective ways to cope with emergency events, since it is highly desirable that operators can effectively and confidently conduct specified tasks for mitigating the consequences of events, if they select a proper EOP [1–5]. Similarly, experience from other industries, such as the aviation and the chemical industry, offers preliminary evidence that supports the importance of procedures in coping with emergencies [6–8].

To select a proper procedure, however, it is crucial for operators to correctly understand what has happened. In other words, operators must first diagnose the nature of an event before selecting a procedure to cope with it. Unfortunately, diagnostic activities under emergencies have been regarded as the dominant risk-significant human behavior, since operators have to perform diagnosis under very complicated and stressful environments (such as many process parameters that are very rapidly changing and severe time pressure, etc.) [3,9–13]. This means that effective responses may be delayed or that serious consequences may occur due to selecting an inadequate procedure (i.e. misdiagnosis). Actually, it is well known that the TMI accident is one of the canonical pieces of evidence related to misdiagnosis [2,11], and many accidents and incidents have indicated a significant effect on safety due to misdiagnosis [5,8,11–13].

From this concern, several kinds of diagnostic aids that can guide operators to select an appropriate procedure based on various symptoms (such as components' status and the characteristics of process parameters, etc.) have been provided [14–19], and one of the typical diagnostic aids is a diagnosis procedure [7,20–25]. However, there is a critical problem in providing a diagnosis procedure. That is, a systematic framework that can suggest a unified and consistent process for constructing useful diagnosis procedures seems to be scant. Although there are many guidelines and checklists that can significantly contribute to the construction of diagnosis procedures, it is still ambiguous, since they are mainly focused on their format (such as text size to enhance legibility, layout, symbols, referencing, etc.) [26]. This means that, even if all required items are satisfied, it may still be doubtful whether a diagnosis procedure is designed so that it allows operators to enhance diagnostic performance or not.

In this paper, in order to compensate for this problem, a systematic framework is suggested based on both the decision-making strategies of humans and the test sequencing technique that has been used to generate the optimal test sequences of complex systems. In addition, to demonstrate the appropriateness of the suggested framework, the diagnosis procedure of the reference nuclear power plant (NPP) is reformed along with it. After that, the reformed procedure is compared to the original one by subjective ratings obtained from interviews with plant experts of the reference NPP. As a result, the suggested framework seems to be useful, since most of the experts consented that the reformed diagnosis procedure can enhance operators' performance in an event diagnosis. Thus, although additional activities such as conducting well designed experiments are inevitable to draw a concrete conclusion, it is believed that the suggested framework could be applied to provide a consistent process in constructing useful diagnosis procedures.

The remainder of this paper is organized as follows. In Section 2, several important requirements for a diagnosis procedure that assists operators to select an appropriate EOP are explained. Based on those, more detailed requirements including the reason why the test sequencing technique is introduced to prepare a diagnosis procedure are explained in Section 3. In Section 4, how the test sequencing technique can be applied for preparing a diagnosis procedure is succinctly described. After that, as a case study, the diagnosis procedure of the reference NPP is reformed in Section 5. Finally, discussions and conclusions of this study are given in Section 6 with the results of experts' ratings that compare the reformed diagnosis procedure and the original one.

2. Important requirements for a diagnosis procedure in selecting an EOP

For the last few decades, extensive effort has been made by the nuclear community to develop EOPs that can effectively transmit essential instructions to operators. Several types of EOPs have been suggested to achieve this objective, and EOPs based on the integrated approach (i.e. considering both the event-based and the symptom-based approach) have been widely adopted from the viewpoint of optimization [27–29]. Thus, EOPs that are developed based on the integrated approach consist of optimal recovery procedures (ORPs) representing the event-based approach and functional recovery procedures (FRPs) representing the symptom-based approach. This is because, in general, all emergency events can be divided into two categories—either diagnosable or not.

The first category implies the events that can be diagnosed properly by recognizing correlated symptoms and recent operating history. Typical examples for this category are design basis accidents (DBAs), such as loss of coolant accident (LOCA), steam generator tube rupture (SGTR) and excess steam demand event (ESDE), etc. Unfortunately, for the emergency events that belong to the second category, it is almost impossible to accurately diagnose them because they are previously unanalyzed and/or have a very complex nature. Typical examples are multiple events and instrumentation failures, and they can be covered by FRPs because it has been experimentally shown that FRPs are a suitable countermeasure in dealing with these kinds of events [30].

Fig. 1. Overall structure of the EOPs in the reference NPP.

Based on these distinctions, Fig. 1 depicts overall structure of EOPs in the reference NPP. It is noted that EOPs for the events such as anticipated transient without scram (ATWS) and loss of all alternating current (AC) and direct current (DC) power are covered by FRPs, although they can be properly diagnosed based on several distinct symptoms, because they can directly jeopardize critical safety functions (CSFs). For example, the occurrence of ATWS directly indicates loss of reactivity control function which is one of the CSFs of the reference NPP. It is also noted that, an ORP for a routine reactor trip (RT) has been prepared, although it is not an emergency situation (such as manual reactor trip to conduct a regular overhaul), since any off-normal event that either automatically or manually actuates RT has been regarded as an emergency event [28,31].

Under this structure, the role of a diagnosis procedure can be defined as “the provision of a logical and systematic process which allows operators to select an appropriate EOP [4,12,25–27].” From this point of view, several high level requirements and rationales for the development of diagnosis procedures could be summarized as in Table 1.

Table 1. High-level requirements for a diagnosis procedure

R1
Requirement: A diagnosis procedure should be designed so that operators can distinguish between DBAs (i.e. diagnosable events) and the other events that cannot be diagnosed. In addition, a diagnosis procedure should be designed so that operators can identify each DBA without concerning its initiating conditions.
Rationale: The provision of a diagnosis procedure that can give a systematic and adequate guidance from the beginning of any event is indispensable not only to effectively cope with it but also to prevent a severe accident such as the TMI accident [5,11,26,32].

R2
Requirement: A diagnosis procedure should be designed so that DBAs that are directly related to CSFs have a high priority in identification.
Rationale: The jeopardy of any CSF implies that there is a possibility of making a direct pathway resulting in core damage or a large release of radiation. This means that the initial diagnosis for determining whether a challenge to any CSF is more important than for identifying the specific cause of an event [33].

R3
Requirement: A diagnosis procedure should be designed so that operators can focus on the most important information and/or symptoms, to prevent a misdiagnosis that can be caused by less important symptoms.
Rationale: When an emergency event takes place, operators have to perform diagnosis under a very stressful environment, such as severe time pressure. This strongly implies that operators' burden in collecting information and/or symptoms that are needed for diagnosis will increase. Thus, a diagnosis procedure should assist operators in focusing priority attention on the most important information to prevent possible confusion or misdirection of attention caused by less important information [27].

R4
Requirement: A diagnosis procedure should be compatible with the decision-making strategies of operators.
Rationale: Many requirements related to the design of decision support tools (or systems) have been accentuated to enhance human performance. Among them, one of the common requirements is the compatibility between decision support tools and the decision-making strategies of humans [32,34–39], since it is strongly believed that human performance will be degraded due to the mismatch between human ability and task demands [7,40,41]. In other words, if the decision-making processes implemented in decision support tools are compatible with those of humans, then it is expected that humans can accomplish tasks more correctly and effectively [42–45]. Accordingly, this requirement can be regarded as the requirement for diagnosis procedures at the same time, since they obviously belong to decision support tools.

3. How diagnosis procedures that are compatible with the decision-making strategies of human can be prepared?

At the end of Section 2, four high-level requirements are identified as a result of extensive literature surveys. Here, it may be interesting to investigate whether the diagnosis procedure of the reference NPP satisfies these requirements or not. Fig. 2 shows simplified diagnosis procedure of the reference NPP [28], and Table 2 compares the requirements with their implementations in the diagnosis procedure. It is noted that more detailed explanations about the diagnosis procedure can be found in Ref. [46].

As shown in Table 2, it is apparent that this diagnosis procedure fulfills the first two requirements (i.e. R1 and R2). In contrast, both the third and fourth requirement seem not to be satisfied. Firstly, to clarify the problem pertaining to R3, the structure of the diagnosis procedure should be pointed out. That is, it is structured so that operators have to continuously check important symptoms for other events (such as LOCA or ESDE) even if decisive symptoms (such as the secondary radiation alarms that indicate the occurrence of SGTR) are observed. For example, operators of the reference NPP have actually pointed out that, when SGTR occurred, successive checking of both negative symptoms (i.e. information about what has not failed, such as low CTMT pressure or SG pressure high, etc.) and positive symptoms (i.e. information about what has failed, such as secondary radiation alarms) can make them desultory, since they have to pay attention to numerous symptoms at the same time [46]. In other words, this problem can create an undue difficulty because operators prefer positive information in the course of decision-making [41,47–50].

As for the second, the diagnosis procedure demands a lot of cognitive effort, since its structure seems to be different from the decision-making strategies of operators. According to the related studies, the characteristics of the decision-making strategies that are frequently adopted under emergency situations can be listed as below.

- One of the decisive factors making decisions complicated is the number of hypotheses (or alternatives) to be considered [48,51–55].
- Because of a working memory limitation, people can only consider several hypotheses (from one to four) at one time. In addition, the number of hypotheses decreases as time pressure increases. In the extreme, some people can only consider a single hypothesis under a severe time pressure [53,56,57].
- Most people systematically change their decision-making approach based on a task complexity affected by the number of hypotheses and time pressure, etc. When people face a situation in which several hypotheses are simultaneously considered, for example, they frequently adopt the non-compensatory approach to reduce the number of plausible hypotheses. In contrast, if the number of hypotheses is sufficiently reduced (typically one or two hypotheses remained), then they adopt the compensatory approach to compare remaining hypotheses more deeply and precisely [11,43,49,58–63].
- The most principal strategy to embody the non-compensatory approach under a severe time pressure is known as the elimination by aspect (EBA) [54,57,59,64]. In addition, the representativeness (the degree to which a set of symptoms is similar or representative of a particular hypothesis) and the availability (the easiness of recalling a particular hypothesis) are essential in materializing EBA strategy [3,46,57,65–70].

From the above characteristics, it is apparent that the diagnosis procedure is structured on the basis of the compensatory approach, since the number of plausible hypotheses (i.e. DBAs) is not changed in the course of a diagnosis. Evidently, this strongly implies that operators may feel a burden, since they have to simultaneously consider the possibility of occurrence for many events [46]. In addition, it is very interesting to point out that R3 is closely related to the compensatory approach which forced operators to simultaneously check positive as well as negative symptoms.

Thus, to provide the diagnosis procedure that can satisfy the last two requirements (R3 and R4), it is inevitable to apply two-stage approach which integrates both the non-compensatory and the compensatory approach. As for the first stage, operators' burden can be effectively reduced by eliminating less meaningful events until only one event remains. After that, as the second stage, operators have a chance to confirm whether the remaining event is a DBA (i.e. a diagnosable event) or not (i.e. events such as multiple failures), by comparing many symptoms more deeply and precisely (i.e. applying the compensatory strategy).

Here, there are two remarkable points in implementing both the non-compensatory and compensatory approach. First, the key of EBA strategy is the provision of a technique that can distinguish the most diagnostic symptom (i.e. which symptom can effectively eliminate less meaningful events?) from a set of available symptoms. In other words, a systematic and reliable technique is inevitable to embody EBA strategy, since inappropriate event elimination can directly result in a misdiagnosis. In addition, as stated above, the technique should be developed on the basis of the representativeness and availability. Because of these reasons, the test sequence technique is introduced in this study.

Fig. 2. (a) Simplified diagnosis procedure of the reference NPP—its structure. (b) Simplified diagnosis procedure of the reference NPP—its contents.

Table 2. Requirements and their implementations in the diagnostic procedure of the reference NPP

R1
Implementation: The diagnosis procedure is designed so that operators can distinguish each DBA without concerning its initiating conditions. In addition, multiple events or instrumentation failures can be distinguished from DBAs (i.e. a diagnosable event including RT). See ‘part B’ and ‘part C’ in Fig. 2(a).

R2
Implementation: The diagnosis procedure is designed so that DBAs that are directly related to CSFs (i.e. ATWS and loss of all AC and DC power) can be diagnosed prior to the other DBAs. See ‘part A’ in Fig. 2(a).

R3
Implementation: This requirement seems not to be sufficiently fulfilled, since operators have to pay attention to processing important symptoms as well as less important symptoms.

R4
Implementation: This requirement seems not to be sufficiently fulfilled, since the structure of the diagnosis procedure is not compatible with the decision-making strategies of operators.

Secondly, it is noted that defining a unique strategy that can represent the compensatory approach is difficult (such as EBA strategy for the non-compensatory approach), since several different strategies can be used for conducting the compensatory decision-making [58,69]. Thus, in this study, an equally weighted linear model that allows operators to directly compare an expected state with a current state is introduced, since this model can be regarded as the simplest strategy in implementing the compensatory approach.

4. Implementing EBA strategy using the test sequencing technique

4.1. Basic concept of the test sequencing problem

In modern complex systems, maintainability is one of the most important concerns from manufacturers' point of view. Accordingly, various researches have been performed to enhance testability (such as amount of time or test costs to find a failure state) because it is known as the most critical factor affecting maintainability [71]. To accomplish this goal, it is necessary to answer the question of ‘how the test sequence that optimally identifies many failure states with a reasonable test cost/time can be generated?’ A lot of methods/techniques have been suggested to answer this question. As one of them, the test sequencing technique based on the entropy concept has been applied to many fields, such as a circuit design, vindicating an electronic control unit, diagnosing electronic systems, etc. [71–75].

In producing an optimal test sequence, a problem domain is described by the four-tuple $(S, p, T, c)$ and test matrix [71–73].

- $S = \{s_1, \ldots, s_i\}$ specifies different system states $(1 \le i \le m)$.
- $p = [p(s_1), \ldots, p(s_i)]^T$ means the prior probability vector for system states.
- $T = \{t_1, \ldots, t_j\}$ represents a set of $n$ available tests to identify system states $(1 \le j \le n)$.
- $c = [c_1, \ldots, c_j]^T$ indicates the test cost vector measured by test time, required resources to perform a test, etc. Generally, it is assumed that all test costs are identical (i.e. setting to one).
- The test matrix (or the troubleshooting table) describes a relationship between system states included in $S$ and available tests included in $T$.

Based on these definitions, an optimal test sequence can be determined so that an information gain per unit cost is maximized, since each test can be regarded as an information source to describe a system state. To understand the test sequencing technique more clearly, let us consider an arbitrary system that has the test matrix shown in Fig. 3. In Fig. 3, symbol ‘X’ denotes that the result of test $t_j$ is ‘Yes’ if system state is $s_i$. In contrast, the blank means that the result of test $t_j$ is ‘No’ if system state is $s_i$. In addition, symbol ‘×’ indicates that test $t_j$ has no relationship with system state $s_i$ (i.e. unrelated test) [74]. In this case, an optimal test sequence can be determined so that a value of the discriminatory function for test $t_j$ is maximized.

$$\text{Discriminatory function for test } t_j = \frac{-p \cdot (p_y \cdot \log_2 p_y + p_n \cdot \log_2 p_n)}{c_j}$$

Fig. 3. Test matrix of an arbitrary system.

Table 3. Meaning of each term included in the discriminatory function

$p$
Meaning: The probability of getting a definite result when the test $t_j$ is performed.
Quantified by: 1 − (sum of the prior probabilities for the system states that are denoted by the symbol ‘×’)

$p_y$
Meaning: The conditional probability of getting Yes when the test $t_j$ is performed.
Quantified by: (sum of the prior probabilities for the system states that are denoted by the symbol ‘X’) / $p$

$p_n$
Meaning: The conditional probability of getting No when the test $t_j$ is performed.
Quantified by: 1 − $p_y$

$c_j$
Meaning: Test cost for the test $t_j$.

Table 3 summarizes detailed meaning with how to quantify each term in the above equation. For example, Fig. 4 shows the result indicating test $t_2$ should be selected as the first test to be done, since the value of the discriminatory function for $t_2$ has the largest value. Similarly, the same process can be applied to determine which test should be done as the next test. For example, when the result of the first test is No, the next test could be either $t_4$ or $t_5$ as shown in Fig. 5. In this way, the optimal test sequence for the test matrix shown in Fig. 3 can be determined as depicted in Fig. 6.

Fig. 4. An example to determine the first test.

Fig. 5. An example to determine the second test.

Fig. 6. The optimal test sequence for the test matrix shown in Fig. 3.

Fig. 7. Modified test sequence representing ‘OR’ relation.

4.2. Comparing an optimal test sequence and a diagnosis procedure

As stated in Section 3, a systematic technique that can distinguish the most diagnostic symptom based on two important features (the representativeness and availability) is a prerequisite for implementing EBA strategy. From this point of view, the test sequencing technique seems to be useful, since it suggests an optimal way of testing through determining the most diagnostic test by two factors—‘which test is the most representative to distinguish a given system state?’ and ‘which test is the most effective to distinguish a system state that occurs more frequently?’—if a test cost is identical. In other words, if we, respectively, think of each system state and test shown in Fig. 3 as a DBA and a plant symptom, then the concept of generating an optimal test sequence may be applied as the basis for implementing EBA strategy. In this sense, Fig. 6 can be regarded as a diagnosis procedure that is structured based on EBA strategy. However, this idea needs two kinds of modifications: one is concerning a relationship among events and the other is concerning a relationship among symptoms.

Firstly, a relationship among events should be concerned to properly implement EBA strategy. According to EBA strategy, for example, it is evident that operators will immediately envisage several plausible events (such as LOCA or ESDE) when they observe a symptom, such as ‘PRZ pressure is decreasing,’ which commonly indicates ‘something is broken.’ In addition, it is also expected that operators will discard the possibility of occurrence of several events (such as SBO or LOAF, etc.) that are far from break events [46]. This means that, even if a diagnosis sequence is determined in an optimal way, operators may have difficulty if they have to simultaneously consider the events that have different natures. In this sense, inappropriate diagnosis procedures that compel operators to simultaneously consider the events that belong to different categories should be restructured in order to minimize their burden (detailed example will be explained in Section 5.3).

Secondly, to understand why a relationship among symptoms has to be contemplated, let us reexamine the meaning of two tests $\{t_4, t_5\}$ in Fig. 5. When the result of the first test $\{t_2\}$ is No, it is apparent that either $t_4$ or $t_5$ can be selected as the second test because they share the largest value of the discriminatory function. In other words, either $\{t_2, t_4, t_3\}$ or $\{t_2, t_5, t_3\}$ is a sufficient solution for a test sequencing problem, since all tests can be sequentially and thoroughly performed by testers. In contrast, from the point of view of a diagnosis procedure, providing only one sequence is somewhat dangerous because operators have to diagnose each event not only by sequentially generated symptoms but also concurrently generated ones. In other words, the meaning of Yes and No for a test sequence problem implies ‘test result is positive’ and ‘test result is negative,’ while it denotes ‘symptom is observed’ and ‘symptom is not observed’ in case of an event diagnosis problem, respectively. This means that the contents of observed symptoms could be changed with respect to the nature of an on-going event. For example, if symptom set $\{t_2, t_5, t_3\}$ is observed instead of $\{t_2, t_4, t_3\}$, then operators who use the diagnosis procedure shown in Fig. 6 may fail in a correct diagnosis.

To compensate for this problem, therefore, a test sequence should be expanded by two relations (i.e. ‘AND’ and ‘OR’) so that as many symptoms as possible can correctly represent the nature of an on-going event. In other words, the identical symptoms that share AND relation for a given failure state have to be combined in serial, while those sharing OR relation should be combined in parallel. For example, if the occurrence of two system states $\{s_5$ and $s_6\}$ can be represented by either $t_4$ or $t_5$ (i.e. OR relation), then these symptoms have to be combined in parallel, as highlighted by a dark color in Fig. 7.
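The selection rule of Section 4.1 and the tie case that Section 4.2 turns into an OR relation can be carried through in code; this is an added example, not code from the paper. The test matrix and priors are constructed for illustration (Fig. 3 is not reproduced on this page), and all function names, the "U" marker for unrelated tests, the renormalisation of priors inside a branch and the routing of unrelated states down both branches are assumptions.

```python
import math

YES, NO, UNRELATED = "X", "", "U"   # "U" stands in for the paper's unrelated-test symbol

# Constructed sample (not Fig. 3 of the paper): 5 system states, 5 unit-cost tests.
PRIORS = {"s1": 0.4, "s2": 0.2, "s3": 0.2, "s4": 0.1, "s5": 0.1}
TESTS = ["t1", "t2", "t3", "t4", "t5"]
MATRIX = {
    "s1": dict(t1=YES,       t2=YES, t3=NO,  t4=NO,  t5=NO),
    "s2": dict(t1=NO,        t2=NO,  t3=NO,  t4=YES, t5=NO),
    "s3": dict(t1=NO,        t2=NO,  t3=NO,  t4=NO,  t5=YES),
    "s4": dict(t1=NO,        t2=YES, t3=YES, t4=NO,  t5=NO),
    "s5": dict(t1=UNRELATED, t2=NO,  t3=YES, t4=NO,  t5=NO),
}


def _plogp(q):
    """q * log2(q), with the usual convention 0 * log2(0) = 0."""
    return q * math.log2(q) if q > 0.0 else 0.0


def discriminatory(test, states, cost=1.0):
    """Discriminatory function of Section 4.1 for one test over a set of states."""
    total = sum(PRIORS[s] for s in states)
    # Assumption: priors are renormalised over the states still under consideration.
    weight = {s: PRIORS[s] / total for s in states}
    # p: probability of a definite result = 1 - (priors of unrelated states).
    p = 1.0 - sum(weight[s] for s in states if MATRIX[s][test] == UNRELATED)
    if p <= 0.0:
        return 0.0
    # p_y: conditional probability of Yes; p_n = 1 - p_y (Table 3).
    p_y = min(1.0, sum(weight[s] for s in states if MATRIX[s][test] == YES) / p)
    p_n = 1.0 - p_y
    return -p * (_plogp(p_y) + _plogp(p_n)) / cost


def best_tests(states, tests, tol=1e-9):
    """Return (tests sharing the maximum value, all scores); [] if nothing discriminates."""
    scores = {t: discriminatory(t, states) for t in tests}
    top = max(scores.values(), default=0.0)
    if top <= tol:
        return [], scores
    return sorted(t for t, v in scores.items() if top - v <= tol), scores


def build_sequence(states, tests):
    """Greedy test sequence as a nested dict; 'ties' lists equally good tests,
    which Section 4.2 treats as candidates for a parallel (OR) combination."""
    ties, _ = best_tests(states, tests)
    if len(states) <= 1 or not ties:
        return {"states": sorted(states)}
    test = ties[0]
    rest = [t for t in tests if t != test]
    # Assumption: a state unrelated to the chosen test stays possible on both branches.
    yes = [s for s in states if MATRIX[s][test] in (YES, UNRELATED)]
    no = [s for s in states if MATRIX[s][test] in (NO, UNRELATED)]
    return {"test": test, "ties": ties,
            "yes": build_sequence(yes, rest), "no": build_sequence(no, rest)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(build_sequence(list(PRIORS), TESTS))
```

In this constructed matrix the first test is unique, while the No branch ends in a tie between two tests, the situation in which a single sequence would miss an event that shows only the other symptom.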

5. Reforming the diagnosis procedure of the reference NPP—a case study

As stated at the end of Section 3, two-stage approach is inevitable for developing diagnosis procedures that are compatible with the decision-making strategies of operators. In addition, in Section 4.2, it was pointed out that the test sequencing technique seems to be useful for implementing EBA strategy, since it can be applied to distinguish the most diagnostic symptom based on the representativeness and the availability. Thus, the systematic framework to construct a diagnosis procedure can be outlined by the following four major steps.

- Preparing a symptom-failure matrix.
- Applying the test sequencing technique to embody EBA strategy.
- Modifying the diagnosis procedure.
- Implementing the compensatory approach to confirm a suspected DBA.

In this section, as a case study, the diagnosis procedure of the reference NPP is reformed to vindicate the appropriateness of suggested framework.

5.1. Preparing symptom-failure matrix

As for the first step, a symptom-failure matrix that corresponds to a test matrix has to be prepared. In general, an extensive effort (such as a thermal-hydraulic analysis and a plant design/experience review, etc.) has been required to prepare this matrix. However, since the purpose of this case study is the vindication of suggested framework, a symptom-failure matrix is prepared based on the background materials that are used to construct the diagnosis procedure of the reference NPP [28]. As a result, Fig. 8 shows the symptom-failure matrix for seven DBAs of the reference NPP.

Fig. 8. The symptom-failure matrix.

It is noted that, in diagnosing LOCA and ESDE, the symptoms of CTMT pressure and/or radiation level can be changed due to initiating conditions. For example, LOCA can be roughly subdivided into two kinds according to break locations (i.e. inside or outside CTMT). In these cases, the symptoms of CTMT pressure and radiation level could be changed as shown in Table 4 [28]. From Table 4, it is apparent that these symptoms will be either important or meaningless according to a break location. Thus, they are regarded as unrelated symptoms (i.e. corresponding to unrelated tests shown in Fig. 3), and denoted by ‘×’ in Fig. 8.

Table 4. Several LOCA symptoms with respect to the break location

Symptom                                         Break location
                                                Inside CTMT    Outside CTMT
CTMT pressure is over 70 cm H2O                 Yes            No
CTMT pressure is increasing                     Yes            No
CTMT radiation level is larger than 350 mR/h    Yes            No
CTMT radiation level is increasing              Yes            No

It is also noted that two DBAs, such as ATWS and loss of all AC and DC power, are excluded from Fig. 8, since they have to be diagnosed before anything else (see R2 in Table 1). Thus, they are not considered in the reformation of the diagnosis procedure (i.e. reformation is restricted to ‘part B’ in Fig. 2(a)).

5.2. Applying the test sequencing technique

The next step, after the symptom-failure matrix is obtained, is the selection of diagnostic symptoms (i.e. applying the test sequencing technique) to properly embody EBA strategy. It is noted that the prior probabilities for DBAs are essential for applying the test sequencing technique. In this study, the relative frequencies that are quantified by the initiating event frequencies used in probabilistic safety assessment (PSA) of the reference NPP are regarded as prior probabilities [76]. Table 5 summarizes the prior probabilities for DBAs. Based on Fig. 8 and Table 5, the test sequencing technique is applied, and Fig. 9 shows the preliminary diagnosis procedure produced by it (all test costs are assumed as one).

Table 5. Prior probabilities for DBAs

Event    Initiating frequency (a)    Relative frequency
RT       3.4700 × 10^+00             9.8015 × 10^-01
LOOP     6.2000 × 10^-02             1.7513 × 10^-02
SGTR     3.6300 × 10^-03             1.0253 × 10^-03
LOCA     3.2540 × 10^-03             9.1914 × 10^-04
ESDE     1.3800 × 10^-03             3.8980 × 10^-04
SBO      1.4500 × 10^-05             4.0957 × 10^-06
LOAF     2.1417 × 10^-06             6.0495 × 10^-07
Total    3.5403 × 10^+00             1.0000 × 10^+00

(a) The unit of initiating frequency is RY^-1 (reactor year).

5.3. Modifying the diagnosis procedure

As stated at the end of Section 4.2, it is necessary to modify the preliminary diagnosis procedure. Two criteria are available for this purpose.

- The diagnosis procedure should be modified so that the events that share a similar nature can be dealt with together.
- The diagnosis procedure should be modified so that the symptoms having the same value of the discriminatory function can be integrated with their relations, as many as possible.

First, the diagnosis procedure shown in Fig. 9 should be restructured so that LOAF event can be diagnosed prior to break events (i.e. SGTR, LOCA and ESDE), since it belongs to non-break events, such as LOOP and SBO. In other words, as stated in Section 4.2, the diagnosis procedure shown in Fig. 9 may be a burden on operators, since it requires simultaneous consideration for the events that have different

Fig. 9. Reformed diagnosis procedure—before modification.

Fig. 10. Restructured diagnosis procedure based on the first criterion.

natures. Thus, to solve this problem, the diagnosis procedure can be modified as shown in Fig. 10.

Secondly, the symptoms that have the same value of the discriminatory function are grouped in order to combine them into Fig. 10. Table 6 presents the symptoms that have the same value with their relations. For example, when t3 and t4 are simultaneously observed, it is suspected that LOAF has occurred. Conversely, if either t3 or t4 is not observed then it is expected that an on-going event is not LOAF. Using these relations, the diagnosis procedure can be modified as shown in Fig. 11.

Table 6. Relations among symptoms that have the same value of the discriminatory function

| Relation | DBA | Symptom |
|---|---|---|
| AND | LOAF | t3: all SGs’ level are under 23.5%; t4: total feed water flow rate is under 35LPS |
| OR | SGTR, LOCA, ESDE | t5: PRZ pressure is under 135 kg/cm²; t6: PRZ pressure is decreasing; t7: PRZ level is under 15%; t8: PRZ level is decreasing |
| AND | SGTR, LOCA | t9: RCS subcooling margin is under 15 °C; t10: RCS subcooling margin is decreasing |
| AND | ESDE | t11: at least one SG pressure is under 75 kg/cm²; t12: at least one SG pressure is decreasing |
| OR | SGTR | t13: there is a secondary radiation alarm; t14: there is unexpected feed flow mismatching between SGs; t15: there is unexpected increasing of SG level in one SG |

Fig. 11. Modified diagnosis procedure based on the second criterion.

Unfortunately, the diagnosis procedure given in Fig. 11 still seems to be insufficient because two symptoms {t11, t12} are excluded. Thus, to integrate these symptoms, it is inevitable to modify the diagnosis procedure so that ESDE can be diagnosed prior to SGTR and LOCA. Fig. 12 shows the result of this modification. In addition, to facilitate a comparison between reformed diagnosis procedure and the original one (i.e. corresponding to ‘part B’ in Fig. 2(a)), the diagnosis procedure that has an equivalent logic against Fig. 12 is shown in Fig. 13.

Fig. 12. The diagnosis procedure including two missing symptoms.

Fig. 13. The diagnosis procedure that is equivalent to Fig. 12.

5.4. Implementing the compensatory approach to confirm a suspected DBA

As shown in Fig. 13, the diagnosis procedure is structured so that less meaningful DBAs are effectively eliminated by checking several symptoms until a single DBA remains (i.e. a suspected DBA). After that, as for the last step in constructing the diagnosis procedure, an equally weighted linear model (i.e. the compensatory approach) should be embodied because operators have to identify the events that cannot be diagnosed (such as multiple events). This means that the symptoms which can be used to confirm the occurrence of a suspected event are essential. In this correspondence, a basic idea is identifying the symptoms that are not used to prepare the diagnosis procedure shown in Fig. 13, and as such four criteria can be applied for this purpose.

C1 The unrelated symptoms for a suspected event are excluded.
C2 Among all symptoms that are expected when a suspected DBA occurred (i.e. the symptoms indicated by ‘X’ in Fig. 8), the symptoms that are included in the primary diagnosis procedure (i.e. Fig. 13) are excluded.
C3 The symptoms that belong to the shortest path to diagnose a suspected DBA are excluded.
C4 When symptoms are rearranged to confirm a suspected DBA, a dependency among symptoms should be taken into account.

For example, let us assume that LOCA has occurred. In this case, the symptoms that are available to confirm LOCA can be distinguished as shown in Table 7. Firstly, four symptoms (i.e. from t16 to t19) are discarded because they are associated with C1. This criterion is inevitable, since the symptoms that can be changed with respect to initiating conditions increase a diagnostic uncertainty [68].

Secondly, C2 criterion is applied to select available symptoms to confirm LOCA. It is noted that this criterion plays an important role in implementing the compensatory approach, since symptoms should be compared under a stressful condition. In other words, although comparing symptoms, as many as possible, will be helpful for confirming a suspected DBA, it is necessary to limit the number of symptoms to be compared so that operators’ burden does not exceed their capability. For this reason, comparing once again the symptoms that are already checked to identify the occurrence of a suspected DBA seems to be unnecessary. Thus, six symptoms (i.e. from t5 to t10) are discarded because they can be observed when LOCA occurs.

Table 7. Available symptoms to confirm LOCA

| The whole symptoms included in Fig. 8 | C1 | C2 | C3 | C4 | Available? |
|---|---|---|---|---|---|
| t1: all vital AC buses are de-energized | | | | | Yes |
| t2: all RCPs are stopped | | | ✓ | | |
| t3: all SGs’ level are under 23.5% | | | ✓ | ✓ | Yes |
| t4: total feed water flow rate is under 35LPS | | | | | Yes |
| t5: PRZ pressure is under 135 kg/cm² | | ✓ | ✓ | | |
| t6: PRZ pressure is decreasing | | ✓ | | | |
| t7: PRZ level is under 15% | | ✓ | | | |
| t8: PRZ level is decreasing | | ✓ | | | |
| t9: RCS subcooling margin is under 15 °C | | ✓ | ✓ | | |
| t10: RCS subcooling margin is decreasing | | ✓ | ✓ | | |
| t11: at least one SG pressure is under 75 kg/cm² | | | | | Yes |
| t12: at least one SG pressure is decreasing | | | | | Yes |
| t13: there is a secondary radiation alarm | | | ✓ | | |
| t14: there is unexpected feed flow mismatching between SGs | | | ✓ | | |
| t15: there is unexpected increasing of SG level in one SG | | | ✓ | | |
| t16: CTMT pressure is over 70 cm H2O | ✓ | | | | |
| t17: CTMT pressure is increasing | ✓ | | | | |
| t18: CTMT radiation level is larger than 350 mR/h | ✓ | | | | |
| t19: CTMT radiation level is increasing | ✓ | | | | |


Fig. 14. The diagnosis procedure including the symptoms to confirm LOCA.

Thirdly, eight symptoms {t2, t3, t5, t9, t10, t13, t14, t15} are discarded by C3 because they belong to the shortest path to diagnose LOCA as shown in Fig. 13. In other words, at least eight symptoms are checked to diagnose LOCA. It is noted that this is the reason why C3 is considered, similar to that of C2. That is, reaffirming the symptoms that are already checked in the course of diagnosing LOCA seems to be ineffective.

As a result, the symptoms that are available to confirm LOCA are {t1, t4, t11, t12}. This means that these symptoms should be structured so that they ascertain the presupposition: ‘if LOCA occurred, then it is expected that these four symptoms will not be observed.’ However, to properly ascertain this presupposition, t3 should be added to the available symptom list because of the dependency between t3 and t4 (i.e. C4 criterion). In other words, a sole checking of t4 without t3 can result in an inept confirmation. For example, LOAF should be suspected if total feed water flow rate is under 35LPS when both SGs’ levels are under 23.5%. In contrast, total feed water flow rate could be under 35LPS, even if LOAF did not occur, if one SG’s level is so high that feed water control system automatically reduces it. Actually, as mentioned at the end of Section 4.2, this is the reason why the distinctions of AND and OR relations among symptoms are carefully considered to construct diagnosis procedures.
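The C1 to C4 selection for a suspected LOCA can be written out as a short Python example, added here and not part of the original paper. The three exclusion sets are the ones stated in the text; the function names, the reading of C4 as "restore the partner of any surviving AND-related symptom from Table 6", and the pairwise check of the presupposition are assumptions of this example.

```python
# Added example: C1-C4 selection of confirmation symptoms for a suspected LOCA.
# The three exclusion sets are quoted from the text; the function names and the
# AND-group reading of C4 are assumptions of this example.

ALL_SYMPTOMS = [f"t{i}" for i in range(1, 20)]   # t1..t19, as listed in Table 7

C1_UNRELATED = {"t16", "t17", "t18", "t19"}      # vary with the break location
C2_IN_PRIMARY = {"t5", "t6", "t7", "t8", "t9", "t10"}   # already in Fig. 13
C3_SHORTEST_PATH = {"t2", "t3", "t5", "t9", "t10", "t13", "t14", "t15"}

# AND relations from Table 6: each pair is one indication, read together.
AND_GROUPS = [("t3", "t4"), ("t9", "t10"), ("t11", "t12")]


def select_confirmation_symptoms(all_symptoms, c1, c2, c3, and_groups):
    """Apply C1-C3 as exclusions, then C4 as a dependency repair.

    Returns (rows, available): one audit row per symptom, in the layout of
    Table 7, and the final ordered list of symptoms to check.
    """
    excluded = c1 | c2 | c3
    available = {s for s in all_symptoms if s not in excluded}

    # C4 (assumed reading): when one member of an AND pair survives C1-C3,
    # its partner is put back so the pair can be evaluated as a whole.
    restored = set()
    for group in and_groups:
        if available & set(group):
            restored |= set(group) - available
    available |= restored

    rows = [
        {"symptom": s, "C1": s in c1, "C2": s in c2, "C3": s in c3,
         "C4": s in restored, "available": s in available}
        for s in all_symptoms
    ]
    return rows, [s for s in all_symptoms if s in available]


def conflicting_indications(observed, available, and_groups):
    """Check the presupposition that no confirmation symptom is observed.

    A fully checked AND pair conflicts only when both members are observed;
    any other available symptom conflicts on its own.
    """
    observed, available = set(observed), set(available)
    paired, conflicts = set(), []
    for group in and_groups:
        if set(group) <= available:
            paired |= set(group)
            if set(group) <= observed:
                conflicts.append(group)
    for s in sorted(available - paired, key=lambda x: int(x[1:])):
        if s in observed:
            conflicts.append((s,))
    return conflicts


if __name__ == "__main__":
    rows, available = select_confirmation_symptoms(
        ALL_SYMPTOMS, C1_UNRELATED, C2_IN_PRIMARY, C3_SHORTEST_PATH, AND_GROUPS)
    for r in rows:
        marks = " ".join(c if r[c] else "--" for c in ("C1", "C2", "C3", "C4"))
        print(f"{r['symptom']:>3}  {marks}  {'Yes' if r['available'] else ''}")
    print("check for LOCA:", available)
    # Constructed observations, not plant data.
    print(conflicting_indications({"t4"}, available, AND_GROUPS))
    print(conflicting_indications({"t3", "t4"}, available, AND_GROUPS))
```

With low feed water flow alone (t4) the check reports no conflict, while t3 and t4 together are reported as one indication that contradicts a pure LOCA.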

Based on the above criteria, to confirm LOCA, the diagnosis sequence shown in Fig. 13 should be modified as highlighted by a dark color in Fig. 14 so that they effectively embody the compensatory strategy. In this way, the diagnosis sequences for the other DBAs can be determined, and they will constitute the remaining parts of reformed diagnosis procedure.

Table 8. Results of subjective ratings

| Category | Questionnaire | Yes | No |
|---|---|---|---|
| Compatibility | Is the diagnosis process implemented in reformed diagnosis procedure similar to that of operators under emergencies? | 4 | 1 |
| | Is it expected that operators can focus on more important symptoms (i.e. more diagnostic symptoms), if reformed procedure is used? | 5 | 0 |
| Situation awareness | When the performance of reformed diagnosis procedure is finished, is it expected that operators can understand the current situation more clearly? | 4 | 1 |
| Ease of use | Is it expected that the operators can perform reformed diagnosis procedure more easily rather than the original one? | 2 | 3 |

6. Discussions and conclusions

Till now, the systematic framework to construct diagnosis procedures that are compatible with the decision-making strategies of operators has been suggested. In addition, to demonstrate the effectiveness of suggested framework, the diagnosis procedure of the reference NPP is reformed based on it. As a result, reformed diagnosis procedure can be obtained. This means that the appropriateness of suggested framework could be proven by evaluating the appropriateness of reformed diagnosis procedure.

In this study, subjective ratings by five plant experts are conducted to evaluate the appropriateness of reformed diagnosis procedure. All experts have a senior reactor operator (SRO) license and have worked as a training instructor of the reference NPP. In addition, they have experienced main control room (MCR) operations for more than 10 years. Four questionnaires related to the compatibility, the situation awareness and the ease of use of reformed diagnosis procedure are asked. Table 8 summarizes the results of subjective ratings.

In general, as can be seen from Table 8, most of experts agreed that reformed diagnosis procedure could be useful, since it seems: (1) to increase operators’ situation awareness, (2) to be helpful in concentrating on diagnostic symptoms, and (3) to be compatible with operators’ decision-making strategies under emergencies.

However, experts’ opinion appears to be negative for the ease of use. That is, three experts pointed out that reformed diagnosis procedure still seems to be difficult because, in some cases, operators have to check many symptoms to confirm a suspected DBA. For example, reformed diagnosis procedure compels operators to confirm LOAF by checking sixteen symptoms (i.e. t1 and symptoms from t5 to t19). In addition, thirteen symptoms (i.e. t1, t4 and from t9 to t19) and seventeen symptoms (i.e. from t3 to t19) have to be checked to confirm RT and LOOP/SBO, respectively. Evidently, checking many symptoms will increase operators’ burden in performing the reformed diagnosis procedure.

In contrast, two experts commented that, even if operators have to check many symptoms for some DBAs, it is expected that operators’ burden will be significantly reduced because the number of plausible DBAs is effectively decreased. In other words, operators have difficulty (i.e. memory load) because they have to remember what events are considered during the performance of the diagnosis procedure shown in Fig. 2 [46]. This means that, if the problem related to the number of symptoms is solved, then it can be said that operators can perform reformed diagnosis procedure more easily, since they do not need to pay attention to events that are considered in the course of a diagnosis.

Fortunately, this problem can be solved by the C4 criterion (i.e. considering a dependency among symptoms). That is, identifying DBAs such as ESDE, SGTR and LOCA can be simplified, since they share four common symptoms (i.e. from t5 to t8). In other words, eleven symptoms (i.e. from t9 to t19) are meaningful in diagnosing these DBAs only if one of four symptoms is observed. This means that, for example, checking only five symptoms (i.e. t1 and symptoms from t5 to t8) is sufficient to confirm LOAF as depicted in Fig. 15. In Fig. 15, it is evident that the number of symptoms that have to be checked to diagnose LOAF is almost identical compared with that of Fig. 2. Thus, it is reasonable to expect that operators’ burden will be reduced if reformed diagnosis procedure is used.

Fig. 15. The diagnosis sequence including the symptoms to confirm LOAF.

In addition, to ascertain this expectation more objectively, an experiment using a full scope simulator of the reference NPP is designed to compare two kinds of diagnosis procedures. In this experiment, the appropriateness of reformed diagnosis procedure will be vindicated through comparing typical performance measures, such as diagnosis time, diagnosis accuracy and diagnostic burden quantified by a subjective workload evaluation technique. Although it is still insufficient to assure the appropriateness of reformed diagnosis procedure without these kinds of comparisons, it is possible to say that the results of subjective ratings give an important clue supporting the following conclusions.

• The suggested framework seems to be useful in constructing a diagnosis procedure that is compatible with the decision-making strategies of operators.
• The diagnosis procedure reformed by suggested framework seems to be helpful in understanding the on-going situation more clearly, since it is structured so that the operators can focus on diagnostic symptoms.
• The diagnosis procedure reformed by the suggested framework could be helpful in reducing operators’ diagnostic burden, since not only the less meaningful events can be effectively reduced but also they do not need to remember what events are considered in the course of a diagnosis.

Acknowledgements

This research was supported by ‘The Mid- and Long Term Nuclear R & D Program’ of MOST (Ministry of Science and Technology), Korea. The authors would like to express appreciation to the instructors of the reference plant for their sincere support.

References

[1] Kontogiannis T. Applying information technology to the presentation of emergency operating procedures: implications for usability criteria. Behav Inf Technol 1999;18(4):261–76.
[2] Bongarra Jr JP, Persensky JJ. Implementing requirements for upgrading emergency operating procedures: a regulatory perspective. Proceedings of IEEE Fourth Conference on Human Factors and Power Plants; 1988. p. 208–13.
[3] Kontogiannis T. Stress and operator decision making in coping with emergencies. Int J Human-Comput Interact 1996;45:75–104.
[4] US Nuclear Regulatory Commission, Guidelines for preparing emergency procedures for nuclear power plants USNRC, NUREG/CR-1977, Washington DC; 1981.
[5] US Nuclear Regulatory Commission, Steam generator tube failures. NUREG/CR-6365, Washington, DC; 1996.
[6] Degani A, Heymann M, Shafto M. Formal aspects of procedures: the problem of sequential correctness. Proceedings on Human Factors and Ergonomics Society (HFES) Annual Meeting, vol. 43; 1999. p. 1113–7.
[7] American Institute of Chemical Engineers, Guidelines for preventing human error in process safety. Center for Chemical Process Safety of the American Institute of Chemical Engineers; 1994.
[8] US Nuclear Regulatory Commission, Weakness in emergency operating procedures found as result of steam generator tube rupture. NRC Information Notice 93-56; 1993.
[9] Woods DD. Coping with complexity: the psychology of human behavior in complex systems. In: Goodstein LP, Anderson HB, Olsen SE, editors. Tasks, errors, and mental models. London: Taylor & Francis; 1998. p. 128–48.
[10] Meister D. Cognitive behavior of nuclear reactor operators. Int J Ind Ergon 1995;16:109–22.
[11] Vaudrey B, Patrick J, Halliday P. Training to break the barriers of habit in diagnosing unusual faults. Nuclear Engng Int 1999;August:15–18.
[12] Nuclear Energy Agency, Critical operator actions: human reliability modeling and data issues. NEA/CSNI/R(98)1; 1998.
[13] Dougherty E. Human errors of commission revisited: an evaluation of the ATHEANA approach. Reliab Engng Syst Safety 1998;60:71–82.
[14] Underwood WE. A CSA model-based nuclear power plant consultant. Proceedings of the National Conference on Artificial Intelligence; 1982. p. 302–5.
[15] Chung DT, Modarres M, Hunt RNM. GOTRES: an expert system for fault detection and analysis. Reliab Engng Syst Safety 1989;24:113–37.
[16] Varde PV, Sankar S, Verma AK. An operator support system for research reactor operations and fault diagnosis through a connectionist framework and PSA based knowledge based systems. Reliab Engng Syst Safety 1998;60:53–69.
[17] Larsson JE. Diagnosis based on explicit means-end models. Artif Intell 1996;80:29–93.
[18] Palmer C, Chung PWH. Verifying signed directed graph models for process plants. Comput Chem Engng 1990;23:391–4.
[19] Ng HT. Model-based, multiple-fault diagnosis of dynamic, continuous physical devices. IEEE Expert 1991;38–43.
[20] Depond G, Resse L. Operating procedures for emergency situations in EdF PWR plants. Proceedings of IAEA International Training Course on Accident Management in Nuclear Power Plants; 1989. p. 1–12.
[21] Pelin H, Sureau H, Mesnage J. EdF adopts a state-oriented approach to emergency operations. Nuclear Engng Int 1986;34–5.
[22] Roth-Seefrid H, Fischer HD. Advanced information systems to enhance operational safety. Reliab Engng Syst Safety 1988;22:91–106.
[23] Rasmussen J, Duncan K, Leplat J, editors. New technology and human error. New York: Wiley; 1987.
[24] Batistic JA. Embalse NGS: abnormal event procedures development lifecycle. Operating procedures for nuclear power plants and their presentation. Proceedings of a Specialist Meeting Organized by the International Atomic Energy Agency, Vienna, 31 March–2 April; 1992.
[25] Muller RE, Moser HJ, Roth-Seefrid H. The new modular emergency procedure concept for SIEMENS PWRs. Operating procedures for nuclear power plants and their presentation. Proceedings of a Specialist Meeting Organized by the International Atomic Energy Agency, Vienna, 31 March–2 April; 1992.
[26] US Nuclear Regulatory Commission, Techniques for preparing flowchart-format emergency operating procedures. NUREG/CR-5228, Washington DC, vols. 1 and 2; 1989.
[27] International Atomic Energy Agency, Developments in the preparation of operating procedures for emergency conditions of nuclear power plants. IAEA-TECDOC-341, Vienna; 1985.
[28] CE Owner’s Group, Combustion engineering emergency response guidance. CEN-152, Rev. 04; 1996.
[29] Westinghouse Owner’s Group, Emergency response guidance. High pressure volume, Rev. 1A; 1987.
[30] US Nuclear Regulatory Commission, Onsite assessments of the effectiveness and impacts of upgraded emergency operating procedures. NUREG/CR-4617, Washington, DC; 1987.
[31] US Nuclear Regulatory Commission, Guidelines for the preparation of emergency operating procedures. NUREG-0899, Washington, DC; 1982.
[32] Long AB. Computerized operator decision aids. Nuclear Safety 1984;25(4):512–24.
[33] US Nuclear Regulatory Commission, Functions and operations of nuclear power plant crews. NUREG/CR-2587, Washington, DC; 1982.
[34] Benbasat I, Taylor RN. Behavioral aspects of information processing for the design of management information systems. IEEE Trans on Syst, Man Cybern 1982;SMC-12(4):439–50.
[35] Parr A. Fault diagnosis—a user’s view. IEE Colloquium Fault Diagn Process Syst Digest 1997;174:1–10.
[36] Latorella KA, Prabhu PV. A review of human error in aviation maintenance and inspection. Int J Ind Ergon 2000;26:133–61.
[37] Vessey I. The effect of information presentation on decision making: a cost-benefit analysis. Inf Mgmt 1994;27:103–19.
[38] Pejtersen AM. Search strategies and database design for information retrieval in libraries. In: Goodstein LP, Andersen HB, Olsen SE, editors. Tasks, errors and mental models. London: Taylor & Francis; 1988.
[39] Gieci A. Operating procedure and operator’s decision-making process. Operating procedures for nuclear power plants and their presentation. Proceedings of a Specialist Meeting Organized by the International Atomic Energy Agency, Vienna, 31 March–2 April; 1992.
[40] Rouse WB, Rouse SH. Analysis and classification of human error. IEEE Trans Syst, Man Cybern 1983;SMC-13(4):539–49.
[41] Morris NM, Rouse WB. Review and evaluation of empirical research in troubleshooting. Hum Factors 1985;27(5):503–30.
[42] Kernan MC, Bruning NS, Miller-Guhde L. Individual and group performance: effects of task complexity and information. Hum Perform 1994;7(4):273–89.
[43] Benbasat I, Todd P. The effects of decision support and task contingencies on model formulation: a cognitive perspective. Decision Support Syst 1996;10:241–52.
[44] Schmuck P, Gundlach W. Reduction of mental effort in tasks of different complexity. In: Klix F, Streitz NA, Waern Y, Wandke H, editors. Man–computer interaction research. Amsterdam: North-Holland; 1989. p. 235–44.
[45] Friedman L, Howell WC, Jensen CR. Diagnostic judgment as a function of the preprocessing of evidence. Human Factors 1985;27(6):665–73.
[46] Park J, Jung W. The requisite characteristics for diagnosis procedures based on the empirical findings of the operators’ behavior under emergency situations. Reliab Engng Syst Safety 2003;81:197–213.
[47] Mumaw RJ, Roth EM, Vicente KJ, Burns CM. There is more to monitoring a nuclear power plant than meets the eye. Human Factors 2000;42(1):36–55.
[48] Rouse WB. Human problem solving performance in a fault diagnosis task. IEEE Trans Syst, Man Cybern 1978;SMC-8(4):258–71.
[49] Cox T, Cox S. Work-related stress and control-room operations in nuclear power generation. In: Stanton N, editor. Human factors in nuclear safety. London: Taylor & Francis; 1996.
[50] Reinartz SJ, Reinartz G. Verbal communication in collective control of simulated nuclear power plant incidents. Reliab Engng Syst Safety 1992;36:245–51.
[51] Campbell DJ. Task complexity: a review and analysis. Acad Mgmt Rev 1988;13(1):40–52.
[52] Svensson E, Angelborg-Thanderz M, Sjoberg L, Olsson S. Information complexity—mental workload and performance in combat aircraft. Ergonomics 1997;40(3):362–80.
[53] Su Y, Govindaraj T. Fault diagnosis in a large dynamic system: experiments on a training simulator. IEEE Trans Syst, Man Cybern 1986;SMC-16(1):129–41.
[54] Teague RC, Allen JA. The reduction of uncertainty and troubleshooting performance. Human Factors 1997;39(2):254–67.
[55] Carnino A, Wanner JC. Misrepresentation errors. IEEE Fourth Conference on Human Factors and Power Plants; 1988. p. 343–8.
[56] Wickens CD, Gordon SE, Liu Y. An introduction to human factors engineering. Reading, MA: Addison-Wesley; 1998.
[57] Wickens CD. Engineering psychology and human performance, 2nd ed. University of Illinois at Champaign-Urbana: Harper Collins Publishers; 1992.
[58] Payne JW. Task complexity and contingent processing in decision making: an information search and protocol analysis. Organizational Behavior Hum Perform 1976;16:366–87.
[59] Payne JW, Bettman JR, Johnson EJ. Adaptive strategy selection in decision making. J Exp Psychol: Learn, Mem Cogn 1988;14(3):534–52.
[60] Maynard DC, Hakel MD. Effects of objective and subjective task complexity on performance. Hum Perform 1997;10(4):303–30.
[61] Paquette L, Kida T. The effect of decision strategy and task complexity on decision performance. Organizational Behav Hum Decision Process 1988;41:128–42.
[62] Gensch DH, Soofi ES. Information-theoretic estimation of individual consideration set. Int J Res Marketing 1995;12:25–38.
[63] Huber O. The influence of some task variables on cognitive operations in an information-processing decision model. Acta Psychol 1980;45:187–96.
[64] Tversky A. Elimination by aspects: a theory of choice. Psychol Rev 1972;79:281–99.
[65] Fujita Y. Human reliability analysis: a human point of view. Reliab Engng Syst Safety 1992;38:71–9.
[66] Kontogiannis T, Kossiavelou Z. Stress and team performance: principles and challenges for intelligence decision aids. Safety Sci 1999;33:103–28.
[67] Grosdeva T, de Montmollin M. Reasoning and knowledge of nuclear power plant operators in case of accidents. Appl Ergon 1994;25(5):305–9.
[68] Lindgaard G. Human performance in fault diagnosis: can expert systems help? Interact Comput 1995;7(3):254–72.
[69] Kahneman D, Slovic P, Tversky A, editors. Judgement under uncertainty: heuristics and biases. Cambridge: Cambridge University Press; 1982.
[70] Reason J. Human error. Cambridge: Cambridge University Press; 1990.
[71] Zuzek A, Biasizzo A, Novak F. Sequential diagnosis tool. Microprocessors Microsystems 2000;24:191–7.
[72] Pattipati KR, Alexandridis MG. Application of heuristic search and information theory to sequential fault diagnosis. IEEE Trans Syst, Man Cybern 1990;20(4):872–87.
[73] Yeung RW. On noiseless diagnosis. IEEE Trans Syst, Man Cybern 1994;24(7):1074–82.
[74] Zhou H, Qu L, Li A. Test sequencing and diagnosis in electronic systems with decision table. Microelectron Reliab 1996;36(9):1167–75.
[75] Moret BME. Decision trees and diagrams. Comput Surv 1982;14(4):593–623.
[76] Korea Atomic Energy Research Institute, Final level 1 probabilistic risk assessment update for Yonggwang nuclear unit 3 and 4; 1993.