Annals of Nuclear Energy 57 (2013) 318–326
Contents lists available at SciVerse ScienceDirect
Annals of Nuclear Energy journal homepage: www.elsevier.com/locate/anucene
Quantitative estimation of the human error probability during soft control operations

Seung Jun Lee*, Jaewhan Kim, Wondea Jung
Korea Atomic Energy Research Institute, 1405 Daedeok-daero, Yuseong-gu, Daejeon 305-353, Republic of Korea
Article info
Article history: Received 16 October 2012; Received in revised form 29 January 2013; Accepted 14 February 2013; Available online 21 March 2013
Keywords: Advanced control room; Soft control; Human reliability analysis

Abstract
In this work, a method was proposed for quantifying human errors that can occur during operation executions using soft controls. Soft controls of advanced main control rooms have totally different features from conventional controls, and thus they may have different human error modes and occurrence probabilities. It is important to identify the human error modes and quantify the error probability for evaluating the reliability of the system and preventing errors. This work suggests an evaluation framework for quantifying the execution error probability using soft controls. In the application result, it was observed that the human error probabilities of soft controls showed both positive and negative results compared to the conventional controls according to the design quality of advanced main control rooms. © 2013 Elsevier Ltd. All rights reserved.
* Corresponding author. Tel.: +82 42 868 2766; fax: +82 42 868 8256. E-mail address: [email protected] (S.J. Lee).
0306-4549/$ - see front matter © 2013 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.anucene.2013.02.018

1. Introduction

A nuclear power plant (NPP) is operated and maintained by operators in a main control room (MCR), whose errors can cause serious consequences. The identification and quantification of operator errors are very important for preventing undesired situations and enhancing the reliability of NPPs. Human errors can be predicted by human error evaluation methods, and appropriate interface designs and training/education programs can be made based on the evaluation results. The accident sequence evaluation program (ASEP) (Swain, 1987) and the technique for human error rate prediction (THERP) (Swain and Guttman, 1983) methods have been mainly used for human reliability analysis (HRA) in the probabilistic safety assessment (PSA) of Korean NPPs (Kang et al., 2005). However, the previously performed PSA results for Korean NPPs show that the human error probabilities (HEPs) are estimated differently even though the HRA analysts use the same HRA procedure and method. Thus, as a part of improving the PSA quality by minimizing the uncertainty caused by the subjective judgments of HRA analysts, KAERI (Korea Atomic Energy Research Institute) developed the K-HRA method, which is a standard HRA method for the PSA of conventional NPPs during full power and low power/shutdown operations. It is based on the ASEP and THERP methods (Jung and Kang, 2005; Kang et al., 2005).

MCRs in NPPs which have been recently constructed or developed have been designed using digital and computer technologies. The operational environments of these advanced MCRs (also called computerized or modernized MCRs) are totally different from those of conventional MCRs. The interfaces of advanced MCRs
are greatly simplified using computer displays and soft controls (SCs), and adopt computerized operator support systems such as a computerized procedure system (CPS). The different interfaces require operators to perform different tasks for operating and maintaining plants. This computerized operational environment may make operation tasks more convenient, but may raise new human error issues or cause new types of human errors. Also, while the workload mainly considered in conventional MCRs could decrease, a new kind of workload can be introduced in advanced MCRs. For the changed interfaces, different design-related influencing factors (DIFs) should be considered according to the design characteristics.

In this work, the HuRECA (Human Reliability Evaluator for Control Actions) method for advanced MCRs was proposed based on the basic framework of the K-HRA. Based on the characteristics and task analysis of soft controls, DIFs of soft controls are defined. The newly identified DIFs have been reflected in the conventional HRA framework as performance shaping factors (PSFs) (Kim et al., 2011b). While the total HEP is calculated as the sum of a diagnosis HEP and an execution HEP, this paper focuses on a method for estimating the execution HEP for advanced MCRs. The characteristics and process of SC operations are explained in Section 2, and the issues which should be considered in human error probability quantification are described in Section 3. The proposed method and its application result are described in Section 4.

2. Human errors of soft controls

2.1. Characteristics of soft controls

Advanced MCRs have a totally different operational environment from conventional MCRs. The actions for the plant operation are performed by SCs in advanced MCRs. SCs are control devices connected to control and display systems by software rather than by direct physical connections. Consequently, their functions may be variable and context dependent rather than statically defined. Also, devices may be located virtually rather than spatially dedicated. There are various kinds of input devices for SCs, such as touch screens, light pens, mice, trackballs and joysticks (Stubler and O'Hara, 2000). While only primary tasks are considered in conventional MCRs, secondary tasks such as interface management are one of the major concerns of advanced MCRs. Operators in advanced MCRs search for necessary information by navigating computerized displays and control devices using SCs at their positions. NUREG/CR-6635 (Stubler and O'Hara, 2000) explains the general characteristics of SCs such as multiple locations for access, serial access, present and available, physical decoupling of the input and display interfaces, interface management control, multiple modes, software-defined functions, and interface flexibility. These characteristics of SCs may be advantageous for reducing and preventing the human errors of conventional controls. They can provide good functions and convenience to the operators if they are well designed using the characteristics of SCs such as 'software-defined functions' and 'interface flexibility'. However, characteristics like 'interface management control' may produce new types of human errors: it changes the process for the control actions and could make them more complex (Lee et al., 2011).

2.2. Operation process of soft controls

Generally, sequential tasks are performed with SCs to carry out an operation. The plant information of advanced MCRs is provided to operators by computer screens in hierarchical forms due to spatial limits.
While device controllers are widely spread and located in fixed positions in conventional MCRs, operators in advanced MCRs need to navigate screens to monitor plant variables and select the target device. The operation actions of operators are divided into primary tasks (e.g., providing control inputs to plant systems) and secondary tasks (e.g., manipulating the user interface to access information or controls, or to change the control modes). Operators should perform secondary tasks, finding the appropriate screens or devices by screen navigation and screen selection, before they perform the primary task of controlling a device. While conventional MCRs do not have secondary tasks, the secondary tasks of SCs take a relatively large portion. Lee et al. (2011) analyzed the SC tasks using a systematic human error reduction and prediction approach (SHERPA) (Harris et al., 2005). The SC tasks consist of four sequential tasks as follows:

(1) Operation selection: according to the operating procedures, an operator selects an operation appropriate for the current situation.
(2) Screen selection: an operator navigates the screens to find the target control device. One navigation or two or more navigations may be required, or this step may not be necessary if the appropriate screen is already displayed.
(3) Control device selection: after selecting the appropriate screen including the target control device, an operator selects the device with a pointing input device.
(4) Operation execution: an operator performs the required operation on the device.

3. Issues of soft control error quantification

Different interfaces affect human performance. The effects should be analyzed carefully with consideration of the characteristics of the changed interface design, especially in safety critical systems such as NPPs. The following issues are considered for a human error analysis of computerized interfaces with SCs.

– The operation tasks in advanced MCRs consist of primary and secondary tasks. The primary tasks are related to the physical control of plant devices such as opening/closing valves, and the secondary tasks are about the interface management. If only primary tasks are considered for an SC task analysis, the analysis is not much different from that of conventional controls. However, secondary tasks such as navigating screens and handling different types of input devices should be considered in SCs. The secondary tasks are one of the general characteristics of all advanced MCRs, and also a major difference from conventional MCRs. As described in the previous section, the process for SCs consists of four steps. The second and third steps are related to the secondary tasks, which are not considered in conventional controls. Since the required efforts and workload for these secondary tasks affect the operator performance, the whole process including secondary tasks should be considered for an SC evaluation.
– The operator support systems involved in a target MCR should be considered for a human error evaluation. In advanced MCRs, various kinds of operator support systems using computer technology can be utilized to prevent human errors (Lee and Seong, 2007). The cognitive process of an operator is supported by a CPS, a fault diagnosis system, an alarm system, an operation validation system, and so on. The operators are supported by appropriate information for the current situation and feedback for operations. The kinds of provided support systems and their level of automation are determined by the design concept of each MCR. According to the automation level of the support system, the operator's tasks and possible human errors change.
Moreover, both positive and negative aspects of computerized support systems should be considered for human error analysis.
– If only SCs are considered without other computerized operator support functions, a better HEP (a lower HEP) is hard to expect because of the secondary tasks. The spatial limitation of advanced MCRs may cause additional tasks including interface management, and problems related to the keyhole effect during SC operations. However, advanced MCRs have advantages which are useful for preventing human errors, so a simple comparison between the operator performance in conventional and advanced MCRs may be inappropriate. Basically, the number of required actions for controls using SCs is greater than that of analog controls owing to the secondary tasks. As mentioned above, while only primary controls are necessary in conventional MCRs, secondary tasks are required in advanced MCRs. As common sense implies, more actions cause more frequent human errors. This means the HEP of SCs may be difficult to reduce below that of conventional controls. However, the operator performance and HEP of advanced and conventional MCRs cannot be compared using only the numbers of actions. The physical location movements of operators in a conventional MCR are substituted by interface management in an advanced MCR. Since the two types of MCRs have different ways of control, the performance should be compared carefully.
– The whole operation process should be considered for evaluating human errors in advanced MCRs. Human errors of an MCR operator are categorized into two types: diagnosis and control errors. If only control errors are considered, the effect of advanced MCRs on operator performance may not be positive. However, the operation of an operator is performed through four cognitive activities, and only one cognitive activity is related to the control actions. The other cognitive activities are supported by other characteristics of advanced MCRs, such as advanced alarm systems, CPS, and so on. Especially in emergency situations with limited time, operators are under high workload and decision burden, and the support functions for diagnosis could have relatively large positive effects on operator performance (Choi, 2012; Jung and Park, 2012). Therefore, not only control errors but also diagnosis errors should be considered to evaluate all human errors in advanced MCRs.
– Different interfaces have different basic HEPs. In several HRA methods, HEPs are calculated from a basic HEP and PSFs. Different PSFs and different weighting factors for each PSF should be considered for advanced MCRs. Moreover, different basic HEPs should be considered for a more accurate evaluation. Even though the same control is performed, the HEP varies according to the control methods used. Different tasks are required of operators according to the interfaces and input devices, and a different basic error probability should be considered to estimate human errors precisely. Also, the HEP may differ between primary and secondary tasks because they have a different workload and burden.

4. Quantification of human error probabilities in soft controls

4.1. K-HRA method

In the K-HRA method, the human tasks of NPPs are classified into pre-initiating and post-initiating human failure events (HFEs). Post-initiating HFEs can be further subdivided into diagnosis errors and execution errors. Fig. 1 shows the framework of the HRA method for a detailed quantification (Jung and Kang, 2005; Kang et al., 2005). Detailed quantifications of pre-initiating HFEs are performed using the unavailability equation of THERP (Swain and Guttman, 1983). Detailed quantifications of the diagnosis and the execution errors for post-initiating HFEs are performed using the following equations:
$$\mathrm{HEP}_{\mathrm{diag}} = \mathrm{Basic\_HEP}_{\mathrm{diag}} \times \prod_{i} w_i(\mathrm{PSF}_i) \qquad (1)$$

$$\mathrm{HEP}_{\mathrm{exec}} = \sum_{i} \left[ \mathrm{Basic\_HEP}_{\mathrm{exec}}(i) \times \mathrm{HEP}_{\mathrm{rec}}(i) \right] \qquad (2)$$

where Basic_HEP_diag = f(available time for diagnosis), Basic_HEP_exec(i) = f(task type(i), stress level(i)) and HEP_rec(i) = f(available time(i), MMI(i), supervisor recovery(i)). The basic HEP of a diagnosis error (Basic_HEP_diag) is quantified according to the available time. w_i is the weighting factor for PSF i, estimated using the decision tree. The basic HEP of an execution error (Basic_HEP_exec) is determined by the subtask type and stress level. The recovery HEP of an execution error (HEP_rec) is estimated using the decision tree. The total HEP is the sum of the diagnosis HEP (HEP_diag) and the execution HEP (HEP_exec).

4.2. Evaluation method for execution HEPs in advanced MCRs

In this work, the evaluation method for an execution HEP considering SCs, which is called HuRECA, is proposed based on the K-HRA method. As mentioned in the previous section, the secondary tasks, operator support systems, and different basic HEPs should be considered in the HRA for advanced MCRs. In the HuRECA method, the secondary tasks and operator support functions are reflected in the assessment of the HEP and the error recovery probability. However, the same basic HEPs as those of the K-HRA are used because it is difficult to estimate specific basic HEPs for advanced MCRs, and the basic HEPs of the K-HRA are conservative. It is expected that the difference between the basic HEPs of advanced and conventional MCRs is not significant. Since advanced MCRs have their own features, PSFs and weighting factors should be determined according to the target MCR features. In this work, the MCR of the APR1400 (Lee et al., 2009) was used. From the observations of human factors engineering verification and validation experiments of the APR1400, we have drawn some important characteristics of operator behaviors and DIFs from the perspective of human reliability (Kim et al., 2009, 2010). First, there are new DIFs that should be considered in developing an HRA method for advanced MCRs including SCs.
DIFs refer to the specific design features or design elements that affect the occurrence of human errors. The DIFs for advanced MCRs have been identified through the following steps: (1) a literature review including NUREG/CR-6634 (O'Hara et al., 2000), NUREG-0700 (O'Hara et al., 2002), and NUREG/CR-6635 (Stubler and O'Hara, 2000); (2) the identification of important influencing factors through the observation of operator behaviors in advanced control rooms; (3) a human error analysis based on the task analysis of the required operator actions (Lee et al., 2011); and (4) an organization of the identified DIFs according to the task types. The DIFs reflect the specific characteristics of each MCR design, and the APR1400 MCR design was used in this work. The major DIFs for SCs are identified as follows (Kim et al., 2011b):
– The number of unit actions using SCs.
– Level of composite use between the safety-grade and non-safety-grade SCs (SCs using different types of input devices).
– The number of controlling mimic screen pages required for completing the task.

Most of the identified DIFs for SCs are associated with the secondary tasks, which are required for manipulating the user interface to access information or controls. In addition to these DIFs associated with SCs, there are DIFs that help the error recovery. The major error recovery features for advanced MCRs include the automatic logic checking function of the CPS and the information sharing feature of general computer-based designs. The error recovery DIFs are identified for execution errors as follows:
– Error detection through the feedback information of the SCs and the mimic information on the system/component status.
– Error detection by the shift supervisor through the feedback information on the system/component status provided on the computer-based procedure.

With the DIFs for SCs, the HRA framework for conventional MCRs is modified as shown in Fig. 2. Basically, the two frameworks have almost the same structure and factors. However, some factors (e.g., interface management complexity) were added, and different factors or decision trees were considered for some factors.

Fig. 1. The framework of the HRA method for conventional MCRs. [Figure: post-initiating HFEs are split into a diagnosis HEP and an execution HEP. Diagnosis HEP = basic diagnosis HEP (from the diagnosis available time: allowed time, perceived time, execution time, where the execution time is the sum of the execution times of each subtask) × weighting factor (primary task, MMI (alarm), decision burden, procedure, education/training). Execution HEP, per subtask i: basic execution HEP from the task type of subtask i (subtask complexity, procedure, task familiarity) and the stress level of subtask i (time after IE, scenario severity, MCR/local, education/training), combined with the recovery failure HEP (available time, supervisor, MMI (feedback)).]
A detailed quantification of the execution errors for advanced MCRs is performed using the following equation:

$$\mathrm{HEP}_{\mathrm{exec}} = \sum_{i} \left[ \mathrm{Basic\_HEP}_{\mathrm{exec}}(i) \times \mathrm{HEP}_{\mathrm{rec}}(i) \times \mathrm{IM\_C} \right] \qquad (3)$$

where Basic_HEP_exec(i) = f(task type(i), stress level(i)), HEP_rec(i) = f(available time(i), supervision at time(i), supervision at subsequent step(i)) and IM_C = f(# of unit actions, input device types, # of controlling mimic screens). The execution HEP of the K-HRA is calculated by multiplying the basic execution HEP by the recovery failure probability of an error. The basic HEP of a task is determined by the stress level of an operator and the type of the task. Some factors of SCs are the same as or very close to those of conventional controls (e.g., stress level of an operator) because those factors are not much affected by different interface designs. However, some factors (e.g., recovery failure probability) should have specific values for SCs. The control processes of SCs and conventional controls have different sub-tasks because secondary tasks are not considered in conventional controls (e.g., screen navigation is not necessary in conventional controls). Moreover, all operators in control rooms can share operational information through computerized displays, and useful functions using computerized interfaces can be provided for preventing human errors. This environment can increase the recovery probability or require more workload of the operators. As shown in Eq. (3), the interface management complexity (IM_C) factor was newly introduced to reflect the effect of the workload associated with the task of managing the user interface on the execution error probability. Additionally, the error recovery factor was modified by considering the error recovery capability of the CPS. Based on the basic HEPs, the final HEPs are calculated with consideration of the 'recovery failure' and 'interface management complexity'. For the quantification of the human errors of SCs, the effect of each factor of SCs was determined by experts. They were required to determine the values of the factors relative to those of conventional controls.
Fig. 2. The modified framework for advanced MCRs. [Figure: the same structure as Fig. 1 with the following changes. The diagnosis weighting factor covers primary task, MMI (alarm), decision burden, computerized procedure system and education/training. The recovery failure HEP depends on available time, level of HMI, supervision at time and supervision at subsequent step. A new interface management complexity factor (unit actions, input device types, controlling mimic screens) multiplies the execution HEP of each subtask.]
4.2.1. Error of a unitary action

The HuRECA method adopts the decomposition method for estimating execution HEPs. The level of decomposition of required actions sometimes makes a significant difference in the results of the execution HEP. In conventional HRAs, however, the level of decomposition has been treated differently between analysts, resulting in different HEP results for the same HFE. The HuRECA adopts the same principles of decomposition as in the K-HRA, except that the work activity on an open control room panel is changed into one on computer-based workstation displays. A unitary action is defined as an active action that is performed by the same single operator on a single specific system page of a single plant system within a finite time to achieve a single specific goal. For instance, in the case that two or more valves need to be operated to line up a valve configuration, if this activity is described within the same single step of an operating procedure, is performed on the same system and computer screen, and the time interval between valve operations is within a specific duration (e.g., 5 min), then this activity can be defined as one unitary action. But the execution HEP for this unitary action is adjusted by the number of operated valves as described below. In summary, when any of the following conditions applies, a separate unitary action is classified:
– When the acting operator is different.
– When the system or the type of components (e.g., pump, valve, chiller, etc.) to be operated is changed.
– When the goal of the task or the relevant safety function is different.
– When the computer screen to be operated is different.
– When the time interval between operations is more than 5 min.
In the case that a unitary action includes two or more components of the same kind, such as pumps or valves, the execution HEP for this unitary action is adjusted by the number of operated components (e.g., valves) as follows:
– 1–2 components (e.g., valves): the same as the basic execution HEP;
– 3–5 components (e.g., valves): 1.5 × the basic execution HEP;
– 6 and more components (e.g., valves): 2 × the basic execution HEP.

The type of a unitary action can basically be determined by 'complexity of a unitary action', but it can also be changed by the 'quality of procedure' and 'time availability and action familiarity'. Brief definitions of those factors are as follows.

Complexity of a unitary action: The complexity of a unitary action itself is classified as 'simple', 'if-then', or 'complex'. Most proceduralized tasks in emergency situations can usually be classified as an 'if-then' type or a 'complex' type. The 'complex' type includes continuous control tasks or tasks requiring comparison/integration of several sources of information. However, there are some unitary actions that are simpler and more straightforward than the 'if-then' type. To deal with these actions separately, another task type, the 'simple response' type, is introduced. The 'simple response' type is applied only if a prompt response is possible with a simple and straightforward action and the level of HMI is 'medium/high'.

Quality of procedure (in view of execution): The level of the procedural description of the physical or executional implementation of a unitary action is evaluated.

Time availability and action familiarity: This factor expresses how much time is available for an operator to complete the required actions and how familiar the operator is with the actions.

Even if 'complexity of a unitary action' is classified as 'complex', the task type of the unitary action can be considered a 'step-by-step' action only if 'quality of procedure' is classified as medium/high and 'time availability and action familiarity' is satisfied. Consequently, the task type of a unitary action is represented as one of three types, Simple-Response, Step-by-Step, and Dynamic, as shown in Fig. 3. Each type is explained by the following definition.

Simple response: The 'Simple-Response' type is only applicable for straightforward actions that are simple and immediate responses on an HMI of a higher level, without collecting any more information.
Step-by-step: This type is applicable for well-established proceduralized 'if-then' actions.
Dynamic: Tasks requiring continuous monitoring and control, or requiring checking and integration of several sources of information for implementing actions.

Fig. 3. The decision tree for task type. [Figure: complexity of a unitary action → quality of procedure (in view of execution) → time availability and action familiarity? → task type. Simple (simple and straightforward actions with a level of HMI being medium/high) → Simple Response. If-then (proceduralized actions with if-then rule): quality of procedure High/Medium → Step-by-Step; Low → Dynamic. Complex (continuous control tasks OR tasks requiring comparison/integration of several sources of information): quality of procedure High/Medium and time availability Yes → Step-by-Step; High/Medium and No → Dynamic; Low → Dynamic.]

The stress level of a unitary action is determined by 'time urgency', 'scenario severity', 'environmental hazard', and 'training and education', as shown in Fig. 4. The definitions for the stress level are the same as in the K-HRA (Jung and Kang, 2005). The stress level is classified into five levels ('Extremely High', 'Very High', 'Moderately High', 'Optimum', and 'Low'), while in emergency situations only the four stress levels excluding 'Low' are used. The factors that influence the stress level are explained briefly below.

Time urgency: It is represented as the time duration from the time of the cue to the time by which the required task should be completed.
Scenario severity: It applies to the cases where a given task is the last resort or a given scenario situation is very severe; for example, LOCA scenarios, scenarios involving failure of a safety system or failure of an automatic actuation, etc.
Environmental hazard: It includes cases such as a hazard from the work environment, a problem in equipment accessibility, the necessity of special equipment/clothing, etc.
Training and education (in view of execution): It represents the frequency of training and education for a given task, or the level of familiarity in view of normal experience.

Fig. 4. The decision tree for stress level. [Figure: branches on time urgency (T < 30 min; 30 ≤ T < 60 min; T ≥ 60 min), scenario severity (the task is the last resort, within 2 h or more than 2 h; Yes: LOCA, failure of the safety system, failure of an auto actuation; No), environmental hazard (dangerous environment / necessity of special clothing; MCR; Local) and training/education (High/Medium; Low). The leaves are the stress levels Extremely High, Very High, Moderately High and Optimum.]

Table 1 shows the basic execution HEPs according to the 'task type' and 'stress level'. The HEP values are the same as the values of the K-HRA because the same 'task type' and 'stress level' are used. Although the operator actions in computer-based interfaces of a control room require secondary tasks such as interface management tasks, the basic execution HEP at the unitary action level is not expected to be much different from the execution HEP of a conventional control room action because the operator's actions are basically goal-oriented.

Table 1. Basic execution HEP (mean) and error factor (EF) by task type and stress level.

Task type         Stress level              Basic HEP (mean)   EF
Simple response   Low                       0.002              3
                  Optimum/moderately high   0.003              3
Step-by-step      Low                       0.01               3
                  Optimum                   0.005              3
                  Moderately high           0.01               3
                  Very high                 0.02               3
                  Extremely high            0.05               5
Dynamic           Low                       –                  5
                  Optimum                   0.01               5
                  Moderately high           0.03               5
                  Very high                 0.08               5
                  Extremely high            0.25               3

4.2.2. Recovery failure

'Recovery failure' is the probability that an error in a unitary action is not recovered. Four factors are considered to determine the value of the recovery failure probability: time urgency, level of HMI, supervision at the time of the operator's execution, and supervision at a subsequent step after the operator's execution, as shown in Fig. 5.

'Time urgency': The time available to the operator for error detection and recovery after the action implementation should be considered to accurately assess the factor 'time urgency'. But in situations where it requires a great deal of analytical resources to obtain accurate information on the time available for error detection, the total allowed time can be used to assess the 'time urgency'. In case the estimated time available for error detection and recovery is less than the time required to recover committed or omitted erroneous events, the recovery failure probability is assigned 1.0.

'Level of HMI': Due to the flexible design of advanced MCR interfaces, indicators for feedback can be located in unfixed locations. For the quality of the feedback, two aspects are considered: (1) the existence of a direct feedback indicator and (2) the location of the feedback indicators. The level of adequacy of the feedback instrumentation is classified as follows.
High: There is directly verifiable feedback information on the same computer display as the one the action was implemented on, so that the effectiveness of the implemented actions can be verified with ease.
Medium: An integration of two sources of information displayed on the same computer display as the one the action was implemented on is required to get feedback on the implemented actions.
Low: There is no directly verifiable feedback information on the effectiveness of the implemented actions, or reasoning from an integration of a variety of information sources is required.

'Supervision at the time of an operator's execution': If the CPS provides directly available information for verifying the actions implemented by an operator and the practice of supervision is well established for verifying the actions, then the possibility of error recovery at the time of the operator's execution by the shift supervisor via the CPS is considered.

'Supervision at a subsequent step after an operator's execution': When there are clear procedural instructions at a later step that provide verification of the actions implemented in the previous step, then the possibility of error recovery by the shift supervisor through the procedural step of the CPS is also considered.

There are some exceptional rules for the estimation of the recovery failure probability. In case a roughly estimated available time for error recovery is less than the time actually required for the operators to recover from the committed or omitted errors, the recovery failure probability should be assigned 1.0. For the 'Simple-Response' task type, even in the case that the time available or the time allowed is estimated to be less than 30 min, the recovery failure probability can be assigned 0.5 if the level of HMI from the error recovery viewpoint is evaluated as 'High or Medium'. If the task is not a 'primary task', the recovery failure probability should be assigned 1.0.

The decision tree for 'recovery failure' was developed as shown in Fig. 5 based on the K-HRA method. While two supervision factors are considered in the HuRECA, there was only one factor for supervision in the K-HRA method:
'Level of supervision': When there are clear procedural instructions at a later step that provide verification of the actions implemented in the previous step, then the possibility of error recovery by the shift supervisor through the procedural step is considered.

Fig. 5. The decision tree for recovery failure probability. [Figure: inputs are time urgency, level of HMI, supervision at the time of the operator's execution and supervision at a subsequent step; the branch values are not reproduced in this excerpt.]
Table 2. Interface management complexity.

| IM complexity | Description | Weighting factor |
|---|---|---|
| High | A task includes: 4 or more actions which consist of only SCP(a) or SCP + NCP(b); OR 7 or more actions which consist of only NCP; OR actions which are controlled in 3 or more different system screens | 1.5 |
| Mid | A task includes: actions which consist of only 4–6 NCP or of 2–3 SCP or SCP + NCP; AND actions which are controlled in 2 or fewer system screens | 1.2 |
| Low | A task includes: actions which consist of 3 or fewer NCP or of 2 or fewer SCP; AND actions which are controlled in the same system screen | 1 |

(a) SCP: A control panel for a safety component which is located on an independent screen. (b) NCP: A pop-up control panel for a non-safety component.
The recovery failure probabilities of the HuRECA were adjusted by the K-HRA and experts. If both supervision factors are ‘No’ in the HuRECA, the recovery failure probability was assumed to be the value of the ‘Level of supervision is No’ condition in the K-HRA. If one of the two supervision factors is ‘No’, the recovery failure probability was assumed to be the value of ‘Level of supervision is Yes’ in the K-HRA. In case both supervisions are ‘Yes’, the weightings were adjusted by experts. When operators are fully supported by well-established interfaces and both supervision factors are ‘Yes’, the experts expected that the recovery failure probabilities would be reduced by 60–80%.

4.2.3. Interface management complexity

The factor ‘the complexity of interface management (IM) tasks’ is newly introduced to reflect the influence of workload due to interface management tasks (or secondary tasks) during computer-based operations using SCs. The IM complexity reflects the overall manipulative complexity arising from managing the computer-based interfaces that are necessary to perform a series of required primary actions. The final execution HEP is obtained by multiplying the summated recovery-considered execution HEP by an appropriate adjusting value (IM_C) representing the influence of the overall IM complexity on the execution HEP. In the HuRECA method, the level of IM complexity and the consequent adjusting value (IM_C) are determined by the number of operations using soft controls, the number of mixed uses of different kinds of soft controls, and the number of computer screen changes for operations using soft controls. The adjusting factors for IM complexity should be varied according to the soft control design of each MCR. Based on the analysis of the interface design and the task analysis of each MCR, the adjusting value of each level is defined based on simulation analysis results or expert judgment.

This paper shows an example of defining adjusting factors for an advanced MCR, the APR1400 MCR. In the APR1400 MCR, two different input devices are used according to the safety level of each control. The controls for non-safety components are available as pop-up control panels in the same screens used for monitoring. The controls for the safety components are located in independent screens. Table 2 shows the definition of the IM complexity of the APR1400 MCR design and the weighting factors determined by experts and by observation from simulations. It was observed in the simulations that the number of secondary tasks occupied quite a large portion compared to that of primary tasks. The experts expected that secondary tasks would affect operator performance and, in particular, that screen navigation and screen changes to independent displays during the execution of a task would have large effects. As shown in Table 2, the weighting of IM complexity was determined as 1.0–1.5. That means the IM complexity does not reduce the execution HEP in any case, and high IM complexity can increase the execution HEP by 50%.
4.3. Application

An application was performed to verify the proposed method. The tasks for six accidents were analyzed based on the given situation, operating procedures, and the interface of the APR1400. The following assumptions were made for the application:
– The levels of factors which should be determined by considering the characteristics of an operator crew (e.g., task familiarity and education/training) were assumed.
– Two levels of the ‘level of HMI’ were considered to observe the effect of interface design quality.
The application was performed in the following process:
– For each task, the unitary action lists are generated based on the operating procedures.
– Based on the APR1400 interface design, the required primary tasks and secondary tasks were determined for each unitary action.
– The task type and stress level of each unitary action are defined using the decision trees shown in Figs. 3 and 4.
– The basic execution HEPs of unitary actions are defined according to Table 1.
– The recovery failure probability of each unitary action is determined from the decision tree shown in Fig. 5.
– The total execution HEP is calculated with the basic HEP and recovery failure probability of each unitary action.
– The IM complexity of a task is determined by analysis of the necessary secondary tasks (the number of actions, the number of mixed uses of different input devices, and the number of controlling mimic screens).
– Finally, the execution HEP of a task is calculated with the summation of unitary action HEPs and the IM complexity.
Table 3 shows the application results for six accidents. ‘K-HRA’ means the control error probabilities using conventional controls. ‘HuRECA’ indicates the control error probabilities using SCs according to the ‘level of HMI’ and the interface management complexity level. The results showed that SCs can have both positive and negative effects on human errors according to the tasks, situations, and quality of the system.
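The quantification steps above, as an added example in Python that is not part of the paper: it encodes the Table 2 IM-complexity rules (my reading of their OR/AND conditions, with cases Table 2 does not state assumed to be ‘Mid’), the exceptional rules for the recovery failure probability from Section 4.2.2, and the final multiplication by IM_C. The Table 1 basic HEP and the Fig. 5 tree value are taken as inputs, and any unitary-action values used with it are constructed, not Table 3 data.

```python
"""Added example (not the paper's code): HuRECA execution-HEP aggregation with
the Table 2 IM-complexity rules and the recovery-failure exceptions of 4.2.2.
Unitary-action values supplied by callers are constructed, not Table 3 data."""
from dataclasses import dataclass

# Weighting factors IM_C from Table 2 (APR1400 MCR design).
IM_WEIGHT = {"High": 1.5, "Mid": 1.2, "Low": 1.0}


@dataclass
class UnitaryAction:
    basic_hep: float               # from Table 1 (task type x stress level)
    tree_recovery: float           # value read from the Fig. 5 decision tree
    primary: bool = True           # recovery is credited only for primary tasks
    task_type: str = "Step-by-Step"
    hmi_level: str = "High"        # 'High', 'Medium' or 'Low'
    time_available: float = 60.0   # min available for error detection/recovery
    time_required: float = 10.0    # min actually needed to recover the error


def recovery_failure(a: UnitaryAction) -> float:
    """Apply the exceptional rules before using the decision-tree value."""
    if not a.primary:                        # not a primary task -> 1.0
        return 1.0
    if a.time_available < a.time_required:   # no time to recover -> 1.0
        return 1.0
    if (a.task_type == "Simple-Response" and a.time_available < 30
            and a.hmi_level in ("High", "Medium")):
        return 0.5                           # Simple-Response exception
    return a.tree_recovery


def im_complexity(n_scp: int, n_ncp: int, n_screens: int) -> str:
    """Classify IM complexity per Table 2 (my reading of its OR/AND rules;
    cases Table 2 does not state explicitly are assumed to be 'Mid')."""
    mixed = n_scp > 0            # 'only SCP or SCP + NCP' vs. 'only NCP'
    total = n_scp + n_ncp
    if (mixed and total >= 4) or (not mixed and n_ncp >= 7) or n_screens >= 3:
        return "High"
    if n_screens <= 1 and ((mixed and total <= 2) or (not mixed and n_ncp <= 3)):
        return "Low"
    return "Mid"


def task_execution_hep(actions, n_scp, n_ncp, n_screens):
    """Sum basic HEP x recovery failure over unitary actions, then scale by IM_C."""
    summed = sum(a.basic_hep * recovery_failure(a) for a in actions)
    level = im_complexity(n_scp, n_ncp, n_screens)
    return summed * IM_WEIGHT[level], level
```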
Table 3. An application result.

| Accident | K-HRA | HuRECA, level of HMI: High (change vs. K-HRA) | HuRECA, level of HMI: Mid (change vs. K-HRA) | IM_C |
|---|---|---|---|---|
| Operator fails to perform F&B operation (Early-in LOFW) | 1.0E-1 | 1.2E-1 (+20%) | 1.2E-1 (+20%) | Mid |
| Operator fails to initiate hot and cold leg recirculation | 7.5E-4 | 1.8E-4 (−76%) | 9.0E-4 (+20%) | Mid |
| Operator fails to lineup MF S/U FWP 07P | 2.5E-3 | 9.0E-4 (−64%) | 3.0E-3 (+20%) | Mid |
| Operator fails to perform RCS cooldown and depressurization | 1.0E-3 | 3.0E-4 (−70%) | 1.0E-3 (0%) | Low |
| Operator fails to initiate shutdown cooling | 1.1E-3 | 3.4E-4 (−69%) | 1.7E-3 (+55%) | High |
| Operator fails to initiate emergency boration | 5.0E-3 | 1.8E-3 (−64%) | 6.0E-3 (+20%) | Mid |

In the first case, the allowed time for the operation is very short (less than 29 min), so that there is no effect of the feedback quality on the HEP. It is not easy for operators to use the feedback, and the effects of the feedback are not significant in very urgent situations. For the worst case (level of HMI is mid and IM_C is high), the HEP increases by 55% compared to the K-HRA. From this result, it can be said that complex interface management tasks and inappropriate feedback, which is not very helpful for recovery, create a greater burden for operators and cause more frequent errors. However, if the design quality is high and appropriate feedback is provided to an operator, relatively low HEPs are obtained in almost all cases.

5. Conclusions

The SC is one of the particular features of advanced MCRs, and its effect on human errors is an important issue. This work described the issues that should be considered for quantifying the HEP induced by SCs, and proposed an evaluation framework for the quantification of human errors that can occur during operation executions using SCs. The proposed method was developed based on the features of the APR1400 MCR, and the method might be modified according to the features of each advanced MCR. An application of the quantification method was performed, and the results showed that SCs can have both positive and negative effects on human errors according to the tasks, situations, and quality of the system. In this work, all the decision trees, parameters, and values of the quantification method were determined by experts because of a lack of data. However, for more reliable and accurate evaluations, a refinement of the proposed method based on practical data is necessary. When a sufficient amount of operational data of advanced MCRs is accumulated, the method can be adjusted with more reliable and practical values.

Acknowledgments

This research was supported by a Nuclear Research and Development Program of the National Research Foundation (NRF) grant funded by the Korean government (Grant Code: 2012-011506).