An analytic model for situation assessment of nuclear power plant operators based on Bayesian inference

Simulation-based human reliability analysis (HRA) methods such as IDAC seem to provide a new direction for the development of advanced HRA methods. In such simulation-based HRA methods, the simulation model for the situation assessment of nuclear power plant (NPP) operators is essential, especially for addressing the issue of errors-of-commission (EOCs). Therefore, we propose an analytic model for the situation assessment of NPP operators based on Bayesian inference. The proposed model is found to be able to address several important features of the situation assessment of NPP operators, and is expected to provide good approximations to some parts of the situation assessment. A comparison with an existing model and identification of several other features of the situation assessment of NPP operators that should be further addressed are also provided.     

Diversity in computerized reactor protection systems

Based on engineering judgement, the most important measures to increase the independency of redundant trains of a computerized safety instrumentation and control system (I&C) in a nuclear power plant are evaluated with respect to practical applications. This paper will contribute to an objective discussion on the necessary and justifiable arrangement of diversity in a computerized safety I&C system. Important conclusions are:

(i) diverse equipment may be used to control dependent failures only if measures necessary for designing, licensing, and operating a computerized safety I&C system homogeneous in equipment are neither technically nor economically feasible;

(ii) the considerable large operating experience in France with a non-diverse equipment digital reactor protection system does not call for equipment diversity. Although there are no generally accepted methods, the licensing authority is still required to take into account dependent failures in a probabilistic safety analysis;

(ii) the frequency of postulated initiating events implies which I&C functionality should be implemented on diverse equipment. Using non-safety I&C equipment in addition to safety I&C equipment is attractive because its necessary unavailability to control an initiating event in teamwork with the safety I&C equipment is estimated to range from 0.01 to 0.1. This can be achieved by operational experience.

Automated hazard analysis of digital control systems

Digital instrumentation and control (I&C) systems can provide important benefits in many safety-critical applications, but they can also introduce potential new failure modes that can affect safety. Unlike electro-mechanical systems, whose failure modes are fairly well understood and which can often be built to fail in a particular way, software errors are very unpredictable. There is virtually no nontrivial software that will function as expected under all conditions. Consequently, there is a great deal of concern about whether there is a sufficient basis on which to resolve questions about safety. In this paper, an approach for validating the safety requirements of digital I&C systems is developed which uses the Dynamic Flowgraph Methodology to conduct automated hazard analyses. The prime implicants of these analyses can be used to identify unknown system hazards, prioritize the disposition of known system hazards, and guide lower-level design decisions to either eliminate or mitigate known hazards. In a case study involving a space-based reactor control system, the method succeeded in identifying an unknown failure mechanism.     

Assessment of human reliability based on evaluation of plant experience: requirements and implementation

A major problem in assessment of human failures in probabilistic safety assessment is the lack of empirical data needed for human reliability analysis (HRA). This problem is aggravated by the fact that different HRA methods use different parameters for the assessment and that HRA is currently enforced to provide data and methods for assessment of human reliability in new technical environments such as computerized control rooms, in accident management situations, or in low-power and shut down situations. Plant experience is one source to deal with this problem. In this paper, a method is presented that describes how plant experience about human failures and human performance may be used to support the process of analyzing and assessing human reliability. Based on considerations of requirements of HRA, a method is presented first which is able to describe and analyze human interactions that were observed within events. Implementation of the approach as a database application is outlined. Second, the main results of the application of the method to 165 boiling water reactor events are presented. Observed influencing factors on human performance are discussed; estimates for probabilities are calculated and compared with the data tables of the THERP handbook. An outline is given for using the presented method for the analysis of cognitive errors or organizational aspects.     

Human reliability and human factors in complex organizations: epistemological and critical analysis—Practical avenues to action

This paper starts from the realization that persistent problems remain in probabilistic safety assessments due to the difficulty to take into account collective and socal behavior in complex sociotechnical systems. An epistemological analysis of the foundations of human reliability analysis (HRA) leads to possible improvement issues of HRA, particularly to allow for the psychological aspects of human factors. Three sources of progress are briefly analyzed: quantitative assessment of the psychological climate inside a company; non-linear predictive model of the accident rate; analysis of the personnel's stress on off-shore platforms, using clinical inquiries, then an epidemiologic-type study.The paper concludes about the need for analysis of ‘positive’ human factors, not only focussed on human errors.     

A probabilistic cognitive simulator for HRA studies (PROCOS)

The paper deals with the development of a simulator for approaching human errors in complex operational frameworks (e.g., plant commissioning). The aim is to integrate the quantification capabilities of the so-called ‘first-generation’ human reliability assessment (HRA) methods with a cognitive evaluation of the operator. The simulator allows analysing both error prevention and error recovery. It integrates cognitive human error analysis with standard hazard analysis methods (Hazop and event tree) by means of a ‘semi static approach’. The comparison between the results obtained through the proposed approach and those of a traditional HRA method such as human error assessment and reduction technique, shows the capability of the simulator to provide coherent and accurate analysis.     

An analytical approach to quantitative effect estimation of operation advisory system based on human cognitive process using the Bayesian belief network

The design of instrumentation and control (I&C) systems for nuclear power plants (NPPs) is rapidly moving towards fully digital I&C systems and is trending towards the introduction of modern computer techniques into the design of advanced main control rooms (MCRs) of NPPs. In the design of advanced MCRs, human–machine interfaces have improved and various types of decision support systems have been developed. It is important to design highly reliable decision support systems in order to adapt them in actual NPPs. In addition, to evaluate decision support systems in order to validate their efficiency is as important as to design highly reliable decision support systems. In this paper, an operation advisory system based on the human cognitive process is evaluated in order to estimate its effect. The Bayesian belief network model is used in the evaluation of the target system, and a model is constructed based on human reliability analysis event trees. In the evaluation results, a target system based on the operator's cognitive process showed better performance compared to independent decision support systems.     

Human error data collection as a precursor to the development of a human reliability assessment capability in air traffic management

Quantified risk and safety assessments are now required for safety cases for European air traffic management (ATM) services. Since ATM is highly human-dependent for its safety, this suggests a need for formal human reliability assessment (HRA), as carried out in other industries such as nuclear power. Since the fundamental aspect of HRA is human error data, in the form of human error probabilities (HEPs), it was decided to take a first step towards development of an ATM HRA approach by deriving some HEPs in an ATM context.This paper reports a study, which collected HEPs via analysing the results of a real-time simulation involving air traffic controllers (ATCOs) and pilots, with a focus on communication errors. This study did indeed derive HEPs that were found to be concordant with other known communication human error data. This is a first step, and shows promise for HRA in ATM, since HEPs have been derived which could be used in safety assessments, although these HEPs are for only one (albeit critical) aspect of ATCOs’ tasks (communications). The paper discusses options and potential ways forward for the development of a full HRA capability in ATM.     

秦山核电厂操纵员可靠性模拟机实验研究

数据匮乏与可用性差是长期困扰人因可靠性分析（HRA）的一大难题。在秦山核电厂HRA过程中用秦山核电厂全尺寸模拟机实施了操纵员可靠性实验。该项实验选择包含技能型、规则型和知识型3种认知类型以及对电厂运行安全有重大影响的23个异常事件（55个HIs界面），对38名操纵员事件响应状况和时间进行录像和记录，取得764个数据点，经数据处理和分析后获得适合秦山核电厂系统与人员特性的HRA/HCR模型基本参数。介绍了该实验的背景、理论、方法、过程、结果及与国外数据的比较。     

A method for identifying instrument faults in nuclear power plants possibly leading to wrong situation assessment

In this paper, we propose a method for identifying instrument faults that could potentially affect an operators’ situation assessment capability in nuclear power plants (NPPs), an issue which has received a lot of attention recently. In the proposed method, patterns of selected plant parameter trends in selected plant states and NPP operators’ patterns of selected plant parameter trends in selected plant states are analyzed, and a comparison between the two kinds of patterns is performed to identify instrument faults which could potentially affect a NPP operators’ capability to correctly assess a plant's conditions. An example application is presented to demonstrate how the proposed method can be used to identify the possibilities of operators’ developing a wrong situation assessment because of instrument faults and to identify the corresponding safety concerns. We conclude that in order to get more accurate results, an analysis with a full-scope NPP simulator and interviews with NPP operators will be necessary.     

Advances in human reliability analysis methodology. Part II: PC-based HRA software

This paper, in two parts, summarizes some of the advancements made in the area of human reliability analysis (HRA) in the past decade. The paper focuses on the HRA program sponsored by the Electric Power Research Institute (EPRI) since 1982 as part of an effort to better understand the role of operators in safe operation of nuclear power plants (NPPs) and advance the state-of-the-art in HRA. Many technical reports have been published and numerous papers have been presented in national and international conferences on the various EPRI HRA projects. This paper is an attempt to summarize a decade of research in this area with an emphasis on recent advancements made towards development of a simulator-based HRA methodology using data from NPP simulators. HRA frameworks, models, data and computer codes are discussed, and areas for further research are pointed out. Part I herein covers the frameworks, models and data. Part II of the paper (see this issue, pp. 57–66) discusses the PC-based software developed to facilitate the process of simulator data collection and analysis as well as the assessment of human reliability.     

A computational model for evaluating the effects of attention, memory, and mental models on situation assessment of nuclear power plant operators

Operators in nuclear power plants have to acquire information from human system interfaces (HSIs) and the environment in order to create, update, and confirm their understanding of a plant state, as failures of situation assessment may cause wrong decisions for process control and finally errors of commission in nuclear power plants. A few computational models that can be used to predict and quantify the situation awareness of operators have been suggested. However, these models do not sufficiently consider human characteristics for nuclear power plant operators.In this paper, we propose a computational model for situation assessment of nuclear power plant operators using a Bayesian network. This model incorporates human factors significantly affecting operators’ situation assessment, such as attention, working memory decay, and mental model.As this proposed model provides quantitative results of situation assessment and diagnostic performance, we expect that this model can be used in the design and evaluation of human system interfaces as well as the prediction of situation awareness errors in the human reliability analysis.     

事故序列评估程序:核电厂事故后人的可靠性分析技术

核电厂事故后人的可靠性分析(HRA)是核电厂概率安全评价和核电厂安全运行的重要组成部分。人因可靠性分析事故序列评估程序技术(ASEP)是对于传统的人的失误率预测技术(THERP)方法的改进和规范。文章介绍了事故序列评估程序技术的应用程序和应用，并给出某核电厂的一个全厂断电(LOOP)应用实例。     

Representing cognitive activities and errors in HRA trees

A graphic representation method is presented herein for adapting an existing technology—human reliability analysis (HRA) event trees, used to support event sequence logic structures and calculations—to include a representation of the underlying cognitive activity and corresponding errors associated with human performance. The analyst is presented with three potential means of representing human activity: the NUREG/CR-1278 HRA event-tree approach; the skill-, rule- and knowledge-based paradigm; and the slips, lapses, and mistakes paradigm. The above approaches for representing human activity are integrated in order to produce an enriched HRA event tree—the cognitive event tree system (COGENT)—which, in turn, can be used to increase the analyst's understanding of the basic behavioral mechanisms underlying human error and the representation of that error in probabilistic risk assessment. Issues pertaining to the implementation of COGENT are also discussed.     

OPERA—a human performance database under simulated emergencies of nuclear power plants

In complex systems such as the nuclear and chemical industry, the importance of human performance related problems is well recognized. Thus a lot of effort has been spent on this area, and one of the main streams for unraveling human performance related problems is the execution of HRA. Unfortunately a lack of prerequisite information has been pointed out as the most critical problem in conducting HRA. From this necessity, OPERA database that can provide operators’ performance data obtained under simulated emergencies has been developed. In this study, typical operators’ performance data that are available from OPERA database are briefly explained. After that, in order to ensure the appropriateness of OPERA database, operators’ performance data from OPERA database are compared with those of other studies and real events. As a result, it is believed that operators’ performance data of OPERA database are fairly comparable to those of other studies and real events. Therefore it is meaningful to expect that OPERA database can be used as a serviceable data source for scrutinizing human performance related problems including HRA.     

Addressing dependability by applying an approach for model-based risk assessment

This paper describes how an approach for model-based risk assessment (MBRA) can be applied for addressing different dependability factors in a critical application. Dependability factors, such as availability, reliability, safety and security, are important when assessing the dependability degree of total systems involving digital instrumentation and control (I&C) sub-systems. In order to identify risk sources their roles with regard to intentional system aspects such as system functions, component behaviours and intercommunications must be clarified. Traditional risk assessment is based on fault or risk models of the system. In contrast to this, MBRA utilizes success-oriented models describing all intended system aspects, including functional, operational and organizational aspects of the target. The EU-funded CORAS project developed a tool-supported methodology for the application of MBRA in security-critical systems. The methodology has been tried out within the telemedicine and e-commerce areas, and provided through a series of seven trials a sound basis for risk assessments. In this paper the results from the CORAS project are presented, and it is discussed how the approach for applying MBRA meets the needs of a risk-informed Man–Technology–Organization (MTO) model, and how methodology can be applied as a part of a trust case development.     

Software reliability analysis for safety-critical and control systems

The transition from analog to digital safety-critical instrumentation and control (I&C) systems has introduced new challenges for software experts to deliver increased software reliability. Since the 1970s, researchers are continuing to propose software reliability models for reliability estimation of software. However, these approaches rely on the failure history for the assessment of reliability. Due to insufficient failure data, these models fail to predict the reliability of safety critical systems. This paper utilizes the Bayesian update methodology and proposes a framework for the reliability assessment of the safety-critical systems (SCSs). The proposed methodology is validated using experiments performed on real data of 12 safety-critical control systems of nuclear power plants.     

Review of advances in human reliability analysis of errors of commission, Part 1: EOC identification

In close connection with examples relevant to contemporary probabilistic safety assessment (PSA), a review of advances in human reliability analysis (HRA) of post-initiator errors of commission (EOCs), i.e. inappropriate actions under abnormal operating conditions, has been carried out. The review comprises both EOC identification (part 1) and quantification (part 2); part 1 is presented in this article. Emerging HRA methods addressing the problem of EOC identification are: A Technique for Human Event Analysis (ATHEANA), the EOC HRA method developed by Gesellschaft für Anlagen- und Reaktorsicherheit (GRS), the Misdiagnosis Tree Analysis (MDTA) method, and the Commission Errors Search and Assessment (CESA) method. Most of the EOCs referred to in predictive studies comprise the stop of running or the inhibition of anticipated functions; a few comprise the start of a function. The CESA search scheme—which proceeds from possible operator actions to the affected systems to scenarios and uses procedures and importance measures as key sources of input information—provides a formalized way for identifying relatively important scenarios with EOC opportunities. In the implementation however, attention should be paid regarding EOCs associated with familiar but non-procedural actions and EOCs leading to failures of manually initiated safety functions.     

Reliability analysis and operator modelling

The paper considers the state of operator modelling in reliability analysis. Operator models are needed in reliability analysis because operators are needed in process control systems. HRA methods must therefore be able to account both for human performance variability and for the dynamics of the interaction. A selected set of first generation HRA approaches is briefly described in terms of the operator model they use, their classification principle, and the actual method they propose. In addition, two examples of second generation methods are also considered. It is concluded that first generation HRA methods generally have very simplistic operator models, either referring to the time-reliability relationship or to elementary information processing concepts. It is argued that second generation HRA methods must recognise that cognition is embedded in a context, and be able to account for that in the way human reliability is analysed and assessed.