Human Error Probability Assessment for Functional Control Groups in the Process Industry

7/28/2019 Human Error Probability Assessment for Functional Control Groups in the Process Industry

http://slidepdf.com/reader/full/human-error-probability-assessment-for-functional-control-groups-in-the-process 1/9

17 t h Eur opean Ar nua l Conf e re nce onHumanDéci si on Maki ng and Manual Cont r o l

H U M A N E R R O R P R O B A B I L I T Y A S S E S S M E N T F O R

F U N C T I O N A L C O N T R O L G R O U P S IN T H E P R O C E S S I N D U S T R Y

MartinVISSERPeter A . WIERINGA

Man-MachineSystemsand Control. FacultyofDesign, EngineeringandProduction,

Delft UniversityofTechnology, Mekelweg2,2628CD Delft, TheNetherlands.

P.A. [email protected]

A B S T R A C T

This paper describes a methodology to use

Human Error Probabilities (HEP) and design to

create robust complex Syst ems. If a HumanReiabilityAssessment (HRA) is performed, than

this is done mostly after the detailed design phase

is finished. The presented method heps to

understand the influence ofHuman Error (HE) in

an earlier design phase e.g. at the functional

analysis leve.

The method consists of several steps. First

alternative configurations of functional control

groups wth different complexities are deveoped.

For each configuration, a fault tree is deveoped

to find the initiating events (fàilures ofequipment) which lead to a chosen top event.

This top event is an undesired event such as an

overflowng tank. The initiatingevents are used

to create event trees (ET) wth special emphass

on operator actions, such as monitoring the

process and fault diagnosis. A diagnosis diagram

simulâtes the fault diagnosis process to identify

the initiating failures. The probability of a top

event due to human error can then be found, by

usingHEP-factorsand by normalising the failure

probabilities of the equipment. The methodology

is demonstrated by two examples of functional

control groups wth two different leves ofcomplexity.

The results of the example configurations

indicate that: The BasicHuman Error Probability

(BHEP) of a top event decreaseswth increasing

task complexity (measure for task complexity:

maxmumnumber of consécutive alarm ponts in

a configuration. In this paper, the configurations

havemaximal one to four alarmpoints). In a very

simple system too few recovery pathsexist.

This does not imply that the more alarm pontsthe lower the BHEP . The HEP for mssing

consecutive alarms above 10 are not available. It

is plausible that an adverseeffect of the number

of alarms on the BHEP can be seen for large

alarmsequences. This suggeststhat thereexista

mnimumBHEP for a certain number of alarmponts.

K E Y W O R D S

Complexity, design, reiability.

I N T R O D U C T I O N

Human error is extremey commonplace, with

almost everyone commtting at least someerrors

every dayJ 13"121 Most errors are recoverable

having none or reativey small impact on ourlives. However, in complex systemsthis may not

be the case. It is very important to design a

systemthat is robust to human errors under all

crcurnstances.

The increase in complexity of industrial

processes makes the design of large industrial

systemsmorediffïcult.[j ]" [41 Another reason is the

necessity for human centred automation. In

addition, Iittleis known about the details of the

system during the first phases of the design

process. Furthermore, the M M I [ 5 H S J (Man-

Machine Interface) will not be known in this

phase. The designer has little or no information

about thehumanactions and the associated HEPs

(HumanError Probabilities), displayed in table 1

Thus a HRA (Human reiability assessmenf/21

will be difficult to perform in this phase. Only

global, time independent errors may be

determned, e.g. wrong reading of data and not

following the procedures.121 Furthermore, the

actions of all the human operators should be

considered: the control room operators,

supervisors, fiedworkers, etc.

169

mailto:[email protected]

mailto:[email protected]



17t h Eur opean Annual Conf er ence onHumanDéci si on Maki ng and Manual Cont r o l

T abl e 1 : L ev el s undertaken when designing a

System.

Designphase Level

Concept Goals •

FunctionsTasks

Jobs

• Means

Detailed design Actions HEP

M E T H O D O L O G Y

Elementary modules, further called Functional

Control Groups(FCGs), wth ther Human Error

Probability(HEP)will be identified. Such aF C G

covers a part of theprocessand performs one of

the many fùnctions, which are necessary toaccomplish the overall goal of the System Some

examplesof theFCGsare:

• Level control.

• Steam provision.

• Températurecontrol.

• Flow control.

• Position control.

• Pressure control.

(1) Functional control group analvsis. —

(2) Generate alternative configurations.

(3) Perform Human reiabilitv assessment:This

means determning:

(i) Tasks.(ii) Topeventfs).

(iii) Initiatingevents.

(iv) Operator-actioneventtree.

(v) HumanOperator diagnosis diagram.

(4) H EP for aF C G .

A C L O SE R L O O K A T T H E STEPS

O F T H E M E T H O D O L O G Y

In this paragraph, the steps of the methodology

are briefly described using an example F C G .

(1) Functional control group analvsis:

In this step, identification of FCGs (Functional

Control Groups) will be done Définition of the

physical boundary of aF C G is an importantissue

here and includes the définition of input, output

signaisand disturbances.

Due to the absenceof a detailed layout of the

M M I andof the operator tasksin the early designstage, a mnimum of alarms, controls and

indicators for each F C G will bedefïned.

In this paper, we assume that the error

probabilities of the human actions may be

obtained using the T H E R P (Technique for

Human Error Rate Prediction)-handbook of

Swain & Guttmann9]. Although some of the

valuesare derived for nuclear Systemsand not for

theprocess industry.

Thefollowing methodology has been deveoped

to détermine the HEP of a functional control

group (figure 1):

J

(2) Generate alternative configurations:

For each FCG,différent configurations wth

increasing complexity will be generated.

Environmental, safety and reiability demands

afifect the choice for spécifie components. The

complexity of theFCGs is affected by the use of

différent configurations and by the type of

components used. For instance, the choice of a

pump driven by a steam turbine instead of a

motor-drivenpump will affect the complexity. In

this step the alarms, controls and indicators

(MMI) will alsobe defined using a mnimum of

necessaryéléments.

H E P o I o p e rato r tasks (TH ERP ) & D i a g n o s e d tagrarr

C o n t iou ratio n 1 "— ^

To p e ve n t 1

To p e ve n t n

- i n i t i a tin g e/en t 1 {M H j

j i n i t i a tin g e v e n t 2 ( M F 2 )

• In i t ia t in g even t 3 (M F3]

' l n i t i a t i n g even t n (M Fn î

^ C o n f i g u r a t i o n 2

0 p erato r A c t i o n E v e n t T r e e 1

— O p e r a t o r A c t i o n E v e n t T r e e 2

0 p erato r A c t i o n E v e n t T r e e 3

0 p ar a to r A c t i o n E v e n t T r e e n

(MFS " 10)

(H El P r o b a b i l i t y of top ev en t 1

C o m p ex i t y in c r aas i n g

F i gur e. 1 : Appr oach t o dét erm ne t he HEP of t he f u n c t i o n a l cont r o l gr oups .

- > H E P 1

— H EP 2

- > H E P 3

* - H EP n

170



17t h Eur opean Annual Conf er ence onHumanDéci si onMaki ng a nd Manual Cont r o l

The définition of complexity for the

configurations is important. A good définition of

System complexity doesn't really exist

(Stassen[4). Since we are concentrating on the

control roomOperator actions, it is better to focus

at theTaskDemandLoad(TDL)

I10]

"

[12)

. TheTDLis inhérent to a task and independent of the

human. TheMMI has a strong influence on the

T D L . I 1 3 ] The task complexity (during fault

diagnosis) will be used as a measure for the

complexity of aconfiguration and is based on the

maxmumnumber of consécutive alarms after an

initiating event. The more consécutive alarm

ponts, the more complex a system will be.

Physical robustness of a systemwill reduce the

interaction,and will induce fewer alarms.

Exampleconfiguration o f L L C :

The P&I diagram of the low complexity L L C is

presented in figure 2. It consistsof a tank, a not

controllable pump, a control valve and a leve

Controller. Theliquid could be water or another

substance (not volatile). The following notation

(ISO 3511) in the P&I diagrams is used for a

measured property; F: Flow; L : Leve; S: Speed;

G: Position. For an instrument function the

following notation is used; I: Indicating; C:

Controlling;A: Alarmng.

inpu!

j 0utput

(SIA) (Gl j

F i gur e 2 : L L C wi t h l ow t a s k c ompl ex i t y .

(3) Humanreiabilityassessment̂

In summary, the following have to be

determned:

(i) Tasks.

The définition of the Operator tasks for each

configuration will be done.

(ii) Top eventfs).

The most important top eventsfor theFCGswill

be determned. These are theeventswth a highimpact onsafety or production.

The top event of the example FCG, L L C, could

be an overflowof the tank.

(iii) Initiatingevents.

The identification of initiatingevents. EachFCG

may have several initiatingevents leading to the

sametopevent.For each topevent,a fault treeis

deveoped todétermine the initiatingevents(top-

down approach). These events can have ther

orign wthin a functional control group or

outsde a group. The latter initiatingeventcan be

considered as disturbances.

0 verflow of

tank

[~ Inf townot

' normif

Pump not 1 0 utput valve

wortin g 1 position notnormal

j 0bitruciion in

} tbe ouîflow

0 utputvilve j

LflVftl Controller

noîworking | notworScing

Measurmg

davicR (LI not

working

Convoiter (Li

notworking

F i gur e 3 : Sy s t emf a u l t t r e e f o r l ow c ompl ex i t yLLC.

ExampleF CG , L L C :

Figure 3 displays the fault tree for the low

complexity L L C . In figure 3, the initiatingevents

caused by components outside a FCG are

displayed wth dashed lines. They will not be

treated further here. The term device "X" "not

working" in the figure refers to a mechanical

failure (device "X" "defect") or to a human

Operatorerror.

(iv) Operator-action event tree(OAET)[21.

Derivation of event treesfor the initiatingeventscaused by a mechanical failure (MF) of the

components of a FCG. The Operator Action

Event Tree (OAET) describes the consécutive

actions or lack of actions taken by theOperator.

Each Operator action consists of détection

followed by a fault diagnosis. This set of actions

is referred to asphases. Theevent treeswill be

derivedonly wth the information available for a

F CG , becausethecontentsof the process before

or after aF C G are not known.

System dynamcs détermine the rime betweeneach alarm and thus the possibility of the

Operator reacting to one or more alarms at the

171



17t h Eur opean Annual Conf er ence onHuman Dec i s i on Maki ng and Manual Cont r o l

time. Thesystemdynamcs are not known in this

phase of design and are not taken into account. In

addition, theevent dynamcs itsef are not known,

e.g. a defect pump may stop completey or may

continue at a low rotation speed. Consequently,

all the alarms and the reactions in theeventtreeare considered separatey regardless ther

dynamcs.

ExampleF C G , L L C :

Figure4 displays theOperatorActionEvent Tree

for the initiatingevent "pumpdefect" of thefault

treedisplayed in figure 3.

ThisO A E T of the initiatingevent "pumpdefect"

has three phases. After not detecting the first

alarmor after an unsuccessful fault diagnosis in

phase A, the operator maydetect a second alarminphase B. If the operator performs a successful

fault diagnosis in phase B, full recovery of the

situation occurs. If the operator does not detect

the second alarm or performs the fault diagnosis

unsuccessfully in phase B, than a recovery path

in phase C exists. This pattern of phases is

appliedin all theevent trees.

Note that the operator can make several time

independent errors while perforrmng the task

"humanoperator detectsan alarm low (or high)"

(Detection Error Probability DEP1 to DEP3 in

theeventtree):

(1) Missingan alarm

Due to not attending.

Due to assumng afalsealarm

(2) Seecting a wrong mmc and thus assumng

it is a falsealarm

(3) Detecting wrong alarm high (low) instead of

low (high).

TheFault detection error probabilities (FDEPs)

are determned in the next stepwith a diagnose

diagram

(v) Humanoperator diagnosis diagram.

Diagnosis diagrams are deveoped to describe the

fault diagnosis. After the human operator detects

an alarm several steps will be followed to

diagnose the initiatingevent. Thesestepsare part

of an (assumed) procedure and are described in

the diagnosis diagrams.

Although an operator, after detecting an alarm

would first start wth checking the indicator

associated wth the detected alarm we assume

that the operator always starts at the top of the

diagnosis diagram after detecting an alarm The

advantage of thisapproach is that in every phase

andevent treethesamediagnosis diagram can be

appliedto derive theH E P for the fault diagnosis.

Thedisadvantage is that the BHEP may be too

high because of the "summation" of the

probabilities due to the "or functions" in the

diagnosis diagrams.

ExampleF CG , L L C :

Figure5 displays the diagnosis diagram for the

L L C . The triangular tags labeled "A" in the

diagnosis diagrams refer to figure 6.

i Phase A Phase B Phase C

Detection D iagnosis D etection D iagnosis D etection Diagnosis

Pump

defect

Human operator

detects alarmpump lo w

Fault diagnosis

correct and contactsfield operator

H urn an operator

detects alarm

outflow low

Fault diagnosis

correct and contactsfield operator

H urn an operator

detects alarm Level

tank high

Fault diagnosis

correct and contacts

field operator

Final

outcom e

Su c c e s s ,

Y i/

/

/disturbance

F D E P 1!1

// in output

\11 /

\\

1N DEP1 \

\FDEP2

!

/\

//

\\

D E P2\\

FDEP3

D E P 3

\\

\\ 0 verflow of

tank

F i gur e 4: Event t r e e f o r l ow c ompl ex i t y L L C s t a r t i n g wi t h i n i t i a t i n g event "pump de f ec t '

172



17t h Eur opean Annual Conf erence onHumanDéci si on Maki ng a nd Manual Cont r o l

Ht un

C h i c k o u t p u t

l e * h i gh«OW

A L A R U HI B HTo o lo w

A L A R M LO W D r o p p u i cC h t c k p u m p

m o t i o nToo law

L t v t i f t » t i » l t a r I L O »

M 4>vic »

[ L U D ] ritlact

F i gur e 5 : Di agnos i s di a gr a mf o r t he l owc ompl ex i t y LLC.

Check output:

mcasurementdevice of

controller and indication

Contralier

defect

MeaserementdeWce

defect

F i gur e 6: Di a gno s i s di a gr a m t o déci de bet weena def ect c o n t r o l l e r or meas ur ement devi ce .

The status of a component checked by an

operator isdépendent on the timepassedafter the

initiating event happened. Thus, the text at a

décision pont of the diagnosis diagrams refers to

a trend or a threshold for a component or process

state variable. This is demonstrated in anexample for the initiating event "pump defect"

for the low complexity configuration L L C :

Phase A: The human operator detectsthe alarm

"pump low". The operator starts than wth the

fault diagnosis (figure 5 at the top). Thesuccess

path through the diagnosis diagram todetect that

the pump isdefect:

(1) "Check leve tank". The operator detectsa

not normal value anddécides that the leve is

"rising" in thedécision point.

(2) "Check output flow". The operator detectsa

not normal value anddécides that the output

flow is"dropping" in thedécision pont.

(3) "Checkpump rotation". The operator detects

a too low value and décides that the pump

nn k "ton ]ow, alarm low" in theotation is "too

décision pont,

Phase B: The operator detectsthe alarm "output

flow low". The operator starts again wth the

fault diagnosis (figure 5 at the top). Only pont

(2) is different in this phase: The operator

"checks the output flow" and detects a too low

value and décides that the output flow is "too

low, alarmlow" in thedécision point.

Phase C: The operator detects the alarm "leve

tank high". The operator detectsnow a too high

value (alarm high) for the "leve in the tank" for

pont (1).

Note that the Check Errors CE I to CE3 in the

diagnosis diagrams are the probabilities of a

human operator making an error while checking

an indicator. These probabilities consist of more

than one human error. The human errors for an

operator perforrriingthe task "check thestatusof

an indicator" (CEI) are:

• Seecting wrongmmc.

• Checkreadingerror.

The human errors for an operator performng the

task "check thestatusof indicator 1 and 2" (CE2)

are

• First indicator: seectingwrong mmc.

• First indicator: check readingerror.

• Second indicator: seectingwrong mmc.

• Second indicator: check readingerror.

(v) H E P for a topeventof a configuration:

Calculation of the HEP for a top event by

inserting theHEPs into theevent and fault trees.

A Mechanical Failure rate of one is assumed for

all the initiating mechanical failures in this step.

The Basic Human Error Probabilities (BHEPs)

for the event and diagnose diagrams will be

determned. Weassumethat therequiredtime for

the operators to perform fault diagnosis is 30

mnutes. This is what is often used for a Nuclear

Power Plant (NPP). In theprocess industry there

is not such time defined. The situation where the

operator has 30 mnutes to perform a fault

173



17t h Eur opean Annual Conf er ence onHuman Dec i s i on Maki ng and Manual Cont r o l

diagnosis simulates a normal condition. The

mmmurn time within which weassumea human

operator has to perform a fault diagnosis is set to

5 mnutes and represents a situation under stress.

The BHEP will be determned for both

conditions. The handbook of Swain &Guttmann9 is used to obtain theBHEPs.

DISCUSSION

In this paper, we focussed on two different leves

of complexity for a F C G . The complexity was

defined using the maximum number of

consecutive alarmponts after an initiatingevent.

Note that, using this definition, an increase in the

number of components doesnot always imply an

increase in the task complexity.

The function of a F G C determnes the choce of

the top vent. In this paper, the L L C performs a

buffering function; thus, the top event is

"overflow of tank". For instance, the top event

would be different for a L L C that provides

coolingwater:"no outflow".

The initiatingeventscan have a human or system

orign. The human initiatingevents, eg. anerror

of commssion, require a more detailed

knowledge of the whole process and the working

conditions, which are not known at the

preimnarystageof design. Thus, in this survey

only mechanical failures are considered. In

addition, the initiatingevents, like a rupturedor

blocked pipe (a defect non-return valve) are not

treated in this paper.

The event trees are much more extensivethan

normally in a H R A , becauseeveryalarmthat the

operator doesnot detect has a possible recovery

path. Such recover paths are realistic compared

to the actions performed by an operator in the

control room. For instance, it is possible that an

operator realises due to a second alarm that thefirst fault diagnosis was incorrect. This is only

realistic for a small number of alarms;a twentieth

consecutive alarm provides very little

information to the operator. Note that the

probability of recovery (by detecting a

consecutive alarm) becomes less according to

T H E R P table20-23.

Diagnosis diagrams are flowchart procedures and

are used to determne the probability for not

achieving the top goal in a F C G . The operator

has several options at various ponts in theprocedure (here all two options). Furthermore

the procedures are symptom-based whichenables

the operator to act in a deveoping event

accordingto what symptoms are present.121

We assumed that the operator always starts at the

top of the diagnosis diagram after detecting analarm Another approach is to start at the "check

box" in the diagnosis diagram associated wth the

detectedalarm This doesnot make a difference,

becausethe order of the boxes in the diagnosis

diagrams is interchangeable (or-functions).

A refinement can be done in the diagnosis

diagrams:

(1) Starting at the top of the diagram for an

alarmpont on a "process variable" (indirect

alarm).

(2) Starting at the check box associated wth the

detected alarm for an alarm pont on a

"component" (direct alarm).

The operator only checks the indicator associated

wth an alarm point on a "component" (direct

alarm), thus starting at the top of the diagnosis

diagram is than not realistic. For example, the

pumpin the low complexity L L C (figure 2) has a

direct alarm point. If the operator detects the

pump alarm the operator checks the rotation

indicator of the pump and concludes, that the

pump isdefect wthout checking the indicator of

the outflow and the leve in the tank. The

operator must check other indicators, in caseof

an alarm pont on a "process variable" (indirect

alarm e.g. alarm outflow, figure 2), to perform a

successful fault diagnosis, becausethere are more

components that cancausethis disturbance.

It is possible that the operator seects a wrong

procedure(diagnosediagram) while performng a

fault diagnosis. This is not taken into account,

becausethere is a high probability of recovery.There is also the probability that the operator

performs an error: namey skipping a procedure

step(diagnosediagramstep).This is a very small

error (BHEP=0.001) according to T H E R P [9 ]

table T20-7 item (1) and will not be taken in

account in this paper. In addition, it is assumed

that theH E of not contacting the fied operator is

zero. Following emergency operating procedures

are considered in more detail byMacwanet al.[15i

T H E R P suggests a much higher B H E P for a

humanoperator performng fault diagnosis understress ( 5 mnutes) than was obtained using the

174



17t h Eur opean Annual Conf er ence onHumanDéci si on Maki ng and Manual Cont r o l

diagnosis diagrams (table 2). This can be

explained as follows. First, the modifying factor

of five, that we assumed to obtain a situation wth

stress wth, could be too small. Secondly and

more likey, the diagnosis diagrams are

dépendent on the complexity of the system The

configurations in this paper are small (unlike

THERP) and thus one can expect a smaller

BHEP for fault diagnosis under stress. For

instance in case of the normal condition (30

mnutes), the operator has enough time to

perform a successful fault diagnosis for a small

as wel as for a more complex system Thus, the

BHEP will be thesamefor both Systems. This is

not the case for the condition under stress (5

mnutes). The probability for the operator to

make an error will be higher for the higher

complexity systemthan wth a small system(wth

only 5 mnutes toperforma fault diagnosis).

T abl e 2: BHEP of di agnos i s of a s i n g l e e v enl .

Available B H E P obtained wth

time for T H E R P Diagnose diagram

diagnosis of table 20-1

singleevent

5 mnutes 0.75 0.08 to 0.26

30 mnutes 0.01 0.015 to 0.06

The BHEP obtained from T H E R P should be

corrected for low task complexity Systems by

applyingaPSF. Thus, the diagnose diagrams area good approach to détermine theB H E P of fault

diagnosis.lt is impossible to assessthe effect of

all the PSFs due to the absence of knowledge

about the MMI , situation and human factors.

However, if this method is applied during design

of a chemcal process someof thePSFs can be

determned:

(1) The factor "training" (The Internal PSF's) is

omtted,becauseweassumethat the operator

is skiliedand wel trained.

(2) The influence of the factor "stress" (The

Stressor PSF's)on the control room operator

is taken into account by assumng a higher

stress Ieve for the condition that there are

only 5 mnutes available to perform a fault

diagnosis.

(3) The influence of "task load" (The Stressor

PSF's) is already taken into account in this

methodology by using the diagnose

diagrams.

Table 1 depicts the various leves undertakenduring design of a system However, on which

leve! can the deived methodology be

implemented? On the function leve, the

implementation is expected to be possible by

creating standardised FCGs. TheseFCGs can be

implemented into computer design programmes

as modules. The designer can than 'seect

equipment wth the desired mechanical failure

(MF) rate based on the B H E P associated wth

that equipment as initiatingevent.

A question arises if the implementation of this

methodology is possible on the goal leve. The

goalscan be too global. For a large plant such as

a nuclear power plant this will be thecasefor ail

the goal leves, top goal, goal and sub-goal

level.fl4} Décomposition into sub-goals reveals

the critica! fractions. For instance, a sub-goal

like: "control leve under various normal

conditions" consists of many critical functions,like control nuclear power, neutron flux

distribution, turbine generator system, etc. Such

critical function groups are essentially thesame

as the FCGs addressed in this paper. Thus, îhe

implementing of this methodology is only

possible on the leve of functions.

The only remaining problem on the functional

leve is the unknown mechanical failure rate of

the equipment that détermines the probability of

a topevent. I f the equipment isseected,than the

assocated mechanical failure rates are known.Before this step, it is only possible to work wth

estimated or average mechanical failure rates.

V E R I F I C A T I O N

It was found that the B H E P decreases with

increasing task complexity. This resuit is shown

in table 3 where theBHEPs of the topeventsare

depicted against the maximum number of

consécutive alarm ponts in a configuration. The

table depicts the normal condition (second

column: 30 mnutes to perform fault diagnosis)and the condition under stress (first column: 5

mnutes toperformfault diagnosis).

T abl e 3: T h e BHEP f o r t h e t o p ev e nt s

F CG 5 mnutes 30 mnutes

L ow ComplexityH T C 0.3779 0.0889

(onealarmpont)

HighComplexityH T C 0.1630 0.0081

(two alarmponts)

L ow Complexity L L C 0.1124 0.0055

(threealarmponts)

High Complexity L L C 0.0440 0.0004(four alarmponts)

175

http://diagnosis.lt/

http://diagnosis.lt/



17i h Eur opean Annual Conf er ence onHumanDéci si on Maki ng and Manual Cont r o l

As previous stated we assume the maximum

number of consécutive alarmponts as ameasure

for the task complexity. Thus, the BHEP

decreaseswth an increasing task complexity. In

the higher complexity FCGs, the Operator has

more recovery opportunities due to more

available information.

Table3showsthat theBHEPs of a topevent for

the condition under stress(5 mnutes) decreases

froma very high (unacceptable) BHEP to a more

acceptable one The BHEP of the normal

situation (30 mnutes) decreases from an

acceptable BHEP to a very small BHEP . This

can be explained as follows: The configurations

wth few alarms provide too little information for

the operator incaseof the condition under stress.

Therefore, the operator has not much possibility

to recover froman incorrect fault diagnosis.

Thisconclusion and table 3 do not imply that the

morealarmponts the lower theB H E P . TheH E P

for mssing consécutive alarms above 10 are not

available. It is plausible that an adverseeffect of

the number of alarms on the B H E P can beseen

for large alarm séquences. This suggests that

there exist a mnimum B H E P for a certain

number ofalarmpoints.

T abl e 4. T h e pros a nd c o n s o f t he pres ent ed met hod.

Pro

Information about HE available in an early

designstage.

The designer can balance the choice of a

configuration of a F C G wth the desired H E P

for a topevent.

The possibility of inserting the FCGs into

computer designing programmes for chemcal

processes. Thesélection of the B H E P can be

done than maybe based on the System

dynamcs. Slow dynamcs: normal condition

and fast dynamcs: situation under stress.

No invention of the whee again. A ll the

known information about a FCG can beimplemented in a standardisedF C G and is thus

available for any designer.

Simple method based upon the information

available for a functional System The method

can be applied to any part of a process by

usinga modular set-up.

The BHEP of fault diagnosis is determned

wth a more realisticapproach. T H E R P applies

the same B H E P for fault diagnosis in ail

situations, which is onlydépendent on the time

between theevents. In the approach presented

here the BHEP are dépendent on the timebetween events and on the type of systemby

applyingdiagnose diagrams.

Con

Based upon idéal situation wth idéal Man-

Machineinteraction design.

Implementing Basic HEP into event trees,

becausethe influenceof thePSF's is unknown.

Therefore, the overall H EP of a top event of a

F C G isalsonormative.

The method disregards theeffectsof theevents

outside the F C G that follow on an initiating

event in a F C G . Thecontents of the process

before or after a FC G are not known.

A il the possible functional control groups and

ther différent complex configurations have tobe identified.

Dependencies between human action are not

considered in this survey. This is more

interesting incaseof more operators.

Spécial situations are not considered. For

exampleduringstart-up, there may occur many

falsealarms; thus, the probability of mssing a

real alarmincreases.

The effect of the sizeof a plant is not taken

into account.

C O N C L U S I O N S

A methodology has been presented to incorporate

BHEP associated with operator errors and

functional analysis. The approach consists of

determning the initiatingevents for a top event

of a functional group using a fault treeand then

derivingtheOperator Action Event Tree(OAET)

for thèse events.The fault diagnosis in theO A E Tis done wth the aid of a diagnosis diagram.With

ail the mechanical failureratesequal to one, the

overall BHEP for the top event can be derived

(using the outcomeof theevent trees).

One has to bear inmndthat the probabilities can

be used only as an aid for choosing equipment

layout and applying redundancy. The complète

process is not taken into account, because the

M M I and the dynamcs of the process are notknown in thepreimnarydesignphases.

176



17t h Eur opean Annual Conf er ence onHumanDéci si on Maki ng an d Man ua o n t r o

The results of the example configurations

indicarethat: TheBHEP of a top event decreases

wth increasing task complexity (measure for task

complexity: maximum number of consécutive

alarmponts in a configuration). In a very simple

System too few recovery pathsexist.

The pros and cons of the methodology are

depicted in table 4. Further work needs to be

carried out to derive the best procédure of

implementing the method into the design process.

R E F E R E N C E S

[1] B. Kirwan, L . K . Ainsworth, « Guide to

task analysis », Taylor and Francis,

London, ISBN 0-7484-0058-3, 1992.

[2] B. Kirwan, « A guide to practical human

reiability assessment », Taylor and

Francis, London, ISBN 0-7484-0052-4

(cloth), 0-7484-0052-3(paper), 1994.

[3] G . Johannsen,A . H . Levis,H.G. Stassen, «

Theoretical problems in man-machine

Systemsand ther experimental validation

», Automát i ca 30 ( 2 ) , pp 217 - 231, 1994.

[4] H.G. Stassen, « Hoe complex is een

industriee procès voor een procesoperator

», Inspeen op complexitet, Alkemade

M .J .A . Samson bedrijfsinformatie b.v.,

Alphen aan den Rijn / Zaventem. ISBN

90-14-03883-6,pp184-195, 1992.

[5] J .P. Scanlon, « Guideines for the design

of Man-MachineInterfaces: Leve 0 », tc-

6 (Man-machine communications) of

EWICS, Sintef, division of automatic

control, N-7043 Trondhem NTH

Norway, 1981.

[ 6] J .P. Scanlon, « Guideines for the designof Man-MachineInterfaces: Leve 1 », tc-

6 (Man-machine communications) of



Norway, 1981.

[7] J .Wirstad, « Guideines for the design of

Man-Machine Interfaces: Leve 2 », tc-6

(Man-machine communications) of



Norway, 1982.

[8] E. van Ravenzwaaij, H. G. Stassen, «

Guideinesfor the design ofMan-Machine

Interfaces: Leve 3 », tc-6 (Man-machine

Communications) of EWICS, Sintef,

división of automatic control, N-7043

Trondhem N T H Norway, 1986.

[9] A.D. Swain, H.E. Guttmann, « Handbook

of Human Reiability Analysis wth

emphass on nuclear power applications »,

NUREG/CR-1278, 1983.

[10] H.G . Stassen, G. Johannsen, N.Moray, «

Internal representation, intemal mode,

human performance mode and mental

workload»,Automática 26, pp 811 - 820,

1990.

[11] S. Bi, G. Salvendy, « Analytical

modeling and experimental study of

human workload in scheduling of

advanced manufacturing systems », The

international joumal of human factors in

manufacturing, vol. 4, pp. 205 - 234,

1994.

[12] Zhi Gang We, Añil P. Macwan, P.A.

Wieringa, « Quantitative degree of

automation », Man-MachineSystemsand

Control, Fac. WbMt, Tu Deft, p 26,

1996.

[13] J .H .M. Andriessen, P.A. Wieringa, «

Influencing complexity by means of the

man-machine interface », Fac. WbMt,

VakgroepM & R , T U Deft, p 15, 1995.

[14] « Design for control rooms of nuclear

power plants », Nen 10964 Ie druk,

november 1989. Nederlandse

Elektrotechnisch Comité (NEC),

NormcommssieN E C 45 "Kerntechnische

instrumentatie", Dutch institution ofNormalisation, Kalfjeslaan 2, Postbox

5059,2600Deft.

[15] A.P. Macwan, P.A.Wieringa, A. Mosleh,

« Quantification of multiple error

expressions in following emergency

operating procedures in nuclear power

plant control room », Preprints of the

PSAM-11, Apostoakis,G.E. andW U , J .S.

San Diego: 2 (1) 066-15 066-20, 1994.

177

Human Error Probability Assessment for Functional Control Groups in the Process Industry

Documents

Transcript of Human Error Probability Assessment for Functional Control Groups in the Process Industry