Please download to get full document.

View again

of 12

A Mid-Layer Model for Human Reliability Analysis: Understanding the Cognitive Causes of Human Failure Events

A Mid-Layer Model for Human Reliability Analysis: Understanding the Cognitive Causes of Human Failure Events
0 views12 pages
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Documenttranscript
  1 A Mid-Layer Model for Human Reliability Analysis: Understanding the Cognitive Causes of Human Failure Events 1   Stacey M. L. Hendrickson a* , April M. Whaley b , Ronald L. Boring b , James Y.H. Chang c , Song-Hua Shen c , Ali Mosleh d , Johanna H. Oxstrand e , John A. Forester a , Dana L. Kelly b   a Sandia National Laboratories, Albuquerque, NM, USA  b Idaho National Laboratory, Idaho Falls, ID, USA c US Nuclear Regulatory Commission, Washington, DC, USA d University of Maryland, College Park, MD, USA eVattenfall Ringhals AB, Väröbacka, Sweden Abstract: The Office of Nuclear Regulatory Research (RES) is sponsoring work in response to a Staff Requirements Memorandum (SRM) directing an effort to establish a single human reliability analysis (HRA) method for the agency or guidance for the use of multiple methods. As part of this effort an attempt to develop a comprehensive HRA qualitative approach is being pursued. This paper presents a draft of the method’s middle layer, a part of the qualitative analysis phase that links failure mechanisms to performance shaping factors. Starting with a Crew Response Tree (CRT) that has identified human failure events, analysts identify potential failure mechanisms using the mid-layer model. The mid-layer model presented in this paper traces the identification of the failure mechanisms using the Information-Diagnosis/Decision-Action (IDA) model and cognitive models from the  psychological literature. Each failure mechanism is grouped according to a phase of IDA. Under each  phase of IDA, the cognitive models help identify the relevant performance shaping factors for the failure mechanism. The use of IDA and cognitive models can be traced through fault trees, which  provide a detailed complement to the CRT. Keywords: HRA, Failure Mechanism, Cognitive Model, IDA.  1. INTRODUCTION In a Staff Requirements Memorandum (SRM) to the Advisory Committee on Reactor Safeguards (ACRS) [1], the US Nuclear Regulatory Commission (NRC) directed the ACRS to “work with the staff and external stakeholders to evaluate the different human reliability models in an effort to  propose a single model for the agency to use or guidance on which model(s) should be used in specific circumstances.” As a first step toward meeting this directive, an effort has been undertaken to build on existing knowledge and methods in an attempt to develop a comprehensive qualitative analysis approach for human reliability analysis (HRA). Current HRA methods in use as well as psychological and cognitive theories were referenced in the development of the qualitative analysis approach. This approach is intended to be applicable for HRA within a full-power internal events probabilistic risk assessment (PRA) as well as for event evaluation associated with low-power shutdown (LPSD) operations. The qualitative analysis to be proposed through this effort is a three-stage process. The first stage is the construction of crew response trees (CRTs). These CRTs resemble event trees and describe the evolution of the scenario and human failures (potential paths) through the procedures (e.g., emergency operating procedures [EOPs] or alarm response procedures [ARPs]). Instances of possible human failures are indentified within these CRTs, which are then explored further in supporting fault trees. 1  The information presented in this paper does not currently represent an agreed-upon NRC staff  position. The NRC has neither approved nor disapproved its technical content.  2 Therefore, a second stage within the qualitative analysis is the exploration of failure mechanisms (within a fault tree logic) underlying the possible human failures identified within the CRTs. A final step is the identification of relevant performance shaping factors (PSFs) driving the identified failure mechanisms. The terms  failure mechanism  and  failure mode  are sometimes used interchangeably, leading to occasional confusion. In the present research project, the authors have adopted failure mode to refer to the specific instantiation of a failure (e.g., “failure to close valve”), whereas a failure mechanism  prescribes a general explanation for the cause of the failure (e.g., “skip step in procedure”). The  purpose of the research outlined in this paper is to introduce a consensus list of failure mechanisms,  provide explicit links to cognitive models that account for those failure mechanisms, and further introduce how cognitive models map to specific PSFs. Note that the same failure mechanism may have multiple cognitive models to account for it, and each of these cognitive models may, in turn, map to a unique configuration of PSFs. The goal of the mid-layer model is to provide a clear mapping from failure mechanisms to PSFs via well-understood cognitive models. This paper will discuss the development and identification of the failure mechanisms. The failure mechanisms represent the link connecting the PSFs to the possible human failures identified within the CRTs. Therefore, the failure mechanisms represent a middle layer to the qualitative analysis approach, with the CRTs representing a top layer and the PSFs representing the bottom or lower layer. The mid-layer linkage is an important component as it ensures the correct PSFs (and scenario context) are identified for quantifying the probability of the possible human failures. The inclusion of such a mid-layer model within the qualitative analysis not only links the current method under development to other HRA methods that are currently in use (e.g., Cause-Based Decision Trees (CBDT) [2]), but also allows the method to be supported by human factors (HF) and  psychological literature. This explicit grounding within the HF literature has not been a part of HRA methods in the past; however, the vast experience and knowledge available within the literature should  be harvested in order to build more complete and comprehensive failure mechanisms as well as  provide a cognitive framework linking operator psychological processes with behavior and  performance. Another advantage to the inclusion of the mid-layer is to allow greater traceability of the application of the method. 2. OVERVIEW OF MID-LAYER MODEL APPROACH 2.1. IDA Cognitive Model A set of failure mechanisms has been identified for use within the qualitative analysis. These failure mechanisms are linked to the possible human failures identified within the CRTs based on the IDA cognitive model [3]. The IDA cognitive model represents a three-stage model srcinally developed to model the response of nuclear power plant (NPP) operators within an emergency situation. The stages of the IDA cognitive model are: 1.    Information.  This stage focuses on the perception of the environment and presented cues to the operator. The information is presented externally to the operator. Cognitive processing of the information is limited to the task of perceiving the information, but limited processing of the information is done at this stage. 2.    Diagnosis/Decision.  This stage is internal to the operator. At this phase, the operator uses what information was perceived in the previous stage along with stored memories, knowledge, and experience to develop an understanding of and a mental model of the situation. Following this situational assessment, the operator engages in decision making strategies to plan the appropriate course of action. Operators may use external resources such as procedures to assist them in both parts of this stage. 3.    Action.  In this final stage, the operator puts the decided upon course of action into play.  3 The IDA model accords well with the information processing paradigm commonly used in cognitive  psychology and HF. Information processing theory outlines how information from the environment is sensed and perceived (corresponding to the “I” phase of IDA), used for decision making (corresponding to the “D” phase of IDA), and translated into behavior (corresponding to the “A” phase of IDA). Within each of these elements, a nested IDA structure may exist [4]. In other words, each phase of the IDA model may be decomposed into further IDA structures. For instance, I-in-I explains the information being perceived and recognized, D-in-I involves deciding what to do with the perceived information (e.g., discard it or keep it), and A-in-I is acting on the decision made. For the application described within this paper, only the nested structure for the primary I phase was used. 2.2. Failure Mechanisms Although IDA was srcinally tailored to the behavior of NPP operators who are assumed to have expertise in the area and be largely directed by procedures, the larger list of failure mechanisms developed has applicability outside of this domain and can be applied in less constrained or procedure-directed situations. Tables 1-3 list those failure mechanisms identified within each of the IDA phases. These tables were derived from a review of failure mechanisms included in current HRA methods, a derivation of failure mechanisms from cognitive models in the psychological literature, and input from nuclear power plant operations expertise. Included in these tables is a discussion relating the failure mechanisms to relevant literature within the fields of psychology and HF. In order to identify failure mechanisms within the psychological and HF literature, a search was conducted including examining the last ten years of articles published within the  Annual Review of Psychology , the 50 th  anniversary edition of the  Human Factors  journal, and current text books in the cognitive psychology. Additional books and seminal articles related to topics found in this exploration were also included. Specific topic areas that were explored as being relevant to each of the IDA phases were: •   I Phase: sensation and perception models, situation awareness, information foraging theory, and working memory •   D Phase: situation awareness, sensemaking, naturalistic decision making (with particular emphasis on recognition primed decision making), cognitive biases, and working memory •   A Phase: slips, lapses, and working memory Because memory limitations, and in particular working memory, can be so influential on the  performance by a person, it was included in all phases of search. Although this list represents the greatest area of search, it is not meant to be all-inclusive or exhaustive. In conducting the literature review, if other areas of interest were discovered, they were also included as possible failure mechanisms. Note that due to space constraints, Tables 1-3 only provide examples of the cognitive models that support failure mechanisms. The complete list includes multiple evidence sources for most failure mechanisms, each source providing a different explanation for how the failure mechanism may manifest.  4 Table 1. Failure Mechanisms Identified for the I Phase of the IDA Cognitive Model I-D-A Sub-loop Failure Mechanism Support in the Psychological and HF Literature Information Error (I-in-I)   Cues not perceived Broadbent’s Filter Theory [5] explains sensory bottlenecks in which some cue or alarm may be missed by the operator due to sensory overload. Instrumentation failure Failing instruments, either due to spurious affects or not  being available or readable, are outside the cognition of the operator. These failures are due to the state and/or design of the plant. Information not available/missing Decision Error (D-in-I)   Intentionally not collecting The operator may fail to attend to cues or alarms due to an improper focus of attention on some element to the exclusion of noticing other elements [5]. Intentionally ignored alarms/cues Cues may be ignored due to a confirmation bias [6] in which  people tend to seek out information that confirms their current position and will ignore or disregard evidence to the contrary. Collect but dismiss The Data/Frame theory [7] suggests that a person processes incoming information by comparing it to an initial frame of mind. The data may be integrated into the existing frame, the person may re-frame to account for the existing data, or the data may be dismissed as being irrelevant. If the initial frame is incorrect, important data may be dismissed as being irrelevant or unimportant. Collected wrong information Collecting the wrong information may be due to confirmation bias in which the operator is seeking out information to confirm his or her current position [6]. Another possible explanation is incorrect information sampling by the operator due to, for example, an inadequate sampling strategy or internal model directing the sampling [8]. Action Error (A-in-I)   Reading error (procedures) In one instance, the operator may misread or misperceive an instrument due to elements being arranged close together on a control panel [9]. This misperception can account for either misreading the correct indicator or reading the wrong indicator. A similar phenomenon may be witnessed when reading steps within a procedure. Reading error (indicator) Locate the wrong indicator Unintentionally ignored alarms or cues Alarms and/or cues may be unintentionally ignored due to a narrowing of attention brought on up stress or a heavy workload such that the perception of relevant elements is reduced [8]  5 Table 2. Failure Mechanisms Identified for the D Phase of the IDA Cognitive Model Failure Mechanism Support in the Psychological and HF Literature Assess the plant condition incorrectly This collection of failures is primarily related to the situational awareness  by the operator. If the situation is assessed incorrectly such as through data misinterpretation due to insufficient expertise or knowledge by the decision maker, the classification of the system and the problem solving process can  be misleading or wrong [8]. Map the collected information to a different event Inability to develop diagnosis from the dataInappropriate goal selected Incorrect action ordering Skip procedure steps The decision leading to an incorrect application of the procedures, either by skipping steps, postponing steps, or deviating in some way from the guidance, may be due to a misinterpretation of the situation by the operator such that the current procedural guidance is not judged to be applicable [10]. Deviate from procedure Postpone procedure steps Decide to wait for more information Deciding upon the wrong action, whether seen through a delay of taking the action, incorrectly waiting for more information, or implementing the wrong action may be due to the incorrect mental simulation by the operator [11]. The mental simulation occurs while the decision maker is deciding upon the proper action to take in a situation and he or she mentally simulates the initiation and outcome of an action. This simulation may be incorrect for a number of reasons including an incorrect judgment of time available or time needed, an incorrect imagination of possible action outcomes, or not including a likely problem to occur within the simulation. Decide to take an alternative action Decide to take an action later Table 3. Failure Mechanisms Identified for the A Phase of the IDA Cognitive Model Failure Mechanism Support in the Psychological and HF Literature Select wrong component The wrong action may be committed (e.g., selecting the wrong component or omitting a component) due to a strong but incorrect instinctive or habitual action. For instance, behavior that is correct in most situations but is on some occasions inappropriate or incorrect [12]. Omit one or more components Skip step in procedure Skipping a step, whether an action step or a step within the procedural guidance, may be due to memory loading in which the amount of information that has to be carried in a person’s head to complete the action exceeds the person’s memory limits [13]. Therefore, steps are likely to be omitted. Skip step in action Incorrectly repeat a step in the action A step may be incorrectly repeated due to a distraction or interruption causing the action-taker to lose his or her place within the action  progression [12]. Delay in execution of the action A delay in action may be due to distraction or due to a momentary lapse in memory in which the action taker momentarily forgets the order of action steps or forgets what step within the action is next [12]. Failure to perform the action (omission) The omission of an action may be due to a number of issues including fault memory or a distraction or an interruption.
Advertisement
MostRelated
View more
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks
SAVE OUR EARTH

We need your sign to support Project to invent "SMART AND CONTROLLABLE REFLECTIVE BALLOONS" to cover the Sun and Save Our Earth.

More details...

Sign Now!

We are very appreciated for your Prompt Action!

x