Upload
napoleonpt2
View
222
Download
0
Embed Size (px)
Citation preview
7/28/2019 Human Error Probability Assessment for Functional Control Groups in the Process Industry
http://slidepdf.com/reader/full/human-error-probability-assessment-for-functional-control-groups-in-the-process 1/9
17 t h Eur opean Ar nua l Conf e re nce onHumanDéci si on Maki ng and Manual Cont r o l
H U M A N E R R O R P R O B A B I L I T Y A S S E S S M E N T F O R
F U N C T I O N A L C O N T R O L G R O U P S IN T H E P R O C E S S I N D U S T R Y
MartinVISSERPeter A . WIERINGA
Man-MachineSystemsand Control. FacultyofDesign, EngineeringandProduction,
Delft UniversityofTechnology, Mekelweg2,2628CD Delft, TheNetherlands.
P.A. [email protected]
A B S T R A C T
This paper describes a methodology to use
Human Error Probabilities (HEP) and design to
create robust complex Syst ems. If a HumanReiabilityAssessment (HRA) is performed, than
this is done mostly after the detailed design phase
is finished. The presented method heps to
understand the influence ofHuman Error (HE) in
an earlier design phase e.g. at the functional
analysis leve.
The method consists of several steps. First
alternative configurations of functional control
groups wth different complexities are deveoped.
For each configuration, a fault tree is deveoped
to find the initiating events (fàilures ofequipment) which lead to a chosen top event.
This top event is an undesired event such as an
overflowng tank. The initiatingevents are used
to create event trees (ET) wth special emphass
on operator actions, such as monitoring the
process and fault diagnosis. A diagnosis diagram
simulâtes the fault diagnosis process to identify
the initiating failures. The probability of a top
event due to human error can then be found, by
usingHEP-factorsand by normalising the failure
probabilities of the equipment. The methodology
is demonstrated by two examples of functional
control groups wth two different leves ofcomplexity.
The results of the example configurations
indicate that: The BasicHuman Error Probability
(BHEP) of a top event decreaseswth increasing
task complexity (measure for task complexity:
maxmumnumber of consécutive alarm ponts in
a configuration. In this paper, the configurations
havemaximal one to four alarmpoints). In a very
simple system too few recovery pathsexist.
This does not imply that the more alarm pontsthe lower the BHEP . The HEP for mssing
consecutive alarms above 10 are not available. It
is plausible that an adverseeffect of the number
of alarms on the BHEP can be seen for large
alarmsequences. This suggeststhat thereexista
mnimumBHEP for a certain number of alarmponts.
K E Y W O R D S
Complexity, design, reiability.
I N T R O D U C T I O N
Human error is extremey commonplace, with
almost everyone commtting at least someerrors
every dayJ 13"121 Most errors are recoverable
having none or reativey small impact on ourlives. However, in complex systemsthis may not
be the case. It is very important to design a
systemthat is robust to human errors under all
crcurnstances.
The increase in complexity of industrial
processes makes the design of large industrial
systemsmorediffïcult.[j ]" [41 Another reason is the
necessity for human centred automation. In
addition, Iittleis known about the details of the
system during the first phases of the design
process. Furthermore, the M M I [ 5 H S J (Man-
Machine Interface) will not be known in this
phase. The designer has little or no information
about thehumanactions and the associated HEPs
(HumanError Probabilities), displayed in table 1
Thus a HRA (Human reiability assessmenf/21
will be difficult to perform in this phase. Only
global, time independent errors may be
determned, e.g. wrong reading of data and not
following the procedures.121 Furthermore, the
actions of all the human operators should be
considered: the control room operators,
supervisors, fiedworkers, etc.
169
7/28/2019 Human Error Probability Assessment for Functional Control Groups in the Process Industry
http://slidepdf.com/reader/full/human-error-probability-assessment-for-functional-control-groups-in-the-process 2/9
17t h Eur opean Annual Conf er ence onHumanDéci si on Maki ng and Manual Cont r o l
T abl e 1 : L ev el s undertaken when designing a
System.
Designphase Level
Concept Goals •
FunctionsTasks
Jobs
• Means
Detailed design Actions HEP
M E T H O D O L O G Y
Elementary modules, further called Functional
Control Groups(FCGs), wth ther Human Error
Probability(HEP)will be identified. Such aF C G
covers a part of theprocessand performs one of
the many fùnctions, which are necessary toaccomplish the overall goal of the System Some
examplesof theFCGsare:
• Level control.
• Steam provision.
• Températurecontrol.
• Flow control.
• Position control.
• Pressure control.
(1) Functional control group analvsis. —
(2) Generate alternative configurations.
(3) Perform Human reiabilitv assessment:This
means determning:
(i) Tasks.(ii) Topeventfs).
(iii) Initiatingevents.
(iv) Operator-actioneventtree.
(v) HumanOperator diagnosis diagram.
(4) H EP for aF C G .
A C L O SE R L O O K A T T H E STEPS
O F T H E M E T H O D O L O G Y
In this paragraph, the steps of the methodology
are briefly described using an example F C G .
(1) Functional control group analvsis:
In this step, identification of FCGs (Functional
Control Groups) will be done Définition of the
physical boundary of aF C G is an importantissue
here and includes the définition of input, output
signaisand disturbances.
Due to the absenceof a detailed layout of the
M M I andof the operator tasksin the early designstage, a mnimum of alarms, controls and
indicators for each F C G will bedefïned.
In this paper, we assume that the error
probabilities of the human actions may be
obtained using the T H E R P (Technique for
Human Error Rate Prediction)-handbook of
Swain & Guttmann9]. Although some of the
valuesare derived for nuclear Systemsand not for
theprocess industry.
Thefollowing methodology has been deveoped
to détermine the HEP of a functional control
group (figure 1):
J
(2) Generate alternative configurations:
For each FCG,différent configurations wth
increasing complexity will be generated.
Environmental, safety and reiability demands
afifect the choice for spécifie components. The
complexity of theFCGs is affected by the use of
différent configurations and by the type of
components used. For instance, the choice of a
pump driven by a steam turbine instead of a
motor-drivenpump will affect the complexity. In
this step the alarms, controls and indicators
(MMI) will alsobe defined using a mnimum of
necessaryéléments.
H E P o I o p e rato r tasks (TH ERP ) & D i a g n o s e d tagrarr
C o n t iou ratio n 1 "— ^
To p e ve n t 1
To p e ve n t n
- i n i t i a tin g e/en t 1 {M H j
j i n i t i a tin g e v e n t 2 ( M F 2 )
• In i t ia t in g even t 3 (M F3]
' l n i t i a t i n g even t n (M Fn î
^ C o n f i g u r a t i o n 2
0 p erato r A c t i o n E v e n t T r e e 1
— O p e r a t o r A c t i o n E v e n t T r e e 2
0 p erato r A c t i o n E v e n t T r e e 3
0 p ar a to r A c t i o n E v e n t T r e e n
(MFS " 10)
(H El P r o b a b i l i t y of top ev en t 1
C o m p ex i t y in c r aas i n g
F i gur e. 1 : Appr oach t o dét erm ne t he HEP of t he f u n c t i o n a l cont r o l gr oups .
- > H E P 1
— H EP 2
- > H E P 3
* - H EP n
170
7/28/2019 Human Error Probability Assessment for Functional Control Groups in the Process Industry
http://slidepdf.com/reader/full/human-error-probability-assessment-for-functional-control-groups-in-the-process 3/9
17t h Eur opean Annual Conf er ence onHumanDéci si onMaki ng a nd Manual Cont r o l
The définition of complexity for the
configurations is important. A good définition of
System complexity doesn't really exist
(Stassen[4). Since we are concentrating on the
control roomOperator actions, it is better to focus
at theTaskDemandLoad(TDL)
I10]
"
[12)
. TheTDLis inhérent to a task and independent of the
human. TheMMI has a strong influence on the
T D L . I 1 3 ] The task complexity (during fault
diagnosis) will be used as a measure for the
complexity of aconfiguration and is based on the
maxmumnumber of consécutive alarms after an
initiating event. The more consécutive alarm
ponts, the more complex a system will be.
Physical robustness of a systemwill reduce the
interaction,and will induce fewer alarms.
Exampleconfiguration o f L L C :
The P&I diagram of the low complexity L L C is
presented in figure 2. It consistsof a tank, a not
controllable pump, a control valve and a leve
Controller. Theliquid could be water or another
substance (not volatile). The following notation
(ISO 3511) in the P&I diagrams is used for a
measured property; F: Flow; L : Leve; S: Speed;
G: Position. For an instrument function the
following notation is used; I: Indicating; C:
Controlling;A: Alarmng.
inpu!
j 0utput
(SIA) (Gl j
F i gur e 2 : L L C wi t h l ow t a s k c ompl ex i t y .
(3) Humanreiabilityassessment̂
In summary, the following have to be
determned:
(i) Tasks.
The définition of the Operator tasks for each
configuration will be done.
(ii) Top eventfs).
The most important top eventsfor theFCGswill
be determned. These are theeventswth a highimpact onsafety or production.
The top event of the example FCG, L L C, could
be an overflowof the tank.
(iii) Initiatingevents.
The identification of initiatingevents. EachFCG
may have several initiatingevents leading to the
sametopevent.For each topevent,a fault treeis
deveoped todétermine the initiatingevents(top-
down approach). These events can have ther
orign wthin a functional control group or
outsde a group. The latter initiatingeventcan be
considered as disturbances.
0 verflow of
tank
[~ Inf townot
' normif
Pump not 1 0 utput valve
wortin g 1 position notnormal
j 0bitruciion in
} tbe ouîflow
0 utputvilve j
LflVftl Controller
noîworking | notworScing
Measurmg
davicR (LI not
working
Convoiter (Li
notworking
F i gur e 3 : Sy s t emf a u l t t r e e f o r l ow c ompl ex i t yLLC.
ExampleF CG , L L C :
Figure 3 displays the fault tree for the low
complexity L L C . In figure 3, the initiatingevents
caused by components outside a FCG are
displayed wth dashed lines. They will not be
treated further here. The term device "X" "not
working" in the figure refers to a mechanical
failure (device "X" "defect") or to a human
Operatorerror.
(iv) Operator-action event tree(OAET)[21.
Derivation of event treesfor the initiatingeventscaused by a mechanical failure (MF) of the
components of a FCG. The Operator Action
Event Tree (OAET) describes the consécutive
actions or lack of actions taken by theOperator.
Each Operator action consists of détection
followed by a fault diagnosis. This set of actions
is referred to asphases. Theevent treeswill be
derivedonly wth the information available for a
F CG , becausethecontentsof the process before
or after aF C G are not known.
System dynamcs détermine the rime betweeneach alarm and thus the possibility of the
Operator reacting to one or more alarms at the
171
7/28/2019 Human Error Probability Assessment for Functional Control Groups in the Process Industry
http://slidepdf.com/reader/full/human-error-probability-assessment-for-functional-control-groups-in-the-process 4/9
17t h Eur opean Annual Conf er ence onHuman Dec i s i on Maki ng and Manual Cont r o l
time. Thesystemdynamcs are not known in this
phase of design and are not taken into account. In
addition, theevent dynamcs itsef are not known,
e.g. a defect pump may stop completey or may
continue at a low rotation speed. Consequently,
all the alarms and the reactions in theeventtreeare considered separatey regardless ther
dynamcs.
ExampleF C G , L L C :
Figure4 displays theOperatorActionEvent Tree
for the initiatingevent "pumpdefect" of thefault
treedisplayed in figure 3.
ThisO A E T of the initiatingevent "pumpdefect"
has three phases. After not detecting the first
alarmor after an unsuccessful fault diagnosis in
phase A, the operator maydetect a second alarminphase B. If the operator performs a successful
fault diagnosis in phase B, full recovery of the
situation occurs. If the operator does not detect
the second alarm or performs the fault diagnosis
unsuccessfully in phase B, than a recovery path
in phase C exists. This pattern of phases is
appliedin all theevent trees.
Note that the operator can make several time
independent errors while perforrmng the task
"humanoperator detectsan alarm low (or high)"
(Detection Error Probability DEP1 to DEP3 in
theeventtree):
(1) Missingan alarm
Due to not attending.
Due to assumng afalsealarm
(2) Seecting a wrong mmc and thus assumng
it is a falsealarm
(3) Detecting wrong alarm high (low) instead of
low (high).
TheFault detection error probabilities (FDEPs)
are determned in the next stepwith a diagnose
diagram
(v) Humanoperator diagnosis diagram.
Diagnosis diagrams are deveoped to describe the
fault diagnosis. After the human operator detects
an alarm several steps will be followed to
diagnose the initiatingevent. Thesestepsare part
of an (assumed) procedure and are described in
the diagnosis diagrams.
Although an operator, after detecting an alarm
would first start wth checking the indicator
associated wth the detected alarm we assume
that the operator always starts at the top of the
diagnosis diagram after detecting an alarm The
advantage of thisapproach is that in every phase
andevent treethesamediagnosis diagram can be
appliedto derive theH E P for the fault diagnosis.
Thedisadvantage is that the BHEP may be too
high because of the "summation" of the
probabilities due to the "or functions" in the
diagnosis diagrams.
ExampleF CG , L L C :
Figure5 displays the diagnosis diagram for the
L L C . The triangular tags labeled "A" in the
diagnosis diagrams refer to figure 6.
i Phase A Phase B Phase C
Detection D iagnosis D etection D iagnosis D etection Diagnosis
Pump
defect
Human operator
detects alarmpump lo w
Fault diagnosis
correct and contactsfield operator
H urn an operator
detects alarm
outflow low
Fault diagnosis
correct and contactsfield operator
H urn an operator
detects alarm Level
tank high
Fault diagnosis
correct and contacts
field operator
Final
outcom e
Su c c e s s ,
Y i/
/
/disturbance
F D E P 1!1
// in output
\11 /
\\
1N DEP1 \
\FDEP2
!
/\
//
\\
D E P2\\
FDEP3
D E P 3
\\
\\ 0 verflow of
tank
F i gur e 4: Event t r e e f o r l ow c ompl ex i t y L L C s t a r t i n g wi t h i n i t i a t i n g event "pump de f ec t '
172
7/28/2019 Human Error Probability Assessment for Functional Control Groups in the Process Industry
http://slidepdf.com/reader/full/human-error-probability-assessment-for-functional-control-groups-in-the-process 5/9
17t h Eur opean Annual Conf erence onHumanDéci si on Maki ng a nd Manual Cont r o l
Ht un
C h i c k o u t p u t
l e * h i gh«OW
A L A R U HI B HTo o lo w
A L A R M LO W D r o p p u i cC h t c k p u m p
m o t i o nToo law
L t v t i f t » t i » l t a r I L O »
M 4>vic »
[ L U D ] ritlact
F i gur e 5 : Di agnos i s di a gr a mf o r t he l owc ompl ex i t y LLC.
Check output:
mcasurementdevice of
controller and indication
Contralier
defect
MeaserementdeWce
defect
F i gur e 6: Di a gno s i s di a gr a m t o déci de bet weena def ect c o n t r o l l e r or meas ur ement devi ce .
The status of a component checked by an
operator isdépendent on the timepassedafter the
initiating event happened. Thus, the text at a
décision pont of the diagnosis diagrams refers to
a trend or a threshold for a component or process
state variable. This is demonstrated in anexample for the initiating event "pump defect"
for the low complexity configuration L L C :
Phase A: The human operator detectsthe alarm
"pump low". The operator starts than wth the
fault diagnosis (figure 5 at the top). Thesuccess
path through the diagnosis diagram todetect that
the pump isdefect:
(1) "Check leve tank". The operator detectsa
not normal value anddécides that the leve is
"rising" in thedécision point.
(2) "Check output flow". The operator detectsa
not normal value anddécides that the output
flow is"dropping" in thedécision pont.
(3) "Checkpump rotation". The operator detects
a too low value and décides that the pump
nn k "ton ]ow, alarm low" in theotation is "too
décision pont,
Phase B: The operator detectsthe alarm "output
flow low". The operator starts again wth the
fault diagnosis (figure 5 at the top). Only pont
(2) is different in this phase: The operator
"checks the output flow" and detects a too low
value and décides that the output flow is "too
low, alarmlow" in thedécision point.
Phase C: The operator detects the alarm "leve
tank high". The operator detectsnow a too high
value (alarm high) for the "leve in the tank" for
pont (1).
Note that the Check Errors CE I to CE3 in the
diagnosis diagrams are the probabilities of a
human operator making an error while checking
an indicator. These probabilities consist of more
than one human error. The human errors for an
operator perforrriingthe task "check thestatusof
an indicator" (CEI) are:
• Seecting wrongmmc.
• Checkreadingerror.
The human errors for an operator performng the
task "check thestatusof indicator 1 and 2" (CE2)
are
• First indicator: seectingwrong mmc.
• First indicator: check readingerror.
• Second indicator: seectingwrong mmc.
• Second indicator: check readingerror.
(v) H E P for a topeventof a configuration:
Calculation of the HEP for a top event by
inserting theHEPs into theevent and fault trees.
A Mechanical Failure rate of one is assumed for
all the initiating mechanical failures in this step.
The Basic Human Error Probabilities (BHEPs)
for the event and diagnose diagrams will be
determned. Weassumethat therequiredtime for
the operators to perform fault diagnosis is 30
mnutes. This is what is often used for a Nuclear
Power Plant (NPP). In theprocess industry there
is not such time defined. The situation where the
operator has 30 mnutes to perform a fault
173
7/28/2019 Human Error Probability Assessment for Functional Control Groups in the Process Industry
http://slidepdf.com/reader/full/human-error-probability-assessment-for-functional-control-groups-in-the-process 6/9
17t h Eur opean Annual Conf er ence onHuman Dec i s i on Maki ng and Manual Cont r o l
diagnosis simulates a normal condition. The
mmmurn time within which weassumea human
operator has to perform a fault diagnosis is set to
5 mnutes and represents a situation under stress.
The BHEP will be determned for both
conditions. The handbook of Swain &Guttmann9 is used to obtain theBHEPs.
DISCUSSION
In this paper, we focussed on two different leves
of complexity for a F C G . The complexity was
defined using the maximum number of
consecutive alarmponts after an initiatingevent.
Note that, using this definition, an increase in the
number of components doesnot always imply an
increase in the task complexity.
The function of a F G C determnes the choce of
the top vent. In this paper, the L L C performs a
buffering function; thus, the top event is
"overflow of tank". For instance, the top event
would be different for a L L C that provides
coolingwater:"no outflow".
The initiatingeventscan have a human or system
orign. The human initiatingevents, eg. anerror
of commssion, require a more detailed
knowledge of the whole process and the working
conditions, which are not known at the
preimnarystageof design. Thus, in this survey
only mechanical failures are considered. In
addition, the initiatingevents, like a rupturedor
blocked pipe (a defect non-return valve) are not
treated in this paper.
The event trees are much more extensivethan
normally in a H R A , becauseeveryalarmthat the
operator doesnot detect has a possible recovery
path. Such recover paths are realistic compared
to the actions performed by an operator in the
control room. For instance, it is possible that an
operator realises due to a second alarm that thefirst fault diagnosis was incorrect. This is only
realistic for a small number of alarms;a twentieth
consecutive alarm provides very little
information to the operator. Note that the
probability of recovery (by detecting a
consecutive alarm) becomes less according to
T H E R P table20-23.
Diagnosis diagrams are flowchart procedures and
are used to determne the probability for not
achieving the top goal in a F C G . The operator
has several options at various ponts in theprocedure (here all two options). Furthermore
the procedures are symptom-based whichenables
the operator to act in a deveoping event
accordingto what symptoms are present.121
We assumed that the operator always starts at the
top of the diagnosis diagram after detecting analarm Another approach is to start at the "check
box" in the diagnosis diagram associated wth the
detectedalarm This doesnot make a difference,
becausethe order of the boxes in the diagnosis
diagrams is interchangeable (or-functions).
A refinement can be done in the diagnosis
diagrams:
(1) Starting at the top of the diagram for an
alarmpont on a "process variable" (indirect
alarm).
(2) Starting at the check box associated wth the
detected alarm for an alarm pont on a
"component" (direct alarm).
The operator only checks the indicator associated
wth an alarm point on a "component" (direct
alarm), thus starting at the top of the diagnosis
diagram is than not realistic. For example, the
pumpin the low complexity L L C (figure 2) has a
direct alarm point. If the operator detects the
pump alarm the operator checks the rotation
indicator of the pump and concludes, that the
pump isdefect wthout checking the indicator of
the outflow and the leve in the tank. The
operator must check other indicators, in caseof
an alarm pont on a "process variable" (indirect
alarm e.g. alarm outflow, figure 2), to perform a
successful fault diagnosis, becausethere are more
components that cancausethis disturbance.
It is possible that the operator seects a wrong
procedure(diagnosediagram) while performng a
fault diagnosis. This is not taken into account,
becausethere is a high probability of recovery.There is also the probability that the operator
performs an error: namey skipping a procedure
step(diagnosediagramstep).This is a very small
error (BHEP=0.001) according to T H E R P [9 ]
table T20-7 item (1) and will not be taken in
account in this paper. In addition, it is assumed
that theH E of not contacting the fied operator is
zero. Following emergency operating procedures
are considered in more detail byMacwanet al.[15i
T H E R P suggests a much higher B H E P for a
humanoperator performng fault diagnosis understress ( 5 mnutes) than was obtained using the
174
7/28/2019 Human Error Probability Assessment for Functional Control Groups in the Process Industry
http://slidepdf.com/reader/full/human-error-probability-assessment-for-functional-control-groups-in-the-process 7/9
17t h Eur opean Annual Conf er ence onHumanDéci si on Maki ng and Manual Cont r o l
diagnosis diagrams (table 2). This can be
explained as follows. First, the modifying factor
of five, that we assumed to obtain a situation wth
stress wth, could be too small. Secondly and
more likey, the diagnosis diagrams are
dépendent on the complexity of the system The
configurations in this paper are small (unlike
THERP) and thus one can expect a smaller
BHEP for fault diagnosis under stress. For
instance in case of the normal condition (30
mnutes), the operator has enough time to
perform a successful fault diagnosis for a small
as wel as for a more complex system Thus, the
BHEP will be thesamefor both Systems. This is
not the case for the condition under stress (5
mnutes). The probability for the operator to
make an error will be higher for the higher
complexity systemthan wth a small system(wth
only 5 mnutes toperforma fault diagnosis).
T abl e 2: BHEP of di agnos i s of a s i n g l e e v enl .
Available B H E P obtained wth
time for T H E R P Diagnose diagram
diagnosis of table 20-1
singleevent
5 mnutes 0.75 0.08 to 0.26
30 mnutes 0.01 0.015 to 0.06
The BHEP obtained from T H E R P should be
corrected for low task complexity Systems by
applyingaPSF. Thus, the diagnose diagrams area good approach to détermine theB H E P of fault
diagnosis.lt is impossible to assessthe effect of
all the PSFs due to the absence of knowledge
about the MMI , situation and human factors.
However, if this method is applied during design
of a chemcal process someof thePSFs can be
determned:
(1) The factor "training" (The Internal PSF's) is
omtted,becauseweassumethat the operator
is skiliedand wel trained.
(2) The influence of the factor "stress" (The
Stressor PSF's)on the control room operator
is taken into account by assumng a higher
stress Ieve for the condition that there are
only 5 mnutes available to perform a fault
diagnosis.
(3) The influence of "task load" (The Stressor
PSF's) is already taken into account in this
methodology by using the diagnose
diagrams.
Table 1 depicts the various leves undertakenduring design of a system However, on which
leve! can the deived methodology be
implemented? On the function leve, the
implementation is expected to be possible by
creating standardised FCGs. TheseFCGs can be
implemented into computer design programmes
as modules. The designer can than 'seect
equipment wth the desired mechanical failure
(MF) rate based on the B H E P associated wth
that equipment as initiatingevent.
A question arises if the implementation of this
methodology is possible on the goal leve. The
goalscan be too global. For a large plant such as
a nuclear power plant this will be thecasefor ail
the goal leves, top goal, goal and sub-goal
level.fl4} Décomposition into sub-goals reveals
the critica! fractions. For instance, a sub-goal
like: "control leve under various normal
conditions" consists of many critical functions,like control nuclear power, neutron flux
distribution, turbine generator system, etc. Such
critical function groups are essentially thesame
as the FCGs addressed in this paper. Thus, îhe
implementing of this methodology is only
possible on the leve of functions.
The only remaining problem on the functional
leve is the unknown mechanical failure rate of
the equipment that détermines the probability of
a topevent. I f the equipment isseected,than the
assocated mechanical failure rates are known.Before this step, it is only possible to work wth
estimated or average mechanical failure rates.
V E R I F I C A T I O N
It was found that the B H E P decreases with
increasing task complexity. This resuit is shown
in table 3 where theBHEPs of the topeventsare
depicted against the maximum number of
consécutive alarm ponts in a configuration. The
table depicts the normal condition (second
column: 30 mnutes to perform fault diagnosis)and the condition under stress (first column: 5
mnutes toperformfault diagnosis).
T abl e 3: T h e BHEP f o r t h e t o p ev e nt s
F CG 5 mnutes 30 mnutes
L ow ComplexityH T C 0.3779 0.0889
(onealarmpont)
HighComplexityH T C 0.1630 0.0081
(two alarmponts)
L ow Complexity L L C 0.1124 0.0055
(threealarmponts)
High Complexity L L C 0.0440 0.0004(four alarmponts)
175
7/28/2019 Human Error Probability Assessment for Functional Control Groups in the Process Industry
http://slidepdf.com/reader/full/human-error-probability-assessment-for-functional-control-groups-in-the-process 8/9
17i h Eur opean Annual Conf er ence onHumanDéci si on Maki ng and Manual Cont r o l
As previous stated we assume the maximum
number of consécutive alarmponts as ameasure
for the task complexity. Thus, the BHEP
decreaseswth an increasing task complexity. In
the higher complexity FCGs, the Operator has
more recovery opportunities due to more
available information.
Table3showsthat theBHEPs of a topevent for
the condition under stress(5 mnutes) decreases
froma very high (unacceptable) BHEP to a more
acceptable one The BHEP of the normal
situation (30 mnutes) decreases from an
acceptable BHEP to a very small BHEP . This
can be explained as follows: The configurations
wth few alarms provide too little information for
the operator incaseof the condition under stress.
Therefore, the operator has not much possibility
to recover froman incorrect fault diagnosis.
Thisconclusion and table 3 do not imply that the
morealarmponts the lower theB H E P . TheH E P
for mssing consécutive alarms above 10 are not
available. It is plausible that an adverseeffect of
the number of alarms on the B H E P can beseen
for large alarm séquences. This suggests that
there exist a mnimum B H E P for a certain
number ofalarmpoints.
T abl e 4. T h e pros a nd c o n s o f t he pres ent ed met hod.
Pro
Information about HE available in an early
designstage.
The designer can balance the choice of a
configuration of a F C G wth the desired H E P
for a topevent.
The possibility of inserting the FCGs into
computer designing programmes for chemcal
processes. Thesélection of the B H E P can be
done than maybe based on the System
dynamcs. Slow dynamcs: normal condition
and fast dynamcs: situation under stress.
No invention of the whee again. A ll the
known information about a FCG can beimplemented in a standardisedF C G and is thus
available for any designer.
Simple method based upon the information
available for a functional System The method
can be applied to any part of a process by
usinga modular set-up.
The BHEP of fault diagnosis is determned
wth a more realisticapproach. T H E R P applies
the same B H E P for fault diagnosis in ail
situations, which is onlydépendent on the time
between theevents. In the approach presented
here the BHEP are dépendent on the timebetween events and on the type of systemby
applyingdiagnose diagrams.
Con
Based upon idéal situation wth idéal Man-
Machineinteraction design.
Implementing Basic HEP into event trees,
becausethe influenceof thePSF's is unknown.
Therefore, the overall H EP of a top event of a
F C G isalsonormative.
The method disregards theeffectsof theevents
outside the F C G that follow on an initiating
event in a F C G . Thecontents of the process
before or after a FC G are not known.
A il the possible functional control groups and
ther différent complex configurations have tobe identified.
Dependencies between human action are not
considered in this survey. This is more
interesting incaseof more operators.
Spécial situations are not considered. For
exampleduringstart-up, there may occur many
falsealarms; thus, the probability of mssing a
real alarmincreases.
The effect of the sizeof a plant is not taken
into account.
C O N C L U S I O N S
A methodology has been presented to incorporate
BHEP associated with operator errors and
functional analysis. The approach consists of
determning the initiatingevents for a top event
of a functional group using a fault treeand then
derivingtheOperator Action Event Tree(OAET)
for thèse events.The fault diagnosis in theO A E Tis done wth the aid of a diagnosis diagram.With
ail the mechanical failureratesequal to one, the
overall BHEP for the top event can be derived
(using the outcomeof theevent trees).
One has to bear inmndthat the probabilities can
be used only as an aid for choosing equipment
layout and applying redundancy. The complète
process is not taken into account, because the
M M I and the dynamcs of the process are notknown in thepreimnarydesignphases.
176
7/28/2019 Human Error Probability Assessment for Functional Control Groups in the Process Industry
http://slidepdf.com/reader/full/human-error-probability-assessment-for-functional-control-groups-in-the-process 9/9
17t h Eur opean Annual Conf er ence onHumanDéci si on Maki ng an d Man ua o n t r o
The results of the example configurations
indicarethat: TheBHEP of a top event decreases
wth increasing task complexity (measure for task
complexity: maximum number of consécutive
alarmponts in a configuration). In a very simple
System too few recovery pathsexist.
The pros and cons of the methodology are
depicted in table 4. Further work needs to be
carried out to derive the best procédure of
implementing the method into the design process.
R E F E R E N C E S
[1] B. Kirwan, L . K . Ainsworth, « Guide to
task analysis », Taylor and Francis,
London, ISBN 0-7484-0058-3, 1992.
[2] B. Kirwan, « A guide to practical human
reiability assessment », Taylor and
Francis, London, ISBN 0-7484-0052-4
(cloth), 0-7484-0052-3(paper), 1994.
[3] G . Johannsen,A . H . Levis,H.G. Stassen, «
Theoretical problems in man-machine
Systemsand ther experimental validation
», Automát i ca 30 ( 2 ) , pp 217 - 231, 1994.
[4] H.G. Stassen, « Hoe complex is een
industriee procès voor een procesoperator
», Inspeen op complexitet, Alkemade
M .J .A . Samson bedrijfsinformatie b.v.,
Alphen aan den Rijn / Zaventem. ISBN
90-14-03883-6,pp184-195, 1992.
[5] J .P. Scanlon, « Guideines for the design
of Man-MachineInterfaces: Leve 0 », tc-
6 (Man-machine communications) of
EWICS, Sintef, division of automatic
control, N-7043 Trondhem NTH
Norway, 1981.
[ 6] J .P. Scanlon, « Guideines for the designof Man-MachineInterfaces: Leve 1 », tc-
6 (Man-machine communications) of
EWICS, Sintef, division of automatic
control, N-7043 Trondhem NTH
Norway, 1981.
[7] J .Wirstad, « Guideines for the design of
Man-Machine Interfaces: Leve 2 », tc-6
(Man-machine communications) of
EWICS, Sintef, division of automatic
control, N-7043 Trondhem NTH
Norway, 1982.
[8] E. van Ravenzwaaij, H. G. Stassen, «
Guideinesfor the design ofMan-Machine
Interfaces: Leve 3 », tc-6 (Man-machine
Communications) of EWICS, Sintef,
división of automatic control, N-7043
Trondhem N T H Norway, 1986.
[9] A.D. Swain, H.E. Guttmann, « Handbook
of Human Reiability Analysis wth
emphass on nuclear power applications »,
NUREG/CR-1278, 1983.
[10] H.G . Stassen, G. Johannsen, N.Moray, «
Internal representation, intemal mode,
human performance mode and mental
workload»,Automática 26, pp 811 - 820,
1990.
[11] S. Bi, G. Salvendy, « Analytical
modeling and experimental study of
human workload in scheduling of
advanced manufacturing systems », The
international joumal of human factors in
manufacturing, vol. 4, pp. 205 - 234,
1994.
[12] Zhi Gang We, Añil P. Macwan, P.A.
Wieringa, « Quantitative degree of
automation », Man-MachineSystemsand
Control, Fac. WbMt, Tu Deft, p 26,
1996.
[13] J .H .M. Andriessen, P.A. Wieringa, «
Influencing complexity by means of the
man-machine interface », Fac. WbMt,
VakgroepM & R , T U Deft, p 15, 1995.
[14] « Design for control rooms of nuclear
power plants », Nen 10964 Ie druk,
november 1989. Nederlandse
Elektrotechnisch Comité (NEC),
NormcommssieN E C 45 "Kerntechnische
instrumentatie", Dutch institution ofNormalisation, Kalfjeslaan 2, Postbox
5059,2600Deft.
[15] A.P. Macwan, P.A.Wieringa, A. Mosleh,
« Quantification of multiple error
expressions in following emergency
operating procedures in nuclear power
plant control room », Preprints of the
PSAM-11, Apostoakis,G.E. andW U , J .S.
San Diego: 2 (1) 066-15 066-20, 1994.
177