Operator's Influence on the Safety of the Controlled Process

Risk analysis of the controlled process and identification of the related hazards is an important activity during the development of a safety-related control system (SRCS). A mistake by the operating staff during the execution of safety-relevant operations on the controlled process can be the cause of a hazard. The operator's influence on the safety of the controlled process depends on the operation mode of the SRCS and on the technical safety of the SRCS. This contribution deals with the safety assessment of the operator's effect on the safety of the controlled process.


Introduction
The SRCS is a technological device for controlling a safety-critical process; its role is to replace or supervise a human (the operator) in carrying out the safety-critical operations related to the control of the considered process.
The aim of such replacement or supervision is to contribute to the safety of the controlled process by eliminating human (operator) errors. The SRCS is thus a coupling device between the operator and the controlled process.
The functions of the SRCS can be divided into (Fig. 1):
• control functions without influence on safety: functions whose failure may cause operational problems, but cannot endanger the safety of the controlled process,
• control functions with influence on safety: functions whose failure may cause not only operational problems, but can also endanger the safety of the controlled process,
• protective functions: functions that do not participate in controlling the process, but whose role is to supervise the state of elements that reduce the risk of damage to protected assets (people, environment, property, ...) located within the scope of the controlled process.
Protective functions and control functions with influence on safety are referred to as safety functions (SF). An SRCS can contain several safety functions, and each safety function can be defined with a different safety integrity level (SIL) [6]. A specific position among the SRCS functions is held by the so-called emergency functions (EF), which do not participate in the control of the process; their role is to minimize the threat to the safety of the controlled process due to an operator error or a failure of the interface between the operator and the SRCS (the so-called human-machine interface, HMI) during emergency operation (operation when the required safety function is not available). A failure of the HMI can lead to falsification (modification) of the operator's command. That means a failure of the HMI has the same impact on the safety of the controlled process as an operator error.

Error Rate of the Operator
It is a very difficult task to evaluate the reliability properties of the operator, because the operator does not always behave identically in the same situation. Moreover, the same traffic situation can in many cases be successfully resolved in different ways. Human reliability can be described by parameters analogous to those used for the reliability of technical systems: the human error probability (HEP), or alternatively the probability of successful execution of the operation (human success probability, HSP).
Different methods are used worldwide to estimate the human error probability. The following belong to the most frequently used methods for the probabilistic estimation of human reliability [8]:
• THERP (Technique for Human Error Rate Prediction),
• SLIM (Success Likelihood Index Method),
• HRC (Human Cognitive Reliability),
• SHARP (Systematic Human Action Reliability Procedure).
The human error probability depends on the operator's behavior mode. Generally, the following behavior modes of the operator can be considered [9], [10]:
• skill-based behavior,
• rule-based behavior,
• knowledge-based behavior.
There is no clear boundary between these behavior modes, and the operator usually combines them.
Minimizing the operator error probability requires knowing the causes of the errors. The most frequent causes of operator error are:
• inattention,
• lack of the operator's specialized skills,
• work overload or time pressure,
• poor management of the operator.

Modelling of the Operator Effect on the Controlled Process Safety
The operator influences the controlled process through the SRCS. Therefore, the influence of the operator on the safety of the controlled process can be evaluated only with knowledge of the functional and technical properties of the SRCS and of the operator's role in the controlled process. The operator's role in the controlled process can be described using different models. Each model should be created so that it describes a specific monitored property, and the mutual relations between the individual models should be respected.

Object Model
The object model (Fig. 2) illustrates the static relations between the operator, the SRCS and the controlled process. The observed property is the influence of the operator on the safety of the controlled process. For this reason, objects realising functions without influence on safety are not shown in the figure.
Ideally, all commands to change the state of the controlled process are generated by the logic of the SRCS, based on state information about the controlled process (information from sensors) and on the operator's commands. The SRCS accepts a command from the operator only if it cannot threaten the safety of the controlled process, so a hazard can arise only due to a failure of the safety function (or functions) of the SRCS. The tolerable intensity of safety function malfunction can be determined based on risk analysis.
In the case of continuously operated control, it is necessary to ensure that the operator can control the process also in the case of partial or total failure of the SRCS. The operator must then substitute for the safety functions which are not available (non-functional functions) and therefore must assume responsibility for process control. The operator issues safety-critical commands based on state information about the controlled process; the commands control the actuators. The operator can obtain state information about the process via the HMI or by direct observation of the process. The operator can control the actuators either directly or indirectly via an emergency function (EF), depending on the technical solution of the SRCS and on the extent of its failure. An SRCS with safety functions of lower SIL (usually SIL 1) allows the operator to intervene in process control, during both fault-free and emergency operation, without a check of his commands by the SRCS logic (Fig. 3). In this case, the operator is entirely responsible for the safety of the controlled process.

Sequence-Event Model (Sequence Diagram)
A sequence diagram describes the interactions between the operator, the SRCS and the controlled process.
In the case of failure-free operation of the SRCS (Fig. 4), a command entered by the operator (Commd) via the HMI is transferred to the object realising the required safety function. If it cannot threaten the safety of the controlled process, the logic of the SRCS issues the command (S_Commd) to the actuator (actuators). This form of control is referred to as one-stage control. In the case of emergency operation using one-stage control (Fig. 5), the operator's command is not checked by the logic of the SRCS; it is transferred from the HMI directly to the actuator (actuators). In the case of multi-stage control (usually double-stage control), the operator must perform several actions in an exactly defined sequence for the command to be accepted by the logic of the SRCS, which then issues the order to change the state of the controlled process (through control of the actuators). The EF block checks the correctness of the operator's actions when issuing a safety-relevant command. The sequence diagram in Fig. 6 represents the principle of double-stage control. After receiving a command from the operator (T_Commd), the SRCS logic (the block realising the EF) informs the operator about the requested activity and asks the operator to confirm the command (message Req_Ack). After receiving the confirmation, the EF object checks its correctness (by comparing the logical content of the T_Commd and Ack messages) and issues a command to the actuator (or commands to the actuators) [12].
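The following Python model is an added illustration of the two emergency-control sequences above; it is not code from the paper. It plays the one-stage exchange (Fig. 5) and the double-stage exchange with the EF comparing T_Commd against Ack (Fig. 6) through a constructed HMI that may falsify one message; the message content "POINT_3=LEFT" and the `hmi_fault` parameter are assumptions of the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    kind: str       # "T_Commd", "Req_Ack", "Ack" or "S_Commd"
    content: str    # logical content of the command, e.g. "POINT_3=LEFT" (constructed)

class OneStageControl:
    """Emergency one-stage control (Fig. 5): the command arriving from the HMI
    is not checked and goes straight to the actuator."""
    def handle(self, msg):
        return [Message("S_Commd", msg.content)]

class DoubleStageEF:
    """Emergency function realising double-stage control (Fig. 6): T_Commd is
    answered with Req_Ack, and S_Commd is issued only if the logical content
    of the Ack equals that of the T_Commd received earlier."""
    def __init__(self):
        self.pending = None     # content of the T_Commd awaiting confirmation
        self.rejected = []      # mismatching (T_Commd, Ack) pairs, for diagnostics
    def handle(self, msg):
        if msg.kind == "T_Commd":
            self.pending = msg.content
            return [Message("Req_Ack", msg.content)]
        if msg.kind == "Ack" and self.pending is not None:
            expected, self.pending = self.pending, None
            if msg.content == expected:
                return [Message("S_Commd", msg.content)]
            self.rejected.append((expected, msg.content))
        return []               # unexpected or mismatching message: nothing reaches the actuator

def run_sequence(controller, intended, hmi_fault=None):
    """Plays one command exchange. `intended` is what the operator wants; the HMI may
    falsify one message kind (constructed fault): hmi_fault = (kind, wrong_content).
    Returns the list of S_Commd contents that reach the actuator."""
    def via_hmi(msg):
        if hmi_fault and msg.kind == hmi_fault[0]:
            return Message(msg.kind, hmi_fault[1])
        return msg
    actuator = []
    for out in controller.handle(via_hmi(Message("T_Commd", intended))):
        if out.kind == "S_Commd":
            actuator.append(out.content)
        elif out.kind == "Req_Ack":
            # The operator confirms the command they actually intended; the EF compares it
            # with the T_Commd it received, so a falsified T_Commd or Ack does not match.
            actuator += [m.content for m in controller.handle(via_hmi(Message("Ack", intended)))
                         if m.kind == "S_Commd"]
    return actuator
```

With one-stage control a falsified T_Commd reaches the actuator unchanged, whereas the double-stage EF rejects both a falsified T_Commd and a falsified Ack; only a consistent falsification of both messages would pass, which is the "HMI error and simultaneous EF malfunction" case of the state-space model.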

State-Space Model
Different operational situations of the SRCS and the controlled process can be represented by a state-space model (Fig. 7). The state space of the controlled process is generally formed by a set of safe states and a set of dangerous states (DSP). Safe states are states in which there is no threat to the assets related to the controlled process (people, property, etc.). Dangerous states are states in which these assets are threatened. Similarly, the state space of the SRCS is formed by a set of:
• dangerous states (DSS),
• safe states, which can be divided according to the functionality of the SRCS into: states in which the SRCS is fully functional (FSS), i.e. the SRCS has no failure; states in which the SRCS is partially functional (P-FSS), i.e. the SRCS has failed so that not all safety functions are available and the process is partially controlled by the operator using emergency functions; and the state in which the SRCS is non-functional (N-FSS), i.e. the process is fully controlled by the operator using emergency functions.
Transitions exist between these states. The type and intensity of these transitions depend on the specific design of the SRCS and on the actual controlled process. Transitions between SRCS states are represented by dashed lines in Fig. 7. The calculation of the probability (or intensity) of occurrence of a dangerous state of the controlled process due to SF malfunction is not the main subject of this paper; for this purpose the information given e.g. in [2], [3], [4], [5] can be used.
The most widely used method that allows analyzing the influence of multiple factors on the safety of the SRCS is currently Markov analysis. A combination of continuous-time Markov chains (CTMC) for the description of stochastic processes and discrete-time Markov chains (DTMC) for the description of deterministic events can be used appropriately, as well as for the approximation of a non-homogeneous Markov process by a homogeneous one [13].
To analyze the influence of operator error on the safety of the controlled process, we can accept the following assumption: if the SRCS is in a dangerous state, then the controlled process is in a dangerous state too. There is then no need to distinguish between the dangerous state of the SRCS (DSS) and the dangerous state of the controlled process (DSP), and these two states can be equated. Safe states of the controlled process are not relevant for the safety analysis.
The dangerous state of the SRCS (DSS) can occur due to the following hazards:
• failure of the considered safety function,
• error of the operator or of the HMI when entering safety-critical commands during normal (failure-free) operation of the SRCS, if the operator controls the actuators directly,
• error of the operator or of the HMI together with a simultaneous EF malfunction (if the SRCS is equipped with one) when entering safety-critical commands during emergency operation of the SRCS.
The following transitions between states in Fig. 7 relate to hazards bound to operator error:
• transition from FSS to DSS: applied during failure-free operation of the SRCS if the operator can control the actuators directly; the intensity of the transition depends on the frequency of issuing such commands and on the probability of operator error or HMI failure,
• transition from P-FSS to DSS: applied in the case of a partially functional SRCS; the transition intensity depends on the applied mode of emergency control (one-stage or double-stage), on the probability of operator error or HMI failure and on the frequency of entering safety-critical commands,
• transition from N-FSS to DSS: applied in the case of SRCS malfunction; the transition intensity depends on the mode in which the operator controls the process (single-stage or multi-stage control), on the probability of operator error or HMI failure and on the frequency of entering safety-relevant commands (which is higher than for the transition from P-FSS to DSS).
Safety analysis of the controlled process should be carried out individually for each safety function realized by the SRCS.
For practical use of the procedure described in this paper for the safety assessment of the controlled process, it is necessary:
• to compile the state-space diagram describing the occurrence of the dangerous state, based on good knowledge of the specific SRCS and the controlled process; the compiled diagram should respect not only the factors influencing the safety of the SRCS (its architecture, reliability, diagnostics, ...), but also the mode of SRCS operation and the role of the operator in the control of the process,
• to determine the intensities of the transitions between the individual states of the model.
Determining the transition intensities (especially of the transitions related to human error and to the frequency of issuance of the operator's safety-critical commands) is very difficult. Statistical data acquired from the operation of such systems must be used. Detailed information regarding operator error and the frequency of safety-critical commands used for the control of the railway transport process was published in [7].
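As an added worked example (not part of the paper), the following Python code carries out the two steps of the procedure above for the four SRCS states of Fig. 7: it builds the CTMC generator matrix, derives the operator-related transition intensities from command frequency, HEP, HMI failure probability and the control mode, and computes the probability of reaching DSS by uniformization, i.e. the CTMC-to-DTMC conversion referred to in the Markov analysis paragraph. Every intensity and probability used here is a constructed placeholder, not data from [7].

```python
import math
STATES = ("FSS", "P-FSS", "N-FSS", "DSS")   # SRCS states of Fig. 7; DSS is absorbing

def operator_hazard_rate(cmd_freq, hep, hmi_fail, stages, ef_fail=0.0):
    """Intensity [1/h] of a transition into DSS caused by a wrong safety-critical
    command (operator error with probability hep, or HMI falsification with probability
    hmi_fail). stages=1: unchecked one-stage control; stages=2: the EF must also fail."""
    p_wrong = 1.0 - (1.0 - hep) * (1.0 - hmi_fail)
    return cmd_freq * p_wrong * (1.0 if stages == 1 else ef_fail)

def build_generator(rates):
    """CTMC generator Q from {(src, dst): intensity}; rows sum to zero, DSS has no exits."""
    n, idx = len(STATES), {s: i for i, s in enumerate(STATES)}
    Q = [[0.0] * n for _ in range(n)]
    for (src, dst), r in rates.items():
        Q[idx[src]][idx[dst]] += r
        Q[idx[src]][idx[src]] -= r
    return Q

def transient_distribution(Q, pi0, t, eps=1e-12):
    """pi(t) = pi0 * exp(Q t) by uniformization: the CTMC becomes the DTMC P = I + Q/Lambda
    and the Poisson(Lambda t)-weighted powers of P are summed until the tail mass is < eps."""
    n = len(Q)
    lam = max(-Q[i][i] for i in range(n)) or 1.0
    assert lam * t <= 700, "Lambda*t too large for exp(); split the time horizon"
    P = [[(i == j) + Q[i][j] / lam for j in range(n)] for i in range(n)]
    vec, result = list(pi0), [0.0] * n            # vec = pi0 * P^k
    weight, acc, k = math.exp(-lam * t), 0.0, 0   # Poisson weight for k = 0
    while acc < 1.0 - eps:
        result = [result[i] + weight * vec[i] for i in range(n)]
        acc += weight
        vec = [sum(vec[i] * P[i][j] for i in range(n)) for j in range(n)]
        k += 1
        weight *= lam * t / k
    return result

def dss_probability(rates, t):
    """Probability that the SRCS (and so the controlled process) is in DSS at time t [h], starting in FSS."""
    pi0 = [1.0 if s == "FSS" else 0.0 for s in STATES]
    return transient_distribution(build_generator(rates), pi0, t)[STATES.index("DSS")]

def example_rates(stages):
    """Constructed illustrative intensities [1/h]; not values measured on any real SRCS."""
    return {
        ("FSS", "P-FSS"): 1e-4, ("FSS", "N-FSS"): 1e-5,          # partial / total SRCS failure
        ("P-FSS", "N-FSS"): 1e-4, ("FSS", "DSS"): 1e-8,          # degradation, SF malfunction
        ("P-FSS", "FSS"): 1e-2, ("N-FSS", "FSS"): 1e-2,          # repair
        ("P-FSS", "DSS"): operator_hazard_rate(2.0, 1e-3, 1e-5, stages, ef_fail=1e-3),
        ("N-FSS", "DSS"): operator_hazard_rate(10.0, 1e-3, 1e-5, stages, ef_fail=1e-3),
    }
```

Comparing `dss_probability(example_rates(1), 1000)` with `dss_probability(example_rates(2), 1000)` shows how the double-stage confirmation lowers the operator-related contribution by the EF failure probability while the SF-malfunction contribution stays the same.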

Conclusion
An indirect safety assessment of the controlled process is established, using the assessment of the technical measures (safety assessment of the SRCS) and of the organizational measures (among others, measures to minimize the probability of operator error) applied to eliminate the hazards related to the controlled process.
The operator error rate cannot be a quality criterion of the SRCS. In order to ensure the objectivity of the safety assessment of the technical design of the SRCS, attention must be paid to the technical measures designed to eliminate potential operator error in emergency operation. In this evaluation a nominal value of the HEP must be considered (for example, a statistically determined value for the specific type of controlled process).
Intentional threats to the controlled process by the operator are not considered in the safety assessment of the process. Designing control systems resistant to bad intentions of the operator would result in a significant increase in their price and also in reduced operability of such systems. Reduced operability would lead to serious problems in the control of processes whose running cannot be interrupted.

Fig. 2: Control of the process by the operator: SRCS with safety functions with higher SIL.

Fig. 3: Control of the process by the operator: SRCS with safety functions with lower SIL.

Fig. 7: State-space model of the SRCS and the controlled process.