Systematic Human Reliability Analysis (SHRA): A New Approach to Evaluate Human Error Probability (HEP) in a Nuclear Plant

Emergency management in industrial plants is a fundamental issue to ensure the safety of operators. The emergency management analyses two fundamental aspects: the system reliability and the human reliability. System reliability is the capability of ensuring the functional properties within a variability of work conditions, considering the possible deviations due to unexpected events. However, system reliability is strongly related to the reliability of its weakest component. The complexity of the processes could generate incidental situations and the worker appears (human reliability) to be the weakest part of the whole system. The complexity of systems influences operator’s ability to take decisions during emergencies. The aim of the present research is to develop a new approach to evaluate human error probability (HEP), called Systematic Human Reliability Analysis (SHRA). The proposed approach considers internal and external factors that affect operator’s ability. The new approach is based on Nuclear Action Reliability Assessment (NARA), Simplified Plant Analysis Risk Human Reliability (SPAR-H) and on the Performance Shaping Factors (PSFs) relationship. The present paper analysed some shortcomings related to literature approaches, especially the limitations of the working time. We estimated HEP, after 8 hours (work standard) during emergency conditions. The correlations between the advantages of these three methodologies allows proposing a HEP analysis during accident scenarios emergencies. SHRA can be used to estimate human reliability during emergencies. SHRA has been applied in a nuclear accident scenario, considering 24 hours of working time. The SHRA results highlight the most important internal and external factors that affect operator’s ability. KeywordsHuman factors, Environmental factors, Human reliability analysis, Human error probability, Performance shaping factors, Nuclear plant.


Introduction
The complexity of technological evolution has increased the risks related to the management of industrial machines (Harris and Hillman, 2014). Lately, after many accidents situations, the of system reliability (Kim, 2001). According Swain and Guttmann, (1983), HRA methodologies have motivated many activities in research and development (Lundqvist and Gustafsson, 1992).
The targets of present research are: 1) to study the fundamental actions in incidental situations; 2) to analyse the causes of accidents to prevent them. HRA influences maintenance system (Hollnagel, 1996). Maintenance design is a crucial issue consisting of several activities in order to achieve levels of availability and to guarantee the production capacity. The availability of a production system depends on performance and connections of the machines and operators (De Carlo et al., 2013). Maintenance design activities are based on HRA values collected by monitoring the condition of machines and human processes (De Carlo et al., 2014).
In general, the causes that lead to an accident are three: system failures, natural events and human errors (Magnusson et al., 2002).
In recent years, the advanced technology has allowed to create reliability machines. However, the literature analysis shows that most of the accidents occurred in critical infrastructures depends on the human errors. In fact, HRA has been analysed in nuclear plants. Several authors analysed human behaviour in emergency condition. For example, Jung et al. (2007) analyse the performance of the operator in a nuclear plant. Houshyar and Imel (1996) developed a simulation model of human behaviour in a nuclear plant. Literature analysis divides HRA methodologies in three different generations: a) First generation (1970 -1990) focus on the skill and rule of human factor. However, they do not consider impact of context, organisational factors and errors of commission. Some methodologies below to the first generation are: • Systematic Human Action Reliability (SHARP): SHARP considers the integrated man-machine systems (Hannaman and Spurgin, 1984) and it develops the analysis process (Hannaman et al., 1985) in seven steps (Cepin, 2008).
• The Empirical Technique to Estimate the Operator's Error (TESEO): calculates error probability of operator, considering five influential factors on behaviour. The method is simple, but it has a more limited approach related to the uncertainty (Elmaraghy et al., 2008). Bello and Colombari (1980) use this methodology to analyse human factor in the risk analyses of process plant, checking the control room operator.
Accident Sequence Evaluation Program (ASEP): ASEP (Swain and Guttmann, 1983) is a simplified version of the THERP method developed by an author of THERP. ASEP is highly nuclear power oriented. The main goal of its development was to obtain order of magnitude estimates of HEPs without the level of effort required by THERP. ASEP is one of the HRA methods that use time-reliability correlation as the basis for calculating cognitive/decision failure (Williams, 1985;1986).
• Human Cognitive Reliability Correlation (HCR): The HCR method is used to estimate the HEPs of the reference points required by the SLIM. Equations of SLIM for calculating the Success Likelihood Index (SLI) are significantly revised to account for non-linearity of the effect of some PSFs on human performance (Yang et al., 2014) Technique for Human Error Rate Prediction (THERP): THERP (Swain and Guttmann, 1983) was initially developed and used by Sandia National Laboratories (SNL) in 1961 for HRA analyses. WASH-1400WASH- (1975 used THERP to perform HRA in Nuclear Power Plants. To calculate the HEP for a task, THERP provides a number of activities for the analyst to identify the HEP's existence in the tasks of analysis. THERP provides a list of PSFs but gives no specific rules to evaluate the states of these PSFs and their effects on HEPs (Xu et al., 2014).
• Success Likelihood Index Method (SLIM): SLIM is not an HRA method per se, but rather a scaling technique. It has no fixed set of HEPs nor does it have a required set of PIFs/PSFs (Park and Lee, 2008). It was developed under United States Nuclear Regulatory Commission sponsorship in the 1980's to formalize the use of expert judgment in estimating HEP values. It requires minimum data points (e.g., real event statistics) for HEP assessment (Kariuki and Lowe, 2007). While the method has been extensively used in nuclear PRAs, as a computational framework, it can be easily applied to other domains.
• Human error assessment and reduction technique (HEART): HEART (Williams, 1986) was adopted for use in a number of PRAs performed in the United Kingdom nuclear power plants in the early 1990's (He and Van Nes, 2012). Its approach to HEP assessment differs from methods that require task decomposition. "Generic tasks" are defined with corresponding basic HEPs. Each generic task is described by a few sentences that specify the nature of the human action and its context. In order to determine a base HEP, the analyst must first identify the generic task that provides the closest match to the task of interest. Such an approach greatly reduces the effort required for calculating HEP (Kirwan, 1996).
b) Second generation methodologies (1990)(1991)(1992)(1993)(1994)(1995)(1996)(1997)(1998)(1999)(2000)(2001)(2002)(2003)(2004)(2005), integrate internal and external factors affecting human reliability. In second-generation models, the factors that determine PSFs are derived by focusing on the environmental impact on the cognitive level (Kirwan, 1996). Some methodologies below to the second generation are: • Cognitive Reliability and Error Analysis Method (CREAM): CREAM (Hollnagel, 1998) was developed for general applications and is based on the Contextual Control Model (COCOM), which, from the information processing perspective, has emphasized the identification and quantification of so-called "genotype errors" (or cognitive errors) (Colangelo, 2012). Konstandinidou et al. (2006) use CREAM method to realize a fuzzy modelling application of CREAM methodology for HRA. CREAM provides a two-level approach to calculate HEPs: basic level and extended one the basic method is designed for task screening. It provides simple rules to determine the HEP range for a task based on the combined PSFs states.
• A Technique for Human Event Analysis (ATHEANA): ATHEANA is the product of many studies sponsored by the U.S. Nuclear Commission. The initial effort started in 1992 (Pinto et al., 2014). It contains a detailed search process that promises to determine cognitive vulnerabilities in crews that may not be discovered when applying other HRA methods. The publications covering results of this research include (Cooper et al., 1996) ATHEANA was designed to be a full scope HRA method including capability for performing predictive task analysis (or error identification) and retrospective event analysis. It offers a procedure to search for and identify errors based on context analysis.
• Standardized Plant Analysis Risk -Human RA (SPAR-H): SPAR-H (Gertman et al., 2005) was a revision of Accident Sequence Precursor (ASP) method. The revisions were intended to make the characterization of human performance in SPAR more realistic. SPAR-H has been applied to over 70 U.S. nuclear power plants. SPAR-H was originally developing as a screening methodology, but later the method was extnded for full HEP quantification. Rasmussen et al. (2015) try to adapt the HRA to the petroleum industry using the SPAR-H method. SPAR-H is based on an information-processing model of human cognition. The eight PSFs used by the method are: Available time; Stress/Stressors; Complexity; Experience/Training; Procedures; Ergonomics/Human-machine interface; Fitness for duty; and Work processes.
c) In recent years, shortcomings of the second generation HRA methods have led to further developments related to the improvement of pre-existing methods (Di Pasquale et al., 2013). The third generation of HRA uses the modelling and simulation system with a virtual representation of humans to determine situations that may challenge human performance in space missions (Boring, 2005): • Nuclear Action Reliability Assessment (NARA): NARA (Kirwan et al., 2005) is a refinement of the HEART method to (a) have better fit to nuclear contexts, (b) consider errors of commission, (c) have substantial data support, (d) consider long time scale scenarios, and (e) have better guidance on usage. NARA uses the same approach as HEART to calculate HEPs. The main differences between NARA and HEART are (a) the grouping of the generic tasks, (b) the weights of the error producing contexts, and (c) the use of the CORE-DATA human error database in NARA. NARA uses different weights for some of the error producing conditions than HEART. This suggests that the PSFs' weights and perhaps the basic HEPs of the general tasks of HEART and NARA need to be revisited carefully for NASA applications. Boring (2010) proposes a dependence model between the PSFs. In addition to the human behaviour simulation software, there are many geographic software that allows to manage the external environment during an incidental situation. Rauschert et al. (2002) using GIS, geographic interface to manage the emergencies. The research takes into account the external environment and its characteristics (Trucco and Leva, 2007;De Ambroggi and Trucco, 2011). The development of the internet and the social networking has made it very useful this type of application, especially in relation to the flow of information. Even Schafer et al. (2007) manage the planning of emergency management through a geographical software. It examines the geo-spatial maps and develops the plans and the emergency procedures. Currion et al. (2007) develop a simulation tool to manage the coordination during an emergency situation. Another field of emergency management study is on health facilities. Levi et al. (1998) describe experience with developing and implementing the use of simulation software as a drilling technique used by Israeli hospitals. The application was developed using SIMAN/ARENA software. Cowan and Cloutier (1988) describe a required, roleintensive leadership simulation in emergency and disaster medicine management for fourth-year medical students. The simulation exercise is designed to provide an opportunity for Federal medical students to experience a realistic combat or a disaster environment similar to the environments in which they may be required to operate medical support systems. Christie and Levary (1998), use the simulation model, "what-if" analyses to predict the consequences of conceivable scenarios.
The present study starts on the several shortcomings of literature HRA models (Calixto et al., 2013). The proposed model, called Systematic Human Reliability Analysis (SHRA), overcomes the limitations of the most conventional HRA methodologies, merging the advantages of NARA, PSFs and SPAR-H models (Table 1). Furthermore, the present research analysed three limitations related to the NARA model: 1) HEP is limited to the first 8 hours of work; 2) no dependency between relationships of PSFs; 3) failure rate is constant. SHRA model try to overcome these shortcomings

Systematic Human Reliability Analysis (SHRA)
In this section the proposed HRA model is described. The new approach combines three methods of HRA: the NARA methodology, Spar-H methodology and Boring's PSFs dependency.
The human (internal) and the environmental (external) factors that influence the operator's ability are both evaluated in the new approach. The starting model NARA is an upgrade of HEART method. The Boring's PSFs dependency considers the external factors, while the NARA and Spar-H methods consider the internal factors.
The present paper analysed some shortcomings related to literature approaches, especially the limitations of the working time. We estimated HEP, after 8 hours (work standard) during emergency conditions (Duraccio et al., 2015).
The model will be applying during a simulated emergency in nuclear plant, considering 24 hours of working time.
SHRA method is structured in the following steps: Step 1: Preliminary Analysis. An identification of the activities to be simulated. It lists all the activities performed by decision maker while working in nominal conditions and during an emergency. It is important to identify the accident scenarios considering the gravity of the situation, HEP will be associated for each of these activities, where HEP represents the unreliability of the operator. During an emergency, working time is a critical parameter that must be carefully evaluated. For example, Di Pasquale et al. (2015) and Gertman and Blackman (1994) simulate the HEP with the Weibull function while Chiodo et al. (2004) uses a random function to evaluate human performances. Usually, Gauss function is selected during "wear out" phase of components. This phase can be compared to the stress phase of an operator during an accident scenario.
Starting from the above analysis, we have selected Gauss distribution to link HEP and operating time. (1) Step 2: Identification on Human Activities (Internal Factors). In this phase we defined Generic Tasks (GTTs), that represent the internal factors of the operators (Kirwan, 1996). Each GTT follows the Gauss function that represents the "wear out" condition of human operator. Using Gauss distribution, HEP will be calculated. The HEP increase vs. time. The Table 2 describes the NARA GTTs, while k is the human unreliability value to 8th hour of working time (McLoughlin, 1985;Mendonca et al., 2001), λ is the constant value of failure rate, µ is the Mean Time to Failure and σ is the standard deviation. Assuming λ=constant, we obtain: (2) where, f(t) = λ − is the failure probability density function when λ=constant (Table 2). Step 3: Basic Human Error Probability (HEPbasic) The calculation of the basic error probability (influenced by GTTs) follows the Gauss distribution (eq. 1). The nominal distribution is theoretical and do not take into account the external environment factors. HEPbasic takes into account only the k value ( Table 2). The Gauss distribution is selected to describe the human reliability during the "wear out" when the failure rate grows up. The human unreliability value (Table 2) is the input value for equation (1), where µ and σ are calculated using equations (3) and (4). The basic HEPbasic is determined as: The equation (5) considers a working time greater than eight hours, because in several emergencies some operators could work even 24 hours consecutive.
Step 4 (Table 3). Step 5: PSFs Correlation (PSFcor). The PSFcor value is evaluated from the product of all PSFs and their value of independence (table3). The PSFcor represents the external environmental conditions. The PSFi value is individual value of PSFs (proposed by Gertman et al., 2005), where "n" is the total number of PSFS that are considered in the model. The sum of dependence index is the sum of the correlation value of PSFs represented in Table 3. Experts assess the state of each PSF (0<State (PSFi)<1).
Step 6: SHRA Model (HEPSHRA). Starting from NARA and SPAR-H formulations the real HEP is calculated. The combination of human factors and environmental factors returns the HEPSHRA value: The HEPSHRA is the unreliability value of operator during an accident scenario, depending of influencing factors.

Case Study: SHRA Application in a Nuclear Plant
A nuclear plant is considered to validate our model. Figure 1 shows the plant. In particular, the HEP in a control room is analysed (Figure 2).  The nuclear plant is chosen as the consequences of a nuclear accident could cause tragic consequences for the operators and the external environment.
Step 1: Preliminary Analysis The emergency activities of decision maker in the control room of nuclear plant, during a fire, are summarized in four steps: a) Emergency alarm activation: -activate emergency signal; -activate of the protection system; -evacuation of personnel; b) system block -activate external alarm; -insolation damaged area;

c) Internal Emergency Team activation d) Request of external aid
The three simulation scenarios are: a) weak accident: the decision-maker has the situation under control (PSFs value are good); b) medium accident: the decision maker can make bad decisions (PSFs value are average); c) worst accident: likely wrong choice of operator (PSFs value are bad).
Step 2: Identification on Human Activities. The major causes of accidents are to be found in the human unreliability of the decision maker assigned to the control room. The case study focuses on the analysis of human reliability in the control room during emergency conditions. The operator in the control room manages simple and complex actions. The choice of four GTTs (Williams, 1986) was carried out through interviews with an Expert Judgement. Applying eq. (2), (3) and (4) the four GTTs are related to the four activities manage by the decision maker described in step 1 (Table 4). Step 3: Basic Human Error Probability (HEPbasic) Using Equation (6), HEPbasic for four GTTs is calculated. Table 5 describes HEPbasic values, during 24 working hours (Table 5). Step 4: External Factors Definition.
According to an Expert Judgment PSFs values have been selected. The analysis emphasized five fundamental factors (Allen and Seaman, 2007): -Available time: the time needed to receive, check and process the information and make the decision; -Stress: the degree to which you feel overwhelmed or unable to cope as a result of pressures that are unmanageable; -Complexity: the complexity of task performing; -Experience: the competence and seniority of the decision maker; -Procedures: the risk management of nuclear plant. Table 6 describes the PSFs values and Table 7 reports the PSFs correlation (Boring, 2010).  Step 6: SHRA Human Error Probability (HEPSHRA) Applying equation 5, HEPSHRA has been evaluated. combining internal operating conditions (HEPbasic) with external environment conditions with their dependence (PSFcor). Table 8 shows the HEPSHRA values for four GTTs during high hazardous scenario and Figure 3 describes the HEPSHRA trends.  Applying Eq.9: where, HRASHRA is the SHRA human reliability value, the HEPSHRA values have been compared with HRASHRA ones (Table 9).  In Figure.4 we highlighted the SHRA outcomes of the most critic Generic Task (GTT-C2).

Discussion
The operator's choices in emergency conditions depend on many factors. In some cases, the decision maker can take wrong actions. For example, it may make a wrong decision or even not make any decisions. The unreliability of the operator generates high risks for the company. In this condition, HEP is influenced by the human factors and the environmental factors (PSFs).
It is necessary to study HEP of the decision maker in accordance with its internal situation and depending on the environment. Human Unreliability vs Human Realibility (GTT-C2) who works in a control room of a nuclear plant.
HEPSHRA increases with operating time, due to human factors, because the decision maker will be tired during the working time. In fact, HEPSHRA for GTT-A5 in the 2th hour it is 2%, while at the 24th hour it is 10%. However, the human unreliability depends also on the GTTs. For the 24th hour of work the GTT-A5 is 10%, the GTT-A6 is 0.5%, GTT-B5 is 16% and GTT-C2 is 41%. The results highlight that GTT-C2 is the most relevant task (HEP=41%) while GTT-A6 is the less relevant task (HEP=0.5%).
In fact, the "Identification of situation requiring interpretation of complex pattern of alarms/indications" is a more complex task for an expert operator than other analysed tasks, during an emergency situation that could last for 24 working hours.
The approach defines a support to minimize HEP. The outputs show that HEP depends on three factors: time, human factors and environmental factors. The HEPSHRA output highlight the following improves: • improve the work processes e.g.: work breaks, ergonomics, statistical process control, logistic, quality, etc; • improve of reliability system; • improve of safety system; • improve of maintenance system.

Conclusion
The aim of the present paper is to propose a new method to evaluate HEP, called Systematic Human Reliability Analysis (SHRA). This study was done for identifying and evaluating of the human error in control rooms in a nuclear plant. The proposed approach considers all factors that influence decisions and actions of the operator: internal and external factors. GTTS represent internal factors. PSFs represent external factors. HEP is the output. Starting from Gauss distribution, the new approach is based on NARA model and on PSFs dependences. SHRA model output an increasing trend of HEP in relation to the operating time. The outputs are useful to define the improvement strategy of the system and to increase the safety value.
HEPSHRA increases with operating time, due to human factors, because the decision maker will be tired during the working time. In fact, HEPSHRA for GTT-A5 in the 2th hour it is 2%, while at the 24th hour it is 10%. However, the human unreliability depends also on the GTTs. For the 24th hour of work the GTT-A5 is 10%, the GTT-A6 is 0.5%, GTT-B5 is 16% and GTT-C2 is 41%.
Although the SHRA method is a simple and convenient method to evaluate the reliability of human, we find some disadvantages for applying this method. They include an ambiguity and overlap in definitions of the PSFs; expertise requirement; and even biases in experts judgments. Future research aims to investigate how PSFs can change after the normal working hour (8 working hours) and to developed a statistic function to evaluated State (PSFs) without Expert Judgement.