Application of Integrated Human Error Management in Human Factors Engineering Process to Nuclear Power Plant Design

Integrated process of human error management in human factors engineering (HFE) process provides a systematic direction for the design countermeasures development to prevent potential human errors. The process analyzes performance influence factors (PIFs) for crew failure modes (CFMs) and human failure events (HFEvs) in human reliability analysis (HRA). This paper provides applications of the process to the event evaluation for nuclear power plant design, especially PWR. In this application, the HRA/HFE integrated process had specified further detail for PIF attributes which had not been obtained in HRA, and showed further investigations to treat how operators induced their human errors through their cognitive task process in their work environment. This application showed effectiveness of the process in order to provide design countermeasures for preventing potential human errors occurrence based on the extensive PIFs and their error forcing context in HRA.


Introduction
Human Factors Engineering (HFE) process is applied to control room design. Figure 1 shows a typical HFE process applied in control room design (U.S.NRC, 2012). The current practice is to extract important human actions (RIHAs) in the "treatment of important human action" process by applying to risk-importance measures (U.S. NRC, 2007). Riskimportance measures are metrics to measure contributions of risk significance value (i.e., Core damage frequencies (CDFs)) due to particular event (i.e. functions/components failed). Two of different but complementary risk-importance measure are applied; Risk Achievement Worth (RAW) and Fussell-Veselly (FV). The RAW measures the amount that the total risk increases if particular event occurs, and is defined as RAW = (CDFs with A=1)/(CDFs), where CDFs with A = 1 means probability of event A (failure event) occurrence is set to 1. The FV measures the overall percent contribution of containing particular event against the total risk, and is defined as FV = (CDFs with A)/(CDFs), where CDFs with A means all cut set of risks which A are involved. RIHAs are extracted if either of RAW and FV is higher than particular thresholds. However, it is difficult to figure out what operator crew's failure modes (CFMs) or their performance influence factors (PIFs) are involved in particular events. After identifying IHAs, task analysis in HFE process individually performs for IHAs in order to identify PIFs factors and design requirement, such as plant parameters/controllers necessary for task executions.
Human reliability analysis (HRA) aims to calculate human error probabilities (HEPs) tied with probabilistic risk analysis (PRA). For this purpose, HRA consists of two parts; qualitative analysis and quantitative analysis. The qualitative analysis identifies human failure events (HFEvs) in PRA events, then analyzes each HFE to find out operator crew's failure modes (CFMs) and their performance influence factors (PIFs) involved in each HFE. Then the quantitative analysis calculates HEPs by cumulating each HEP in CFMs/PIFs involved in each HFE. HRAs have been enhanced to ensure accuracy and consistency of HEP calculations. The latest HRA methods (U.S.NRC, 2020) introduced a macro-cognitive model which provides a set of cognitive CFM types and their PIFs and detail work scheme/process that allow practitioners to identify comprehensive cognitive errors with their PIFs. Figure 2 shows an example of HRA process (U.S.NRC, 2020). It is effective if HRA assumptions, particulary qualitative analysis results (i.e., CFMs/PIFs) are directly communicated with HFE process (i.e., task analysis) not just by screening with risk importance thresholds, then CFMs/PIFs which are currently used for HEPs calculations, are used for human system interface (HSI) development and procedure development as a design requirement in HFE process in order to minimize potential human error occurrences. The previous study (Boring et al., 2008) provided a possibility and framework to integrate HFE and HRA process.
In order to realize the integration, the current interface between HRA/PRA and HFE process must be modified and demonstrated. This paper provides a study how to integrate HRA and HFE process by employing the latest HRA qualitative process (U.S.NRC, 2020), then demonstrate the integration process with the sample event showing the difference in the current HRA quantitative analysis results.

Integration of HRA in HFE Process
The integration process with HRA quantitative analysis employed is described in Figure 3. Each step is performed with following activities: Step 1: Categorize design countermeasures based on cognitive error types Overall design countermeasures are examined based on cognitive error types and PIFs attributes. Design countermeasures are taken into account from comprehensive aspects; HSI designs (including workplace and work environment design), operating procedures and operator training based on PIF types. Those design countermeasures are still generic means and may already have been addressed by existing HFE design guide.
Step 2: Examine design countermeasures to mitigate potential human errors considering PIFs This step analyzes context descriptions and relations of task sequences and CFMs/PIFs. The step also analyzes task frequency or iteration during events which cause potential human error increase.
From error management point of view, design countermeasures are examined by both of error preventions and mitigations as shown in Figure 4. Mitigations generally mean to minimize hazard expansions but from human factors aspects, error of commissions (EOCs) becomes a major factor to progress/expand error affections after initial human error occurrence. Therefore, the mitigations of hazard, which are caused by human errors, focus on how to minimize EOCs during events. Followings are results from examinations of each error elimination and mitigation process; (a). Error preventions As long as nuclear power plants are operated, hazard causes are not eliminated. Alternatives can be made by appropriate auto/manual allocations based on task analysis. If particular tasks require human capabilities challenging, such as high workload, then automation is recommended. Easiness is to make tasks executions easier considering human cognitive process.
(b). Error mitigations Error detection means include work management tools and methods in operating procedures/training programs, such as, check sheet on procedure steps, three way commutations between operators and supervisors. In case of EOC corrections, third party checks, such as independent plant event diagnosis by technical support staffs and/or computer aids, are effective.
Hazard mitigations are predetermined by plant system designs, then mitigation means are provided and installed in plant site and operating procedure address how those mitigation means are used in accordance with plant conditions. In NPPs, plant event diagnostics are credited by operators. Correction of EOC is a basis toward mitigations.
Step 3: Evaluate human performance using a proto-type simulator Design countermeasures which are examined in Step 1 and 2, are evaluated using a simulator.
Step 4: Evaluate effectiveness of design countermeasures In order to identify design countermeasure effectiveness, comparison checks with design countermeasure implemented or not are performed with the same work environment, scenarios and staffs in order to eliminate the other influence factors or biases. Digital HSIs are relatively easier to switch either of design options in a simulator.

Process Evaluation Using a Sample of Plant Event Integration of HRA in HFE Process
Following sub-sections shows examination result to execute the process. Steam generator tube rapture (SGTR) event was selected to compare HRA/HEF integration results with the original results discussed in the HRA (U.S.NRC, 2020).

Step 1
The sample of examination result is shown in Table 1. The design resolution is allocated to each PIF type but does not specify each specific number of PIF within the same type of PIF. Therefore, design counter measures are allocated in each representative PIF type. Each bold marked line shows major design counter measures. Parentheses show subsidiary means.

Step 2
Step 2 is divided by following sub-steps; Sub-step 2-1: Identification of initial PIFs and CFMs/HFEvs extracted from existing HRA results (U.S.NRC, 2020) executed by following process: (i) Scenario analysis, Perform narrative description development and timeline analysis, then identify HFEvs and initial PIFs.
HFEv analysis, Perform operating sequence analysis, then identify critical tasks. (iii) Perform cognitive tasks analysis, then identify CFMs. Perform task characterizations and precise initial PIFs. (iv) Calculate human error probabilities (HEPs) for each critical task by accumulating human error rates of CFMs/PIFs involved in critical tasks.
There are many information split in HRA so that the first step is to review HRA results, extract necessary information, including initial PIFs and CFMs/HFEvs which are necessary for subsequent analysis steps.
Sub-step 2-2: PIF type in HRA cover broad areas, including HSI, procedures and training. However, HRA focuses on identifying based PIFs or significant PIFs, which largely influence CFMs/HFEvs. Therefore, an additional analysis reviews HRA's identification PIFs and add PIFs considering work system's influence factors, such as HSI, operating procedure, and training which are subsidiary influence factors and may vary due to particular type of control rooms/plants.

Sub-step 2-3:
Operation frequency analysis. HRA performs the analysis based on operating procedure. Human error rate estimation for each PIF is one time action basis. This step reflects operator's behaviors and causal operator's tasks based on plant response during scenarios, which are not always identified from operating procedure based analysis. That is, especially, frequencies of operations for the same actions, which may not be takin into account in HRA and largely, impact on human performance. Therefore, operation frequencies for the same actions are counted and taken into account as additional weight factors.
Sub-step 2-4: Examine design countermeasures from error preventions/mitigations. Error preventions provides pre-design design solutions as error proof and cover HSI design (including work environment), operating procedures, staffing (including organizations and training). Error mitigations focus on providing design solution from how operator acknowledge abnormal situation, then minimize EOC during event. Design solution for error mitigation includes operation support functions using computer aids or communications provided by operation support personnel.
In addition, important/critical operator's actions from deterministic and risk analysis will be determined if plant events are determined due to plant situation progress. Therefore, those operator's important/critical actions are displayed on operating support personnel display screen at real time basis, they may support operators which actions are prioritized for plant responses.
The summary of Step 2 examination is as follows: Results of Sub-step 2-1: Following are the summary extracting necessary information from HRA results for SGTR (U.S.NRC, 2020, Appendix C); (i). Following tasks were identified as HFEvs; HFEv-T1: Fail to isolate the ruptured SG. Following PIFs were identified based on context analysis; Task complexity, Procedures, Multitasking/ interruption/distraction, Stress and time pressure.
(ii). HFEvs analysis Task diagram was developed and two key tasks were identified as shown in Figure 5 (U.S.NRC, 2020). The first task was assigned to automation, then the second was determined as a critical task; Following task characteristics were identified in HFEv1-T1 (Omitting PIFs assigned to "Noimpact").
Special requirements -The task needs to be performed before reaching the SGPORV setpoints. Cue -The cue to start the task is the secondary radiation alarm. Personnel -Adequate well-trained crew. Procedure -EOP-0 and EOP-3 have been implemented in simulator training. The procedures have been optimized based on training feedback.
Following initial PIFs were identified. It is noted that all PIF codes are extracted from the HRA (U.S.NRC, 2020, Appendix B). The description of each PIF code are added after each PIF code.
For example, "C0-No impact" means there is a base task complexity without additional impact;
(iv). HEP estimation Table 2 shows summary of HFEv1, critical task involved in HFEv1, applicable CFMs and PIFs, then calculates HEP based on accumulations of applicable PIF's human error rates.

Results of Sub-step 2-2:
Following are a summary of additional analysis from HFE/HRA perspectives; With the task analysis results, which have comprehensively been performed in HFE process, an extensive analysis was performed to identify following HFEvs and CFMs/PIFs; (a). Check reactor trip & turbine trip CFM1: PIFs-C1, HSI 2, 3, 5, EVN7, FS6, SF0, Inf0; Note) EVN7 (Loud or burst noise) and FS6 (Sudden increase in workload from a long period of low to high) have been selected because a lot of numbers of alarms are initiated at reactor trip (EVN7), and sudden increase of workload is expected at reactor trip from a long period of low workload at a normal operation. HSI 2, 3, and 5 were selected depended on HSI design qualities (2: No sign or indication of technical difference from adjacent sources (meters, indicators), 3: Related information for a task is spatially distributed, not organized, or cannot be accessed at the same time, 5: Poor salience of the target (indicators, alarms, alerts) out of the crowded background). HSI6 (Inconsistent formats, units, symbols, or tables etc.,) was not selected because Step 1 (generic ergonomics design review and applications) eliminate this influence factor. HSI 5 was selected for HEP calculation for safety margin consideration.
(c.) Check Emergency Feed water (EFW) valve alignment CFM1: PSF-C31, HSI2,3,5, FS6, SF0, Inf0 Note) EVN7 was not selected because many additional alarms are not expected to initiate after this step. FS6 was selected because this step is a series of tasks in item a. and b. The other PIFs selections are the same reasons as a. and b.
(d). Control SG level CFM1: PSF-C0, HSI2,3,5, FS8, MT1, SF0, Inf0 CFM4: PSF-C31, HSI2,3,5, FS8, MT1, SF0, Inf0 Note) SF8 (Emotional stress (e.g. anxiety, frustration)) was selected because emotional stress is possibly emerging whereas sudden increase of workload was calmed down after a series of tasks in a., b. and c. MT1 (Distraction by other ongoing activities that demand attention) was selected because operators are required to pay much attentions to manual control of SG level in parallel with the other step executions during SGTR.
(e). Diagnose SG tube rapture CFM1: PSF-C3, HSI2,3,5, FS8, SF0, Inf0 C3 (Detection demands for high attention) was selected because this task (detection) requires operators to carefully monitor the secondary radiation alarm initiation which is a key parameter to diagnose SGTR. This task and subsequent tasks correspond to HFEv1-T1 as identified in HRA. CFM4: PSF-C31, HSI2,3,5, FS2, FS8, SF0, Inf0 (f). Isolate flow from ruptured SG CFM4: PIF-C31, HSI2,3,5, FS2, FS8, SF0, Inf0 (g). Cool down RCS temperature & pressure CFM1: PIF-C0, HSI2,3,5, FS8, MT1, SF0, Inf0 CFM4: PIF-C31, HSI2,3,5, FS8, MT1, SF0, Inf0 MT1 was selected because operators perform RCS cooldown by monitoring subcooling margin and executing the other steps in parallel. Table 3 shows the summary of HFEvs and associated information from HRA/HFE extensive analysis as discussed in this sub-step. By comparing with results from the original HRA based results as shown in Table 2, extensive critical tasks are identified with additional PIFs attribute. It is noted that all critical tasks are categorized in the same HFEv (i.e., HFEv1) in this study since all critical tasks are related to HFEv1. Results of Sub-step 2-3: Item d and g tasks are frequent tasks which require operator to keep attention to plant process and initiate tasks if conditions are met during scenarios. Therefore, numbers of frequencies are set to 10 for item d. and g. whereas the other tasks are set to 1.

Results of Step 2-4:
A sample of results (for item a and e) are summarized in Figure 6. For example, as a design countermeasure, task support display (guidance display) is provided to operators to collect associated plant parameters and components status which are required to be checked operators. This design countermeasure can eliminate HSI2 and 3 influence factors. Also, demarcation (i.e. grouped and placed in dedicated area) of reactor and turbine trip alarms from the other alarms can eliminate HSI5 influence factor. These design counterparts can also eliminate C3 factor (i.e., Monitor many parameters, many types or categories of information to be detected). Regarding error mitigation means, for example, plant computer checks plant parameters and components status with reactor trip status, then display checking results to operators. Also, guidance display which displays associated plant parameters and components and/or plant computer checking result are displayed to plant operation support personnel, then plant operation support personnel can support operators to promote recovery actions, including operator's EOC corrections. Another example is to display important/critical operator's actions (in this case, display "isolate ruptured SG within ten minutes") to plant operation support personnel so that they can support operators to direct goal to achieve safety operation (Figure 7).
Above countermeasures have already been incorporated in plant design based on performance review and/or design resolution examinations to dispose performance challenge using the integrated system validation and operating experience. However, those design resolutions are confirmed effective from human error preventions and mitigations aspect. Those design countermeasures are also identified as recovery factors for HRA, which could improve human error rate.

Step 3
Evaluation of human performance and effectiveness introducing design countermeasures is performed by comparing results with design countermeasures vs without them. In general, workload (WL) and situation awareness (SA) are two major metrics to measure human performance especially for large and complicated human system interaction systems (Kirwan and Ainisworth, 1992). Table 4 summarizes an example of WL and SA evaluation results applying a major SA and WL measurement methods (i.e., five points Likert scales and NASA TLX Hart and Staveland, 1988). It is noted that numerical value in the SA and WL column in the table represent hypothetical values because the purpose aims to verify implementation practices.

Step 4
In this phase, human performance of each operation crew is measured in simulator training program. Critical tasks identified in Step 2 are included in training scenarios. If human failures or finding are identified during scenarios, context describing plant and work situation are tracked. Those contexts are fed back to Step 2 and PIFs are adjusted and design countermeasures are reexamined.

Result
In this application, the HRA/HFE integrated process had specified further detail for PIF attributes which had not been obtained in HRA and showed further investigations to treat how operators induced their human errors through their cognitive task process in their work environment. This application showed effectiveness of the process in order to provide design countermeasures for preventing potential human errors occurrence based on the extensive PIFs and their error forcing context in HRA.

Conclusions
This paper studied how to integrate HRA and HFE process by employing the latest HRA qualitative process, then demonstrate the integration process with the sample event showing the difference in the current HRA quantitative analysis results.
The results show HRA qualitative analysis results (i.e., CFMs/PIFs) are directly communicated with HFE process (i.e., task analysis) not just by screening with risk importance thresholds, then CFMs/PIFs, which are currently used for HEPs calculations, are used for HSI development and procedure development as a design requirement in HFE process in order to minimize potential human error occurrences.