Human factor HRA techniques
Description: Hazard Risk Assessment
1
© 2011 INSTITUTE OF TECHNOLOGY PETRONAS SDN BHD. All rights reserved. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright owner.
CCB4613 Human Factors for Process Safety
HUMAN RELIABILITY ANALYSIS TECHNIQUES
Image from: blackcloudproductions.com
2
Contents
• Recall: A-B-C Behaviour Model
• HRA Techniques – Definition, Characteristics & Application
• Technique for Human Error Rate Prediction (THERP) – (covered in Chapter 7)
• Human Error Assessment and Reduction Technique (HEART)
• Human HAZOP
• A Technique for Human Error Analysis (ATHEANA)
3
A-B-C Model
• Antecedents (trigger behavior)
• Behaviour (human performance)
• Consequences (either reinforce or punish behaviour)
4
http://www.hrtwarming.com/his-mistake-cost-the-company-250k-in-repairs-his-bosss-response-was-gold/#
CONSEQUENCES
The ingenious use and management of incentives, rewards,
disincentives, and punishments to motivate workers to work
safe. Consequences follow and motivate human factors.
Management Decision?? (as consequences)
5
Quiz: A-B-C Model
The A–B–C model indicates that external application of stimuli can influence behaviour change.
Discuss possible limitations on this approach.
6
Based on the result of task analysis, which breaks a task into a number of subtasks
Having identified errors that could occur in the execution of subtasks, these are then represented in the form of a human reliability event tree
Human event tree: the right branches represent the erroneous actions and the left branches the successful actions
A human error probability (HEP) is allocated for each subtask
The HEPs in the tree are summed to give an overall HEP
Technique for Human Error Rate Prediction (THERP)
7
d. Operators close valve 2
D. Operators fail to close valve 2
Technique for Human Error Rate Prediction (THERP)
8
a. Consider a typical maintenance task: one technician is to set up and prepare a piece of equipment so that maintenance can be carried out on it. By proper set-up and preparatory work, the technician managed to restore the (previous) condition of the equipment. The HEPs for the tasks involved are as given. Determine the overall error probability of the task involved.
THERP – Class Exercise
Description Probability
Erroneous set-up equipment for maintenance 0.01
Fail to restore (previous condition) 0.5
9
b. Comment on the error probability obtained in part (a). The hazards review team suggested that the error probability could be lowered by supervision, usage of checklists and written procedures. Determine the improved error probability if such error reduction strategies are considered in the THERP analysis. The HEPs are as follows:
THERP – Class Exercise
Description Probability
Written procedures are available but not used 0.001
Supervisor fail to check 0.1
Fail to check restoration tasks 0.2
10
HEART was developed by Williams* (1986) to assess how likely a process is to fail based on the potential for human error. HEART is an HRA method based on human performance literature that addresses the following questions:
• Which types of human error may occur (e.g. action error, information retrieval error, communication error, violation)?
• What is the estimated probability of such errors being made?
• What factors may influence this probability (e.g. time pressure, stress, poor working environment, low morale)?
• How can the identified human errors be prevented in the design or how can their impacts be reduced by additional mitigating controls?
*Williams, J.C., HEART – A Proposed Method for Assessing and Reducing Human Error, 1986.
Human Error Assessment and Reduction Technique (HEART)
11
Based upon the principle that every time a task is performed there is a possibility of failure and that the probability of this is affected by one or more error producing conditions (EPCs) to varying degrees
EPCs: distraction, tiredness, cramped conditions etc.
Factors which have a significant effect on performance/task are of greatest
interest.
The method essentially takes into consideration a range of important factors
which may negatively affect human performance of a task.
Each of these factors is then independently quantified to obtain an overall
HEP, depending on each of the factors.
HEART
12
1. The first stage of the process is to identify the full range of sub-tasks that a system operator would be required to complete within a given task.
2. Once this task description has been constructed, a nominal human unreliability score for the particular task is then determined, usually by consulting local experts. Based around this calculated point, a 5th – 95th percentile confidence range is established.
3. The EPCs, which are potentially relevant for the given situation, are then considered and the extent to which each EPC applies to the task in question is discussed and agreed, again with local experts.
4. A final estimate of the HEP is then calculated using the EPC scores.
HEART Methodology
13
HEART Methodology
14
HEART Methodology
15
HEART - Generic Task Types (GTTs)
16
HEART - Error Producing Condition (EPC)
17
HEART - Error Producing Condition (EPC)
18
HEART - Error Producing Condition (EPC)
• The assessed proportion of effect was based on an assessment of the conditions and circumstances which may lead to the EPC being applicable for the task being considered.
• For example, the low workforce morale assessed proportion of effect of 0.3 indicates that there is a 30% chance that low workforce morale could be a significant EPC. It should also be noted that, for instance, the shortage of time available for error detection & correction EPC may have a larger assessed proportion of effect for an operator conducting a complex task requiring numerous repetitions in a quick-paced environment than for another operator performing a similar task in a relaxed environment.
19
HEART – Class Example
20
HEART – Class Exercise
21
HEART – Class Exercise
22
HEART – Class Exercise
23
HEART – Class Exercise
24
HEART – Class Exercise
25
HEART – Class Exercise
HEART Analysis
EPC Assessed Effect EPC/Tot %
Inexperience 1.80 0.02 12.36
Opposite Technique 6.00 0.07 41.21
Risk perception 3.40 0.04 23.35
Conflict of Objectives 2.24 0.02 15.38
Low Morale 1.12 0.01 7.69
Tot EPC 92.12 0.16 100.00
26
HEART – Class Exercise
Changing 6 (max) to 1 (min) for the opposite technique will give the greatest impact
HEART Analysis
EPC Assessed Effect EPC/Tot %
Inexperience 1.80 0.02 18.83
Opposite Technique 1.00 0.01 10.46
Risk perception 3.40 0.04 35.56
Conflict of Objectives 2.24 0.02 23.43
Low Morale 1.12 0.01 11.72
Tot EPC 15.35 0.10 100.00
Task Type = F = 0.003
Assessed human error probability = F x Tot EPC = 0.046062
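The arithmetic behind the two HEART tables above, as an added example that is not part of the original slides. The nominal value and assessed effects are copied from the tables; the function names are hypothetical, and `assessed_effect` uses the standard HEART scaling formula, which the slide text itself does not state.

```python
"""HEART quantification of the class exercise (added example, not from the slides)."""
from dataclasses import dataclass
from math import prod

# Values copied from the slide tables: task type F and the assessed effects.
NOMINAL_F = 0.003
ASSESSED_EFFECTS = {
    "Inexperience": 1.80,
    "Opposite technique": 6.00,
    "Risk perception": 3.40,
    "Conflict of objectives": 2.24,
    "Low morale": 1.12,
}


def assessed_effect(max_effect: float, proportion: float) -> float:
    """Scale one EPC: ((max effect - 1) * assessed proportion) + 1.

    Assumption: this is the usual HEART formula; the slide text lists only
    the resulting assessed effects, not the multipliers or proportions.
    """
    if max_effect < 1.0:
        raise ValueError("an EPC multiplier cannot be below 1")
    if not 0.0 <= proportion <= 1.0:
        raise ValueError("assessed proportion of effect must lie in [0, 1]")
    return (max_effect - 1.0) * proportion + 1.0


@dataclass(frozen=True)
class HeartResult:
    total_epc: float  # product of the assessed effects ("Tot EPC")
    hep: float        # nominal unreliability x Tot EPC, capped at 1.0
    share_pct: dict   # each effect as a % of the summed effects ("%" column)


def heart(nominal: float, effects: dict) -> HeartResult:
    """Combine a nominal unreliability with the assessed effects of its EPCs."""
    if not 0.0 < nominal <= 1.0:
        raise ValueError("nominal unreliability must lie in (0, 1]")
    if any(value < 1.0 for value in effects.values()):
        raise ValueError("an assessed effect below 1 would reduce the error rate")
    total = prod(effects.values())
    summed = sum(effects.values())
    share = {name: 100.0 * value / summed for name, value in effects.items()}
    # The product can push the estimate past 1; a probability cannot exceed it.
    return HeartResult(total, min(nominal * total, 1.0), share)


def rank_mitigations(nominal: float, effects: dict) -> list:
    """HEP when each EPC in turn is fully mitigated (effect 1.0), lowest first."""
    ranked = []
    for name in effects:
        mitigated = {**effects, name: 1.0}
        ranked.append((name, heart(nominal, mitigated).hep))
    return sorted(ranked, key=lambda item: item[1])


if __name__ == "__main__":
    base = heart(NOMINAL_F, ASSESSED_EFFECTS)
    print(f"Tot EPC = {base.total_epc:.2f}, HEP = {base.hep:.4f}")
    for name, pct in base.share_pct.items():
        print(f"  {name:<24}{pct:6.2f} %")
    print("HEP after removing one EPC at a time:")
    for name, hep in rank_mitigations(NOMINAL_F, ASSESSED_EFFECTS):
        print(f"  {name:<24}{hep:.6f}")
```

The ranking puts the opposite-technique EPC first, matching the slide's observation that changing it from 6 to 1 has the greatest impact.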
27
In a conventional process HAZOP, the team usually works from a design represented in P&IDs, backed up by equipment datasheets, instrumentation cause and effect diagrams, layouts, chemical data etc. Possible malfunctions of a process plant are recognized/identified in the design stages, before the equipment is set up.
The intention usually describes process conditions such as flows, temperatures, pressures, levels and the like.
It is from these that we derive the “usual” HAZOP parameters.
Traditional HAZOP will identify much human error potential but could be modified to direct the technique more closely to identify human performance problems.
Human HAZOP
28
The conventional HAZOP technique (most of the time) won’t be able to determine adequate design solutions to those human performance problems.
It typically yields a large number of recommendations to overcome errors by procedures & training, which may not be a powerful design solution.
Human factors practitioners emphasise appropriate solutions, e.g. improving alarm system configuration or design of specialized.
Hence the Human HAZOP approach is proposed as a systematic investigation of a system, interface or procedure to determine likely forms of human error (in performance) that could constitute a hazard.
Human HAZOP
29
Essentially uses the same guidewords as HAZOP and applies them to human task analysis to find possible deviations from predefined procedures.
Human HAZOP - Process
30
If we are looking at a human activity, the key is again to get the Design Intention right.
We need to understand what operators actually have to do – the intended activity. This might be represented in operating procedures, start up and shut down manuals, perhaps emergency shut down procedures, maintenance procedures or process batch record sheets.
Some examples of simple design intentions:
• Charge 50 20 kg bags of product to vessel through open access cover.
• Set up six manual routing valves for recycle operation around column
• Load individual packages onto rotating belt conveyor at rate of 8 per minute
• Press master stop button on control panel and reduce cooling water flow rate to minimum
Human HAZOP - Process
31
The task steps generated from a task analysis are each considered in turn. A list of keywords is then applied to each task step with the aim of prompting the group to identify plausible error forms.
Subsequently, the group considers the underlying causes of the error, the possible consequences of the error, the likelihood of the error and, if required, how the error can be mitigated.
Human HAZOP - Process
32
Typical guidewords applied to the task steps are:
– Omission
– Action too much
– Action too little
– Action in wrong direction
– Wrong action on right object
– Right action on wrong object
– Wrong action on wrong object
– Extraneous act
– Action too late
– Action in wrong order
– Action repeated
– Unclear information transmitted / recorded
– Information not sought / obtained
– Information not transmitted / recorded
– Incomplete information transmitted / recorded
– Incorrect information transmitted / recorded
– Action too long
– Action too short
– Action too early
Human HAZOP – Guidewords for Deviation
33
Typical guidewords applied to the task steps are:
Human HAZOP – Guidewords for Deviation
34
Human-HAZOP Guidewords
Guideword | Prompt
NO / NONE | Not completed at all
MORE / LESS | Too fast / much / long; Too slow / little / short
REVERSE | In the wrong direction
SOONER / LATER | Too early / Too late; At the wrong time; In the wrong order
PART OF | Partially completed
OTHER THAN | On the wrong object
AS WELL AS | Wrong task selected; Task repeated
Human HAZOP – Guidewords for Deviation
35
Then search for causes based on HF knowledge and performance influencing factors.
Need to think about both possible active and latent failures, as well as possible failure modes based on the various behavioural models.
• Human Error Types
- Omission Not done
- Takes wrong reading
- check on wrong object
- wrong check on right object
- Misreads
• Cognitive error
- has to work it out
• Violation error
- deliberate breach
• Psychological factors
- Familiar association
- Stereotype takeover
- Place losing
- Assumption
- Forget isolated act
- Need for information not prompted
Human HAZOP – Causes
36
Human HAZOP - Example
37
Human HAZOP - Example
38
Human HAZOP - Example
39
Let us go back to one of the examples we used just now:
Design Intent - Load individual packages onto rotating belt conveyor at rate of 8 per minute
Guidewords & Deviation - immediate suggestions:
Human HAZOP - Exercise
No Not loaded
No packages available
Not running belt
More Loads faster
Packages larger
Belt running faster
Less Loads slower
Smaller packages
Belt running slower
Reverse Put package wrong way up
Remove package after loading
Belt running backwards
Part of Damaged package/part missing
As well as Wrapping material on package
Objects placed on belt
Other than Non-standard package
Loads another object
Sooner Loads several close together
Later Loads slower
40
Possible causes based on HF knowledge and performance
influencing factors – include possible active and latent failures, as
well as possible failure modes based on the various behavioural
models.
Causes of “loads faster” might include:
• Miscalculating from the known belt speed
• Thinking he/she is on a different job
• Trying to create spare time by loading all packages as quickly as
possible
Human HAZOP - Exercise
41
Human HAZOP - Exercise
42
Human HAZOP - Exercise
43
Resources required/Information requirements: Team made up of personnel experienced in operating or maintaining the system under scrutiny, human factors specialist, HAZOP chair and scribe. Details of operating procedures, task analysis, system design.
Output: Comprehensive and systematic analysis record detailing identified hazards associated with human error, likelihood of occurrence, existing and proposed controls.
Advantages
− Systematic way of ensuring all aspects of a task are analysed
− Produces proposed solutions as part of the study
Disadvantages
− Time-consuming
− Requires a team of analysts (resource intensive)
Human HAZOP
44
Based on a multidisciplinary framework. Considers both:
i. human-centered factors (e.g. PSF/PIF such as human-machine interface design, procedures content and format, and training)
ii. conditions of plant that give rise to the need for actions and create the operational causes for human-system interactions (e.g. misleading indications, equipment unavailability, and other unusual configurations or operational circumstances).
Incidents – combination of plant state, performance shaping/influencing factors & dependencies led to human error that resulted in accident/incident
Combined effect of PSFs/PIFs and plant conditions that create a situation in which human error is likely to occur is an "error-forcing context"
A Technique for Human Error Analysis (ATHEANA)
45
ATHEANA application process flow diagram
46
ATHEANA process steps:
i. Identify human failure event (HFE)
ii. Identify unsafe action associated with the HFE
iii. Identify error forcing context (EFC) associated with unsafe action
– "Non-nominal" accident conditions (i.e., outside the range of normal and expected plant conditions) that enhance the likelihood of human failures; and
– Deficiencies in procedures, training, etc. with respect to their applicability to "non-nominal" accidents.
iv. Estimate the probability of each EFC
v. Quantification of HFE using estimated EFCs
Non-nominal plant conditions:
• A history of false alarms and indications associated with a component or system involved in the response to an accident;
• Shutdown operations with instrumentation and alarms out of normal operating range and many automatic controls and safety functions disabled;
• Unusual or incorrect valve lineups or other unusual configurations.
ATHEANA application process flow diagram
47
• EFC - represents the combined effect of performance
shaping/influencing factors (PSFs/PIFs) and plant conditions that
create a situation in which human error is likely.
• EFC - represents an unanalyzed plant condition that is beyond
normal operator training and/or procedures - can activate a human
error mechanism related to, for example, inappropriate situation
assessment
• Lead to subsequent mistakes (i.e., errors of commission), and
ultimately, an accident with catastrophic consequences.
• Example of EFC - the plant behaviour is outside the expected range;
the plant's behaviour is not understood; evidence of the actual plant
state and behaviour is not recognized; and prepared plans are not
applicable or helpful.
Error forcing context (EFC)
48
Initiating event: Small-break loss-of-coolant accident (SLOCA) of pressurized water reactor (PWR)
HFE: High pressure injection (HPI) has been inappropriately throttled or inappropriate termination of HPI in a SLOCA (persisting to the point of core damage)
Unsafe Act: Operators turn off operating HPI pumps, given the mistaken belief that the safety injection (SI) termination criteria given in procedures have been satisfied
EFCs: First, a decision point must be identified in standard operating procedures which directs operators to turn off operating HPI pumps. Secondly, plant conditions (including hardware operability and reliability) and PSFs which could convince operators that SLOCA conditions do not exist must be identified. Finally, plant conditions and PSFs which could cause operators to persist in their belief that SLOCA conditions do not exist must be identified
ATHEANA Trial Application
49
The termination criteria for an acceptable termination of SI are all of the following (i.e., if conditions a, b, c, and d are met, then secure HPI):
a) RCS Sub-cooling Margin (SCM) > 30°F
b) Secondary Heat Sink:
– Total feed flow to INTACT SGs > 350 GPM
– Narrow range level in at least one intact SG > 9%
c) RCS pressure - stable and increasing
d) Pressurizer Level > 11%
Given that all of these criteria are met, operators are directed to SI TERMINATION - Operators are directed to terminate running HPI pumps.
ATHEANA Trial Application
50
Plant Condition #1: Incorrect RCS Pressure Measurement (i.e., false high)
An erroneously high output from the RCS pressure instrumentation would falsely indicate that both item (c), RCS pressure, and item (a), RCS sub-cooling margin, were met. Because there are multiple pressure instruments, two out of four must fail high, perhaps by common cause (e.g. mis-calibration, drift).
Plant Condition/PSF #2: Unreliable Pressurizer Level Indication
One alternative is that the SLOCA is the result of a power-operated relief valve (PORV) being failed in the open position. When a PORV is stuck open, RCS inventory exiting the pressurizer causes the pressurizer level indication to read incorrectly.
ATHEANA Trial Application
51
The quantification process was carried out, using the judgment of the
team and supplemented by readily available data. The purpose of the
exercise was to demonstrate how to translate the EFC identified above into
terms that are quantifiable
ATHEANA Trial Application
HFE Probability = 0.5 x 0.01 x 0.15 = 7.5E-4
Frequency of core damage from the new scenario involving SLOCA and the newly identified HFE = 7.5E-4 x 2.0E-2 = 1.5E-5
52
Thank you
Self check that, in your own words, you are able to conduct simple human reliability analysis via:
• THERP
• HEART
• ATHEANA
• Human HAZOP
Image from: www.katelrod.com
Presentation Title (acronym) – HRA Techniques; Division – Name/OPU/HCU/BU (acronym) - Chem Eng Dept. UTP; Name of Presenter – Azizul b Buang
62
Based on a multidisciplinary framework. Considers both:
i. human-centered factors (e.g. Process Shaping/Influence Factor (PSF/PIF) such as human-machine interface design, content and format of procedures, and training)
ii. conditions of plant that give rise to the need for actions and create the operational causes for human-system interactions (e.g. misleading indications, equipment unavailability, and other unusual configurations or operational circumstances).
Incidents – combination of plant state, performance shaping/influencing factors & dependencies led to human error that resulted in accident/incident
Combined effect of PSFs/PIFs and plant conditions that create a situation in which human error is likely to occur is an "error-forcing context"
A Technique for Human Error Analysis (ATHEANA)
63
There are seven basic steps to the ATHEANA methodology:
1. Define and interpret the issue under consideration
2. Detail the required scope of analysis
3. Describe the base case scenario including the norm of operations within the environment, considering actions and procedures.
4. Define Human Failure Events (HFEs) and/or unsafe actions (UAs) which may affect the task in question
5. Following the identification of the HFEs, they should be further categorised into two primary groups, safe and unsafe actions (UAs). An unsafe action is an action in which the human operator concerned may fail to carry out a task or does so incorrectly and this consequently results in the unsafe operation of the system.
ATHEANA Methodology
64
6. Search for deviations from the base case scenario in terms of any probable divergence in the normal environmental operating behaviour in the context of the situational scenario.
7. Preparation for applying ATHEANA
In recognition that the environment and the surrounding context may affect the human operator’s behaviour, the next stage of the ATHEANA methodology is to take account of what are known as error-forcing contexts (EFCs), which are then combined with performance shaping factors (PSFs), as identified in the figure provided below [2].
ATHEANA Methodology
65
ATHEANA Process Flow Diagram
66
The formulation by which ATHEANA quantifies error is as follows [2]:
$$P(HFE_{ijr}) = P(EFC_i)\,P(UA_j \mid EFC_i)\,P(\bar{R} \mid EFC_i \mid UA_j \mid E_{ij})$$
where:
$P(HFE_{ijr})$: the probability of human failure event ($HFE_{ijr}$) occurring
$P(EFC_i)$: the probability of error-forcing context
$P(UA_j \mid EFC_i)$: the probability of unsafe action within a specific context or EFC
$P(\bar{R} \mid EFC_i \mid UA_j \mid E_{ij})$: the non-recovery probability in the EFC and given the occurrence of the unsafe action and the existence of additional evidence ($E_{ij}$) following the unsafe action
Error Forcing Context (EFC)