0 évaluation0% ont trouvé ce document utile (0 vote)
23 vues9 pages
This paper analyses the nature of the problem of the application of procedures. It proposes orientations for further research on the matter. This paper marks a particular stage in the research carried out at the E A lectriciteA de France (EDF) research and Development division.
Description originale:
Titre original
Art_DIEN_Safety and Application of Procedures_1998
This paper analyses the nature of the problem of the application of procedures. It proposes orientations for further research on the matter. This paper marks a particular stage in the research carried out at the E A lectriciteA de France (EDF) research and Development division.
This paper analyses the nature of the problem of the application of procedures. It proposes orientations for further research on the matter. This paper marks a particular stage in the research carried out at the E A lectriciteA de France (EDF) research and Development division.
1 avenue du General de Gaulle, F-92141 Clamart, Cedex, France Abstract Emergency procedures are inescapable aspects of safety. They can be seen as the laws to be respected in an accident situation. But as for all laws, there remains the problem of their application: should strict adherence to procedure be imposed under all circumstances? Is this possible? Are there any potential risks with such a requirement? Or, on the contrary, should application be more `open', more exible, allowing for adaptation to the actual situation? But, what are the potential risks involved in this approach? Are these two approaches to the application of procedures mutually exclusive, or are they complementary? This paper analyses the nature of the problem of the application of procedures and proposes orientations for further research on the matter. # 1998 Elsevier Science Ltd. All rights reserved. 1. Introduction In hazardous industries like the nuclear power industry, the existence and appli- cation of operating procedures are established facts intended to guarantee a high level of safety for the plants. Yet events like the nuclear accidents at Three Mile Island in America and the Soviet nuclear plant at Chernobyl have shown that pro- cedures alone were not an absolute and invariable guarantee of safety. As far as procedures are concerned, are there conditions which encourage a high level of security? Are these conditions linked to the design, location, or use of SAFETY SCIENCE Safety Science 29 (1998) 179187 0925-7535/98/$19.00 # 1998 Elsevier Science Ltd. All rights reserved. PII: S0925-7535(98)00021-6 1 This paper marks a particular stage in the research carried out at the E
lectricite de France (EDF)
Research and Development Division on the design and assessment of emergency and abnormal operating procedures. The opinions expressed are those of the author, and are not to be construed as representing the ocial policy of EDF. * Corresponding author. EDF International Division, 30 rue Jacques IBERT, 75858 Paris, Cedex 17, France. procedures? If these conditions are not met, is there not a risk that the procedures might, on the contrary, be tools working against their very intent, i.e. might their application not reduce the level of safety? This paper analyses the conditions currently stipulated for the use of procedures in French nuclear power plants, puts their validity to the test, and suggests new direc- tions for thinking based on accident and incident situations. 2. The problem In the French nuclear industry procedures are a necessity, especially when an incident or accident occurs. First of all, they are a legal requirement, since before a unit can start up, the governing authorities require a demonstration of safety in the form of the existence of operating procedures in the control room. Designers see procedures as a guarantee of safety because their application enables human error to be avoided; operators are still all too often considered as potential generators of error during operation under emergency conditions (stressful situa- tion, unaccustomed type of operation, etc.). Operators themselves feel the need for procedures to help them diagnose the situation and bring it under control. Without procedures they would have to create an `on-line' strategy to bring the process back to a safe condition (Dien et al., 1992). Operators are aware that these situations are complex and that operation calls for management of interactions between processes, themselves, and the view or repre- sentation they have of the process (Woods, 1988). Without support, in an unfamiliar (Rouse et al., 1984) and potentially stressful situation, the risk of error in diagnosis and/or operation is major. Operators could focus their attention on an irrelevant or minor detail of the situation, or could fail to perform actions or acknowledge information to which they are unaccustomed under normal operating conditions, but which are fundamental for operation in an emergency situation. In this area it is possible to formulate many questions. For example: is the general agreement on the need for procedures based on consensus, i.e. on an identical vision of the role and application of procedures by all those concerned? Are procedures used by operators in the way designers require? If there are divergences, can they aect safety? The reections and opinions about these questions, which are expressed in this paper derive from research carried out concerning accident procedure design, analyses of tests performed on full scale simulators, and analyses of real incidents requiring the implementation of procedures. 3. How procedures should be used: the designer's viewpoint This point of view stems from work concerned with the design of procedures. Interviews were held with procedure designers who explained their viewpoints on the role of procedures and of the role and tasks of operators during accident situations. 180 Y. Dien/Safety Science 29 (1998) 179187 The model of the operator which predominates in the design of procedures can be seen in the way in which designers and, consequently, the executive management and training supervisors would like to see procedures applied. This implicit model is a model of an operator `in the heat of action', in that it describes both the opera- tor and the accident situation. But this view of the operator is both mechanistic and static, as the characteristic principles of the model demonstrate (Dien and Montmayeul, 1992): 1. The operator is regarded as a `guided' being who must apply to the letter and follow step-by-step the written instructions in the procedure. The operator does not need to apply signicant skill and knowledge in order to cope with the accident. 2. The situation to be controlled consists of a series of chronological actions that must be carried out in order to pass from one process state to another in a given situation. Implicitly all the equipment and control loops required are available. 3. The person who has to use the procedure is seen as an `average' operator with a given competence. It must be underlined, however, that there is no explicit competence requirement specied for using the procedures. This mechanistic (operator seen as a guided being, all equipment required for recovery of the accident assumed to be available, etc.) and static (consideration of a given situation, abstraction of process dynamics, etc.) model is in keeping with the denition of procedures generally accepted by designers. The procedureoften seen from the angle of its descriptive aspectis dened from a viewpoint that excludes the operator. Thus, Lind (1979) denes a procedure as follows: ``In general, a procedure is a set of rules (an algorithm) which is used to control operator activity in a certain task. Thus, an operating procedure describes how actions on the plant (manipulation of control inputs) should be made if a cer- tain system goal should be accomplished. The sequencing of actions, i.e. their ordering in time, depends on plant structure and properties, the nature of the control task considered (goal), and operating constraints.'' Procedures are not seen as something for helping the operator control a process, but rather they are supposed to `control' the operator. Furthermore, a procedure is implicitly designed exclusively in accordance with the constraints and characteristics of a process, and overlooks the characteristicsboth strengths and weaknessesof operators. From the point of view of the designer, the use of a procedure requires, at the very most, just the ability to read and understand a text, since (strict) adherence to the instructions in the procedure enables the accident situation to be coped with. Everything that has to be done and the order of actions is laid down in the pro- cedure: a procedure is sucient in itself. The side-eect is that a procedure is addressing a user-specic (and implicit) level of competence and knowledge. Y. Dien/Safety Science 29 (1998) 179187 181 Actions are described with a certain level of detail; the more the actions are laid down with details, the less the competence of the future user is expected to be high (and vice versa). However, a procedure is only the instantaneous and time-frozen reection of theoretical (acquired through studies) and practical (feedback on experience) knowledge of the operation of a process at a given moment. There can, therefore, be a `gap' between some instructions of the procedure and the real situation as it is happening (Dien et al., 1991). For example, the original E
lectricite de France (EDF)
procedure for recovery after the loss of the main power supply called for the primary cooling circuit pumps to be started up again, without consideration of the context. Now studies have shown that for some transient conditions, the start-up of primary pumps could result in unwarranted dilution of the coolant, with the ensuing risk of renewedand uncontrollednuclear reaction. As a result of these studies the pro- cedure was amendedrapidly! The designer viewpoint which considers the operator as no more than an opera- tive remains but is changing. Designers have begun to understand that to use a procedure operators have to rely on considerable competence and even culture. Being able to read a procedure means understanding and doing a certain number of things and demonstrating a certain attitude, aspects which are not explicitly expressed in the procedure (Guilmin, 1987). For example, the cooling requirements in procedures mention only a rate of cooling, yet the rate of cooling depends on the relationships between the extent to which some valves are opened and the pressure of the steam generators, aspects which are not mentioned in the procedures. Application of the required rate of cooling, therefore, calls for this specic knowl- edge on the part of the operators in order to overcome this shortcoming in the procedure. 4. How the procedures should be used: the operator's viewpoint EDF has conducted more than 100 real life tests on full-scale simulators during which teams of operators have to cope with accident situations. All their actions are observed and recorded. After the test, there is a debrieng to ascertain their opinions and additional explanations. What is more, after each real incident, operators are interviewed and they explain, among other things, the contributions and short- comings of the procedures used to recover the situation. The point of view of operators expressed here is derived from these data and reects, therefore, the manner in which they `really' use procedures. It must be stressed that in an accident situation, divergences from strict respect of the procedure are relatively rare, but frequent enough not to be ignored, and result from improper alignmentoften temporaryof the procedure with the situation (Dien et al., 1991, 1992). Such misalignment is either inherent to the procedure used or due to one or more previous operator errors. Several deviations from the pro- cedures' strict appliance were noted in each full-scale simulator exercise, but their consequences were almost always practically nil. 182 Y. Dien/Safety Science 29 (1998) 179187 The ability to manage contingencies is a `plus' operators can provide, and con- stitutes a basis for operation. Operators are often called on to respond to situations or events that are not explicitly featured in the procedure. Theoretically, operators can be called on to manage a process situation which is not wholly covered by a procedure (`quite unlikely' situation). Above and beyond this case, operators are often confronted with minor disturbances (jammed controls, faulty sensor, etc.) to which they must nd a remedy. These disturbances are often not taken into account in the procedure which considers a single route to follow or a limited number of alternatives. In addition, due to the level of detail in the description of the actions to be per- formed, a procedure implicitly calls on a certain level of competence, a certain know-how, on the part of operators. A procedure generally calls on a single level of competence. The skill to which the procedure is addressed is implicitly that which is taken into account by the designer during the procedure-design process. But the level of competence required can vary from one procedure to another. Thus, to achieve the same functional objective, e.g. cooling the core, two dierent procedures could use two extreme approaches: 1. either provide details of the succession of equipment to be operated, sometimes with mention of where the controls are to be found in the control room (calling for a low level of competence); e.g. open the TBS # I valve to X%, then start up the TBS # J pump; or 2. simply indicate the system to be operated (calling for a high level of compe- tence) e.g. use the TBS system for cooling the core. This lack of uniformity can be aggravated by dierences in the level of inter- and intra-individual competence of operators who are, therefore, required to be able to continually adapt to the call for action (presentation of the demand for use of the procedure) and their aptitude (`level of competence') at the time. Finally, some actions required by the procedure may not be totally clear, thereby obliging operators to take real-time initiatives and decisions in order to overcome any ambiguity. For example, in an actual incident (Dien and Peresson, 1990) operators realised that one of the rst actions required by the procedure was a leakage analysis; but the procedure did not specify which type of analysis: was it to be a quick but inexact analysis, or a precise analysis which would necessarily take longer? Further- more, which method was to be used, given that the parameters were not stable? All these aspects show that operators cannot keep strictly to the letter of a pro- cedure at all times, for they have to take independent initiatives, i.e. temporarily divert the procedure in order to: 1. make up for its `oversights'; and 2. compensate for the static aspects of the procedure, operation being funda- mentally dynamic (interactions between process parameters, but also regula- tions, adjustments, and adaptation between members of the team in order to co-ordinate themselves). Y. Dien/Safety Science 29 (1998) 179187 183 5. Towards `intelligent' application of procedures Designers' and operators' views on the application of procedures are apparently contradictory. Does that mean they are irreconcilable? Certainly, if each way of thinking were to be pushed to the extremeto the point of absurdityit would be dicult to reach a compromise. Pushing designers' thinking to the extreme would entail each and every situation being covered, each possible case being taken into account, and an appropriate solution being proposed to the operator. Even if it were technically feasible, this approach would result in a `combinatorial explosion' of cases, consequently making the process complex, extremely cumbersome, and, in the long run, unusable (Dien et al., 1992). In addition, it is to be feared that some changes to procedures could be made post hoc, i.e. after occurrence of an actual event that was not envisaged in the previous version of the procedure. Pushing operators' thinking to the extreme would entail relying wholly on opera- tors, on their competence and know-how, and restricting oneself to giving them a few indications on operation in the form of very specic procedures. The character- istics of operation under emergency conditions are very dierent to those of routine operation. Under emergency conditions people may apply knowledge and behaviour acquired under normal operating conditions which could lead to diculties in the context of emergency operation (Grosdeva et al., 1990). To `correctly operate' under emergency conditions, the rst pre-requisite is to be fully aware that the situation is indeed an emergency condition. It has been seen that operators do not always have a true representation of the actual status of the process and, therefore, of the situation in which they nd themselves. During the Three Mile Island accident in March 1979, operators ran the plant for 2 h 22 min thinking that the primary cooling circuit was intact, whereas, in fact, there was a break; during an incident at the Paluel plant in France in January 1993, operators ran excessive cooling for 1 h 20 min without being aware that they were faced with a steam-line break. Finding a compromise to overcome the contradiction between the two ways of thinking requires operators to adapt procedures so that they can be applied in an intelligent fashion. It is necessary to have a certain `disinvolvement' and distance when applying procedures, if only to become aware of one's own errors, e.g. over- sights or `slips' in reading (Kasbi and Lewkovitch, 1993). Intelligent application of procedures means strict adherence to them as long as they are adapted to the situation, and use of initiative at times when there is a divergence between the actual situation and what is expected by the procedure. This means that operators have to realise when the procedure prescription diverts from reality. Some front-end conditions are necessary for operators to be able to apply pro- cedures in an intelligent fashion. Such conditions deal with the design of procedures, the training of operators, organisation in periods of crisis, provision of advanced tools for assistance in operation, and the behavioural pattern that should be devel- oped in daily activities. The design of procedures must bear in mind the characteristics of operators when dening tasks to be implemented, i.e. it should emphasise tasks where human beings 184 Y. Dien/Safety Science 29 (1998) 179187 have specic skills, like making decisions in a `fuzzy' context, or adaptability, and should reduce tasks where humans reach their limits, like repetitive tasks, or rapid detection of information appearing in random fashion, and which is `drowned out' by other information. The procedure must also be adapted to the diversity of operators and of their expectations which depend on their knowledge, level of stress, etc. This calls for the creation of several levels of reading for every procedure, i.e. presenting the same operation function with several levels of detail which could be an `objective' level, a `task' level, and a blow-by-blow `action' level (Dien et al., 1991). With the example of cooling the core, it would lead to three levels characterised by the following formulation: 1. cool to X
C/h (objective level);
2. use the TBS system to achieve cooling (task level); and 3. open the TBS I valve to X%, then . . . (action level). Operator training must not be restricted to learning the application of procedures, but must also deal with understanding the phenomena that occur under emergency- operation conditions, and with explaining and justifying the actions called for by the procedure. Emergency operation calls for the presence, alongside the operating team, of an independent and redundant structure which performs real-time analysis of the situ- ation. In French nuclear power stations this function is performed by the radiation- protection and safety engineer as well as local and national emergency teams connected to the control room. It is also necessary to provide operators with advanced-technology toolse.g. like computer aids (Mosneron-Dupin and Papin, 1992)to help them in tasks where human capacities are weakest. The know-how developed from routine operation provides the operator with his basis for operation under accident conditions (Grosdeva et al., 1990). Because of this, divergences from procedures must be accepted and ocially recognised in daily operation (Dien et al., 1992). In other terms, what is done must not be judged by the environment (procedure designers, power station superiors) on the basis of results (congratulations for success, reprimand for error), and judge- ment must be independent of whether the procedure was followed or not. It is in routine operation that operators should acquire the habit of being disinvolved, of `standing back' from the procedure. The pre-requisite for acquisition of this habit is the `controlled initiative' they are allowed by their environment. Controlled initiative means that the non-application of a procedure is not systematically reprimanded but assessed according to the motive for non-compliance, and the results. Finally, the procedures are not the only means at our disposal. They are one part of a set of `means' which includes individual know-how (training), collective know-how (team coordination, cooperation), management rules and everyday practices. The existence of this set means that the procedures can be applied in a exible way. Y. Dien/Safety Science 29 (1998) 179187 185 6. Conclusion Society accepts a social regulator in the form of laws, which are applied in accor- dance with the context and personal backgrounds of the victim, defendant, and judge. A law is not intangible, for its text cannot cover all the possible cases of actual application, and it can lag behind social evolution: laws are often drawn up for past events, not for future practice. Laws are necessary for the organisation and survival of a society, but in-context application of laws is accepted as one of the guarantees of social stability, for it allows for adaptation and evolution of laws in real time: this is what we call jurisprudence. Similarly, one of the guarantees of safety is the in-context application of pro- cedures. Strict adherence to procedures can engender quite the opposite to what is intended. It should be noted, however, that the alternative proposedallowance for controlled initiative in applicationis not without risk (operator error). Although legal errors (poor application of a law) seem to be socially acceptable, can the same be said for an error resulting in a nuclear accident? The answer to this question lies in appraisal of the choices that would induce the greatest hazards. Are these situations where the procedure must be followed strictly to the letter (but what do you do if it does not cater for the actual situation?) or, on the contrary, are they situations where the operator can be given room for manoeuvre? What is more, the problem cannot be entirely solved if no answer is given to the question of responsibility in the event of error. Who is responsible: the operator or the designer? Is responsibility common/shared or individual? Finally, real progress will be made when the design of procedures is not just seen from a technical viewpoint, or just centred on the procedure/operator combination, but, rather, integrates the conditions required for the application of procedures (types of skills, type of environment, type of aids required, etc.). References Dien, Y., Peresson, H., 1990. Re fexions sur l'utilisation des consignes incidentelles: e tude d'un cas Chinon B2 (Reections on the Use of Incident Rules: Case Study of Chinon B2). EDF memorandum HT-54/90-48A, D548 NT 13/90. EDF, Clamart. Dien, Y., Montmayeul, R., 1992. Contribution of the ergonomic analysis to the improvement of the design of operating procedures. In: Nuclear Power Plants, Workshop `Work Activity in the Perspective of Organisation and Design', Paris, France, October 1516 1992 EDF-DER-ESF, Clamart. Dien, Y., Montmayeul, R., Bozec, J., Lamarre, J.C., 1991. Conception des consignes de conduite de processus continu pour postes de travail informatise s (Design of rules for conducting continuous pro- cesses from computerised work places). In: Revue Ge ne rale de l'E
lectricite , No. 5/91, Paris.
Dien, Y., Llory, M., Montmayeul, R., 1992. Operators' knowledge, skill and know how during the use of emergency procedures: design, training and cultural aspects. In: IEEE 5th Conference on Human Factors and Nuclear Plants, Monterey, USA, June 711 1992. Grosdeva, T., Lemaitre, P., Bonneau, A., 1990. L'ope rateur, le simulateur, l'accident (The operator, the simulator, the accident). In: E
pure No. 26. EDF-DER, Clamart.
Guilmin, J., 1987. Quelques conside rations ge ne rales sur la transposition en images des proce dures de conduite (Some general considerations for the transposition of operator procedures into pictures). 186 Y. Dien/Safety Science 29 (1998) 179187 In: Montmayeul et al. (Eds.), Contributions to a Guideline for Synthetic Displays Design. Final PWS5A2 Report. CEA-EDF-FRAMATOME-WEREAS EDF, Chatou. Kasbi, C., Lewkovitch, A., 1993. E
tude du suivi de consigne: re sultats d'observations sur simulateur et
proposition d'un mode le d'analyse (Study of Rule-Following: Results of Observations on Simulators and a Proposal for an Analysis Model). EDF-DER memorandum HT-54/93-043A. EDF-DER, Clamart. Lind, M., 1979. The use of ow models for design of plant operating procedures. In: IWG/NPPCI Spe- cialists' Meeting on Procedures and Systems for Assisting an Operator During Normal and Anomalous Nuclear Power Plant Operation Situations, Garching, Federal Republic of Germany, December 57 1979. Mosneron-Dupin, F., Papin, B., 1992. Facteurs humains et conduite des centrales nucle aires: voies de recherches (Human factors and operations in nuclear power stations: research lines). In: Journe es de la SFEN sur `La recherche de veloppement des centrales a eau sous pression'. Paris, France, December 23 1992. Rouse, W.B., Kisner, R.A., Frey, P.R., Rouse, S.H., 1984. A Method for Analytical Evaluation of Computer-Based Decisions Aids. NUREG/CR 3655, NRC, Washington DC. Woods, D.D., 1988. Coping with complexity: the psychology of human behaviour in complex systems. In: Goodstein, L.P., Andersen, H.B., Olsen, S.E. (Eds.), Tasks, Errors and Mental Models. Taylor and Francis, London, pp. 128148. Y. Dien/Safety Science 29 (1998) 179187 187