Introduction
THE PANEL'S CHARGE
The responsibility of the Nuclear Regulatory Commission
(NRC) for ensuring the safety of nuclear power plants is the basis
for its human factors research program. Events, some of them
near tragic, of the past decade suggest that improvements in that
research program are essential to the health of the nuclear indus-
try and the safety of nuclear plants and the public. Since the
accident in 1979 at the Three Mile Island Unit 2 plant, the nuclear
industry and the NRC have become acutely aware of a fact already
established in many industries, that human error in some form is
responsible for a large proportion of accidents and is a challenge to
system safety and productivity (Meister, 1971; Miller and Swain,
1987).
The panel was charged by the NRC "[to] identify study areas
in the current and recent programs that may have received inad-
equate attention and to provide guidance to the Office of Nuclear
Regulatory Research, the Nuclear Regulatory Commission (NRC),
and other research and development agencies in government, pri-
vate industry, and universities regarding an appropriate research
program in human factors to enhance the safe operation of nuclear
power plants."
THE DEFINITION AND ORIGINS OF HUMAN FACTORS
Human factors is a multidisciplinary field that draws on the
methods, data, and principles of the behavioral and social
sciences, engineering, physiology, anthropometry, biomechanics,
and other disciplines to design systems that are compatible with
the capabilities and limitations of the people who will use them.
Its goal has been to design systems that use human capabilities in
appropriate ways, that protect systems from human frailties, and
that protect humans from hazards associated with operation of
the system. In short, human factors has been an applied science
of people in relation to machines.
Human factors in the United States had its origins in World
War II, when it was discovered that new technologies were either
misused, or could not be used in ways that would fully exploit
their potential, because human characteristics had not been ade-
quately considered in the design, operation, and maintenance of
the technologies.
The earliest research and development in the field was con-
cerned with how displays and controls should be designed to match
the sensory, perceptual, and motor capabilities of their human
users. Although limited in scope, it was a novel and successful
approach that opened new dimensions and perspectives on sys-
tems engineering. As a result of the application of human factors
knowledge, for example, high performance aircraft that previously
could not be flown safely could be deployed effectively because
cockpits had been redesigned around the capabilities of the pilots
who would fly them.
This early work was greeted with sufficient acclaim to justify
research in other areas of what was called "man-machine system
design." As time progressed, specialists in human factors were
asked to address problems of personnel selection, staffing, train-
ing, design of training equipment, protection from unusual and
dangerous environments, and the many other factors that must be
considered in achieving a habitable environment and a workable
symbiosis between people and machines. However, even with this
expanded scope, questions concerned with the larger sociotechnical
organization in which a system was embedded were often not
addressed.
In recent years, however, it has become clear that knowledge
broader than the traditional scope of human factors must
also guide the design of the sociotechnical organizations in which
individuals and physical systems interact and function. Just as
individual errors can degrade the performance and safety of a
system because of the way the hardware interface is designed or
because of inadequate operator training, so too can errors in the
design and management of an organization or the regulation of the
overall system degrade system performance.
Because of the historical focus, it was natural that in the
wake of the Three Mile Island accident the industry and the NRC
would look to the operator-plant interface as a potential cause of
operator error that might benefit from redesign. While it is clear
that proper design of this interface is critical to safety, conditions
other than the control room interface can also induce error and
increase the level of risk in the operation of a plant. These conditions
can arise from the way in which a system (including people,
hardware, software, and facilities) is designed to be operated and
maintained, the way in which it is organized, managed, and regu-
lated, and the way it interfaces with the many other elements of
the industry.
Recognizing this early in its deliberations, the panel consid-
ered the term human factors to include those conditions that
affect the performance both of individuals and of organizations.
We believe that to ensure safety of nuclear power plant opera-
tion it is necessary to address the issues associated with human
performance within systems from a view of human factors which
encompasses not only the human-machine interface but also the
larger sociotechnical system in which it is embedded. The panel
used this definition of human factors to assess the long-range hu-
man factors research needs of the NRC and the nuclear industry.
THE PANEL'S APPROACH: NUCLEAR REACTOR
OPERATION AS A SOCIOTECHNICAL SYSTEM
Aside from being the worst commercial nuclear accident in
the United States up to that time, the events of March 28, 1979,
at Three Mile Island are a case of what Lanir (1986) calls a
"fundamental surprise." A fundamental surprise, in contrast to a
situational surprise, is the sudden recognition of the incompatibil-
ity between one's beliefs and reality, what a psychologist would
call cognitive dissonance. Examples of fundamental surprise in-
clude the 1941 attack on Pearl Harbor and the 1957 launching of
Sputnik for the United States, and the 1973 Yom Kippur war for
Israel.
An appropriate adaptive response to a situational surprise can
be derived from existing knowledge. The same is not true, how-
ever, for an adaptive response to a fundamental surprise. Existing
knowledge may offer neither a full explanation of its causes nor a
proposal for dealing with it in the future. A fundamental surprise
calls for fundamental learning, which occurs in stages rather than
by revelation. Small increments of knowledge are acquired and
small steps are taken to apply the new knowledge. Ultimately,
however, a new knowledge base and belief structure emerge that
are capable of handling future surprises. Fundamental learning
can sometimes be arrested if it is believed that partial knowledge
and the solutions derived from it are complete and sufficient. Such
a partial response appears to represent that taken by the NRC
and the industry since the Three Mile Island accident.
One of the first lessons learned by the industry from Three
Mile Island was that the errors made by operators in a control
room were a significant contributing factor to the accident and
its unsuccessful management. Accident investigations disclosed
that these errors were due to a variety of factors: inadequate
training, a control room poorly designed for people, questionable
emergency operating procedures, and inadequate provisions for
the monitoring of the basic parameters of plant functioning.
As a result of this early learning, a variety of remedial activities
were undertaken to improve training, encourage the acquisition
of plant-specific training simulators, review and improve
the human engineering of control rooms, upgrade procedures, in-
corporate instrumentation for post-accident monitoring, and add
safety parameter display systems to control rooms. In addition,
steps were taken to initiate a human factors research program in
the NRC, and the Department of Energy laboratories were called
on to support that program.
Some utilities hired human factors specialists. The Electric
Power Research Institute expanded its human factors research
program. It was clear from actions such as these that the first
stage in fundamental learning had taken place. The important
role played in plant operation and safety by plant crews had been
recognized, as had the realization that existing knowledge on this
role was incomplete.
Encouraging as this was in the process of implementing the
lessons learned from Three Mile Island, the actors involved appear
to have come to treat the accident as a mere situational sur-
prise and to apply purely technical solutions to human problems.
This is a reaction that might be expected of a community with a
strongly established engineering culture. The lesson that was not
yet fully learned was that, in reality, the operation of a nuclear
power system is far more complex than had previously been sup-
posed: it is a technical system embedded within a much larger,
more complex, sociotechnical system of people, organizations, and
regulations that interact with one another in ways that are not yet
understood.
The words "system" and "systems" are used in several senses
which should be clear from the context. A "system" in the report
is an interconnected set of parts making up a whole entity which
has a common purpose. Thus, in one context we may speak of
the "emergency core cooling system" meaning all that equipment
which together is designed to cool the reactor core in emergencies.
We may speak of the "human-machine system" and mean the
combination of human and reactor, turbine, etc. which collectively
make up a nuclear power plant. Or we may talk of the man-
agement and organizational system and mean those subgroups of
humans responsible for setting policy, making rules, etc. to govern
the behavior of those who operate the nuclear power plant. By a
"sociotechnical system" we mean the combination of plant hardware
whose behavior is governed by physical laws, humans whose
individual behaviors are governed by the laws of biology and psy-
chology of individuals, and the interaction of the social group of
the humans involved in nuclear power plant operation, manage-
ment, and maintenance where the interactions are governed by the
hierarchies, pressures, and influences of social forces.
On the other hand, by a "systems approach" we mean a way of
looking at a nuclear power plant not as composed of components
whose properties can be examined in isolation, but rather as a
collection of components including human components, each of
whose properties affects and is affected by the others dynamically
from moment to moment, so that to predict the performance of
any component requires that one consider the state of, in general,
many others.
[Figure 1 (diagram not reproduced): layers labeled ENVIRONMENTAL CONTEXT, ORGANIZATIONAL/MANAGEMENT INFRASTRUCTURE, PERSONNEL SUBSYSTEM, and TECHNICAL/ENGINEERING SYSTEM, with boundaries marked A, B, and C.]
FIGURE 1 Components of an integrative system safety analysis. Adapted
from Shikiar (1985).
Figure 1 illustrates the principal elements of this sociotechnical
system. The innermost layer represents the physical system, the
nuclear power plant. The interface between it and the individuals
who operate and maintain it, often called the "human-machine
interface," is represented by Boundary A. This boundary has
been the focus of traditional human factors engineering. The per-
formance of the individuals on one side of this interface and plant
systems on the other is influenced by its design. However, the
display and control interface is but one piece of the picture because
the performance of these individuals is affected by more
than displays and controls. The cognitive processing of operators,
personnel selection policies and methods, training and training
devices, procedures, and the less tangible but potent effects of mo-
tivation, group interaction, boredom, fatigue, stress, and morale
all play a role. These areas are traditionally the realm of industrial
psychology.
As we move out from the center of Figure 1, we see that the
people in the plant (the personnel subsystem) operate in an or-
ganizational environment that results from management decisions
concerning organizational design and structure. There appears to
be a great deal of recognition on the part of the NRC and the
nuclear industry of the crucial role played by management leader-
ship in safe operations. What is less frequently recognized is that
at this level of analysis a number of important research questions
can be posed, the answers to which may result in improvements to
safety.* This level of analysis is the traditional realm of manage-
ment sciences and organizational behavior research.
It is important to recognize that the nuclear power plant and
its personnel and management all operate within an economic,
political, and social context, as shown in the outer layer of Figure
1. This level of analysis recognizes that safety is influenced by
production and profit pressures, public support or opposition to
the nuclear power plant, relations between the various regulators
and the utility management, as well as the specific policies and
actions of the regulators. While it is easy to see how this level
of analysis affects public health and safety, it is more difficult to
see how this could be the subject of research. Nevertheless, we
identify it as an important area to be investigated by economists,
political scientists, and lawyers for research approaches that may
be offered by these disciplines to improve safety.
* In this report to increase safety is to decrease the probability that
people, property, or environment will be harmed by some event arising from
the construction, existence, or operation of a nuclear power plant; to decrease
safety is to increase that probability.
The panel firmly believes that research that recognizes a systems
approach, with the "system" broadly defined as in Figure 1, has
great potential for delivering results that yield useful
recommendations for safety improvements. Failure to recognize the
effects of the outer layers of Figure 1 on safety may result in
valid improvements to safety being unimplemented or ineffectively
implemented because management or environmental constraints
were ignored. At best, approaches to improving plant safety that
do not recognize these constraints will be incomplete.
The systems approach points out that risk estimates by im-
plication embody a design and operation philosophy for the plant.
These probabilities, at best, can be correct only if the plant is
operated in accordance with the assumptions made by those per-
forming the risk analysis. But those assumptions are not usually
made explicit, or at least they are not explicitly incorporated into
training, the design of operating procedures, and other elements of
plant operation. Unless the assumptions made during risk analysis
are explicit as an operating philosophy, there can be no guarantee
that even the best estimates are valid at any moment. Any changes
in operating practices, maintenance practices, or other functions
must be fed back into a further risk analysis, which in turn should
feed forward into the management and operational philosophy.
The aim of the research program proposed by the panel in the
report is to suggest such changes in regulation, management, and
operations, which would lead to a formal statement of research
philosophy.
Research will suggest changes in design, procedures, and op-
eration, but by themselves these changes will not guarantee safe
operation, and by itself research cannot guarantee safety. Research
must be used in a coherent philosophical framework. In engineer-
ing it is standard practice to control error by a feedback system.
Controlling human error, and hence human-induced or human-
exacerbated risk, should be done in the same way. Human factors
research should be seen not as an answer to a question about risk,
but as a control signal in a feedback system. Risk analysis sug-
gests aspects of operation that require modification because they
are prone to the effects of human error. Research suggests ways to
change human behavior so as to reduce human error. The results
of these changes alter the values in the risk analysis. Further risk
analysis and task analysis of new methods of operation will sug-
gest further changes in operation or new candidates for sources of
human error and the cycle will repeat.
In the past, viewing research as the answer to a specific ques-
tion has led to the classic and common mistake that is seen in
the operation of complex systems. The removal or change in value
of a single variable leads not only to a local result but also to
complex interactions that propagate through the system in often
unpredictable ways. This is as true of research on the human
components of a system as it is of any other component. If the
results of research are to lead in a direct and practical way to
the reduction of error and the reduction of risk, then research
must be coupled to reliability analysis and to management, oper-
ations, maintenance, and regulation, so that an effective control
signal is sent through the system. The NRC must conduct regu-
latory research on the problem of coupling the control signals of
research to their reliability and risk analysis so as to optimize the
control operations, not just to answer questions and accumulate
knowledge.
A SCENARIO
To emphasize the need for a sociotechnical approach, consider
a control room crew confronted suddenly by a burst of alarms
indicating that an abnormal transient has occurred. What will
determine whether they are able to handle the emergency?
The quality of displays is of course critical. Their layout
and legibility affect the time required to locate and read them.
Whether they display raw data or derived measures affects the
extent to which short-term memory and complex cognitive pro-
cesses will be demanded of the crew. The layout of controls and
whether they conform to stimulus-response stereotypes affect the
probability that an operator will press the button or activate the
intended switch.
Software and hardware that have desirable properties from the
point of view of engineers and computer specialists may be difficult
to use. A crew member may know what information is needed but
be unable to obtain it because of the characteristics of computer
graphics or data bases. How long does the system take to repaint
the screen? At what distance and from what direction can it be
read? Does the display symbology support the way in which the
operator processes information, or is it merely determined by the
way the nuclear engineer describes the physics of the system? Such
matters should influence computer system decisions.
The operator's ability to deal with an abnormal or emergency
event, even at the level of reading displays, can be affected by
regulation and management style, as much as by the design of
displays. For example, the ability of operators to respond to emer-
gencies is affected by fatigue and motivation. The structure and
organization of shift work will also affect operator efficiency, due to
disruptions in biological circadian rhythms. A management insen-
sitive to comments by operators about their working conditions, or
that penalizes operators for inconsequential infringements in mat-
ters such as dress codes, may obtain obedience to rules but will
not encourage participation in the pursuit of excellence. Civilians
do not adopt "military" styles voluntarily and may resent them
if imposed by management. Management, whose experience may
have been predominantly with military systems, may find it hard
to tolerate "civilian" attitudes. An undeserved rebuke for failing
to follow ambiguous directions can destroy morale in an instant
and make it difficult to rebuild for many months.
Now consider another area: plant maintenance. How is it
organized? Are maintenance personnel adequately trained? Are
they encouraged to play an active role in developing good main-
tenance practices, or do they see their role as merely to carry
out commands but show no initiative? Does management feel directly
responsible for the quality of maintenance and, in return,
encourage maintenance people to feel a pride in their work? Do
maintenance personnel feel that they are part of a team with the
operators? Do they communicate with each other? Do mainte-
nance people understand the significance of the details of their
work and its effect on operations? Do the design engineers design
for maintainability? Do they choose components that force the
operator to use them correctly, thus minimizing error? If mainte-
nance is poor, operators will know they cannot trust the hardware
and software, and lack of trust between human and machine can
be expected to have as devastating an effect on their cooperation
as can a lack of trust between people.
THE NEED FOR AN INTERDISCIPLINARY APPROACH
Good hardware with poor management leads to low morale,
inefficiency, and errors. Good management with poor hardware
leads to distrustful and stressful operation. Hardware decisions
change the work of operators; manning levels affect training; regulations
affect the designs or design changes, the manning and
training methods, and the work group organization that can in
principle be considered. The effect of a change to any part of a
system may necessitate changes that require inputs from a great
variety of disciplines. Changes to design, operations, and main-
tenance research and proposals for innovation by one discipline
should be planned and reviewed by several disciplines.
The very high rate of change in technology today has already
created a context in which human factors and social science pro-
fessionals work with engineers, computer scientists, and others
to provide complementary research skills required in an age of
information and cognitive science. As the roles of level of automa-
tion, degree of supervisory control, and use of artificial intelligence
and robotics increase, it should become increasingly common for
behavioral scientists to work with mechanical and electrical en-
gineers, since no single discipline has the expertise to solve both
technical and human systems interaction problems.
In a comparable way, there has been a growing realization
that human interaction in groups and organizations is as central
to safety and efficiency as is the interaction of a human with a
machine. Within small groups, the dynamics of social interaction
can determine whether behavior is cooperative or antagonistic.
The efficiency, content, and style of communication both within
groups such as control room crews and between different levels in
the hierarchy from management downward can have a major im-
pact on safety, on morale, and on the attitudes of supervisors and
workers. Whether the question is how best to integrate the shift
technical advisor into the crew, how to facilitate timely exchange
of information between operators and maintenance crews, how to
encourage personnel to report near-miss incidents in a constructive
way and how to encourage management and the NRC to use such
reports, or how to communicate effectively with regulators and the
public, organizational factors are, in many cases, paramount.
Because of the range of topics that require research, we be-
lieve it is important to open the door to experts from a wider
range of fields than traditional human factors. Consequently, we
see a need to complement human factors work with research activ-
ities in the social and behavioral sciences, including organizational
theory and management science. Research on safety and reliabil-
ity should include human factors and organizational behavioral
research and should be performed by teams of professionals from
these different disciplines. In Europe the response to the changing
nature of advanced technological systems has already been to in-
clude in research teams representatives from topics as far-ranging
as linguistics and anthropology in an effort to understand the way
in which communication and displays affect decision making and
problem solving.
Today, the knowledge base that can account for the perfor-
mance of the sociotechnical system we describe is at best frag-
mented, weak, and incomplete in many areas. In some respects
its complexity appears to defy description and analysis. Yet, if
the goal of improved nuclear safety is to be realized, the task of
developing an understanding of nuclear power generation as a
sociotechnical system must commence. And the initial step in this
process must be informed by a program of research that calls on
the expertise of the many disciplines that can contribute to this
understanding. Before Three Mile Island, a plant was primarily
perceived as a technical entity. After Three Mile Island, this view
was enlarged to include the human-machine interface, primarily in
the control room, and largely directed at measures to strengthen
that interface. This was the first necessary, but not sufficient, step
to achieving the goal of a reliable, safe system of nuclear power
production. To ensure public safety, it is critical that the nuclear
industry use a multidisciplinary approach to establish a research
program to identify and evaluate means of improving safety.