ML23095A035

RIC2023 Digital Exhibit Digital I&C Safety Assurance and Human Performance
ML23095A035
Person / Time
Issue date: 04/05/2023
From: Jing Xing
NRC/RES/DRA/HFRB


Text

DIGITAL I&C SAFETY ASSURANCE AND HUMAN PERFORMANCE

OECD NEA HALDEN HUMAN-TECHNOLOGY-ORGANIZATION (HTO) PROJECT

ANDREAS BYE, BJØRN AXEL GRAN, SIZARTA SARSHAR, YONAS ZEWDU AYELE

Digital Instrument & Control (DI&C) - Human Performance Framework

[1] O'Hara, J.M., Gunther, B., Martinez-Guridi, G., Xing, J.F., & Barnes, V.E. (2010). The Effect of Degraded Digital Instrumentation and Control Systems on Human-System Interfaces and Operator Performance.

Human-System Interface (HSI)

Operator performance in digital vs traditional control room

Research question:

Analog HSI may be used as backup for digital HSI in safety systems, e.g., for plant shutdown. What are the effects on the operators when changing between different types of interfaces?

Experimental results:

  • Radical HSI transitions did not degrade human performance.

- Workload was lower and overall task performance improved when a digital HSI was substituted with a panel-based HSI during the scenario.

- No observed effects for response time, situation awareness or self-rated performance. No serious impact of the radical HSI transition on expert-rated human performance.

- Two crews considered radical HSI transitions quite unproblematic, given a sufficient amount of training. The third crew recognized many benefits of both HSI solutions, but they were generally sceptical of radical HSI transitions (possible acceptance challenges).


Diversity in Design

[Diagram: Item A1 performs Function A (InputsA, OutputsA1); Item A2 performs Function A (InputsA, OutputsA2)]

A1, A2 are diverse if the same common cause does not degrade the performance of A1, A2, e.g.:

  • Latent design defects.
  • Unwanted interactions.
  • Shared resources.

Assume items A1, A2 are implemented on FPGA.

Question: Is it technically feasible to achieve a level of assurance at least comparable to current practice without requiring diverse designs?

Challenge: How can we prove nothing will go wrong? If we don't know what can go wrong, how can we prevent it?

Problem: how to specify the requirements and constraints in natural language.

Structured Safety Argumentation Approach (SSAA)

We developed a prototype tool for structured argument. In this tool, the notation can be self-defined.

The nodes can be specified to different users.

[Figure panels: Self-defined notation (nodes and reasoning logic); Specified nodes for different users]

Key messages

  • Digital I&C and human performance are closely linked
  • Digital systems have the potential to improve human performance
  • Failures in digital systems may be difficult to handle for humans
  • Especially failures in automation systems
  • Safety assurance of digital systems is necessary; and evaluation of the roles of new digital systems should be performed together with the evaluation of human performance.