
Fuzzy Sets and Systems 28 (1988) 115-127
North-Holland

CASE STUDY

FUZZY HUMAN RELIABILITY ANALYSIS ON THE CHERNOBYL ACCIDENT

Takehisa ONISAWA
Department of Basic Engineering, Kumamoto University, 2-39-1, Kurokami, Kumamoto, 860 Japan

Yasushi NISHIWAKI
Division of Nuclear Safety, International Atomic Energy Agency, A-1400, Vienna, Austria

Received May 1987
Revised August 1987

Abstract: This paper compares the result of fuzzy reliability analysis using error possibility with that of probabilistic analysis, on the accident at the Chernobyl nuclear power plant. The case study shows that fuzzy reliability analysis gives information from more points of view than probabilistic analysis.

Keywords: Human reliability analysis; error possibility; error probability; the Chernobyl accident.

1. Introduction

The worst nuclear-reactor accident to date occurred at the fourth unit of the Chernobyl nuclear power station in the Ukraine, Soviet Union, on April 26 in 1986. Large amounts of the radioactive materials in the reactor core were spread on a global scale. The accident happened during a test being carried out on a turbogenerator at the time of a normal scheduled shutdown of the reactor. This was intended to test the ability of the turbogenerator, during the station blackout, to supply electrical energy for a short period until the standby diesel generators could supply emergency power. The main cause of the accident was an improper written test procedure from safety point of view and serious violations of basic operating rules by the operators [2, 5].

A preliminary analysis of the Chernobyl accident has been performed [1] on the basis of the probabilistic method of human reliability analysis proposed by Swain and Guttmann [4]. Onisawa has proposed error possibility instead of human error probability in human reliability analysis and shown the validity of the proposed method [3]. This possibility is expressed by a fuzzy set on the interval [0, 1]. In this paper an analysis of the Chernobyl accident is performed by using error possibility and the result of the analysis is compared with the result of probabilistic analysis.
0165-0114/88/$3.50 © 1988, Elsevier Science Publishers B.V. (North-Holland)

2. Probabilistic analysis of the Chernobyl accident [1]

Outlines of the probabilistic analysis by Hu and Zhang are first introduced in this section.

2.1. Three assumptions

Before the analysis the following is assumed.
(1) Only human errors are considered for discussion. All nuclear power plant personnel act in a manner they believe to be in the best interests of the plant.
(2) The dysfunction of the system results from human errors. An inherent defect of the system is not considered in this analysis.
(3) The operation crew are dependent on each other completely.

2.2. Task analysis

According to the above-mentioned assumptions and a report presented by USSR experts [5], six links of human errors are drawn out. They contributed to the accident as follows:

A: During the reduction of reactor power, the operator did not enter a 'hold power' request at the required level in transferring unit power control from the local to the global auto-regulating system, so that the reactor power ran down rapidly to 30 MW instead of the hoped-for target level of 700-1000 MW.

B: After the reactor fell into the 'iodine well', the operator withdrew many of the control rods, with the motive of conducting the test program, to retrieve the power to 200 MW, despite it being forbidden to operate the reactor at such low level by normal safety procedure.

C: Under the low power operational condition, in meeting the requirements of the planned test, two standby main circulation pumps were connected to the core, which resulted in violating the thermo-hydraulic balance in the core coolant system and some individual pump discharges exceeding the permissible levels specified in the regulation. This operational mode was a violation of normal station procedures.

D: In order to continue the test without interruption, the operator blocked the trip signals associated with steam drum water level and pressure regardless of the unstable reactor condition. Hence the reactor protection system triggered by heat transfer parameters was completely cut off.

E: The operator regulated the steam-drum level with difficulty by means of raising the feedwater flow (there is no such function in the design of the station) for stabilizing the pressure and water level in the drum and creating the adequate condition to begin the test. Meanwhile, more control rods had to be withdrawn to compensate the negative reactivity introduced by the above action. At that time, the number of the control rods remaining in the core was far less than the minimal number according to the safety principle.

F: In order to be able to repeat the test if necessary, the operator blocked the reactor protection system relying on shut-down signals from both turbogenerators. Consequently, the last possibility of automatic shutdown of the reactor was lost.


In the view of human reliability analysis, among these human errors, 'A' belongs to an error of omitting a step in a task, while the others belong to errors of administrative control due to the operator's neglecting and violating the safety principles and operating procedures. The human performance models and the human error probabilities on average industrial conditions are shown in Table 1 [4].

2.3. Development of human reliability analysis event tree

A branch of the event tree is developed in the order of the accident process as shown in Figure 1. Here capital letters represent failure and small ones represent success.

2.4. Effect of the performance shaping factor

According to [4] and their judgement, the dependence between the actions is assumed as shown in Figure 2(b). However, in accordance with the background of the Chernobyl accident, the following situations are considered.

(1) Chernobyl Unit Four used to be a 'flag-ship' unit in the national reactor line because of its previous good operating record. The unit staff took part in the innovation test with great enthusiasm; a similar test had already been carried out but failed to meet the required target and, what is more, it was not easy to arrange such a test on the operating plant; so that it became the intensive motivations of the staff to complete the test with all efforts before 'May Day'.
Table 1. Human performance models

| Item | Human errors and human error probabilities |
|---|---|
| 1 | Omitting a step or an important instruction from a formal or ad hoc procedure: $[6 \times 10^{-4}, 3 \times 10^{-3}, 1.5 \times 10^{-2}]$ |
| 2 | Failure of administrative control in carrying out a plant policy or scheduled tasks: $[2 \times 10^{-3}, 1 \times 10^{-2}, 5 \times 10^{-2}]$ |
| 3 | Modification of estimated human error probabilities for the effects of very low stress level: $\times 2$ |
| 4 | Equations for conditional probabilities of failure on task N given failure on previous task N - 1 for different levels of dependence: $P_F(N \mid N-1 \mid ZD) = Er$; $P_F(N \mid N-1 \mid LD) = (1 + 19 \times Er)/20$; $P_F(N \mid N-1 \mid MD) = (1 + 6 \times Er)/7$; $P_F(N \mid N-1 \mid HD) = (1 + Er)/2$; $P_F(N \mid N-1 \mid CD) = 1$ |

where $Er$ represents the human error probability of task N.

[Figure: branch of the event tree; capital letters mark the failure path]
A: omit entering "hold power"
B: keep the reactor operating at the power of 200 MW
C: connect two standby circulation pumps to the core
D: block the drum water level and pressure trip
E: regulate the feedwater flow
F: block the trip of "loss of both turbogenerators"

Fig. 1. Branch of Chernobyl accident event tree.

(2) The management of the test was not serious and the administrative control was poor. Without necessary safety review of the test program, the test was considered merely as an electrical-technical test with no danger in reactor safety.

(3) The operators were overconfident. They gave the test priority while neglecting the safety principle and operating procedures. At the event of the abnormal condition, even though the monitoring computer printout had shown that there was not enough reactivity reserve to meet the shutdown requirement, they were still in a very low stress level, and not aware of the potential danger. That brought about successive violations of operating procedures and eventually caused the catastrophe.

(4) Some important actions were carried out around midnight (e.g., the action 'A' was performed on April 26, 0:28:~). Because of the fatigue of the operators, the reliability of their performance would be reduced.

Considering the above situations the relationship between the actions is changed, that is, the dependence tends to the higher level. The dependence in the Chernobyl accident is assumed as shown in Figure 2(a).

2.5. Joint human error probability

Based on the previous analysis and Table 1, the joint human error probability is obtained as follows.

A is an omission error. The upper uncertainty bound of the human error probability is modified by the stress factor:

$$P_F(A) = 0.015 \times 2 = 0.03.$$

(a) A -[ZD]- B -[CD]- C -[HD]- D -[HD]- E -[HD]- F
(b) A' -[ZD]- B' -[HD]- C' -[LD]- D' -[LD]- E' -[LD]- F'

Fig. 2. Dependence between actions under different assumptions.


B is an error of administrative control. The human error probability of B is estimated as the upper uncertainty bound of the human error probability and zero dependence with A:

$$P_F(B \mid A \mid ZD) = 0.05.$$
Table 2. The estimated human error probabilities

| Case | Error | Type of error | Dependence | Human error probability |
|---|---|---|---|---|
| Fig. 2(a) | A | Omission | - | $3 \times 10^{-2}$ (a) |
| | B | Failure of administrative control | ZD | $5 \times 10^{-2}$ (a) |
| | C | Failure of administrative control | CD | 1 |
| | D | Failure of administrative control | HD | $5.05 \times 10^{-1}$ |
| | E | Failure of administrative control | HD | $5.05 \times 10^{-1}$ |
| | F | Failure of administrative control | HD | $5.05 \times 10^{-1}$ |
| | Joint human error probability | | | $1.9 \times 10^{-4}$ |
| Fig. 2(b) | A' | Omission | - | $3 \times 10^{-3}$ |
| | B' | Failure of administrative control | ZD | $1 \times 10^{-2}$ |
| | C' | Failure of administrative control | HD | $5.05 \times 10^{-1}$ |
| | D' | Failure of administrative control | LD | $5.95 \times 10^{-2}$ |
| | E' | Failure of administrative control | LD | $5.95 \times 10^{-2}$ |
| | F' | Failure of administrative control | LD | $5.95 \times 10^{-2}$ |
| | Joint human error probability | | | $3.19 \times 10^{-9}$ |

(a) The median of the human error probability is used.

The dependence between B and C is assumed to be complete dependence:

$$P_F(C \mid B \mid CD) = 1.$$

The human error probability of D is estimated as the median of the error probability and high dependence between C and D:

$$P_F(D \mid C \mid HD) = (1 + 0.01)/2 = 0.505.$$

In the same way the human error probabilities of E and F are estimated as

$$P_F(E \mid D \mid HD) = 0.505, \quad P_F(F \mid E \mid HD) = 0.505.$$

The joint human error probability is estimated as

$$P_F = 0.03 \times 0.05 \times 1 \times 0.505^3 = 1.9 \times 10^{-4}.$$

In the situation of Figure 2(b) the joint human error probability is estimated as shown in Table 2:

$$P_F = 3.19 \times 10^{-9}.$$

The human error probability of the accident sequence, which would have been extremely unlikely to occur, is increased by several orders of magnitude due to the effect of the performance shaping factors mentioned in Section 2.4.
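The two joint probabilities of Section 2.5 can be reproduced from the dependence equations of Table 1. The Python sketch below is an added example, not code from the paper; the function names, the chain layout and the use of `None` for the first task are assumptions of this example.

```python
# Added illustration: joint human error probability along the A..F chain.
# Conditional failure probability on task N given failure on task N-1 for
# each dependence level (equations of Table 1); er is the basic human
# error probability of task N.
DEPENDENCE = {
    "ZD": lambda er: er,
    "LD": lambda er: (1 + 19 * er) / 20,
    "MD": lambda er: (1 + 6 * er) / 7,
    "HD": lambda er: (1 + er) / 2,
    "CD": lambda er: 1.0,
}

# [lower bound, median, upper bound] triplets from Table 1.
OMISSION = (6e-4, 3e-3, 1.5e-2)
ADMIN = (2e-3, 1e-2, 5e-2)
LOW_STRESS_FACTOR = 2  # modifier for very low stress level (Table 1)


def conditional_hep(er, level):
    """Failure probability of one task; level None marks the first task."""
    if not 0.0 <= er <= 1.0:
        raise ValueError(f"error probability out of range: {er}")
    if level is None:
        return er
    if level not in DEPENDENCE:
        raise ValueError(f"unknown dependence level: {level}")
    return DEPENDENCE[level](er)


def joint_hep(chain):
    """chain: (task, basic error probability, dependence on previous task)."""
    rows, joint = [], 1.0
    for task, er, level in chain:
        p = conditional_hep(er, level)
        rows.append((task, level or "-", p))
        joint *= p
    return joint, rows


lower, median, upper = ADMIN
# Fig. 2(a): performance shaping factors of Section 2.4 taken into account.
CHAIN_A = [
    ("A", OMISSION[2] * LOW_STRESS_FACTOR, None),  # upper bound x 2
    ("B", upper, "ZD"),                            # upper bound
    ("C", median, "CD"),
    ("D", median, "HD"),
    ("E", median, "HD"),
    ("F", median, "HD"),
]
# Fig. 2(b): dependence assumed before those factors are considered.
CHAIN_B = [
    ("A'", OMISSION[1], None),
    ("B'", median, "ZD"),
    ("C'", median, "HD"),
    ("D'", median, "LD"),
    ("E'", median, "LD"),
    ("F'", median, "LD"),
]

if __name__ == "__main__":
    for name, chain in (("Fig. 2(a)", CHAIN_A), ("Fig. 2(b)", CHAIN_B)):
        joint, rows = joint_hep(chain)
        for task, level, p in rows:
            print(f"{name} {task:3s} {level:3s} {p:.3e}")
        print(f"{name} joint human error probability = {joint:.2e}")
```

The only differences between the two chains are the starting values for A and B and the dependence levels, which is where the gap of several orders of magnitude comes from.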

3. Reliability analysis by error possibility [3]

Only a summary about reliability analysis by error possibility is given in this section. The justification and the meaning of some definitions may be found in [3].
3.1. Error possibility

Let us consider a fuzzy set E on the interval [0, 1] associated with a possibility distribution E(e) such as

$$E(e) = \frac{1}{1 + 20 \times |e - e_0|^m}, \tag{1}$$

where $m = m_L$ for $e \le e_0$ and $m = m_U$ for $e \ge e_0$. The parameter m is related to the fuzziness and $e_0$, called the center of E, gives the maximum grade of E(e). The fuzzy set E is called 'error possibility' and e is called 'likelihood of error'. In this paper $e_0$ and m are assumed to be derived from the triplet of the error probability $[Er_L, Er_M, Er_U]$, where $Er_M$ is the recommended value of the error probability, $Er_L$ is its lower bound and $Er_U$ is its upper bound.

(i) $e_0$ is derived from $Er_M$:

$$e_0 = f(Er_M) = \begin{cases} \dfrac{1}{1 + (K \times \log(1/Er_M))^3}, & Er_M \ne 0, \\ 0, & Er_M = 0, \end{cases} \tag{2}$$

where K is a constant. Table 3 shows the classification of $e_0$.


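Table 3. Classification of $e_0$

| Class | Bounds of $e_0$ | Representative value of $e_0$ | Bounds of error probability |
|---|---|---|---|
| $C_1$ | 1.0 | 1.0 | 1.0 |
| $C_2$ | 0.9-1.0 | 0.95 | $7.830 \times 10^{-2}$ - 1.0 |
| $C_3$ | 0.7-0.9 | 0.8 | $1.841 \times 10^{-2}$ - $7.830 \times 10^{-2}$ |
| $C_4$ | 0.5-0.7 | 0.6 | $5.0 \times 10^{-3}$ - $1.841 \times 10^{-2}$ |
| $C_5$ | 0.3-0.5 | 0.4 | $8.872 \times 10^{-4}$ - $5.0 \times 10^{-3}$ |
| $C_6$ | 0.2-0.3 | 0.25 | $2.225 \times 10^{-4}$ - $8.872 \times 10^{-4}$ |
| $C_7$ | 0.1-0.2 | 0.15 | $1.636 \times 10^{-5}$ - $2.225 \times 10^{-4}$ |
| $C_8$ | 0.05-0.1 | 0.075 | $7.243 \times 10^{-7}$ - $1.636 \times 10^{-5}$ |
| $C_9$ | 0.0-0.05 | 0.025 | 0.0 - $7.243 \times 10^{-7}$ |
| $C_{10}$ | 0.0 | 0.0 | 0.0 |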

In accordance with [4], in this paper K is defined as

$$K = \frac{1}{\log(1/(5 \times 10^{-3}))}. \tag{3}$$

(ii) $m_L$ and $m_U$ are derived from $[Er_L, Er_M, Er_U]$. The parameters $m_L$ and $m_U$ are together rewritten as m.

(1) Define $k_L = Er_M/Er_L$ and $k_U = Er_U/Er_M$. The parameters $k_L$ and $k_U$ are together rewritten as k.

(2) Four uncertainty bounds are defined such as $k \le 3$, $3 < k \le 5$, $5 < k \le 10$ and $10 < k$. For these uncertainty bounds we refer to Table 4, [4].

(3) In the class $C_5$ define m = 2.0 for $k \le 3$, m = 2.5 for $3 < k \le 5$, m = 3.0 for $5 < k \le 10$ and m = 3.5 for $10 < k$, respectively. Let $e_{0i}$ be the representative value of $e_0$ in the class $C_i$ and $E_i$ be the error possibility in the class $C_i$ such as $E_i(e_{0i}) = 1$ (i = 2, 3, ..., 9).

(4) Within the same uncertainty bounds the parameter m is obtained so as to

satis
= i=

2, 3,...,

9,

(4)

where e~ = f(10 x Er~) when $m_U$ is obtained, e~ = f(ErMJ10) when $m_L$ is obtained, and e~ = f(Er~). Table 5 shows the result obtained by the above procedure. However the boldface values are used by referring to Table 4. The parameter m for $10 < k$ is used when the error probability of a given task is assumed to be fuzzier.

Table 4. General guidelines for estimating uncertainty bounds for estimated error probability

| Error probability | Lower bound | Upper bound |
|---|---|---|
| 0.01 < Er | Er/5 | 2 × Er - 5 × Er |
| 0.001 < Er < 0.01 | Er/3 | 3 × Er |
| Er < 0.001 | Er/10 | 10 × Er |

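Table 5. Parameter m

| Class | m | $k \le 3$ | $3 < k \le 5$ | $5 < k \le 10$ | $10 < k$ |
|---|---|---|---|---|---|
| $C_2$ | $m_U$ | 2.7 | 3.3 | 4.0 | 4.7 |
| | $m_L$ | 2.7 | 3.3 | 4.0 | 4.7 |
| $C_3$ | $m_U$ | 1.3 | 1.7 | 2.0 | 2.3 |
| | $m_L$ | 3.1 | 3.8 | 4.6 | 5.4 |
| $C_4$ | $m_U$ | 1.9 | 2.4 | 2.9 | 3.4 |
| | $m_L$ | 2.6 | 3.3 | 3.9 | 4.6 |
| $C_5$ | $m_U$ | 2.0 | 2.5 | 3.0 | 3.5 |
| | $m_L$ | 2.0 | 2.5 | 3.0 | 3.5 |
| $C_6$ | $m_U$ | 1.6 | 1.9 | 2.3 | 2.7 |
| | $m_L$ | 1.5 | 1.9 | 2.3 | 2.7 |
| $C_7$ | $m_U$ | 1.1 | 1.4 | 1.7 | 1.9 |
| | $m_L$ | 1.2 | 1.5 | 1.8 | 2.1 |
| $C_8$ | $m_U$ | 0.8 | 1.0 | 1.1 | 1.3 |
| | $m_L$ | 0.9 | 1.1 | 1.4 | 1.6 |
| $C_9$ | $m_U$ | 0.5 | 0.6 | 0.7 | 0.9 |
| | $m_L$ | 0.7 | 0.8 | 1.0 | 1.2 |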

The error possibility in the class $C_1$ is defined as

$$E(e) = \begin{cases} 1, & e = 1, \\ 0, & e \ne 1, \end{cases} \tag{5}$$

and that in the class $C_{10}$ is defined as

$$E(e) = \begin{cases} 0, & e \ne 0, \\ 1, & e = 0. \end{cases} \tag{6}$$

3.2. Logical connectives of error possibilities

Two tasks are assumed to be independent of each other.

(i) AND connective. The function F is used as the 'AND connective' of error possibilities:

$$F(x, y) = \frac{1}{1 + \{((1 - x)/x)^3 + ((1 - y)/y)^3\}^{1/3}}, \quad 0 < x, y \le 1, \tag{7}$$

where F(0, 0) = F(x, 0) = F(0, y) = 0.

Parallel tasks are connected by an 'and gate' in a fault tree. The error possibilities of parallel tasks are operated by the 'AND connective' and the extension principle in order to obtain the error possibility of the whole task.

(ii) OR connective. The function G is used as the 'OR connective' of error possibilities:

$$G(x, y) = \frac{\{(x/(1 - x))^3 + (y/(1 - y))^3\}^{1/3}}{1 + \{(x/(1 - x))^3 + (y/(1 - y))^3\}^{1/3}}, \quad 0 \le x, y < 1, \tag{8}$$

where G(1, 1) = G(x, 1) = G(1, y) = 1.
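The definitions of Sections 3.1 and 3.2 (Eqs. (1)-(3), (7), (8) and the classes of Table 3) can be checked numerically. The Python sketch below is an added example, not code from the paper; the function names are assumptions, the exponent 3 is used in both connectives so that F and G are duals, and the closed side of each class interval is an assumption.

```python
import math

# Eq. (3): K is fixed so that Er_M = 5e-3 maps to e0 = 0.5. The log base
# cancels between K and Eq. (2), so natural logarithms are used throughout.
K = 1.0 / math.log(1.0 / 5e-3)

# Table 3: (lower bound of e0, class). Treating the lower bound as inclusive
# is an assumption of this sketch; the table does not say which side is closed.
CLASS_LOWER_BOUNDS = [(0.9, "C2"), (0.7, "C3"), (0.5, "C4"), (0.3, "C5"),
                      (0.2, "C6"), (0.1, "C7"), (0.05, "C8"), (0.0, "C9")]


def center(er_m):
    """Eq. (2): center e0 of the error possibility from the value Er_M."""
    if not 0.0 <= er_m <= 1.0:
        raise ValueError("error probability must lie in [0, 1]")
    if er_m == 0.0:
        return 0.0
    return 1.0 / (1.0 + (K * math.log(1.0 / er_m)) ** 3)


def classify(e0):
    """Table 3: class of a center value e0."""
    if e0 == 1.0:
        return "C1"
    if e0 == 0.0:
        return "C10"
    return next(name for lower, name in CLASS_LOWER_BOUNDS if e0 >= lower)


def possibility(e, e0, m_l, m_u):
    """Eq. (1): grade E(e), with m = m_L left of the center, m_U right of it."""
    m = m_l if e <= e0 else m_u
    return 1.0 / (1.0 + 20.0 * abs(e - e0) ** m)


def and_connective(x, y):
    """Eq. (7): F(x, y), for tasks joined by an 'and gate'."""
    if x == 0.0 or y == 0.0:
        return 0.0
    s = (((1 - x) / x) ** 3 + ((1 - y) / y) ** 3) ** (1 / 3)
    return 1.0 / (1.0 + s)


def or_connective(x, y):
    """Eq. (8): G(x, y), for tasks joined by an 'or gate'."""
    if x == 1.0 or y == 1.0:
        return 1.0
    s = ((x / (1 - x)) ** 3 + (y / (1 - y)) ** 3) ** (1 / 3)
    return s / (1.0 + s)


if __name__ == "__main__":
    # Recommended values of the two triplets used in the case study.
    for label, er_m in [("A (omission)", 3e-3), ("B-F (administrative)", 1e-2)]:
        e0 = center(er_m)
        print(f"{label}: Er_M={er_m:g} -> e0={e0:.3f}, class {classify(e0)}")
    print("F(0.6, 0.6) =", round(and_connective(0.6, 0.6), 4))
    print("G(0.6, 0.6) =", round(or_connective(0.6, 0.6), 4))
```

With these definitions G(x, y) = 1 - F(1 - x, 1 - y), and the class boundaries of Table 3 follow from applying Eq. (2) to the listed error probabilities.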


Series tasks are connected by an 'or gate' in a fault tree. The error possibilities of series tasks are operated by the 'OR connective' and the extension principle in order to obtain the error possibility of the whole task.

3.3. Dependence between consecutive tasks

Only the dependence between parallel tasks as shown in Figure 3 is introduced. The dependence between series tasks may be found in [3], but it is not considered in our case study. It is assumed that the task B is performed after the task A is done. If a human operator fails in the task A, then he is apt to fail in the task B. If he succeeds in the task A, then he is also liable to succeed in the task B. However if he succeeds in the task A, he succeeds in the whole task whether he succeeds or not in the task B. So it is not necessary to consider the latter case. Let $E_A$ be the error possibility of the task A, $E_B$ be that of the task B and R be the fuzzy causal relation representing the dependence.

(i) The case that the error of the task A influences the error of the task B. Let E~ be the error possibility of the task B influenced by the error of the task A. Under logical consideration, E~ can be estimated as '$E_A$ AND R'. In this case E~ is the error possibility of the whole task:

(ii) The case that the error of the task A does not influence the error of the task B. The portion of the error possibility of the task A which does not influence the error of the task B is obtained by

(10)

where E~ is this portion. The error possibility of the whole task E' in this case is obtained by

E' = F(E , $E_B$). (11)

(iii) The error possibility E as a whole. The error possibility E is obtained by

E = G(E', (12)

Fig. 3. Dependence between parallel tasks.


3.4. Evaluation

Let $(E)_\alpha = (e_1(\alpha), e_2(\alpha))$ be an $\alpha$-cut of E.

(i) The center $e_0$ of E:

$$J_1 = e_0. \tag{13}$$

(ii) Potentiality for error. Define

J2--

(14)

.~~(1 - 0.5)o: do:


where e2(~) = 0.5. J2 is evaluated when J l ~ 0.5. (iii) Fuzziness of error possibility. Define
~ (e2(~) - eo)~ d ~

J3=

t o ( l - co)o: do:

05)

where 2(o:) ~ eo for o: G [0, 1). (iv) The relative potentiality and the relative fuzziness. Define

$2' -

J :
P

(e2(o:) - 0.5)o: do:


(16)

f:' (e~(~)-o.5)~d~
where eu2(# e) = 0.5, and
~ (e2(a) - eo)~ d ~

J y _-(2(o:) - eo)o:do:

(17)

The denominators in Eqs. (16) and (17) are the evaluation of the standard error possibility E' in the class which $e_0$ belongs to. Let $(E')_\alpha = (e'_1(\alpha), e'_2(\alpha))$ be an $\alpha$-cut of E'. The standard error possibility E' has the following possibility distribution:

$$E'(e) = \frac{1}{1 + 20 \times |e - e_0|^m}, \tag{18}$$

where $e_0$ is the evaluation $J_1$ and m is the value in the class which $e_0$ belongs to. The parameter m is determined by Table 5. Equations (16) and (17) imply the relative evaluation in the class which $e_0$ belongs to. The potentiality and the fuzziness of E are compared with those of E'.

4. Reliability analysis on the Chernobyl accident

In this section the reliability analysis on the Chernobyl accident is performed by using error possibility and the result is compared with the result of the probabilistic analysis. The triplet of the human error probability for the derivation of the error possibility is the same as the one used in the probabilistic analysis. That is, the triplet of the human error probability of 'A' is $[6 \times 10^{-4}, 3 \times 10^{-3}, 1.5 \times 10^{-2}]$ and the triplets of the human error probabilities of the other tasks are each $[2 \times 10^{-3}, 10^{-2}, 5 \times 10^{-2}]$. The modification by the stress factor is performed in Figure 4(a). Figures 4(a) and 4(b) show the fault trees which correspond to Figures 2(a) and 2(b), respectively. Figure 5 shows the fuzzy causal relations in this analysis. Figures 6(a) and 6(b) show the error possibilities of the top events in the fault trees shown in Figures 4(a) and 4(b), respectively. The subscript 1 is given to the result in Figure 6(a) and the subscript 2 is given to the result in Figure 6(b).

Comparing the result of the fuzzy analysis and that of the probabilistic analysis the following is considered.

(1) $J_{11} > J_{12}$. This result is inferred by the result of the probabilistic analysis.

(2) $E_1(0) < E_2(0)$. This implies that it is less possible for the human operator to make an error in the case of Figure 4(b) than in the case of Figure 4(a).

(3) $E_1(1) > E_2(1)$. This implies that it is more likely for the human operator to make an error in the case of Figure 4(a) than in the case of Figure 4(b).

These results are also inferred by the result of the probabilistic analysis. From the above consideration the same result as the probabilistic analysis is obtained:
[Figure: fault trees, panels (a) and (b)]

Fig. 4. Fault trees.

[Figure: membership functions R(x) of the fuzzy causal relations ZD, LD, HD and CD over x in [0, 1]. CD: R(x) = 1 for x = 1.0 and 0 for 0.0 ≤ x < 1.0. ZD: R(x) = 1 for x = 0.0 and 0 for 0.0 < x ≤ 1.0.]

Fig. 5. Membership functions of fuzzy causal relations.

Human reliability in Figure 4(a) becomes much lower than that in Figure 4(b) due to the effect of the performance shaping factors mentioned in Section 2.4.

However a small error probability does not necessarily mean a low possibility to make an error. This consideration is found by the following.

(4) Though $J_{12}$ is small, $J_{22}$ and $J_{32}$ are not so small. This result shows that the potentiality for error is not low and that $J_{12}$ is not evaluated with confidence. That is to say, small $J_1$ does not always imply good reliability.

(5) $J'_{22} > J'_{21}$ and $J'_{32} > J'_{31}$ in spite of $J_{11} > J_{12}$, $J_{21} > J_{22}$ and $J_{31} > J_{32}$. This also shows that small $J_1$ does not always mean good reliability.

(6) $J_{21}$ and $J_{31}$ as well as $J_{11}$ are large. This result shows that the potentiality for error is high. However large $J_3$ does not necessarily yield with confidence that the human operator makes an error certainly.

If $J_2$, $J_3$, $J'_2$ and $J'_3$ are also evaluated, the following result is obtained: Reliability in Figure 4(b) is not necessarily much better than that in Figure 4(a). Figure 6(b) shows that the human operator has enough possibility to make an error. There is room for improvement of the management and administrative control system even in the case of Figure 4(b). It is found that error possibility can be interpreted from many points of view. It is difficult to gain such an interpretation in probabilistic analysis.
[Figure: error possibilities $E_1$ and $E_2$ of the top events, plotted against likelihood of error]
(a) $J_{11} = 0.139$, $J_{21} = 0.646$, $J'_{21} = 38.86$, $J_{31} = 0.762$, $J'_{31} = 4.470$
(b) $J_{12} = 0.014$, $J_{22} = 0.421$, $J'_{22}$ = 9n.s7, $J_{32} = 0.538$, $J'_{32} = 11.17$

Fig. 6. Error possibilities of the top events in the fault trees.


5. Conclusions

This paper compared the result of fuzzy reliability analysis using error possibility with that of probabilistic analysis on the Chernobyl accident. This case study showed the following validity of fuzzy reliability analysis: error possibility can be interpreted from many points of view and it is difficult to gain such an interpretation in probabilistic analysis. The belief that a small error probability shows good reliability is dangerous in reliability analysis. Some big accidents have shown this consideration. This paper shows that it is necessary to apply fuzzy theory to reliability analysis.

References

[1] Z. Hu and J. Zhang, A preliminary human factor analysis on the accident at the Chernobyl nuclear power plant, Private Communication to Prof. Y. Nishiwaki, IAEA (1987).
[2] International Nuclear Safety Advisory Group, Summary report on the post-accident review meeting on the Chernobyl accident, Safety Series No. 75-INSAG-1, International Atomic Energy Agency, Vienna (1986).
[3] T. Onisawa, An approach to human reliability in man-machine system using error possibility, Fuzzy Sets and Systems 27 (1988) 87-103.
[4] A.D. Swain and H.E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications (NUREG/CR-1278, 1980).
[5] USSR State Committee on the Utilization of Atomic Energy, The accident at the Chernobyl nuclear power plant and its consequences, Information compiled for the IAEA experts' meeting, Vienna, 25-29 August (1986).
