 |
Hollnagel, E. (1998) Cognitive
Reliability and Error Analysis Method. Oxford: Elsevier Science Ltd. |
No man is an island entire of itself;
John Donne (c. 1572-1631)
Foreword
A
Fable. Once
upon a time a bunch of well-meaning scientists started to get worried about the
many errors that other people made. This was not just the slip of the tongue and
the housewife everyday errors, or not even the many people that killed each
other on the roads. Such things had become commonplace and nobody paid much
attention to them. In particular, the newspapers rarely reported them on the
front page. The scientists were rather concerned about errors in complex
industrial systems where a single person could cause irreparable harm to many
others. These were the kind of events that would grab the headlines and dominate
the news - at least for a day or two.
They
scientists were concerned about what they called the “man at the sharp end”,
by which they meant the people who were caught between the demands from complex
technology and inadequate means they were given to achieve their tasks. Some
scientists wanted to lighten their plight, others just wanted to calculate when
they would fail.
The
well-meaning scientists said to themselves, look we must do something about
this. And since they knew that everything has a cause, they began to look for
causes. This meant that they had to leave their laboratories and go out into the
field.
|
|
When
they came into the field, they looked and found two promontories. One was
a hill called The MINd Field (although it had previously been called the
MINE field) which looked as the results of the forces of nature and the
other was a clearly man-made structure, though somewhat weather worn,
called the HEAP. |
In
addition there was, of course, the whole environment, but being scientists
they paid little attention to that. They were in it, and therefore they did
not notice it.
As many of
the scientists had been trained in psychology, they decided to begin with the
MINd-field. And they started digging. In the beginning work was easy, and they
found lots of little relics in the upper layers. There was also some dirt, which
they kept to themselves and only discussed during conference coffee breaks. But
they did not find the chest with the treasure, i.e., the cause of all things, in
search of which they had started their quest. As they began to dig deeper and
deeper, they ran into rocks and boulders, and the work became very strenuous. So
they held a conference. Some were of the opinion that they should continue
digging and try to remove the boulders or get around them, in the certain
conviction that the answer could be found further down. Others doubted that it
was worth the effort and reasoned that they instead started to dig in the other
place, the HEAP. So the split into two groups, and continued their work.
And here we
are. The two groups are still going at it in different directions. Every now and
then someone from either group will look up from their work and notice the world
around them; and sometimes they will begin to wonder whether the cause of all
things is to be found elsewhere. But soon they will turn their attention to the
unfinished work and keep on digging and analysing.
This book is
about what we found when we tried to dig deeper in the MINd field.
2.
Acknowledgements
There are
two types of acknowledgements, one that refers to the contents and one that
refers to the context. In terms of contents, the ideas described in this book
have been developed over a number of years and have benefited from the
discussions and collaborations with and inspirations from a number of friends
and colleagues. Chapter 1 gives a brief description of the background for the
book in terms of the gradual development of the basic ideas. Here I will confine
myself to thank a small number of people who, in one way or another, have been
very important for the development and realisation of CREAM. It is unfortunately
practically impossible to mention everyone, and it is decidedly unfair to the
rest to single out a few. So with the risk of offending members from both camps,
I will mention three groups that have been particularly important. One group
includes the people, past and present, from the Institute for Systems,
Informatics, and Safety (ISIS) at the Joint Research Centre in Ispra (Italy), in
particular Carlo Cacciabue and
Mauro Pedrali
who were among the first to see the possibilities of the general approach
described by CREAM and the power of the phenotype-genotype distinction. A second
group includes my colleagues at Human Reliability Associates (UK), in particular
Phil Marsden who was instrumental in the first development of the predictive
method and who contributed significantly to the historical perspective. Many of
the practical issues of CREAM were also refined in a constructive interaction
with two customer organisations, the Institute for Nuclear Safety Systems (INSS)
in
Japan
and the Korean Atomic Energy Research Institute (KAERI). A third group includes
the PSA/HRA practitioners, in particular Ed Dougherty Jr., Mike Frank, Tony
Spurgin, and John Wreathall. Their interest has been particularly encouraging
for a poor psychologists who have ventured into the quagmire of the real world
(and survived!). I am also indebted to David Woods who provided me with many
succinct comments and asked more questions - in writing - than I could possibly
answer. Finally, I would like to thank Dr. Singh from EPRI for reference
material on the Method for Addressing Human Error in Safety Analysis.
In terms of
the context, I am thinking of the tolerance, patience, and encouragement that
every author needs from his family. Writing a book is a very egotistical
enterprise where the author can disappear for long periods of time into a
universe that often must seem impenetrable. My dear wife, Agnes, has not only
been infinitely patient but has also provided me with both moral support and
sustenance whenever needed. Without that I would not have been able to complete
this book. Unfortunately, I dare promise that I will never do it again.
Table of Contents
| Foreword |
|
|
A
Fable |
|
| Acknowledgements |
|
| CHAPTER
1: THE STATE OF HUMAN RELIABILITY ANALYSIS |
1.
INTRODUCTION
1.1 The Pervasiveness Of Human Erroneous Actions
1.2 Human Actions As Causes
1.3 Deterministic And Probabilistic Analyses
1.4 Point-To-Point Analyses
1.5 Analysis And Prediction
2.
SHORTCOMINGS OF FIRST-GENERATION HRA
2.1 A Pragmatic Criticism
2.2 A Principled Criticism
2.3 THERP
2.4 Time-Reliability Correlation And Human Cognitive Reliability
2.5 The Reality Of The Human Error Probability
2.6 Consequences Of The Criticism
2.7 PSA-cum-HRA
3.
COGNITIVE RELIABILITY AND ERROR ANALYSIS METHOD
3.1 Cognitive
3.2 Reliability
3.3 "Error"
3.4 Analysis
3.5 Method
3.6 The Scientist And The Engineer
4.
BACKGROUND OF THE BOOK
4.1
Structure Of The Book
|
| CHAPTER
2: THE NEED OF HRA |
1. THE
UBIQUITY OF ERRONEOUS ACTIONS
1.1 Definitions Of "Human Error"
1.2 The Criterion Problem
1.3 Performance Shortfall
1.4 Volition
1.5
Conclusions
2.
THE ROLE OF HRA IN PSA
2.1 The PSA Sequence Model
2.2 The Consequences Of Human Actions
2.3 Data And Quantification
2.3.1 The Decomposition Of Cognition
2.4 The Scope Of HRA
3. THE
MODELLING OF ERRONEOUS ACTIONS
3.1 Omission And Commission
3.2 The Hunting Of The SNARK
3.3 Omission, Commission, And "Cognitive Error"
3.4 Overt And Covert Events
3.5 Phenotypes And Genotypes
3.6 "Cognitive Error" Defined
4.
CHAPTER SUMMARY
|
|
CHAPTER
3: THE CONCEPTUAL IMPUISSANCE
|
1. THE
CLASSIFICATION OF ERRONEOUS ACTIONS
1.1 Cause And Manifestation
2.
TRADITIONAL HUMAN FACTORS APPROACHES
2.1 Descriptions Of Specific Psychological Causes
2.2 Descriptions Of General Psychological Causes
3.
INFORMATION PROCESSING APPROACHES
3.1 Human Information Processing Models
3.1.1 Quantitative Models Of Erroneous Actions
3.1.2 Qualitative Models Of Erroneous Actions
3.2 Pedersen's Classification Of Error In Accident Causation
3.3 Generic Error Modelling System
3.4 Rouse's Operator Error Classification Scheme
3.5 HEAT - Human Error Action Taxonomy
3.6 POET
3.7 NUPEC Classification System
3.8 Summary
4. THE
COGNITIVE SYSTEMS ENGINEERING PERSPECTIVE
4.1 The Joint Cognitive Systems Paradigm
4.2 Contextual Determination
4.3 Socio-Technical Approaches
5.
EVALUATION
5.1 Traditional Human Factors and Ergonomic Approaches
5.2 Information Processing Models
5.3 Cognitive Systems Engineering
6.
THE SCHISM BETWEEN HRA AND PSYCHOLOGY
6.1 Performance Analysis - Explaining The Past
6.2 Performance Prediction - Divining The Future
7.
CHAPTER SUMMARY
|
|
CHAPTER
4: A CONCEPTUAL FRAMEWORK
|
1.
INTRODUCTION
2. THE
NEED TO PREDICT
2.1 Initiating Events And Response Potential
2.2 Prediction For Interactive Systems
3.
METHOD, CLASSIFICATION, MODEL
3.1 Method
3.2 Classification Scheme
3.3 Model
3.4 The MCM Framework
3.5 The Role Of Data
3.6 Data Analysis
4.
MODELLING OF COGNITION
4.1 Modelling Traditions
4.2 Micro-And Macro Cognition
4.3 Cognitive Functions
4.4 Structural Models
4.4.1 The Sequentiality Of Cognition
4.4.2 Context Free Processes
4.5 A Simple Model of Cognition (SMoC)
5.
STANDARD CLASSIFICATION SCHEMES
5.1 Factors Influencing Vulnerability To Error
5.2 Classification In First-Generation HRA
5.3 Classification In Human Information Processing
5.4 Classification In Cognitive Systems Engineering
6.
PERFORMANCE SHAPING FACTORS AND COMMON PERFORMANCE CONDITIONS
6.1 Performance Shaping Factors In THERP
6.2 Classical Performance Shaping Factors
6.3 Error Modes And Error Models
6.4 Specific Effects Of Performance Conditions
6.5 Dependency Of Performance Conditions
7.
CHAPTER SUMMARY
|
| CHAPTER
5: HRA - THE FIRST GENERATION
|
1.
RELIABILITY AND SAFETY ANALYSIS OF DYNAMIC PROCESS SYSTEMS
2.
FIRST-GENERATION HRA APPROACHES
2.1 Accident Investigation And Progression Analysis (AIPA)
2.2 Confusion Matrix
2.3 Operator Action Tree (OAT)
2.4 Socio-Technical Assessment Of Human Reliability (STAHR)
2.5 Technique For Human Error Rate Prediction (THERP)
2.6 Expert Estimation
2.7 Success Likelihood Index Method / Multi-Attribute Utility
Decomposition (SLIM/MAUD)
2.8 Human Cognitive Reliability (HCR)
2.9 Maintenance Personnel Performance Simulation (MAPPS)
3.
CONCLUSIONS
3.1 Method Description
3.2 Classification Schemes
3.3 Operator Models
3.4 Design And Performance Analysis
4. HRA
AND COGNITION: EXTENSIONS
4.1 Cognitive Environment Simulator (CES)
4.2 INTENT
4.3 Cognitive Event Tree System (COGENT)
4.4 EPRI Project On Methods For Addressing Human Error In Safety Analysis
4.5 Human Interaction Timeline (HITLINE)
4.6 A Technique For Human Error Analysis (ATHEANA)
4.7 Conclusions
5.
CHAPTER SUMMARY
|
| CHAPTER
6: CREAM - A SECOND GENERATION HRA METHOD
|
1.
PRINCIPLES OF CREAM
1.1 Method Principles
1.2 Model Fundamentals
2.
MODELS OF COGNITION
2.1 A Simple Model Of Cognition
2.2 Competence And Control
2.3 Four Control Modes
3. BASIC
PRINCIPLES OF THE CLASSIFICATION SCHEME
3.1 Causes And Effects
3.2 A Note On Terminology
4.
CLASSIFICATION GROUPS
4.1 Details Of Classification Groups
4.1.1 Error Modes (Basic Phenotypes)
4.1.2 Person Related Genotypes
4.1.3 Technology Related Genotypes
4.1.4 Organisation Related Genotypes
4.1.5 Summary
5. LINKS
BETWEEN CLASSIFICATION GROUPS
5.1 Consequent-Antecedent Relations In CREAM
5.1.1 Error Modes (Phenotypes)
5.1.2 Person Related Genotypes
5.1.3 Technology Related Genotypes
5.1.4 Organisation Related Genotypes
5.2 The Interdependency Of Consequents And Antecedents
5.3 Direct And Indirect Consequent-Antecedent Links
5.4 Context Dependence Of Classification Groups
5.5 Possible Manifestations And Probable Causes
6.
CHAPTER SUMMARY
|
|
CHAPTER
7: THE SEARCH FOR CAUSES: RETROSPECTIVE ANALYSIS
|
1.
ANALYSIS AND STOP RULES
1.1 Terminal And Non-Terminal Causes
1.2 Analysis Of A Fictive Event
1.3 Analysis Of A Real Event
2.
OVERALL METHOD
2.1 Context Description
2.2 Possible Error Modes
2.3 Probable Error Causes
2.4 Detailed Analysis Of Main Task Steps
2.5 Going Beyond The Stop Rule
3.
EXAMPLE OF RETROSPECTIVE ANALYSIS
3.1 Tube Rupture
3.2 Isolation Of Ruptured Steam Generator - How Soon?
3.3 Event Analysis
3.3.1 Describe Common Performance Conditions
3.3.2 Describe The Possible Error Modes
3.3.3 Describe The Probable Causes
3.3.4 Detailed Analysis Of Main Task Steps
3.3.5 Summary Of Analysis
4.
CHAPTER SUMMARY
|
| CHAPTER
8: QUALITATIVE PERFORMANCE PREDICTION
|
1.
PRINCIPLES OF PERFORMANCE PREDICTION
1.1 Scenario Selection
1.2 The Role Of Context
1.3 Performance Prediction In First-Generation HRA
1.3.1 Pre-Defined Sequence Of Events
1.4 Success And Failure
1.5 The Separation Between Analysis And Prediction
2.
PREDICTIVE USE OF THE CLASSIFICATION SCHEME
2.1 Combinatorial Performance Prediction
2.2 Context Dependent Performance Prediction
3.
PRINCIPLES OF QUALITATIVE PERFORMANCE PREDICTION
3.1 Forward Propagation From Antecedents To Consequents
3.2 Example: The Consequents Of Missing Information
3.3 Discussion
4.
CHAPTER SUMMARY
|
| CHAPTER
9: THE QUANTIFICATION OF PREDICTIONS
|
1. CREAM
- BASIC METHOD
1.1 Construct The Event Sequence
1.2 Assess Common Performance Conditions
1.3 Determine The Probable Control Mode
1.4 The Control Mode For The Ginna Example
2. CREAM
BASIC METHOD: AN EXAMPLE
2.1 Construct Event Sequence
2.2 Assess Common Performance Conditions
2.3 Determine The Probable Control Mode
3. CREAM
- EXTENDED METHOD
3.1 Build A Cognitive Demands Profile
3.2 Identify Likely Cognitive Function Failures
3.3 Determine Failure Probability
3.4 Accounting For The Effects Of Common Performance Conditions On CFPs
4.
EXTENDED CREAM METHOD: AN EXAMPLE
4.1 Build A Cognitive Demands Profile
4.2 Identify Likely Cognitive Function Failures
4.3 Determine Failure Probability
4.4 Incorporating Adjusted CFPs Into Event Trees
5.
CHAPTER SUMMARY
|
| References |
|
|
Index |
|
Back