Safety and Reliability
ISSN: 0961-7353 (Print) 2469-4126 (Online) Journal homepage: https://www.tandfonline.com/loi/tsar20
Heart—A Proposed Method for Achieving High
Reliability in Process Operation by Means of
Human Factors Engineering Technology
J. C. Williams
To cite this article: J. C. Williams (2015) Heart—A Proposed Method for Achieving High
Reliability in Process Operation by Means of Human Factors Engineering Technology, Safety
and Reliability, 35:3, 5-25, DOI: 10.1080/09617353.2015.11691046
To link to this article: https://doi.org/10.1080/09617353.2015.11691046
Published online: 11 Mar 2016.
Submit your article to this journal
Article views: 437
View related articles
View Crossmark data
Citing articles: 2 View citing articles
Full Terms & Conditions of access and use can be found at
https://www.tandfonline.com/action/journalInformation?journalCode=tsar20
5
HEART
A PROPOSED
METHOD FOR
ACHIEVING HIGH RELIABILITY IN PROCESS OPERATION
BY MEANS OF HUMAN FACTORS ENGINEERING TECHNOLOGY
J.
c.
Williams
Central Electricity Generating Board
Abstract
One of the last remaining hurdles to be overcome in the design of safe,
reliable systems is the human being. For some time now safety and
reliability engineers have recognised that they not only need to be able to
assess the likelihood and impact of human unreliability but would benefit
from a working knowledge of ho~ to apply human factors engineering
technology to optimise overall systems design.
Most safety and reliability engineers also appreciate that beyond the
immediate superficial level human engineering principles are not only
difficult to enunciate, understand or evaluate, but are occasionally costly
to apply. Often sub-systems which are manifestly well-engineered from a
human factors standpoint fail to achieve the sort of total reliability
expected when integrated with other sub-systems, to the consternation of
the process and system designer. When this happens the operator finds it
hard to believe that such a mismatch could have occurred because of a high
level failure of human engineering, and will often resort to remedies from
the management ""tool-kit"", rather than the human factors design database.
This paper attempts to minimise the likelihood of such outcomes by
identifying the relevant factors, which from the author's experience, are
considered likely to facilitate thz achievement of high man-machine
system reliability
It demystifies human factors technology by assigning
relative weights to the factors, identifying impacts and suggests a set of
human error data which should assist assessors and designers in the
achievement of high systems reliability.
1.
Introduction
In order to achieve high human reliability it is necessary to know
something about error-likely situations, what sort of error these
might lead to and the strength of the effects. Additionally it is
important to the safety and reliability engineer to have some
indication of the likely magnitude of a potential error so that
together with a knowledge of error-likely situations some remedial
measures can be taken as appropriate.
6
Until recently it has been difficult to obtain either form of
information. Whilst this paper cannot claim to furnish all the
necessary information, it does attempt to provide a simplified set
of guidelines for identifying potential major sources, types and
strengths of human error, assigning nominal probabilities of
error, identifying the impacts of some performance-shaping factors
and it suggests a battery of remedial measures which can be
invoked in order to minimise the impact of human unreliability in
process operation.
The method for conducting this analytical process is based on a
technique, developed by the author over the last 16 years, known
as HEART, the Human Error Assessment and Reduction Technique. The
technique is based p~rely on the author's-experienc; in human
factors engineering and assessment. It is not exhaustive, nor is
it validated. As an initial guide to the safety and reliability
engineer, however, it will probably be more helpful than no
guidance at all. This paper draws heavily on some notes first
prepared for the Materials Working Group of the UKAEA PWR Research
Co-ordination Committee (Williams, 1984).
2.
The Simplified HEART
2.1
Identification of sources of human unreliability
Safety and reliability engineers are concerned with gross changes
in probability of failure within systems e.g. factors of 10, the
proverbial "order of magnitude". The portion of HEART which is
likely to be of most interest to safety and reliability engineers
is concerned with those factors, therefore, which are likely to
produce probability of failure modification in excess of a factor
of 3, and which could possibly threaten system safety or
reliability. In addition to identifying the strengihs of these
factors a great many others will be mentioned, which whilst
failing to satisfy the factor of 3 criterion are important to the
assessor, precisely for this latter reason. Quite a number of
these latter performance-shaping factors are frequently mentioned
in the literature in the context of large changes, but as will be
seen from the assessor's point-of-view their effects are
relatively small and may be ignored for most practical safety and
reliability purposes.
A simplified qualitative guideline for identifying the likely
sources, classes and strengths of human error would look something
like this:-
7
Principal
Classes of
of Error
Strength
of Effect
Impaired System
Knowledge
Substitution
Omission
Insertion
Very great, especially
if a model or stereotype
is violated
Response Time
Shortage
Omission
Substitution
Timing
Insertion
Great, if system is
unforgiving
Poor or ambiguous
System feedback
Omission
Transposition
Substitution
Strong
Significance
judgement required
of operator
Omission
Substitution
Multiple
Mixed
Measurable
Level of alertness
resulting from
duties, ill-health
or environment
Omission
Substitution
Transposition
Comparatively
small
Source of Human
Unreliability
2.2
Relative Strengths of Error-producing Conditions
In general the last two sources of human unreliability do not
matter greatly from a safety snd reliability perspective because
the maximum change in unreliability which might occur will rarely
exceed a factor of 2.
This then is the first part of the HEART screening process. The
assessor should decide whether the possible sources of
unreliability are of the first three types and he can do this by
asking whether any of the following error-producing conditions
exist, assessing how much of any given condition might affect the
operator and determining from the strength of effect shown below
for each factor how much unreliability might change going from
good conditions to bad (excluding extremes such as life or healththreatening conditions).
8
Condition
Maximum predicted nominal
amount by which unreliability
might change going from good
conditions to bad
Unfamiliarity with a situation
which is potentially important
but which only occurs
infrequently or which is novel
X 17
2.
A shortage of time available
for error detection and correction
X 11
3.
A low signal-noise ratio
X
10
4.
A means of suppressing or
over-riding information or features
which is too easily accessible
X
9
s.
No means of conveying spatial
and functional information to
operators in a form which they
can readily assimilate
X
8
6.
A mismatch between an operator's
model of the world and that imagined
by a designer
X
8
7.
No obvious means of reversing
an unintended action
X
8
8.
A channel capacity overload,
particularly one caused by
simultaneous presentation
of non-redundant information
X
6
9.
A need to unlearn a technique
and apply one which requires the
application of sn opposing
philosophy
X
6
10.
The need to transfer specific
knowledge from task to task without
loss
X
5.5
11.
Ambiguity in the required
performance standards
X
5
12.
A mismatch between perceived
and real risk
X
4
13.
Poor, ambiguous or ill-matched
system feedback
X
4
9
Error-producing Condition
Maximum predicted nominal
amount by which unreliability
might change going from good
conditions to bad
X
4
Operator inexperience (e.g. a newlyqualified tradesman, but not an "expert")
X
3
16.
An impoverished quality of information
conveyed by procedures and person/person
interaction
X
3
17.
Little or no independent
checking or testing of output
X
3
14.
No
of
of
be
15.
clear direct and timely confirmation
an intended action from the portion
the system over which control is to
exerted
The following error-producing conditions are presented simply
because they are frequently mentioned in the human factors
literature as being of some importance in human reliability
assessment. To a human factors engineer, who is sometimes
concerned about performance differences of as little as 3%, all
these factors are important, but to safety and reliability
engineers who are usually concerned with differences of more than
300%, they are not very significant. The factors are identified
so that safety and reliability engineers can decide whether or not
to take account of them after the initial screening.
18.
A conflict between immediate
and long-term objectives
X
2.5
19.
No diversity of information
input for veracity checks
X
2.5
20.
A mismatch between the educational
achievement level of an individual
and the requirements of the task
X
2
21.
An incentive to use other
more dangerous procedures
X
2
22.
Little opportunity to exercise
mind and body outside the illllllediate
confines of a job
X
1.8
23.
Unreliable instrumentation (enough
that i t is noticed)
X
1.6
24.
A need for absolute judgements
which are beyond the capabilities or
experience of an operator
X
1.6
10
Error-producing Condition
2.3
Maximum predicted nominal
amount by which unreliability
might change going from good
conditions to bad
25.
Unclear allocation of function and
responsibility
X
1.6
26.
No obvious way to keep track
of progress during an activity
X
1.4
27.
A danger that finite physical
capabilities will be exceeded
X
1.4
28.
Little or no intrinsic meaning in a
task
X
1.4
29.
High-level emotional stress
X
1.3
30.
Evidence of ill-health amongst
operatives, especially fever
X
1.2
31.
Low workforce morale
X
1.2
32.
Inconsistency of meaning of displays
and procedures
X
1.2
33.
A poor or hostile environment (below
75% of health or life-threatening
severity)
X
1.15
34.
Prolonged inactivity or highly
repetitious cycling of low
mental workload tasks
X
1.1
X
1.05
35.
Disruption of normal
work-sleep cycles
X
1.1
36.
Task pacing caused by the
intervention of others
X
1.06
37.
Additional team members over and
above those necessary to perform task
normally and satisfactorily
x
1.03
38.
Age of personnel performing
perceptual tasks
X
1.02
for 1st halfhour
for each hour
thereafter
per
additional
man
Orders of Magnitude of Failure
Having determined whether the three principal sources of human
unreliability, imparted system knowledge, response time pressure
or poor or ambiguous feedback are likely to affect the achievement
11
of high reliability, the assessor is likely to want to determine
the extent of any shortfall.
He can do this by using the second part of the HEART method.
First he should decide what the likely nominal range of human
unreliability might be in relation to the types of task he is
considering. This can be achieved by consulting the following
list to see if any of the task descriptions match those he is
assessing.
Generic Task
(A)
Proposed nominal
Human Unreliability
Totally unfamiliar,
performed at speed
with no real idea of
likely consequences
5th - 95th
Percentile Bounds
0.55
0.35 - 0.97
(B)
Shift or restore system
to a new or original
state on a single
attempt without supervision
or procedures
0.26
0.14 - 0.42
(C)
Complex task requiring
high level of comprehension
and skill
0.16
0.12 - 0.28
(D)
Fairly simple task
performed rapidly or
given scant attention
0.09
0.06 - 0.13
(E)
Routine, highly-practised,
rapid task involving
relatively low level of
skill
0.02
0.007 - 0.045
(F)
Restore or shift a system
to original or new state
following procedures, with
some checking
0.007
0.0008 - 0.0035
(G)
Completely familiar, welldesigned, highly practised,
routine task occurring
several times per hour,
performed to highest possible
standards by highly-motivated,
highly-trained and experienced
person, totally aware of
implications of failure, with
time to correct potential
error, but without the benefit
of significant job aids
0.0004
0.00008 - 0.009
12
Proposed nominal
Human unreliability
(H)
Respond correctly to
system command even when
there is an augmented or
automated supervisory
system providing accurate
interpretation of system
state
0.00002
5th - 95th
Percentile Bound
0.000006 - 0.0009
If none of these task descriptions fit the type of task that
the safety and reliability engineer is considering he may take
the following values as reference points:(M)
Miscellaneous task
for which no description
can be found
0.03
0.008 - 0.11
Now he may proceed to employ the second part of the HEART
principles.
Simply by using the proposed nominal human unreliability from one
of the task descriptions above the safety and reliability engineer
can now assess not only the basic unmodified likelihood of task
failure, but he can examine what might happen to this assessed
value if some or all of the error-producing conditions are present
to any extent.
To calculate the effect of the error-producing conditions all the
assessor need do is estimate using his own judgement, that of a
group or that of a human factors engineer, what proportion of any
given error-producing condition might exist and multiply the basic
task unreliability by the appropriate proportions of the errorproducing conditions.
A safety and reliability engineer wishes to assess the nominal
likelihood of an operative's failing to isolate a plant bypass
route following strict procedures, but when it necessitates a
fairly inexperienced operator's applying an opposite technique to
that which he normally uses to carry out isolations and involves a
piece of plant, the inherent major hazards of which he is only
dimly aware. We shall assume that the man could be in the seventh
hour of the shift, that there is talk of the plant's imminent
closure, that his work may be checked and that the local
management of the company is desperately trying to keep the plant
operational despite the real need for maintenance because of its
fear that partial shutdown could quickly lead to total permanent
shutdown.
13
Using a simplified HEART the safety and reliability engineer's
assessment would look something like this:Nominal Human Unreliability
Type of Task
o.oo7
F
Error-Producing Conditions
lst screening
Factor
Total HEART
Affect
Inexperience
Opposite technique
Risk misperception
Assessed Proportion
of Affect
3
6
0.4
X
X
4
0.8
X
(3-l)
(6-1)
(4-1)
1.0
Assessed
Affect
X
X
X
0.4 + 1 = 1.8
1.0 + 1 a 6.0
0.8 + 1 • 3.4
Assessed nominal likelihood of failure
0.007
X
1.8
X
6
X
3.4 • 0.26
If our engineer took account of the other factors his assessment
could add:Factor
Total HEART
Affect
Conflict of
objectives
Low morale
Assessed Proportion
of Affect
Assessed
Affect
= 2.2
X
2.5
0.8
(2.5-1)
X
0.8 +
X
1.2
0.6
(1.2-1)
X
0.6 + 1 • 1.02
Assessed nominal likelihood of failure
0.007
X
1.8
X
6.0
X
3.4
X
2.2
X
1.02
0.58
Time-on-shift effects would be ignored as there's no indication of
monotony.
Similar calculations may be performed if desired to calculate the
predicted 5th and 95th percentile bounds.
(As a total probability of failure can never exceed 1.00, if the
multiplicstion of factors takes the value above 1.00, the probability
of failure has to be assumed to be 1.00 and no more).
14
The relative contribution made by each of the error-producing
conditions to the amount of unreliability modification is as
follows:Technique unlearning
Misperception of risk
Conflict of objectives
Inexperience
Low morale
42
24
15
12
% contribution made
to unreliability
modification
7
and the conclusions that may be drawn from this assessment (if
correct) should be fairly obvious.
It is totally inappropriate to require the application of an
opposing philosophy to effect this isolation, it is crucial to
alert operators to the hazards associated with this part of the
plant and it is somewhat unreasonable to impose a doctrine of high
availability on an inexperienced worker and his colleagues who may
be placed in a difficult position when trying to perform their
duties.
It should also be apparent that the initial screening was
sufficient to tell us the dominant factors to which the safety and
reliability engineer should attend.
Should we wish to reduce the predicted unreliability without
changing any of the error-producing conditions we would have to
introduce an automated or augmented supervisory system to provide
accurate interpretations of the plant state. The HEART method
predicts that the introduction of such a design modification
(without modification of the assessed error-producing conditions)
should reduce the nominal unreliability to 0.0016.
As the assessed nominal unreliability for an unmodified F-type of
generic task was predicted to be 0.007 we now have· a means of
comparing the cost-benefits associated with (say) modifying this
particular plant isolation system to make it work the same way as
all the other portions of plant, alerting operators to the hazards
associated with this portion of plant etc. versus introducing an
automated or augmented supervisory system. It would seem
reasonable to suppose that these activities would at least be
partially successful and allow us to achieve much higher human
reliability than might otherwise be the case.
If we wished we could explore the possibilities using the same
assessment technique.
2.5
Remedial Measures
It will have become apparent that application of the Human Error
Assessment part of the HEART method suggests possible-errorReduction Techniques that could be employed, either to combat the
predicted effects of the error-producing conditions, or else to
15
minimise the likelihood of human error occurring in a general
sense. Additionally it will be clear that the first four types of
generic task scenario may not be acceptable when high reliability
is required during process operation, so any measures that can be
employed to suppress and control these error-producing tasks would
perhaps be worth exploring.
Some measures that can be taken both to combat error-producing
conditions and tasks are described below:-
Error-Producing Condition
1.
Unfamiliarity
(x 17)
Remedial Measure
Train operators to be aware of
infrequently-occurring conditions,
simulate such situations, and teach
an understanding of the
consequences.
2.
Time shortage
(x 11)
Management must be aware that
shortage of time is likely to
impair the reliability of
decisions, both their own and their
staff's - and try to ensure that
sensitive decisions are not taken
against the clock.
3.
Low S/N ratio
Strenuous efforts must be made to
ensure that such ratios do not
fall to unreasonably low levels
(x 10)
4.
Features over-ride
allowed
(x 9)
S.
Spatial and functional
incompatibility
(x 8)
If the consequence of placing a
system in an inappropriate state is
potentially damaging, suitable
inter-locking and inhibition must
be provided, together with any
suitable time-outs to return
features to their appropriate
quiescent state
Such incompatibilities should not
occur - sufficient is now known
about human engineering for
population stereotypes that the
problem need not arise to any
extent - where doubt exists advice
should be obtained from trained
Ergonomists, who will either know
exactly how to arrange a design for
spatial or functional
compatibility, or how to run an
appropriate experiment to find out
what is required.
16
Error-Producing Condition
Remedial Measure
6.
Model mismatch
(x 8 )
Designers of systems and equipment
aren't always right - operators
sometimes not only often have
better ideas but possess views
about how a system should function
which are contrary to those of
system designers - under pressure,
particularly, operators will revert
to their own perceptions of how a
system should function, often with
undesirable consequences - to
protect against such mismatches
systems designers must try to find
out what their users' expectations
are, and then design these
characteristics into the system,
omitting their own prejudices, as
they do so.
7.
Irreversibility
Obvious means should be provided to
ensure that errors can be reversed
easily, for preference by means of
reversing the actions which created
the error in the first place.
(x 8)
8.
Channel overload
(x 6)
9.
Technique unlearning
(x 6)
It should never be necessary to
monitor more than one information
channel at any one time - single
events should not occur at more
than three per second.
The greatest possible care should
be exercised when new techniques
are being considered to achieve the
same outcome - they should not
involve adoption of opposing
philosophies.
10. Knowledge transfer
(x 5.5)
Reliance should not be placed on
operators' transferring their
previous knowledge without loss of
precision and meaning - if such
perfect transfer is required
suitable job aids must be made
available for reference.
11. Performance ambiguity
(x 5)
The required performance standards
must be tested for
comprehensibility on the user
population to ensure that there is
no ambiguity.
17
Error-Producing Condition
12. Misperception of risk
(x 4)
13. Poor feedback
(x
4)
14. Delayed/incomplete
feedback
(x 4)
15. Inexperience
(x 3)
16. Impoverished information
(x 3)
17.
Inadequate checking
(x 3)
18. Objectives conflict
(x 2.5)
Remedial Measure
It must not be assumed that a
user's perception of risk is the
same as the actual level - if
necessary a check should be made to
ascertain where any mismatch might
exist and what its extent is.
A task analysis will show the
points at which feedback must be
available to operators Ergonomists can advise on the best
form of feedback if doubts should
arise - what one is looking for is
complete "system transparency"
System response times should never
exceed four seconds and there must
always be sufficient information to
enable operators to step
confidently on to the next part of
a task - if doubt exists the
feedback is incomplete.
Personnel criteria should contain
specified experience parameters
thought relevant to the task chances must not be taken for the
sake of expediency.
Procedures should be humanengineered and tested for
operability - it should be assumed
that when personnel are required to
communicate with each other that
very considerable information loss
will occur - procedures must not
rely on accurate verbal transmission
of information for success.
When high reliability is paramount,
independent checks on accuracy
should be made, by people and
systems that do not have any vested
interest in the success or failure
of an individual - blame should not
attach to any inadequacies found at
this level.
Objectives should be tested by
management for mutual compatibility,
and where potential conflicts are
identified these should either be
18
Error-Producing Condition
18. Objectives conflict
(Continued •••••• )
(x
2.5)
19. No diversity
(x
2.5)
20. Educational Mismatch
(x 2)
21. Dangerous incentives
(x 2)
22. Lack of exercise
(x 1.8)
Remedial Measure
resolved to make them harmonious or
made prominent so that a
comprehensive management control
programme can be created to
reconcile such conflicts as they
arise, in a rational fashion.
It should not be assumed that
operators will rely totally on a
single information source for
confirmation of accuracy, and
enquiries should be made to
ascertain what additional sources
are referred to, so that these are
not denied operators, and, if
possible, are enhanced.
The job profile should identify any
potential mismatch of recruits
against requirements - educational
standards should be made explicit;
there should be no ambiguity.
It is intuitively obvious that
people work for rewards of various
natures - if the reward for doing
something quickly is greater than
the reward for doing it accurately,
or the reward for omitting an action
is greater than the reward for
performing it we should not be
surprised if that is, in the main,
what happens - the reward system
must be evaluated carefully,
therefore, to ensure that the
desired behaviour is emitted,
rather than that which might be
construed as being appropriate
simply because facets of the task
are seen to conform to a partial
criterion - if in doubt, seek
advice from Management Scientists
and/or Psychologists.
Frequent rest breaks should be
designed into the job, and the
system made tolerant to personnel
taking breaks as the need arises tuition should be given in
techniques for maintaining high
levels of arousal, such as postural
19
Error-Producing Condition
Remedial Measure
22. Lack of exercise
(Continued •••••• )
(x 2)
change, personal ventilation and
recognition of fatigue symptoms encouragement should be given to
engage in appropriate mild forms of
physical exercise and relaxation
and stress control - on-the-job
refresher training should be given
and frequent exercises to maintain
and enhance levels of competence
and awareness of technical progress
innovation given.
23. Unreliable instruments
Regrettably it is a fact that when
instrumentation is found to be
unreliable operators will cease to
trust its indications to the extent
of ignoring valid information and
preferring to believe their own
interpretations, despite
overwhelming evidence to the
contrary - if instrumentation is
thought likely to be unreliable it
should be withdrawn from service,
and more reliable instrumentation
substituted - no doubts should
exist about its suitability.
(x 1.6)
24. Absolute judgements
required
(x 1.6)
Operators must not be placed in the
position of having to make
judgements about the meaning of
data which are outside their span
of apprehension or experience - a
task analysis will reveal when such
conditions are likely to arise, and
management must plan for such
contingencies, by recognising the
circumstances and taking full
responsibility for actions which
might be taken on their behalf "brain-storming" and problemsolving workshops are helpful to
identify some of the most bizarre
situations in which staff and
management can find themselves- it
is likely that discussion of these
'grey areas' of organisational
behaviour will reinforce mutual
respect, and anticipate future
conflict and/or issues of
culpability at a time of zero
threat.
20
Error-Producing Condition
25. Unclear allocation of
Function
(x 1.6)
26. Progress tracking lack
(x 1.4)
27. Physical capabilities
(x 1.4)
28. Low Meaning
(x 1.4)
Remedial Measure
As with the area above, doubt must
not exist about responsibilities whilst they can, and should, be
stated on paper, joint preparation
of a functional specification will
remove doubts and anxieties, and
lead to the development of healthy
attitudes towards the system design
concepts - Organisational
Development Specialists and/or
Behavioural Scientists should be
involved in facilitating the
preparation of a satisfactory
working protocol.
Various job aids must be supplied
in order to ensure that operators
do not get out of step with the
task in hand - these can range from
checklists through mimics to
electronic monitoring of progress
against targets - if such aids are
introduced they must be piloted to
ensure that they are compatible
with user needs and that there is
an incentive to use them Ergonomists can advise on these job
design aspects.
It should be self-evident that
tasks must not exceed the
operators' capabilities - reference
to Human Factors Standards will
ensure that these capabilities are
not exceeded.
Meaning can be built into a job by
preparing job descriptions with
the staff concerned, showing them
the significance of their
contribution to corporate
objectives, designing variety into
their duties by arranging for job
features such as task rotation to
enhance system awareness, and
holding periodic reviews of working
practices to ensure that symptoms
of alienation are not manifesting
themselves - Behavioural Scientists
can advise on suitable
precautions.
21
Error-Producing Condition
Remedial Measure
29. Emotional stress
(x 1.3)
Management and medical staff must
be vigilant to recognise the onset
of emotional problems which can
manifest themselves via symptoms
such as excessive absence,
persistent lateness, obsessive
behaviour, lack of co-operation and
exceptional fatigue - personal
stress control training programmes
could be considered, and
potentially stressful decisionmaking circumstances identified so
that the conditions can be modified
to limit occurrence of extreme
generalised stress.
30. Ill-health
Until it is pointed out, it is not
apparent that ill-health can have
such deleterious effects on
performance- often the effects of,
say, a cold or 'flu do not manifest
themselves until well into a shift
- by now it should be obvious that
operators and managers who are ill
should not attempt to undertake
work requiring high reliability,
and out of respect for others, for
system integrity and peace of mind
they should stay away, until
recovered - a medical awareness
programme would be helpful.
(x 1.2)
31. Low morale
(x 1.2)
Apart from the more obvious ways of
attempting to secure high morale by
way of financial reward, for
example, other methods involving
participation, trust and mutual
respect, often hold out at least as
much promise - building up morale
is a painstaking process, which
involves a little luck and great
sensitivity - employees must be
given reason to believe in their
employer and themselves - this can
be accomplished by a battery of
activities, such as joint
preparation of work plans and
objectives, maximal delegation of
authority, reward for effort and
results, provision of subsidised
fringe benefits, firmness of
22
Error-producing Condition
31. Low morale (Continued ••• )
(x 1.2)
32. Inconsistency of
Displays
(x
1.2)
33. Poor environment
(x 1.15)
34. Low loading
(x 1.1) 1st\ hr.
(x 1.05) each hour
thereafter
Remedial Measure
resolve and openness -it is not
achieved to any great extent by
appeals to workforces to stick by
management - the respect necessary
to make morale rise is earned not
enforced - a sensitive, caring
management, would be unlikely to
encounter such problems.
Even if the conventions adopted for
display layout and procedure design
are not human-engineered for ease
of use, they must be consistent
within themselves e.g. if a display
is showing an increasing value even
though in an analogue sense the
portion shown is decreasing, this
convention must be adhered to
throughout - even though such a
principle is "wrong" (for
preference such an approach would
not be encouraged, of course)
It should be self-evident that a
poor environment is likely to impair
performance - by and large this
should not occur nowadays with the
introduction of legislation to
control environments - to minimise
any deleterious effects Work
Physiologists, Ergonomists and/or
Architects should be consulted for
details of appropriate parameters.
Prolonged inactivity or highly
repetitious cycling of low mental
workload tasks must be avoided generally when signal frequency
falls below two per minute or
involves little or no variability,
vigilance performance will degrade
- to combat such effects the
introduction of artificial signals
has been found to be helpful, and
job enrichment (with the
in(4oduction of different, more
varied tasks) has been found to
minimise boredom, and better hold
attention - rather than combat
these effects, it is better to
ensure that such conditions do not
arise in the first place i.e.
23
Error-producing Condition
34. Low loading (Continued •• )
(x 1.1 ) 1st
~hr.
(x 1.05) each hour
thereafter
35. Sleep cycle disruption
(x 1.1)
Remedial Measure
observation tasks demanding high
human reliability should never
require sessions of longer than one
hour's concentration and tasks
involving very low signal frequency
should not be designed - if
possible such tasks should be
automated.
Only extreme sleep deprivation will
cause performance degradation - our
major interest, therefore, is in
keeping small amounts of
deprivation to a minimum - this can
be achieved by keeping operators on
a "stable" shift system such that
there are no radical changes to
either the pattern or the time of
day over which such changes occur the frequency with which
changeovers occur should be as low
as can reasonably be achieved advice should be sought from Work
Physiologists.
36. Task Pacing
(x 1.06)
Although all work ultimately
involves some element of pacing,
the unwitting or deliberate
introduction of pacing will lead to
a slight reduction in reliability this can be avoided by checking
work systems to ensure that there
is sufficient 'buffering' such that
operators are not subject to undue
pressure and can work at their own
preferred pace - the one which best
matches their capability.
37. Supernumeraries
Where possible, limit gatherings
of staff at workplaces to those
necessary to perform tasks
satisfactorily.
(x 1.03)
38. Age
(x 1.02)
Monitor perceptual capabilities of
personnel required to perform task
demanding high acuity and
accurate information processing.
24
2.6
Suppression and control of error-producing tasks
Unfamiliar tasks
Plan the training and work programme
so that the likelihood of new,
unfamiliar tasks arising is extremely
small.
Restoration of System
State
As mentioned elsewhere, care should be
taken to ensure that there is a system
of auto time-outs, inhibitions,
defaults etc. to ensure that wherever
possible, responsibility does not rest
on the operator to shift or restore
the system to a new or original state,
without supervision - obviously, where
possible, job aids and supervision
should be available to unburden the
operator.
Complex Task
Clearly the hope is that operators
will be become sufficiently proficient
that the sort of task identified will
not prove to be a complex one,
requiring a high level of
comprehension and skill- if such a
task exists in their repertoire then
the training might be judged to have
failed - this potential problem then
should be removed by training to some
performance criterion.
Simple Task
For high reliability this is what we
need our tasks to amount to in the
minds of our operators, but we must
ensure that they are not performed in
a cavalier fashion -t'herefore whilst
training them with the hope that the
tasks will ultimately appear simple,
an integral part of the training
programme will be to alert operators
to the pitfalls of thinking that
simple tasks can be performed rapidly
in this context, or given scant
attention.
Highly-Practised
Below this level there is little that
can be achieved to control the
production of error - operators will
already be performing at the limits of
their ability - further improvements
can only be achieved by means of
constant rehearsal and training to
appreciate the "cost" of failure or
the introduction of system aiding
and/or increasing amounts of
supervision.
25
3.
Conclusions
By now it should be clear that the safety and reliability engineer
is likely to be in a position to achieve high human reliability
in process operation. Whilst the HEART method is so far
unvalidated, it does at least hold out the hope of indicating the
likely magnitude of potential errors, and identifying some of the
error-likely situations.
The simplified set of guidelines could serve as a means of
identifying potential major sources, types and strengths of human
error, whilst application of the battery of remedial measures
should give some prospect of achieving high human reliability in
process operation.
The perennial problems associated with assessing human
reliability, namely the relative absence of data and validation
have not receded, but there is some hope that data sources may be
found and that the need for validation will be acted upon in the
near future. In the meantime the safety and reliability engineer
must be content with somewhat inadequate tools. However,
inadequate the HEART method may prove to be it is almost certainly
more useful than no guidance at all.
4.
Reference
Williams (1984)
"Guidelines on possible sources of Human Error" PWR
Research Co-ordination Committee, Materials Working Group,
PWR/RCC/MWG/P(84)405, 10 December 1984, UKAEA, Risley,
Warrington.
5.
Acknowledgements
The author would like to thank Miss C Joures for typing this
manuscript.
N.B.
The views expressed in this paper are not necessarily those
of the Central Electricity Generating Board.