Applied Ergonomics 1992, 23(5), 299-318

Human error identification in human reliability assessment. Part 1: Overview of approaches

Barry Kirwan
Industrial Ergonomics Group, School of Manufacturing and Mechanical Engineering, Birmingham University, UK

This paper reviews a number of approaches which can be used to identify human
errors in human-machine systems. These approaches range from simple error
classifications to sophisticated software packages based on models of human
performance. However, the prediction of human behaviour in complex environments
is far from being an easy task itself, and there is significant scope for improvement in
human error identification 'technology'. This first paper in a series of two reviews the
available techniques of human error identification, highlighting their strengths and
weaknesses. The second paper will review the validation of such approaches, and
likely future trends in this area of human reliability assessment.
Keywords: Human error; risk assessment; human reliability assessment

Introduction
The assessment of what can go wrong with large-scale systems such as nuclear power plants is of
considerable current interest, given the past decade's
record of accidents attributable to "human error". Such
assessments are formal and technically complex evaluations of the potential risks of systems, and are called
probabilistic risk assessments (PRAs). Today, many
PRAs consider not just hardware failures and environmental events which can impact upon risk but also
human error contributions: accidents ranging from
Bhopal, to the near-misses that occur, such as the
Davis-Besse incident1, justify this inclusion of human
error.
The assessment of the human error contribution to
risk is via the use of human reliability assessment
(HRA) tools. Most papers on HRA are concerned with
the quantification of human error potential, as most
research in HRA has focused on this area. This paper,
however, attempts to bring together a representative
sample of techniques for the identification of human
errors, so that the state of the art and trends/development needs in this area can be assessed. This is
necessary because human error identification (HEI), as
will be argued, is at least as critical to assessing risk
accurately as the quantification of error likelihoods,
and yet is relatively under-developed.
This paper therefore assesses the state of the art of
HEI. Before moving on to the actual techniques,
however, the requirements of PRA and HRA need to
be further defined in order to state criteria which can be
used to assess the validity and usefulness of HEI
models. This is achieved by considering firstly the
'PRA perspective', and then HEI as part of the 'HRA
process' in PRA, as described below.

Vol 23 No 5 October 1992

The PRA perspective


During the risk assessment of a new or existing plant
it is critical that the full impact of human error on
system safety is properly evaluated. Probabilistic risk
(or safety) assessments (PRAs or PSAs) consider all
the negative impacts on the safety of a system,
including human error, in order to decide what the risk
is for a particular system, and whether that risk is
acceptable to society.
In the early development period of risk assessment
and reliability technology, when design and safety
engineering capabilities were not as advanced as today,
most system failures were linked to hardware failures
and the unfortunate occurrence of damaging environmental events. Currently, however, as engineering has
overcome many of the problems which beset early
complex systems, and as protection from the environment has improved, the focus of attention in risk terms
has switched to human error. This shift of attention has
been reinforced by a series of accidents in high-risk
technologies whose major cause has been labelled
"human error". In the past decade in particular, with
accidents ranging from Three Mile Island to Chernobyl,
there has been increasing demand for the domain of
HRA to help assess the human contribution to risk for
new and existing systems.

0003-6870/92/05 0299-20 $03.00 (c) 1992 Butterworth-Heinemann Ltd
The approach of PRA itself (see ref 2 for a fuller
description of PRA tools) is initially to define a set of
undesirable events (eg incidents such as a loss of
coolant accident in a nuclear power plant, as happened
at Three Mile Island). PRA must then identify what
hardware and software failures, environmental events,
and human errors, alone or in concert, can lead to these
events. PRA then, having identified the 'failure paths',
quantifies the likelihood of each failure and each failure
combination, and derives a prediction of how often the
event will occur, along with estimates of its consequences (eg number of fatalities).
The aggregation of the predictions of all defined
undesirable events for a system is called the "risk
picture", and this summation of all reasonably possible
accidental events is then reviewed by decision-making
bodies (eg regulators) to decide whether the plant can
be built or allowed to continue running.
What PRA requires from HRA, therefore, is the
identification of errors and the quantification of their
likelihoods of occurrence and, if the calculated risks are
too high, means of reducing error likelihoods, via the
tools and methodology of HRA. In order to see how
HRA interacts with PRA, and to see how HEI interacts
with other aspects of HRA, it will be necessary to
overview the HRA process. Before doing this, however,
it is worth defining what is (and is not) meant by the
term "human error".
Error itself is an elusive concept 3, but here is
operationally defined as the failure to perform an
action (including inaction if required) within the tolerance limits necessary for adequate and safe system
performance. It should be noted that throughout this
paper, and HRA in general, the term "error" has no
moral connotation of personal failure or blame.
This is partly because blame has no useful place in
PRA, but also because errors are almost always the
product of many factors in the system itself, of which
the human is one component. Allocating blame to
human error is therefore similar to prosecuting an
airplane tyre that burst during take-off. The problem
with blame is that it does not address accident and
incident root causes, and in fact shields them from
further scrutiny and treatment. Blame is therefore a
counter-productive concept in PRA and HRA.

The HRA process

HRA has developed over the past three decades, but
it could be said that only in the past decade has it "come
of age". In particular, since risk assessment is a
quantitative discipline, the major focus of HRA has
also been quantitative in approach. Thus most research
and development has gone into the generation of valid
estimates of how often an error will occur in a task (the
human error probability), and a range of techniques
now exist for doing this. Quantification, however, is
only part of the HRA process.

The full HRA process that serves as an input to PRA
is shown in Figure 1 (for more detail, see ref 5). Briefly,
the HRA analyst working alongside other risk analysts
must first scope the problem being addressed. For
example, the analyst must decide whether maintenance
error contributions to the undesirable events will be
considered in the HRA. The analyst then carries out
some form of task analysis to define what the operator
in the scenario under investigation should do: ie how
the operator should act if no error occurs. The task
analysis may also identify key ergonomics aspects of the
operator interface. Next, and central to this review, the
analyst must identify what errors can occur, which can
contribute to the undesirable event of concern.
HEI at its most simple level merely considers that the
operator may fail to achieve the task goals with
sufficient precision, or too late, or may fail to carry out
the task at all, or may carry out an inappropriate task
instead of the one required.
Once such errors have been identified, they must be
represented in a logical and quantifiable framework
along with other related and unrelated contributors to
the undesirable event or accident. PRA mainly uses
two means of representation of human and other
failures: the fault tree and the event tree (see ref 2 for a
detailed description).
The fault tree is a top-down approach starting from a
top (undesirable) event and defining the necessary
combinations of failures which need to occur to cause
it. The event tree starts from an initiating event and
considers other subsequent events which can either
recover the situation or make it worse. Human errors
can be put into both these types of representation,
defined in a binary fashion, whereby an operator either
does something or does not: trying to deal with states
which are in between is more difficult, though not
impossible. Therefore HEI must identify errors which
can then be represented in a fault- or event-tree format,
which usually necessitates an implicit binary description
of success/failure. Failure (or error) in this sense is
usually defined as the failure to perform an act within
the limits (of time, accuracy etc) required for safe
system performance, or else the performance of a non-required act which interferes with system performance.
Once errors have been represented, they are then
quantified in terms of their probability of occurrence,
called the human error probability (HEP). The HEP is
calculated as follows:

HEP = number of errors observed / number of opportunities for error
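As an added worked example (not code from the paper), the following Python represents identified human errors as binary basic events in a small fault tree and an event tree and quantifies them with HEPs, one of which is derived from observed error counts in the way the formula above states. It goes slightly beyond the text in providing a general AND/OR gate evaluator rather than a single tree. The scenario, the event names, the probability values and the "core damage" classification rule are all constructed for illustration and are not taken from the paper.

```python
"""Added example (not part of Kirwan's paper): binary human-error events in a
fault tree and an event tree, quantified with human error probabilities (HEPs).
All event names, probabilities and the end-state rule below are constructed."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Sequence, Tuple, Union


def hep_from_observations(errors_observed: int, opportunities: int) -> float:
    """HEP = number of errors observed / number of opportunities for error."""
    if opportunities <= 0:
        raise ValueError("need at least one opportunity for error")
    if not 0 <= errors_observed <= opportunities:
        raise ValueError("errors observed must lie between 0 and opportunities")
    return errors_observed / opportunities


@dataclass(frozen=True)
class BasicEvent:
    """Fault-tree leaf: a hardware failure or a human error with probability p
    (the HEP). Binary: the act is either performed adequately or it is not."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """AND: the output fails only if every input fails; OR: any input suffices."""
    kind: str                    # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[BasicEvent, Gate]


def p_fail(node: Node) -> float:
    """Probability that a node 'fails', assuming independent inputs."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [p_fail(child) for child in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        none_fail = 1.0
        for p in ps:
            none_fail *= 1.0 - p
        return 1.0 - none_fail
    raise ValueError(f"unknown gate kind {node.kind!r}")


def event_tree_outcomes(initiator_freq: float,
                        headings: Sequence[Tuple[str, float]],
                        classify: Callable[[Dict[str, bool]], str]) -> Dict[str, float]:
    """Enumerate every success/failure path through the event-tree headings.
    headings: (name, probability of failure) in the order they are questioned.
    classify: maps {heading name: failed?} to an end-state label.
    Returns end-state -> frequency (initiator frequency times path probability).
    Simplification: each branch probability is independent of the path taken;
    a real PSA conditions later headings on earlier ones."""
    outcomes: Dict[str, float] = {}
    for path in product((False, True), repeat=len(headings)):
        freq = initiator_freq
        state: Dict[str, bool] = {}
        for (name, p), failed in zip(headings, path):
            freq *= p if failed else 1.0 - p
            state[name] = failed
        label = classify(state)
        outcomes[label] = outcomes.get(label, 0.0) + freq
    return outcomes


# Constructed fault tree for the top event "manual coolant injection fails":
# (operator omits the injection step AND the supervisor's check fails to
# recover it) OR the operator selects the wrong pump. The omission HEP is
# derived from 3 errors in 1500 constructed simulator opportunities.
OMIT_STEP = BasicEvent("operator omits injection step", hep_from_observations(3, 1500))
CHECK_FAILS = BasicEvent("supervisor check fails to recover omission", 0.1)
WRONG_PUMP = BasicEvent("operator selects wrong pump", 0.003)
MANUAL_INJECTION_FAILS = Gate("OR", (Gate("AND", (OMIT_STEP, CHECK_FAILS)), WRONG_PUMP))


def core_damage_frequency() -> Dict[str, float]:
    """Event tree for a constructed loss-of-coolant initiator at 0.01 per year."""
    headings = [
        ("automatic injection fails", 0.05),
        ("operator fails to respond to alarm", 0.01),
        ("manual injection fails", p_fail(MANUAL_INJECTION_FAILS)),
    ]

    def classify(s: Dict[str, bool]) -> str:
        if not s["automatic injection fails"]:
            return "safe (automatic)"
        if not s["operator fails to respond to alarm"] and not s["manual injection fails"]:
            return "safe (manual recovery)"
        return "core damage"

    return event_tree_outcomes(0.01, headings, classify)


if __name__ == "__main__":
    print(f"P(manual injection fails) = {p_fail(MANUAL_INJECTION_FAILS):.6f}")
    for label, freq in core_damage_frequency().items():
        print(f"{label}: {freq:.3e} per year")
```

Because every path through the event tree is enumerated, the end-state frequencies sum back to the initiator frequency, which is a cheap consistency check on the tree; the fault-tree evaluator treats the human errors as independent, so common PSFs shared between the omission and the supervisor's check (the paper's point about causes) are not captured here.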

The quantification of an error probability should not be
independent of the understanding of its causes. Several
techniques of quantification currently consider human
factors influences on performance to calculate the
HEP, including SLIM 6, HEART 7, and HRMS 5. These
influences, called performance shaping factors (PSF),
may be related to available time, the quality of the
interface, the level of training, etc. The identification of
errors should logically also consider such aspects of the
situation, and there is thus potentially a strong link
between error identification and error quantification.

Figure 1 The HRA process 5 (flowchart; stages legible in the figure: 1 Problem definition; 2 Task analysis; 3 Human error analysis; Factors influencing performance and error causes or mechanisms; Error avoidance (not studied further); Screening; Quantification; Error reduction assessment (improving performance); 9 Quality assurance; 10 Documentation)


This link can in theory be further extended into the
main final stage of the HRA process: error reduction.
Error reduction is concerned with reducing error
likelihood should this be desirable, eg if the calculated
risk is too high owing to human error. In such a case,
the PRA fault and event trees can be analysed to find
the dominant contributors to risk, and these are then
targeted for reduction. Such reduction may be achieved
by human factors interventions, such as improving the
quality of training or the interface (by adding alarms or
prioritizing them, for example), or by engineering
means (eg adding an interlock or automating the task in
question). If the former is the error reduction approach,
then clearly any error reduction mechanisms (ERMs)
identified should be based on an understanding of the
causes of the error. Otherwise, the error reduction
measure may be inappropriate and ultimately ineffective.
The HEI stage in the HRA process is not therefore
necessarily an isolated module but can feed forward
both to quantification and error reduction, and the
ability to feed forward in this way is a desirable aspect
of an HEI approach.
A further important aspect of human error identification, often ignored, is the correct recording and
documentation of the analyses and assumptions made
during risk assessments, both for reference and for
possible use later in the operational phase of a plant.
The 'auditability' of many studies is inadequate in this
respect since operator errors are specified only in their
'external error mode' or manifestation in the fault/
event tree (eg operator fails to respond to alarm). What
will be of interest to operations personnel during the
life of the plant will be the analyst's assumptions as to
why this event could occur (eg too many alarms
present, operator absent, stress levels high) and how
the likelihood could be reduced.
As well as recording what could happen (the external
error mode) and why an error could occur (PSF), it is
useful to estimate how the error would occur 'inside'
the operator: eg, slip of memory, manual variability, or
lack of precision. This is called the psychological error
mechanism, and is highly useful information when
error reduction is required. This is analogous in
hardware reliability terms to knowing what failed (a
pump, for example), what caused the failure (overspeed, for example), and how the failure manifested
itself (eg, pump seizure or cavitation). As will be seen
shortly, all HEI techniques consider the EEM, some
consider PSFs, and a small number also consider
psychological error mechanisms.
Unless such information is recorded HRAs quickly
become opaque in their meaning to potential future
users. This means that the information is lost from the
system's 'corporate memory'. If then in the future the
plant's design or procedures are altered, then error
information that should be considered during such a
change may be omitted. Furthermore, as PRAs are
often carried out periodically, it makes sense to
document the reasoning underpinning all analyses so
that HRAs can easily be repeated and updated, rather
than having to start from the beginning again.
The HEI part of the HRA process is thus interrelated
with all other major parts since task analysis defines the
basic information upon which HEI works; representation methods define the format for the outputs of HEI
(ie error descriptions); quantification should refer to
the nature and causes of errors identified in the HEI
phase; error reduction should logically also refer to
these causes; and the HEI approach should record
error information meaningfully and reproducibly for
future reference.

Having briefly reviewed the interrelationships
between HEI and other parts of the HRA process,
basic criteria are next developed for HEI approaches.

Basic criteria for a human error identification tool

Human error identification is at least as critical as
quantification: if a human error is not identified then it
does not matter how accurate the quantification technique is, since the error will simply not appear in the
risk assessment. If this error is an important contributor
to risk then the risk for a system will be underestimated.
A primary criterion therefore of any error identification tool is that of comprehensiveness, at least with
respect to critical or serious errors. Secondary criteria,
based on the interrelationships between HEI and other
parts of the HRA process, are the ability to support
error reduction, and the adequate documentation of
the analysis for future use and for auditability/repeatability purposes.

Although more refined criteria will be given later in
the paper, the above introductory discussion has
suggested three basic criteria for any HEI approach for
use in HRA in PRA.
1 It must ensure comprehensiveness of error identification and thus the accuracy of PSA/PRA modelling.
2 It should provide useful and accurate understanding
of potential human errors in case error reduction is
required.
3 It should ensure that the assessment provides and
remains a useful database during the lifetime of the
plant.
The remainder of this paper consists of reviews of 12
techniques of HEI which can be used in HRAs. Within
each technique description, the basic mechanics are
described, and any particular advantages or disadvantages of the approach are noted, as well as the
degree to which the technique fulfils the three basic
criteria outlined above. A comparative study of the
techniques is reported in the second paper of the pair.
The twelve techniques are:
1 technique for human error rate prediction;
2 human error hazard and operability study;
3 skill, rule, and knowledge-based behaviour
approach;
4 systematic human error reduction and prediction
approach;
5 generic error modelling system;
6 potential human error cause analysis;
7 Murphy diagrams;
8 critical action and decision approach;
9 human reliability management system;
10 influence modelling and assessment system;
11 confusion matrices;
12 cognitive environment simulation.

Technique for human error rate prediction (THERP)

The THERP approach 9 is the most well-known HRA
technique, mainly for its quantification approach.
However, THERP also deals with error identification
in several ways as described below. The simplest
approach is to consider the following possible external
error modes at each step in the procedure defined in
the task analysis:
error of omission - act omitted (not carried out);
error of commission - act carried out inadequately,
act carried out in wrong sequence,
act carried out too early/late,
error of quality (too little/too much);
extraneous error - wrong (unrequired) act performed.

The human reliability analyst can apply this approach
to relatively complex human task situations and derive
error modes. It is rudimentary, but nevertheless can
identify a high proportion of the potential human errors
which can occur, as long as the assessor has a good
knowledge of the task, and a good task description of
the operator/system interactions.
This approach is best used with a systematic taskbehaviour taxonomy such as Berliner et al's 1. In
THERP a very similar behavioural taxonomy is used in
the task analysis to describe the operator tasks. For
each behaviour described it is then possible to consider
whether it could fail (eg operator 'inspects' is a
behavioural component which could be omitted, occur
too early/late, etc). Additionally, in the THERP
manual9 there are many sections which expand on the
types of problem which can occur in a range of
behavioural situations. These sections essentially
imbue the reader with human factors perceptions on
good and poor task and interface design.
The identification of error-recovery paths (ie ways in
which the error can be detected and recovered) is
largely carried out through the judgement of the
analyst. The task analysis should also highlight points in
the sequence at which discovery of an error will be
possible, eg via indications (especially the occurrence
of alarms) and checks or interventions by other
personnel. In addition, the THERP methodology
considers a large range of performance shaping factors
(PSF) which can give rise to human error (eg problems
with the interface; ill health; poor procedures or
training). Lastly, the human-error data tables in the
THERP manual are effectively an expanded human
error taxonomy, ie the result of applying the simple
error taxonomy listed above to a set of behaviours
in the context of nuclear power plant scenarios. For
example the data tables give data for failing to respond
to annunciators, communication errors and misreading
displays. These data descriptions therefore also act as
prompts for the assessor when identifying errors.
In total, the THERP HEI methodology comprises
the following:
error taxonomy (omission, commission, etc);
behavioural taxonomy;
basic human factors engineering perspective;
PSF consideration;
human error tables.

Its disadvantages are its lack of rigorous structure,
which means that there can be considerable variation in
how different assessors identify errors and error
recovery 11, and its failure to consider explicitly the
reasons why errors occur. Thus although PSF are in the
THERP model, they are often not used significantly for
error identification. THERP's principal advantage is
that it is straightforward and simple to use, and yet can
potentially model all errors (with the exception of
failures such as misdiagnosis) that can affect a system.
Theoretically THERP can therefore be fairly comprehensive in error identification, but its elucidation of
why and how errors occur is limited, and hence the
usefulness of its assessments throughout the lifetime of
the plant is limited.

Human error HAZOP (hazard and operability study)

Another method which has arisen more from the
engineering approach than the psychological domain is
the human error HAZOP approach. This is rooted in
the hazard and operability analysis tradition 12, and can
range from simple biasing of the HAZOP procedure to
pay more attention to the identification of human
errors, to actually altering the format of the HAZOP
procedure itself.
HAZOP is a well-established technique in process
design audit and engineering risk assessment. It is
typically applied in the early design stages but can also
be applied to existing systems or during system
modification, or if design 'retrofits' are being introduced. It harnesses the experience of the HAZOP
chairperson and selected system design and operational
personnel into a powerful and sometimes microscopic
analysis of a new or existing plant design. It is primarily
applied to process and instrument diagrams. Small
sections of plant process equipment and piping lines on
the diagrams are picked out, and a set of guidewords is
applied to each section to detect design flaws; eg
guidewords such as "no flow" or "reverse flow" can be
applied to a piece of piping feeding into a pump, and
"what if?" questions asked. The HAZOP team might
consider, for example, this question: "what if reverse
flow occurred through the valve?", possibly leading to a
recommendation to install a non-return valve if it is
considered that the event of reverse flow could occur
and would have adverse consequences.
Whalley13 usefully relates the traditional HAZOP
guidewords to human error types. The human error
modes derivable from HAZOP are:

not done;
repeated;
less than;
sooner than;
more than;
later than;
as well as;
mis-ordered;
other than;
part of.
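The THERP external error modes listed earlier and the HAZOP-derived error modes just above are both applied the same way: step by step over a task analysis. The following Python is an added example (not code from the paper, from THERP or from any HAZOP tool) that does that systematically and keeps, for each candidate error, the external error mode, the recovery cue from the task analysis and the analyst's PSF assumptions, which is the auditable record the paper argues an HEI should leave behind. The task steps, their attribute flags (quantity, time-critical, order-critical) and the rules pruning guidewords that cannot apply are constructed assumptions.

```python
"""Added example (not part of Kirwan's paper): apply THERP's external error
modes and the human-error HAZOP guidewords to every step of a task analysis
and record each candidate error with its recovery cue and the analyst's PSF
assumptions, so the HEI output can be audited later. The task steps, the
attribute flags and the pruning rules are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# THERP external error modes, as listed in the paper.
THERP_MODES = {
    "error of omission": "act omitted (not carried out)",
    "error of commission (inadequate)": "act carried out inadequately",
    "error of commission (wrong sequence)": "act carried out in wrong sequence",
    "error of commission (too early/late)": "act carried out too early/late",
    "error of commission (quality)": "error of quality (too little/too much)",
    "extraneous error": "wrong (unrequired) act performed",
}

# Human error modes derivable from HAZOP (after Whalley), as listed in the paper.
HAZOP_GUIDEWORDS = ["not done", "repeated", "less than", "sooner than", "more than",
                    "later than", "as well as", "mis-ordered", "other than", "part of"]


@dataclass(frozen=True)
class TaskStep:
    ref: str
    behaviour: str               # behavioural verb from the task analysis (constructed)
    description: str
    quantity: bool = False       # step sets an amount, level, force or duration
    time_critical: bool = False  # step must happen within a time window
    order_critical: bool = False # step must precede/follow a neighbouring step
    recovery_cue: str = ""       # indication or check that could reveal the error


def applicable_therp_modes(step: TaskStep) -> List[str]:
    """Assumption: omission, inadequate performance and extraneous acts are
    always candidates; the other commission modes need a matching attribute."""
    keep = {"error of omission", "error of commission (inadequate)", "extraneous error"}
    if step.quantity:
        keep.add("error of commission (quality)")
    if step.time_critical:
        keep.add("error of commission (too early/late)")
    if step.order_critical:
        keep.add("error of commission (wrong sequence)")
    return [m for m in THERP_MODES if m in keep]


def applicable_hazop_guidewords(step: TaskStep) -> List[str]:
    """Same pruning for the guidewords (assumption: less/more need a quantity,
    sooner/later need timing, mis-ordered needs order sensitivity)."""
    keep = {"not done", "repeated", "as well as", "other than", "part of"}
    if step.quantity:
        keep |= {"less than", "more than"}
    if step.time_critical:
        keep |= {"sooner than", "later than"}
    if step.order_critical:
        keep.add("mis-ordered")
    return [w for w in HAZOP_GUIDEWORDS if w in keep]


@dataclass(frozen=True)
class ErrorRecord:
    """One worksheet row: what could happen (external error mode), where it
    could be caught (recovery) and why the analyst thinks it could occur (PSF)."""
    step_ref: str
    scheme: str
    external_error_mode: str
    recovery: str
    psf_assumptions: str


def build_worksheet(steps: Sequence[TaskStep], psf: Dict[str, str]) -> List[ErrorRecord]:
    rows: List[ErrorRecord] = []
    for step in steps:
        notes = psf.get(step.ref, "no PSF assumptions recorded")
        recovery = step.recovery_cue or "none identified"
        for mode in applicable_therp_modes(step):
            rows.append(ErrorRecord(step.ref, "THERP", mode, recovery, notes))
        for word in applicable_hazop_guidewords(step):
            rows.append(ErrorRecord(step.ref, "HAZOP", word, recovery, notes))
    return rows


def steps_without_recovery(steps: Sequence[TaskStep]) -> List[str]:
    """Audit check: steps whose errors have no identified recovery path."""
    return [s.ref for s in steps if not s.recovery_cue]


# Constructed task analysis fragment for a pump start-up procedure.
STEPS = [
    TaskStep("2.1", "operate", "Open suction isolation valve fully",
             quantity=True, order_critical=True, recovery_cue="flow indicator on panel"),
    TaskStep("2.2", "inspect", "Check suction pressure is within limits"),
    TaskStep("2.3", "communicate", "Inform supervisor before starting pump",
             time_critical=True, order_critical=True, recovery_cue="supervisor acknowledgement"),
]
PSF_NOTES = {
    "2.1": "valve handwheel poorly labelled; step done at shift handover",
    "2.3": "radio channel shared with other crews; high workload during start-up",
}

if __name__ == "__main__":
    for row in build_worksheet(STEPS, PSF_NOTES):
        print(f"{row.step_ref} [{row.scheme}] {row.external_error_mode} | recovery: {row.recovery}")
    print("steps lacking a recovery cue:", steps_without_recovery(STEPS))
```

The pruning rules are what keep the worksheet tractable; without them every step would receive all sixteen modes and the assessor's judgement, which the paper notes is the main source of variation between THERP assessors, would have to do all the filtering unrecorded. The `steps_without_recovery` check flags steps where the task analysis has not highlighted a point at which the error could be detected, which is exactly the information a later quantification or error-reduction stage would need.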

An example of the output from a human-error-oriented HAZOP exercise 14 (from the offshore drilling
sector) is shown in Table 1. It may be noted that in this
exercise additional guidewords were utilized (eg
"calculation error") to facilitate error identification,
and a tabular task analysis format was added to the
HAZOP process to investigate operator errors and
actions more formally.
More generally, analysts' judgement is a useful
resource in error identification. Many risk analysis
practitioners build up experience of identifying errors
in safety studies, either from their operational experience or from involvement in many different safety
analyses. Whilst this is perhaps an 'art' rather than a
science and as such is less accessible to the novice than
a more formal method, its value must not be overlooked. Owing to the specificity of every new safety
analysis carried out, the human reliability practitioner
"standing on the outside" may often be more disadvantaged in terms of error identification than the
hardware reliability analyst who knows the system
details intimately. It is therefore worth while adopting a
hybrid team approach to error identification as well as
the use of formal systematic methods. The adage of
"two heads are better than one" is especially true in the
area of human error identification.

Table 1 Driller's HAZOP example 14: pipe-handling equipment in tripping operations. Operating sequence: tripping out. 5A/5D. Lift and set aside kelly. Ensure hook is free to rotate

Columns: Study ref. no. | Deviation | Indication | Causes | Consequences | Actions/notes/comments | Follow-up questions/recommendations

Study refs and deviations: 5.1 No movement; 5.2 Reverse movement

Cause: Kelly valve not closed
  Consequences: Mud on the drill floor
  Actions/notes: A new (mud-saver) valve was discussed (a pre-set pressure valve which prevents flow for pressure below 200 psi, ie a mud column equal to the length of the kelly assembly)

Cause: Forget to open hook to ensure free rotation
  Consequences: With stabilizer in the hole, the drill string will rotate when pulled out, which may cause damage to the hook

Cause: Lifting kelly too high
  Consequences: Damaged hoses, piping etc; injuries to operators
  Follow-up: Q.7 Should sensor alarms be provided on guide dolly? Q.8 How do we ensure that kelly is not lifted too high?

Cause: Failure of lifting equipment, eg drill line breaks/snaps, or operator error
  Consequences: Falling object causing damage and injuries to operators
  Recommendation: R.2 Consider safe location of driller's cabin in designing new rigs
The primary advantages of H A Z O P are that it occurs
at an early design stage, and errors are identified in a
system-knowledge-rich environment (via the hybrid
nature of the HAZOP team members themselves).
This means that errors can be identified early and
rectified with minimal cost to the design project. The
disadvantages are that HAZOP is resources-intensive,
and is only as good as the team and chairperson. It is
also not always effective at resolving human-error
problems if a human factors specialist is not present,
because HAZOPs may 'solve' error problems by
suggesting procedural and training solutions, which will
reduce error but not remove it as a design change could
do. Human factors personnel are more experienced in
knowing when a design change is required, and how to
implement it in such a way that new problems are not
introduced.
In terms of the three basic criteria, the HAZOP
technique can be fairly comprehensive, but the identification of causes of errors is not the focus of the
technique and so is limited. HAZOP traditionally is
heavily documented, but it is likely that the reasoning
behind the errors identified will be recorded only
superficially, as the main purpose of HAZOP recording
is to ensure that all actions arising out of HAZOP
sessions are implemented. HAZOP is a useful tool
therefore, but would benefit from further tailoring for
HEI purposes.

The SRK (skill, rule and knowledge-based behaviour) approach

The well-known work by Rasmussen et al 15 produced
an influential taxonomy of error classifications, and
paved the way for several techniques described later.
The logical extension of the SRK model itself to derive
a predictive tool has, however, not apparently arisen,
at least in the shape of an effective tool. One attempt 16,
called simply "work analysis method", appeared
promising but also highly resource-intensive.
The essence of the approach is that human behaviour
is seen as hierarchical. The simplest level of behaviour
(skill-based behaviour) occurs in situations requiring
highly practised and essentially 'automatic' behaviour,
with only minimal conscious control (eg driving along a
familiar route in a car). The second level of behaviour
(rule-based behaviour) occurs when the situation
deviates from normal but can be dealt with by the
operator consciously applying rules which are either
stored in memory or are otherwise available in the
situation (eg emergency operating procedures). The
highest level of behaviour (knowledge-based behaviour)
is when the operator has no useful rules to apply, and
must diagnose the situation via problem-solving skills
and knowledge of the system mechanics and characteristics. The SRK model and subsequent approaches
suggest that different types of error can occur in
different levels of behaviour/cognitive processing.
As far as the practitioner is concerned, probably the
most useful aspect of the SRK model for predictive
HEI is the flowchart shown in Figure 2, which can be
used to derive the psychological mechanism of human
malfunction. If this flowchart is used predictively, the
assessor must then define the external error modes
which will actually appear in the PSA: eg stereotype
fixation may be described in the PSA as "operator fails
to detect deviant condition". Even if the assessor never
utilizes the SRK system in a practical way the SRK
paradigm is sufficiently influential that it should be
reasonably familiar (in more detail than can be
included here) to any serious practitioner in the field of
human reliability.
Approaches based on the SRK model need to
determine not only what could go wrong, the 'external
mode of malfunction' (eg error of omission, such as
failing to respond to an alarm), but what the "internal
human malfunction" would be (eg detection failure)
and the 'underlying mechanism of human malfunction'
(eg 'stereotype fixation', or failing to realize the
situation has deviated from routine). While this can be
achieved for incidents which have happened, it is much
more difficult to be predictive given the large number
of possible combinations of the three variables. Hence
the effort needed to derive a 'tractable' human error
analysis is high. Nevertheless, the SRK model could be
developed to be predictive, and in fact several models
considered later stem from this approach.
In terms of the three basic criteria, the SRK model
was not intended to be used predictively, although it
could be developed to be a HEI tool (especially if
computerized), and would be expected to be reasonably comprehensive. It is included here primarily
because several of the models below draw upon SRK
ideas. SRK in theory could be used for HEI but would
probably be resource-intensive, although it could
provide information useful for error reduction and can
be fully documented.
Figure 2 SRK error flowcharts 15 (decision flowchart from 'Start'; questions legible in the figure: is the situation a routine one for which the operator has highly skilled routines? does the situation deviate from normal routine, and does the operator respond to the change? is the situation covered by normal work know-how or planned procedures? is the situation unique and unknown, calling for the operator's functional analysis and planning, and does the operator realize this? does the operator correctly collect the available information, and are functional analysis and deduction properly performed? Psychological mechanisms reached by the flowchart: manual variability; topographic misorientation; stereotype takeover; stereotype fixation; forgets isolated act; familiar pattern not recognized; familiar association short cut; information not seen or sought; side effects or conditions not adequately considered; other, specify)


Table 2 SHERPA classification of psychological error mechanisms 17

1 Failure to consider special circumstances: A task is similar to other tasks but special circumstances prevail which are ignored, and the task is carried out inappropriately.
2 Short cut invoked: A wrong intention is formed based on familiar cues which activate a short cut or inappropriate rule.
3 Stereotype takeover: Owing to a strong habit, actions are diverted along some familiar but unintended pathway.
4 Need for information not prompted: Failure of external or internal cues to prompt need to search for information.
5 Misinterpretation: Response is based on wrong apprehension of information such as misreading of text or an instrument, or misunderstanding of a verbal message.
6 Assumption: Response is inappropriately based on information supplied by the operator (by recall, guesses, etc) which does not correspond with information available from outside.
7 Forget isolated act: Operator forgets to perform an isolated item, act or function, ie an act or function which is not cued by the functional context, or which does not have an immediate effect upon the task sequence. Alternatively it may be an item which is not an integrated part of a memorized structure.
8 Mistake among alternatives: A wrong intention causes the wrong object to be selected and acted on, or the object presents alternative modes of operation and the wrong one is chosen.
9 Place losing error: The current position in the action sequence is mis-identified as being later than the actual position.
10 Other slip of memory: (As can be identified by the analyst).
11 Motor variability: Lack of manual precision, too big/small force applied, inappropriate timing (including deviations from "good craftsmanship").
12 Topographic or spatial orientation inadequate: In spite of the operator's correct intention and correct recall of identification marks, tagging etc, he unwittingly carries out a task/act in the wrong place or on the wrong object. This occurs because of following an immediate sense of locality where this is not applicable or not updated, perhaps due to surviving imprints of old habits etc.

Systematic human error reduction and prediction approach
Another method for human error analysis is embedded within the systematic human error reduction and prediction approach (SHERPA) (ref 17). This human error analysis method consists of a computerized question/answer routine which identifies likely errors for each step in the task analysis. The error modes identified are partly based on the SRK model, and the generic error modelling system (refs 18, 19). Table 2 shows the psychological error mechanisms underlying the SHERPA system.
An example of the tabular output from a SHERPA analysis is shown in Table 3 (ref 20). This 'human error analysis table' has similarities to certain reliability engineering approaches to identifying the failure modes of hardware components. One particularly useful aspect of this approach is the determination of whether errors can be recovered immediately, at a later stage in the task, or not at all. This information is useful if error reduction is required later in the analysis. This particular tabular approach also attempts to link error reduction measures to the causes of the human error, on the grounds that treating the 'root causes' of the errors will probably be the most effective way to reduce error frequency.
The method comprises a set of flowcharts and questions which can be computerized to lead the assessors through a task analysis to identify the principal external error modes and psychological error mechanisms for a scenario. In practice the assessor needs to be highly familiar with the task context and the meanings of the psychological error mechanisms.
SHERPA's principal advantage is that it gives the assessor a means of carrying out a detailed analysis which has a high resolution of external error modes (see ref 16 and Table 4), and has a reasonable expansion of psychological error mechanisms. Since it utilizes task analysis and an HEA tabular format, it represents a useful in-depth analytical tool. Its disadvantage is that, despite its title, it is not clear that it is systematic, in that it may not be reliably used by two different assessors.
Applied Ergonomics

BARRY KIRWAN

Table 3 SHERPA HEA table (ref 20). Terminate supply and isolate tanker (sequence of remotely operated valve operations). Columns: task step; error type; recovery step; psychological mechanism; causes, consequences and comments; recommendations (procedures, training, equipment). [Table layout not reproduced; the task-step numbers and the recommendation columns could not be aligned with the rows below.]

Rows (error type; recovery step; psychological mechanism; causes, consequences and comments):
Action too late; no recovery; place-losing error; overfill of tanker resulting in dangerous circumstance (operator estimates time/records amount loaded).
Action omitted; step 2.4; slip of memory; feedback when attempting to close closed valve, otherwise alarm when liquid vented to vent line.
Action too early; step 2.2; place-losing error; alarm when liquid drains to vent lines.
Action omitted; step 2.2; slip of memory; as above and possible overpressure of tanker (see step 2.3).
Action too early; no recovery; place-losing error; if valve closed before tanker supply valve, overpressure of tanker will occur.
Action omitted; step 2.6; slip of memory; automatic closure on loss of instrument air.
Action omitted; step 2.2; slip of memory; audio feedback when vent line opened.
Action omitted; no recovery; slip of memory; latent error.

Recommendations appearing in the table. Procedures: specify time for actions; add check on final valve positions before proceeding to next step. Training: explain consequences of overfilling; operator to count to determine time; stress importance of sequence and explain consequences; explain meaning of audio feedback. Equipment: fit alarm (timing, volume or tanker level); interlock on tanker vent valve; mimic of valve configuration (recommended for most rows).

Table 4 SRK external error modes (ref 16)

Action omitted
Action too early
Action too late
Action too much
Action too little
Action too long
Action too short
Action in wrong direction
Right action on wrong object
Wrong action on right object
Misalignment error
Information not obtained/transmitted
Wrong information obtained/transmitted
Check omitted
Check on wrong object
Wrong check
Check mistimed
In terms of the three basic criteria, SHERPA is potentially highly comprehensive, although not for diagnostic failures, and is definitely useful in supporting error reduction. The HEA tabular format for recording the analysis, together with the use of task analysis, means that the analysis is well documented, auditable, and can be used through the life of the system if desired.

Generic error modelling system (GEMS)
Developed by Reason (refs 18, 19, 21), this is a model which assists the analyst in understanding the errors which may occur, particularly when the operator moves into the rule-based and knowledge-based behavioural domains.
GEMS classifies errors into two categories, those of slips (eg inadvertently operating the wrong push button) and lapses (eg forgetting to press a push button) at one level, and mistakes (eg misdiagnoses as in TMI) at the other level (lately Reason has been considering rule violations as a separate and additional category of error). It further postulates that 'slip' type errors occur most frequently at the skill-based level, whereas mistakes usually occur at the higher, rule- and knowledge-based, levels. In this context a slip or lapse can be considered unintentional, whereas a mistake (or rule violation) could in broad terms be thought of as an error of judgement or risk perception, and in either case results in an error of intention, which makes error recovery more difficult.
The technique gives guidance on the types of 'error-shaping factors' which are likely to apply to the above two categories of error, such as mind-set, over-confidence, or an incomplete mental model. In total these amount to 17 factors for all three categories of action. However, it is very much left up to the analyst's insight and experience to ascribe particular error-shaping factors to any individual task step, and then to propose measures by which these negative factors may be overcome.
The GEMS approach is a necessary 'partner' tool for use with SHERPA (although it may now be superseded by CADA, described later), since SHERPA was only designed for skill- and rule-based errors. GEMS is instead largely concerned with cognitive errors, ie the knowledge-based behavioural domain in Rasmussen's terms. GEMS, as has already been noted, is basically a classification system (later Reason has suggested that it can be computerized as a model, although it is not clear how this would actually be done). GEMS is therefore still treated largely as a taxonomy, and its error-shaping factors are shown in Table 5. The full explanation of GEMS is beyond the scope of this paper, and the reader is referred to ref 19.

Table 5 GEMS error-shaping factors

Skill-based: 1. Recency and frequency of previous use; 2. Environmental control signals; 3. Shared schema properties; 4. Concurrent plans.
Rule-based: 1. Mind set ("It's always worked before"); 2. Availability ("First come best preferred"); 3. Matching bias ("like relates to like"); 4. Over-simplification (eg "halo effect"); 5. Over-confidence ("I'm sure I'm right").
Knowledge-based: 1. Selectivity (bounded rationality); 2. Working memory overload (bounded rationality); 3. Out of sight out of mind (bounded rationality); 4. Thematic 'vagabonding' and 'encystment'; 5. Memory cueing/reasoning by analogy; 6. Matching bias revisited; 7. Incomplete/incorrect mental model.
GEMS is useful in that it defines a set of cognitive
error modes including biases in judgement, which may
affect human performance in error-sensitive scenarios
such as misdiagnosis during abnormal events or incident
sequences. As with a good number of techniques in this
area, however, the guidance on how to choose these
underlying errors is quite limited, ultimately relying on
the assessor. Nevertheless, the full GEMS approach
arguably offers a broader set of error modes for
cognitive error analysis than the SRK model, and so is
useful to the practitioner.
The comprehensiveness of any of the models in the
area of misdiagnosis is difficult to determine, although
the current GEMS approach explores a significant
number of different types of cognitive failure. The
usefulness of GEMS is also difficult to judge, owing to
the inherent complexity of the errors being assessed.
For example, the solution to an 'inadequate mental
model' is not a simple affair, since it will involve
changes to training and procedures, and possibly design
as well. The documentability of GEMS is also not clear,
as its use in actual assessments has not yet been
published, to the knowledge of the author.

Potential human error cause analysis (PHECA)
Developed by Whalley (ref 13), this technique, as with others, requires a prior task analysis to be carried out. It also needs a personal computer to carry out the assessment, for reasons that will become clear.
The method requires that each task step be classified as follows:
task type (seven categories of mental involvement);
response type (seven categories of action type);
error types (using HAZOP-type keywords: see earlier).
Each of these classifications maps through to a possible 38 error causes (Figure 3) or, as some other methods call them, psychological error mechanisms. Therefore each error type, and each task and response type, is related to a particular subset of error causes. Only those causes selected by all three mappings (ie the intersection of the causes relevant to the task, response, and error type in the scenario) are considered relevant. A printout is then obtained showing these in order of potential importance. These error causes are then linked to a list of some 187 performance shaping factors (eg lighting, noise, training), and once again a listing is obtained showing the relevant PSFs in order of importance.
The PHECA method is unique in that it lists the PSFs relevant to each error as an aid to formulating preventive measures. However, although it is relatively comprehensive, the links established between the initial categorizations and error causes and between the latter and performance-shaping factors have not been validated.

Figure 3 PHECA causes (ref 13). [Tree diagram not reproduced. Human error is split into exogenous and endogenous causes; the mechanism groups and the causes legible in the figure are: stressors (doubling, tunnelling, hyperactivity, unplanned response, freeze, indecision); mind set (short cuts, persistence, mental set); deficient mental model (misinterpretation, misdiagnosis, reduced capabilities); demands mismatch (insufficient demands, over-demanding); disturbance/interruption (forget exit point, forget target, forget stage, erratic response, stereotype mismatch); system interface (action prevented, identification prevented, perception prevented); random fluctuations (conscious vs subconscious, motor coordination); absent minded (mental blocks, substitution, unintentional activation, forget, intrusions); risk taking (underestimate demand, overestimate abilities, rule contravention, risk recognition, risk tolerance).]
PHECA is also interesting in that it links the various error causes to potential error modes in their task contexts, and to PSF. In so doing, it limits the error modes and mechanisms generated, and thus is one of the few approaches that is more discriminating about which errors are identified, rather than a pure taxonomic approach which generates a large potential set of error modes which must be reduced in some way by the analyst. Its disadvantages are a lack of validation of these linkages, and its usage of such a large set of PSF as to render the error-reduction possibilities burdensome (it is not uncommon for 20 PSF to be implicated for an error, which is a very large set to tackle if error reduction is required). PHECA can therefore be comprehensive if the links are correct, useful to an extent, and is highly documentable.
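The three-way intersection that PHECA uses to narrow the candidate error causes, and the onward link to PSFs, as an added worked example (this is illustrative code, not Whalley's PHECA software): the task types, response types, HAZOP-style keywords, cause codes, PSF links and importance weights are constructed sample values, and the ordering rules are assumptions because the paper only says the listings are "in order of importance".

```python
"""PHECA-style mapping of one task step to error causes and then to PSFs.

Added illustration, not the PHECA software: the task types, response types,
HAZOP-style error keywords, cause codes, PSF names and importance weights
below are constructed sample values (the cause names are taken from
Figure 3, the codes attached to them are not). The paper states that a
cause is retained only if all three mappings select it, and that causes
and PSFs are printed in order of importance; the ordering rules used here
(a fixed weight per cause, and for PSFs the number of retained causes that
implicate them) are assumptions.
"""

# Constructed mapping tables. The real tool has seven task types, seven
# response types, HAZOP-type keywords, 38 causes and some 187 PSFs.
TASK_TYPE_CAUSES = {
    "monitoring": {"C1", "C2", "C5", "C9", "C13", "C21"},
    "procedure-following": {"C5", "C9", "C16", "C17", "C18", "C20"},
}
RESPONSE_TYPE_CAUSES = {
    "discrete-action": {"C5", "C16", "C17", "C18", "C26", "C29"},
    "communication": {"C9", "C13", "C21", "C30"},
}
ERROR_TYPE_CAUSES = {  # HAZOP-style keywords applied to the task step
    "omitted": {"C16", "C17", "C18", "C29"},
    "too-late": {"C2", "C5", "C20", "C26"},
}
CAUSE_NAMES = {
    "C1": "Doubling", "C2": "Tunnelling", "C5": "Freeze",
    "C9": "Short cuts", "C13": "Misdiagnosis", "C16": "Forget exit point",
    "C17": "Forget target", "C18": "Forget stage", "C20": "Stereotype mismatch",
    "C21": "Action prevented", "C26": "Motor coordination", "C29": "Forget",
    "C30": "Intrusions",
}
CAUSE_WEIGHT = {  # assumed: higher weight is printed first
    "C1": 2, "C2": 3, "C5": 4, "C9": 3, "C13": 5, "C16": 6, "C17": 5,
    "C18": 7, "C20": 2, "C21": 4, "C26": 1, "C29": 6, "C30": 2,
}
CAUSE_PSFS = {  # constructed cause -> PSF links
    "C5": ["Time pressure", "Training"],
    "C16": ["Interruptions", "Procedure format", "Task complexity"],
    "C17": ["Interruptions", "Labelling", "Task complexity"],
    "C18": ["Interruptions", "Procedure format", "Place-keeping aids"],
}


def relevant_causes(task_type, response_type, error_type):
    """Causes selected by all three classifications, most important first.

    An unknown classification is an analyst input error, so it raises
    rather than silently yielding an empty intersection.
    """
    try:
        selected = (TASK_TYPE_CAUSES[task_type]
                    & RESPONSE_TYPE_CAUSES[response_type]
                    & ERROR_TYPE_CAUSES[error_type])
    except KeyError as exc:
        raise ValueError(f"unknown classification: {exc}") from None
    return sorted(selected, key=lambda c: (-CAUSE_WEIGHT[c], c))


def relevant_psfs(causes):
    """PSFs implicated by the retained causes, most-implicated first."""
    counts = {}
    for cause in causes:
        for psf in CAUSE_PSFS.get(cause, []):
            counts[psf] = counts.get(psf, 0) + 1
    return sorted(counts, key=lambda p: (-counts[p], p))


def printout(task_type, response_type, error_type):
    """Text listing in the style of the two PHECA printouts described above."""
    causes = relevant_causes(task_type, response_type, error_type)
    lines = [f"Step classified as {task_type} / {response_type} / {error_type}"]
    if not causes:
        lines.append("  no error cause is selected by all three mappings")
        return "\n".join(lines)
    lines.append("  error causes in order of importance:")
    for rank, cause in enumerate(causes, 1):
        lines.append(f"    {rank}. {cause} {CAUSE_NAMES[cause]}")
    lines.append("  performance shaping factors in order of importance:")
    for rank, psf in enumerate(relevant_psfs(causes), 1):
        lines.append(f"    {rank}. {psf}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(printout("procedure-following", "discrete-action", "omitted"))
    print(printout("monitoring", "communication", "too-late"))
```

The second call shows the discriminating property the text describes: a classification whose three subsets do not overlap yields no cause at all, instead of the whole taxonomy.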

Murphy diagrams
Developed by Pew et al (ref 22) as part of a study commissioned by the Electric Power Research Institute in the USA, Murphy diagrams are named after the well-known axiom "if anything can go wrong, it will". Essentially they are pictorial representations, following the pattern of logic trees, which show the error modes and underlying causes associated with cognitive decision-making tasks (based to an extent on the SRK model).
Each stage of the decision-making process is represented separately:
activation/detection of system state signal;
observation and data collection;
identification of system state;
interpretation of situation;
definition of objectives;
evaluation of alternative strategies;
procedure selection;
procedure execution.
In each diagram the 'top event' is the failure to carry out the task stage correctly (eg "fails to detect signal"), while the immediately following intermediate events are the higher-level error causes (eg "signal obscured"). These are followed by lower-level causes which consist of either 'hardware deficiencies' (eg control room layout) or in some cases psychological mechanisms (eg distraction). Within Murphy diagrams the terminology employed for these three levels of event is outcome (top/left), proximal sources (intermediate) and distal sources (bottom/right). See Figure 4 for an example.

Figure 4 Murphy diagrams example (ref 22). [Diagram not reproduced. Activity: activation/detection. Outcome: fail to detect signal. Proximal sources: signal intermittent or non-specific; signal partially or totally obscured; monitoring procedure not followed. Distal sources: display design deficiency; equipment malfunction; control room design deficiency; control board design deficiency; inexperienced operator; training deficiency.]

As a technique for representing decision-making errors it is relatively easily followed. While it is easy to use for the analysis of incidents, its predictive utility as a HEI tool is uncertain, again because there is little in the published literature on such applications. Its comprehensiveness could probably be improved by updating it in the light of developments such as GEMS. Its usefulness is potentially high, however, owing to its analysis of root (distal) causes, and its documentability would be expected to be high because of its use of logic trees.
The Murphy diagrams approach is again related to the SRK model. Although it has limitations in predictive usefulness and is potentially resource-intensive, it could be highly useful for HEI if suitably developed.

Critical action and decision approach (CADA)
CADA is a recently developed technique (refs 23, 24) which expands upon the underlying principles of Murphy diagrams. It is used for systematically examining tasks that require the operator to undertake a procedural 'rule-based' diagnosis, or conversely those tasks that require operators to apply their experience and understanding of the plant and process to arrive at a 'knowledge-based' diagnosis. As such, it could be said to complement SHERPA which, as pointed out above, is not structured to deal with such situations. The method requires that a detailed task analysis be carried out beforehand in order that those task activities that involve a critical decision-making component may be identified.
CADA is primarily designed to be applicable to tasks currently being carried out on operational plant, as much of the input is meant to be derived from the actual operators themselves. However, with some modification it could be used at the procedural design stage, especially if the operational team has had an opportunity to review and understand the content of the task and perhaps relate it to similar operations within their experience. It is claimed that the analyst need not be an expert in human factors or psychology. In essence the technique involves applying a structured questionnaire/checklist which is divided into the stages through which an operator must pass during any decision-making process.
The analyst uses the questionnaire to elicit from the operators the possibility of errors occurring at each of the above-mentioned stages, and this is achieved by examining the likely specific error modes (eg operator omits a check). Should such a potential error mode be identified, possible causes are already listed on the questionnaire. Reference is then also made to a subsidiary list of questions. The answers obtained enable the analyst to particularize the analysis to the situation under consideration and to assess the likelihood of error at each stage of the decision-making process. An example from a CADA analysis questionnaire is shown in Table 6, and an example of CADA tabular results in Table 7, taken from ref 24.

Table 6 CADA questionnaire example: observation/data collection (ref 24)

Possible failure mode is: Operator(s) could acquire insufficient data to characterize the plant
You should consider this failure as probable if you answer "yes" to any of the following questions

a. Is it likely that the data acquired by the operator is not relevant to establishing the plant state? (Y/N)
Possible reasons for this failure include:
Operator is inexperienced
A procedure is not followed
Operator searches for common pattern of data
More than one abnormal plant condition exists
Relevant questions are: Q10, Q11
Relevant conditions are: C1, C6

b. Is it likely that too little data will be acquired? (Y/N)
Possible reasons for this failure include:
Equipment malfunction
Operator stops data gathering assuming he knows plant state
Operator stops data gathering through competing activity
More than one abnormal plant condition exists
Relevant questions are: Q6, Q7, Q10
Relevant conditions are: C4

c. Is it likely that the data acquired will give conflicting results? (Y/N)
Possible reasons for this failure include:
More than one abnormal plant condition exists
Equipment malfunction
Existence of a design deficiency in the display
Relevant question is: Q6
Relevant condition is: C4

Table 7 Example of CADA tabular results (ref 24). Columns: errors; decision-making stage; failure modes; possible reasons; CADA questions; CADA conditions; remarks.

Error: Fail to act on alarms. Decision-making stage: Activation. Failure mode: Fail to notice or delayed detection.
Possible reasons (CADA questions; CADA conditions):
1 Failure to follow procedure (Q1, 2, 3, 4, 5; C1)
2 Alarms intermittent (Q6; C2)
3 Alarms obscured (Q7; C3)
Remarks: Incident: alarms/indicators warned that systems were unavailable.

Error: Leave check valve open. Decision-making stage: Observation. Failure mode: Acquire insufficient data.
Possible reasons (CADA questions; CADA conditions):
Acquire irrelevant data (Q10, 11; C1, 6)
Acquire too little data (Q6, 7, 10; C4)
Data gives conflicting results (Q6; C4)

Error: Attempt to blow check valve shut. Decision-making stage: Task definition. Failure mode: Select an inappropriate strategy.
Possible reasons (CADA questions; CADA conditions):
Fail to know all possible plant states (Q12, 12, 20, 21; C1, 6)
Fail to evaluate known plant states completely (Q12, 13, 18, 19; C1, 4)

CADA is interesting in that it is rooted in the SRK domain but gives the analyst more guidance as to the reasons for possible failures, and hence can lead to error-reduction suggestions. To use it predictively the system would need to be altered and would require a good deal of judgement as to what the underlying causes were likely to be. It is not clear however, at this early stage in its development, that all potential psychological error mechanisms have in fact been dealt with, nor that all relevant PSF-related questions have been asked.
CADA therefore is a technique that could be made comprehensive, and is potentially highly useful owing to its structured approach which aids error reduction, and potentially makes the system highly documentable. It remains to be seen whether CADA is further developed to become a useful predictive tool.

Human reliability management system (HRMS)
HRMS (ref 8) contains a HEI module which is used by the assessor following the prior development of a task analysis. Figure 5 shows the basic inter-relationship of all the HRMS modules, of which only the HEI module is briefly described below. Prior to carrying out HEI a linear or tabular task analysis must be carried out, the latter format being used for describing tasks with a diagnostic component.

Figure 5 Overall HRMS framework (ref 8). [Block diagram not reproduced. Modules: task analysis module (task analysis; task classification; sequence-driven scenario); human error identification module (human error analysis; cognitive error potential; cognitive error analysis; human error identification; human error analysis table; generic accident sequence event tree; generic logic tree library); representation (representation guidelines); quantification module (sensitivity analysis; re-evaluation); error-reduction module; documentation and quality assurance.]

The human error identification module has the following components within it:

A task-classification module. This module helps the user to identify whether or not there is a knowledge-based component to the task. If and only if there is, then the cognitive error submodule is selected prior to the normal error module. The task-classification module primarily uses Rasmussen's and GEMS' type classifications to formulate a set of questions. The answers to these questions, via a simple algorithm, determine whether a knowledge-based or cognitive error (such as misdiagnosis) could occur. The classification module errs on the conservative side by identifying all knowledge-based and rule-based diagnostic tasks as having cognitive error potential.

A cognitive error analysis submodule. This submodule is aimed at detecting any possible cognitive errors in the whole scenario. A set of ten questions are asked of the assessor, looking for potential misdiagnoses due to various cognitive psychological error mechanisms.

A human error analysis submodule. This submodule aims to identify all potential errors for a task (excluding cognitive errors). As for the previous submodule, about 30 questions are asked individually, the user attaching the error, via menu selection, to one or more of the sequential task steps. As each error mode is selected by the assessor, a menu selection of related psychological error mechanisms appears, and the assessor must select the most appropriate one for the scenario in question.

Also provided is a representation table, based on the task description and errors identified during this module. This table encapsulates the information gained so far and allows the user to identify error-recovery points in the scenario, and dependences between identified errors. This table will also allow the user to note which error descriptions are redundant, ie those which, owing to the heterarchical structure of the HEI module, have been identified more than once, or errors which are incredible, or do not contribute to the top event of interest. Such errors will not be represented in the logic trees nor quantified. This table, and/or the listing of human errors, can be printed out as hard copy.
The HRMS HEI module is based upon a combination of the SRK, SHERPA and GEMS type models with the addition of extra psychological error mechanisms. Table 8 shows the format of the representation tabular output. Figure 6 shows a generic event tree for identifying the basic types of error impact in an accident event sequence, which the assessor can use as a prompt both in checking the comprehensiveness of the analysis, and as a basic structure for developing an event tree for a scenario.
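The representation table described above, and the SHERPA HEA table earlier (recovery immediately, at a later step, or not at all), share one record structure; the following added example (illustrative code, not HRMS or SHERPA software) builds such a table, records subsumed and screened-out errors, and lists what survives for logic-tree representation. Step numbers, error numbers and descriptions are constructed, loosely following the fan-failure scenario in Table 8.

```python
"""Representation (human error screening) table for identified errors.

Added illustration, not HRMS or SHERPA code, of the tabular record both
methods keep: each identified error carries its task step, psychological
error mechanism, recovery point, dependencies and a screening decision,
and only errors that survive screening go forward to logic trees and
quantification. Step numbers, error numbers and texts are constructed,
loosely following the fan-failure example in Table 8.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def step_key(step):
    """'3.2' -> (3, 2), so task steps compare and sort numerically."""
    return tuple(int(part) for part in step.split("."))


@dataclass
class HumanError:
    step: str
    error_no: str
    description: str
    mechanism: str                        # psychological error mechanism
    recovery_step: Optional[str] = None   # None: no recovery point
    dependencies: List[str] = field(default_factory=list)
    screening: Optional[str] = None       # None: retained for quantification
    comments: str = ""

    def recovery_class(self):
        """SHERPA-style classification: immediate, later, or no recovery."""
        if self.recovery_step is None:
            return "no recovery"
        if step_key(self.recovery_step) < step_key(self.step):
            raise ValueError(f"{self.error_no}: recovery step precedes error")
        if step_key(self.recovery_step) == step_key(self.step):
            return "immediate"
        return f"later (step {self.recovery_step})"


class RepresentationTable:
    def __init__(self):
        self._errors = {}

    def add(self, err):
        if err.error_no in self._errors:
            raise ValueError(f"duplicate error number {err.error_no}")
        for dep in err.dependencies:          # dependencies must already exist
            if dep not in self._errors:
                raise ValueError(f"{err.error_no} depends on unknown {dep}")
        self._errors[err.error_no] = err

    def get(self, error_no):
        return self._errors[error_no]

    def subsume(self, redundant, by):
        """Mark 'redundant' as already covered by the retained error 'by'."""
        if redundant not in self._errors or by not in self._errors:
            raise KeyError("both error numbers must be in the table")
        if self._errors[by].screening is not None:
            raise ValueError(f"{by} is itself screened out")
        self._errors[redundant].screening = f"subsumed by {by}"

    def screen_out(self, error_no, reason):
        """reason: eg 'incredible' or 'no contribution to top event'."""
        self._errors[error_no].screening = reason

    def ordered(self):
        return sorted(self._errors.values(),
                      key=lambda e: (step_key(e.step), e.error_no))

    def for_quantification(self):
        """Error numbers that go forward to logic trees and quantification."""
        return [e.error_no for e in self.ordered() if e.screening is None]

    def report(self):
        lines = []
        for e in self.ordered():
            lines.append(f"Step {e.step}  Error {e.error_no}: {e.description}")
            lines.append(f"  mechanism:  {e.mechanism}")
            lines.append(f"  recovery:   {e.recovery_class()}")
            lines.append(f"  dependency: {', '.join(e.dependencies) or 'none'}")
            lines.append(f"  screening:  {e.screening or 'retained'}")
            if e.comments:
                lines.append(f"  comments:   {e.comments}")
        return "\n".join(lines)


def fan_failure_table():
    """Constructed example loosely following Table 8 (not the real data)."""
    t = RepresentationTable()
    t.add(HumanError("1", "01090", "CRO fails to respond to all signals",
                     "Cognitive/stimulus overload", recovery_step="2",
                     comments="Highly likely to be recovered by the SS"))
    t.add(HumanError("2", "07090", "CRO fails to detect hardwired alarms",
                     "Discrimination failure", recovery_step="2"))
    t.add(HumanError("3.2", "13010", "CRO/SS fail to identify scenario in time",
                     "Cognitive/stimulus overload", dependencies=["01090"]))
    t.add(HumanError("4", "15010", "CRO operates valves in wrong order",
                     "Place-losing error", recovery_step="4"))
    t.subsume("07090", "01090")   # alarm response is quantified as one set
    t.screen_out("15010", "no contribution to top event")
    return t


if __name__ == "__main__":
    print(fan_failure_table().report())
```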

Table 8 HRMS representation analysis output: human error screening report

Assessor: B I Kirwan
Task: Fan failure scenario
Safety case: Cooling fan system
File name: 007 FAN

Step No. 1: Detect and acknowledge VDU alarms
Error No. 01090: Control room operator (CRO) fails to respond to all signals
Error mechanism: Cognitive/stimulus overload
Recovery: SS/hardware alarm/other alarms
Dependency/exclusivity:
Screening:
Comments: Highly likely to be recovered by shift supervisor (SS)

Step No. 2: Respond to hardwired alarms
Error No. 07090: CRO fails to detect hardwired alarms amongst others
Error mechanism: Discrimination failure
Recovery:
Dependency/exclusivity:
Screening: Sub
Comments: Hardwired alarm very salient, 'copied' to SS console. Subsumed by error number 01090: alarm quantification module quantifies total response to alarm set

Step No. 3.2: CRO suggests fan failure as scenario
Error No. 13010: CRO/SS fail to identify scenario in time
Error mechanism: Cognitive/stimulus overload
Recovery: SS, emergency procedures
Dependency/exclusivity:
Screening:
Comments: This error is used to refer to the failure to identify the recovery route of preventing boiling by achieving recirculation via changing valve status

The HEI process in HRMS relies on a high degree of assessor expertise and judgement in deciding which errors are likely and which of the possible psychological error mechanisms will be the principal cause. Ideally HRMS could consider PSF and/or the type of task to aid the assessor in deciding these parameters, but the developer believes this is not yet feasible given the state of knowledge available. Hence rather than risk ruling out errors based on (currently) ad hoc theory, the system allows a large proportion of errors to be identified. Thus a trade-off is implicit in the system in favour of comprehensiveness rather than resource-effectiveness.
HRMS has been developed only relatively recently and insufficient evidence has been gained with its usage in practice to determine its effectiveness. Given its identification of psychological error mechanisms, it can feed forward to error-reduction measures. It is highly documentable, as all assessor decisions during the analysis are recorded and printed out. The remaining and significant questions with this system are whether it is too resource-intensive, and whether different assessors will use it consistently.

Figure 6 Generic accident sequence event tree (ref 8). [Event tree not reproduced. Column headings: prior to event sequence; event sequence detection commences; response identification; response implementation; situation worsens (caused by new events or errors); final recovery actions; outcome. Branch labels include: latent errors; operator initiators; fail to detect event; misdiagnosis or decision error; fail to determine response; response inadequate/action errors; operator actions worsen event; deals with complicatory factors; fails to deal with new situation; adequately handles event sequence; fails to resolve situation in time; recovery/no recovery from action errors; outcomes of success, partial success and failure.] L: latent errors of maintenance, calibration etc, especially with respect to instrumentation and safety systems, can affect every node in the tree. 1: if misdiagnosis can lead to more severe consequences, a second event tree must be developed accordingly. 2: resolution to a safe state, even though responses have largely been inappropriate or incomplete, is still feasible depending on the system, eg if rapid (safe) shutdown is possible throughout the scenario as on some chemical plants.

Influence modelling and assessment system
The IMAS approach (ref 25) is a mental mapping system which can be used in the identification of cognitive (knowledge-based) errors. It constructs, via a computer program, an operator's mental model of the inter-relationships between different events and indications, eg in a central control room in a nuclear power plant. For example, during a particular scenario various alarms may occur, which could be interpreted in different ways by the operators depending on factors such as what happened prior to the event, the reliability of the alarms, or the relative frequencies of various events. IMAS, via verbal protocol analysis and interviews, explores the operators' perceived causal and consequential links between different indications and events (eg "if alarm A occurs in the presence of alarm B and alarm C, then event X is probably occurring, else alarm A is probably false"). An example of the type of representation gained from an IMAS assessment is shown in Figure 7 (ref 25).
It is not clear whether IMAS has yet actually been used in a real assessment, but once a mental map has been derived then potential misdiagnoses can be derived as a function of the likely set and sequence of indications in the scenario under investigation. Thus, if it is known that certain alarms will occur in a particular scenario, then other possible diagnoses can be explored. Also, the effects of partial or complete loss of instrumentation (as often happens in severe situations) on the ease of achieving correct diagnosis can be reviewed.

Figure 7 IMAS example (ref 25). [Mental-map diagram not reproduced. Legible nodes include: manual valve closed; auto valve closed (indicated on alarm log); plant state abnormal; nitrogen supply exhausted (level indicator on tank); loose clips on flexible hose; rotary valve rubber sleeve loose or burst (air leakage); high oxygen reading from analyser (oxygen level high); FDC filter blocked and filling, or completely blocked and full; mass discrepancy noted (printout); filter not closed correctly; no material transferring from hopper to slurry mix vessel (VDU: no mass change); line pressure (VDU).]

IMAS represents a resource-intensive approach to error identification, but would appear to offer promise in what is a difficult assessment area. Its comprehensiveness is difficult to determine, as its use has not been well documented. Potentially it could consider errors due to scenarios being potentially confusible, and also due to inadequate mental models of the operators. The usefulness of the technique could be high, since errors in operator understanding could be detected quickly, and the need for clearer or back-up information sources could be established. The documentability could be made high, and would represent useful information for the future life of the plant, if only for training purposes.

Confusion matrices
Potash et al26 proposed the use of confusion matrices in order to help analysts to identify potential misdiagnoses. The approach entails, first, generating a list of the likely abnormal events anticipated for a system (eg a nuclear power plant). These scenarios are then assessed by experienced personnel (eg experienced operators or simulator trainers) in terms of the relative similarity of their indications. Each scenario is therefore rated in terms of confusibility with respect to each other scenario. These ratings are then represented in a confusion matrix (see Table 9). The human reliability analyst can then predict likely misdiagnoses for each scenario.

The approach is conceptually simple, although in practice it requires a good deal of analysis of the various scenarios and their likely sequences of indications. Swain28 cites two uses of this approach in PRAs in the USA, suggesting that it is a useful approach if appropriate experts are used. The comprehensiveness of confusion matrices is difficult to judge, however, since the approach only considers diagnostic failures related to the problem of similarity: techniques such as GEMS and even SRK would suggest that other types of failure are possible (eg inadequate mental model; failure to consider side-effects). This technique would therefore only be expected to derive a subset of all possible misdiagnoses. The technique's usefulness is probably limited to error reduction through training and procedures recommendations. Its documentability, similarly to IMAS, can be made relatively high, if the rationales of the experts are recorded, and if the analyst's choice of potential misdiagnoses is logical given the matrix ratings, and is appropriately recorded. Such information would be of use to existing and future training departments.
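The screening step of the approach, as an added example that is not part of the original paper: the scenario names come from Table 9, but the pairwise ratings are constructed, and the rule that only R-rated confusions at or above a chosen level count as predicted misdiagnoses is an assumption of this example, not a rule stated by Potash et al.

```python
from itertools import combinations

# Ranking of the confusion levels used in Table 9 (L = low, M = medium, H = high).
LEVEL_RANK = {"L": 1, "M": 2, "H": 3}

# Constructed ratings for a few Table 9 initiating events (not Seabrook data).
# Key: unordered pair of scenarios; value: "level/impact", where R means the
# confusion affects subsequent operator actions and N means negligible impact.
RATINGS = {
    frozenset({"Reactor trip", "Turbine trip"}): "H/N",
    frozenset({"Small LOCA", "Steam generator tube rupture"}): "H/R",
    frozenset({"Small LOCA", "Medium LOCA"}): "M/R",
    frozenset({"Loss of offsite power", "Loss of single a.c. bus"}): "M/R",
    frozenset({"Reactor trip", "Small LOCA"}): "L/N",
    frozenset({"Turbine trip", "Small LOCA"}): "L/R",
}


def parse_rating(cell):
    """Split a 'H/R'-style cell into (level, impact), rejecting malformed cells."""
    level, impact = cell.split("/")
    if level not in LEVEL_RANK or impact not in ("R", "N"):
        raise ValueError(f"bad rating {cell!r}")
    return level, impact


def build_matrix(ratings):
    """Return a symmetric {scenario: {other: (level, impact)}} matrix.
    Pairs the experts did not rate are assumed L/N (an assumption of this example)."""
    scenarios = sorted({s for pair in ratings for s in pair})
    matrix = {s: {} for s in scenarios}
    for a, b in combinations(scenarios, 2):
        rating = parse_rating(ratings.get(frozenset({a, b}), "L/N"))
        matrix[a][b] = rating
        matrix[b][a] = rating
    return matrix


def predicted_misdiagnoses(matrix, scenario, min_level="M"):
    """Scenarios likely to be confused with `scenario`, most confusible first,
    keeping only confusions that would change subsequent operator actions (R)."""
    rows = [(other, lvl, imp) for other, (lvl, imp) in matrix[scenario].items()
            if imp == "R" and LEVEL_RANK[lvl] >= LEVEL_RANK[min_level]]
    return sorted(rows, key=lambda r: (-LEVEL_RANK[r[1]], r[0]))


def screening_report(matrix, min_level="M"):
    """Candidate misdiagnosis list for every scenario, for the analyst to review."""
    return {s: predicted_misdiagnoses(matrix, s, min_level) for s in matrix}
```

Note that 'Reactor trip' yields no candidates even though it is rated H against 'Turbine trip': a confusion with negligible impact on subsequent actions is screened out, which is why the impact letter is carried alongside the level.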

Table 9 Confusion matrix example27. Seabrook operators' plant status confusion matrix (5 to 15 min after an initiating event)

Initiating events (in descending order of frequency):
1. Reactor trip
2. Partial loss of secondary heat removal
3. Reduction in feedwater flow
4. Turbine trip
5. Excessive feedwater flow
6. Loss of primary flow
7. Loss of condenser vacuum
8. Total loss of main feedwater
9. Loss of single a.c. bus
10. Loss of single d.c. bus
11. Loss of offsite power
12. Inadvertent safety injection actuation
13. Charging system malfunction
14. Steam generator tube rupture
15. Inadvertent opening of main steam relief valves
16. Isolable LOCA
17. Core power excursion
18. Small steam/feed line break (inside containment)
19. Large steam/feed line break (inside containment)
20. Large steam/feed line break (outside containment)
21. Small LOCA
22. Inadvertent closure of all main steam isolation valves (MSIV)
23. Medium LOCA
24. Large LOCA
25. Loss of component cooling
26. Loss of service water
27. ATWS
28. No diagnosis

[Matrix body: each pair of initiating events carries a cell rating of the form L/N, M/R, H/R etc; the individual cell positions are not legible in this copy.]

L = low level of scenario confusion; M = medium level of scenario confusion; H = high level of scenario confusion; R = impact on subsequent operator actions; N = negligible impact on subsequent operator actions

Cognitive environment simulation (CES)

The CES has been developed in the USA in the nuclear power field29,30, arguably one of the more complex operator-machine environments in existence, particularly when things go wrong. CES is a simulation of the mind of the operator, based on an expert system. CES is linked to a real-time simulation of a nuclear power plant which can 'run' anticipated abnormal events and generate, in parallel, information on a set of alarms/indicators presented on the VDU like that which would be available to the operator in the control room. The 'operator' simulation in CES 'receives' these inputs and attempts to interpret what is happening in the (simulated) nuclear power plant. Furthermore, the 'operator' does not receive information passively, but directs attention towards particular indications, depending on the data received so far, and the hypotheses it is trying to confirm/disconfirm. Thus, the 'operator' has a 'strategic focus' within the simulation.

The CES represents a highly sophisticated tool for investigating cognitive errors. It can identify where potential misdiagnoses (hypotheses which should later be disconfirmed/rejected) may commence, and at what point they would optimally be rejected. Errors caused by lack of information, and errors caused by incorrect assumptions of the relative likelihoods of different events, can also be predicted with CES.

CES is still being developed and evaluated, but currently represents the pinnacle of HRA research into misdiagnosis. Its comprehensiveness is as yet uncertain. The one area that it may not yet fully address is the GEMS-type errors which are more to do with the inappropriate use of problem-solving heuristics (eg over-simplification of the scenario). Potentially the CES is a useful approach, as it can lend support to reduction measures based on design (eg with respect to alarms and indications) as well as training and procedures. Its documentability is also potentially very high, as all parts of the simulation are recordable in real time. Resource usage, however, is currently high, and CES is still at the prototype stage of development.

Summary
This paper has described twelve approaches to HEI, some basic and some sophisticated, one no longer available (PHECA), and some still at the prototype stage of development (eg CES). An initial assessment of each has been made in terms of defined basic criteria of comprehensiveness, usefulness for error prediction and reduction, and documentability. Part 2, to follow, will compare the techniques against a more detailed set of relevant attributes, providing guidance for tool selection in HRA, and will report on an HEI tool validation study.

References
1 USNRC 'Loss of main and auxiliary feedwater at the Davis-Besse Plant on June 9, 1985' NUREG-1154 (1989)
2 Green, A E Safety systems reliability Wiley (1983)
3 Reason, J T 'A framework for classifying errors' in Rasmussen, J, Duncan, K D and Leplat, J (eds) New technology and human error Wiley (1987)
4 Kirwan, B, Embrey, D E and Rea, K 'The human reliability assessors guide' Report RTS 88/95Q, NCSR, UKAEA, Culcheth, Cheshire (1988)
5 Kirwan, B 'Human reliability assessment' in Wilson, J R and Corlett, N (eds) Evaluation of human work Taylor & Francis, London (1990) pp 706-754
6 Embrey, D E, Humphreys, P C, Rosa, E A, Kirwan, B and Rea, K 'SLIM-MAUD: An approach to assessing human error probabilities using structured expert judgement' NUREG/CR-3518, US Nuclear Regulatory Commission, Washington, DC 20555 (1984)
7 Williams, J C 'A data-based method for assessing and reducing human error to improve operational performance' Proc IEEE Fourth Conf on Human Factors and Power Plants Monterey, California (5-9 June 1988) pp 436-450
8 Kirwan, B and James, N J 'The development of a human reliability assessment system for the management of human error in complex systems' in Reliability 89 Brighton Metropole (June 1989) pp SA/2/1-SA/2/11
9 Swain, A D and Guttmann, H E A handbook of human reliability analysis with emphasis on nuclear power plant applications USNRC NUREG/CR-1278, Washington, DC 20555 (1983)
10 Berliner, D C, Angelo, D and Shearer, J 'Behaviours, measures and instruments for performance and evaluation in simulated environments' Presented at Symposium on the Quantification of Human Performance, Albuquerque, New Mexico (17-19 August 1964)
11 Brune, R L, Weinstein, M and Fitzwater, M E 'Peer review study of the draft handbook for human reliability analysis' SAND-82-7056, Sandia National Laboratories, Albuquerque, New Mexico (1983)
12 Kletz, T 'HAZOP and HAZAN - notes on the identification and assessment of hazards' Institute of Chemical Engineers, Rugby (1974)
13 Whalley, S P 'Minimising the cause of human error' in Libberton, G P (ed) 10th Advances in Reliability Technology Symposium Elsevier (1988)
14 Comer, P J, Fitt, J S and Ostebo, R 'A driller's HAZOP method' Society of Petroleum Engineers, SPE 15867 (1986)
15 Rasmussen, J, Pedersen, O M, Carnino, A, Griffon, M, Mancini, C and Gagnolet, P 'Classification system for reporting events involving human malfunction' Riso-M-2240, DK-4000, Riso National Laboratories, Denmark (1981)
16 Pedersen, O M 'Human risk contributions in the process industry' Riso-M-2513, Riso National Laboratories, DK-4000 Roskilde, Denmark (1985)
17 Embrey, D E 'SHERPA: a systematic human error reduction and prediction approach' Paper presented at the International Topical Meeting on Advances in Human Factors in Nuclear Power Systems, Knoxville, Tennessee (April 1986)
18 Reason, J T 'Generic error modelling system: a cognitive framework for locating common human error forms' in Rasmussen, J, Duncan, K and Leplat, J (eds) New technology and human error Wiley (1987)
19 Reason, J T Human error Cambridge University Press (1990)
20 Kirwan, B and Rea, K 'Assessing the human contribution to risk in hazardous materials handling operations' Paper presented at the First International Conference in Risk Assessment of Chemicals and Nuclear Materials, Robens Institute, University of Surrey (22-26 September 1986)
21 Reason, J T and Embrey, D E 'Human factors principles relevant to the modelling of human errors' Report for the European Atomic Energy Community (1985)
22 Pew, R W, Miller, D C and Feehrer, C S 'Evaluation of proposed control room improvements through analysis of critical operator decisions' NP 1982, Electric Power Research Institute, Palo Alto, CA (1981)
23 Gall, W 'Error analysis' SRD Human Reliability Course Notes, UKAEA, Culcheth, Cheshire (1988)
24 Gall, W 'An analysis of nuclear incidents resulting from cognitive error' Paper presented at the 11th Advances in Reliability Technology Symposium, University of Liverpool (April 1990)
25 Embrey, D E 'Approaches to aiding and training operators' diagnoses in abnormal situations' Chem Ind Vol 7 (1986) pp 454-459
26 Potash, L M, Stewart, M, Dietz, P E, Lewis, C M and Dougherty, E M 'Experience in integrating the operator contribution in the PRA of actual operating plants' Proc ANS/ENS Topical meeting on PRA American Nuclear Society (1981) pp 1054-1063
27 'Seabrook station probabilistic safety assessment' Pickard, Lowe and Garrick Inc, PLG-03300 Washington DC (1983)
28 Swain, A D Comparative evaluation of methods for human reliability analysis GRS-71, Gesellschaft für Reaktorsicherheit (GRS) mbH, Köln (1989)
29 Woods, D D, Roth, E M and Pople, M 'An artificial intelligence based cognitive model for human performance assessment' NUREG/CR-4862, USNRC, Washington DC (1987)
30 Woods, D D, Pople, H E and Roth, E M 'The cognitive environment simulation as a tool for modelling human performance and reliability' NUREG/CR-5213, USNRC, Washington DC (1990)