Safety and application of procedures, or `how do

`they' have to use operating procedures in

nuclear power plants?'
1
Y. Dien*
E

lectricite de France, Direction des E

tudes et Recherches, Departement E

tudes de Surete et de Fiabilite,

1 avenue du General de Gaulle, F-92141 Clamart, Cedex, France
Abstract
Emergency procedures are inescapable aspects of safety. They can be seen as the laws to be
respected in an accident situation. But as for all laws, there remains the problem of their
application: should strict adherence to procedure be imposed under all circumstances? Is this
possible? Are there any potential risks with such a requirement? Or, on the contrary, should
application be more `open', more exible, allowing for adaptation to the actual situation? But,
what are the potential risks involved in this approach? Are these two approaches to the
application of procedures mutually exclusive, or are they complementary? This paper analyses
the nature of the problem of the application of procedures and proposes orientations for
further research on the matter. # 1998 Elsevier Science Ltd. All rights reserved.
1. Introduction
In hazardous industries like the nuclear power industry, the existence and appli-
cation of operating procedures are established facts intended to guarantee a high
level of safety for the plants. Yet events like the nuclear accidents at Three Mile
Island in America and the Soviet nuclear plant at Chernobyl have shown that pro-
cedures alone were not an absolute and invariable guarantee of safety.
As far as procedures are concerned, are there conditions which encourage a high
level of security? Are these conditions linked to the design, location, or use of
SAFETY SCIENCE
Safety Science 29 (1998) 179187
0925-7535/98/$19.00 # 1998 Elsevier Science Ltd. All rights reserved.
PII: S0925-7535(98)00021-6
1
This paper marks a particular stage in the research carried out at the E

lectricite de France (EDF)

Research and Development Division on the design and assessment of emergency and abnormal operating
procedures. The opinions expressed are those of the author, and are not to be construed as representing
the ocial policy of EDF.
* Corresponding author. EDF International Division, 30 rue Jacques IBERT, 75858 Paris, Cedex 17,
France.
procedures? If these conditions are not met, is there not a risk that the procedures
might, on the contrary, be tools working against their very intent, i.e. might their
application not reduce the level of safety?
This paper analyses the conditions currently stipulated for the use of procedures in
French nuclear power plants, puts their validity to the test, and suggests new direc-
tions for thinking based on accident and incident situations.
2. The problem
In the French nuclear industry procedures are a necessity, especially when an
incident or accident occurs. First of all, they are a legal requirement, since before a
unit can start up, the governing authorities require a demonstration of safety in the
form of the existence of operating procedures in the control room.
Designers see procedures as a guarantee of safety because their application enables
human error to be avoided; operators are still all too often considered as potential
generators of error during operation under emergency conditions (stressful situa-
tion, unaccustomed type of operation, etc.).
Operators themselves feel the need for procedures to help them diagnose the
situation and bring it under control. Without procedures they would have to create
an `on-line' strategy to bring the process back to a safe condition (Dien et al., 1992).
Operators are aware that these situations are complex and that operation calls for
management of interactions between processes, themselves, and the view or repre-
sentation they have of the process (Woods, 1988). Without support, in an unfamiliar
(Rouse et al., 1984) and potentially stressful situation, the risk of error in diagnosis
and/or operation is major. Operators could focus their attention on an irrelevant or
minor detail of the situation, or could fail to perform actions or acknowledge
information to which they are unaccustomed under normal operating conditions,
but which are fundamental for operation in an emergency situation.
In this area it is possible to formulate many questions. For example: is the general
agreement on the need for procedures based on consensus, i.e. on an identical vision
of the role and application of procedures by all those concerned? Are procedures
used by operators in the way designers require? If there are divergences, can they
aect safety?
The reections and opinions about these questions, which are expressed in this
paper derive from research carried out concerning accident procedure design,
analyses of tests performed on full scale simulators, and analyses of real incidents
requiring the implementation of procedures.
3. How procedures should be used: the designer's viewpoint
This point of view stems from work concerned with the design of procedures.
Interviews were held with procedure designers who explained their viewpoints on the
role of procedures and of the role and tasks of operators during accident situations.
180 Y. Dien/Safety Science 29 (1998) 179187
The model of the operator which predominates in the design of procedures can be
seen in the way in which designers and, consequently, the executive management
and training supervisors would like to see procedures applied. This implicit model
is a model of an operator `in the heat of action', in that it describes both the opera-
tor and the accident situation. But this view of the operator is both mechanistic
and static, as the characteristic principles of the model demonstrate (Dien and
Montmayeul, 1992):
1. The operator is regarded as a `guided' being who must apply to the letter and
follow step-by-step the written instructions in the procedure. The operator
does not need to apply signicant skill and knowledge in order to cope with the
accident.
2. The situation to be controlled consists of a series of chronological actions that
must be carried out in order to pass from one process state to another in a
given situation. Implicitly all the equipment and control loops required are
available.
3. The person who has to use the procedure is seen as an `average' operator with
a given competence. It must be underlined, however, that there is no explicit
competence requirement specied for using the procedures.
This mechanistic (operator seen as a guided being, all equipment required for
recovery of the accident assumed to be available, etc.) and static (consideration of a
given situation, abstraction of process dynamics, etc.) model is in keeping with the
denition of procedures generally accepted by designers. The procedureoften seen
from the angle of its descriptive aspectis dened from a viewpoint that excludes
the operator. Thus, Lind (1979) denes a procedure as follows:
``In general, a procedure is a set of rules (an algorithm) which is used to control
operator activity in a certain task. Thus, an operating procedure describes how
actions on the plant (manipulation of control inputs) should be made if a cer-
tain system goal should be accomplished. The sequencing of actions, i.e. their
ordering in time, depends on plant structure and properties, the nature of the
control task considered (goal), and operating constraints.''
Procedures are not seen as something for helping the operator control a process, but
rather they are supposed to `control' the operator. Furthermore, a procedure is
implicitly designed exclusively in accordance with the constraints and characteristics
of a process, and overlooks the characteristicsboth strengths and weaknessesof
operators.
From the point of view of the designer, the use of a procedure requires, at the
very most, just the ability to read and understand a text, since (strict) adherence to
the instructions in the procedure enables the accident situation to be coped with.
Everything that has to be done and the order of actions is laid down in the pro-
cedure: a procedure is sucient in itself. The side-eect is that a procedure
is addressing a user-specic (and implicit) level of competence and knowledge.
Y. Dien/Safety Science 29 (1998) 179187 181
Actions are described with a certain level of detail; the more the actions are laid
down with details, the less the competence of the future user is expected to be high
(and vice versa).
However, a procedure is only the instantaneous and time-frozen reection of
theoretical (acquired through studies) and practical (feedback on experience)
knowledge of the operation of a process at a given moment. There can, therefore, be
a `gap' between some instructions of the procedure and the real situation as it is
happening (Dien et al., 1991). For example, the original E

lectricite de France (EDF)

procedure for recovery after the loss of the main power supply called for the primary
cooling circuit pumps to be started up again, without consideration of the context.
Now studies have shown that for some transient conditions, the start-up of primary
pumps could result in unwarranted dilution of the coolant, with the ensuing risk of
renewedand uncontrollednuclear reaction. As a result of these studies the pro-
cedure was amendedrapidly!
The designer viewpoint which considers the operator as no more than an opera-
tive remains but is changing. Designers have begun to understand that to use a
procedure operators have to rely on considerable competence and even culture.
Being able to read a procedure means understanding and doing a certain number of
things and demonstrating a certain attitude, aspects which are not explicitly
expressed in the procedure (Guilmin, 1987). For example, the cooling requirements
in procedures mention only a rate of cooling, yet the rate of cooling depends on the
relationships between the extent to which some valves are opened and the pressure
of the steam generators, aspects which are not mentioned in the procedures.
Application of the required rate of cooling, therefore, calls for this specic knowl-
edge on the part of the operators in order to overcome this shortcoming in the
procedure.
4. How the procedures should be used: the operator's viewpoint
EDF has conducted more than 100 real life tests on full-scale simulators during
which teams of operators have to cope with accident situations. All their actions are
observed and recorded. After the test, there is a debrieng to ascertain their opinions
and additional explanations. What is more, after each real incident, operators are
interviewed and they explain, among other things, the contributions and short-
comings of the procedures used to recover the situation. The point of view of
operators expressed here is derived from these data and reects, therefore, the
manner in which they `really' use procedures.
It must be stressed that in an accident situation, divergences from strict respect of
the procedure are relatively rare, but frequent enough not to be ignored, and result
from improper alignmentoften temporaryof the procedure with the situation
(Dien et al., 1991, 1992). Such misalignment is either inherent to the procedure used
or due to one or more previous operator errors. Several deviations from the pro-
cedures' strict appliance were noted in each full-scale simulator exercise, but their
consequences were almost always practically nil.
182 Y. Dien/Safety Science 29 (1998) 179187
The ability to manage contingencies is a `plus' operators can provide, and con-
stitutes a basis for operation. Operators are often called on to respond to situations
or events that are not explicitly featured in the procedure. Theoretically, operators
can be called on to manage a process situation which is not wholly covered by a
procedure (`quite unlikely' situation).
Above and beyond this case, operators are often confronted with minor
disturbances (jammed controls, faulty sensor, etc.) to which they must nd a
remedy. These disturbances are often not taken into account in the procedure which
considers a single route to follow or a limited number of alternatives.
In addition, due to the level of detail in the description of the actions to be per-
formed, a procedure implicitly calls on a certain level of competence, a certain
know-how, on the part of operators. A procedure generally calls on a single level of
competence. The skill to which the procedure is addressed is implicitly that which is
taken into account by the designer during the procedure-design process. But the
level of competence required can vary from one procedure to another. Thus, to
achieve the same functional objective, e.g. cooling the core, two dierent procedures
could use two extreme approaches:
1. either provide details of the succession of equipment to be operated, sometimes
with mention of where the controls are to be found in the control room (calling
for a low level of competence); e.g. open the TBS # I valve to X%, then start
up the TBS # J pump; or
2. simply indicate the system to be operated (calling for a high level of compe-
tence) e.g. use the TBS system for cooling the core.
This lack of uniformity can be aggravated by dierences in the level of inter- and
intra-individual competence of operators who are, therefore, required to be able to
continually adapt to the call for action (presentation of the demand for use of the
procedure) and their aptitude (`level of competence') at the time.
Finally, some actions required by the procedure may not be totally clear, thereby
obliging operators to take real-time initiatives and decisions in order to overcome any
ambiguity. For example, in an actual incident (Dien and Peresson, 1990) operators
realised that one of the rst actions required by the procedure was a leakage analysis;
but the procedure did not specify which type of analysis: was it to be a quick but
inexact analysis, or a precise analysis which would necessarily take longer? Further-
more, which method was to be used, given that the parameters were not stable?
All these aspects show that operators cannot keep strictly to the letter of a pro-
cedure at all times, for they have to take independent initiatives, i.e. temporarily
divert the procedure in order to:
1. make up for its `oversights'; and
2. compensate for the static aspects of the procedure, operation being funda-
mentally dynamic (interactions between process parameters, but also regula-
tions, adjustments, and adaptation between members of the team in order to
co-ordinate themselves).
Y. Dien/Safety Science 29 (1998) 179187 183
5. Towards `intelligent' application of procedures
Designers' and operators' views on the application of procedures are apparently
contradictory. Does that mean they are irreconcilable? Certainly, if each way of
thinking were to be pushed to the extremeto the point of absurdityit would be
dicult to reach a compromise.
Pushing designers' thinking to the extreme would entail each and every situation
being covered, each possible case being taken into account, and an appropriate
solution being proposed to the operator. Even if it were technically feasible, this
approach would result in a `combinatorial explosion' of cases, consequently making
the process complex, extremely cumbersome, and, in the long run, unusable (Dien et
al., 1992). In addition, it is to be feared that some changes to procedures could be
made post hoc, i.e. after occurrence of an actual event that was not envisaged in the
previous version of the procedure.
Pushing operators' thinking to the extreme would entail relying wholly on opera-
tors, on their competence and know-how, and restricting oneself to giving them a
few indications on operation in the form of very specic procedures. The character-
istics of operation under emergency conditions are very dierent to those of routine
operation. Under emergency conditions people may apply knowledge and behaviour
acquired under normal operating conditions which could lead to diculties in the
context of emergency operation (Grosdeva et al., 1990). To `correctly operate' under
emergency conditions, the rst pre-requisite is to be fully aware that the situation is
indeed an emergency condition. It has been seen that operators do not always have a
true representation of the actual status of the process and, therefore, of the situation
in which they nd themselves. During the Three Mile Island accident in March 1979,
operators ran the plant for 2 h 22 min thinking that the primary cooling circuit was
intact, whereas, in fact, there was a break; during an incident at the Paluel plant in
France in January 1993, operators ran excessive cooling for 1 h 20 min without
being aware that they were faced with a steam-line break.
Finding a compromise to overcome the contradiction between the two ways of
thinking requires operators to adapt procedures so that they can be applied in an
intelligent fashion. It is necessary to have a certain `disinvolvement' and distance
when applying procedures, if only to become aware of one's own errors, e.g. over-
sights or `slips' in reading (Kasbi and Lewkovitch, 1993).
Intelligent application of procedures means strict adherence to them as long as they
are adapted to the situation, and use of initiative at times when there is a divergence
between the actual situation and what is expected by the procedure. This means that
operators have to realise when the procedure prescription diverts from reality.
Some front-end conditions are necessary for operators to be able to apply pro-
cedures in an intelligent fashion. Such conditions deal with the design of procedures,
the training of operators, organisation in periods of crisis, provision of advanced
tools for assistance in operation, and the behavioural pattern that should be devel-
oped in daily activities.
The design of procedures must bear in mind the characteristics of operators when
dening tasks to be implemented, i.e. it should emphasise tasks where human beings
184 Y. Dien/Safety Science 29 (1998) 179187
have specic skills, like making decisions in a `fuzzy' context, or adaptability, and
should reduce tasks where humans reach their limits, like repetitive tasks, or rapid
detection of information appearing in random fashion, and which is `drowned out'
by other information.
The procedure must also be adapted to the diversity of operators and of their
expectations which depend on their knowledge, level of stress, etc. This calls for the
creation of several levels of reading for every procedure, i.e. presenting the same
operation function with several levels of detail which could be an `objective' level, a
`task' level, and a blow-by-blow `action' level (Dien et al., 1991). With the example
of cooling the core, it would lead to three levels characterised by the following
formulation:
1. cool to X

C/h (objective level);

2. use the TBS system to achieve cooling (task level); and
3. open the TBS I valve to X%, then . . . (action level).
Operator training must not be restricted to learning the application of procedures,
but must also deal with understanding the phenomena that occur under emergency-
operation conditions, and with explaining and justifying the actions called for by the
procedure.
Emergency operation calls for the presence, alongside the operating team, of an
independent and redundant structure which performs real-time analysis of the situ-
ation. In French nuclear power stations this function is performed by the radiation-
protection and safety engineer as well as local and national emergency teams
connected to the control room. It is also necessary to provide operators with
advanced-technology toolse.g. like computer aids (Mosneron-Dupin and Papin,
1992)to help them in tasks where human capacities are weakest.
The know-how developed from routine operation provides the operator with
his basis for operation under accident conditions (Grosdeva et al., 1990). Because
of this, divergences from procedures must be accepted and ocially recognised in
daily operation (Dien et al., 1992). In other terms, what is done must not be
judged by the environment (procedure designers, power station superiors) on
the basis of results (congratulations for success, reprimand for error), and judge-
ment must be independent of whether the procedure was followed or not. It is in
routine operation that operators should acquire the habit of being disinvolved, of
`standing back' from the procedure. The pre-requisite for acquisition of this habit
is the `controlled initiative' they are allowed by their environment. Controlled
initiative means that the non-application of a procedure is not systematically
reprimanded but assessed according to the motive for non-compliance, and
the results.
Finally, the procedures are not the only means at our disposal. They are one
part of a set of `means' which includes individual know-how (training), collective
know-how (team coordination, cooperation), management rules and everyday
practices. The existence of this set means that the procedures can be applied in a
exible way.
Y. Dien/Safety Science 29 (1998) 179187 185
6. Conclusion
Society accepts a social regulator in the form of laws, which are applied in accor-
dance with the context and personal backgrounds of the victim, defendant, and
judge. A law is not intangible, for its text cannot cover all the possible cases of
actual application, and it can lag behind social evolution: laws are often drawn up
for past events, not for future practice. Laws are necessary for the organisation and
survival of a society, but in-context application of laws is accepted as one of the
guarantees of social stability, for it allows for adaptation and evolution of laws in
real time: this is what we call jurisprudence.
Similarly, one of the guarantees of safety is the in-context application of pro-
cedures. Strict adherence to procedures can engender quite the opposite to what is
intended. It should be noted, however, that the alternative proposedallowance for
controlled initiative in applicationis not without risk (operator error). Although
legal errors (poor application of a law) seem to be socially acceptable, can the same
be said for an error resulting in a nuclear accident?
The answer to this question lies in appraisal of the choices that would induce
the greatest hazards. Are these situations where the procedure must be followed
strictly to the letter (but what do you do if it does not cater for the actual situation?)
or, on the contrary, are they situations where the operator can be given room for
manoeuvre?
What is more, the problem cannot be entirely solved if no answer is given to the
question of responsibility in the event of error. Who is responsible: the operator or
the designer? Is responsibility common/shared or individual?
Finally, real progress will be made when the design of procedures is not just seen
from a technical viewpoint, or just centred on the procedure/operator combination,
but, rather, integrates the conditions required for the application of procedures
(types of skills, type of environment, type of aids required, etc.).
References
Dien, Y., Peresson, H., 1990. Re fexions sur l'utilisation des consignes incidentelles: e tude d'un cas
Chinon B2 (Reections on the Use of Incident Rules: Case Study of Chinon B2). EDF memorandum
HT-54/90-48A, D548 NT 13/90. EDF, Clamart.
Dien, Y., Montmayeul, R., 1992. Contribution of the ergonomic analysis to the improvement of the
design of operating procedures. In: Nuclear Power Plants, Workshop `Work Activity in the Perspective
of Organisation and Design', Paris, France, October 1516 1992 EDF-DER-ESF, Clamart.
Dien, Y., Montmayeul, R., Bozec, J., Lamarre, J.C., 1991. Conception des consignes de conduite de
processus continu pour postes de travail informatise s (Design of rules for conducting continuous pro-
cesses from computerised work places). In: Revue Ge ne rale de l'E

lectricite , No. 5/91, Paris.

Dien, Y., Llory, M., Montmayeul, R., 1992. Operators' knowledge, skill and know how during the use
of emergency procedures: design, training and cultural aspects. In: IEEE 5th Conference on Human
Factors and Nuclear Plants, Monterey, USA, June 711 1992.
Grosdeva, T., Lemaitre, P., Bonneau, A., 1990. L'ope rateur, le simulateur, l'accident (The operator, the
simulator, the accident). In: E

pure No. 26. EDF-DER, Clamart.

Guilmin, J., 1987. Quelques conside rations ge ne rales sur la transposition en images des proce dures
de conduite (Some general considerations for the transposition of operator procedures into pictures).
186 Y. Dien/Safety Science 29 (1998) 179187
In: Montmayeul et al. (Eds.), Contributions to a Guideline for Synthetic Displays Design. Final
PWS5A2 Report. CEA-EDF-FRAMATOME-WEREAS EDF, Chatou.
Kasbi, C., Lewkovitch, A., 1993. E

tude du suivi de consigne: re sultats d'observations sur simulateur et

proposition d'un mode le d'analyse (Study of Rule-Following: Results of Observations on Simulators
and a Proposal for an Analysis Model). EDF-DER memorandum HT-54/93-043A. EDF-DER,
Clamart.
Lind, M., 1979. The use of ow models for design of plant operating procedures. In: IWG/NPPCI Spe-
cialists' Meeting on Procedures and Systems for Assisting an Operator During Normal and Anomalous
Nuclear Power Plant Operation Situations, Garching, Federal Republic of Germany, December 57
1979.
Mosneron-Dupin, F., Papin, B., 1992. Facteurs humains et conduite des centrales nucle aires: voies de
recherches (Human factors and operations in nuclear power stations: research lines). In: Journe es de la
SFEN sur `La recherche de veloppement des centrales a eau sous pression'. Paris, France, December 23
1992.
Rouse, W.B., Kisner, R.A., Frey, P.R., Rouse, S.H., 1984. A Method for Analytical Evaluation of
Computer-Based Decisions Aids. NUREG/CR 3655, NRC, Washington DC.
Woods, D.D., 1988. Coping with complexity: the psychology of human behaviour in complex systems.
In: Goodstein, L.P., Andersen, H.B., Olsen, S.E. (Eds.), Tasks, Errors and Mental Models. Taylor
and Francis, London, pp. 128148.
Y. Dien/Safety Science 29 (1998) 179187 187