A Quantitative Assessment of Organizational Factors
Affecting Safety using a System Dynamics Model
Moosung Jae*
Department of Nuclear Engineering, Hanyang University
Jaekook Yu and Namsung Ahn
Korea Electric Power Research Institute
Abstract
The purpose of this study is to develop a system dynamics model for the assessment of the
organizational and human factors in a nuclear power plant which contribute to nuclear safety. Previous
studies can be classified into two major approaches. One is the engineering approach using tools such as
ergonomics and Probabilistic Safety Assessment (PSA). The other is the socio-psychology approach. Both
have helped to identify organizational and human factors and to present guidelines to lessen human error
in plants. However, since these approaches assume that the factors are independent of one another, they
do not explain the interactions among the factors or variables in Nuclear Power Plants. To overcome these
restrictions, a system dynamics model, which can show cause and effect relationships among factors and
quantify the organizational and human factors, has been developed. By adjusting variables such as the degree
of leadership, the number of employees, and workload in each department, users can simulate various
situations in nuclear power plant organization. Through simulation, users can get insights to improve
safety in plants and to find managerial tools in both organizational and human factors.
Introduction
While managing Nuclear Power Plants (NPP), it is important to supply power with stability and to
continuously keep the highest standards of safety. In order to secure NPP safety, massive investment in
R&D (research and development) and equipment has been made for several decades. However, interest in
management issues has been relatively neglected. Recently, the IAEA and OECD/NEA have stressed
organizational culture and examined organizational factors that may affect NPP safety. It is well
recognized that a considerable number of accidents or incidents in NPPs have been caused by human error. Therefore,
models in which human error is quantified have been developed in order to develop strategies to reduce
human error and to assess the effects of human factors on plant hardware safety.
Despite these endeavors, there are many restrictions to systemically assess NPP safety, especially in
organizational terms. Assessment of safety of NPP hardware is critical. However, considering that NPP
safety can be guaranteed not only by technology and hardware, but also by the people who manage it, we
need to expand our view of safety to include human resources and managerial organization, not only
hardware[1]. The purpose of this study is to develop a system dynamics model to assess NPP safety from
an organizational perspective by modeling general NPP organization including operations, maintenance,
and engineering. The model can give plant managers much insight to develop management strategies to
reduce human error and finally to improve NPP safety. To develop a system dynamics model of general
NPP organization and to find factors or variables which can affect safety, we conducted interviews with
employees and managers and conducted a survey. After understanding the workflow, information path
and function of each department in an NPP, we drew a causal loop and a stock and flow diagram which can
quantify safety along with the typical steps of the system dynamics model.
Previous research related to human and organizational factors in NPPs has been mainly conducted in
two ways[2]. The engineering approach, based on ergonomics and probability, helps to quantify
human and organizational factors and to present a logical process of events or accidents. Since this
approach works at the level of the individual, there are difficulties in understanding relationships
between organizational factors and human ones. For example, this approach cannot adequately explain and
consider how organizational factors such as human resource management policies (pay, job
security and promotion) affect human performance. Especially in the case of the probability method, there
are some criticisms that 1) it is static, 2) it breaks down events into success and failure, and 3) it has an
assumption of independence among the variables.
The other is the socio-psychological approach. It has been mainly practiced by organizational
theorists or psychologists. It has been interested in motivation or the organizational structure's effect on
human or organizational performance. The approach has included both the level of the individual and the
organization. Since a socio-psychological approach usually utilizes an index evaluation method using a
checklist or verifies the significance using statistical methods among selected variables, a socio-
psychological approach also has restrictions such as difficulty in operational definition and the
assumption of independence among items in a checklist survey. The proposed model in this study can
compensate for the restrictions or limitations as stated above. We tried to connect the relationship among
hardware, individuals and the organization. The model can demonstrate how management policies affect
individual performance such as productivity, quality of work, and most importantly NPP safety[3,4].
* To whom correspondence should be addressed. jae@hanyang.ac.kr
Modeling Organizational Factors
Causal Loop Diagram
In order to develop a model, we tried to grasp the structures and functions of plant organization. Most
NPPs are commonly composed of four major departments: operations, maintenance, coordination, and
engineering. The connection and cooperation of each department's functions can make it possible for a
plant to eliminate defects which are directly related to safety. First, interviews, surveys and observations
were conducted in order to select the major factors and to draw an initial causal loop diagram. Figure 1 is a
high-level causal loop diagram of plant safety.
[Figure 1 diagram not reproduced. Legible node labels: Number of potential problems, Available resources, Hardware condition.]
Figure 1. High-Level Causal Loop Diagram
If hardware conditions and the quality of work are high, it may mean that the plant has minimal
problems and keeps a high level of safety. When generation capacity or plant performance is sustained, a
plant can be profitable. Profits are reinvested in hardware such as equipment improvement, procurement
of parts and technical importing. It can then enable a plant to maintain good hardware conditions
<hardware investment loop> as shown in Figure 1. Profits or available resources can also be thought of as
reinvested human resources. Investment in human resources can improve the quality of work by giving
staff chances to get education and training. Although investment in hardware can eliminate defects in old
equipment or parts by replacing them, in the end, it is the individual employee who discovers defects,
identifies them, and repairs them <human investment loop 1,2>. This fact means that human resources at
NPPs are also a key factor in maintaining safety standards. If NPP safety is low, regulatory concerns will
increase. Regulatory concerns help to improve procedures and the quality of operation by
offering information and skills which NPPs do not maintain <normal regulatory action loop>. However,
the more regulatory concerns are produced, the more additional parasite work is needed to satisfy regulatory
requirements. Since regulatory concerns may increase the total workload for staff to deal with, they
can negatively affect the quality of operation. Excessive regulatory concerns may bring about increasing
workload <excessive regulatory action loop>.
The operator's training is an important factor to sustain safety or to improve it. Operators can gain
knowledge through either the inside or outside path. Inside learning is an activity to analyze problems
which happen in the node of <analysis process loop> in Figure 1. The more potential problems there are,
the greater the need for analysis. Analysis demand affects safety in two directions. One is a positive effect
for operators to gain knowledge, and the other is a negative one to increase workload. Workload over
optimum quantity can lower the quality of analysis work, <quality of analysis loop>. Both knowledge and
workload usually affect the quality of workers. While additional knowledge can improve the quality of
operation, an excessive workload can decrease the quality of operation, <adding workload loop>. On the
other hand, outside learning can also help staff accumulate knowledge related to their work. Accumulated
knowledge inside or outside the plant can contribute to improvement of an emergency operation
capability which is the most important factor in emergency cases. Employees seek to discover problems,
analyze them and solve problems with adequate procedures and methods. As employees discover more
problems, there is a greater workload and greater demand for problem solving <problem solving loop &
problem identifying loop>. Finally, the operator's total added workload associated with external
information processing demand, additional parasite work and analysis demand must be reconciled in
limited time. The amount of allocated time for analyzing problems plays a role in determining the quality
of the operator, <analysis process loop>.
Stock and Flow Diagram
After the CLD was developed, a Stock and Flow Diagram (SFD) was added to quantify the model.
That is, the task of each department and the attributes of human and organizational behavior were
quantified in the SFD. Since the tasks of each department are different, tasks are categorized as presented
in <Table 1>. In the model, plant levels are broken into three groups: top managers, middle managers, and
employees. Moreover, as the task of each department is different, it needs to be classified into several
subcategories, presented in the model as a type of subscript variable in Vensim.
Table 1. Types of Task
Level of Hierarchy | Department | Types of Task
Top managers | - | Unexpected work, Planning, Administration, Supervision
Middle managers | Operation | Unexpected work, Planning, Administration, Supervision
Middle managers | Engineering | Unexpected work, Planning, Administration, Supervision
Middle managers | Maintenance | Unexpected work, Planning, Administration, Supervision
Middle managers | Coordination | Unexpected work, Planning, Administration, Supervision
Employees | Operation | Normal operation, Emergency Operation, Procedures improvement, Maintenance test, Preventive maintenance test
Employees | Engineering | Unexpected work, Maintenance Engineering, Regulation engineering, Information process, plant improvement
Employees | Maintenance | Repair Maintenance, Preventive Maintenance, Repair Maintenance Administration, Emergency Maintenance, Preventive Maintenance Administration
Employees | Coordination | Unexpected work, Regulation, Planning, Information
Since human performance results from various attributes that are commonly coupled with each other,
more specific factors were added to the SFD[5-7]. Table 2 lists the factors affecting attributes such
as organizational culture, staff capacity, plant condition, and workload. The Stock and Flow Diagram
(SFD) makes it relatively easier to quantify the relations among attributes or factors than the causal
loop diagram. As seen in Figure 2, attributes of the plant are composed of various factors which can
change the status of other factors. Not only hard data such as the number of staff is reflected in the model,
but also soft data such as the lookup function of stress and performance. While hard data can be gotten
Table 2. List of Factors affecting attributes of each level and department
Level of Hierarchy | Organizational Culture
Top Managers | Attitude, Leadership, Morale
Middle Managers (MM) (Operation, Maintenance, Coordination) | Attitude, Supervision, Time allocation, Number of MM, Education, Etc.
Employees (Operation, Engineering, Maintenance, Coordination) | Attitude, Workload, Supervision, Support from other departments, Number of staff, Education, Etc.
Staff's Capacity: Productivity, Quality of work, Skill level, Spent time to dispose of task, Etc.
Plant Condition: Number of Defects, Defect generation rate, Parts, Etc.
Workload: Spent time to deal with ... task, Maintenance task, Etc.
[Figure 2 diagram not reproduced. External inputs: Management Policy, Regional Environment, National Environment, Regulatory Concerns. Attributes: Organization Culture (Attitude, Morale, Number of Staff), Workload (Operation, Maintenance, Engineering, Coordination), Staff's Capability (Productivity, Quality of Work), Plant Condition (Number of Defects, Outage), Safety.]
Figure 2. Overview of the relationship among attributes
Plant safety is affected by a staff's capability and plant condition. Safety affects organizational culture
which is composed of attitude, morale, and the number of staff. Organizational Culture repeatedly
impacts on staff capability. Besides these attributes, management policy, the regional or national
environment, and the regulatory concerns can affect organizational culture and workload. However, in
this model such attributes are dealt with as external variables. The SFD concerning hardware condition is
shown in Figure 3. Since it is impossible for staff to discover all defects, defects can be classified into 1)
identified defects and 2) unidentified defects. Defect discovery is also made by human activities through
two paths. One is Preventive Maintenance (PM), and the other is unexpected discovery. Whatever the
discovery path is, once defects are identified, maintenance staff tries to repair them with support from
other departments. Since total defects impact on NPP safety, the quick discovery and elimination of
defects is key to ensure safety.
[Figure 3 diagram not reproduced. Stocks: Unidentified Defects, Identified Defects. Flows: Defects Generation, Defects Discovery, Defects Elimination. Inputs: Defects Discovery from PM, Maintenance Task Completion, Initial Unidentified Defects, Initial Identified Defects, Initial MT per Defect Discovery, Initial Total Defects.]
Figure 3. SFD of Defects Sector
Simulation and Results
The CDF (Core Damage Frequency) concept was borrowed from PSA (Probabilistic Safety
Assessment) for a clearer definition of safety. In PSA, paths to core damage are logically modeled with
the event tree method. Using a PSA model, the CDF is calculated. CDF is computed by the MCS
(Minimum Cut Set), which is defined as the set with the highest frequency of the core damage event and
composed of several basic events. The basic events, which may result in core damage, can be broadly
categorized into hardware failures and human errors. Since MCS and basic events contain a massive
amount of data, external functions were developed to run the model more efficiently. External functions
were defined to multiply the frequency of basic events related to human error by the quality of work and
the frequency of basic events related to hardware failure by normalized total defects. The value calculated
by the external function is returned to the system dynamics model. Figure 4 depicts the structure of the
macro model to calculate safety with external functions. In this model, safety is calculated in the form of
a relative fraction of the CDF, which was normalized by the original CDF value. A high
relative fraction of the CDF means that safety is low. The higher the relative fraction of the CDF,
the lower the level of safety.
[Figure 4 diagram not reproduced. Blocks: Interview & Survey, PSA Data, Basic Event / MCS, Minimum Cutset, External Function, Quality of work, Total defects, Plant Data (number of staff etc.), SD Model.]
Figure 4. Structure of the macro model
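The coupling described above, between the defects sector of Figure 3 and the external function that rescales basic events before the CDF is recomputed, can be sketched as follows. This is an added example, not the authors' Vensim model or external function: the basic events, cut sets, rates and the names quality_factor and defect_factor are constructed, the CDF uses the rare-event approximation (sum of cut-set products), and both factors are assumed to be normalized so that 1.0 is normal status and larger values are worse.

```python
from math import prod

# Constructed sample data (not from the paper): baseline value and kind of each
# basic event, and the minimal cut sets (MCS) built from them.
BASIC_EVENTS = {
    "INITIATOR":            (1.0e-1, "hardware"),
    "PUMP_A_FAILS":         (3.0e-3, "hardware"),
    "PUMP_B_FAILS":         (3.0e-3, "hardware"),
    "OPERATOR_NO_RECOVERY": (1.0e-2, "human"),
    "VALVE_MISALIGNED":     (5.0e-3, "human"),
}
MINIMAL_CUT_SETS = [
    ("INITIATOR", "PUMP_A_FAILS", "PUMP_B_FAILS"),
    ("INITIATOR", "PUMP_A_FAILS", "OPERATOR_NO_RECOVERY"),
    ("INITIATOR", "VALVE_MISALIGNED", "OPERATOR_NO_RECOVERY"),
]

def cdf(quality_factor=1.0, defect_factor=1.0):
    """External function: scale basic events, then sum the cut-set products.

    Assumptions: rare-event approximation (CDF = sum over cut sets), and both
    factors are normalized so 1.0 is normal status and >1.0 is worse.
    """
    total = 0.0
    for cut_set in MINIMAL_CUT_SETS:
        scaled = []
        for name in cut_set:
            value, kind = BASIC_EVENTS[name]
            factor = quality_factor if kind == "human" else defect_factor
            scaled.append(min(1.0, value * factor))  # keep values <= 1
        total += prod(scaled)
    return total

def relative_cdf(quality_factor, defect_factor):
    """CDF normalized by the unscaled (original) CDF."""
    return cdf(quality_factor, defect_factor) / cdf()

def total_defects(days=360.0, dt=0.25, generation=0.5, discovery_frac=0.05,
                  repair_frac=0.10, unidentified=10.0, identified=5.0):
    """Euler integration of the two defect stocks; returns total defects per step.

    All rates are constructed; the defaults start the stocks at equilibrium.
    """
    series = []
    for _ in range(int(days / dt)):
        discovered = discovery_frac * unidentified   # Defects Discovery flow
        eliminated = repair_frac * identified        # Defects Elimination flow
        unidentified += dt * (generation - discovered)
        identified += dt * (discovered - eliminated)
        series.append(unidentified + identified)
    return series

def final_relative_cdf(repair_frac, quality_factor):
    """Run the defects sector, normalize, and hand the result to the CDF."""
    baseline = total_defects()[-1]
    degraded = total_defects(repair_frac=repair_frac)[-1]
    return relative_cdf(quality_factor, degraded / baseline)

if __name__ == "__main__":
    print(final_relative_cdf(repair_frac=0.10, quality_factor=1.0))
    print(final_relative_cdf(repair_frac=0.08, quality_factor=1.2))
```

Because a cut set containing two human-error events scales with the square of quality_factor, a modest drop in work quality moves the relative CDF more than the same change applied to a single event.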
Simulation
The following case studies of both 1) education and training effects and 2) hiring and layoff effects were
carried out to comprehend the effects on safety. Before showing simulation results, the simulation
conditions of each case study are described in <Table 3>.
Table 3. Conditions of Case Studies
Case Study | Data set | Description
Case 1: Education effects | Routine | Normal Status
Case 1: Education effects | High Edu | Degree of Edu. & Training: +20% of the normal status
Case 1: Education effects | Low Edu | Degree of Edu. & Training: -20% of the normal status
Case 2: Layoff effects | Routine | Normal Status
Case 2: Layoff effects | Pro 20 | Hiring: +20% of normal status at time 120 day
Case 2: Layoff effects | Layoffs 20 | Layoff: -20% of normal status at time 120 day
Time Unit: 1800 Days (about 5 years)
Time step: 0.25 day
Generally, a site has two plants, so this model also uses a site with two power plants. Since
each plant undergoes preventive maintenance about once per year, a site with two plants is overhauled
twice a year. During the overhaul period the plant is usually shut down to refuel and replace old
equipment. Therefore, workload per staff usually increases during overhaul periods. Because of the two
overhauls, safety levels change periodically. The safety level of the routine dataset showing normal status
without any change of variables is presented in <Figure 5>.
[Plot not reproduced. Vertical axis: Relative Fraction of CDF. Horizontal axis: Time (Day), 0 to 1800. Series: Routine. Annotations: Plant1 Overhaul, Plant2 Overhaul.]
Figure 5. Simulation in Normal Status
First, education and training effects on safety are simulated. Although the degree of education or
training is increased, safety is rarely affected. That is, a high degree of education does not ensure a high
degree of safety (line 2 : High Edu). On the other hand, a low degree of training can decrease safety (line
3: Low Edu). Figure 6 shows that a low degree of education or training may result in low performance
for an overhaul period, while there is little difference between a low degree of education and a higher one
in the normal period. This suggests that managers should not decrease the level of education or training
programs even if these seem to have no significant effect. The effects of hiring and layoffs are also shown
in <Figure 7>. Hiring staff does not necessarily ensure the improvement of safety. Even if plants hire new
employees, they might not have the skills required to operate or maintain a plant. Time is needed for them
to obtain skills. Even if they obtain new skills and accumulate knowledge, the effect on safety is not high
(line 2: pro20). If a plant lays staff off, the impact on safety is gradual. For a period after the laying off of
staff, there is little difference between normal status and layoff status. However, as time goes by, safety
becomes worse. It may not return to normal status. While layoffs have little effect on safety during
normal times, during overhaul time they have a greater effect on safety by reducing staff capabilities such as
productivity and quality of work as a result of the increased workloads.
[Plot not reproduced. Vertical axis: Relative Fraction of CDF. Horizontal axis: Time (Day), 0 to 1800. Series: Routine and two further series whose legend labels are truncated.]
Figure 6. Education and Training Effects on Safety
[Plot not reproduced. Vertical axis: Relative Fraction of CDF. Horizontal axis: Time (Day), 0 to 1800. Series: Routine, pro20, and the layoff data set.]
Figure 7. Hiring and Layoff Effects on Safety
Conclusion
Since this model is a general model of plant organization, if specific plant data is reflected in the
model, it could be utilized as an individual model on the basis of that specific data. The following are
possible areas of the model's application. First, this model can be applied to review NPP safety in terms of
organization. While previous models for assessment are static and only examine the short-term basis, the
system dynamics model is dynamic and can be applied on a long-term basis. When considering situations
where managers are periodically changed, managers can coherently execute their policies using this
model.
Second, this model can make it easy to communicate with employees and managers. While
developing a model, employees may discuss gaps of recognition with each other. It may help employees
correctly recognize the system status and system structure. Third, the model may help managers and
employees correct or expand their understanding of the organizational system in the process of the
analysis of variables. Each individual at the NPP may get not only knowledge of the plant, but also
correct the reference plant during the process of developing the model. A developed model can also be
applied to high-hazard organizations such as the aviation and chemical industries. It can give managers
information about safety through simulation of their management policies. Simulation results give
managers insights to help improve safety and performance, and support to make better decisions concerning
safety.
References
1. PRA Procedures Guide, Final Report, Vol. 1, 2, NUREG/CR-2300, U. S. Nuclear Regulatory
Commission, 1982.
2. J. Holmberg, K. Hukki, L. Norros, U. Pukkinen, and P. Pyy, “An Integrated approach to human
reliability analysis - decision analytic dynamic reliability model,” Reliability Engineering & System Safety,
Volume 65 (3), 239-250, 1999.
3. J. W. Forrester, “Industrial Dynamics,” The MIT Press, Cambridge, MA, 1981.
4. Philadelphia Electric Company, Probabilistic Risk Assessment, Limerick Generating Station, Docket
Nos. 50-352, 50-353, U. S. Nuclear Regulatory Commission, Washington, D. C., 1981.
5. D. P. Wagner, C. L. Cate, and J. B. Fussell, 1981, The Fault Tree as a Tool in a Safety Analysis in
Nuclear Power Plants, INFO-0036, Atomic Energy Control Board, Ottawa.
6. R. B. Worrell and D. W. Stack, 1977, Common-cause Analysis Using SETS, SAND77-1832, Sandia
National Laboratories, Albuquerque, N. M.
7. R. B. Worrell and D. W. Stack, 1980, “A Boolean Approach to Common Cause Analysis,” Proceedings,
Annual Reliability and Maintainability Symposium, San Francisco, CA, pp. 363-366, 1980.