Design for safety: A cognitive engineering approach to the control and management of nuclear power plants

This paper presents an analytical approach to design for safety that is based on 30 years of experience in the field of Human-centered design. This field is often qualified as governing safety–critical systems where risk management is a crucial issue. We need to better understand what the main facets of safety are that should be taken into account during the design and development processes. There are many factors that contribute to design for safety. We propose some of these factors and an articulation of them from requirement gathering and synthesis to formative evaluations to summative evaluations. Among these factors, we analyze complexity, flexibility, stability, redundancy, support, training, experience and testing. However, we cannot design a safe and reliable product in one shot; design is incremental. A product and its various uses become progressively mature. When we deal with new products, issues come from the fact that practice features emerge from the use of the product and are difficult, even impossible, to predict ahead of time. The automation within is an important portion of this maturity, and must be understood well. This is why design for safety is not possible without anticipatory simulations and a period of tests in the real world, such as operational testing in nuclear power plants. In addition, designing for safety is not finished when the product is delivered; experience feedback, or human-in-the-loop simulation (HITLS) is an important part of the overall global design process. The AUTOS pyramid approach can assist in simplifying the understanding, and improving the design of a complex system by describing and relating Artifacts, Users, Tasks, Organizations, and Situations.

► Complexity must be understood and handled well in order to design for safety.
► Complexity can be reduced during design by using the AUTOS pyramid model.
► Procedures are human automation, much as software is machine automation.
► Identifying emergent behaviors reduces procedure accumulation.
► Human-in-the-loop-simulations help to understand emergent behaviors.