The area included in 2005 three research projects: Interaction approach to development of control rooms (IDEC), Software qualification – error types and error management in software life-cycle (QETES) and Influence of Whiskers to Reliability of Electronics, Prestudy (WHISKE). This area has a close connection to the ASDES project and one subproject of the PPRISMA in the area of Risk-informed safety management. Additionally, the work done beyond SAFIR in Finland in the projects related to the renewal of existing control rooms and in connection of the new unit as well as work in some international projects has been discussed and reported in the reference group.
2.4.1 Interaction approach to development of control rooms (IDEC)
The project aims at formulating a scientifically founded method for the evaluation of human-system interfaces of complex industrial systems. In the project a method and a set of indicators and evaluation criteria will be created. Both the resulting human-system interface and the design process are tackled. In IDEC project the evaluation method, indicators and criteria will be developed in connection with NPP control room design cases in control room modernisation situations. The method is also tested in design studies and experiments that consider new interface design approaches.
56
So far in the project, an evaluation framework and the indicators and criteria have been created. The method has been labelled the Contextual Assessment of Systems Usability (CASU, Figure 2.25). The basis of the method lies in the existing standards and literature about the evaluation and design of user interfaces of complex systems. It is completed by own innovations that aim at improving the generalisability of the validation results, and creating a comprehensive activity-oriented evaluation approach that we call systems usability. The systems usability approach improves the usability concept both by providing methods to concretise the established generic usability objectives, by deepening the usability concept itself, and by demonstrating that achieving high usability involves prolonged collaboration among designers and users and co-evolution of tools and usage practices. Hence, in connection to defining the criteria for a good control room interface we also must consider the criteria for good practices of process control. An appropriate interface should impose good practices and their development on the users.
IDEC project cooperates with and is partly funded by Halden Reactor project. It also collaborates with University of Toronto and Electricité de France. IDEC work is reported and commented in COST-294 action "Maturation of usability". IDEC also interacts with the Finnish TEKES project "Ecology of intelligent environments".
Specific Goals in 2005
1. Development of the method
In this task the indicator theory has been strengthened. Theoretical justification for the proposed structure, indicators and criteria of the method were developed and compared with corresponding methods. Literature was used and own empirical results reflected.
The appropriateness of the CASU version 1 was tested in a benchmark design in which two different design concepts, the Ecological Interface Design (University of Toronto) and functional design (EdF) are tested in HRP HAMLAB. The IDEC analysis tool kit and indicators were used in the tests parallel to Halden methods. The task continues in 2006.
2. Testing of CASU-indicators in design cases
A study on the operational significance of changing from analog to digital automation and control room technology was accomplished. It consisted of a literature study and a small scale interview study among conventional power plant operators. A first manuscript of a scientific paper was prepared.
The CASU-method was also used in design cases. This task focused on the Loviisa control room modernisation. We accomplished interviews with designers to define and evaluate the design rationale of the control room modernisation. A report was written on first results. The data was planned to be completed with future interview and document data to allow also comparison between design cases.
CASU-method was tested in the analysis of simulator runs of disturbance situations. Full control room crews participated. A comprehensive data collection took place and detailed analysis were carried out on the usage of process information in different control tasks, on interface features and the nature of secondary tasks, on communication and collaboration within the crew. The analyses and results demonstrated the use of CASU in an integrated validation task. The achieved results may also be utilised as reference against which the
57
human-system interaction in the forthcoming modernised control room can be compared.
A comprehensive research report was prepared.
3. Design workshop
This task facilitates the aim of relating the CASU evaluation tool to the needs of the design process. Designers and users of both plants and power companies, and representatives of the regulator, participated.
4. OECD/NEA SEGHOF participation
The Finnish delegate participated in one WG-meeting and acts in a new task on future control stations and operator practices. A workshop on CR design is been prepared.
Deliverables in 2005
• 1 scientific paper in an international journal was published.
• A paper presented at the next Enlarged Halden Project Meeting in September 2005.
• Several conference papers on systems usability and its background theory were given.
• Several working papers prepared to be developed into scientific papers.
• A comprehensive research report on simulator with CASU was prepared.
• Active Participation at OECD/NEA Special Expert Group in Human and Organisat- ional Factors.
• Deepening collaboration with OECD HRP Hamlab
58
General Work Domain Modelling
Core-Task Modelling
Scenario Modelling
Scenario Select ion
D efinition and selection of measures and criteria
Orientat ion interview
Observation of actions, simulator/normal
Task load/
complexity rating
Stimulated process tracing interview
(Chronological) Analysis of
actions
Analysis of process performance: logs,
trends
Analysis of practices,
based on reasoning Analysis of human- system interactions
Process results compared to expert judgement success
criteria
Practice profiles compared to baseline
practice profiles
Number, type and severity of interface problems Functional
breakdown
Core-Task demands
Audio interview
data
Audiovisual data
Filled in questionnaires
Audiovisual data, notes
Course of action description
Process performance
results
Practice Profiles
Interaction breakdowns
Acceptance based on process
measures
Acceptance based on interface quality Modelling Data Collection Data analysis
Assessment of System Usability Identification of sufficient
support for good practice
Acceptance based on ability to promote appropriate practice
Measures and criteria to be applied in the test Functional situation models
for test scenarios, complexity
Process recording
Logs, trends, user inputs
Analysis of experienced appropriateness of
the system
Trust, U tilisation of
functionality UI interview
Audio interview
data General Work
Domain Modelling
Core-Task Modelling
Scenario Modelling
Scenario Select ion
D efinition and selection of measures and criteria
Orientat ion interview
Observation of actions, simulator/normal
Task load/
complexity rating
Stimulated process tracing interview
(Chronological) Analysis of
actions
Analysis of process performance: logs,
trends
Analysis of practices,
based on reasoning Analysis of human- system interactions
Process results compared to expert judgement success
criteria
Practice profiles compared to baseline
practice profiles
Number, type and severity of interface problems Functional
breakdown
Core-Task demands
Audio interview
data
Audiovisual data
Filled in questionnaires
Audiovisual data, notes
Course of action description
Process performance
results
Practice Profiles
Interaction breakdowns
Acceptance based on process
measures
Acceptance based on interface quality Modelling Data Collection Data analysis
Assessment of System Usability Identification of sufficient
support for good practice
Acceptance based on ability to promote appropriate practice
Measures and criteria to be applied in the test Functional situation models
for test scenarios, complexity
Process recording
Logs, trends, user inputs
Analysis of experienced appropriateness of
the system
Trust, U tilisation of
functionality UI interview
Audio interview
data
Figure 2.25. The Contextual Assessment of Systems Usability evaluation process.
2.4.2 Software qualification – error types and error management in software life-cycle (QETES)
The main objective of the research is to create recommendations for inspections of documents and other application artefacts of the software intensive I&C systems. The recommendations is in order to base on the following two means of evaluation under regulators and standards instructions: 1) to determine faults types of application software documents, 2) to clarify effectiveness of error management methods for determined error types. Software faults are divided according to linguistic concepts to syntactic, semantic and pragmatic errors. This classification will lead the way to a new possibility to assess qualification material, that is, designs, tests, analyses, and operating experiences (YVL 5.5).
Main goals for 2005
The main goals for 2005 contained the following items: preliminary classification of fault types of application artifacts and other artefacts of software life-cycle phases into syntactic, semantic and pragmatic faults, and determination of error management methods for avoiding the new fault types occurring or propagating to system level failures.
The software documents that users receive from suppliers of the I&C systems are usually textual documents and semi-formal graphs, for instance, requirements specifications are function diagrams, and design documents are logical diagrams. The error types of typical
59
application software documents were determined in order to systematise qualification of the software of I&C systems.
Deliverables
• The scope of the classification of new fault types are as determined in the project plan in user’s perspective to find out how prone the artifacts are to errors.
• Initial hyphoteses were established for the new software fault types, that is, syntactic, semantic, and pragmatic faults (SSP-faults) in order to make comparisons with aschieved results at the end of the project.
• Definition of new software fault types was made in respect of language, domain, models, and interpreters.
• The most important software factors quality in development phases were determined and realted to the SSP-faults.
• Software SSP quality was determined and reflected to error management methods.
• Analysis of accidents caused by software faults were performed, and the results of analysis were compared with SSP-faults.
• An important case for analysing CCF due to software faults defined in new way were made.
• Views, viewpoints and perspective reading were introduced in order to support critical reviews and other manual inspections of SSP-faults and their consequenses.
• Verification and validation methods were considered in order to more exactly determining error management methods for avoiding, detecting and tolerating SSP- faults. Suppliers and manufactures have automatic checking tools, review processes for especially critical reviews, and testing techniques with large bases of checklists for analysing quality factors and errors. These methods and techniques usually are of a different degree specified for supplier’s environment. For example, different error management methods are used in different phases of software development life-cycle:
software verification (reviews and inspections, automatic checks, testing), diversity, self-diagnostic.
• Two Working Reports were written: Software qualification, New fault types in software life-cycle, Part 1, and Software qualification, Error management methods for new fault types, Part 2.
2.4.3 Influence of Whiskers to Reliability of Electronics, Prestudy (WHISKE)
The target of this prestudy was to study the reasons of the whisker growth in metals like tin (Sn) and zinc (Zn), the influences of the manufacturing process and environment during operation to this growth and the impact of whiskers on the reliability of electronics.
60
Whiskers are electrically conductive, crystalline structures of one metal that sometimes grow from surfaces where this metal is used as a final finish. Whiskers have been observed to grow to lengths of several millimeters (mm) and in rare instances to lengths up to 10 mm. Whiskers are not a new phenomenon. Indeed, the first reports of zinc, cadmium and tin whiskers date back to the 1940s.
A single accepted explanation of the whisker growth mechanisms has not been established.
But according to the literature and many recent observations, whisker growth might be driven by two key factors: Formation of intermetallic compounds, which is accompanied by a build-up of bi-axial microstress in the metal layer, and the ability of such metal layers to release this stress by pathways different from whisker growth. The amount of intermetallics is mainly a property of the substrate. It will therefore be determined how much intermetallic is formed depending on time, temperature, and substrate.
With the introduction of legislation, the RoHS-directive (Directive on the restriction of the use of certain hazardous substances in electrical and electronic equipment, 2002/95/EU), the date of lead-free electronics is now fixed as 1 July 2006. The change from tin/lead compounds to lead-free ones creates a potential reliability risk at electronics.
Specific Goals in 2005
1. The influence of whiskers on the reliability of electronics
The influence of whiskers on the reliability of electronics has studied by collecting information from Finnish and international research projects. At the same time the changes of materials in electronics due to the RoHS-directive has studied. This has partly done with participation in international conferences.
2. Participation in IEC TC45 standardisation work
The development of the new IEC-standard, IEC 62342: Nuclear power plants – Management of aging of nuclear power plant instrumentation and control and associated equipment (45A/441/NP), has continued.
Deliverables
Palmén, H., Turtola, A., Hossi, H. Influence of Whiskers to Reliability of Electronics (in Finnish), VTT research report, NRO VTT-R-00856-06, Espoo, 31.1.2006, 15 p.
IEC 62342 Ed. 1.0 B CCDV Nuclear power plants – Instrumentation and control important to safety – Management of aging.
PNW 45A-597 Ed. 1.0 E PNW Methods for nuclear power plants – I&C systems important to safety – Management of aging of electrical cable systems.