Diversity and Importance of Ergonomics - Two Examples
The author acknowledges the assistance of Mr. E. Messer and Prof. W. Laurig for their contribution to the biomechanical and design aspects, and of Prof. H. Stein and Dr. R. Langer for their help with the physiological aspects of the polishing process. The research was supported by a grant from the Committee for Research and Prevention in Occupational Safety and Health, Ministry of Labor and Social Affairs, Israel.
The design of manually operated work benches and working methods in the diamond polishing industry has not changed for hundreds of years. Occupational health studies of diamond polishers have identified high rates of musculoskeletal disorders of the hands and arms, specifically, ulnar neuropathy at the elbow. These are due to the high musculoskeletal demands placed on the upper body in the practice of this manually intensive profession. A study conducted at the Technion Israel Institute of Technology addressed itself to the investigation of the ergonomic aspects and occupational diseases relating to safety issues among craftsmen in the diamond polishing industry. The tasks in this industry, with its high demands for manipulative movements, include movements that require frequent, rapid hand exertions. An epidemiological review conducted during the years 1989-1992 in the Israeli diamond industry has pointed out that the manipulative movements experienced in diamond polishing very often cause serious health problems to the worker in the upper extremities and in the upper and lower back. When such occupational hazards affect workers, they produce a chain reaction that eventually affects the industry’s economy as well.
For thousands of years, diamonds have been objects of fascination, beauty, richness and capital value. Skillful craftsmen and artists have tried, through the ages, to create beauty by enhancing the shape and values of this unique form of hard carbon crystal formation. In contrast to the continuing achievements of artistic creation with the native stone and the emergence of a great international industry, very little has been done to improve some questionable working conditions. A survey of the diamond museums in England, South Africa and Israel allows one to draw the historical conclusion that the traditional polishing workplace has not changed for hundreds of years. The typical diamond polishing tools, working bench and work processes are described by Vleeschdrager (1986), and they have been found to be universally common to all polishing setups.
Ergonomic evaluation performed at diamond manufacturing setups points to a great lack of engineering design of the polishing workstation, which causes back pain and neck and arm stress due to working posture. A micromotion study and biomechanical analysis of motion patterns involved in the diamond polishing profession indicate extremely intense hand and arm movements that involve high acceleration, rapid movement and a great degree of repetitiveness in short-period cycles. A symptom survey of diamond polishers indicated that 45% of the polishers were younger than 40 years of age, and although they represent a young and healthy population, 64% reported pain in the shoulders, 36% pain in the upper arm and 27% pain in the lower arm. The act of polishing is performed under an extensive amount of “hand on tool” pressure which is applied to a vibrating polishing disk.
The first known description of a diamond polishing workstation was given in 1568 by the Italian goldsmith, Benvenuto Cellini, who wrote: “One diamond is rubbed against another until by mutual abrasion both take a form which the skilled polisher wishes to achieve.” Cellini’s description could have been written today: the role of the human operator has not changed over these 400 years. If one examines the working routines, hand tools and the nature of the decisions involved in the process one can see that the user-machine relationship has also hardly changed. This situation is unique among most industries where enormous changes have occurred with the entry of automation, robotics and computer systems; these have completely changed the role of the worker in the world today. Yet the polishing work cycle has been found to be very similar, not only in Europe where the polishing craft started, but in most industries all over the globe, whether in advanced facilities in the United States, Belgium or Israel—which specialize in fancy geometry and higher-value diamond products—or the facilities in India, China and Thailand, which generally produce popular shapes and mid-value products.
The polishing process is based on grinding the fixed rough diamond over diamond dust bonded to the polishing disk’s surface. Owing to its hardness, only grinding by friction against similar carbon material is effective in manipulating the diamond’s shape to its geometric and brilliant finish. The workstation hardware is composed of two basic groups of elements: workstation mechanisms and hand-held tools. The first group includes an electric motor, which rotates a polishing disk on a vertical cylindrical shaft, perhaps by a single direct drive; a solid flat table which surrounds the polishing disk; a bench seat and a source of light. The hand-held operating tools consist of a diamond holder (or tang) which houses the rough stone during all polishing phases and is usually held in the left palm. The work is magnified with a convex lens which is held between the first, second and third fingers of the right hand and viewed with the left eye. This method of operation is imposed by a strict training process which in most cases does not take handedness into account. During work the polisher assumes a reclining posture, pressing the holder to the grinding disk. This posture requires the support of the arms on the working table in order to stabilize the hands. As a result, the ulnar nerve is vulnerable to external lesions due to its anatomical position. Such an injury is common among diamond polishers and has been accepted as an occupational disease since the 1950s. The number of polishers worldwide today is around 450,000, of whom approximately 75% are located in the Far East, primarily India, which has dramatically expanded its diamond industry in the last two decades. The act of polishing is done manually, with each of the diamond facets being produced by polishers who are trained and skilled with respect to a certain part of the stone’s geometry. The polishers are a clear majority of the diamond craft force, composing about 80% of the overall industry’s workforce. 
Therefore, most of the occupational risks of this industry can be addressed through improving the operation of the diamond polishing workstation.
Analysis of the motion patterns involved in polishing shows that the polishing routine consists of two subroutines: a simpler routine called the polish cycle, which represents the basic diamond polishing operation, and a more important one called the facet cycle, which involves a final inspection and a change of the stone’s position in the holder. The overall procedure includes four basic work elements:
Two of the elements—polishing and inspection—are performed in relatively static working postures while so-called “hand to polish” (H to P) and “hand to inspect” (H to I) actions require short and fast movements of the shoulder, elbow and wrist. Most of the actual movements of both hands are performed by flexion and extension of the elbow and pronation and supination of the elbow. Body posture (back and neck) and all other movements except wrist deviation are relatively unchanged during normal work. The stone holder, which is constructed of a square cross-sectional steel rod, is held so that it presses on blood vessels and bone, which can result in a reduction of blood flow to the ring and little fingers. The right hand holds the magnifying glass all during the polishing cycle, exerting isometric pressure on the three first fingers. For most of the time the right and left hands follow parallel movement patterns, while in the “hand to grind” movement the left hand leads and the right hand starts moving after a short delay, and in the “hand to inspect” movement the order is reversed. Right-hand tasks involve either holding the magnifying glass to the inspecting left eye while supporting the left hand (elbow flexion), or by putting pressure on the diamond holder head for better grinding (elbow extension). These fast movements result in rapid accelerations and decelerations that end up in a very precise placing of the stone on the grinding disk, which requires a high level of manual dexterity. It should be noted that it takes long years to become proficient to the point where work movements are almost embedded reflexes executed automatically.
On the face of it, diamond polishing is a simple straightforward task, and in a way it is, but it requires much skill and experience. In contrast to all other industries, where raw and processed material is controlled and manufactured according to exact specifications, the diamond in the rough is not homogeneous and each diamond crystal, large or small, has to be checked, categorized and treated individually. Apart from the needed manual skill, the polisher has to make operational decisions at every polishing phase. As a result of the visual inspection, decisions must be made on such factors as angular spatial correction—a three-dimensional judgment—amount and duration of pressure to be applied, angular positioning of the stone, contact point on the grinding disk, among others. Many points of significance have to be considered, all in the average time of four seconds. It is important to understand this decision-making process when improvements are designed.
Before one can advance to the stage at which motion analysis can be used for setting better ergonomic design and engineering criteria for a polishing workstation, one has to be aware of yet further aspects involved in this unique user-machine system. In this post-automation age, we still find the production part of the successful and expanding diamond industry almost untouched by the enormous technological advances made in the last few decades. While almost all other sectors of industry have undergone continuing technology change that defined not only production methods but the products themselves, the diamond industry has remained virtually static. A plausible reason for this stability may be the fact that neither the product nor the market have changed through the ages. The design and shapes of diamonds have in practice remained almost unchanged. From the business point of view, there was no reason to change the product or the methods. Furthermore, since most of the polishing work is done by subcontracting to individual workers, the industry had no problem in regulating the labour force, adjusting the flow of work and the supply of rough diamonds according to market fluctuations. As long as the production methods do not change, the product will not change either. Once the use of more advanced technology and automation are adopted by the diamond industry, the product will change, with a greater variety of forms available in the market. But a diamond still has a mystic quality that sets it apart from other products, a value that may well decrease when it comes to be regarded as merely another mass-produced item. Recently though, market pressures and the arrival of new production centres, mainly in the Far East, are challenging the old established European centres. These are forcing the industry to examine new methods and production systems and the role of the human operator.
When considering improving the polishing workstation, one must look upon it as part of a user-machine system that is governed by three main factors: the human factor, the technology factor and the business factor. A new design that takes account of ergonomic principles will provide a springboard to a better production cell in the broad sense of the term, meaning comfort over long working hours, a better quality product and higher production rates. Two different design approaches have been considered. One involves a redesign of the existing workstation, with the worker given the same tasks to perform. The second approach is to look at the polishing task in an unbiased manner, aiming at an optimal, total station and task design. A total design should not be based on the present workstation as input but on the future polishing task, generating design solutions that integrate and optimize the needs of the three above-mentioned system factors.
At present, the human operator performs most of the tasks involved in the polishing act. These human-performed tasks rely on “filling” and working experience. This is a complex psychophysiological process, only partially conscious, based on trial and error input which enables an operator to execute complex operations with a good prediction of the outcome. During periodic daily work cycles of thousands of identical movements, “filling” manifests itself in the human-automatic operation of motor memory executed with great precision. For each of these automatic motions, tiny corrections are made in response to feedback received from the human sensors, like the eyes, and the pressure sensors. In any future diamond polishing workstation these tasks will continue to be performed in a different way. As to the material itself, in the diamond industry, by contrast with most other industries, the relative value of the raw material is very high. This fact explains the importance of making maximal use of the rough diamond’s volume (or stone weight) in order to get the largest net stone possible after polishing. This emphasis is paramount throughout all the stages of diamond processing. Productivity and efficiency are not measured by reference to time only, but also by the size and precision achieved.
The four repetitive work elements—“polish”, “hand to inspect”, “inspect” and “hand to polish”—as performed in the polishing act, can be classified under the three main task categories: motor tasks for motion elements, visual tasks as sensing elements, and control and management as decision-content elements. Gilad and Messer (1992) discuss design considerations for an ergonomic workstation. Figure 1 presents an outline of an advanced polishing-cell. Only the general construction is indicated, since the details of such a design are guarded as a professionally restricted “know-how”. The term polishing cell is used since this user-machine system includes a totally different approach to polishing diamonds. In addition to ergonomic improvements, the system consists of mechanical and optoelectronic devices that enable the manufacture of three to five stones at the same time. Parts of visual and control tasks have been transferred to technical operators and management of the production cell is mediated via a display unit which provides momentary information about geometry, weight and optional operation moves in order to support optimal operating acts. Such a design takes the polishing workstation a few steps ahead into modernization, incorporating an expert system and a visual control system to replace the human eye in all routine work. Operators will still be able to intervene at any point, set up data and make human judgements on machine performance. The mechanical manipulator and the expert system will form a closed-loop system capable of performing all polishing tasks. Material handling, quality control and final approval will still reside with the operator. At this stage of an advanced system, it would be appropriate to consider the employment of higher technology such as a laser polisher. At present, lasers are being used extensively to saw and cut diamonds. Using a technologically advanced system will radically change the human task description. 
The need for skilled polishers will diminish until they will deal only with polishing larger, top-valued diamonds, probably with supervision.
Figure 1. Schematic presentation of a polishing-cell
The causes of the 1986 Chernobyl disaster have been variously attributed to the operating personnel, the plant management, the design of the reactor and the lack of adequate safety information in the Soviet nuclear industry. This article considers a number of design faults, operational shortcomings and human errors that combined in the accident. It examines the sequence of events leading up to the accident, design problems in the reactor and cooling rods, and the course of the accident itself. It considers the ergonomics aspects, and expresses the view that the main cause of the accident was inadequate user-machine interaction. Finally, it stresses the continuing inadequacies, and emphasizes that unless the ergonomics lessons are fully learned, a similar disaster could still occur.
The full story of the Chernobyl disaster is yet to be disclosed. To speak candidly, the truth is still veiled by self-serving reticence, half-truths, secrecy and even falsehood. A comprehensive study of the causes of the accident appears to be a very difficult task. The main problem faced by the investigator is the need to reconstruct the accident and the role of the human factors in it on the basis of the tiny bits of information that have been made available for study. The Chernobyl disaster is more than a severe technological accident; some of the reasons for the disaster also lie with the administration and the bureaucracy. However, the chief aim of this article is to consider the design faults, the operational shortcomings and the human errors that combined in the Chernobyl accident.
Who is to blame?
The chief designer for the pressure tube large power boiling water reactors (RBMK) used at the Chernobyl nuclear power plant (NPP), in 1989, presented his view on the causes of the Chernobyl accident. He attributed the disaster to the fact that the personnel failed to observe the correct procedures, or “production discipline”. He pointed out that the lawyers investigating the accident had arrived at the same conclusion. According to his view, “the fault lies with the personnel rather than some design or manufacturing failings.” The research supervisor for the RBMK development supported this view. The possibility of ergonomic inadequacy as a causative factor was not considered.
The operators themselves expressed a different opinion. The shift supervisor of the fourth unit, A.F. Akimov, when dying in a hospital as a result of receiving a dose of radiation of more than 1,500 rads (R) in a short period of time during the accident, kept telling his parents that his actions had been correct and he could not understand what had gone wrong. His persistence reflected absolute trust in a reactor that was supposedly completely safe. Akimov also said that he had nothing to blame his crew for. The operators were sure that their actions were in accord with regulations, and the latter did not mention the eventuality of an explosion at all. (Remarkably, the possibility of the reactor’s becoming dangerous under certain conditions was introduced into the safety regulations only after the Chernobyl accident.) However, in light of design problems revealed subsequently, it is significant that the operators could not understand why inserting rods into the core caused such a terrible explosion instead of instantly stopping the nuclear reaction as designed. In other words, in this case they acted correctly according to the maintenance instructions and to their mental model of the reactor system, but the design of the system failed to correspond to that model.
Six persons, representing only the plant management, were convicted, in view of the human losses, on the grounds of having violated safety regulations for potentially explosive facilities. The chairman presiding over the court said some words to the effect of proceeding with the investigations as regards “those who failed to take measures to improve the plant design”. He also mentioned the responsibility of department officials, local authorities and medical services. But, in fact, it was clear that the case was closed. Nobody else was held responsible for the greatest disaster in the history of nuclear technology.
However, it is necessary to investigate all causative factors that combined in the disaster to learn important lessons for safe future operation of NPPs.
Secrecy: The information monopoly in research and industry
The failure of the user-machine relationship that resulted in “Chernobyl-86” can be attributed in some measure to the policy of secrecy—the enforcement of an information monopoly—that governed technological communication in the Soviet nuclear energy establishment. A small group of scientists and researchers were given an exhaustive right to define the basic principles and procedures in nuclear power, a monopoly reliably protected by the policy of secrecy. As a result, reassurances by Soviet scientists as regards the absolute safety of NPPs remained unchallenged for 35 years, and secrecy veiled the incompetence of the civil nuclear leaders. Incidentally, it became known recently that this secrecy was extended to information relating to the Three Mile Island accident as well; the operating personnel of Soviet NPPs were not fully informed about this accident—only selected items of information, which did not contradict the official view on NPP safety, were made known. A report on the human engineering aspects of the Three Mile Island accident, presented by the author of this paper in 1985, was not distributed to those involved with safety and reliability of NPPs.
No Soviet nuclear accidents were ever made public except for the accidents at the Armenian and Chernobyl (1982) nuclear power plants, which were casually mentioned in the newspaper Pravda. By concealing the true state of affairs (thus failing to make use of lessons based on the accident analyses) the leaders of the nuclear power industry were setting it straight on the path to Chernobyl-86, a path that was further smoothed by the fact that a simplified idea of the operator activities had been implanted and the risk of operating NPPs was underestimated.
As a member of the State Expert Committee on the Consequences of the Chernobyl accident stated in 1990: “To err no more, we have to admit all our errors and analyse them. It is essential to determine which errors were due to our inexperience and which ones were actually a deliberate attempt to hide the truth.”
The Chernobyl Accident of 1986
Faulty planning of the test
On 25 April 1986, the fourth unit of the Chernobyl NPP (Chernobyl 4) was being prepared for routine maintenance. The plan was to shut the unit down and perform an experiment involving inoperative safety systems totally deprived of power from normal sources. This test should have been carried out before the initial Chernobyl 4 startup. However, the State Committee was in such a hurry to start up the unit that they decided to postpone indefinitely some “insignificant” tests. The Acceptance Certificate was signed at the end of 1982. Hence, the deputy chief engineer was acting according to the earlier plan, which presupposed a wholly inactive unit; his planning and timing of the test proceeded according to this implicit assumption. This test was in no way carried out on his own initiative.
The programme of the test was approved by the chief engineer. The power during the test was supposed to be generated from the rundown energy of the turbine rotor (during its inertia-induced rotation). When still rotating, the rotor provides electric power generation which could be used in an emergency. Total loss of power at a nuclear plant causes all mechanisms to stop, including the pumps which provide for the coolant circulation in the core, which in turn results in core meltdown—a grave accident. The above experiment was aimed at testing the possibility of using some other available means—the inertial rotation of the turbine—to produce power. It is not forbidden to perform such tests at operating plants provided that an adequate procedure has been developed and additional safety precautions have been worked out. The programme must ensure that a back-up power supply for the whole test period is provided. In other words, the loss of power is only implied but never actualized. The test may be performed only after the reactor is shut down, that is, when the “scram” button is pushed and the absorbing rods are inserted in the core. Prior to this, the reactor must be in a stable controlled condition with the reactivity margin specified in the operating procedure, with at least 28 to 30 absorbing rods inserted in the core.
The programme approved by the chief engineer of the Chernobyl plant satisfied none of the above requirements. Moreover, it called for the shutting off of the emergency core cooling system (ECCS), thus jeopardizing the safety of the plant for the whole test period (about four hours). When developing the programme, the initiators took into account the possibility of triggering the ECCS, an eventuality which would have prevented them from completing the rundown test. The bleed-off method was not specified in the programme since the turbine no longer needed steam. Clearly, the people involved were completely ignorant of reactor physics. The nuclear power leaders obviously included similarly unqualified people as well, which would account for the fact that when the above programme was submitted for approval to the responsible authorities in January 1986, it was never commented on by them in any way. The dulled feeling of danger also made its contribution. Owing to the policy of secrecy surrounding nuclear technology the opinion had formed that nuclear power plants were safe and reliable, and that their operation was accident-free. Lack of official response to the programme did not, however, alert the director of the Chernobyl plant to the possibility of danger. He decided to proceed with the test using the uncertified programme, even though it was not permitted.
Change in the test programme
While performing the test, the personnel violated the programme itself, thus creating further possibilities for an accident. The Chernobyl personnel committed six gross errors and violations. According to the programme the ECCS was made inoperative, this being one of the gravest and most fatal errors. The feedwater control valves had been cut off and locked beforehand so that it would be impossible even to open them manually. The emergency cooling was deliberately put out of action in order to prevent possible thermal shock resulting from cold water entering the hot core. This decision was based on the firm belief that the reactor would hold out. The “faith” in the reactor was strengthened by the comparatively trouble-free ten years’ operation of the plant. Even a serious warning, the partial core meltdown at the first Chernobyl unit in September 1982, was ignored.
According to the test programme the rotor rundown was to be carried out at a power level of 700 to 1000 MWth (megawatts of thermal power). Such a rundown should have been performed as the reactor was being shut down, but the other, disastrous, way was chosen: to proceed with the test with the reactor still operating. This was done to ensure the “purity” of the experiment.
In certain operating conditions, it becomes necessary to change or turn off a local control for clusters of absorbing rods. When turning off one of these local systems (the means of doing this are specified in the procedure for low-power operation), the senior reactor control engineer was slow to correct the imbalance in the control system. As a result, the power fell below 30 MWth which led to fission-product reactor poisoning (with xenon and iodine). In such an event, it is next to impossible to restore normal conditions without interrupting the test and waiting a day until the poisoning is overcome. The deputy chief engineer for operations did not want to interrupt the test and, by means of shouting at them, forced the control-room operators to begin raising the power level (which had been stabilized at 200 MWth). The reactor poisoning continued, but further power increase was impermissible owing to the small operating reactivity margin of only 30 rods for a large power pressure-tube reactor (RBMK). The reactor became practically uncontrollable and potentially explosive because, in trying to overcome the poisoning, the operators withdrew several rods needed to maintain the reactivity safety margin, thus making the scram system ineffective. Nevertheless, it was decided to proceed with the test. Operator behaviour was evidently motivated mainly by the desire to complete the test as soon as possible.
Problems due to the inadequate design of the reactor and absorbing rods
To give a better understanding of the causes of the accident, it is necessary to point out the major design deficiencies of the absorbing rods of the control and scram system. The core height is 7 m, while the absorbing length of the rods amounts to 5 m with 1 m hollow parts above and below it. The bottom ends of the absorbing rods, which go under the core when fully inserted, are filled with graphite. Given such a design, the control rods enter the core followed by one-metre hollow parts and, finally, come the absorbing parts.
At Chernobyl 4, there were a total of 211 absorbing rods, 205 of which were fully withdrawn. Simultaneous reinsertion of so many rods initially results in reactivity overshoot (a peak in fission activity), since at first the graphite ends and hollow parts enter the core. In a stable controlled reactor such a burst is nothing to worry about, but in the event of a combination of adverse conditions, such an addition may prove fatal since it leads to prompt neutron reactor runaway. The immediate cause of initial reactivity growth was the initiation of water boiling in the core. This initial reactivity growth reflected one particular drawback: a positive steam void coefficient, which resulted from the core design. This design deficiency is one of the faults which caused operator errors.
Grave design faults in the reactor and the absorbing rods actually predetermined the Chernobyl accident. In 1975, after the accident at the Leningrad plant, and later on, specialists warned about the possibility of another accident in view of deficiencies in core design. Six months before the Chernobyl disaster, a safety inspector at the Kursk plant sent a letter to Moscow in which he pointed out to the chief researcher and chief designer certain design inadequacies of the reactor and the control and protection system rods. The State Supervising Committee for Nuclear Power, however, called his argument groundless.
The course of the accident itself
The course of the events was as follows. With the onset of the reactor coolant pump cavitation, which led to reduced flow rate in the core, the coolant boiled in the pressure tubes. Just then, the shift supervisor pushed the button of the scram system. In response, all the control rods (which had been withdrawn) and the scram rods dropped into the core. However, first to enter the core were the graphite and hollow ends of the rods, which cause reactivity growth; and they entered the core just at the beginning of intensive steam generation. The rise of the core temperature also produced the same effect. Thus there were combined three conditions unfavourable for the core. Immediate reactor runaway began. This was due primarily to gross design deficiencies of the RBMK. It should be recalled here that the ECCS had been made inoperative, locked and sealed.
The subsequent events are well known. The reactor was damaged. The major part of the fuel, graphite and other in-core components were blown out. Radiation levels in the vicinity of the damaged unit amounted to 1,000 to 15,000 R/h, although there were some more distant or sheltered areas where radiation levels were considerably lower.
At first the personnel failed to realize what had happened and just kept on saying, “It is impossible! Everything was done properly.”
Ergonomics considerations in connection with the Soviet report on the accident
The report presented by the Soviet delegation at the International Atomic Energy Association (IAEA) meeting in summer 1986 evidently gave truthful information on the Chernobyl explosion, but a doubt keeps on returning as to whether the emphasis was put in the right places and whether the design inadequacies were not treated much too gently. The report stated that the behaviour of the personnel was caused by the desire to complete the test as soon as possible. Judging from the facts that the personnel violated the procedure for preparing and carrying out tests, violated the test programme itself, and were careless when performing the reactor control, it would seem that the operators were not fully aware of the processes taking place in the reactor and had lost all feeling of danger. According to the report:
The reactor designers failed to provide safety systems designed to prevent an accident in the case of deliberate shut-off of the engineered safety means combined with violations of the operating procedures since they regarded such a combination as unlikely. Hence the initial cause of the accident was a very unlikely violation of the operating procedure and conditions by the plant personnel.
It has become known that in the initial text of the report the words “plant personnel” were followed by the phrase “which showed the design faults of the reactor and the control and protection system rods”.
The designers considered the interference of “clever fools” in plant control unlikely, and therefore failed to develop the corresponding engineered safety mechanisms. Given the phrase in the report stating that the designers considered the actual combination of events unlikely, some questions arise: Had the designers considered all possible situations associated with human activity at the plant? If the answer is positive, then how were they taken into account in the plant design? Unfortunately, the answer to the first question is negative, leaving areas of user-machine interaction undetermined. As a result, onsite emergency training and theoretical and practical training were carried out mainly within a primitive control algorithm.
Ergonomics was not used when designing computer-assisted control systems and control rooms for nuclear plants. As a particularly serious example, an essential parameter indicative of the core state, that is, the number of the control and protection system rods in the core, was displayed on the control board of Chernobyl 4 in a manner inappropriate for perception and comprehension. This inadequacy was overcome only by operator experience in interpreting displays.
Project miscalculations and ignoring human factors had created a delayed-action bomb. It should be emphasized that the design fault of the core and the control system served as a fatal basis for further erroneous actions by operators, and thus the main cause of the accident was the inadequate design of user-machine interaction. Investigators of the disaster called for “respect to human engineering and man-machine interaction, it being the lesson Chernobyl taught us.” Unfortunately, it is difficult to abandon old approaches and stereotyped thinking.
As early as 1976, academician P.L. Kapitza seemed to foresee a disaster for reasons that might have been relevant to preventing a Chernobyl, but his concerns were made known only in 1989. In February 1976, US News and World Report, a weekly news magazine, published a report on the fire at the Browns Ferry nuclear facility in California. Kapitza was so concerned about this accident that he mentioned it in his own report, “Global problems and energy”, delivered in Stockholm in May 1976. Kapitza said in particular:
The accident highlighted the inadequacy of the mathematical methods used to calculate the probability of such events, since these methods do not take into account the probability due to human errors. To solve this problem, it is necessary to take measures to prevent any nuclear accident from taking on a disastrous course.
Kapitza tried to publish his paper in the magazine Nauka i Zhizn (Science and Life), but the paper was rejected on the grounds that it was not advisable “to frighten the public”. The Swedish magazine Ambio had asked Kapitza for his paper but in the long run did not publish it either.
The Academy of Sciences assured Kapitza that there could be no such accidents in the USSR and as an ultimate “proof” gave him the just published Safety Rules for NPPs. These rules contained, for example, such items as “8.1. The actions of the personnel in case of a nuclear accident are determined by the procedure for dealing with the consequences of the accident”!
As a direct or indirect consequence of the Chernobyl accident, measures are being developed and put into effect to ensure safe operation of current NPPs and to improve the design and construction of future ones. In particular, measures have been taken to make the scram system operate faster and to exclude any possibility of its being deliberately shut off by the personnel. The design of the absorbing rods has been modified and they have been made more numerous.
Furthermore, the pre-Chernobyl procedure for abnormal conditions instructed operators to keep the reactor operating, while according to the current one the reactor must be shut down. New reactors that, basically speaking, are in fact inherently safe are being developed. There have appeared new areas of research which were either ignored or non-existent before Chernobyl, including probabilistic safety analysis and experimental safety bench tests.
However, according to the former USSR Minister of Nuclear Power and Industry, V. Konovalov, the number of failures, shutdowns and incidents at nuclear power plants is still high. Studies show that this is due mainly to the poor quality of the delivered components, to human error and to inadequate solutions by design and engineering bodies. The quality of construction and installation work leaves much to be desired as well.
Various modifications and design changes have become common practice. As a result, and in combination with inadequate training, qualifications of the operating personnel are low. The personnel have to improve their knowledge and skills in the course of their work, based on their experience in plant operation.
Ergonomics lessons are still to be learned
Even the most effective, sophisticated safety control system will fail to provide for plant reliability if human factors are not taken into account. Work is being prepared for the vocational training of personnel in the All-Union Scientific and Research Institute of NPPs, and there are plans to considerably enlarge this effort. It should be admitted, however, that human engineering still is not an integral part of plant design, construction, testing and operation.
The former USSR Ministry of Nuclear Power replied in 1988 to an official inquiry that in the period 1990-2000 there was no need for specialists in human engineering with secondary and higher education as there were no corresponding requests for such personnel from nuclear plants and enterprises.
To solve many of the problems mentioned in this article it is necessary to carry out combined research and development involving physicists, designers, industrial engineers, operating personnel, specialists in human engineering, psychology and other fields. Organizing such joint work entails great difficulties, one particular difficulty being the remaining monopoly of some scientists and groups of scientists on “truth” in the field of nuclear energy and the monopoly of the operating personnel on the information concerning NPP operation. Without available comprehensive information, it is impossible to give a human engineering diagnosis of an NPP and, if necessary, propose ways to eliminate its shortcomings as well as to develop a system of measures to prevent accidents.
In the NPPs of the former Soviet Union the current means for diagnosis, control and computerization are far from accepted international standards; plant control methods are needlessly complicated and confusing; there are no advanced programmes of personnel training; there is poor support of plant operation by designers and highly outdated formats for operating manuals.
In September 1990, after further investigations, two former Chernobyl employees were freed from prison before the end of their terms. Some time later all the imprisoned operating personnel were freed before the appointed time. Many people involved with the reliability and safety of NPPs now believe that the personnel had acted correctly, even though these correct actions resulted in the explosion. The Chernobyl personnel cannot be held responsible for the unexpected magnitude of the accident.
In an attempt to identify those who were responsible for the disaster, the court mainly relied on the opinion of technical specialists who, in this case, were the designers of the Chernobyl nuclear power plant. As a result, one more important Chernobyl lesson is learned: as long as the main legal document that is used to identify responsibility for disasters at such complicated establishments as NPPs is something like maintenance instructions produced and changed exclusively by designers of these establishments, it is too technically difficult to find the real reasons for disasters, as well as to take all the necessary precautions to avoid them.
Further, a question still remains as to whether operating personnel should strictly follow the maintenance instructions in the case of disaster or whether they should act according to their knowledge, experience or intuition, which may even contradict the instructions or be unconsciously associated with the threat of severe punishment.
We must state, regrettably, that the question “Who is guilty of the Chernobyl accident?” has not been cleared up. Those responsible should be sought among politicians, physicists, administrators and operators, as well as among development engineers. Convicting mere “switchmen” as in the Chernobyl case, or having clergymen sanctify NPPs with holy water, such as was done with the incident-plagued unit in Smolensk in 1991, cannot be the correct measures to ensure safe and reliable operation of NPPs.
Those who consider the Chernobyl disaster merely an unfortunate nuisance of a sort which will never happen again have to realize that one basic human characteristic is that people do make mistakes—not only operating personnel but also scientists and engineers. Ignoring ergonomic principles about user-machine interactions in any technical or industrial field will result in more frequent and more severe errors.
It is therefore necessary to design technical facilities such as NPPs in such a way that possible errors are discovered before a severe accident can happen. Many ergonomic principles have been derived in an attempt to prevent errors in the first place, for instance in the design of indicators and controls. Even today, however, these principles are violated in many technical facilities all over the world.
The operating personnel of complex facilities need to be highly qualified, not only for the routine operations but also in the procedures necessary in the case of a deviation from normal status. A sound understanding of the physics and the technologies involved will help the personnel to react better under critical conditions. Such qualifications can only be attained through intensive training.
The constant improvements of user-machine interfaces in all kinds of technical applications, often as a result of minor or major accidents, show that the problem of human errors and thus of user-machine interaction is far from being solved. Continuous ergonomic research and the consequent application of the obtained results aimed at making user-machine interaction more reliable is necessary, especially with technologies that bear a highly destructive power, such as nuclear power. Chernobyl is a severe warning of what can happen if people—scientists and engineers, as well as administrators and politicians—disregard the necessity of including ergonomics in the process of designing and operating complex technical facilities.
Hans Blix, Director General of the IAEA, has stressed this problem with an important comparison. It has been said that the problem of war is much too serious to be left solely to generals. Blix added “that the problems of nuclear power are much too serious to leave them solely to nuclear experts”.