Joint 8th IEEE HFPP / 13th HPRCT
MERMOS : an extended second generation HRA
method
Patrick Meyer , Pierre Le Bot , Helene Pesme
Industrial Risk Management Department, EDF R&D, Clamart, France
patrick-c.meyer@edf.fr, pierre.le-bot@edf.fr, helene.pesme@edf.fr,
Abstract— MERMOS is the reference method used by Electricite
de France (EDF) for Human Reliability Assessment (HRA), to
assess the emergency operation of nuclear reactors during
incidents and accidents for Probabilistic Safety Assessments
(PSA). When type N4 reactors were designed, the previous
method used for Human Reliability Evaluation (based on the
THERP methodology and on data-gathering using a simulator,
known as FH6) required development, as it proved largely
unworkable for managing incidents and accidents using
computerized procedures. Designing MERMOS has been an
opportunity to redefine the concepts used in assessing human
reliability. EDF is currently extending MERMOS to use for
assessing behaviour before an accident and during a fire, as well
as for the assesment of Human Factors missions planned as part
of the Level 2 Probabilistic Safety Evaluations (that take into
account the release of effluent once the core begins to melt down).
The objective is to standardize the methods used and to make best
use of the MERMOS method, by adapting it to meet the
engineering constraints associated with the analyses for Human
Reliability Evaluation. This paper presents the initial defined
stages of the methodology, and the principles on which this section
of the work is based.
I. INTRODUCTION
In addition to deterministic safety studies made to justify the
design and operation dimensioning choices of its nuclear power
plants, Electricité de France (EDF) is developing its own PSA
(probabilistic safety assessment) for each type of unit and its
own PHRA methods (Probabilistic Human Reliability
Assessment). The first method of human failure evaluation,
developed by EDF and named “ FH6”, was based on the
THERP method (Technique for Human Error Rate Prediction)
and data collected on its own simulators.
A level 1 PSA (used for estimate the frequency of the core
meltdown) dedicated to the French unit type named N4, has led
EDF to create a new second-generation method called
“MERMOS”, assessment Method for the Performance of Safety
Operation (Méthode d'Evaluation et de Réalisation des Missions
Opérateurs pour la Sûreté) [1]. Developing this method allowed
new concepts to be defined for modelling the reliability or
performance of operating teams in a nuclear unit during an
accident. The method initially developed for N4 unit type has
been extended to be applied at all French nuclear unit types. In
this way, MERMOS has become the reference HRA method
used by EDF for assessing operator tasks in accidental
situations.
1-4244-0306-5/07/$20.00 ©2007 IEEE. 276
Today, because of the use of PSA and the need to assess new
risks, EDF will continue developing HRA methods. So as to
take advantage of the concepts put in place for the MERMOS
method, and the advantages it provides for modelling
applications, and in order to standardise as far as possible the
HRA methods used in particular contexts and studies, the
process for developing methodologies has consisted in
extending, or where necessary adapting, the MERMOS
reference method in order to meet the new modelling
requirements and possible engineering constraints related to
implementation of HRA studies. In this document, we will first
present a brief summary of the concepts and stages of
implementation of the MERMOS method, and then describe
their use and past or future developments in relation to new risk
assessments that require an evaluation of human performance.
These new fields also include Probabilistic Event Analysis, fire
risk modelling, evaluation of human actions related to Level 2
PSA (assessment of the frequency of discharge of radioactive
effluent following the core meltdown) or related to the
maintenance or operation of the plant in normal conditions.
II. THE MERMOS METHOD: SUMMARY OF FAILURE
CONCEPTS AND MODELLING PROCESS
MERMOS, Assessment Method for the Performance of
Safety Operation ("Méthode d'Evaluation de la Réalisation des
Missions Opérateurs pour la Sûreté "), developed for the HRA
in the post-accidental phase, offers a qualitative and
quantitative framework for the analysis of failures of Human
Factor missions (HF missions) modelled in the PSA. It is based
on concepts and tools available to HRA analysts which help
them to understand and describe emergency operations and
analyse the mechanisms that lead to mission failures.
A. Concepts applied
1) Subject of study and assessment reference
In a PSA for each initiating event (equivalent to an incidental
or accidental situation), a functional analysis is used to
determine the tasks to be carried out in order to bring the reactor
back into safe conditions or to prevent any further deterioration
of the situation. Some of these – called Human Factor (HF)
missions – correspond to safety-critical actions carried out in
the control room. The aim of the MERMOS method is to model
and assess failures of these missions, which are assigned not to
one operator, but to an operating system that includes the
 Joint 8th IEEE HFPP / 13th HPRCT
control room team, the procedures they can apply, and the man elements in the situation, just like any other: human errors are
machine interface. MERMOS considers that the performance of not alone responsible for a mission failure.
HF mission is the responsability of a system we call Because they are defined at system level and are extremely
“ emergency operations system ” (EOS). It is therefore intended contextual, CICAS do not need to be represented explicitely in
first of all to assess the performance of the operating system in the mind of the crew’s members. Examples of CICAs are given
comparison with a reference that defines the required functional in Pesme's paper[4].
and safety objectives. Consequently, MERMOS defines
operating system failure, toward the system safety requirement, 4) Failure modelling
and not (as was the case with certain first-generation methods) The task for MERMOS is to:
as a departure from procedure. In particular, this makes it - identify the configurations and orientations (CICA) which, in
possible (whatever the accidental situation under consideration) a particular situation, can cause the system to fail to carry out
to assess system performance relative to the desired safety an HF task,
optimum. - assess their probability of occurrence.
2) Breakdown of failure management into sub-functions To do this, MERMOS analyses the properties of system
To meet the objective, which is to carry out the HF missions, components, and the interactions between these components
the operating system must be able to: and their environment that could cause CICAs to appear, and
- detect whether the situation requires human intervention, does this by identifying “situation features”. It is the
- determine the level of urgency relative to the overall situation interrelations between these elements that provide an
and for current actions, understanding of the internal logic that guides the system and
- select the appropriate response, make it possible to identify the orientations and configurations
- define an action plan and carry it out. that are not suitable for the particular situation in which the
These requirements can be described for three main functions system finds itself. The situation is described by “structural”
applied in carrying out the missions. These are: Action - features (inherent in the design of the plant, the related
Diagnosis - Strategy (referred to as the SAD [2] model for procedures etc.), and “contextual” features, which can vary
accident management): from one situation to another and from one mission to another.
- “Action” is the function that changes an installation from one The HRA analyst applying the MERMOS method has to give
status to another, qualitative and quantitative descriptions of the failure in the
- “Diagnosis” is the function that examines the status of the form of failure scenarios [5] (“little stories”) (see Figure 1).
installation and the situation in general, using the data and
previous knowledge available for the system,
- “Strategy” is the function that selects the target status to be
achieved and the appropriate set of actions in order to obtain it.
To make it easier to describe the HF mission failure, the
required emergency operation is therefore detailed for each
function, and the failure of the EOS related to each one, for
various failure modes.
3) Failure in an emergency operation system that is acting
consistently
The theoretical failure model is the result of retrospective
analyses of real accidents [3], which have led us to consider
that, when managing incidental situations, the actual
functioning of the system might be described as a series of
configurations and orientations in response to the situation to be
managed, and which the EOS adopts and maintains for a certain
period of time. This form of operation is also consistent, and is
in line with the inherent logic of the EOS.
The systemic CICA concept (Configurations Importantes de
la Conduite Accidentelle: important configurations of
emergency operations) has been introduced in order to describe
these configurations and orientations, and is used to define the
type of system operation adopted for a given time in response to
incident or accidental situations. MERMOS is thus based on the
principle that the failure of the EOS occurs when the system
maintains configurations and orientations too long, and these
prevent it from deploying the response required by the situation
and from using the multiple redundancies provided. This
approach does not exclude human errors, but considers these as

277
 Joint 8th IEEE HFPP / 13th HPRCT
The qualitative analysis process combines a “top down”
Scenario (deductive) approach, from the required functions (strategy,
action, diagnostics) to failures that can lead to failure of the HF
Requirement Give priority to completion of feed and bleed mission, and a “bottom-up” (inductive) approach from the data
Mission Implementation of Feed an Bleed in available to the analyst concerning emergency operations, to
under 50 minutes. failure scenarios of the HF missions.
The deductive approach:
SAD function Strategy ⊗ starts from the input HF mission,
Failure mode Incorrect strategy ⊗ identifies the corresponding requirement,
⊗ adapts this requirement according to the three SAD
Scenario The system, hoping to recover the AFW, at functions,
times delayed the transition to open feed ⊗ systematically takes into account the failure
for too long. modes for each of these functions,
Non-satisfaction mode Priority to restarting the AFW ⊗ identifies which requirement is not
Probability of non reconfiguration met in each of these modes.

PROBABILITIES The inductive approach:

OF CICAS
∅ starts from existing data (observations on simulator, expert
1. CICAS judgements, etc.),
∅ identifies the characteristics of the situation (structural
1. Suspension of the transition to and contextual) that lead to CICAs,
Feed and Bleed as the AFW ∅ project or build failure scenarios where CICAs are
appears recoverable implemented and remain in place, leading to emergency
2. Focus on AFW restoration operation other than the one required.
The two approaches are complementary, and are used to
PROBABILITIES guide and ‘automate’ the search for failure scenarios, CICAs,
OF PROPERTIES and the associated situation features.
2. Situation features For the purposes of application, the qualitative analysis is
assisted by a data base containing the results of analyses already
1. The information originating locally, or completed. This data base allows the analyst to apply the
the team troubleshooting, instil a belief “delta” approach between the particular mission to be studied
that the AFW might be recovered soon and the mission analyses present in the data base.
2) Quantification principles
2. The shift supervisor is assumed from
Quantification takes account of all elements identified by the
the organizational point of view to
qualitative analysis. The total probability of failure of the HF
monitor restoration actions closely
mission is defined as the sum of all probabilities of
3. The shift supervisor is involved occurrence of all failure scenarios identified, plus the residual
heavily in restoration actions probability Pr , representing possible unforeseen scenarios:
Total failure probability of an HF mission:
4. The Safety engineer arriving late does
P(HF mission failure) =
not prejudice the team strategy and
neither does it accelerate ∑ scenarios identified
P(scenario i) + Pr
Figure 1 : Qualitative example of a failure scenario for the feed and bleed
mission after the lost of the Auxiliary Feed Water system The full detailed quantification proceeds, failure scenario by
B. Process for modelling and assessment of EOS failure failure scenario, for each of the failure modes of each of the
SAD functions. The probability of a failure scenario is the
1) Qualitative approach product of:
MERMOS qualitative analysis is systematic and structured: It - probability of simultaneous occurrence of the situation
is largely supported by the SAD model, and the CICA and features associated with the scenario,
situation concepts already described. It is intended to: - probability of occurrence of the CICA(s) identified, when it
- explain the possible reason for failure of the HF mission, is known that the situation features are present,
- search the possible failure scenarios (a scenario consists of - probability of non-reconfiguration of the emergency
the path that could lead to mission failure), operation system, when it is known that the CICAs are present
- take account of all scenarios that may lead to failure of the (i.e. probability that CICAs will be maintained too long).
mission, Each probability is justified, and the data used[3] for
- track all the above elements. quantifying the elements (situation features, CICAs, and

278
 Joint 8th IEEE HFPP / 13th HPRCT
scenarios) can be taken from observations on the simulator,
objective data on the equipment, expert evaluations, sites... The
method guides the analyst in searching and processing the data,
and suggests a process for quantification by expert judgements
[7].
III. APPLICATION OF THE MERMOS METHOD TO PARTICULAR
SITUATIONS OR STUDIES
A. Probabilistic event analysis
1) Objectives
This type of analysis is based on the use of PSA to identify
scenarios that might lead to unacceptable consequences starting
from real events:
- how could the event have degenerated into an
accident with much more serious consequences?
- is it possible to create a measurement of the gap
between the end of the incident and a potential accident with
unacceptable consequences?
One of the particular objectives of the process is to obtain an
assessment of the seriousness of an event starting from an
evaluation of the potential consequences given in PSA, and thus
arrange events in a hierarchy. This type of analysis also allows
the various lines of defence to be examined in the light of the
event, as well as providing an assisted decision-making tool for
processing experience feedback.
2) Probabilistic Event Analysis and PHRA
For these studies the purpose of the probabilistic event
analysis is to provide, in relation to the PHRA, tools and
methods that can be used to refine existing HRA analyses and
so produce a more accurately related context based on an event
taken from experience feedback (REX). For example, an
evaluation of the potential impact of an event on the risk of core
meltdown could, for HRA purposes, consist in assessing the
impact of the latent unavailability of a technical system that
would be necessary in order to mitigate an accident, in HF
missions, or the potential impact of an initiating event (if the
causes are known) on accident mitigation.
3) Inputs from the MERMOS method to the Probabilistic
Event Analysis
By providing a qualitative description of the failure, and in
particular by modelling the accident context in which it is
liable to occur, MERMOS makes it easy to compare a
particular context and assess its potential impact on the
performance of the EOS. This can be done using the delta
approach described previously. Starting from an existing HRA
analysis, which is often based on a general context, the analyst
can take into account a more accurate context and then refine
or modify the existing analysis.
For example, if the mission consists in starting up a system
from the control room, and if one wishes to take account of the
fact that the operating system has to perform local recovery of
a latent alignment error before starting up, the delta approach
through the MERMOS method can be used to model this
situation precisely and explicitly, in order to assess its impact
on failure of the mission.
279
In general, after taking account of a different accident context,
the analyst may decide to:
θ modify (or adapt) the requirement for the HF mission
This stage in the process of taking account of the context of
an event can be attached to the “deductive” approach described
previously. Starting from the event, this involves:
• determining the way in which the event affects
adaptation of the requirement selected for the reference
mission (in the case of an alignment error, this would
involve local recovery of the latent error, then
performing the system start-up)
• identifying the new requirements to be created, or
modifications to those already modelled.
• creating/justifying the new failure scenarios (or the
absence of new failure scenarios) as a result of
modification or variation of the requirement.
θ add new contextual or ‘behavioural’ elements 1
This stage in the process of taking account of the context of
an event can be attached to the “inductive” approach described
previously. For the analyst, this means identifying new
contextual or behavioural elements relative to the event, which
will allow him to model new failure scenarios using the
MERMOS method, or to justify removal of existing scenarios.
θ impact/modify the justifications used for reference
quantification.
After taking account of the event context, the analyst may
decide to revise the justifications given for quantification of the
reference mission.
B. Fire situation
A fire PSA requires a specific process based on Level 1 PSA,
which models the impact of internal event, to assess the
consequences of a fire in plant buildings. The first phase of
PHRA consists in assessing the reliability of fire-specific
management in the control room (for example, creation of a cut-
off plan) and in re-assessing the emergency operations to take
account of possible situations accumulating subsequent to a fire.
1) HRA modelling and specificities
In principle, because of the underlying structure of the
analyses and concepts, the MERMOS method can be adapted to
all incidental/accidental contexts in a nuclear plant. For the
purpose of HRA modelling, therefore, fire-specific operations
from control room are assessed using the reference MERMOS
method, and the existing missions are adapted to the degraded
situations accumulating a fire by taking account of the specific
context (as indicated in the previous paragraph) and using the
delta approach.
Thus, HRA modelling of control room fire management is
based on application of the reference MERMOS method, and its
1
In relation to the principles of MERMOS, these are
knowledge elements related to the operating system (team-
procedure-interface)
 Joint 8th IEEE HFPP / 13th HPRCT
main specificities are found in the data and knowledge bases to
be acquired into the operating system and its environment.
Certain specificities have already been registered and will soon
be integrated:
• Particular organisational structure of the operating
system
• Incorporation of new operating procedures
• Possible presence of parameters that could hamper
operations (unavailability due to fire), and presence of
spurious alarms
• Relations with operatives external to the control room
(fire fighters)
• …
2) Continuing development
Beyond the control room operations, overall management of
a nuclear unit affected by a fire involves carrying out certain
fire management actions such as:
• fire detection and immediate responses (alarm,
confirmation, fire containment),
• fire-fighting after confirmation of the fire, possibly
involving the use of human and technical resources
external to the site.
Research work is now in progress at EDF for the purpose of
developing HRA methodologies for modelling these aspects of
fire management. The initial research has been mainly
concerned with setting up data and knowledge bases on the
nuclear sites regarding the management of these situations.
IV. NEW DEVELOPMENTS: SEVERE ACCIDENT MANAGEMENT
As part of the modelling of the risk of radioactive discharge
following the core meltdown, HRA methods have to be
developed in order to determine, within a Level 2 PSA, the
contribution from the National Crisis Organisation and
decision-making or technical support personnel located outside
the control room, for the purpose of ensuring containment. With
the initial developments completed, the first applications are
now being made in order to extend the process and validate it
for use in all associated Level 2 PSA and HF missions.
A. Proposed modelling process
The process for Severe Accident HRA studies is based on the
principles of the MERMOS method. The specificities of the
Level 2 PSA from a “HRA point of view” (few missions to
analyse compared with Level 1 PSA) make it possible to take
account of the fact that the process is based on the adapting of
generic mission models to a specific context.
The Level 2 PSA attempts to assess the frequency of
radioactive discharge resulting from the degraded fuel situations
identified in the Level 1 PSA. To do this, the Level 2 PSA
creates a group of degraded situations so that it can also include
their particular initiating events (PDS, Plant Damage State).
This group is then used to define a degraded envelope situation
(which is very often conservative) for all of the situations in the
group.
The HRA analysts then have to create a process based on the
delta approach of the MERMOS method, using a knowledge
280
base derived from the generic missions available. One of the
aims is that these missions should always correspond to an
accidental context more serious than the one examined by the
analyst in his study; and this might help limit the number of
specific studies required.
1) Modelling principles
θ Systemic approach
To determine the contribution of the National Crisis
Organisation and decision-making and technical personnel
located outside the control room we have enlarged the
emergency operation system for the purpose of analysis from
the point of view of reliability. The purpose is then to analyse
the reliability of an operating system which includes:
Control room operating team – Local decision-making
teams – National technical support teams - Procedures –
Interfaces
The enlargement of the system is based on a trade-off
between the reasons for taking account of the response and
decision ‘centres’ involved in operations (with the response or
decision-making resources etc.), and the difficulty of integrating
all the operatives involved in managing a Severe Accident.
θ Functional breakdown
The SAD model used by MERMOS has been modified. The
functional breakdown is used particularly to provide a
simplified view of system functioning. In particular, the
‘mission’ of the new EOS is to analyse and assess the situation
relative to plant operation, and determine the possible
developments. We are thus considering that a mission failure
could be compared with a failure in the Prognosis function. The
Prognosis function is defined as the function that shows the
status of the installation at a set time (calculated or not, and with
systems + barriers), and the safety functions, taking into account
a possible aggravating factor.
⇒ PSAD Model
Therefore, it is the No Prognosis and Erroneous Prognosis
failure modes that are to be taken into account for the EPFH
analysis in the same way as the other existing failure modes for
the Strategy, Action and status Diagnostics functions.
2) Process detail and specificity
Figure 2 shows a model of the initial process to be carried out
when the study of an HF mission in a Severe Accidental
situation makes no reference to any existing generic mission.
When analysis of the generic mission is complete, its variations
are decided by the analyst according to the different accidental
contexts (particular contexts are taken into account). In
principle, the generic mission very often corresponds to the
most unfavourable context (transient dynamics, resources
available, etc.).
 Joint 8th IEEE HFPP / 13th HPRCT
A. Stage 1
a) Identification and definition of
the generic mission using the MERMOS
method
Generic variation of the requirement
according to functions of the Severe
Accident model
A. Stage 2
b) Qualitative analysis and
quantification of generic missions
Qualitative analysis – identification of failure
scenarios (inductive and deductive process)
Quantification of scenarios by the MERMOS
method and using existing numerical data or
interviews with experts in Severe Accident
management
no
Adaptation of the
End of analysis -
generic mission to
Conservative
accident contexts?
model
yes
Delta approach
Figure 2. Initial process
Stage 2 aims to be as exhaustive or conservative as possible
when defining the mission, adapting the requirement, and
identifying the scenarios in order to assist the analyst as far as
possible in the following stage. The “delta” approach in Level 2
is therefore intended as a context describing process, rather than
an adaptation or transposition process.
Another Stage 2 objective is to form the basis for future HRA
studies on the mission concerned. It is therefore intended to
provide ‘technical’ validation of the analysis and failure model,
281
by indicating as far as possible the Level 2 expert 2 assessments
and assumptions used to identify and quantify the failure
scenarios. The identified knowledge elements can be re-used,
adapted or modified in future stages or studies. The analyst can
then use this general level of analysis and adapt it according to
the requirements of the study.
This stage can also be linked with the HRA data collection
phase, particularly for the purpose of technical validation or
collection of the associated evaluation data. To assess
emergency operation during Severe Accident, the analyst has
less HRA data available than for the HRA studies for the Level
1 PSA (no real cases observed, and few simulations related to
the existing method for accidental/incidental situations, etc.).
The main data source for assessing human reliability analyses is
therefore the expert evaluation data base, which can be adapted
or identified within the generic missions.
This aspect is specific to Severe Accidents, and since the
analyst has no simulations available (for example, training on a
full-scale simulator), this evaluation made or validated by
experts forms an important part of the human reliability data.
3) Advantages of the proposed process
Till now, HF missions in the Severe Accident context were
evaluated where necessary by assigning fixed discrete values,
which depended particularly on the time available after the
accident occurred. As a result, assessments could be affected by
the threshold effects on variations when the available times
were short. Quantification by assigning an expert evaluation as
recommended by the MERMOS method is less susceptible to
threshold effects due to variations in time. It also makes it
possible, depending on the situation, to evaluate more
accurately the availability of technical or decision-making
resources (particularly by applying a situation feature indicating
that they are absent or unavailable).
Finally, the proposed process allows:
• a more detailed definition of specificities related to the
accident context, by providing a qualitative description
of this context within the failure scenarios
• where necessary, concurrent or tacit objectives to be
taken into account by the emergency teams, in order to
perform the necessary action identified by the PSA
(consistent and systematic modelling of Severe Accident
operations by using CICAs and having the operating
system take account of national or local technical support
resources).
V. REQUIREMENTS AND INITIAL DEVELOPMENT WORK ON
LATENT ERROR MODELS
The need for HRA development work on ‘pre-accident’
failure modelling (i.e. latent failures, or failures that occur prior
to an accident) is due both to the need for R&D, to make the
existing pre-accident method (the “FH7”) more consistent with
the post-accident MERMOS method, and the need for
2
In particular, these include Severe Accident experts (accident
management and physical analysis), emergency operations
experts, PSA experts, members of the crisis organisation, etc.
 Joint 8th IEEE HFPP / 13th HPRCT
operational units to be able to go beyond the limitations of the
existing FH7 method, and particularly so they can evaluate the
existing organisational barriers and use the available experience
feedback.
A. Limitations of the FH7 method
FH7 is a ‘consensus’ method: it uses numerical values based
on a consensus of experts from the EDF and the Safety
Authority (SA). The method, the ‘data’, and the numerical
failure probability values are not separated. Also, FH7 is based
on the principle of evaluating the probability of non-recovered
individual human error (i.e. a second individual human error),
as was the FH6 method, which preceded MERMOS for post-
accident situations. It is limited to errors of omission or
incorrect execution of basic actions, as are the first-generation
HRA methods, which were focussed on individual human error.
It is therefore out of alignment with MERMOS a second-
generation method. Finally, the elementary nature of FH7 does
not allow evaluation of the organisational arrangements that
EDF believes are important for certain situations pointed out in
some of the safety analyses.
B. Possible future developments
1) Use of experience feedback
When preparing the FH7 method, EDF did not have
sufficient experience feedback information to allow it to apply a
statistical approach, for example in order to estimate the
probability of latent unavailability of a system due to human
error, all the more the equipment taken into account in the PSA
is safety-related and very often requires special attention. A
forward study based on experience feedback has demonstrated
the feasibility of using experience feedback for a pre-accident
HRA method, on several conditions:
• Select a suitably representative level of sampling:
equipment or equipment group if relevant (for example,
manual valves); the grouping level must be given
special attention and be validated retrospectively by
experience feedback;
• Choose a period that is as large as possible (for
examining the feedback), but which represents an
organisation structure that is comparatively stable
relative to the function being examined: this should be
determined by expert appraisal, on a case-by-case basis;
• Extrapolate the time ratio (cumulative) for when there is
incorrect configuration of the equipment (due to human
error and making the function concerned unavailable),
with the required operating time, representing the
probable unavailability of the equipment.
• Check that the data collected allow a satisfactory
confidence interval to be defined.
2) Absence of relevant experience feedback
If it is necessary to use the available experience feedback,
using this alone for making certain estimates means that several
conditions must be set, including in particular the availability of
sufficient homogeneous data. In certain cases, the analyst does
not have this data available, for example to take account of a
new organisation structure or a new equipment maintenance
strategy. Consequently, experience feedback will not always be
282
sufficient for evaluating the organisation structure of a nuclear
unit. Therefore, field surveys have been conducted, where the
occurrence of an event has caused the unavailability of a
system, in order to determine whether the concepts produced by
MERMOS could be extended, for example, to maintenance
activities. These surveys must be continued, but initial
conclusions have allowed us to establish that certain concepts
could be extended to the pre-accident area:
• Not focussed on individual human error
• ‘Systemic’ reasoning: performance is evaluated at the
design process level to ensure safety, and not
specifically at human level. The subject of evaluation is
therefore the system, including the general personnel
structure and its interactions with its environment and
tools.
• Importance of the situation: system behaviours that lead
to failures are consistent, but not adapted to the
requirement because of particular situations. 3
• Failure probability is determined by qualitative analysis
of failure scenarios quantified individually using plant
data or expert appraisals. Failure probability is therefore
the sum of all the failure scenarios foreseen by the
analyst.
• The overall failure mechanism is based on the non-
reconfiguration of the active system, along with a certain
inertia of the configuration and an orientation 4 that leads
to choices not adapted to the situation.
The aim of the further research will be to define an HRA
method that can be used to assess the impact of organisational
choices on safety [6] during the pre-accident and post-accident
phases, and which will meet the requirements of operational
units that wish to evaluate specific safety-related arrangements
where necessary.
VI. CONCLUSION
Originally designed to meet HRA requirements related to the
modelling of nuclear reactor operations during an incident or
accident situation for theN4 unit type, and go beyond the
concepts of the first-generation methods, the MERMOS method
has since been applied to Probabilistic Safety Assessments for
all types of nuclear units. The ‘industrial’ application of a
second-generation HRA method has made it possible both to
test the concepts of the method from this point of view, and to
3
As stated in ATHEANA (NUREG-1624, page 1-9):
“ Previous HRA methods have implicitly focused on
addressing the question, “What is the chance of random
operator error (e.g. operator fails to…) under nominal accident
conditions ?” …. On the basis of review of the operating
experience in several industries, a more appropriate question to
pursue is, “What is the chance of an error-forcing-context
occurring so that operator error is very likely?”
4
In MERMOS, defined by the CICAs
 Joint 8th IEEE HFPP / 13th HPRCT
create a related knowledge base and data base to assist future
model updates, and to be used for new human reliability
analyses [3]. We are now in the process of extending the
method to meet other tasks, such as probabilistic event analysis,
and fire or Severe Accident management. Initial developments
and test cases have shown us that the principles of the method,
such as systemic reasoning, importance of the situation, failure
modelling, and analysis structuring, were able to contribute to
an evaluation of the performance of safety processes where
there is human involvement, beyond the situations analysed by
the Level 1 PSA. If the methodologies developed using the
MERMOS method are possible, their uses must also be based
on knowledge and data that do not form an integral part of the
method. To ensure that relevant use is made of human reliability
assessments in order to meet the various requirements, it is also
important to set up data or knowledge bases for the various
processes being examined.
REFERENCES
[1] Bieder C., Le Bot P., Desmares E., Cara F, Bonnet J-L,
“MERMOS: EDF’s New Advanced HRA Method, International
283
Conference on Probabilistic Safety Assessment and Management,
Springer Verlag London Limited, 1998.
[2] E. Desmares, F. Cara, P. Le Bot, C. Bieder, J-L. Bonnet,
“MERMOS : New Issues on Human Failure in Emergency
Operations of Nuclear Power Plants”, Probabilistic Safety
Assessment and Management, Springer Verlag London Limited,
1998.
[3] P. Le Bot Human reliability data, human error and accident
models—illustration through the Three Mile Island accident
analysis
Reliability Engineering & System Safety, Volume 83, Issue
2, February 2004, Pages 153-167
[4] H.Pesme, P. Le Bot, P. Meyer, EDF R&D “Little stories to explain
Human Reliability Assessment : a practical approach of the
MERMOS ”, IEEE/HPRCT 2007, Monterey CA.
[5] C. Bieder, « What does a MERMOS analysis consists of ? », Proc.
PSA ’99, Washington, DC, August 22-25, 1999, American Nuclear
Society, La Grange park, Illinois (1999).
[6] A. Voicu, P. Le Bot “Exploratory study of the impact of
organisational factors on safety using Probabilistic Safety
Assessments”, Proc. International Topical Meeting on Probabilistic
Safety Analysis, PSA'05, September 11-15, 2005 , San Francisco
[7] H.Pesme, P.Meyer “Guide for the application of human reliability
assessment method MERMOS” EDF R&D 2002, HT-54/02/20/A
(to be published in english).