ML20086R328

From kanterella
Jump to navigation Jump to search
Human Interactions Evaluation Failure to Isolate Incorrect Valve Alignment During Shutdown
ML20086R328
Person / Time
Site: Wolf Creek Wolf Creek Nuclear Operating Corporation icon.png
Issue date: 07/31/1995
From: Quilici M
NUS CORP.
To:
Shared Package
ML20086R326 List:
References
NUDOCS 9507310105
Download: ML20086R328 (26)
v  d  e


Text

_.

HUMAN INTERACTIONS EVALUATION FAILURE TO ISOLATE INCORRECT VALVE ALIGNMENT DURING SHUTDOWN l

l Prepared for:

Wolf Creek Nuclear Operating Corporation i

July 1995 Marc D. Quilici l

@NUS

=, = =..

S PDR

j TABLE OF CONTENTS i

Section East 1.0 Overview

...................................................................................................WC-1 2.0 Meth od ology................................................................................................... WC-2 1

2.1 Post-Accident Human Interactions (Type C)...........................................WC-3 2.1.1 Estimation of Cognitive / Procedural Error Probability (Ps)..........WC-5 l

2.1.2 Estimation of the Crew Non-Response Probability (P )..............WC-6 2

2.1.3 Estimation of the Logarithmic Standard Deviation (e).................WC-7.

2.1.4 Estimation of the Manipulative Error Probability (Pa)...............WC-10 2.1.5 Dependencies in Type C Actions.............................................WC-11 3.0 Q u antification................................................................................................ WC-12 3.1 Short Term Blowdown isolation...........................................................WC-12 3.1.1 Estimation of Cognitive / Procedural Error Probability (Pi)........WC-12 i

3.1.2 Estimation of the Crew Non-Response Probability (P )............WC-12 2

3.1.3 Estimation of the Manipulative Error Probability (Pa).................WC-13 3.2 Long Term Blowdown isolation............................................................ WC-13 3.2.1 Estimation of Cognitive / Procedural Error Probability (P,)........WC-13 3.2.2 Estimation of the Crew Non-Response Probability (P )............WC-14 2

3.2.3 Estimation of the Manipulative Error Probability (Pa)................WC-15 3.3 U n ce rtainty........................................................................................... WC-1 5 4.0 Results

.................................................................................................WC-15 5.0 References

.................................................................................................WC-16 i

i h

July 1995 WCNOC-HLDOC

i 4,

UST OF TABLES 1

i IBble Pene 1

Determination of P, Values........................................................................ WC-17 2

Type C Human Interactions Development Parameters..............................WC-18 3

Type C Human Interactions Calculation Summary of P Parameter..........WC-19 2

i 4

Type C Human interactions Development Summary.................................WC-20 i

. 1 i

T t

t i

f i

t I

k

(

i July 1995 WCNOC-HLDOC i

WC-ii g

1 1

i l.,

i LIST OF FIGURES i

EhhLrg Eggg l

' 1 Generali7.ed Representation of Human Interactions...................................WC-21

{

2 Decision Tree for Selection of Sigma for P2...............................................WC-22 t

5 P

i t

h l

i t

F f

i i

f C

i i

t July 1995 WCNOC-Hl. DOC

[

WC-lii b

e

~

{

,1 HUMAN INTERACTIONS EVALUATION FAILURE TO ISOLATE INCORRECT VALVE ALIGNMENT DURING SHUTDOWN i

I i

1.0 OVERVIEW On September 17, 1994 an operational event occurred at Wolf Creek in which an l

inappropriate alignment of the Residual Heat Removal (RHR) system was made which resulted in the rapid transfer of approximately 9200 gallons of reactor coolant system (RCS) water to the refueling water storage tank (RWST). The valve alignment was corrected in 66 seconds and the event was terminated. Subsequent analysis indicates that if the realignment had not been completed within about five minutes, the RCS could have been voided to the loop piping elevation, potentially resulting in the failure of all ECCS. If not isolated within 25 to 30 minutes, core uncovery could occur. A preliminary Accident Sequence Precursor (ASP) analysis of the

)

operational event has been performed by Oak Ridge National Laboratory (ORNL, Ref.1). The j

analysis identifies four potential scenarios which could result had the event not been terminated, two of which would result in no core damage and two which are projected to lead to core damage. The two core damage scenarios (Sequences 3 and 4) are dominated by g

human errors for failure to isolate the blowdown and are defined as follows:

{

Sequence 3 RCS blowdown with failure of isolation within 5 minutes, successful isolation prior to core uncovery, and failure of reflux steam generator

{

cooling.

Sequence 4 RCS Blowdown with failure of isolation within 5 minutes and failure to isolate prior to core uncovery.

The treatment of human interactions in probabilistic risk assessment studies is a key to the realistic understanding of accident sequences and their relative importance. This report describes the treatment and modeling of these two important human interactions. The ASP analysis employed a time reliability correlation (TRC) model. The EPRI Systematic Human Action Reliability Procedure (SHARP, Ref. 2) has been used in several PSA analyses, both j

domestic and intomational, to date and has had extensive review and acceptance. The-l SHARP methodology has been used here to quantitatively evaluate the human error i

probabilities (HEPs) associated with these two important human interactions.

i I

1 July 1995 WCNOC-Hl. DOC W C-1 i

.)

\\

d This report is structured as follows: Section 1 provides an overview of the scenarios being examined, Section 2 discusses the general methodology used to examine the human interactions, Section 3 discusses the quantification of the two specific human interactions of 1

interest. Section 4 summarizes the results of the human interaction analysis and their impact l

to the ASP calculation of conditional core damage frequency, and Section 5 provides the list of i

references.

l 2.0 METHODOLOGY l

l The EPRI Systematic Human Action Reliability Procedure (SHARP, Ref. 2) is a well structured framework designed to incorporate the human-hardware interactions into the PSA in a scrutable manner. SHARP has been used as the basis for the human interactions analysis presented here. ~ SHARP consists of seven activities, each identified and discussed below.

l Due to the focused scope of this analysis, not all of the seven activities are required. Those j

items not required are noted.

)

1. Definition. Identifies human interactions in the event tree and fault tree logic models. These human interactions are then classified into three categories as j

shown below.

t i

Type A: Pre-accident human interactions l

Type B: Operator actions causing an initiating event i

Type C: Post-accident human interactions l

Since the events to be examined are defined by the scope of this analysis, this

]

activity is not required.

The two events are classified as-Type C human j

interactions. The Type A and B human interactions are not discussed further. The methodology for quantifying the human error probabilities for the Type C human interactions are discussed in subsequent sections.

2. Selection. Screens the human interactions, determining the ones significant to the operation and safety of the plant. This activity is not required due to the scope of the analysis.
3. Breakdown. Develops a detailed description of the important human interactions by defining the key factors and timing influencing the action and the model.

July 1995 WCNOC-Hl. DOC WC-2

4. Representation. Selects and applies techniques for modeling the important human interactions appearing in the logic models.
5. Impact Assessment. Assesses how the reprasentation of the significant human interactions is best incorporated into the system logic models. This sometimes leads to a redefinition of the human interactions identified in Step #1 above. This activity is not required due to the scope of the analysis.
6. Quantification. Applies appropriate estimates, models, orjudgment to the specific.

model technique used. Quantification methods result in assigning probabilities for the various interactions examined, determining sensitivities, and establishing uncertainty ranges.

7. Documentation. Describes all the necessary information for the human interaction assessment to be traceable, understandable, and reproducible.

These activities are structured to achieve a thorough human interactions analysis.

As previously discussed, due to the focused nature of this analysis, many of the above activities are not required.

For the two important human interactions detailed analyses, using SHARP activities #3 through

  1. 7, are performed as needed. This process consists of evaluating the specific steps and timing involved with the key actions, selecting and applying a HRA model for the task, and quantifying the model.

The two human interactions of interest are both Post-Accident Human Interactions (Type C) and the methodology associated with their quantification is discussed below, j

l 1

2.1 Post-Accident Human Interactions (Type C)

Post-accident human interactions (Type C) are the most complex of the three main classifications of human interactions, requiring a more detailed analysis. Unlike the Type A analysis, where generalized human error probability values can often reasonably be applied, Type C interactions are usually site specific, depending on the initiating event, hardware availability, and timing. In order to account for these variations, the human error probability for each event is quantified by first calculating the following three probabilities.

July 1995 WCNOC-Hl. DOC j

WC-3

V

. o r

r j

1 C

P-Coonitive/ Procedural Error Probabilitv. The probability that the operator fails '

'l S

to correctly diagnose the problem and thus' fails to enter the. correct procedure to correct tho' problem.

P-Crew Non-Response Probability. The probability that the operator is in the

{

- correct ' procedure, but does not progress quickly enough.to. reach and complete the needed actions.

j 1

P-Manioulative Error Probability. The probability that the operator fails to tum the right switch or operate the correct valve that is specified in the' procedure.

These probabilities are combined to quantify the total human error probability for each event.

.l The specific method used in the development of the above generalized probabilities is presented in this subsection, and is applicable to both power and non-power operations. The'-

i application of these probabilities to Type C human interactions is provided in the quantification

{

discussion in Section 3.0.

i The basic framework for the analysis of the human interactions looks like an' event tree (Rgure i

1) with four sequences on it, three of which have unfavorable outcomes.- The top sequence -

]

represents the operator successfully recognizing the problem, and having enough time to see it through to completion, successfully manipulating the required swdches, pumps,- or.

component. The next branch (Pa) represents a successful start to the problem. The problem I

is correctly identified and the following operator responses are correct in accordance with the applicable procedure. However, a non-recoverable manipulative slip occurs resulting in failure

]

of the human interaction. The third branch (P ) models correct recognition of the problem, but

]

2 failure to process information in a timely manner. The final branch (Ps) represents cognitive i

mistakes, failing to recognize the situation or failing to recognize the correct action to take.

)

The principal motivation for using this representation is that it provides a natural vehicle to-model observed operator behavior. The human cognitive reliability (HCR) corrstation provides a characterization of the variation in time over which a correct diagnosis and decision is made.

The human cognitive reliability correlation, when used to evaluate a probability to fail to respond (Pa) does so conditionally on the operators being on the correct cognitive path.

However, it is possible that no matter how long the operators had, they would never make the correct decision. This is represented by the first-branch (P ) and serves to act as' an S

July 1995 WCNOC-Hl. DOC I

W C-4

m..,

I asymptotic cut-off. This probability includes failure to reach the correct cognitive path due to misdiagnosis.

)

H The third element of the representation addresses the possibility that, having successfully identified the correct strategy, the crew makes a non-recoverable slip in carrying out the necessary actions, with probability Pa.

Thus, the generalized model has three elements. it is not always necessary to consider all l

three elements. For example, time is not necessarily the driving factor in determining failure for actions in a step requiring the operator to maintain a variable parameter below, at, or within specific limits. Also, since this step is modeled on the assumption that the crew is already using the correct procedure, the first branch of the generalized model is unnecessary in this case. For this type of human interaction therefore, the representation reduces to a single branch point representing slips or mistakes in completing the required actions.

in other cases, while the three branches are in principle relevant, there is reason to suspect that only one branch dominates the overall failure probability. This idea is useful in classifying i

human interactions as time-critical or non-time-critical. A time-critical human interaction is one in which the second branch point failure probability dominates the overall human error probability. A non-time-critical human interaction is one where it does not. In these cases, the basic representations of the human interaction can be modified by deleting the appropriate i

branch (es). An example of a time-critical human interaction is the switchover to sump recirculation during a large LOCA.

2.1.1 Estimation of Cognitive / Procedural Error Probability (P )

i l

The errors which reflect non-recoverable mistakes in recognizing which procedure is required could be due to a number of causes. For example, wrong detection, misdiagnosis, problems with procedures, plant interface difficulties, and lack of adequate training / experience in certain areas are all possible causes. All these items suggest that the probability of this type of error is strongly plant dependent (e.g., quality of EOPs, symptom-based versus event-based EOPs, training, operating philosophy, etc.) and therefore, it is extremely difficult to extrapolate data from one plant to another, or to come up with a " generic" estimate reflecting the probability of procedural errors. Limited data on such errors exist, but the limited data confirms that the errors made by crews depend on the plant, procedures, and training. Although an estimate of procedural error probabilities can not be produced at present based on any of these data bases, one can observe that (in general) the probability of procedural diagnosis errors is small.

4 July 1995 WCNOC-HLDOC a

W C-5

~,-,

--mm,

_.,mm-,,--

-,n-

A plant-specific emergency procedure validation program, simulating a wide spectrum of scenarios involving all EOPs has been performed for Pennsylvania Power & Light (PP&L).

This program provided a tool to produce high quality validated EOPs and also produced estimates on procedural errors. They reported an estimate smaller than 1E-3 for procedural errors for their operating crews based on zero errors in 1600 procedural steps. It is important to note that the contribution of cognitive errors to crew non-success is strongly reduced by the development and implementation of the symptom-based EOPs as shown by PP&L data.

Training and addition of operator aids, such as a Safety Parameter Display System and EOP Tracking System could also reduce the contribution of P.

i Parameter P is a fundamental parameter of the general model discussed previously. While i

there is no direct statistical evidence for the evaluation of this parameter, some conclusions can be drawn. The value of P is sequence / scenario dependent. It depends on the clarity with i

which the need for response is indicated. The indication may be a written step in a procedure, an alarm, or a trend in a plant parameter. The key questions here are whether the indication is strong, or whether there is a likelihood of it being masked. Another factor of importance is whether training had emphasized the scenario. Finally, the time available to recover from cognitive slips is also an important factor.

For this analysis, generic values (Table 1) are used for the P contribution to the human error i

probability. These values are based on the engineering judgment of human reliability analysis experts following a review of data from operator simulator experiments.

2.1.2 Estimation of the Crew Non-Response Probability (P )

2 The crew non-response probability represents the probability that an operating crew, while making the correct decision, takes too long a time in comparison with the time available to respond. This contribution to the crew overall non-success (non-response) can be particularly important for situations where a relatively fast response to an initiator must be made.

The method for estimating P uses a time reliability curve represented by operator reliability 2

experiments / human cognitive reliability (ORE /HCR) correlation (Ref. 3). While it can be argued that parameters P and P represent different parts of the same cognitive process, this i

2 distinction is necessary because of the way data is used to calibrate the human cognitive reliability model for evaluation of P as discussed below.

2 July 1995 WCNOC-HLDOC W C-6

I The ORE /HCR correlation is a representation of the probability of crew non-response as a i

function of normalized time (the normalized time is a dimensionless unit which reflects the ratio of time available to crew median response time). Each non-response curve is characterized by two crew response time parameters: A crew median response time (Tm ) and a logarithmic standard deviation of normalized time (a). With these two parameters, the probability of crew non-response in a time window (Tw) is given as follows.

[

i P = 1 - e [In(T/Tm)/e]

where:

i i

is the standard normal cumulative distribution (refer to standard normal distribution tables) i in is the naturallogarithm (base e)

[

T

= T. - T.

T. is the time window available T. is the manipulation time, the time required to complete the needed actions once they are identified Tm is the median crew response time e

is the logarithmic standard deviation The o corresponds to the variabifrty in operator response, and is estimated as described below.

It must be noted that P in the equation is derived based on the assumption that time window (Tw) is a constant (i.e., no uncertainty). The time windows used in the quantification of the human error probabilities are based on the ASP analysis and plant specific thermal / hydraulic analyses.

2.1.3 Estimation of the Logarithmic Standard Deviation (e).

The lognormal e represents the crew-to-crew variability in responding to a specific cue. This deviation stems from a range of different factors such as cue response structure, diagnostic difficulty, degree and kind of procedural guidance, level of. operator experience, communications between crew members, and different response strategies. Unfortunately in the quantification of e, there is no all-encompassing, validated data base available for human reliability applications. The approach in this analysis is based on the use of the decision tree shown in Figure 2. To use the decision tree, the analyst needs a detailed understanding of the July 1995 WCNOC-Hl. DOC W C-7 m --,,.'

~

-,v.,-

- + -,.

,m-

9 type of cue response; i.e., what causes an operator to respond. The decision tree and points have been derived based on judgment coupled with insights from simulator training.

The paths taken on the decision tree are based on the analyst's review of the emergency procedures, and through the qualitative data obtained through discussions with the operating staff and simulator trainers. The analyst must also ascertain whether multiple strategies are possible at the plant.

A basic assumption behind the decision tree is that following an initiating event, as the accident proceeds further into the response, one can expect to see larger deviations in crew response times. A laroe o can be indicative of difficult diagnosis, the need for deriving diagnostics by monitoring meters /afarms, safety parameter display system (SPDS), or use of different response strategies. Thus, the o is indicative of how demanding and stressful the scenario is to the operators. The basis for defining the decision tree endpoints (the e-values) has been a review of available operator reliability experiments data and derivation of correlation between the calculated e-values and the scenario descriptions coupled with observations (event chronologies). The tree has been used previously in the human reliability analysis of two U.S. PWR PRAs.

The decision tree has four headings which address the human interaction boundary (cue response), procedures, training, and stress, respectively. These headings are applicable to a PWR with emergency procedures based on the Westinghouse Owners Group Guidelines. For each heading, questions are asked and generally if the answer is a "yes", the "yes (up) r1th" of the decision tree is followed. Analyst judgment is required to select a path in the tree if all questions at a particular branch can not all be answered "yes" or "no". The set of questions associated with the decision tree is given below.

Branch #1: Separation of Actions That are Memorized as Oooosed to Procedure Directed Skill-based versus rule-based or knowledge-based actions. This relates to the type of cue-response at hand. The following questions are asked, and if either is yes, then the up branch is taken.

is the crew response concemed with immediate actions that are essentially leamed actions and could be regarded as skill-based (part of the reactor trip procedure)?

July 1995 WCNOC-Hl. DOC W C-8 l

7 Are the required operator actions primarily concemed with assessment of need for manual back-up actions to automated safety functions?,

l Branch #2: Procedural Guidance j

1 This branch point is concemed with the extent of procedural guidance and the cues available.

For example, whether the procedure itself is sufficient to guide the operator or whether he/she also has to monitor meters, position indicators, etc. The following questions are asked.

j Is the procedure guidance simple / explicit enough; e.g., one step, clearly defined (is it unnecessary to monitor meters / alarms to make the correct decision)?

Are the indications / alarms clear enough to support a decision, or is it necessary to take additional observations to reach a correct decision?

Is the diagnostic straightforward without the need for consulting SPDS or bringing in additional crew members?

Branch #3: OperatorTrainina issuer 2 From simulator experiments it has been shown that in highly practiced actions different crews will perform consistently. The questions here relate to the type of training, frequency of training, and overall familiarity with the transient.

Is the action highly practiced (through regular simulator training or/and actual experience) and simple to implement?

Is coordination among crew members unimportant in responding to cue?

Is no conscious planning required by operator to execute action?

Branch #4: Control Room Situation / Stress Level 1

This brarch is intended to address a situation where several parallel actions have to be taken, or situations of potentially higher stress. This may cause communication problems and the shift supervisor and other on-shift personnel may become locked in a procedure loop.

~

is there only one critical alarm / annunciator present?

July 1995 WCNOC-Hl. DOC WC-9

~..

l ls the timing of operator response not critical (i.e., long system time-window)?

Decision Tree Endooints I

Branches 1 through 4 represent relatively _ simple actions that are backed by. memorized procedures. For highly practiced actions, the crew-to-crew variability in responding to a cue can be expected to be relatively minor; i.e., the e-value is small. As the potential distractions (e.g., large number of more-or-less simultaneous alarms, several actions to be take in parallel) in the control room mount, the e-value can be expected to become larger. Branches 5 through 12 represent actions of moderate to high complexity. Insights from simulator training indicate that in instances where there are clear alarms / annunciators, crews tend to perform consistently; i.e., approach the cue-response pattom of, say, branches 1 and 2. Whenever there is the need for basing a decision on the correct interpretation of meter indications, the crew-to-crew variability tends to assume large e-values. The values given in the tree are indicative of the range of values that can be expected to be derived from a detailed simulator measurements program.

2.1.4 Estimation of the Manipulative Error Probability (P )

l This part of crew response to accident initiations reflects the probability that the operators either make a slip which is'not recovered in the available time or do not complete the procedural steps / tasks in time even though there is sufficient time to do so initially. This part could also be important from a time-dependency to cognitive part (i.e., P ) vi'WPoint. This 2

means that for human interactions involving a series of manipulations or procedural steps, the time spent on these actions reduces the time available for the crew to make a cognitive response. The manipulative control actions can be represented by either a simple binary state (i.e., failure / success) or a logic tree (i.e., fault / event tree) depending on the number and complexity of actions. For simple single push-button actions, the former method is sufficient while for multi-step actions outlined in the procedures a logic tree representation is preferred.

For the two human interactions of interest in this analysis, the Pa actions involve only one manipulative action, represented by simple binary states.

As stated earlier in this section, the available time for the crew to diagnose the problem and initiate the action is the physical time window (govemed by the transient conditions and i

progression) minus the time required to perform the manipulative actions. It is noted that the "minus" here means a probabilistic operation because the time to complete the manipulations July 1995 WCNOC-HLDOC WC-10 a

r-

.---,,.<-----y, e

is, in principal, a random variable. The treatment of this type of time dependency is discussed in the next section. For the case of a simple, single push-button action the manipulation time

~

is minimal. However, for the multi-step tasks (e.g., backup to automatic switchover from injection to recircultuon in a large LOCA event) _the manipulation time could have an impact on j

the time availabie for diagnosis. The manipulation time also includes the time taken by the l

crew to get to proper control locations.

2.1.5 Dependencies in Type C Actions Two types of dependencies are addressed for the Type C human interactions. The first is related to the effect on the time available for performing an human interaction, and the second is the question of cognitive dependency between sequential, or parallel, human interactions, i

EmeDependence At the single human interaction level, a dependence occurs between the time allowable for recognition and decision making, and the time needed to perform the action. The time window is evaluated on the basis for the completion of the human interaction, thus the time available for the operators to recognize the appropriate action to take is dependent on the time it takes to perform the action. The time window (Tw) is determined by subtracting from it the mean time to complete the action, and using this modified time window in the ORE /HCR correlation.

When a subsequent action is performed following failure of an action, the time spent during the first action has a direct impact on the time available for the subsequent action and must be accounted for. In the case of this analysis the time window for the second action is reduced by the time window of the first action.

t Coonitive Dependence When two or more human interactions are performed either sequentially, or in parallel, and are part of the same general procedure, or are the same action examined during two different time frames, they are cognitively correlated. In this case the error represented by the probability for Ps is used only once to correctly account for the dependency of the events July 1995 WCNOC-Hl. DOC WC-11

p i

3.0 QUANTIFICATION The quantification of the two important human interactions are discussed in detail in the following sections.' The human action for short term (5 minute) blowdown isolation, ISO-S, is discussed in section 3.1.

The long term (25 - 30 minute) blowdown isolation human interaction, ISO-L, is discussed in section 3.2. The detailed quantification and the results of i

the quantification are summarized in Tables 2,3, and 4 for both the short and long term human error events.

i 3.1 Short Term Blowdown isolation - ISO-S As discussed above, the overall human error probability is composed of three portions, P, P,

S 2

and Pa. The estimation of these three parameters for event ISO-S are discussed below:

l 3.1.1 Estimation of Cognitive / Procedural Error Probability (P )

l i

The estimation of the cognitive / procedural error probability is determined from Table 1. The event involves identifying the blowdown source and isolating the necessary valve. Since this event actually occurred, significant information can be gathered from the event itself. The indications of the problem (high RWST level alarm, clearing of the pressurizer level high annunciator, " pegged low" pressurizer level instrumentation, and loud flow and water hammer noise) were clear and not masked by other indications. Since the event occurred during shutdown there was not significant competition from other actions as in the case of a plant trip from power. The event is not stressed in training, however the correct response was i

performed due to the operating practice to reclose a valve when unexpected flow and noise result from opening it. There is a short time for correction of cognitive slips, however a cognitive slip is obvious and immediately known. The response to the event is in line with the standard operating practice as discussed and is not counter-intuitive. Based on the above I

items and the information in Table 1, the Cognitive / Procedural Error Probability (P ) is i

estimated to be 1E-4 since two conditions from the table are met, however mitigating l

circumstances as discussed above exist.

l 3.1.2 Estimation of the Crew Non-Response Probability (P )

1 i

The estimate of the crew non-response probability requires identification of critical time related parameters and the variability in operator response (identified as the logarithmic standard deviation, o). The critical time parameters are the time window available, the manipulation July 1995 WCNOC-Hl. DOC WC-12

~

time, and the median crew response time. The time window is defined by the event as 5 minutes (300 seconds). The manipulation time is conservatively estimated to be 30 seconds based on a 15 second specified stroke time and an assumed 15 second time to reach the component controls. The median crew response time is more difficult to define. Based on the event itself, for which isolation actually occurred after 66 reconds, the response time was less than 51 seconds based on the 15 second stroke time. Since the desired value is median crew response time and a variability will exist, it is assumed based on engineering judgment that the median response time is on the order of 60 seconds.

The variability in operator response, i.e. the Logarithmic Standard Deviation (c) is estimated based on Figure 2 and the associated text in section 2. The response is considered to be skill-based. Since the operators are not trained on this specific scenario, the NO branch in Figure 2 is conservatively selected although the response is within good operating practices in place at the plant. Initially the stress levelin the control room would be expected to be relatively low and indication is clear. The YES branch in Figure 2 was selected although the operator response is time critical since it was felt that the selection of the NO branch in addition to the previous NO branch would be overly conservative. As can be seen in Figure 2 these branches result in a o value of 0.6.

3.1.3 Estimation of the Manipulative Error Probability (P )

3 l

The action requires only one manipulation, to close the valve.

The manipulative error probability assigned to this action is 3E-3 which is the basic human error probability suggested in NUREG/CR-1278, Handbook of Human Reliability Analysis With Emphasis on Nuclear Power Plant Applications (Ref. 4) for a single action.

3.2 Long Term Blowdown isolation -ISO-L As discussed above, the overall human error probability is composed of three portions, P, P,

i 2

and Pa. The estimation of these three parameters for event ISO-L are discussed below:

3.2.1 Estimation of Cognitive / Procedural Error Probability (P,)

The estimation of the cognitive / procedural error probability is determined from Table 1. The event involves identifying the blowdown source and isolating the necessary valve within a 25 to 30 minute time frame. Since this event has never actually occurred nor is there simulator experience to gather information from, much of the estimate must be based on engineering July 1995 WCNOC-Hl. DOC WC-13

^

I Judgment. The indications of the problem (high RWST level alarm, clearing of the pressurizer level high annunciator, " pegged low" pressurizer level instrumentation, and loud flow and water hammer noise) were clear and not masked by other indications in the short term, however in the long term as the plant condition worsens there is a potential for the situation to l

become less clear and more competition from other actions. The event is not stressed in training, however the correct response was performed due to the operating practice to reclose a valve when unexpected flow and noise result from opening it. There is a relatively long time for correction of cognitive slips. The response to the event is in line with the standard operating practice as discussed and is not counter-intuitive. Based on the above items and the information in Table 1, the Cognitive / Procedural Error Probability (P ) is estimated to be S

1E-4 since two conditions from the table are met, however mitigating circumstances as discussed above exist. This portion of the event is considered to represent a dependency with the ISO-S term which will fail both actions.

3.2.2 Estimation of the Crew Non-Response Probability (P )

2 The estimate of the crew non-response probability requires identification of critical time related parameters and the variability in operator response (identified as the logarithmic standard deviation, c). The critical time parameters are the time window available, the manipulation time, and the median crew response time. Since the overall time window may vary between 25 and 30 minutes from the time that blowdown begins and core uncovery is predicted, several cases were evaluated using varying time windows to evaluate the impact of the different time windows. The time windows defined for the event were 20 minutes (25 minutes - 5 minutes for ISO-S) (1200 seconds) and 25 minutes (30 minutes - 5 minutes for ISO-S) (1500 seconds). In addition two cases were evaluated for 30 and 35 minute time windows to illustrate the decreasing dependency of the human error probability on time as the window expands. The manipulation time is conservatively estimated to be 30 seconds based on a 15 second specified stroke time and an assumed 15 second time to reach the component controls. The median crew response time is more difficult to define. Based on engineering judgment it is estimated that the median response time is on the order of 5 minutes (300 seconds).

The variability in operator response, i.e. the Logarithmic Standard Deviation (c) is estimated based on the Figure 2 and the associated text in section 2. The progression through the event tree in Figure 2 is similar to the case for ISO-S with a few exceptions. The response is considered to be skill-based. Since the operators are not trained on this specific scenario, the NO branch in Figure 2 is conservatively selected although the response is within good operating practices in place at the plant. Initially the stress level in the control room would be July 1995 WCNOC-H1 DOC l

I l

WC-14 l

i

y J

' expected to be relatively low and indication is clear, however as the water level continues to

- drop and additional alarms occur, the stress level is expected to increase. The NO branch in' Figure 2 was selected since the operator response is still time critical although not as j

significantly as for the ISO-S case. As can be seen in Figure 2 these branches result m a a value of 0.8.

{

3.2.3 Estimation of the Manipulative Error Probability (Ps) '

l The action requires only one manipulation, to close the valve, therefore the basic human error probability of 3E-3 from Ref. 4 is applied. However sufficient time exists to correct the slip. A j

conservative recovery probability of 0.5 is assumed based on engineering judgment yielding a manipulative error probability for this action of 1.5E-3.

3.3 Uncertainty -

A quick assessment of the uncertainty associated with the P parameter for event ISO-S using 2

j the method suggested in Ref. 3, Table 3-1 and the resultant bounds were examined for _

comparison of the ASP calculated values. As shown in Table 3, the 95% upper bound is calculated to be 4.4E-2. The 5% lower bound is negligible. The ASP calculated value of SE-2 is slightly above the 95% bound calculated using the ORE /HCR correlation.

a 4.0 RESULTS l

As identified in the ASP model (Ref.1), the conditional core damage probability (CCDP) l associated with the operational event is the sum of Sequences 3 and 4 of Ref.1 Figure A-1.1.

Stated in equation form:

l CCDP = [ ISO-S * (1 - ISO-L)

  • REFLUX] + [ ISO-S
  • ISO-L]

i t

As identified for the calculation of the P, probability for event ISOL-L, the cognitive term is dependent between both human error events. Therefore the CCDP equation is modified to calculated by the following:

CCDP = [(ISO-S - Pi) * (1 - ( ISO-L - P,))

  • REFLUX] + [(ISO-S - P,) * (ISO-L - Ps)] + P, Substituting the values for the variables yields:

i a

July 1995 WCNOC-Hl. DOC WC-15

)

i

7, 3

CCDP(25) ' = [(9.1E-3) * (1 - 4.7E-2)

  • 7.0E-4) + [(9.1E-3) * (4.7E 2)] + 1E-4

= 6.1E 6 + 4.3E-4 + 1E-4

= 5.3E-4 (for the 25 min. long time window)

CCDP(30) = [(9.1E-3) * (1 - 2.6E-2)

  • 7.0E-4) + [(9.1E-3) * (2.6E-2)] + 1E-4

= 6.2E-6 + 2.4E-4 + 1E-4

= 3.5E-4 l

(for the 30 min. long time window) l

5.0 REFERENCES

{

l 1.

Preliminary Accident Seouence Precursor (ASP) Analvsis. Oak Ridge National l

Laboratory J

2.

G.W. Hannarnan and A.J. Spurgin, Systematic Human Action Reliability Procedure

]

(SHARP). Electric Power Research institute (EPRI),1984, NP-3583.

3.

An Aporoach to the Analysis of Operator Actions in Probabilistic Risk Assessment.

Electric Power Research Institute (EPRI), June 1992, Project 2847-01, EPRI TR-100259.

)

4.

A.D. Swain and H.E. Guttman, Handbook of Human Reliability Analysis With -

Emohasis on Nuclear Power Plant Aeolic.etions. NUREG/CR-1278,1983 i

l July 1995 WCNOC-Hl. DOC WC-16

i

~

TABLE 1 DETERMINATION OF Ps VALUES.

(Developed from Ref. 2)

,JVALUE7 %n,,s-.

_, [ CONDITIONS W f;

,w

,/>

,u m ~e

.~,,,

0.5 - 0.1 Indications for actions are weak (masked by other indications) or instructions not clear, and competition from other actions, Pnd not stressed in training, and relatively little time for correction of cognitive slips and counter-intuitive action 10"-10-2 All but one of the above conditions met 102 -10" All but two of the above conditions met for 10-2; d

to only one of the above conditions met for 10 10"-104 d

Only one of the above conditions met for 10 ;

4 to the following set of conditions for 10 indications clear, well-practiced, 1

and ample time for recovery 1

1 l

l I

l July 1995 WCNOC-Hl. DOC WC-17

e i

+

TABLE 2 TYPE C HUMAN INTERACTIONS DEVELOPMENT PARAMETERS i

i

Event.

. No..of

. _ Time i j Time for ? _ liTime,j f.Skillf. Procedur Trainin::

Stress Toj l

Identifier

! Acts l Window. Manipulatio

. Median 1 Rule

  • 3 e;l

?g5

^

ni:

jy ISOL-S 1

5 Min.

30 Sec.

60 Sec.

Y-Skill n/a N

Y 0.6 ISOL-L 1

25-30 30 Sec. 300 Sec.

Y-Skill n/a N

N 0.8 Min.

i l

i t

i July 1995 WCNOC-Hl. DOC WC-18

8 TABLE 3 Type C Human Interactions Calculation Summary of P: Parameter 1

o Tew Tu Tw Tw Norm. Time e

Pa (sec.)

(sec.)

(sec.)

(sec.)

Window ISOL-S - 5 Minute action Observed 0.6 300 30 36 l 270 7.5 0.9996 3.92E 04 Best Estimate 0.6 300 30 60 270 4.5 0.9939 6.09E-03 95% Bound 0.88 300 30 60 270 4.5 0.9563 4.37E-02 5% Bound 0.26 300 30 60 270 4.5 1.0000 negligible

. ISOL-L (Case 1)- 20 Minute action ( 25 min. - 5 min. for ISOL-S)-:

Best Estimate l 0.8 l 1200 l 30 l 300 l 1170 l 3.9 l 0.9555 l 4.45E-02 ISOL-L (Case 2) - 25 Minute action ( 30 min. - 5 min. for ISOL-S)

Best Estimate l 0.8 l 1500 l 30 l 300 l1470l 4.9 l 0.9765 l 2.35E-02 ISOL-L (Case 3) - 30 Minute action ( 35 min. - 5 min. for ISOL-S).

Best Estimate l 0.8 l 1800 l 30 l 300 l 1770 l 5.9 l 0.9867 l 1.33E-02 ISOL-L (Case 4) - 35 Minute action ( 40 min. - 5 min. for ISOL-S) :

Best Estimate l 0.8 l 2100 l 30 l 300 l 2070 l 6.9 l 0.9921 l 7.88E-03 i

t i

i i

l l

i July 1995 WCNOC-Hl. DOC WC-19

l 4

TABLE 4 TYPE C HUMAN INTERACTIONS DEVELOPMENT

SUMMARY

m? Event 96 sAssociated

,'>/

Mean Values ',

~.'e

@$EMN [DusM{$$$}

i$$ M(iTisiaingi

- '[

,f~

e'

f IdentifiedI! p 1 ' o' iiff s ^ ~ + h.kN!hhd$. @dbNN$$ KIN 3$hk l$$N$UL ' $$$$I$$ sp$U3/ [gHEPJ, k ISOL-S isolation of 5 Minutes 1.0E-4 6.1 E-3 3.0E-3 9.2E-3 blowdown flow to RWST within 5 minutes ISOL-L isolation of 25 Minutes 1.0E-4 4.5E-2 1.5E-3 4.7E-2 blowdown flow to RWST within 25 to 30 minutes given failure to isolate in 5 minutes 30 Minutes 1.0E-4 2.4E-2 1.5E-3 2.6E-2 i i July 1995 WCNOC-Hl. DOC WC-20

O' ,G - w wnaLilED MTEC11m/DIa6-M TECTIOe/ Dias-maqual ACTiot S P FEMEMwfaitcu tF MD515/ECf 510% 8CSIS/WC15 ION

  1. aM180E. AT!wE E

Ewa. D EOP-SaSE D COGn PROC Falltst 2 S.Ip5 speen INTRACT!W F40C N!5f aKE5 8"Ef** ore tu a O M IPTtst S MN 5 TrurLv uav MI Pg Pp P1 5 = Success F = Failure M4 = hon-m sponse set at 5 success "U 502 w3P3 F e SLIP 5 I ~ N I g P (2) S03 MIP2 F NR IN fitE Sa8 T $"E ..o R. 8 5a yE P ut so4 n!,, r e ursiaxEs b2 a-C% k 3.d b. S: uh FIGURE 1 GENERALIZED REPRESENTATION OF HUMAN INTERACTIONS July 1995 WC-21 WCNOC-Hl. DOC i .~ J

O. 'e $) SELECTION OF SKILL-e ASED PROCEtwaL UPERAYDR STRESS LEWEL to S P Stoma Fan Plff VERSUS SUIDANCE TRAINTMS CGITROL ROOM / E SESUENCE D semaN tutERActIOM RAE/ccM EDGE aND CUES ISSLES TI4E ava!LastE GUANTIFICATION BASED COGN FOR MCDUERv 0 N IPitpl 5 NN N-G G SIGMA 3 2 3 4 'ES S03 SIGMA 03 vfS NO SO2 $1GMA4 3.5 SKILL 45 503 SIGMA 3 0.6 40 NO $04 SIGMA 34 0.8 YES SOS SIGMA t 0.3 YES s NO Sc6 Sl*JMA l 4 0.4 ) VES 'ES I S07 $1GMat3 0.5 a ? E = SOS SIEMA134 0.5 E{ 'ES sos SIsMata

0. 7 vES El NO
  • d 310 SIGMAlI4 0.0

$B 0 di 'ES 3: S:t $1eMas23 0.9 I5 F = Si, S qAi,3. i.. 3v 3: st FIGURE 2 DECISION TREE FOR SELECTION OF SIGMA FOR P July 1995 -}}

Retrieved from "https://kanterella.com/w/index.php?title=ML20086R328&oldid=4347603"