ML20141K168
| ML20141K168 | |
| Person / Time | |
|---|---|
| Site: | 05200003 |
| Issue date: | 05/07/1997 |
| From: | Kerch S, Roth E, Selim Sancaktar WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | |
| Shared Package | |
| ML20141K158 | List: |
| References | |
| OCS-GEH-030, OCS-GEH-30, WCAP-14651, WCAP-14651-R02, WCAP-14651-R2, NUDOCS 9705280352 | |
| Download: ML20141K168 (25) | |
Text
RE@lJPL4!!!Elseg l !Ph;;;pr g= -
- me**91 %.aWf%
$ =y=4y
"' ~ '1 y-5 Lj; KS n , ,
$; 4. ?
dE$hd ag e'm >J1A - 1 ma 4
---f 'T ,- s-~- j'(gMggg ,) . :
se aN9%
k IN k $
i f), .
I urij Ojl 't*
p HRP by@.~ l
,(f
=- -
7p.
WV+ r j,
g"w~g_:${ {Ps .1 .
1 5
_ d.
u ., 6- -
1 l
kIS$@kk. [ l; %
I ggg:t
. mrwr- -
- g f 415
.y-(. ~ [p ' s,.;
, i
, ... ,j - .
f
'{i n:
-t. , ,,
hp u .
4; x
'-[
~ T __ _
nR ul
.' j
[ !
_. y g( 1~J; wa - y. , >
j L ., g ig y
p- 2 '
i g
{e L g
?g:a"p4 q.
.m- ..
a t 7 k 4gg .. .
2 .
,, b;j L [ -
l 1 l .
NBt -- - -
- g. 9 ,7
.A.g a
%j>
_ s j ..r- fy fjejSt 6
2 m F 1
1 %)_ '
-2 hk obh ob200003 7
PDR ylh 5 gq .
' ~
J! }g l@ j i 1 .
, me%n <
i Westinghouse Non-Proprietary Class 3 '
WC AP-14651
$$$$ $ $$$ , Revision 2 w
Integration of Human Reliability 7 Analysis With -
Human Factors Engineering Design Implementation Plan 0
Westinghouse Energy Systems
, i 1L { i
__ --- 1
AP600 DOCUMENT COVER SHEET TDC: !
IDS: I S 1 Form 58202G(5/94) AP600 CENTRAL FILE USE ONLY:
0058.FRM RFS#: RFS ITEM 8: l AP600 DOCUMENT NO. REVISION NO. ASSIGNED TO OCS-GEH-030 2 Page 1 of
. ALTERNATE DOCUMENT NUMBER: WCAP-14651, Rev. 2 WORK BREAKDOWN #: 3.3.2.4.5 ;
DESIGN AGENTORGANIZATION: WEST;NGHOUSE ELECTRIC '
TITLE: Integration of Human Reliability Analysis and Human Factors Engineyng Design Implementation Plan j
i ATTACHMENTS: DCP #/REV. INCORPORATED IN THIS DOCUMENT REVISION:
1 CALCULATION / ANALYSIS
REFERENCE:
i ELECTRONIC FILENAME ELECTRONIC FILE FORMAT ELECTRONIC FILE DESCRIPTION 3637w.wpf Wordperfect a
(C) WESTINGHOUSE ELECTRIC CORPORATION 199Z
~
' 0 WESTINGHOUSE PROPRIETARY CLASS 2 This document contains information proprietary to Westinghouse Electric Corporation: ft is subrnhted in confidence and is to be used solely for the purpose for which it is fumished and returned upon request. This document and such informato1is not to be reproduced, transmitted, d'Sciosed or i
used otherwise in whole or in part without prior wntten authorization of Westinghouse Electric Coiporation, Energy Systems Business Unit, subject to
- the legends contained hereof.
O WESTINGHOUSE PROPRIETARY CLASS 2C This document is the property of and contains Proprietary information owned by Westinghouse Electrle Corporstion and/or its subcontractors and 4 suppliers. It is transmitted to you in confidence and trust, and you agree to treat this document in stnct accordanc4 with the terms and conditions of the agreement under which it was provided to you.
! O WESTINGHOUSE CLASS 3 (NON PROPRIETARY) 1 i
COMPLETE 1 IF WORK PERFORMED UNDER DESIGN CERTIFICATION QS COMPLETE 2 IF WORK PERFORMED UNDER FOAKE.
10 DOE DESIGN CERTIFICATION PROGRAM - GOVERNMENT LIMITED RIGHTS STATEMENT ISee page 2]
g Copyright statement: A license is reserved to the U.S. Govemrnent under contract DE-ACO3-90SF18495.
kDOE CONTRACT DELIVERABLES (DELIVERED DATA)
Subject to specified exceptions, disclosure of this data is restricted until September 30,1995 or Design Certification under DOE contract DE-ACO3-90SF18495, whichever is later. I EPRICONFIDENTIAL: NOTICE: 1 2 3 4 5 CATEGORY: A B C D EO F0 2 0 ARC FOAKE PROGRAM - ARC LIMITED RIGHTS STATEMENTISeepage2) i Copyright statement: A license is reserved to the U.S. Govemment under contract DE-FCO2-NE34267 and subcontract ARC 93-3-SC-001.
l 0 ARC CONTRACT DELIVERABLES (CONTRACT DATA)
S,Joject to specified exceptions, disclosure of this data is restricted under ARC Subcontract ARC-93-3-SC-001.
ORIGINATOR SIGNATU3E/DA S. P. Kerch h, I'r )f/M/j7 /ff7 AP600 RESPONSIBLE MANAGER SIGNATURE
- APPROVAL DATE D. J, Vaglia ff. /*f,4y f /f f 7
- Approval of the responsible manager signifies that document is comple6tl required reviews are complete, electronic file is attachwd and document is r: leased for use.
l
AP600 DOCUMENT COVER SHEET Page8 j Form 58202G(5/94) LIMITED RIGHTS STATEMENTS DOE GOVERNMENT UMITED RIGHTS STATEMENT (A) These data are submitted with limited rights under govemment contract No. DE-ACO3-90SF18495. These data may be reproduced and used by the govemment wrth the express hmitation that they will not, without written permission of the contractor, be used for purposes of manufacturer nor dicciosed outside the government; except that the govemment may disclose these data outside the govemment for the following purposes, if any, provided that the govemment rnakes such disclosure subject to prohibition against further use and disclosure:
(1) This
- Proprietary Data
- may be disclosed for evaluation purposes under the restrictions above. .
(II) The
- Proprietary Data
- may be disclosed to the Electric Power Research Institute (EPRI), electric utihty representatives and their direct consultants, excluding direct commercial competLrs, and the DOE National Laboratories under the prohibitions and restnctions above.
(B) This notice shall be marked on any reproduction of these data, in whole or in part.
ARC UMfTED RIGHTS STATEMENT:
This proprietary data, fumished under Subcontract Number ARC-93-3-SC-001 with ARC may be duplicated and used by the govemment and ARC, subject to the limitations of Article H-17.F. of that subcontract, with the express limitations that the propnetary data may not be disclosed outside the govemment or ARC, or ARC's Class 1 & 3 members or EPRI or be used for purposes of manufacture without prior permission of the Subcontractor, except that further disclosure or use rnay be made solely for the following purposes:
This proprietary data ma, be disclosed to other than commercial competitors of Subcontractor for evaluation purpcses of this subcontract under the restriction that the proprietary data be retained in confidence and not be further disclosed, and subject to the terms of a norMissclosure agreement between the Subcontrtetor and that organization, excluding DOE and its contractors.
DEFINITIONS CONTFtACT/DEUVERED DATA - Consists of docurnents (e.g. specifications, drawings, reports) which are 1 generated under the DOE or ARC contracts which contain no background proprietary data.
EPRI CONFIDENTIALITY / OBLIGATION NOTICES NOTICE 1: The data in this document is subject to no confidentiality obligations.
NOTICE 2: The dat.: in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence ano Trust for hmited purposes only. Any use, disclosure to unauthonzed persons, or copying of this document or parts thereof is prohibited except as agreed to in advance by the Electric Power Research Institute (EPRI) and Westinghouse Electric Corporation. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein that are permitted.
NOTICE 3: The data in this documentis etary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confi and Trust for use only in evaluation tasks specifically authorized by the Electric Power Research Institute (EPRI). Any use, disclosure to unauthorized persons, or copying thrs document or parts thereof is prohibited except as agreed to in advanco by EPRI and Westinghouse Electric Corporation. Reapient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein that are permitted. This document and any copies or excerpts thereof that may have been generated are to be returned to Westinghouse, directly of through EPRI, when requested to do so.
NOTICE 4: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is being revealed in confidence and trust only to Employees of EPRI and to certain contractors of EPRI for hmited evaluation tasks authorized by EPRI.
Any use, disclosure to unauthonzed persons, or copying of this document or parts thereof is prohibited. This Document and any copies or excerpts thereof that rnay have been generated are to be retumed to Westinghouse, directly or through EPRI, when requested to do so.
NOTICE 5: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. Access to I this data is given in Confidence and Trust only at Westinghouse facilities for hrruted evaluation tasks assigned by EPRt. Any use, disclosure i to unauthonzed persons, or copying of this document or parts thereof is prohibited. Neither this document nor any excerpts therefrom are to be removed from Westinghouse facilities.
EPRI CONFIDENTIALITY / OBLIGATION CATEGORIES \
l CATEGORY *A"- (See Delivered Data) Consists of CONTRACTOR Foreground Data that is contained in an issued reported.
CATEGORY 'B"- (See Delivered Data) Consists of CONTRACTOR Foreground Data that is not contained in an issued report, except for ,
computer programs.
CATEGORY 'C"- Consists of CONTRACTOR Background Data except for computer programs.
CATEGORY 'D"- Consists of computer programs developed in the course of performing the Work.
CATEGORY *E"- Consists of computer programs developed prior to the Effective Date or after the Effective Date but outside the scope of the Work.
CATEGORY T"- Consists of administrative plans and adrninistrative reports.
i i
f WESENGHOUSE NON-PROPRIETARY CLASS 3 i I
WCAP-14651 Revision 2 l
i
. Integration of Human Reliability !
Analysis with Human Factors Engineering Design Implementation Plan S. P. Kerch j E. M. Roth S. Sancaktar
( AP600 DesignCertification Project May1997 l
l 1
l I
I l
1 1
l i
l.
Westinghouse Electric Corporation !
EnergySystem Business Unit P.O. Box 355
- Pittsburgh, PA 15230-0355 l
C 1997 Westinghouse Electric Corporation AllRights Reserved 3637w.wpf.lb-050697 j
C iii P
1 TABLE OF CONTENTS t I
i 1
s Section Title l ,
East j l
J
' LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ' ii l- LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v. . . . . . . . . .
g . LIST OF ACRCNYMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi i
1 1
INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 I l 1.1 Scope and Objective of Implementation Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1~ ;
1.2 Use of HRA/PRA Insights to Guide HFE Design . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 !
2 a'
- PRA/HRA IDENTIFICATION OF CRITICAL HUMAN ACTIONS ,
l AND RISK-IMPORTANT TASKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 I 2.1 Critical Human Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 !
2.2 Risk-Importan t Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 3 I TASK ANALYSES FOR CRITICAL HUMAN ACTIONS AND RISK-IMPORTANT TASKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 3.1 Input to Operational Sequence Task Analyses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 3.2 Confimung/ Refining HRA Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 l
4 RE-EXAMINATION OF CRITICAL HUMAN ACTIONS AND RISK-IMPORTANT TASKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 5 VALIDATION OF HRA PERFORMANCE ASSUMI'rIONS . . . . . . . . . . . . . . . . . . . . . . . 5-1 6- REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 I
APPENDIX A ' EXAMPLES OF CRITICAL HUMAN ACTIONS AND RISK-IMPORTANT TASKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1 1
1 1
l t
l l l l.
5
- 4 s
4 1- l 1
4
! l Integration of Human Reliability Analysis with Human Factors Revision 2 l 4
mA3637w.wpf:1b4150697 May 1997 i l
I i ,
I
+ ~ , . , - - - - , - , , , . - , -
, iv :
4 LISTOFTABLES l Table A-1 Risk-Important Tasks for Internal Events During Power Opera tion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2 i .
l I i
I t
1 l
l Integration of Human Reliability Analysis with Human Factors Revision 2 m:\3637w.wpf:1bN g 3997 y
g v
LISTOF FIGURES Figure 1-1 Overview of How HRA Activities are Integrated in the HFE Progra m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 I
l l
I
- Revision 2 l Integration of Human Reliability Analysis with Human Factors May 1997 m:\3637w.wpf:1b450697
_ - _ _ _ _ _ _ _ _ _ - - - - - - - - - - ~~~
vi LISTOFACRONYMS i ADS Automatic DepressurizationSystem CDF Core DamagdFrequency COL Combined License CVS Chemicaland Volume ControlSystem DAS Diverse Actuation System -
HFE Human Factors Engineering HRA Human Reliability Analysis HSI Human SystemInterface IRWST In-Containment Refueling Water Storage Tank LOCA Loss-of-CoolantAccident LRF LargeReleaseFrequency /
MMI Man-MachineInterface M-MIS Man-MachineInterface System MLOCA Medium LOCA MOV Motor-Operated Valve MTIS Maintenance, Inspection, Test and Surveillances PMS Protection and Safety Monitoring System PRA ProbabilisticRiskAssessment RAW Risk Achievement Worth RRW Risk Reduction Worth RCS Reactor CoolantSystem RNS NormalResidualHeatRemoval SG Steam Generator SGTR Steam GeneratorTube Rupture SLOCA Small LOCA SSC Systems, Structures, and Components THERP Technique for Human Error Rate Prediction V&V Verification and Validation l Integration of Human Reliability Analysis with Human Factors m:\3637w.wpf:1N7 Revision 2 May 1997
}
1-1 1 INTRODUCTION This document provides an implementation plan for the integration of Human Reliability Analysis (HRA) with Human Factors Engineering (HFE) design. It describes the interrelation
- among the activities conducted by the Man-Machine Design group, the Procedures Development group, and the HRA and Probabilistic Risk Assessment (PRA) group.
1.1 Scope and Objective ofImplementation Plan l The objective of theIntegration ofHRA with HFE Design Implementation Plan enables- 1
=
the HRA activity to integrate the results of the HFE design activities
=
the HFE design activities to address risk-important tasks and human error mechanisms in order to minimize the likelihood of personnel error and to provide for error detection and recoverycapability This document does not cover HRA methodology. HRA methodology and results are described as part of the AP600 PRA Study, Reference 7.
1.2 Use of HRA/PRA Insights to Guide HFE Design 1
The AP600 design draws on lessons learned from existing plant experience and results of past HRAs and PRAs to reduce the potential for human error and increase safety. In response, one approach to increase plant safetyin the AP600 has been to simplify the plant design and reduce the number of human actions required.
l This Integration ofHRA with HFE Design Implementation Plan describes the process by which insights from HRA/PRA are used to improve the HFE design and limit the risk to humans and the risk of errors.
Figure 1-1 provides an overview of how HRA activities are integrated within the HFE program.
There are three primary points ofinteraction:
- 1. Task Analysis: Results of HRA/PRA analyses are t. sed to identify risk-important tasks and performance requirements as input to HFE Wk analysis activities.
- 2. Human System In':erface (HSI) Design and Procedure Development: Results of the HSI design and procedure development activities are used to confirm and/or refine HRA assumptions. Tasks that are identified in the HRA/PRA that pose serious challenges to plant safety and reliability are re-examined by task analysis, HSI design and procedure l
l Integration of Human Reliability Analysis with Human Factors Revision 2
. m:\3637w.wpf;1b-050607 May 1997 l
12 l
I development identifies changes to the operator task, procedures, or the control and display environment to minimize the likelihood of operator error and provide for error detection and recovery capability.
- 3. HFE Verification and Validation (V&V): HRA performance assumptions (e.g., actions to be performed; time within which they are completed) are validated as part of the HFE Integrated System Validation.
While training is an important contributor to human reliability, it is not explicitly addressed in I this implement ation plan because training program development is a Combined License (COL) applicant responsibility. Westinghouse will provide the COL applicant with +he AP600 PRA Study documentation that includes the description of HRA assumptions and results relevant to training. In addition, insights relevant to the training program are provided in a report following the HFE V&V. This report includes a list of critical human actions (if any), risk-important human actions, the performance requirements for those actions (e.g., response time) and any insights gained during the V&V that relate to training requirements for risk-important human actions (see Section 13.2.1 of the AP600 SSAR).
l Integration of Human Reliability Analysis with Human Factors Revision 2 m;\3637w.wpf:1M50697 May 1997
1-3 h
Functional
%nt & System E - Analysis &
Design " ' Probabilistic Allocation Risk m E Assessment if Ak l i
haw / )
W Guidelines l
CriticalHuman Actions; yf 1I 1I Risk-Imponant Tasks; Performance Requirements Human Tas 2 ysis ------> Ili'Y M Anal 3k M MC?
I fl f lf i
l l Procedure h m m M. MIS I I Development -
Design l l M M ConfirmfRefine I
HRA Assumptions t -
- - - - - - - - - - - - l l
1I Test Scenarws: l m '
Performance A ssumptions g Verification g
& Validation ------------
Validation ofPerformance Assumptions i
Figure 1 'l Overview of How HRA Activities are Integrated in the HFE Program l Integration of Human Reliability Analysis with Human Factors Revision 2 m:\3637w.wpf:1b450697 May 1997
2-1 2 PRA/HRA IDENTIFICATION OF CRITICAL HUMAN ACTIONS AND RISK-IMPORTANTTASKS i
. 1 In order to enable human actions and tasks (that are important to plant safety) to be explicitly l
, addressed as part of the HFE design effort, the results of the HRA are used to identify critical human actions (if any) and risk-important tasks. The human actions and tasks identified are used '
I as input to task analysis and HFE design activities.
- The following subsections provide the criteria applied to identify the critical human actions and risk-important tasks. Appendix A provides examples that are based upon AP600 PRA studies j available September 1996. '
2.1 CriticalHuman Action
- Two alternative criteria define critical human actions
4 i
Determmistic Criteria: Any human action that is required to prevent core damage or severe
- release in licensing design basis accidents (Ref.1).
or PRA Criteria: Any human action (as identified from those baseline PRA studies with quantitative 2
results) that,if failed, would result in total core damage frequency equal to or greater than IE-4 4
(1x10 ) or severe release frequency equal to or greater than 1E-5 (1x10~5).
The baseline PRA studies include internal at-power events, intemal shutdown events, and fire,
! flood,and seismic events.
l 2.2 Risk-ImportantTasks i
Risk-important tasks that involve human actions will be identified using two risk-important measures that are commonly used in PRA studies:
~
- 1. Risk-Increase Measure: This measure examines the increase in risk that would result if the probability of failing to take human action were set to l.0. The objective of this measure is to identify human actions that, if failed to be taken, would result in a significant increase in risk. These tasks would be included in the task analyses and integrated V&V activities to ensure that they are adequately supported by the Man-Machine Interface System (M-MIS), so as to minimize the potential for error.
l l Integration of Human Reliability Analysis with Human Factors Revisim 2 m:\3637w.wpf;1b Os0697 May 1997
2-2
- 2. Risk-Decrease Measure: This measure examines the decrease in risk that would result if the probability of failing to take the human action were set to 0. The objective of this measure is to identify human actions, that if executed correctly, would result in a significant reduction in risk. These tasks would be included in the task analyses and integrated V&V activities to ensure that they are adequately supported by the M-MIS, so as to maxinuze the potential for correct performance.
- PRA studies are performed for: ,
'i Internal at-power events (core damage and severe release)
Internal shutdown events (core damage and severe release)
=
Fire, flood events (only core damage bounding assignment is being performed)
Seismic events (seismic margins only)
In addition, a focused PRA sensitivity study is performed to provide input to regulatory treatment of nonsafety systems. In this study, no credit is taken for nonsafety-related systems in the calculation of core damage and severe release frequencies. Credit is only taken for safety-related systems. The focused PRA sensitivity study is performed for:
i e Internal at-power events
. Internalshutdownevents l
=
Fire and flooding events (core damage bounding assignment only) -
The results of these PRA studies are exammed to identify risk-important tasks. i
- Quantitative criteria used in identifying risk-important tasks, in cases where quantitative measures of risk-increase and risk-decrease are available, are described below. The qualitative criteria used to identify risk-important tasks are also described. The qualitative criteria are applied !
to each of the PRA studies listed above.
Quantitative Criteria for Risk-Importamt Tasks
' A task is defmed to be risk-importanf if its importance, as calculated by one of these two measures, -)
is above a risk threshold associated with that measure. -
The two measures are formally quantified as follows: .l
- 1. Risk-Increase Measure: This measure provides the importance of a human action for core ;
damage and severe release with respect to maintaining the existing risk level. For this l purpose, the core damage and severe release is requantified for each human action by l setting its failure probability to l.0. The risk-importance of a human action is then defined l a s the percentage increase in core damage and severe release frequency. For example, a l Integration of Human Reliability Analysis with Human Factors Revision 2
' m:\3637w.wpElb450697 May 1997
i 2-3 :
risk-importance of 100 is the same as doubling the base core damage frequency or severe release frequency (dependent upon whether the PRA study being examined is a core damage or severe release study) when the task failure probability is set equal to 1.0. The l larger the percentage, the more important the human action is in maintaining the existing i risklevel. f
. ?
The risk-increase importance threshold used for AP600 is 200 percent for internal events, at-power and shutdown, for both core damage and severe release. This is equivalent to a i riski
- byement worth (RAW) of 3.0. Any value below this is deemed to be too small to l l- red as worthwhile to pursue.
I In the case of the focused PRA sensitivity study, the risk-increase importance threshold l used is 100 percent (a RAW value equivalent to 2.0). !
- 2. Risk-Decrease Measure: This measure provides the importance of a human action for l core damage and severe release with respect to reducing the existing risk level. For this ,
i
. purpose, the core damage and severe release is requantified by setting each operator action failure probability to zero. The importance of a human action is then defined as the j percent decrease in core damage and severe release frequency. For example, a risk-decrease value of 10 percent indicates that the maximum benefit that can be obtained by j j
improving task failure probability is 10 percent. The larger the percent decrease, the more important the human action is in potentially reducing the existing risk. ;
1 The risk-decrease importance threshold used for AP600 is 10 percent for internal events, -l at-power, and shutdown, for both core damage and severe release. This is equivalent to a l risk reduction worth (RRW) of about 1.1. Any value below this is deemed to be too small j to be considered as worthwhile to pursue.
In the case of the focused PRA sensitivity study, the risk-decrease importance threshold j used is 5 percent (RRW of about 1.05). j t
The definition of risk-important tasks provided above utilizes well-recognized and quantifiable !
concepts of ris.-mcrease and risk-decrease measures, which take into account different aspects of j risk-importance. Defining risk-important tasks in terms of risk-incrk and risk 4ecrease is !
consistent with the risk-importance measures used for other appWs, such as the NRC l maintenance rule. A uniform definition of risk-importance across airrerent application areas ;
allows consistency, as well as efficiency, since importance tables created for basic events may be :
. used for different applications. ;
i l Integration of Human Reliability Analysis with Human Factors Revision 2 i mA3637w.wpf:ll>450697 May 1997 6
-._-. +._, . ._ .. -,-- - , . , , - -
~
2-4 Qualitative Criteria for Risk-Important Tasks In addition to quantitative measures, qualitative criteria for identifymg risk-important tasks are applied to the PRA studies. An expert panel representative of HRA/PRA, systems engineerin design, HSI design, and HFE apply the criteria and identify the associated risk-important tasks.
Criteria used to identify risk-important tasks include:
1.
Operator actions that estimate the time to completion is close to the time window available for completion 2.
Operator actions where the nature of the operator activities, or demands placed upon operators are complex, unique, or potentially challenging 3.
Operator actions just below the threshold values for critical human actions (as defined in Section 2.1) and the threshold values for risk-important tasks (as defined in Section 2.2) are re-evaluated for inclusion as a risk-important task 4.
Operator actions needed to prevent a situation where conflicting safety goals may result 5.
Operator actions that are deemed to be risk-important by the panel members based upon history and the panel's expert cpinion Qualitative Criteria for Risk-Important Maintenance, Inspection, Test, and Surveillances
- Qualitative criteria are used to identify risk-important maintenance, inspection, test, and surveillances (MTIS). Risk-important MTIS are identified by examuung " risk-significant" Systems, Structures, and Components (SSC). The criteria used to identify " risk-significant" SSCs are provided in SSAF.16.2, " Reliability Assurance Program." A subset of these " risk-significant" SSCs and a representa 6ve set of the associated MTIS are selected by an expert panel. This to be comprised of representatives with expertise from relevant groups in the design process, such as systems engineering, reliability engineering, PRA, HFE, and HSI design. Criteria used to identify risk-impor tant MTIS tasks include 1,2,4, and 5 listed above. The set of MTIS tasks identified through the expert panel process are defined to be risk-important and exannned in task analysis procedures, HSI design, and V&V activities.
l Integration of Human Reliability Analysis with Human Factors m:\3637w.wpfib-050697 Revision 2 May 1997
3-1 3 TASK ANALYSES FOR CRITICAL HUMAN ACTIONS AND RISK-IMPORTANTTASKS The HRA/PRA group specify human actions and task sequences to be used as input to the task analyses performed as part of the HFE program. This includes all critical human action 3 (if any) and risk-important human actions.
3.1 Input to Operational Sequence Task Analyses The human actions and tasks identified by HRA activities are included in the set of tasks examined using operational sequence task analyses. The inputs to the task analyses include a specification of the task sequences performed, as well as any performance requirements, such as time windows within which an action needs to be completed. This input guides the design of the HSI and the development of the procedures so as to adequately support these risk-important tasks.
The HSI and procedures groups submit results of their analyses (e.g., function-based task analyses; operational sequence task analyses) and design activities (e.g., emergency response guidelines (ERGS), functional requirement documents; display descriptions) to the HRA group for review and comment.
3.2 Confirming / Refining HRA Assumptions HRAs conducted early in the design process, necessarily make assumptions about function allocation, human actions performed, and the quality of the HSI design, procedures, and related performance-shaping factors, that are confirmed or refined as the design effort progresses.
Once man-machine function allocation becomes finalized, and initial HSI designs and procedures are completed, it becomes possible to perform more detailed sequential task analyses that more accurately reflect details of the design. At this point it becomes possible to examine the impact of advanced digital technology, and the details of the HSI design and procedures, on the operator actions to be performed, the demands they place on the operator, and the estimated duration time to complete them. .
When initial HSI designs and procedures are completed, more detailed operational sequence task and workload analyses are performed to obtain more accurate estimates of workload and task completion times for the set of tasks identified by the HRA/PRA group. (These more detai1e d operational sequence task analyses are referred to as OSA-2 in the description of AP600 Task Analysis Activities, SSAR subsection 18.5.2.3.) The results are documented in a report, and provided to the HRA/PRA group.
l Integration of Human Reliability Analysis with Human Factors Raision 2 May 1997 m:\3637w.wpElt>450697
.3-2' l-The HRA/PRA group then reviews the HFE design and analysis documents for potenti on HRA assumptions.
i l
l Integration of Human Reliability Analysis with Human Factors Revision 2 m:\3637w.wpf:1NMiO697 May 1997 l
4-1 4 RE-EXAMINATION OF CRITICAL HUMAN ACTIONS AND RISK-IMPORTANTTASKS If a critical human action or risk-important task is determined to be a potentially significant contributor to risk, based on the results of Section 3, it is re-examined by task analysis, HSI design, and procedure development. This is to identify changes to the operator task or the control and display environment, to reduce the likelihood of operator error and provide for error detection and recovery capability, e
Revision 2 l Integration of Htunan Reliability Analysis with Human Factors May 1497 m:\3637w.wpf:1b450697
l 5-1 5 VALIDATION OF HRA PERFORMANCE ASSUMPTIONS Validation of HRA operator performance assumptions is performed as part of the Integrated HFE System Validation.
The HRA/PRA group identifies scenarios that involve critical or risk-important human actions that are included as part of the set of scenarios used in the Integrated HFE System Validation. i The HRA/PRA group identifies specific performance assumptions to be confirmed as part of the validation exercises. Examples of these assumptions are: that particular actions to be performed are satisfactorily completed, and completed within the time-window specified in the PRA.
The scenarios indicated by the HRA/PRA group are included as part of the Integrated HFE i System Validation, and perfonnance measures are collected to support confirmation of the HRA performance assumptions. The results of the analyses are provided to the HRA/PRA group.
No attempt is made to validate the quantitative HRA probabilities.
After reviewing the results of the Integrated HFE System Validation, the HRA/PRA group determines whether any changes need to be made to the HRA modeling assumptions and whether any changes are required to the HRA quantification. If necessary, the HRA is modified, and theimpact on the PRAis assessed.
As part of the process determuung whether HRA requantification is necessary, the HRA/PRA group assesses whether the technique for human error rate prediction (THERP) error frequency database currently employed to generate error probability estimates continues to be the most appropriate source for HRA quantification, or whether new error quantification databases, that more closely match the AP600 modeling assumptions and are accepted by the NRC, have become available.
A report is generated documenting the results of the exercises intended to validate the HRA performance assumptions, and the impact on HRA/PRA quantification, if any. This report is submitted to the NRC for review and constitutes the analysis results report for Element 6 of the Human Factors Engineering Program Review Model (NUREG-0711).
l Integration of Human Reliability Analysis with Human Factors Revision 2 m:\3637w.wpf:1b 050697 May 1997 l
. - . . - - - . . - - .~ - - _ - . . . - .
6-1
< 6' REFERENCES I
- 1. AP600 Standard Safety Analysis Report, Volume 8, Chapter 15 Accident Analysis
- 2. AP600 PRA Study: Core Damage Frequency Quantification, February 1996
- 4. AP600 PRA Study: Severe Release Frequency Quantification, September 1996
- 5. AP600 PRA Study: Low Power and Shutdown Assessment, June 1995
- 7. AP600 PRA Study: Human Reliability Analysis, June 1996 f
i i
i I
I i
l . Integration of Human Reliability Analysis with Human Factors Revision 2 l m:\3637w.wpf;1b4s0697 May 1997
i l
APPENDIX A EXAMPLES OF CRITICAL HUMAN ACTIONS AND RISK-IMPORTANTTASKS l
l l
l l
i i
l Integration of Human Reliability Analysis with Human Factors Revision 2 m:\3637w.wpf.ItW50697 May 1997 l
i
A-1 APPENDIX A EXAMPLES OF CRITICAL HUMAN ACTIONS AND RISK-IMPORTANT TASKS ti This Appendix provides examples of critical human actions and risk-important tasks, as identified from the AP600 PRA Study results, available as of September 1996. These examples are a result of applying only the quantitative criteria described in Sections 2.1 and 2.2 of this document. Since the qualitative criteria have not been applied, these examples represent only a subset list.
These examples are provisional and may change as PRA studies are updated and the qualitative assessments are performed. The examples are provided as illustration of the methodology for identifying critical human actions and risk-important tasks.
A.1 Critical Human Actions Based on the results of the AP600 PRA Study, as of September 1996, there are no critical human actions (as defined by the criteria of Section 2.1) for the AP600 plant.
A.2 Risk-Important Human Tasks In this section, examples of risk-important tasks obtained by quantitative risk measures for intemal events during power operation and during shutdown are provided.
A.2.1 Internal Events During Power Operation l
For internal events during power operation, quantitative rankmg of operator actions modeled in the PRA are available for the base case and the focused PRA, both for plant core damage frequency (CDF) and the plant large release frequency (LRF). References 2,3, and 4 provide this information. Using the quantitative criteria of Section 2.2, the risk-important tasks are identified and are listed in Table A-1. The table also shows the source (e.g., base or focused PRA; core damage or large release; risk increase or risk decrease). >
In Table A-1, the quantitative risk measures for each selected action are given in terms of their
. RAW and/or RRW values. The cutoffs used for these values, as described in Section 2.2 of the report are repeated here for the convenience of the reader:
l Integration of Human Reliability Analysis with Human Factors Revision 2 m:\3637w.wpf 1t>450697 May 1997 I
J
M E' g >
h
, E. Table A-1 Risk-Important Tasks for Internal Events During Power Operation 40 Co Base PRA Focused PRA CDF LRF CDF LRF h Basic Event Description RAW RRW RAW RRW RAW RRW RAW RRW W
g 1 ADN-MAN 01 Operator fails to manually actuate ADS 4.6 -
6.8 -
3.5 -
2.8 -
h 2 ATW-MANO3 Operator fails to manually trip reactor via PMS -
1.05 4.5 1.24 6.7 1.45 5.7 1.34 4
3 ATW-MAN 04C Operator fails to manually trip reactor via DAS - - -
1.23 - - - -
q 4 ADV-MANOS Operator fails to manually trip reactor via PMS - -
8.5 - - - - -
5' g 5 CIB-MAN 00 Operator fails to diagnose SGTR event 5.5 -
6.5 - - -
2.9 -
5 6 CIB-MAN 01 Operator fails to closc MSIV for failed SG - -
4.4 - - -
2.9 -
lt
@ 7 LPM-MAN 01 Operator fails to recognize need for RCS - -
5.6 -
3.5 -
2.6 -
g depressurization (SLOCA/ transient)
[ 8 LPM-MAN 02 Operator fails to recognize need for RCS 3.6 - - - - - - -
o depressurization (MLOCA)
El 9 REC-MANDAS Operator fails to actuate a system using DAS - - -
1.18 - - - -
REC-MANDASC only 10 REN-MANO3 Operator fails to open IRWST valves to flood - -
5.4 - - - - -
reactor cavity 11 REN-MAN 04 Operator fails to actuate containment sump 5.0 - - - - - - -
recire. after level signal fails 12 RTN-MAN 01 Operator fails to perform controlled shutdown 3.7 - - - - - - -
(OTII-SDMAN) b a
sw
- - - - _ _ _ - . . . . . _ . . - - - _____---_-_-_w__.-_- _ - _ - - . - _ - _ _ _ - - _ _ _ _ . - _ _ _ - n --- ___----_a- - - - -
i l A-3 l
l l
l
1' ,
l FromTable A-1,it is observed that 12 human actions / tasks are identified as risk-important for .
l internal events during power operation.
A.2.2 Internal Events During Shutdown ,
i f
For internal events during shutdown, quantitative risk measures for only CDF are available.
i Applying the quantitative criteria of Section 2.2 to the CDF results of the base case and the '
l focused PRA, the risk-important tasks are identified below. The risk-important tasks for LRF for l shutdown events can be later identified using qualitative criteria.
l=
l Base PRA When the risk-important measures and threshold values are applied to the output of the AP600
- CDF for shutdown events (Ref. 5) a total of three risk-important tasks result from the application of risk-increase and risk-decrease measures. These ere
- <
. Operator fails to recognize a need for Reactor Coolant System (RCS) depressurization (LPM-MAN-05)
- Operator fails to open two in-containment refueling water storage tanks (IRWSTs) motor- ,
- operated valves (MOVs) (IWN-MAN-00) !
I
- Operator fails to recognize the need to open normal residual heat removal (RNS)
MOV-V023(RHN-MAN-05) ,
Initiating events are also examined to determine whether there are any cases where operator l actions substantially contribute to the frequency of the initiating event. Three initiating events ;
were identified that met the criteria for risk-increase and/or risk-decrease and where -
assumptions of a human error substantially contributed to the frequency of the initiating event.
. Theseinitiating events are:
. RCS overdrain during drainage to midloop condi on initiating event occurs
. Loss-of-coolant accident (LOCA) due to inadvertent opening of RNS-V024 initiating c event occurs-hot / cold shutdown i
l Integration of Human Reliability Analysis with Human Factors Revision 2 m:\3637w.wpf;1b-Os0697 May 1997
- _ _ --J
A-4 f
a' LOCA due to inadvertent opening of RNS-V024 initiating event occurs - RCS drained i
There are three operator actions identified that substantially contribute to these initiating events !
and are therefore considered risk-important tasks: I a *
. Failure to align the RNS to provide a diversion path to the IRWST during cold shutdown, ,
and terminate the event by reclosing the valve Failure to observe failure of the hot-leg-level instruments and failure to close the air-operated valves chemical and volume control system (CVS)-V045 and V047 to preclude >
- initial overdrairung of the RCS, during draining of the system to mid-loop .
. ilure to detect failu ce of automatic closure of air-operated valves CVS-V045 and V047, ad failure to mam : ly close the valves, when low hot-leg-level is reached during l draining of thesystemto midloop I
Focused PRA i When the results of the focused PRA sensitivity study for CDF are examined (Ref. 6), using a risk- )
increase threshold of 100 percent and a risk-decrease threshold of 5 percent, no new risk-important ;
tasks are identified for shutdown events. A total of one risk-important task results from the application of risk-increase and risk-decrease measures to the focused PRA sensitivity study for shutdown events.Thisis. ;
1 Operator fails to open two IRWST MOVs (IWN-MAN-00)
Note this operator action was already identified to be risk-important based on the base shutdown PRA.
l i
4 i
- l Integration of I'luman Reliability Analysis with Human Factors Revision 2 j m:\3637w.wpf:1b450697 May 1997 l
. . - . .