ML22070A155
| ML22070A155 | |
| Person / Time | |
|---|---|
| Issue date: | 05/13/2016 |
| From: | Chang Y, Jing Xing NRC/RES/DRA/HFRB |
| To: | |
| Xing, Jing - 301 415 2410 | |
| References | |
| Download: ML22070A155 (37) | |
Text
The General Methodology of an Integrated Human Event Analysis System (IDHEAS-G)
Y. James Chang, Jing Xing US Nuclear Regulatory Commission 1
Presentation to EHPG, May 8-13, 2016, Norway
HRA in the NRCs regulatory decision process
- Bases for orders and generic issues
- Rulemaking
- Oversight
- Licensing
- Event analysis 2
NRCs HRA research activities Scientific foundation -
Cognitive Basis for HRA HRA data -
SACADA and others HRA method improvement -
IDHEAS HRA variability and uncertainty -
Improved methods, data foundation, guidance for expert judgment 3
HRA applications-Fire HRA, MCR abandonment, FLEX
HRA method improvement - Development of IDHEAS (An Integrated Human Event Analysis System)
Cognitive basis for HRA (NUREG-2114) 4 IDHEAS General Methodology (IDHEAS-G) for nuclear-related applications (NUREG-2198)
IDHEAS Internal At-power Application (NUREG-2199)
Other application-specific HRA models (e.g., Ex-CR actions)
Scientific Literature
IDHEAS-G key features 5
- A general methodology - IDHEAS-G models the full cycle of cognitive process underlying human actions and it is application-independent.
- Enhanced guidance for qualitative analysis
- A Basic Quantification Structure - with a basic set of cognitive failure modes, a comprehensive list of performance influencing factors (PIFs), and cognitive mechanisms
- Application-specific quantification models derived from the Basic Quantification Structure
- A built-in interface with human performance data
Overview of IDHEAS-G Task 1 HFEs CRD and critical tasks PRA scenario Cognitive failure modes (CFM)
- Wrong detection criteria were used
- Data misleading or not available
- Critical data misperceived HFE 1 HFE 2 HFE 3 PIFc and HEP Task 2 Task 3 CFM Operational narrative Analyze scenario context and develop operational narrative Identify, define, and assess HFEs Basic Quantification Structure Develop application-specific quantification model to calculate HEP:
- Compute or estimate HEPs of the CFMs Perform integrative analysis Identify and analyze critical tasks of a HFE 6
PIFc 1 PIFc 2 PIFc 3 PIFc 4
Step 1: Scenario Analysis and Operational Narrative Develop a baseline scenario include the following elements:
- Initial condition
- Initiating event
- Consequences of the initiating event
- Operational narrative and timeline Perform high-level scenario context analysis:
- System Context: To understand the system responses and operational constraints.
- Crew Context: To aware the conditions that may adversely affect human performance at the scenario level.
- Task context: To understand the task flows and identify the limiting factors, e.g., time criticality or operation limitations.
7
Step 2: HFE Identification, Definition, and Feasibility Analysis
- Identify the initial set of human failure events (HFEs) from the baseline scenario
- Work with PRA analysts to specify and define the event tree top events
- Ask what-if questions to populate the event sequences and top events
- Perform HFE feasibility analysis 8
Step 3: Task Analysis
- Develop the crew response diagram (CRD) to represent the expected crew responses for success of the HFE
- Identify the critical tasks and cognitive activities required for the tasks
- Perform time analysis and time uncertainty analysis of each HFE
- Estimate uncertainty distributions of T(Required) and T(Available)
- Provide basis to calculate Pt[T(Available) > T(Required)]
9 1
2 3
4 Identify sLOCA Transfer to E-1 from E-0 Transfer to ES 1.2 Initiation of cooldown at step 7 of ES 1.2 Success
Step 4, 5, & 6: Quantification Step 4: Basic Quantification Structure - The HEP formula, a basic set of cognitive failure modes (CFMs),
cognitive mechanisms, and a comprehensive list of PIFs Step 5: Guidelines for developing application-specific quantification models Step 6: HFE dependency analysis and uncertainty analysis 10
Cognitive process Macrocognitive functions 11 D1-Establish acceptance-criteria for information D2 - Prepare tools needed D3 - Identify and attend to sources of information D4 - Perceive information D5-Verify / modify detection D6-Retain or communicate the information Detection Understanding Decision making Action Teamwork Operator task Basis of HEP Quantification:
Macrocognitive functions and cognitive processes
12 Cognitive failure mode Cognitive Mechanism PIF Proximate Cause 1
- CFM 1-1
- CFM 1-2
- CFM 1-3 Macrocognitive function Overview of Basic Quantification Structure
13 Pc = Pc(Critical Taski)
Basic Quantification Structure 1) - The HEP formula
Cognitive process for Detection Failures of the process (Proximate causes)
Behaviorally observable CFMs 14 D1-Establish acceptance-criteria for information D2 - Prepare tools needed D3 - Identify and attend to sources of information D4 - Perceive information D5-Verify / modify detection D6-Retain or communicate the information PC1-Fail to establish acceptance-criteria PC2 - Fail to prepare tools PC3 - Fail to attend to the correct source of information PC4 - Fail to correctly perceive the information PC5-Fail to verify or modify detection results PC6-Fail to retain or communicate Information Three types of CFMs:
Unable to do it Didnt do it Did it wrong D4-1 Primary information is not available D4-2 Key alarm or alert not attended to D4-3 Key parts of information not perceived or monitored D4-4 Information misperceived (information Incorrectly perceived, fail to discriminate weak signals, reading errors)
D4-5 Parameters incorrectly monitored Basic Quantification Structure 2) - A basic set of CFMs
Basic Quantification Structure 3) - Cognitive mechanisms 15 Cognitive process CFMs Challenges to cognitive mechanisms D4-Perceive information D4-1 Primary information is not available D4-2 Key alarm or alert not attended to D4-3 Key parts of information not perceived or monitored D4-4 Information misperceived (information Incorrectly perceived, fail to discriminate weak signals, reading errors)
D4-5 Parameters incorrectly monitored
- Loss of vigilance Attention is not focused on cues
- Expectation is wrong or biased
- Working memory failure (overflow, degraded with time, or not consolidated, or memorizing wrong information )
Cognitive mechanisms make the cognitive process working reliably.
Errors occur when the capacity limits or vulnerabilities of the cognitive mechanisms are challenged.
Every proximate cause /CFMs is associated with a set of cognitive mechanisms.
16 General PIF categories:
- System - plant condition, information, event evolution, system responses
- Crew - staffing, crew, work environment, infrastructure of communication and coordination, organizational factors
- Task - workload, task complexity, available time
- Job assistance for crew - Human-system interface (HSI), tools, procedures, training, fitness-for-duty A PIF is characterized by observable and assessable traits, e.g.
Workload - Unfamiliar scenario, multitasking, unpredictable dynamics HSI - Alarm saliency, distribution of relevant information, display format Training - Perceived urgency, frequency of training, training on failure modes Basic Quantification Structure 4) - A comprehensive list of PIFs
Modeling the effect of PIFs on HEP based on cognitive research
- 1) A comprehensive list of PIFc
- 2) Two types of PIFs that affect HEPs differently - Error contributing factors and error modification factors
- 3) Links between PIFs - cognitive mechanisms - proximate cause /
- 4) References (from cognitive literature and operational events) demonstrating the effect of PIF on macrocognitive functions or CFMs 17
PIF model: 1) A comprehensive list of PIFs Most PIFs identified were reported in the literature or human event reports; A few PIFs were inferred from studies of cognitive mechanisms The PIFs in existing HRA methods were included.
Unfamiliar scenarios Multitasking Distraction / Interruption Unpredictable system dynamics Mental fatigue (time at work, long-working hours)
Examples of PIFs:
Complexity for action execution:
o Number of related action sequences o
Number of control actions o
Durations of action sequences o
Number of exceptions o
Variety of action types o
Relation among action steps 18
PIF model: 2) Two types of PIFs Error contributing factors Related to the quality of information and specificity of the criteria by which the task is judged as correctly performed.
directly contribute to the HEPs; a single PIF can change the HEP across several orders of magnitude.
Error modification factors Usually do not alone lead to human errors; e.g., time pressure can increase the likelihood of errors, but the factor alone usually does not cause errors if other PIFs are in nominal status.
modifies HEP in a relatively small range, typically less than a factor of 10 between the nominal and very poor status of a PIF.
Error contributing factors 1.0 0
HEP Modification factors
PIF model: 3) Link between PIF - cognitive mechanisms - Proximate cause /PIFs Every proximate cause is associated with a set of cognitive mechanisms.
Every PIF challenges one or several cognitive mechanisms.
The cognitive mechanisms serve as the basis for identifying and assessing PIFs.
Example: links between PIFs and cognitive mechanisms:
Decision-making: Manage the goal Cognitive mechanisms: A-Incorrect goals selected. B-Incorrect prioritization of goals. C-Incorrect judgment of goal success.
Mechanism PIFs AB Conflict goals: choosing one goal (or option) will block achieving the other goals; Multiple competing goals cannot be prioritized C
Competing strategies: Multiple strategies can achieve the end goal but with different benefits and drawbacks ABC Organizational complexity in decision-making (too many levels of authorities, inter-locked authority entities, variety of entities involving in decision-making)
A No procedure/guidance available for making the decision 20
21 Example: The effect of long working-hours (mental fatigue)
Day 2 Day3 Full feedback 4.2 5.5 No feedback 4.5 6
Solo 6
8 Team 4.5 5.5 REF: Effects of sleep loss on team situation assessment (JV Baranski, 2015)
Task: Team makes judgment of threat on a military surveillance task (situation assessment)
CFMs: Incorrectly assess situation PIF: Long working-hour; Feedback information, Supervision and peer-checking Results: Sleep loss affects assessment accuracy and time needed.
Data:
Assessment error rate (%)
PIF model 4): References demonstrating the effect of PIFs on proximate causes / CFMs
Summary of IDHEAS Generic Methodology
- Based on the Cognitive Basis for HRA (NURE-2114)
- Expanded scope to address:
- Broad spectrum of human actions
- Coordination and cooperation among multiple entities
- Complicated decision-making
- Performance influencing factors in severe conditions (e.g., radiation)
- Adaptable to broad applications such as:
- Level 2 and 3 PRA
- Reactor shutdown operations
- External events
- Fuels, materials, by-product 22
23
IDHEAS-G for Human Event Analysis -
Demonstration with the Fukushima Daiichi Event Jing Xing, James Chang US Nuclear Regulatory Commission 24 Presentation to EHPG, May 8-13, 2016, Norway
Lessons, lessons, lessons, learned from Fukushima Daiichi accident To prevent severe accidents from occurring, it is important to understand how past severe accidents occurred and learn lessons from the accidents.
Background:
300+ reports, conference papers, presentations; most involve human performance and digital instrument & control (DI&C)
Purpose:
Consolidate the information regarding human performance and DI&C into one coherent story - What, How, Why Method: Document and analyze information using IDHEAS-G 25
Overview of IDHEAS-G Task 1 HFEs CRD and critical tasks PRA scenario Cognitive failure modes (CFM)
HFE 1 HFE 2 HFE 3 PIF and HEP Task 2 Task 3 CFM Operational narrative 26 PIF 1 PIF 2 PIF 3 PIF 4 CFM 1 CFM 2 CFM 3 CFM 1 CFM 5 CFM 6
Operational narrative (Unit 1 only) 27 Initial condition: Unit 1 was operating at the licensed power level; the staffing level met the normal operation requirements.
Initiating event: An earthquake followed by a beyond-design-basis tsunami flooded portions of the plant site, damaged pumps, equipment, electrical distribution panels, batteries, and emergency diesel generators, and resulted in the loss of AC and DC power.
Consequences of the event:
Unit 1 lost AC and DC power shortly after the tsunamis arrival. Once power was lost, the control rooms lost lighting, indicators, instrument readouts, and controls.
The Ucondenser (IC) and high-pressure coolant injection system (HPCI) failed due to loss of power.
nit 1 reactor automatically scrammed as designed.
Offsite AC power to the site was lost. Following the offsite AC power loss, the main steam isolation valves (MSIVs) in Unit 1 closed automatically to isolate the reactors.
27
Timeline operational narrative for the baseline scenario - Example Time Event evolution Notes T=0 Earthquake 41-51min Tsunami arrival; Loss of onsite AC and DC power Damaged the site. The main control room lost instrumentation.
51-60min I&C failed, HPCI unavailable; reactor shutdown; RPV depressurized.
Estimated time of core damage was between four hours and seven hours.
Estimated time of reaching max containment pressure/design pressure was about 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.
9.7h ~ 24h Containment venting preparation 24.8h Hydrogen explosion
+15.0 - +28.8 h Initial injection of freshwater/
seawater into the reactor
29 Information availability Indicators and displays in MCR were damaged or did not work due to loss of power; gathering and interpreting the information became very difficult:
Primary sources of information were not available; Secondary sources of information were not reliable; Personnel lacked training, guidance, or experience in using secondary sources of information; Personnel did not know how to trust and verify secondary sources of information.
Personnel were not aware that some I&C information was misleading.
Additional information:
Unit 1 lost instrumentation readouts and the safety parameter display systems; the onsite ERC and offsite center (OFC) were unable to obtain timely information about the condition of the reactor and Units 1-4 spent fuel pools. MCR personnel reported basic reactor parameters to the onsite ERC using fixed-line telephones. This information was manually recorded on whiteboards to share information within the ERC.
With no power for instrumentation or controls, the Unit 1 operators lost the ability to monitor plant indicators from the control room. Most critically, they were unable to check the status of the isolation condenser valves or to actuate them from the MCR.
Context analysis - Crew context
30 Parallel activities and responsibilities Multiunit interactions - Multiunit interactions complicated the accident response.
The units competed for physical resources and attention and/or services of the onsite staff, e.g., the competition for fire trucks to pump water into the Units 1, 2, and 3 reactors.
Recovery actions such as cleaning debris of working areas and connecting cables.
Emergency evacuation.
Environmental factors Environmental factors, such as smoke, flood, noise, ambient lights, high wind, radiation, seismic, extreme cold or hot temperature, impacted personnels capability:
Visibility - Work in dark places Mobility - Obstacles and debris spread around the field Accessibility or habitability - Personnel could not access the work site or they could momentarily access the site but could not stay there to complete the work.
Personnel physical condition - Work performed wearing protective clothing in high dose environment; radiation indications were not reliable; lack of food, coldness, and wetness.
Safety limits - Environmental factors exceeded the safety limits.
Context analysis - Crew context (Cont.)
Context analysis - Crew context (cont.)
31 Other crew context Coordination infrastructure and effectiveness Decision-making infrastructure (Decision-makers, authorities and hierarchy, use of innovate solutions)
Staffing - availability and qualification for required skills Procedures and Guidance Training and experience Equipment and tools Work site accessibility and habitability
Demonstration of task analysis: A simplified Crew Response Diagram HFE: Cooldown Unit 1 reactor Use IC Assess other strategies 32 Assess system and component status Success Fail Success Decide the strategy Implement the strategy Fail Develop new strategy Success Implement new strategy Success Cues HFE no longer feasible or beneficial HFE Timeline T=0
Task analysis - use a fire truck to inject water into the reactor 33 Task context Description Task narrative Unit 1 isolation condenser (IC) was not working and it would only take a few hours to uncover the core. The two procedure-recommended strategies did not work; the ERC ordered the use of fire trucks to inject water into the reactor.
Goal Inject a sufficient amount of water into the reactor to cool the core Cues The two procedure-recommended strategies did not work.
Cognitive activities Plan to use innovative solution Prepare the tools Execute the action - negotiate with subcontractors, get the fire trucks, find and connect hose connectors, inject seawater into the reactor Procedure No procedure or guidance available Personnel ERC team, shift team, subcontractors equipment Fire trucks, hose connectors Locations Debris delayed the arrival of external fire trucks (and other equipment), and also created significant obstacles to movement within the plant.
Environmental factors Visibility, Mobility, Accessibility or habitability, Radiation, Noise
Identification of cognitive failure modes (CFMs) 34 Cognitive function Example CFMs Detection Unable to monitor status Failure to access to sources of information - Attempts to check the status of the valves in the field were unsuccessful because of access limitations and high radiation fields.
Understanding Failure to assess the situation - Operators did not understand at first that the isolation condenser had stopped functioning Incorrect team understanding - Operators and ERC staff had different understandings of IC status Decision-making Inappropriate prioritization of the goals - The site superintendent directed onsite ERC staff to give priority to restoring plant indicators, particularly reactor water level and pressure.
Action execution Failure of command and control - The Unit 1 operators asked the onsite ERC to provide batteries so that the safety relief valves could be opened from the control room.
However, the ERC team member who received this request did not understand its urgency.
Teamwork Miscommunication - between the onsite ERC, headquarters ERC, and the Nuclear and Industrial Safety Agency (NISA)
Poor coordination of systems and equipment in monitoring, protection and decontamination Lack of coordination - between shift team and firefighters because neither understood the responsibility given to them by the site superintendent
35 Cognitive function PIFs Detection HSI was limited with respect to the cues, indications, and controls available Operator activities associated with detection and monitoring of cues and indications was distributed between the MCR and other locations in the plant under degraded environmental conditions (cold, noise, radiation, visibility, etc.)
Understanding Operators and decision-makers were unfamiliar with the scenarios, therefore, they did not have an existing mental model to fully understand the situation Degraded sensors and indicators may be misleading Sources of information may inherit great uncertainties Procedures were not applicable to the situations so they did not help in diagnosing problems Decision-making Decision-making complexity: Involvement of multiple teams Information for decision-making may not be available Difficulty in planning - A clear approach is needed from EOPs to SAMGs and the extended damage management guidelines (EDMGs)
Decision-making during multi-unit events, including understanding effects such as MCR configuration (common control rooms vs. separate control rooms) and distance of separation of the units Difficult to prioritize limited resources Distributed locations of decision-making Unclear responsibility, accountability and authority for decision-making in a crisis Identification of Performance Influencing factors for the CFMs
36 Action execution HSI for action execution is limited and distributed in multiple locations in the plant under degraded environmental factors (heat, cold, noise, radiation, visibility, etc.)
Equipment and tools are limited Manual actions needed for degraded / damaged automation More and different types of communication than if all of these activities took place in the MCR are required Action scripts need to be developed (skills-of-the-craft)
Operators lack of knowledge of IC functions and lack of experience in its operation Operators are unfamiliar with the facilities Lack of instructions and coordination Staffing is inadequate either in the number of personnel or the types of personnel with special skills Inadequate drills and exercises to manage long-hour accident management actions Teamwork Complex communication configuration Lack of communication requirements / strategies / protocols -
Unclear personnel responsibility on communication Lack of redundancies for communication technologies shared by all organizations Lack of mechanisms to maintain required communication linkages when communication technology fails Difficult communication between off-site and on-site - Lack of common operational picture and lack of coordination model Critical Infrastructure - the on-site center may not function because no water supply, no power supply, sheltering indoors, exhaustion, and radiation.
Command & control may not function as expected Lack of clarity in roles and responsibilities within the onsite ERC Identification of Performance Influencing factors for the CFMs (cont.)
Summary The documentation provides a systematic understanding of human performance in the accident:
The operational narrative describes what occurred from an operational perspective; The context analysis elucidates situational factors challenging human performance; The task analysis delineates how personnel perform tasks for the required human actions; The failure modes of the human actions and the associated performance influencing factors manifested by the context of how and why personnel may fail to perform required actions.
Together these constitute the basis for applying lessons learned to improving design of plant systems, structures, and components, as well as procedures and training.
37