ML23067A201
Issue date: 07/17/2023
From: Chang Y, Jing Xing, NRC/RES/DRA/HFRB
Application of Human Reliability Analysis to DI&C Control Room Modernization

Jing Xing, Y. James Chang
U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, USA
jing.xing@nrc.gov, james.chang@nrc.gov

ABSTRACT

Many operating U.S. plants are planning modernization projects to replace their analog instrumentation and control systems and human-system interfaces with new digital systems. Nuclear power plant control room modernization introduces digital instrumentation and control (DI&C) systems and digital human-system interfaces to operators. These new systems are expected to offer functions and capabilities that are vital for performance and plant safety.
Although digital technology can potentially improve operational performance, there are challenges to using this technology. Moreover, introducing new technologies to control rooms introduces new operator actions, changes existing operator actions, and changes the context of actions. The impact of such changes on operator performance and plant safety should be evaluated as new technologies are introduced. This paper describes the process and two case studies of applying the NRC's human reliability method, the Integrated Human Event Analysis System for Event and Condition Assessment (IDHEAS-ECA), to the analysis of operator actions that change with the introduction of control room digital systems. The process, with the case demonstrations, can be used along with the human factors engineering process to systematically identify and analyze potential risks associated with DI&C control room modernization.
This paper also demonstrates the applicability of IDHEAS-ECA to human reliability analysis of a DI&C working environment.

Keywords: Human reliability analysis, IDHEAS-ECA, digital instrument and control, digital modernization
1. INTRODUCTION

Nuclear power plant (NPP) control room modernization introduces digital instrumentation and control (DI&C) systems and digitized human-system interfaces to operators. The DI&C systems sense basic parameters, monitor the plant's processes and the various barriers that prevent release of radioactive material, and adjust operations as needed. Employing these techniques will introduce more intricate control of plant systems and processes. DI&C systems also support increased automation and new forms of automation that make greater use of interactions between personnel and automatic functions. DI&C systems interact with plant personnel through various human-system interfaces such as soft controls, advanced displays, alarm systems, computerized procedures, and advanced communication systems.
DI&C may increase sensing capabilities, information-processing support, intelligent agents, automation, and software-mediated interfaces. This extends the distance between personnel and the physical plant by adding many processes between the plant's physical signals and the operators who respond to those signals and manipulate plant status. Although these technologies are potentially beneficial, they add complexity for the personnel operating and maintaining the plant, and thus can adversely affect the human-system interfaces and operator performance. It is therefore important to perform human factors engineering on DI&C systems to ensure human performance, and to perform risk assessment to identify and prevent human errors in a digital working environment.
The U.S. Nuclear Regulatory Commission (NRC) uses probabilistic risk assessment (PRA) technology in its regulatory and licensing activities. The risk-informed approach complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy [1]. PRA models the reliability of systems and personnel to mitigate a system abnormality and prevent it from developing into undesired consequences. It addresses three key questions: what can go wrong, how likely is it to go wrong, and what are the consequences [2]. Human reliability analysis (HRA) is an essential part of PRA. HRA is an engineering approach that systematically analyzes human performance for events or specified conditions.
The Integrated Human Event Analysis System for Event and Condition Assessment (IDHEAS-ECA) is an HRA method developed by the NRC staff to support risk-informed decisionmaking [3]. IDHEAS-ECA analyzes human events and estimates human error probabilities (HEPs) for use in PRA applications.
The IDHEAS-ECA method is based on the General Methodology of an Integrated Human Event Analysis System (IDHEAS-G) (NUREG-2198) [4]. IDHEAS-G and IDHEAS-ECA were developed because, in recent years, the scope of application of HRA has expanded into situations beyond the scope of existing HRA methods. The application scope of IDHEAS-ECA is broad. The method has a set of cognitive failure modes to model failures of any human task. IDHEAS-ECA models human actions in a PRA (i.e., human failure events) using five macrocognitive functions: Detection, Understanding, Decisionmaking, Action Execution, and Interteam Coordination. The failure of a human action is caused by the context that challenges human performance. IDHEAS-ECA uses a comprehensive set of performance-influencing factors (PIFs) to model the context of a human event. The method covers all the PIFs in existing HRA methods and the factors reported in the broad literature, including studies on traditional human-machine interfaces and new technologies powered by advanced human-system interfaces and digital instrument and controls. Because IDHEAS-ECA is cognition-centred with a comprehensive PIF structure, it can model the context of human events inside and outside the control room of an NPP, and it is technology-neutral. In principle, the method can be used for HRA of human actions with DI&C technologies in advanced control rooms and DI&C modernization. This paper analyzes the application of IDHEAS-ECA in a DI&C environment and demonstrates its use with two examples of human actions in control room DI&C upgrades.
2. OVERVIEW OF IDHEAS-ECA METHOD

2.1. IDHEAS Macrocognition Model

A human action or a critical task involves performing cognitive activities, which demand brain resources.
IDHEAS-ECA models the cognitive demands of a task using five macrocognitive functions, which are the high-level brain functions that must be successfully accomplished to achieve a task. IDHEAS-ECA uses the following macrocognitive functions:
Detection (D) is noticing cues or gathering information in the work environment.
Understanding (U) is the integration of pieces of information with a person's mental model to make sense of the scenario or situation.
Decisionmaking (DM) includes selecting strategies, planning, adapting plans, evaluating options, and making judgments on qualitative information or quantitative parameters.
Action Execution (E) is the implementation of the decision or plan to change some physical component or system.
Interteam Coordination (T) focuses on how various teams interact and collaborate on a critical task.
The first four macrocognitive functions (D, U, DM, and E) may be performed by an individual or a team, and Interteam Coordination is performed by multiple groups or teams.
With the macrocognition model, IDHEAS-ECA provides a set of five cognitive failure modes (CFMs) to model failure of a task. Each CFM represents the failure of a macrocognitive function demanded to accomplish the task. The CFMs are defined as follows:
- CFM1 - Failure of Detection
- CFM2 - Failure of Understanding
- CFM3 - Failure of Decisionmaking
- CFM4 - Failure of Action Execution
- CFM5 - Failure of Interteam Coordination

IDHEAS explains the process of achieving each macrocognitive function, and the elements of the process are referred to as processors. Thus, a human error in a processor can be viewed as a detailed failure mode or an error mechanism for the CFM. IDHEAS-ECA guidance recommends that HRA analysts use the processors to verify the selection of the applicable CFMs and to distinguish between the CFMs. Table 1 shows the processors associated with each CFM.
Table 1: IDHEAS-ECA Cognition Model: Macrocognitive Function Processors

D - Detection:
- D1 - Initiate detection.
- D2 - Select, identify, and attend to sources of information.
- D3 - Perceive, recognize, and categorize information.
- D4 - Verify and modify the outcomes of detection.
- D5 - Retain or communicate the outcomes.

U - Understanding:
- U1 - Assess/select data.
- U2 - Select/adapt/develop the mental model.
- U3 - Integrate data with the mental model.
- U4 - Verify and revise the understanding.
- U5 - Export the outcome.

DM - Decisionmaking:
- DM1 - Select decisionmaking model.
- DM2 - Manage the goals and decision criteria.
- DM3 - Acquire and select data for decisionmaking.
- DM4 - Make decision.
- DM5 - Evaluate the decision or plan.
- DM6 - Communicate and authorize the decision.

E - Action Execution:
- E1 - Assess action plan and criteria.
- E2 - Develop or modify action scripts.
- E3 - Coordinate and command action implementation.
- E4 - Implement action scripts.
- E5 - Verify and adjust execution outcomes.

T - Interteam Coordination:
- T1 - Establish or adapt interteam coordination.
- T2 - Manage information.
- T3 - Maintain shared situational awareness.
- T4 - Manage resources.
- T5 - Plan interteam collaborative activities.
- T6 - Implement decisions and commands.

2.2 PIF Structure

The IDHEAS-ECA process begins with analyzing a scenario and searching for the context that challenges or facilitates human performance. The method uses 20 PIFs and their associated attributes to model the scenario context. The IDHEAS PIF structure is composed of (1) PIF categories, (2) PIFs, and (3) PIF attributes. PIFs are grouped into four categories of event context: environment and situation, system, personnel, and task. They are described as follows:
1) Environment and situation context: This consists of the conditions in the personnel's work environment and the situation in which actions are performed. It includes the weather, radiation or chemicals in the workplace, and any extreme operating conditions.
2) System context: Systems are the objects of the HFEs. The action's objectives are achieved through systems, which include operational systems, supporting systems, instrumentation and control (I&C), physical structures, human-system interfaces (HSI), and equipment and tools.
3) Personnel context: Personnel are the people who perform the action. Personnel include individuals, teams, and organizations. The personnel context describes who the personnel are; their qualifications, skills, knowledge, abilities, and fitness to perform the action; how they work together; and the organizational measures that help personnel work effectively.
4) Task context: The task context describes the cognitive and physical task demands on personnel and the special conditions in the scenario that make tasks difficult to perform. An action may consist of one or more discrete tasks.
IDHEAS-ECA uses PIFs to characterize these contexts. IDHEAS-ECA has 20 PIFs across the four context categories, as shown in Table 2. This list of PIFs covers all PIFs in existing HRA methods and the factors reported in the literature and in nuclear human event databases.
Table 2: PIFs in IDHEAS-ECA

Environment and situation:
- Work location accessibility and habitability
- Workplace visibility
- Noise in workplace and communication pathways
- Cold/heat/humidity
- Resistance to physical movement

System:
- System and I&C transparency to personnel
- Human-system interfaces
- Equipment and tools

Personnel:
- Staffing
- Procedures, guidelines, and instructions
- Training
- Teamwork and organizational factors
- Work processes

Task:
- Information availability and reliability
- Scenario familiarity
- Multi-tasking, interruption and distraction
- Task complexity
- Mental fatigue
- Time pressure and stress
- Physical demands

A PIF is characterized by a set of attributes. A PIF attribute is an assessable characteristic of a PIF and describes a way in which the PIF increases the likelihood of error in the macrocognitive functions. HEP estimation for a CFM is based on the assessment of the PIF attributes applicable to that CFM. Appendix B of the IDHEAS-ECA report [1] lists all the attributes for the IDHEAS PIFs. Table 3 shows the attributes of the PIF Human-System Interface as an example.
Table 3: Attributes of PIF Human-System Interface

Human-System Interface: This PIF models the impact of the HSI on human performance. Poorly designed HSIs can impede task performance in unusual event scenarios. Even a well-designed HSI may not support human performance in specific scenarios that designers or operational personnel did not anticipate. HSIs may also become unavailable or unreliable in hazardous scenarios.

- HSI0 - No impact - well-designed HSI supporting the task
- HSI1 - Indicator is similar to other sources of information nearby
- HSI2 - No sign or indication of technical difference from adjacent sources (meters, indicators)
- HSI3 - Related information for a task is spatially distributed, not organized, or cannot be accessed at the same time
- HSI4 - Un-intuitive or un-conventional indications
- HSI5 - Poor salience of the target (indicators, alarms, alerts) out of the crowded background
- HSI6 - Inconsistent formats, units, symbols, or tables
- HSI7 - Inconsistent interpretation of displays
- HSI8 - Similarity in elements - wrong element selected in operating a control element on a panel within reach and similar in design in the control room
- HSI9 - Poor functional localization - 2 to 5 displays / panels needed to execute a task
- HSI10 - Ergonomic deficits:
  - Controls are difficult to maneuver
  - Labeling and signs of controls are not salient among the crowd
  - Inadequate indications of states of controls - small unclear labels, difficult-to-read scales
  - Maneuvers of controls are un-intuitive or unconventional
- HSI11 - Labels of the controls do not agree with document nomenclature; confusing labels
- HSI12 - Controls do not have labels or indications
- HSI13 - Controls provide inadequate or ambiguous feedback, i.e., lack of or inadequate confirmation of the action executed (incorrect, no information provided, measurement inaccuracies, delays)
- HSI14 - Confusion in action maneuver states (e.g., automatic resetting without clear indication)
- HSI15 - Unclear functional allocation (between human and automation)
3. ANALYSIS OF IDHEAS-ECA APPLICABILITY TO DI&C ENVIRONMENT

Analysis of IDHEAS-ECA applicability to DI&C needs a description of DI&C features with respect to human performance. Presley et al. [5] developed a template to organize human performance information relevant to the use of digital technologies in control rooms. Because the HRA performance-influencing factors correlate closely with the design elements associated with human factors engineering, Presley et al. used HFE design elements as the basis for organizing DI&C features for HRA data collection. Using the human factors engineering design elements allows data from diverse sources to be compared and evaluated through a common lens. As a preliminary effort, we used this taxonomy to show that IDHEAS-ECA is capable of modeling the human performance aspects of the DI&C human factors design elements. Table 4 shows a portion of the analysis. The first and middle columns are the design elements and their associated class types from Presley et al. The third column shows some examples of IDHEAS-ECA PIF attributes that are more likely to be affected by the DI&C elements compared to traditional analog systems. This list is a proof of concept; it is not exhaustive, and other PIFs may play important roles for specific design elements and class types.
Table 4: Proposed Taxonomy of Design Element Categories and Associated Classes

- Multi-User Display
  - Classes: Individual user workstation (or display); Fixed, Dynamic, or Mixed Information Selection; System, Function Display level; Integrated Process Status Overview; Information Sharable Function
  - Examples of IDHEAS-ECA PIF attributes potentially affected:
    - PIF Information availability and reliability: INF1 - Information is temporarily incomplete or not readily available; INF2 - Information unreliable or uncertain
    - PIF Task complexity: C1 - Detection overload with multiple competing signals; C2 - Detection is moderately complex
    - PIF Human-system-interface: HSI5 - Poor salience of the target (indicators, alarms, alerts) out of the crowded background; HSI9 - Poor functional localization - multiple (2~5) displays / panels needed to execute a task
    - PIF Teamwork factors: TF2 - Poor command & control; TF3 - Poor information management in multiple-team tasks
    - PIF Multitasking, Interruption, and Distraction: MT1 - Distraction by other on-going activities that demand attention
- Soft Control Systems
  - Classes: Cursor-based, Touchscreen, Keyboard
  - Examples of IDHEAS-ECA PIF attributes potentially affected:
    - PIF Task complexity: C39 - Unlearn or break away from automaticity of trained action scripts
    - PIF Human-system-interface: HSI13 - Controls provide inadequate or ambiguous feedback; HSI14 - Confusion in action maneuver states (e.g., automatic resetting without clear indication); HSI15 - Unclear functional allocation (between human and automation)
- Alarm Systems
  - Classes: Static Binary, State-based/mode-based; Computer/Function Based; Voice Alarm Output
  - Examples of IDHEAS-ECA PIF attributes potentially affected:
    - PIF Human-system-interface: HSI1 - Indicator is similar to other sources of information nearby; HSI5 - Poor salience of the target (indicators, alarms, alerts) out of the crowded background
    - PIF Task complexity: C1 - Detection overload with multiple competing signals (in an analog control room, operators group alarms in spatial patterns, while digital alarms may not allow the use of spatial patterns)
- Computer-based Procedures
  - Classes: PDF; Advisory; Shared; Automated; Dynamic Info/Integrated Controls in Step; Digital coordination (joint, independent)
  - Examples of IDHEAS-ECA PIF attributes potentially affected:
    - PIF Human-system-interface: HSI13 - Controls provide inadequate or ambiguous feedback, i.e., lack of or inadequate confirmation of the action executed (incorrect, no information provided, measurement inaccuracies, delays); HSI14 - Confusion in action maneuver states (e.g., automatic resetting without clear indication); HSI15 - Unclear functional allocation (between human and automation)
    - PIF Procedures, Guidance, and Instructions: PG6 - No verification in procedure for verifying key parameters for detection or execution; PG7 - No guidance to seek confirmatory data when data may mislead diagnosis or decisionmaking
- Decision Support Systems
  - Classes: Monitoring; Diagnostic; Prognostic Systems
  - Examples of IDHEAS-ECA PIF attributes potentially affected:
    - PIF Multitasking, Interruption, and Distraction: MT1 - Distraction by other on-going activities that demand attention
    - PIF Task complexity: C13 - Understanding complexity - requiring a high level of comprehension; C16 - Conflicting information, cues, or symptoms
- Overall Design Human-Automation Interaction
  - Classes: Manual (operator hands on), Shared, Automatic or Autonomous Control
  - Examples of IDHEAS-ECA PIF attributes potentially affected:
    - PIF System and I&C Transparency: SIC1 - System or I&C does not behave as intended under special conditions; SIC2 - System or I&C does not reset as intended; SIC3 - System or I&C is complex or non-transparent for personnel to predict its behavior; SIC4 - System or I&C failure modes are not transparent to personnel

Next we analyzed more detailed design features using IDHEAS-ECA cognitive failure modes and PIF attributes. HRA uses failure modes to generalize or categorize the various human errors made in performing tasks. Thus, identifying failure modes first requires defining the tasks that the design features serve. For demonstration, we did not perform a task analysis of the digital systems. Instead, we used the generic tasks associated with various DI&C human-system interfaces in control rooms from O'Hara et al. [6]. The taxonomy of the generic tasks is similar to the macrocognitive functions in IDHEAS. For example, the task for using alarm systems is to receive and respond to alarms. This corresponds to the macrocognitive function of Detection. We then evaluated the processors of Detection and identified potential ways that personnel could make errors in each processor in a digital environment. The IDHEAS General Methodology [4] defines a set of generic errors for the processors and refers to those as detailed failure modes. Digital design features change the characteristics of personnel's tasks and therefore may incur different detailed failure modes than traditional analog systems would [7].
We demonstrate the potential detailed failure modes and PIF attributes for the example design features from Presley et al., as shown in the first column of Table 5 below. The second column shows the potential detailed failure modes that are more likely to contribute to the CFM because of the characteristics of the human tasks in using the design feature. The right-most column shows the PIF attributes that could potentially be affected by the design feature.
Table 5: IDHEAS-ECA Failure Mode and PIF Analysis of Digital Design Features

- Alarm - Information salience (e.g., scroll list, visual panels)
  - Potentially incurred detailed failure modes: D2 - Not attending to sources of information; D3 - Incorrectly categorizing / responding to the alarm
  - Potentially affected PIF attributes: HSI3 - Related information for a task is spatially distributed, not organized, or cannot be accessed at the same time; HSI5 - Poor salience of the target (indicators, alarms, alerts) out of the crowded background
- Alarm complexity and priority functioning
  - Potentially incurred detailed failure modes: D1 - Incorrectly prioritizing alarms; D2 - Incorrectly identifying the alarms for response
  - Potentially affected PIF attributes: C4 - Detection criteria are highly complex - multiple criteria to be met in complex logic (e.g., alarm reduction logic; grouping; historical retrieval) - information of interest must be determined based on other pieces of information
- Workstation - Support for degraded HSI/I&C conditions / Signal validation
  - Potentially incurred detailed failure modes: U1 - Incorrectly assessing the data / signals; U2 - Not having, or selecting the wrong, mental model for degraded signals
  - Potentially affected PIF attributes: HSI3 - Related information for a task is spatially distributed, not organized, or cannot be accessed at the same time; SIC4 - System or I&C failure modes are not transparent to personnel; C15 - Ambiguity associated with assessing the situation - key information is cognitively masked - pieces of key information are intermingled
- Workstation - Data calculation/interpretation
  - Potentially incurred detailed failure modes: D3 - Incorrectly recognizing / interpreting the perceived data; U3 - Incorrectly integrating data with the mental model
  - Potentially affected PIF attributes: C4 - Detection criteria are highly complex - information of interest must be determined based on other pieces of information; C12 - Relational complexity - relations involved in a human action are very complicated to understand - need to integrate multiple relations
- Workstation - Design (structure, size, and number of screens); ease of getting to the information
  - Potentially incurred detailed failure modes: D2 - Attending to wrong sources of information; E4 (Implement action scripts) - Incorrectly executing action with soft control; E5 - Not verifying execution outcomes
  - Potentially affected PIF attributes: HSI9 - Poor functional localization - 2~5 displays / panels needed to execute a task; HSI10 - Ergonomic deficits - maneuvers of controls are un-intuitive or unconventional; HSI13 - Controls provide inadequate or ambiguous feedback, i.e., lack of or inadequate confirmation of the action executed
- 2nd checker; MCR crew functions and responsibilities; concept of operations
  - Potentially incurred detailed failure modes: D4 - Not verifying the outcomes of detection; E5 - Not verifying and adjusting execution outcomes
  - Potentially affected PIF attributes: TF3 - Poor information management in multiple-team tasks; TF4 - Poor communication capabilities between teams; WP1 - Lack of practice of self- or cross-verification (e.g., 3-way communication); WP2 - Lack of or ineffective peer-checking

With this preliminary analysis, we demonstrate that IDHEAS-ECA is capable of identifying and modeling human errors in DI&C design elements and features. Because the CFMs are based on the five macrocognitive functions, they are technology-neutral and applicable to any human task. DI&C and traditional analog systems may be prone to human errors in different processors or error mechanisms of the same CFM. Similarly, while the IDHEAS-ECA PIFs are comprehensive and capable of modeling the design elements and features of both DI&C and traditional analog systems, a DI&C design may affect different attributes of the same PIF from those more likely to be affected by analog systems.
4. TWO CASE STUDIES OF HUMAN EVENT ANALYSIS IN DI&C ENVIRONMENT

IDHEAS-ECA has eight steps for performing HRA of a human event. The purpose of the case studies here is to demonstrate the applicability of IDHEAS-ECA to DI&C events, so the paper presents only a portion of the full HRA analysis, focusing on cognitive failure modes, performance-influencing factors, and recovery of human errors. The two cases analyzed are for demonstration and were modified from real DI&C events. Both events are human actions maintaining or operating DI&C systems, not control room actions for operating reactors. The recovery analysis addresses recovery of the human errors made in the events, not the later recovery by control room operators operating the reactor. The IDHEAS-ECA analysis of the two cases is presented in Table 6 and Table 7.
Table 6: Case Study 1

Operational narrative: During normal maintenance, a replacement network switch configured for Unit 2 was installed in Unit 1. While reconfiguring the switch for Unit 1, the command "NO VLAN20" was entered on the switch. This command would not normally be entered at a peripheral switch. Entry of this command was propagated to all other switches participating in the Unit 2 virtual local area network (VLAN20). This resulted in deletion of VLAN20 from all active VLAN databases on the PDN. All communication for Unit 2 devices on the PDN is via VLAN20. Deletion of this VLAN left the Unit 2 devices unable to communicate via the PDN. Operators noticed the error; the systems were restored to normal without unsafe consequences.

Human failure event: Personnel incorrectly reconfigure the Unit 1 network switch during normal maintenance.

Context:
- System context: Multiunit interaction through the PDN is not transparent to the personnel.
- Crew context: No peer checking or close supervision for reconfiguring the switch. The work instructions or procedures may not have the details requiring that personnel check the status and reset the parameters of the network switch before replacement.
- Task context: The personnel may experience some level of interruption and distraction in a specific event. This analysis assumes that there was no interruption/distraction during normal maintenance.

Task analysis and applicable cognitive failure modes: The critical task in the human action is to reconfigure the Unit 1 LAN network. The personnel entered the command "NO VLAN20", which would not normally be entered at a peripheral switch. Moreover, the command was entered on a switch that was previously configured for Unit 2. Performing the critical task requires the macrocognitive function of Action Execution, with the processors:
- E2: Assess or interpret the action plan (e.g., personnel allocation, equipment / tool preparation, or coordination)
- E4: Execute the action steps
- E5: Adjust the action by monitoring, measuring, and assessing outcomes
The applicable cognitive failure mode for the human action is CFM4: Failure of Action Execution.

Performance influencing factors (PIFs):
- SF2 - Unfamiliar elements in the scenario - nonroutine, infrequently performed tasks ("This command would not normally be entered at a peripheral switch", cited in the operational narrative)
- HSI13 - Controls provide inadequate or ambiguous feedback, i.e., lack of or inadequate confirmation of the action executed
- HSI14 - Confusion in action maneuver states (e.g., automatic resetting without clear indication)
- SIC2 - System or I&C does not reset as intended
- SIC3 - System or I&C is complex or nontransparent for personnel to predict its behavior
- WP2 - Lack of or ineffective peer checking or supervision
- PG1 - Procedure design is less than adequate - graphics or symbols not intuitive

Recovery of human error: IDHEAS-ECA credits recovery of human errors under four criteria: an existing recovery path, existing cues that indicate the human error, adequate manpower, and adequate time to perform the recovery. In this event, the system most likely does not provide a recovery path. Even if it does, there is no cue indicating the human error, and there is no time between the completion of entering the command and the occurrence of the consequence (loss of the Unit 2 VLAN). Therefore, recovery is not creditable.
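The recovery analysis above finds no cue and no recovery path between entering the command and losing the VLAN. As an added illustration (not code from the paper or the NRC), the following pre-execution check supplies such a cue by linting a planned command list against the facts recorded about the switch before anything is entered. The switch roles, unit tags, hostnames and command list are constructed assumptions.

```python
"""Pre-execution lint for a planned network-switch reconfiguration.

Added illustration modelled on Case Study 1; not code from the paper.  It flags
the two conditions the narrative describes: a device whose saved configuration
still belongs to another unit, and a VLAN-deleting command planned for a
peripheral switch, where such a command is not normally entered.
"""
import re
from dataclasses import dataclass


@dataclass
class SwitchFacts:
    """What the maintainer recorded about the device before starting.

    All field values used below are constructed assumptions for the example."""
    hostname: str
    role: str       # "peripheral" or "core"
    unit_tag: str   # unit the saved configuration was prepared for


@dataclass
class Finding:
    line_no: int    # 0 means the finding concerns the device, not a command line
    command: str
    severity: str   # "block" stops the change; "review" needs a second person
    message: str


# Matches both "no vlan 20" and the "NO VLAN20" form quoted in the narrative.
NO_VLAN_RE = re.compile(r"^\s*no\s+vlan\s*(\d+)\s*$", re.IGNORECASE)


def lint_change(target_unit: str, facts: SwitchFacts,
                commands: list[str]) -> list[Finding]:
    """Return findings for a planned command list; an empty list means proceed."""
    findings: list[Finding] = []

    # Cue for the missing pre-step in the crew context: check the status and
    # reset the switch before it is put into service for a different unit.
    if facts.unit_tag != target_unit:
        findings.append(Finding(
            0, "", "block",
            f"{facts.hostname}: saved configuration belongs to {facts.unit_tag} "
            f"but the target is {target_unit}; reset to defaults first"))

    for line_no, raw in enumerate(commands, start=1):
        cmd = raw.strip()
        match = NO_VLAN_RE.match(cmd)
        if not match:
            continue
        vlan_id = int(match.group(1))
        if facts.role == "peripheral":
            # The narrative: not normally entered at a peripheral switch, and
            # its effect propagated to every switch participating in the VLAN.
            findings.append(Finding(
                line_no, cmd, "block",
                f"deletes VLAN {vlan_id} from a peripheral switch; not an "
                f"expected maintenance step and may propagate to other switches"))
        else:
            findings.append(Finding(
                line_no, cmd, "review",
                f"deletes VLAN {vlan_id}; requires independent verification"))
    return findings


def approved(findings: list[Finding]) -> bool:
    """A change may proceed only when no finding is blocking."""
    return not any(f.severity == "block" for f in findings)


if __name__ == "__main__":
    # Constructed scenario mirroring the narrative: a switch prepared for
    # Unit 2 is installed in Unit 1 and the planned commands include "NO VLAN20".
    facts = SwitchFacts(hostname="pdn-sw-07", role="peripheral", unit_tag="Unit 2")
    plan = ["NO VLAN20", "vlan 10"]
    results = lint_change("Unit 1", facts, plan)
    for f in results:
        print(f"[{f.severity}] line {f.line_no}: {f.message}")
    print("approved:", approved(results))
```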
Table 7: Case Study 2

Operational narrative: Following the installation of the digital turbine control system, a change request notice (CRN) was approved to change the load drop anticipatory (LDA) disarm logic to monitor crossover pressure (50 psi); previously, the logic disarmed itself when the turbine load setpoint was <50% turbine load. To reset the armed value, a dead band value was needed. Since 50 was the previous reset value, the programmer selected 50 as the new reset value. However, this programming value was in pressure (psi) and not % turbine load. In addition, the previous LDA armed light was removed from the control room panel (>50% FLOW), while the new HMI design provided the operators with the actual crossover pressure values. The new HMI screens did not provide any positive indication of LDA arming/disarming.
The unit was commencing a down-power maneuver. There was a sudden loss of turbine load at 25% reactor power. At 25% reactor power, the generator megawatts unexpectedly reduced to zero, with no operator action. This occurred because the turbine intercept and control valves closed automatically because of the load drop anticipatory (LDA) logic actuation. The LDA is a protective feature designed to actuate when megawatt load is <20% while low pressure turbine inlet pressure is still greater than 50% load (based on low pressure turbine inlet steam pressure). The circuit is designed to disarm at less than 50% load. The system setpoints for this 50% load did not disarm the circuit as expected. The turbine control system received the megawatt load <20% signal and then actuated the LDA logic.

Human failure event: Personnel failed to correctly perform the planned design change by entering the wrong programming value for the LDA.

Context:
- System context: The digital system/component failed because the initial load drop anticipatory logic for LP inlet pressure used the wrong reset value. The system required entering 50% of the pressure instead of 50 psi. This was different from what personnel had been doing before. The design change also removed the LDA system armed lights from the human-system interface.
- Crew context: There was no peer checking or close supervision of the programming value. A human factors evaluation following the design change did not test the programming value. The procedures were not modified to reflect the fact that the operator needs to monitor the turbine crossover pressure to verify that the system is not armed.
- Task context: The task is simple. No human performance challenge is identified.

Task analysis and applicable cognitive failure modes: The task required by the human action is to enter the 50% LP programming value into the LDA system. The task is a planned, straightforward action execution. It requires the macrocognitive function of Action Execution, with the processors:
- E4 - Implement action scripts.
- E5 - Verify and adjust execution outcomes.
The applicable CFM is CFM4: Failure of Action Execution.

Applicable PIFs: The PIFs applicable to CFM4 are evaluated against the context and task analysis of the human action. The following PIF attributes are applicable:
- SF2 - Unfamiliar elements in the scenario (the maintenance crew might not be familiar with the new system, which required a different unit in data entry)
- C39 - Unlearn or break away from automaticity of trained action scripts
- HSI10 - Ergonomic deficits - maneuvers of controls are unintuitive or unconventional
- HSI13 - Controls provide inadequate or ambiguous feedback, i.e., lack of or inadequate confirmation of the action executed
- PG3 - Procedure lacks details (procedures may not have been updated to alert operators to the removal of the LDA lights)
- WP2 - Lack of or ineffective peer checking or supervision

Recovery of human errors: IDHEAS-ECA credits recovery of human errors under four criteria: an existing recovery path, existing cues that indicate the human error, adequate manpower, and adequate time to perform the recovery. Both post-change testing and the human factors evaluation should have provided the cue indicating the wrong programming value. However, the removal of the LDA system armed lights and the opacity of the DI&C human-system interface may obscure the cue; therefore, recovery of the human error is less likely.
The two case studies involve simple, straightforward action execution in a DI&C environment. Performing such simple human actions is highly reliable with traditional analog systems that use physical components such as dials, knobs, and indicators. However, with the soft controls of DI&C human-system interfaces, personnel lose the visual and tactile feedback of manipulating a control, and peer checking is either lost or less effective. In addition, DI&C system behaviors may be less transparent to personnel. The associated PIF attributes can increase the likelihood of human errors. Moreover, while DI&C systems have the advantage of processing information faster and simplifying human actions, they leave fewer opportunities for personnel to detect and recover an error before it leads to undesired consequences.
Because the two cases were made generic for demonstration, without the specific context of a real event, we were not able to evaluate many PIFs in IDHEAS-ECA. For example, DI&C systems may have advantages over traditional analog systems by reducing personnel workload (e.g., the removal of the indication lights in Case Study 2 was intended to reduce the operator workload of monitoring the lights), simplifying human actions, and possibly reducing the interruptions and distractions personnel experience while performing an action. Such positive context could mitigate negative PIF attributes and thus increase human reliability. Therefore, the overall impact of DI&C systems on human reliability depends on the contexts that challenge and facilitate human performance.
5. CONCLUSIONS
It has been questioned whether traditional HRA methods, largely developed for analog control rooms, are applicable to digital control rooms. IDHEAS-ECA was developed as a technology-neutral HRA method, based on state-of-the-art research and human error data from traditional analog and advanced digital work environments. It should, in principle, be applicable to digital systems inside and outside control rooms. This paper presents a preliminary analysis of the applicability and demonstrates it with two case studies. The study shows that IDHEAS-ECA can be used to understand the impact of digital interfaces on crew reliability. A more thorough validation of the applicability is a continuous process as more human performance data with DI&C systems become available.