ML23067A201

2023 Hmit & PSA Conference Paper IDHEAS-ECA Application for Digital I&C Control Room Modernization
Issue date: 07/17/2023
From: Chang Y, Jing Xing
NRC/RES/DRA/HFRB

Application of Human Reliability Analysis to DI&C Control Room Modernization

Jing Xing, Y. James Chang
U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, USA
jing.xing@nrc.gov, james.chang@nrc.gov

ABSTRACT

Many operating U.S. plants are planning modernization projects to replace their analog instrumentation and control systems and human-system interfaces with new digital systems. Nuclear power plant control room modernization introduces digital instrumentation and control (DI&C) systems and digital human-system-interfaces to operators. These new systems are expected to offer functions and capabilities that are vital for performance and plant safety.

Although digital technology potentially can improve operational performance, there are challenges to using this technology. Moreover, introducing new technologies to control rooms would introduce new operator actions, change existing operator actions, and change the context of actions. The impact of such changes on operator performance and plant safety should be evaluated as new technologies are being introduced. This paper describes the process and two case studies of applying the NRC's human reliability method, the Integrated Human Event Analysis System for Event and Condition Analysis (IDHEAS-ECA), to the analysis of changing operator actions with the introduction of control room digital systems. The process with the case demonstration can be used along with the human factors engineering process to systematically identify and analyze potential risks associated with DI&C control room modernization. This paper also demonstrates the applicability of IDHEAS-ECA in human reliability analysis of the DI&C working environment.

Keywords: Human reliability analysis, IDHEAS-ECA, digital instrument and control, digital modernization

1. INTRODUCTION

Nuclear power plant (NPP) control room modernization introduces digital instrumentation and control (DI&C) systems and digitized human-system-interfaces to operators. The DI&C systems sense basic parameters, monitor the plant's processes and various barriers that prevent release of radioactive material, and adjust operations as needed. Employing these techniques will introduce more intricate control of plant systems and processes. DI&C systems also support increased automation and new forms of automation that make greater use of interactions between personnel and automatic functions. DI&C systems interact with plant personnel through various human-system-interfaces such as soft controls, advanced displays, alarm systems, computerized procedures, and advanced communication systems.

DI&C may increase sensing capabilities, information-processing support, intelligent agents, automation, and software-mediated interfaces. This extends the distance between personnel and the physical plant by adding many processes between the plant's physical signals and the operators who respond to those signals and manipulate plant status. Although these technologies potentially are beneficial, they add to complexity for personnel operating and maintaining the plant, and thus adversely affect the human-system-interfaces and operator performance. Thus, it is important to perform human factors engineering on DI&C systems to ensure human performance and to perform risk assessment to identify and prevent human errors in the digital working environment.

The U.S. Nuclear Regulatory Commission (NRC) uses probabilistic risk assessment (PRA) technology in its regulatory and licensing activities. The risk-informed approach complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy [1]. PRA models the reliability of systems and personnel to mitigate a system abnormality and prevent it from developing undesired consequences. It addresses three key questions: what can go wrong, how likely is it to go wrong, and what are the consequences [2]. Human reliability analysis (HRA) is an essential part of PRA. HRA is an engineering approach that systematically analyzes human performance for events or specified conditions.

The Integrated Human Event Analysis System for Event and Condition Assessment (IDHEAS-ECA) is an HRA method developed by the NRC staff to support risk-informed decisionmaking [3]. IDHEAS-ECA analyzes human events and estimates human error probabilities (HEPs) for use in PRA applications.

The IDHEAS-ECA method is based on the General Methodology of an Integrated Human Event Analysis System (IDHEAS-G) (NUREG-2198) [4]. IDHEAS-G and IDHEAS-ECA were developed because, in recent years, the scope of application of HRA has expanded into situations beyond the scope of existing HRA methods. The application scope of IDHEAS-ECA is broad. The method has a set of cognitive failure modes to model failures of any human tasks. IDHEAS-ECA models human actions in a PRA (i.e., human failure events) using five macrocognitive functions: Detection, Understanding, Decisionmaking, Action Execution, and Interteam Coordination. The failure of a human action is caused by the context that challenges human performance. IDHEAS-ECA uses a comprehensive set of performance-influencing factors (PIFs) that model the context of a human event. The method covers all the PIFs in existing HRA methods and the factors reported in the broad literature, including studies on traditional human-machine interfaces and new technologies powered by advanced human-system-interfaces and digital instrument and controls. Because IDHEAS-ECA is cognition-centred with the comprehensive PIF structure, it can model the context of human events inside and outside the control room of an NPP, and it is technology-neutral. In principle, the method can be used for HRA of human actions with DI&C technologies in advanced control rooms and DI&C modernization. This paper analyzes IDHEAS-ECA application in the DI&C environment and demonstrates the use with two examples of human actions in control room DI&C upgrades.

2. OVERVIEW OF IDHEAS-ECA METHOD

2.1. IDHEAS Macrocognition Model

A human action or a critical task involves performing cognitive activities, which demand brain resources. IDHEAS-ECA models the cognitive demands of a task using five macrocognitive functions, which are the high-level brain functions that must be successfully accomplished to achieve a task. IDHEAS-ECA uses the following macrocognitive functions:

  • Detection (D) is noticing cues or gathering information in the work environment.
  • Understanding (U) is the integration of pieces of information with a person's mental model to make sense of the scenario or situation.
  • Decisionmaking (DM) includes selecting strategies, planning, adapting plans, evaluating options, and making judgments on qualitative information or quantitative parameters.
  • Action Execution (E) is the implementation of the decision or plan to change some physical component or system.
  • Interteam Coordination (T) focuses on how various teams interact and collaborate on a critical task.

The first four macrocognitive functions (D, U, DM, and E) may be performed by an individual or a team, and Interteam Coordination is performed by multiple groups or teams.

With the macrocognition model, IDHEAS-ECA provides a set of five cognitive failure modes (CFMs) to model failure of a task. Each CFM represents the failure of a macrocognitive function demanded to accomplish the task. The CFMs are defined as follows:

  • CFM1 - Failure of Detection
  • CFM2 - Failure of Understanding
  • CFM3 - Failure of Decisionmaking
  • CFM4 - Failure of Action execution
  • CFM5 - Failure of Interteam coordination

IDHEAS explains the process of achieving each macrocognitive function, and the elements of the process are referred to as processors. Thus, a human error made to a processor can be viewed as a detailed failure mode or an error mechanism for the CFM. IDHEAS-ECA guidance recommends that HRA analysts use the processors to verify the selection of the applicable CFMs and distinguish between the CFMs. Table 1 shows the processors associated with each CFM.

Table 1: IDHEAS-ECA Cognition Model: Macrocognitive Function Processors

| D - Detection | U - Understanding | DM - Decisionmaking | E - Action Execution | T - Interteam Coordination |
|---|---|---|---|---|
| D1 - Initiate detection | U1 - Assess/select data. | DM1 - Select decisionmaking model. | E1 - Assess action plan and criteria. | T1 - Establish or adapt interteam coordination |
| D2 - Select, identify, and attend to sources of information. | U2 - Select/adapt/develop the mental model. | DM2 - Manage the goals and decision criteria. | E2 - Develop or modify action scripts. | T2 - Manage information |
| D3 - Perceive, recognize, and categorize information. | U3 - Integrate data with the mental model | DM3 - Acquire and select data for decisionmaking. | E3 - Coordinate and command action implementation. | T3 - Maintain shared situational awareness. |
| D4 - Verify and modify the outcomes of detection. | U4 - Verify and revise the understanding | DM4 - Make decision | E4 - Implement action scripts. | T4 - Manage resources |
| D5 - Retain or communicate the outcomes. | U5 - Export the outcome. | DM5 - Evaluate the decision or plan. | E5 - Verify and adjust execution outcomes. | T5 - Plan interteam collaborative activities |
| | | DM6 - Communicate and authorize the decision. | | T6 - Implement decisions and commands |

2.2 PIF Structure

The IDHEAS-ECA process begins with analyzing a scenario and searching for the context that challenges or facilitates human performance. The method uses 20 PIFs and the associated attributes to model the scenario context. The IDHEAS PIF structure is composed of the following: (1) PIF category, (2) PIFs, and (3) PIF attributes. PIFs are categorized into the four categories of event context: environment and situation, system, personnel, and task. They are described as follows:

1) Environment and situation context: This consists of conditions in the personnel's work environment and the situation in which actions are performed. It includes the weather, radiation or chemicals in the workplace, and any extreme operating conditions.
2) System context: Systems are the objects of the HFEs. The action's objectives are achieved through systems, which include operational systems, supporting systems, instrumentation and control (I&C), physical structures, human-system interface (HSI), and equipment and tools.
3) Personnel context: Personnel are the people who perform the action. Personnel includes individuals, teams, and organizations. The personnel context describes who the personnel are; their qualifications, skills, knowledge, abilities, and fitness to perform the action; how they work together; and the organizational measures that help personnel work effectively.
4) Task context: The task context describes the cognitive and physical task demands for personnel and special conditions in the scenario that make tasks difficult to perform. An action may consist of one or more discrete tasks.

IDHEAS-ECA uses PIFs to characterize the contexts. IDHEAS-ECA has 20 PIFs in the four context categories as shown in Table 2. This list of PIFs covers all PIFs in existing HRA methods and factors reported in the literature and nuclear human event databases.

Table 2: PIFs in IDHEAS-ECA

| Environment and situation | System | Personnel | Task |
|---|---|---|---|
| Work location accessibility and habitability | System and I&C transparency to personnel | Staffing | Information availability and reliability |
| Workplace visibility | Human-system interfaces | Procedures, guidelines, and instructions | Scenario familiarity |
| Noise in workplace and communication pathways | Equipment and tools | Training | Multi-tasking, interruption and distraction |
| Cold/heat/humidity | | Teamwork and organizational factors | Task complexity |
| Resistance to physical movement | | Work processes | Mental fatigue |
| | | | Time pressure and stress |
| | | | Physical demands |

A PIF is characterized with a set of attributes. A PIF attribute is an assessable characteristic of a PIF and describes a way the PIF increases the likelihood of error in the macrocognitive functions. HEP estimation of a CFM is based on the assessment of PIF attributes applicable to the CFM. Appendix B of IDHEAS-ECA report [1] lists all the attributes for IDHEAS PIFs. Table 3 shows the attributes for PIF Human-System Interface as an example.

Table 3. Attributes of PIF Human-System Interface

Human-System Interface: This PIF models the impact of the HSI on human performance. Poorly designed HSIs can impede task performance in unusual event scenarios. Even a well-designed HSI may not support human performance in specific scenarios that designers or operational personnel did not anticipate. HSIs may also become unavailable or unreliable in hazardous scenarios.

  • HSI0 - No impact - well designed HSI supporting the task
  • HSI1 - Indicator is similar to other sources of information nearby
  • HSI2 - No sign or indication of technical difference from adjacent sources (meters, indicators)
  • HSI3 - Related information for a task is spatially distributed, not organized, or cannot be accessed at the same time
  • HSI4 - Un-intuitive or un-conventional indications
  • HSI5 - Poor salience of the target (indicators, alarms, alerts) out of the crowded background
  • HSI6 - Inconsistent formats, units, symbols, or tables
  • HSI7 - Inconsistent interpretation of displays
  • HSI8 - Similarity in elements - Wrong element selected in operating a control element on a panel within reach and similar in design in control room
  • HSI9 - Poor functional localization - 2 to 5 displays / panels needed to execute a task
  • HSI10 - Ergonomic deficits
      - Controls are difficult to maneuver
      - Labeling and signs of controls are not salient among crowd
      - Inadequate indications of states of controls
      - Small unclear labels, difficult reading scales
      - Maneuvers of controls are un-intuitive or unconventional
  • HSI11 - Labels of the controls do not agree with document nomenclature, confusing labels
  • HSI12 - Controls do not have labels or indications
  • HSI13 - Controls provide inadequate or ambiguous feedback, i.e., lack of or inadequate confirmation of the action executed (incorrect, no information provided, measurement inaccuracies, delays)
  • HSI14 - Confusion in action maneuver states (e.g., automatic resetting without clear indication)
  • HSI15 - Unclear functional allocation (between human and automation)

3. ANALYSIS OF IDHEAS-ECA APPLICABILITY TO DI&C ENVIRONMENT

Analysis of IDHEAS-ECA applicability to DI&C needs a description of DI&C features with respect to human performance. Presley et al [5] developed a template to organize human performance information relevant to the use of digital technologies in control rooms. Because the HRA performance influencing factors correlate closely with design elements associated with human factors engineering, Presley et al used HFE design elements as the basis for organizing DI&C features for HRA data collection. Using the human factors engineering design elements allows data from diverse sources to be compared and evaluated via a common lens. As a preliminary effort, we used this taxonomy to show that IDHEAS-ECA is capable of modeling human performance aspects of the DI&C human factors design elements. Table 4 demonstrates a portion of the analysis. The first and middle columns are the design elements and their associated class types from Presley et al. The third column shows some examples of IDHEAS-ECA PIF attributes that are more likely to be affected by the DI&C elements than by traditional analog systems. This list is a proof of concept. It is not exclusive, and the PIFs may come to play important roles for specific design elements and class types.

Table 4: Proposed Taxonomy of Design Element Categories and Associated Classes

| Design Elements | Classes | Examples of IDHEAS-ECA PIF attributes potentially affected |
|---|---|---|
| Multi-User Display | Fixed, Dynamic, or Mixed | PIF Information availability and reliability: INF1 - Information is temporarily incomplete or not readily available; INF2 - Information unreliable or uncertain |
| Individual user workstation (or display) | Information Selection; System, Function Display level; Integrated Process Status Overview; Information Sharable Function | PIF Task complexity: C1 - Detection overload with multiple competing signals; C2 - Detection is moderately complex. PIF Human-system-interface: HSI5 - Poor salience of the target (indicators, alarms, alerts) out of the crowded background; HSI9 - Poor functional localization - multiple (2~5) displays / panels needed to execute a task. PIF Teamwork factors: TF2 - Poor command & control; TF3 - Poor information management in multiple-team tasks. PIF Multitasking, Interruption, and Distraction: MT1 - Distraction by other on-going activities that demand attention |
| Soft Control Systems | Cursor-based, Touchscreen, Keyboard | PIF Task complexity: C39 - Unlearn or break away from automaticity of trained action scripts. PIF Human-system-interface: HSI13 - Controls provide inadequate or ambiguous feedback; HSI14 - Confusion in action maneuver states (e.g., automatic resetting without clear indication); HSI15 - Unclear functional allocation (between human and automation) |
| Alarm Systems | Static Binary, State-based/mode-based; Computer/Function Based; Voice Alarm Output | PIF Human-system-interface: HSI1 - Indicator is similar to other sources of information nearby; HSI5 - Poor salience of the target (indicators, alarms, alerts) out of the crowded background. PIF Task complexity: C1 - Detection overload with multiple competing signals (in an analog control room, operators group alarms in spatial patterns, while digital-based alarms may not allow the use of spatial patterns). |
| Computer-based Procedures | PDF; Advisory; Shared; Automated; Dynamic Info/Integrated Controls in Step, Digital coordination (joint, independent) | PIF Human-system-interface: HSI13 - Controls provide inadequate or ambiguous feedback, i.e., lack of or inadequate confirmation of the action executed (incorrect, no information provided, measurement inaccuracies, delays); HSI14 - Confusion in action maneuver states (e.g., automatic resetting without clear indication); HSI15 - Unclear functional allocation (between human and automation). PIF Procedures, Guidance, and Instructions: PG6 - No verification in procedure for verifying key parameters for detection or execution; PG7 - No guidance to seek confirmatory data when data may mislead for diagnosis or decisionmaking |
| Decision Support Systems | Monitoring; Diagnostic; Prognostic Systems | PIF Multitasking, Interruption, and Distraction: MT1 - Distraction by other on-going activities that demand attention; C13 - Understanding complexity - Requiring high level of comprehension; C16 - Conflicting information, cues, or symptoms |
| Overall Design Human-Automation Interaction Control | Manual (operator hands on), Shared, Automatic or Autonomous | PIF System and I&C Transparency: SIC1 - System or I&C does not behave as intended under special conditions; SIC2 - System or I&C does not reset as intended; SIC3 - System or I&C is complex or non-transparent for personnel to predict its behavior; SIC4 - System or I&C failure modes are not transparent to personnel |

Next we analyzed more detailed design features using IDHEAS-ECA cognitive failure modes and PIF attributes. HRA uses failure modes to generalize or categorize various human errors made in performing tasks. Thus, identifying failure modes first requires defining the tasks that the design features serve. For demonstration, we did not perform task analysis of the digital systems. Instead, we used the generic tasks associated with various DI&C human-system-interfaces in control rooms by O'Hara et al [6]. The taxonomy of the generic tasks is similar to the macrocognitive functions in IDHEAS. For example, the task for using alarm systems is to receive and respond to alarms. This corresponds to the macrocognitive function of Detection. We then evaluated the processors of Detection and identified potential ways that personnel could make errors to the processor in the digital environment. IDHEAS General Methodology [4] defines a set of generic errors to the processors and refers to those as detailed failure modes. Digital design features change the characteristics of personnel's tasks, and therefore may incur different detailed failure modes that traditional analog systems would not incur [7].

We demonstrate the potential detailed failure modes and PIF attributes for the example design features from Presley et al, as shown in the first column of Table 5 below. The second column shows the potential detailed failure modes that are more likely to contribute to the CFM due to the characteristics of human tasks in using the design feature; the right-most column shows the PIF attributes that could be potentially affected by the design feature.

Table 5. IDHEAS-ECA Failure Mode and PIF Analysis of Digital Design Features

| Digital design features | Potentially incurred detailed failure modes | Potentially affected PIF attributes |
|---|---|---|
| Alarm - Information salience (e.g., scroll list, visual panels) | D2 - Not attending to sources of information. D3 - Incorrectly categorizing / responding to the alarm | HSI3 - Related information for a task is spatially distributed, not organized, or cannot be accessed at the same time; HSI5 - Poor salience of the target (indicators, alarms, alerts) out of the crowded background |
| Alarm complexity and priority functioning (e.g., alarm reduction logic; grouping; historical retrieval) | D1 - Incorrectly prioritizing alarms. D2 - Incorrectly identifying the alarms for response | C4 - Detection criteria are highly complex: multiple criteria to be met in complex logic; information of interest must be determined based on other pieces of information |
| Workstation - Support for degraded HSI/I&C conditions / Signal validation | U1 - Incorrectly assessing the data / signals. U2 - Not having or selecting the wrong mental model for degraded signals. | HSI3 - Related information for a task is spatially distributed, not organized, or cannot be accessed at the same time; SIC4 - System or I&C failure modes are not transparent to personnel; C15 - Ambiguity associated with assessing the situation: key information is cognitively masked; pieces of key information are intermingled |
| Workstation - data calculation/interpretation | D3 - Incorrectly recognizing / interpreting the perceived data. U3 - Integrate data with the mental model | C4 - Detection criteria are highly complex: information of interest must be determined based on other pieces of information; C12 - Relational complexity: relations involved in a human action are very complicated for understanding; need to integrate multiple relations |
| Workstation - Design (structure, size, and number of screens); Ease of getting to information | D2 - Attending to wrong sources of information. E4 - Incorrectly execute the action with soft control. Implement action scripts. E5 - Not verifying execution outcomes. | HSI9 - Poor functional localization - 2~5 displays / panels needed to execute a task; HSI10 - Ergonomic deficits - maneuvers of controls are un-intuitive or unconventional; HSI13 - Controls provide inadequate or ambiguous feedback, i.e., lack of or inadequate confirmation of the action executed |
| 2nd checker; MCR crew functions and responsibilities; concept of operations | D4 - Not verifying the outcomes of detection. E5 - Not verifying and adjusting execution outcomes. | TF3 - Poor information management in multiple-team tasks; TF4 - Poor communication capabilities between teams; WP1 - Lack of practice of self- or cross-verification (e.g., 3-way communication); WP2 - Lack of or ineffective peer-checking |

With the preliminary analysis, we demonstrate that IDHEAS-ECA is capable of identifying and modeling human errors in DI&C design elements and features. Because the CFMs are based on the five macrocognitive functions, they are technically neutral and applicable to any human tasks. DI&C and traditional analog systems may be prone to human errors in different processors or error mechanisms of the same CFM. Similarly, while IDHEAS-ECA PIFs are comprehensive and are capable of modeling the design elements and features of DI&C and traditional analog systems, DI&C design may affect different attributes of the same PIF from those attributes that are more likely to be affected by analog systems.

4. TWO CASE STUDIES OF HUMAN EVENT ANALYSIS IN DI&C ENVIRONMENT

IDHEAS-ECA has eight steps to perform HRA of a human event. The purpose of the case studies here is to demonstrate the applicability of IDHEAS-ECA to DI&C events; thus the paper presents only a portion of the full HRA analysis, with the focus on cognitive failure modes, performance influencing factors, and recovery of human errors. The two cases analyzed are for demonstration and they were modified from real DI&C events. Both events are human actions maintaining or operating DI&C systems, not control room actions for operating reactors. The recovery analysis is for recovering the human errors made in the events, not the recovery later on by control room operators operating the reactor. The IDHEAS-ECA analyses of the two cases are presented in Table 6 and Table 7.

Table 6. Case Study 1

Operational narrative: During normal maintenance, a replacement network switch configured for Unit 2 was installed in Unit 1. While reconfiguring the switch for Unit 1, a command of "NO VLAN20" was entered on the switch. This command would not normally be entered at a peripheral switch. Entry of this command was propagated to all other switches participating in the Unit 2 virtual local area network (VLAN20). This resulted in deletion of VLAN20 from all active VLAN databases on the PDN. All communication for Unit 2 devices on the PDN is via VLAN20. Deletion of this VLAN resulted in inability of Unit 2 devices to communicate via the PDN. Operators noticed the error; the systems were restored to normal without leading to unsafe consequences.

Human failure event: Personnel incorrectly reconfigures Unit 1 network switch in a normal maintenance.

Context:
  • System context: Multiunit interaction through the PDN is not transparent to the personnel.
  • Crew context: No peer checking or close supervision for reconfiguring the switch. The work instructions and procedures may not have the details requiring personnel to check the status and reset the parameters of the network switch before replacement.
  • Task context: The personnel may experience some level of interruption and distraction in a specific event. This analysis assumes that there was no interruption/distraction during a normal maintenance.

Task analysis and applicable cognitive failure modes: The critical task in the human action is to reconfigure the Unit 1 LAN network. The personnel entered the command "NO VLAN20", a command that would not normally be entered at a peripheral switch. Moreover, the command was entered on a switch that was previously configured for Unit 2. Performing the critical task requires the macrocognitive function of Action Execution, with the processors:
  • E2: Assess or interpret the action plan (e.g., personnel allocation, equipment / tool preparation, or coordination)
  • E4: Execute the action steps
  • E5: Adjust action by monitoring, measuring, and assessing outcomes
The applicable cognitive failure mode for the human action is CFM4: Failure of Action Execution.

Performance influencing factors (PIFs):
  • SF2 - Unfamiliar elements in the scenario - nonroutine, infrequently performed tasks ("This command would not normally be entered at a peripheral switch", cited in the Operational Narrative)
  • HSI13 - Controls provide inadequate or ambiguous feedback, i.e., lack of or inadequate confirmation of the action executed
  • HSI14 - Confusion in action maneuver states (e.g., automatic resetting without clear indication)
  • SIC2 - System or I&C does not reset as intended
  • SIC3 - System or I&C is complex or nontransparent for personnel to predict its behavior
  • WP2 - Lack of or ineffective peer checking or supervision
  • PG1 - Procedure design is less than adequate - graphics or symbols not intuitive

Recovery of human error: IDHEAS-ECA credits recovery of human errors under four criteria: existing recovery path, existing cues indicate the human error, adequate manpower, and adequate time for performing recovery. In this event, the system most likely does not provide a recovery path. Even if it does, there is no cue indicating the human error, and there is no time between the completion of entering the command and the occurrence of the consequence (loss of Unit 2 VLAN). Therefore, recovery is not creditable.

Table 7. Case Study 2 Operational Following the installation of the digital turbine control system, a change request notice (CRN) narrative was approved to change the load drop anticipatory (LDA) disarm logic to monitoring Crossover Pressure (50 psi), which previously is disarmed itself when Turbine Load Setpoint was <50%

turbine load. To reset the armed value a dead band value was needed. Since 50 was the previous reset value, the programmer selected 50 as the new reset value. However, this programming value was in pressure (psi) and not % turbine load. In addition, the previous LDA armed light was removed from the control room panel (>50% FLOW), while the new HMI design provided the

operators the actual crossover pressure values. The new HMI screens did not provide any positive indication of LDA arming/disarming.

The unit was commencing the down power maneuver. There was a sudden loss of turbine load at 25% reactor power. At 25% reactor power, the generator megawatts unexpectedly reduce to zero, with no operator action. This occurred because the turbine intercept and control valves closed automatically because of the load drop anticipatory (LDA) logic actuation. The LDA is a protective feature that is designed to actuate when megawatt load is <20% while low pressure turbine inlet pressure is still greater than 50% load (based on low pressure turbine inlet steam pressure). The circuit is designed to disarm at less than 50% load. The system setpoints for this 50% load did not disarm the circuit as expected. The turbine control system received the megawatt load <20% signal, and then actuated the LDA logic.

Human Personnel failed of correctly performing the planned design change by entering wrong failure programming value to the LDA.

event Context System context: The digital system/component failed because Initial Load Drop Anticipatory logic for LP inlet pressure used wrong reset value. The system required entering 50% of the pressure instead of 50 psi. This was different from what personnel had been doing before. The design change also had the removal of the LDA system armed lights on the human-system-interface.

Crew context: There was no peer checking or close supervision on programming value. A Human Factors Evaluation following the design change did not test the programming value. The procedures were not modified to reflect the fact that the operator needs to monitor the turbine crossover pressure to verify that the system is not armed.

Task context: The task is simple. No human performance challenge is identified.

Task The task / activities required by the human action is to enter the 50% LP programming value to analysis and LDA system. The task is planned, straightforward action execution. The task requires the applicable macrocognitive function of Action Execution processors:

cognitive E4 - Implement action scripts.

failure E5 - Verify and adjust execution outcomes.

modes The applicable CFM is CFM4 Failure of Action Execution.

Applicable PIFs

The PIFs applicable to CFM4 are evaluated against the context and task analysis of the human action. The following PIF attributes are applicable:

SF2 Unfamiliar elements in the scenario (The maintenance crew might not be familiar with the new system that required a different unit in data entry.)

C39 Unlearn or break away from automaticity of trained action scripts

HSI10 Ergonomic deficits - maneuvers of controls are unintuitive or unconventional.

HSI13 Controls provide inadequate or ambiguous feedback, i.e., lack of or inadequate confirmation of the action executed

PG3 Procedure lacks details (Procedures may not have been updated to alert operators to the removal of the LDA lights.)

WP2 Lack of or ineffective peer checking or supervision

Recovery of human errors

IDHEAS-ECA credits recovery of human errors under four criteria: existing recovery path, existing cues indicate the human error, adequate manpower, and adequate time performing recovery. Both post-change testing and human factors evaluation should have provided the cue indicating the wrong programming value. However, the removal of the LDA system armed lights and the opacity of the DI&C human-system-interface may obscure the cue; therefore, recovery of the human error is less likely.
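A simplified model of the LDA arming logic from this case study, added here as an illustration; it is not taken from the paper or from any plant's turbine control system. The linear pressure-to-load relation, the 240 psi rated pressure, storing the reset value in psi, and all function names are assumptions. It shows the kind of post-change test that exposes a reset value entered as 50 psi instead of 50% of the pressure.

```python
# Assumptions (not from the paper): LP turbine inlet pressure scales linearly
# with load, rated pressure is 240 psi, and the reset value is stored in psi.
RATED_LP_INLET_PSI = 240.0   # constructed value for illustration
MW_TRIP_PCT = 20.0           # LDA actuates when megawatt load is below 20%
DISARM_LOAD_PCT = 50.0       # circuit is designed to disarm below 50% load


def lp_inlet_psi(load_pct):
    """Assumed linear relation between load and LP inlet pressure."""
    return RATED_LP_INLET_PSI * load_pct / 100.0


def lda_armed(load_pct, reset_psi):
    """The circuit stays armed while LP inlet pressure exceeds the reset value."""
    return lp_inlet_psi(load_pct) > reset_psi


def lda_actuates(load_pct, mw_pct, reset_psi):
    """Actuation needs an armed circuit and megawatt load below 20%."""
    return lda_armed(load_pct, reset_psi) and mw_pct < MW_TRIP_PCT


def post_change_test(reset_psi):
    """Sweep a down-power maneuver from 100% to 0% load in 1% steps and
    return every load below 50% at which the circuit is still armed."""
    return [load for load in range(100, -1, -1)
            if load < DISARM_LOAD_PCT and lda_armed(load, reset_psi)]


if __name__ == "__main__":
    intended = lp_inlet_psi(DISARM_LOAD_PCT)  # 50% of the pressure
    entered = 50.0                            # 50 psi, the wrong value
    for label, value in (("intended", intended), ("entered", entered)):
        armed = post_change_test(value)
        span = f"{armed[-1]}%..{armed[0]}% load" if armed else "none"
        print(f"{label} reset {value} psi: armed below 50% load at {span}")
    # Event condition: 25% power with megawatt load just under 20%
    print("actuates with entered value:", lda_actuates(25, 19, entered))
```

With the wrong value the sweep reports a band of loads below 50% where the circuit is still armed, which is the cue the removed armed lights would otherwise have given.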

The two case studies involve simple, straightforward action execution in a DI&C environment. Performing such simple human actions is highly reliable with traditional analog systems using physical components such as dials, knobs, and indicators. However, using soft controls of DI&C human-system-interfaces, personnel lose feedback of action manipulation through visual and touch senses, and peer-checking is either lost or less effective. In addition, DI&C system behaviors may be less transparent to personnel. The associated PIF attributes can increase the likelihood of human errors. Moreover, while DI&C systems have the advantage of processing information faster and simplifying human actions, they leave fewer opportunities for personnel to detect the error made and recover from it because the error leads to undesired consequences.

Because the two cases were made generic for demonstration without the specific context of a real event, we were not able to evaluate many PIFs in IDHEAS-ECA. For example, DI&C systems may have advantages over traditional analog systems by reducing personnel workload (e.g., the removal of the indication lights in Case Study 2 was intended to reduce operator workload of monitoring the lights), simplifying human actions, and possibly reducing the interruptions / distractions personnel experience while performing an action. Such positive context could mitigate negative PIF attributes and thus increase human reliability. Therefore, the overall impact of DI&C systems on human reliability depends on the contexts that challenge and facilitate human performance.

5. CONCLUSIONS

It has been questioned whether traditional HRA methods, largely developed for analog control rooms, are applicable to digital control rooms. IDHEAS-ECA was developed as a technology-neutral HRA method, and it was based on state-of-the-art research and human error data in traditional analog and advanced digital work environments. It should be, in principle, applicable to digital systems inside and outside control rooms. This paper presents a preliminary analysis of the applicability and demonstrates the applicability with two case studies. The study shows that IDHEAS-ECA can be used for understanding the impact of digital interfaces on crew reliability. A more thorough validation of the applicability is a continuous process as more human performance data with DI&C systems become available.
6. REFERENCES

[1] U.S. Nuclear Regulatory Commission, Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities; Final Policy Statement, U.S. Nuclear Regulatory Commission, Federal Register, Vol. 60, p. 42622 (60 FR 42622), Aug. 1995.

[2] S. Kaplan and B. J. Garrick, On the Quantitative Definition of Risk, Risk Anal., vol. 1, no. 1, pp. 11-27, Mar. 1981.

[3] J. Xing, Y. J. Chang, and J. DeJesus, The General Methodology of an Integrated Human Event Analysis System (IDHEAS-G) U.S. Nuclear Regulatory Commission, NUREG-2198 (ADAMS Accession No. ML19235A161), 2019.

[4] J. Xing, Y. J. Chang, and J. DeJesus, "Integrated Human Event Analysis System For Event and Condition Assessment (IDHEAS-ECA)". U.S. Nuclear Regulatory Commission, NUREG-2256, ADAMS Accession Number: ML22165A282, 2022

[5] M. Presley, R. Boring, T. Ulrich. et. al., A Taxonomy and Meta-Analysis Template for Combining Disparate Data to Understand the Effect of Digital Environments on Human Reliability.

Proceedings l2021 International Topical Meeting on Probabilistic Safety Assessment and Analysis (PSA 2021), Pages 1033-1042, 2021

[6] O'Hara, J.M., Gunther, B., Martinez-Guridi, G., Xing, J.F., & Barnes, V.E., The Effect of Degraded Digital Instrumentation and Control systems on Human-system Interfaces and Operator Performance, BNL--93951-2010-CP, 2010

[7] Electrical Power Research Institute, Data to Support HRA for Digital Environments: Data and Analysis from Korean Simulator Studies. EPRI 3002020751, 2021