|
|
| Line 16: |
Line 16: |
|
| |
|
| =Text= | | =Text= |
| {{#Wiki_filter:NUREG-1624 Technical Basis and Implementation Guidelines for A Technique for Human Event Analysis (ATHEANA) i Draft Report for Comment U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research 8/ | | {{#Wiki_filter:}} |
| l
| |
| $&W c a ,.
| |
| | |
| AVAILABILITY NOTICE l Availability of Reference Mater:als Cited in NRC Publications Most do :uments cited in NRC publications will be available from one of the following sources:
| |
| : 1. The NRC Public Document Room, 2120 L Street, NW., Lower Level, Washington, DC 20555-0001
| |
| : 2. The Superintendent of Documents, U.S. Government Printing Office, P. O. Box 37082, Washington, DC 20402-9328
| |
| : 3. The National Technical Information Service, Springfield, VA 22161-0002 Although the listing that follows represents the majority of documents cited in NRC publica-tions, it is not intended to be exhaustive.
| |
| Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC bulletins, circulars, information notices, inspection and investigation notices; licensee event reports; vendor reports and correspondence; Commission papers; and applicant and licensee docu-ments and correspondence.
| |
| The following documents in the NUREG series are available for purchase from the Government Printing Office: formal NRC staff and contractor reports, NRC-sponsored conference pro-ceedings, international agreement reports, grantee reports, and NRC booklets and bro-chures. Also available are regulatory guides. NRC regulations in the Code of Federal Regula-tions, and Nuclear Regulatory Commission Issuances.
| |
| Documents available from the National Technical Information Service include NUREG-series reports and technical reports prepared by other Federal agencies and reports prepar ed by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.
| |
| Documents available from public and special technical libraries include all open literature items, such as books, journal articles, and transactions. Federal Register notices, Federal and State legislation, and congressional reports can usually be obta ned from these libraries.
| |
| Documents such as theses, dissertations, foreign reports and translations, and non-NRC con-forence proceedings are available for purchase from the organization sponsoring the publica-tion cited.
| |
| Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office of Administration, Distribution and Mail Services Sectio'n , U.S. Nuclear Regulatory Commission, Washington DC 20555-0001.
| |
| Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, Two White Flint North,11545 Rockville Pike, Rock-ville, MD 20852-2738, for use by the public. Codes and standards are usually copyrighted ,
| |
| and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute,1430 Broadway, New York, NY 10018-3308. !
| |
| | |
| l l
| |
| NUREG-1624 1 Technical Basis and Implementation Guidelines for A Technique for Human Event Analysis (ATHEANA) l l
| |
| Draft Report for Comment Manuscript Completed: April 1998 DatePublished: May 1998 Probabilistic Risk Analysis Br:nch Division of Systems Technology ,
| |
| Omce of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 l
| |
| pY %
| |
| . _ - _ _ _ - _ _ _ - - _ _ _ . _ _ _ _ _ . ____a
| |
| | |
| ABSTRACT This report introduces a new, second-generation human reliability analysis (HRA) method called "A Technique for Human Event Analysis,"(ATHEANA), NUREG-1624. ATHEANA is the result of development efforts sponsored by the Probabilistic Risk Analysis Branch in the U.S. Nuclear Regulatory Commission's (NRC)'s Office of Nuclear Regulatory Research. ATHEANA was developed to address limitations identified in current HRA approaches by addressing' errors of commission and dependencies, more realistically representing the human-system interactions that have played important roles in accident response, and integrating advances in psychology with engineering, human factors, and PRA disciplines. The report is divided into two parts. Part I introduces the concepts upon which ATHEANA is built and describes the motivation for following this approach. Part 2 provides the practical guidance for carrying out the method. Appendix A to this report describes a trial demonstration of ATHEANA at a pressurized water reactor nuclear power plant and includes discussions of the training, results, evaluation of the process and tools, and recommendations for changes to ATHEANA training and tools. The demonstration provided confidence that the process can identify the kinds of unsafe act/ error-forcing context combinations that have been observed in serious accidents and provide a useful structure for understanding and improving human performance in operational events.
| |
| i III NUREG-1624, Draft i
| |
| l f
| |
| I w_______
| |
| | |
| TABLE OF CONTENTS AB STRACT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii EXECUTIVE SUMM ARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv FOREWORD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix j ' ACKNOEEGEMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
| |
| : 1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 - 1 1.1 Report Purpose and Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 1.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 -2 1.3 Motivation for a New Approach to Human Reliability Analysis . . . . . . . . . . . 1-4 1.4 An Overview of ATHEANA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7 1.4.1 Psychological Principles of the ATHEANA Method . . . . . . . . . . . . . 1-8 1.4.2 The Process of ATHEANA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10 1.4.2.1 Search Process for HFEs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13 1.4.2.2 Comprehensive or Focused Analysis . . . . . . . . . . . . . . . . . . . 1-13 1.4.2.3 Error-Forcing Context (EFC) . . . . . . . . . . . . . . . . . . . . . . . . . 1-13 1.4.2.4 Quantification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 -14 1.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 - 15 PART 1. PRINCIPLES AND CONCEPTS UNDERLYING THE ATHEANA HRA METHOD
| |
| : 2. GENERAI, DESCRIPTION OF THE ATHEANA HRA METHOD . . . . . . . . . . . . . . . . 2-1 2.1 A Multidisciplinary HRA Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 2.1.1 Error-Forcing Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 2.1.2 Human Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 2.1.3 PRA Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . 2-4 2.2 An Approach for Modeling: ATHEANA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 2.3 Re ferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
| |
| : 3. THE IMPORTANCE OF CONTEXT IN OPERATIONAL EXPERf NCE . . . . . . . . . . . 3-1 3.1 Human Errors Are Driven by Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 3.2 Context in Retrospective Event Analyses Using the Framework . . . . . . . . . . 3-3 3.3 Other Analyses of Operational Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 3.4 Re ferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 -7
| |
| ' 4. PRINCIPLES BASED ON A BEHAVIORAL SCIENCE PERSPECTIVE . . . . . . . . . . . 4-1 4.1 Analysis of Operator Cognitive Performance . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 4.1.1 Situation Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 i 4.1.2 Monitoring and Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 4.1.3 Response Planning . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . 4-5 4.1.4 Response implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 l
| |
| y NUREG-1624, Draft a
| |
| | |
| TABLE OF CONTENTS (Cont'd) 4.2 Cognitive Factors Affecting Operator Performance . . . . . . . . . . . . . . . . . . . . 4-6 4.2.1 Knowledge Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7 4.2.2 Processing Resource Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7 j 4.2.3 Strategic Factors . . . . ........................ ........... 4-9 l 4.3 Failures in Operator Cognitive Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10 l 4.3.1 Failures in Monitoring / Detection . . . . . . . . . .................4-10 l 4.3.2 Failures in Situation Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . 4- 1 1 4.3.3 Failures in Response Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14 !
| |
| 4.3.4 Failures in Response Implementation . . . . . . . . . . . . . . . . . . . . . . . . 4-17 4.4 Conclusions . . . .............................................. 4-17 4.5 Re ferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4- 1 8 4.6 Bibliography of Cognitive Psychology Literature Relevant to ATHEANA . 4-18
| |
| : 5. OPERATIONAL EXPERIENCE ILLUSTRATING ATHEANA PRINCIPLES . . . . . . . 5-1 5.1 Humans and Error-Forcing Context Contributions in Past Operational Experience . . . . . . ........ ...... ........................... 5-2 5.2 Analysis of Error-Forcing Context . . . . . . . . . . . . . . . . . . . .............. 5-3 5.2.1 Error-Forcing Context and Unsafe Actions .................... 5-4 5.2.1.1 Error-Forcing Context in Detection . . . . . . . . . . . . . . ..... 5-5 5.2.1.2 Error-Forcing Context in Situation Assessment ........... 5-5 5.2.1.3 Error-Forcing Context in Response Planing . . . . . . . . . . . . . 5-9 5.2.1.4 Error-Forcing Context in Response Implementation . . . . . . . 5-10 5.2.2 Performance Shaping Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13 5.2.3 Important Lessons from Events Analyses . . . . . . . . . . . . . . . . . . . . 5-14 5.3 An Operational Event Example Illustrating Dependency Effects . . . . . . . . . 5-21 5.4 S umm ary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -2 7 5.5 Re ference s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -2 7 PART 2. APPLICATION OF PRINCIPLES AND CONCEPTS TO ATHEANA
| |
| : 6. FACTORS AND CONDITIONS CAUSING OPERATOR FAILURES . . . . . . ...... 6-1 6.1 The Model ofInformation Processing in a PRA-HRA Context . . . . . . . . . . . 6-1 6.2 Searching for Reasons for Unsafe Actions . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 6.2.1 Failures in Situation Assessment . . . . . . . ..... .............. 6-3 6.2.2 Failures in Response Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6 6.2.3 Failures in Response Execution . . . . . . . ................. .... 6-7 6.3 Integration and Prioritization ...... .............................. 6-8 6.4 Relationships Between Search Process, Quantification, and Incorporation i nto P RA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9 6.5 Re feren ces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... .... .. 6-9
| |
| : 7. S EARC H PROCESS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7- 1 7.1 Preparation for Applying ATHEANA ...... ... . . .. . ... 7-2 l 7.1.1 Step #1: Select the Overall Scope of the Analysis . . . . . . . . . . . . . . 7-2 NUREG-1624, Draft vi
| |
| | |
| l TABLE OF CONTENTS (Cont'd) i 7.1.2 Step #2: Assemble and Train the Multidisciplinary Team . . . . . . .. . . 7-3 i 7.1.3 Step #3: Collect Background Information . . . . . . . . . . . . . . . . . . . . . 7-5 7.1.3.1 Review and Collection of Anecdotal Experience . . . . . . . . . . 7-7 7.1.3.2 Additional Plant-Specific Information Needed for ATH EANA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7- 12 7.1.3.3 Other Information Needed Later in ATHEANA . . . . . . . . . . 7-13 7.1.4 Establish Priorities for the Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 7-14 .
| |
| 7.1.4.1 Step #4: Establish Priorities for Examining Different Initiators and Event Trees . . . . . . . . . . . . . . . . . . . . . .. . . . . . 7-15 7.1.4.2 Step #5: Prioritize Plant Functions / Systems Used to Define Candidate Human Failure Events'. . . . . . . . . . . . . . . . 7-19 7.2 Identification of HFEs and Unsafe Actions Using Plant / System Knowledge 7-22 7.2.1 Step #6: Identify Candidate HFEs . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22 7.2.2 Step #7: Identify Unsafe Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-27 7.2.3 Step #8: Repeat Steps #6 and #7 for Support Systems . . . . . . . . . . . 7-33 7.3 Identify Most Likely Causes of Unsafe Actions . . . . . . . . . . . . . . . . . . . . . . 7-33 7.3.1 Step #9: Two Classes of Causes - Two Separate Search Paths . . . . 7-34 7.3.2 Path A: Mistakes and Circumventions . . . . . . . . . . . . . . . . . . . . . . . . 7-35 7.3.2.1 Step 10A: Identify Relevant Rules . . . . . . . . . . . . . . . . . . . . . 7-37 7.3.2.2 Step 11 A: Identify How Unsafe Actions Could Occur Using
| |
| " Rule s" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . . . 7-46
| |
| - 7.3.2.3 Step 12A: Under What Conditions Could the Operator Believe That the Unsafe Action Is the "Right Thing" to D07 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 9 7.3.2.4 Step 13A: How Could the Operator Believe th UA is the "Right Thing" to D0? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-53 7.3.2.5 Step 14A: Operators Persist in Believing That the Unsafe Action is the "Right Thing" to Do . . . . . . . . . . . . . . . . . . . . . 7-54 7.3.3 Path B: Slips and Lapses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ' 7-55 7.3.3.1 Step #10B: Identify If the Slip / Lapse Is " Unrecoverable" . . 7-55
| |
| - 7.3.3.2 Step #11B: Identify If the Slip / Lapse Can Induce a M istake . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 6 7.3.3.3 Step #12B: Identify the Psychological Causes of Slips /
| |
| Lapses . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 6 ;
| |
| 7.3.3.4 Step #13B: Identify the Contextual Factors that Can :
| |
| l Cause Slips / Lapses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-56 L 7.4 Re ferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 8 i 1
| |
| : 8. QUANTIFICATION . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . 8- 1 8.1 Testing for Adequacy of the Error-Forcing Context . . . . . . . . . . . . . . . . . . . . 8-2 ;
| |
| 8.2 Formulation of Quantification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 i 8.3 Quantification Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8 8.3.1 Quantification of EFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8 ,
| |
| 8.3.1.1 Plant Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9 ]
| |
| vii NUREG.1624, Draft i
| |
| | |
| TABLE OF CONTENTS (Cont'd) !
| |
| 8.3.1.2 Performance Shaping Factors . . . . . . . . . . . . . . . . . . . . . . . . 8-1 I i 8.3.2 Quantification of Unsaf: Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-13 8.3.3 Quantification of Recovery Actions . . . . ... . . . . . . . . . . . . . . . . . . . . 8-16 8.4 Representation of Uncertainties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18 8.5 Re ferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 -20
| |
| : 9. INCORPORATING ATHEANA SCENARIOS INTO PRA . . . . . . . . . . . . . . . . . . . . . . . 9-1 9.1 Scope of the ATHEANA Guidance for PRA Incorporation . . . . . . . . . . . . . . 9-1 9.2 Goals of PRA Incorporation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 i 9.3 Defining HFEs as PRA Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 l
| |
| 9.4 Refinement of HFE Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3 9.5 Impact on the PRA Logic Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0-4 ,
| |
| 9.5.1 Overview of the Typical PRA Model . . . . . . . . . . . . . . . . . . .... 9-5 9.5.2 Treatment of Human Failure Events in Existing PRAs . . . . . . . . . . . . 9-6 ,
| |
| 9.5.3 Incorporating ATHEANA Human Failure Events in the PRA l M odel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9- 1 0 9.6 S ummary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9- 13 l
| |
| : 10. INSIGHTS FROM ATHEANA FOR RISK MANAGEMENT . . . . . . . . . . . . . . . . . . . 10-1 !
| |
| 10.1 Overview of the Risk Management Implications of the Results From the ATHEANA Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1 10.2 Insights from ATHEANA Regarding Risk Management Using PRA . . . . . 10-3 10.2.1 Possible Plant-Specific Iasights and Subsequent Improvements . . . . 10-3 10.2.2 Possible Insights of Value to the NRC and Industry As a Whole . . . 10-4 10.3 Insights Regarding Additional Qualitative Benefits from Using ATHEAN A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 10.4 Generallnsights .............................................. 10-5 APPENDIX A DEMONSTRATION OF ATHEANA AT A PRESSURIZED WATER REACTOR NUCLEAR POWER PLANT . . . . . . . . . . . . . A.1-1 A.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.1 - 1 A. l .1 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.1 -2 A.2 Process and Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.2-1 A.3 Description of Training ........................................ A.3-1 A.4 Screening Process and Definition of Scenarios . . . . . . . . . . . . . . . . . . . . . . . A.4-1 A.4.1 Identification and Prioritization ofInitiators and Event Trees . . . . . . A.4-1 A.4.2 Prioritization of Plant Functions / Systems Used to Define Candidate H FE s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.4 -2 A.4.3 Identification of HFEs and UAs Using Plant / System Knowledge . . . A.4-2 A.4.3.1 Identification of Candidate HFEs . . . . . . . . . . . . . . . . . . . . A.4-3 A.4.3.2 Identification of Unsafe Actions . . . . . . . . . . . . . . . . . . . . . A.4-4 A.4.4 Identification of Most Likely Causes of Unsafe Actions (i.e, Identification of EFCs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.4-4 A.4.5 Definition of Accident Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.4-5 NUREG-1624, Draft viii
| |
| | |
| -TABLE OF CONTENTS (Cont'd)
| |
| A.4.5.1 HFE #1 - Inappropriate Termination of Makeup . . . . . . . . A.4-5 A.4.5.2 HFE #2 - Inappropriate Depletion of Resources . . . . . . . . . A.4-5 A.4.5.3 HFE #3 - Failure to Shut Down (Temporarily) a Diesel Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.4-6 A.5 - Use of the Plant Simulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.5-1 A.5.1 Purpose of Performing the Simulation . . . . . . . . . . . . . . . . . . . . . . . . A.5-1 A.5.2 Overview of the Simulator Scenario . . . . . . . . . . . . . . . . . . . . . . . . . A.5-1 A.5.3 Simulation Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.5-3 A.5.4 Post-Simulation Debrief with the Crew . . . . . . . . . . . . . . . . . . . . . . . A.5-7 A.5.5 Conclusions As to the Usefulness of the Simulation . . . . . . . . . . . . . A.5-9 A.6 Quantification of the HFEs . . ................................... A.6-1 A.6.1 Establishing the Expressions to be Quantified . . . . . . . . . . . . . . . . . . A.6-1 ,
| |
| A.6.1.1 HFE #1 - Inappropriate Termination of Makeup . . . . . . . A.6-1 A.6.1.2 HFE #2 - Inappropriate Depletion of Resources . . . . . . . . . A.6-2 A.6.1.3 HFE #3 - Failure to Shut Down (Temporarily) a Diesel Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.6-3 A.6.2 Additional Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.6-5 A.6.2.1 MLOCA 3,y ..................................... A.6-5 A.6.2.2 P(failure of 2 wide-range RCS pressure indications) . . . . . A.6-6 A.6.2.3 P(crew shuts offinjection (at least three out of four pumps per the PRA)) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.6-6 A.6.2.4 P(injection is not restored before core damage) . . . . . . . . . A.6-6 A.6.2.5 P(high-head pumps are not yet configured for recirculation) .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.6-7 A.6.2.6 P(RWST " empty" alarm fails) . . . . . . . . . . . . . . . . . . . . . . A.6-7 A.6.2.7 P(crew does not stop the pumps in time) . . . . . . . . . . . . . . A.6-7 A '6.2. 8 LO S P,,q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.6- 8 A.6.2.9 P(PORV demand) and P(PORV sticks open) . . . . . . . . . . . A.6-8 A.6.2.10 P(DGA-OOS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.6-8 A.6.2.11 P(DGB cooling fails) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.6-8 A.6.2.12 P(operator does not shut down DGB) . . . . . . . . . . . . . . . . . A.6-8 A.6.2.13 P(non-recovery of power) . . . . . . . . . . . . . . . . . . . . . . . . . . A.6-9 A.6.3 Results from Quantification of HFEs . . . . . . . . . . . . . . . . . . . . . . . . A.6-9 A.6.3.1 Quantification Results for HFE #1 -Inappropriate Termination of Makeup . . . . . . . . . . . . . . . . . . . . . . . . . . . A.6-9 A.6.3.2 Quantification Results for HFE #2 - Inappropriate i Depletion of Resources . . . . . . . . . . . . . . . . . . . . . . . . . . A.6-16 A.6.3.3 Quantification Results for HFE #3 - Failure to Shut Down (Temporarily) a Diesel Generator . . . . . . . . . . . . . A.6-22 l
| |
| A.6.4 Observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.6-3 3 A.7 Findings and Recommendations from Demonstration . . . . . . . . . . . . . . . . . . A.7-1 A.7.1 Evaluation Against Demonstration Goals and Success Criteria . . . . A.7-1 A.7.1.1 Did the FOR manual and the IG " work"? . . . . . . . . . . . . . . A.7-1 A.7.1.2 Was the Training Effective? . . . . . . . . . . . . . . . . . . . . . . . . A.7-2 lx NUREG-1624, Draft j
| |
| | |
| TABLE OF CONTENTS (Cont'd) j A.7.1.3 Did the Process identify Demanding Scenarios l Involving EOCs? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.7-4 l A.7.1.4 Did the Use s Suggest Improvements in the ATHEANA Process and Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.7-6 A.7.2 ~ Important Methodological Findings Obtained From Simulator Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.7-7 A.7.2.1 The Importance of Crew Characterization . . . . . . . . . . . . . A.7-7 A.7.2.2 Other Specific Uses of Simulator Exercises . . . . . . . . . . . A.7-10 ,
| |
| . Attaciunent A.1 Demonstration Participants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Att. A.1-1 l f I A.l.1 ATHEANA Demonstration Team . . . . . . . . . . . . . . . . . . . . . . . Att. A.1-1 !
| |
| A.I.2 ATHEANA Development Team . . . . . . . . . . . . . . . . . . . . . . . .. Att. A.1-1
| |
| - Attachment A.2 Questionnaires Used in Demonstration . . . . . . . . . . . . . . . . . . . . . . . Att. A.2-l A.2.1 Questionnaire for initial Training . . . . . . . . . . . . . . . . . . . . . . . . Att. A.2-1 l A.2.2 Questionnaire Addressing Overall Training . . . . . . . . . . . . . . . . Att. A.2-4 l i
| |
| A.2.3 Questionnaire Addressing the Implementation Guideline . . . . . . Att. A.2-8 A.2.4 Questionnaire Addressing the Frame-of-Reference Manual . . . Att. A.2-11 A.2.5 Questionnaire Addressing the ATHEANA Method and
| |
| ~ Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Att. A.2- 12 Attachment A.3 ATHEANA Demonstration Documentation Tables . . . . . . . . . . . . . . Att. A.3-1 APPENDIX B REPRESENTATIONS OF SELECTED OPERATIONAL EVENTS FROM f l AN ATHEANA PERSPECTIVE . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.1-1 B.! Three Mile lsland 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.1 - 1 i
| |
| B.2 Crystal River Unit 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.2-1 B.3 North Anna 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B .3 - 1 B.4 S al em 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B .4- 1 ,
| |
| B.5 Wol f Creek . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.5 - 1 B.6 Davis-Besse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B .6- 1 APPENDIX C ATHEANA DOCUMENTATION TABLES . . . . . . . . . . . . . . . . . . . . C-1 ,
| |
| APPENDIX D FORMULATION OF QUANTIFICATION . . . . . . . . . . . . . . . . . . . . D-1 i
| |
| APPENDIX E GLOSSARY OF GENERAL TERMS FOR ATHEANA . . . . . . . . . . . E-1 l
| |
| ' NUREG-1624, Draft x I
| |
| I
| |
| | |
| LIST OF FIGURES Figure Eage 1.1 Plant-Operator Interaction. . . . . ........... ... ....................... 1-7 1.2 Overview of ATHEANA Process. . . . . ................................1-11 1.3 Steps in ATHEANA Process. . . . . . . . . . . . . . . . . . . . . . ............ ...... 1-12 2.1 Multidisciplinary HRA Framework. . . . . ............................. 2-2 !
| |
| 4.1 Major Cognitive Activities Underlying NPP Operator Performance. . . . . . . . . . . . . 4-2 5.1 Oconee 3 Loss of Cooling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23 5.2a Event information. . . . . . . . . . . . . . . . . ..... ..... ..... ............. 5-24 5.2b Summary of Human Actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25 >
| |
| 5.2c Event Dependencies. . . . . . . . . . . . . . . . . . . . . . . . . . . . ................5-26 6.1 How Psychological Factors and Plant Conditions Combine to Form Error-Forcing Context. . . .................. ..... . .... ...... ......... 6-2 6.2 Simplified View of the M~'l for Information Processing. . . . . . . . . . . . . . . . . . . 6-4 6.3 Simplified ATHEANA Fram ark. . . . . . . . .......................... 6-9 9.1 Overview of PRA Modeling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6 9.2 Overview of PRA Modeling with HFE Interfaces Shown. ... ............... 9-7 9.3 Illustration of HFEs in Event Trees. . . . . . . . . ...................... ..... 9-8 9.4 Illustration of HFEs in Fault Trees. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9 9.5 Illustration of" Failure-to-Recover" Events in Cut Sets. . . . . . . . . . . . . . . . . 9-10 9.6 Illustration ofIncorporating an ATHEANA HFE in an Event Tree. . . . . . . . . . . . 9-12 A.6.1 Event Tree Representation of Eqn A.6 MLOCA-HFE #1 . . . . . . . . . . . . . . . A.6-12 A.6.2 Fault Tree Representation of P(failure of 2 wide-range RCS pressure ind i cations) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . 6- 13 A.6.3 Fault Tree Representation of P(crew shuts offinjection (at least 3 of 4 pumps per th e P R A)) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.6- 14 A.6.4 Fault Tree Representation of P(injection is not restored before core damage). . . A.6-14 A.6.5 Event Tree Representation of EQN A.6 MLOCA-HFE #2. . . . . . . . . . . . . . . A.6-18 A.6.6 Fault Tree Representation P(high-head pumps not yet configured for recirculation). ................................................A.6-19 A.6.7 Fault Tree Representation of P(RWST " empty" alarm fails). . . . . . . . . . . . . . . A.6-19 A.6.8 Fault Tree Representation of P(crew does not stop the pumps in time). . . . . . . . A.6-20 A.6.9 Event Tree Representation of Eqn A.6 LOSP-HFE#3 (Severe Weather Induced LOS P). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.6-2 5 A.6.10 Event Tree Representation of Eqn A.6-3-LOSP-HFE#3 (Non-Severe Weather Induced LOSP). . . . . . . . . . . . . . . . ............ ..... . ...... ...... A.6-26 A.6.11 Fault Tree Representation of P(PORV demanded). . . . . . . . . . . . ..... A.6-27 A.6.12 Fault Tree Representation of P(PORV sticks open). . . . . . . . . . . . . . . . . . . . . . A.6-27 A.6.13 Fault Tree Representation of P(DGA-OOS) for Short Time Period. . . . . . . . . . A.6-28 A.6.14 Fault Tree Representatiori of P(DGA-OOS) for Long Time Period. . . . . . . . . . . A.6-28 A.6.15 Fault Tree Representation of P(DGB cooling fails). . . . . . . . . . . . . . . . . . . . . . A.6-29 A.6.16 Fault Tree Representation of P(operator does not shut down DGB) Given that the Other DG's OOS Unavailability is for the Short Term. . . . . . . . . . . . . . . . . . . . A.6-29 l
| |
| xi NUREG4624, Draft l l;
| |
| I
| |
| | |
| LIST OF FIGURES (Cont'd) !
| |
| Page !
| |
| Eigne i A.6.17 - Fault Tree Representation of P(operator does not shut down DGB) Given f that the Other DG's 005 Unavailability is for the Long Term. . . . . . . . . . . . . . . A.6-30 l A.6.18 Fault Tree Representation of P(non-recovery of power) Given Severe Wcather. A.6-30 l l
| |
| - A.6.19 Fault Tree Representation of P(non-recovery of power) Given Severe Weather. A.6-31 I 1
| |
| l 1
| |
| i l
| |
| 1 i
| |
| i i
| |
| i i
| |
| l l
| |
| NUREG-1624, Draft sii I
| |
| l
| |
| | |
| LIST OF TABLES Inhls East
| |
| - 5.1 Examples of Detection Failures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6 5.2 Examples of Situation Assessment Failures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7 5.3 Examples of Response Planning Failures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11 - i 5.4 Examples of Response Implementation Failures. . . . . . . . . . . . . . . . . . . . . . . . 5-13 5.5 Examples of PSFs on Cognitive and Physical Abilities . . . . . . . . . . . . . . . . . . . 5-15 5.6 Characteristics of Serious Accidents and Event Precursors . . . . . . . . . . . . . . . . 5-18 5.7 Factors Not Normally Considered in PRAs . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19 7.1. ATHEANA-Suggested Characteristics of High Priority Initiators or Accident Sequences....................................................... 7-16 7.2 Sources of Priority Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17 7.3 Example Documentation of Prioritization Performed in Step #4 . . . . . . . . . . . . 7-18 7.4 ATHEANA-Suggested Characteristics of High Priority Systems / Functions . . . 7-20 7.5 Example Documentation of the Prioritization Performed in Step #5 . . . . . . . . . 7-21 7.6 ' Functional Failure Modes Based Upon PRA Requirements . . . . . . . . . . . . . . . 7-25 7.7 Examples of Likely Human Failures and Human Failure Modes by PRA Functional Failure Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-26 7.8a Possible EOCs for Systems / Equipment that Automatically Start or Stop . . . . . 7-29 7.8b Possible EOCs for Continuation of Operation or No Operation of Systems / .
| |
| Equipment ....................................................'.7-30 7.8c Possible EOCS/EOOS for Manual Actuation and Control of Systems /
| |
| Equipment ..................................................... 7-31 7.8d Possible EOOS for Backup (i.e., Recovery) of Failed Systems / Equipment . . . . 7-32 7.8e Possible EOCS/EOOS for Failures of Passive Systems / Components' . . . . . . . . 7-32 '
| |
| 7.9 High-Level Reasons for Unsafe Actions - Mistakes and Circumventions, ,
| |
| Based Upon Information Processing Failures, " Rules," and Contextual Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 6 7.10 Failures in Situation Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-38 7.11 Failures in Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-40 7.12 Failures in Response Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-41 7.13 Examples ofInformation (i.e., " Transmit") Problems . . . . . . . . . . . . . . . . . . . . 7-42 7.14 Examples of" Rules" Used by Operators and to be Identified in the ATHEANA l Search Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-43 7.15 Physics Algorithms in Instruments That Can Confuse Operators . . . . . . . . . . . 7-50 '
| |
| 7.16 Examples of Plant Conditions in Which the Plant Physics / Behavior Can Confuse Operators . . . . . . , , , , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-51 7.17 Other Plot Conditions that Can Confuse Operators . . . . . . . . . . . . . . . . . . . . . 7-52 7.18. Failures in Response Implementation . . . . . . . . . . . . . . . . . . . . : . . . . . . . . . . . 7-57 8.1 Characteristics ofNUREG/CR-6208 Simulator Tests: Test ISLOCA1. . . . . . . . 8-4 8.2' Characteristics of NUREG/CR-6208 Simulator Tests: Test ISLOCA2 . . . . . . . . 8-5 1 8.3 Characteristics of NUREG/CR-6208 Simulator Tests: Test LHS1 . . . . . . . . . . . 8-6 l 8.4 Characteristics of NUREG/CR-6208 Simuk. tor Tests: Test LHS2 . . . . . . . . . . . 8-7 I I
| |
| xiii NUREG-1624, Draft ,
| |
| i
| |
| | |
| LIST OF TABLES (Cont'd) l Eage Table 8.5 HEART Generic Task Failure Probabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-14 HEART Performance Shaping Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15 i 8.6 8.7 Potential Recovery Opportunities, Oconee 1991 . . . . . . . . . . . . . . . . . . . . . . . . 8- 17 8.8 Recovery Opportunities vs. Actions Taken . . . . . . . . . . . . . . . ...... ..... 8-19 l j
| |
| A.2.1 Process Activities, Training, and Team Meeting Date for ATHEANA Demon strati on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.2- 1 l ATHEANA Initial Training Topics for Each Day and Presentation Mode . . . . A.3-2 l A.3.1 I A.4.1 Prioritization of Functions by Initiating Event . . . . . . . . . . . .............. A.4-3 A.S.1 Simulation Timeline Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A.5-4 A.6.1 Cut Set Quantification and Uncertainty Results for HFE #1 . . . . . . . . . . . . . A.6-15 A.6.2 Cut Set Quantification and Uncertainty Results for HFE #2 . . . . . . . . . . . . . .. A.6-21 A.6.3 Cut Set Quantification and Uncertainty Results for HFE #3 . . . . . . . . . . . . . . A.6-32 A.Att-3.1 Documentation ofInformation Used to Identify and Prioritize Initiators and Event Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Att. A.3- 1 A.Att-3.2a Documentation ofInformation Used to Prioritize Plant Functions /
| |
| Systems to Define Candidate HFEs for Initiator MLOCA (Medium Att. A.3-7 LOCA).................................................
| |
| A.Att-3.2b Documentation ofInformation Used to Prioritize Plant Functions / Systems to Define Candidate HFEs for Initiator: LOSP-SBO (Loss of Offsite Power - Station Blackout) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Att. A . 3 - 8 A.Att-3.2c Documentation ofInformation Used to Prioritize Plant Functions / Systems to Define Candidate HFEs for Initiator: ATWS: (AMFW - ATWS with Main Feedwater Available) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Att. A.3-9 A.Att-3.3a Documentation of Functional Failure Mode (FFM) Categories for Initiator Category: LOCA - Subcategory (s): Medium . . . . . . . . . . . . . . . . . . . . . . Att. A.3-10 A.Att-3.3b. Documentation of Functional Failure Mode (FFM) Categories for Initiator Category: LOSP Subcategory (s): Station Blackout . . . . . . . . . . Att. A.3-11 A.Att-3.4a Identified UAs for MLOCA Priority: High . . . . . . . . . . . . . . . . . . . . . . Att. A.3-12 A.Att-3.4b Identified UAs for LOSP-SBO Priority High . . . . . . . . . . . . . . . . . . . . . Att. A.3-17 A.Att-3.5 Summary Documentation of Most Likely Causes of UAs . . . . . . . . . . . Att. A.3-21 A.Att-3.6 Summary Documentation of Mast Likely Causes of UAs . . . . . . . . . . . . Att. A.3-23 A.Att-3.7 Summary Documentation of Most Likely Causes of UAs . . . . . . . . . . Att. A.3-25 C.1 Documentation ofInformation Used to Identify and Prioritize Initiators and Event Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C- 1 C.2 Documentation ofInformation Used to Prioritize Plant Functions / Systems to Defime Candidate HFEs for Initiator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-2 l C.3 Documentation of Final Prioritization Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-3 C.4 Documentation of Functional Failure Mode (FFM) Categories for {
| |
| Initiator Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-4 C.5 Identified UAs for Initiatm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-5 ;
| |
| l C.6 Summary Documentation of Most Likely Causes of UAs ..................C-6 J
| |
| NUREG-1624, Draft xiv j l
| |
| I
| |
| | |
| EXECUTIVE
| |
| | |
| ==SUMMARY==
| |
| l This report introduces a new, second-generation HRA method called "A Technique for Human Event Analysis," (AThdANA). ATHEANA is the result of development efforts sponsored by the .
| |
| 1 Probabilistic Risk Analysis Branch in the NRC's Office of Nuclear Regulatory Research.
| |
| ATHEANA has been developed to address limitations identified in current HRA approaches by:
| |
| I
| |
| . addressing errors of commission and dependencies, J I'
| |
| . more realistically representing the human-system interactions that have played important roles in accident response, and
| |
| . integrating advances in psychology with engineering, human factors, and PRA disciplines.
| |
| This report describes the basic process for implementing ATHEANA. It describes how to
| |
| . select and organize the ATHEANA team,
| |
| . perform and control the structured search processes for human failure events and unsafe acts, along with the reasons that such events occur (i.e., the elements of error-forcing context),
| |
| . use the knowledge encoded in the PRA along with the specialized knowledge and experience of the ATHEANA team to focus the searches on those events and reasons that are most likely to affect the risk, and l
| |
| . quantify the error-forcing contexts and the probability of each unsafe act, given its context.
| |
| Thus, this report is the step-by-step guidebook for applying the method. It is divided into two main I parts. ;
| |
| . Part 1 (Sections 2-5) introduces the concepts upon which ATHEANA is built and describes the l motivation for following this approach. l
| |
| . Part 2 (Sections 6-10) provides the practical guidance for carrying out the method.
| |
| Section 1 discusses the background and motivation for developing a new HRA method and provides an overview of the method. The next four sections (Part 1) provide the technical basis for ATHEANA: l l . Section 2, General Description of the ATHEANA HRA Method, presents the multidisciplinary
| |
| ; framework that underlies ATHEANA and outlines the principles underlying the prospective I search process.
| |
| - Section 3, The Importance of Context in Operational Experience, discusses analyses of accidents and serious incidents that precipitated the identification, development, and ultimate confirmation of the principles underlying ATHEANA.
| |
| xv NUREG-1624, Dra ft
| |
| {
| |
| w ________
| |
| | |
| Executive Summary
| |
| . Section 4, Principles Based on a Behavioral Science Perspective, presents a model of operator cognitive performance that addresses the relationship between unsafe actior.s, human error mechanisms, and error-forcing contexts. The information processing model serves as a tool to be used in the application of ATHEANA, particularly in the determination of error-forcing contexts.
| |
| * Section 5, Operational Experience Illustrating ATHEANA Principles, discusses / represents selected operational events from the ATHEANA perspective in order to help users learn ATHEANA's basic principles and concepts and support application of the method.
| |
| The first section in Part 2 (Section 6, Factors and Conditions Causing Operator Failures) serves as bridge between the technical basis for ATHEANA presented in Part 1 and the step-by-step guidance for applying the method presented in Sections 7 - 9. In particular, the theoretical model of human information processing is adapted to the PRA-HRA context in Section 6. The next three sections in Part 2 walk the analyst through the ATHEANA process:
| |
| * Section 7, Search Process, describes a detailed step-by-step search process for setting priorities and identifying the PRA human failure events, the specific unsafe acts that can lead to those human failure events, and the most significant reasons (error-forcing context) that can push the plant staff towards those unsafe acts. A basic assumption of ATHEANA is that people act rationally, given what they know and understand at the time. Therefore, ATHEANA is primarily a search for classes of challenging plant conditions and troublesome human context that effectively " set up" the operator, causing them to act in ways that become detrimental to safety.
| |
| * Section 8, Quantification, describes an approach that blends systems analysis techniques with judgment by operators and experienced analysts to quantify the probability of a specific class of error-forcing context and the probability of the unsafe act, given that context. In the end, the overall approach must be an iterative one (i.e., define an error-forcing context and unsafe act, attempt quantification considering recovery, refime the context, etc.).
| |
| * Section 9, Incorporating ATHEANA Scena< ios in PRA, explains how the resuhs of ATHEANA can be integrated into an existing PRA.
| |
| The final section in Part 2 (Section 10, Insights from ATHEANA for Risk Management) discusses risk management implications of the results from the ATHEANA process and other benefits that can be derived through application of the method.
| |
| Caution is recommended when using ATHEANA. It is important that the analysis team be constituted as described in the report to ensure that the requisite expertise be included. Of course, i
| |
| this is no different than for any other complex analysis project. To make this task easier, Part 1 of this report provides a minimum overview ofinformation from the behavioral sciences to enable the l team to be confident that they can carry out the analysis with proper consideration of the subtle i factors involved in the multidisciplinary study of human performance in technological environments.
| |
| NUREG-1624, Draft xvi I
| |
| | |
| I Executive Summary l l
| |
| Appendix A to this report describes a trial demonstration of ATHEANA at a pressurized water reactor nuclear power plant. The analysis team for this work included one PRA practitioner not involved in ATHEANA development and four members of the plant staff, two from the PRA section and two from training and operations. In addition to carrying out the full ATHEANA process on a subset of the PRA event trees, the team developed a scenario for use in the plant simulator to test their ability to develop cognitively demanding scenarios and to pique the interest and imagination of operators, helping them offer new ideas to the ATHEANA analysis team. Appendix A describes the demonstration project, including training, results, evaluation of the process and tools, and recommendations for changes to ATHEANA training and tools.
| |
| The report finds that the ATHEANA demonstration project was quite successful as measured against its previously defined goals:
| |
| - The guidance documents " worked,'' in that a group of analysts / operators was able to use them successfully to carry out their project.
| |
| * The training was effective and the participants suggested ways to improve it further.
| |
| * The process did identify cognitively demanding scenarios asjudged by plant operators, trainers, and PRA personnel.
| |
| . The users suggested improvements in the ATHEANA process and tools to make the process more effective.
| |
| Improvements to the ATHEANA process is in progress. The demonstration provided confidence that the process can develop the kinds of unsafe act/ error-forcing context combinations that have been observed in serious accidents. However, many potential improvements were identified that can make it a much more useful and effective method. These range from improvements in efficiency to more thorough plant-specific processes for identifying the most likely human elements that can impact performance.
| |
| ATHEANA can provide useful plant-specific insights and subsequent improvements in the human contribution to safety and, as plant-specific PRA studies using ATHEANA are completed and analyzed, new insights into the significant factors affecting risk should allow :
| |
| . Identification of new vulnerabilities (particularly regarding human-machine interfaces), l
| |
| = Identification of weaknesses in current training program requirements and identification of new paradigms for training, l . Identification of changes in operator qualification exams, l
| |
| l xvii NUREG-1624, Draft
| |
| | |
| . Identification of additional factors to be considered when evaluating the significance of actual i
| |
| events (i.e., considering those factors that relate to human performance and inducing possible error-forcing contexts),
| |
| l
| |
| . ' Development ofinput to the NRC's Maintenance Rule identifying instruments for high ' prio maintenance (i.e., high reliability requirements and prompt corrective action, because of their.
| |
| imponance to human reliability), and
| |
| . Identification of areas where the risk from human failure events are low (not risk significant from both ATHEANA and previous HRA perspectives); thereby, providing potential for regulatory relief.
| |
| ATHEANA provides a useful structure for understanding and improving human performance in operational events. As described in this report, ATHEANA originates from a study ofoperational events and from an attempt to reconcile observed human performance in the most serious of these events with existing theories of human cognition and human reliability models, within the context of plant design, operation, and safety. ATHEANA provides useful structures for accomplishing several tasks associated with the analysis of human performance:
| |
| . Retrospective analysis of operational events,
| |
| . Proactive search for human failure events, unsafe actions, and error-forcing contexts, and
| |
| . Root cause analysis.
| |
| i 1
| |
| NUREG-1624, Draft will
| |
| | |
| i l
| |
| l FOREWORD The mo:ivation for the work described in this report lies in the history of operational events. The NRC reported the occurrence of at least 14 events between December 1991 and May 1995 in which j engineering safety features (ESFs) at nuclear power plants were inappropriately bypassed or defeated. All were recovered without serious safety consequences, but the events are precursors which show how human intervention could be an importantfailure mode contributing to power plant risk. In particular, evaluations of these events by the NRC led to the following three conclusions:
| |
| (1) Existing guidance and procedures did not adequately address situations where safety systems should be throttled, bypassed, turned off, or reconfigure.
| |
| (2) Operators were not always fully knowledgeable of emergency operating procedures, their bases, and appropriate ESF control practices.
| |
| (3) Poor communications, shift turnovers, control board walkdowns, verification of automatic actions, and response to alarms contributed to inappropriate ESF defeats and delayed their recognition and recovery.
| |
| Examination of these events reveal, in varying degrees, examples of failure to follow normal practices, misunderstood or confusing plant conditions, and lack-of complete knowledge of plant status by the necessary operational staff (all similar to the characteristics discussed above). Other event analyses have identified similar errors of commission involving ESF bypasses and have shown that complicating factors in events can lead humans to take unexpected actions. These complications involve hardware and instrumentation failures, unfamiliar configurations, and deficiencies in performance shaping factors such as procedures and trainirg under the specific conditions for an incident.
| |
| l This experience and the related characteristics of failing to follow normal practices (sometimes intentionally) followed by ill-understood conditions and confusing plant status information, rever.1 the need to consider context as an error-driving factor. Further, this information leads to the need to consider human errors of commission generally not addressed in existing nuclear power plant risk assessments.
| |
| These considerations inspired the NRC to fund an expansion of human reliability analysis which has resulted in the ATHEANA process and this ATHEANA reference document. Use of A'l HEANA and the reference document are intended to focus on the above characteristics of concern in an i I
| |
| attempt to uncover potentially risk-significant human failures not addressed by current HRA techniques. In carrying out the ATHEANA process, the user will find that many of the initial steps of the process use plant knowledge to understand how plant conditions can result in ill-understood l or confusing situations. This search for such plant conditions makes use of existing knowledge of the plant operations and training staff. However, using ATHEANA, this knowledge is retrieved and organized in ways to best uncover potentially risk-significant human failure situations. Hence, much of the process should not be seen as requiring talents that are foreign to the plant staff, or that l
| |
| xix NUREG-1624, Draft L------------___
| |
| | |
| Foreword Instead, ATHEANA, through everyone must become a " human performance specialist."
| |
| bninstorming approaches, makes use of this existing plant knowledge to achieve the desired result ofidentifying potentially risk-significant human failures that as yet have net been identified.
| |
| Public Comment The NRC welcomes comments on this report, and such ccannents should be directed to the undersigned. We would like to receive them no later than 180 days from the publication date of this document.
| |
| L. o.
| |
| Mark A. Cunningh Chief, Probabilistic Risk Analysis Branch Division of Systems Technology Office of Nuclear Regulatory Research l
| |
| l NUREG-1624, Draft 3, i
| |
| l
| |
| | |
| i l
| |
| ACKNOWLEDGMENTS l
| |
| Seldom is the development of an answer to a difficult problem the work of any single individual.
| |
| Such is the case with developrnent of ATHEANA. The authors especially wish to express their appreciation to:
| |
| i
| |
| * 'NRC managers (past and present) Warren Minners, Joseph Murphy, and Mark Cunningham for having the courage and vision to support an effort to predict errors of commission when conventional wisdom said it could not be done; e our colleagues in the U.S. and the international community who offered debate, criticism, advice, wisdom, suggestions, encouragement, and perspectives that aie such an important part of any development effort;
| |
| * industry representatives who helped with the development of ATHEANA, especially Kenneth Kiper, Joseph Dalton, Steven Kessinger, and Edward Spader, whose expertise and cooperation were vital to the successful conduct of the pilot application of ATHEANA; and,
| |
| * the many other contributors to the program, especially John Taylor (BNL), Allen Camp (Sandia National Laboratories), James Reason (University of Manchester), and Emilie Roth (Westinghouse).
| |
| The ATHEANA team:
| |
| Michael Barriere, formerly at Brookhaven National Laboratory Dennis Bley, Buttonwood Consulting, Inc.
| |
| Susan Cooper, Science Applications International Corp.
| |
| John Forester, Sandia National Laboratories Alan Kolaczkowski, Science Applications International Corp.
| |
| William Luckas, Brookhaven National Laboratory Gareth Parry, formerly at NUS-Haliburton Ann Ramey-Smith, Nuclear Regulatory Commission Catherine Thompson, Nuclear Regulatory Commission Donnie Whitehead, Sandia National Laboratories John Wreathall, John Wreathall & Company, Inc.
| |
| . xxi NUREG-1624, Draft ;
| |
| i
| |
| | |
| 1 INTRODUCTION 1.1 Report Purpose and Organization This report introduces a new, second-generation human reliability analysis (HRA) method called "A Technique for Human Event Analysis"(ATHEANA). ATHEANA is the result of development efforts sponsored by the Probabilistic Risk Analysis (PRA) Branch in the U.S. Nuclear Regulatory Commission (NRC), Office of Nuclear Regulatory Research (NRR). ATHEANA was developed to address limitations identified in current HRA approaches by:
| |
| . addressing errors of commission and dependencies
| |
| . more realistically representing the human-system interactions that have played important roles in accident response
| |
| . integrating advances in psychology, engineering, human factors, and PRA disciplines This report describes the basic process for implementing ATHEANA:
| |
| . Select and organize the ATHEANA team.
| |
| . Perfcrm and control the structured search processes for human failure events and unsafe acts, along with the reasons why such events occur (i.e., the elements of error-forcing context).
| |
| * Use the knowledge encoded in the PRA along with the specialized knowledge and experience of the ATHEANA team to focus the searches on events and reasons that are most likely to affect l the risk.
| |
| . Quantify the error-forcing contexts and the probability of each unsafe act, given its context. !
| |
| This report is the step-by-step guidebook for applying the ATHEANA method. It is anticipated that practitioners of ATHEANA will be most concerned with the guidelines for applying ATHEANA principles and concepts provided in Part 2 of this report. However, the team must include members who are thoroughly familiar with the knowledge base of theoretical material and operational events described in Part 1 of this report. Thus, this report also summarizes the technical bases of ATHEANA. Theoretical material from the behavioral sciences explains the factors involved in human error. Application of theoretical models to real nuclear power plant events clarifies which factors are most often involved in significant events. Together, these expositions lead to formalisms >
| |
| for retrospective analysis of events and prospective analysis of human reliability.
| |
| This report is organized in two parts:
| |
| (1) (Part 1, Principles and Concepts Underlying the ATHEANA HRA Method begins with Section 2, which provides a general description of the ATHEANA method. Section 3 discusses the importance of context in operational experience. Section 4 discusses 1-1 NUREG-1624, Draft
| |
| : 1. Introduction ATHEANA principles from a behavioral science perspective (i.e., the lessons of the "real world" and the theoretical knowledge developed through analysis and experimentation). Part I closes with Section 5, which retums to operational experience to illustrate the ATHEANA concepts previously presented.
| |
| 1 (2) Part 2, Application of Principles and Concepts to ATHEANA begins with Section 6, which maps the principles and concepts described in Part I to specific factors and conditions that are analyzed and modeled with ATHEANA in Part 2, which have been found to cause operator failures. Sections 7,8, and 9 provide step-by-step guidelines for the ATHEANA method including the search process, quantification, and incorporation of ATHEANA scenarios in the PRA. Section 10 closes Part 2 by describing the insights from ATHEANA for risk management on the basis of both direct observation and expectations of future developments as the method is applied to additional specific cases.
| |
| This report also includes five appendices:
| |
| (1) Appendix A, Demonstration of ATHEANA at a Pressurized Water Reactor Nuclear Power Plant, describes the process and results of the first test trial of ATHEANA (beyond the development group).
| |
| (2) Appendix B, Representation of Selected Operational Events from an ATHEANA Perspective, describes several actual events in terms of the ATHEANA approach.
| |
| (3) Appendix C, ATHEANA Documentation Tables, are the worksheets analysts use when performing the ATHEANA search process.
| |
| (4) Appendix D, Formulation ef Quantification, provides a mathematical development of the quantification process described in Section 8.
| |
| (5) Appendix E, Glossary of General Terms for ATHEANA, provides definitions of '
| |
| important ATHEANA terms.
| |
| | |
| ===1.2 Background===
| |
| PRA has become an important tool in nuclear power plant (NPP) operations and regulation. In l particular, the NRC has been using PRA methods as a basis for regulatory programs and analyses for over 2 decades. The NRC published.SECY-95-126 (Ref.1.1) providing the final policy statement on the use of PRA in NRC regulatory activities. In a memorandum from the NRC Executive Director for Operations to the Commissioners dated June 6,1994 (Ref.1.2), at least 12 j i
| |
| major licensing and regulatory programs were identified that are strongly influenced by PRA studies.
| |
| These programs include the following activities:
| |
| e licensing reviews of advanced reactors
| |
| * screening and analysis of operational events NUREG-1624, Draft I-2
| |
| : l. Introduction
| |
| . inspections of facilities e analysis of generic safety issues e facility analyses e reviews of high-level waste repositories HRA is a critical element of PRAs since it is the tool used to assesr. the implications of various aspects of human performance on risk. Although all of these current programs require an understanding of the human contribution to risk, current HRA methods are limited in their ability to represent all of the important aspects of human performance, constraining the extent to which NRC can rely on the results of PRA studies for decision making processes.
| |
| Limitations in the analysis of human actions in PRAs are always recognized as a constraint in the application of PRA results. For example, in its review of the first comprehensive nuclear plant PRA, the Reactor Safety Study (WASH-1400, Ref.1.3), the Lewis Conunission (NUREG/CR-0400 Ref.
| |
| 1.4) identified four fundamental limitations in the methods used in the evaluation of " human factors"just 6 months before the Three Mile Island accident (Ref.1.5). The four fundamental limitations are as follows:
| |
| (1) insufficient data (2) methodological limitations related to the treatment of time scale limitations (3) omission of the possibility that operators may perform recovery actions (4) uncertainty concerning the actual behavior of people during accident conditions In 1984, NRC again reviewed the technology of PRA, in NUREG-1050 (Ref.1.6), and recognized that several of the HRA limitations listed above were still relevant. This review led to the following conclusion:
| |
| ...the depth of the [HRA] techniques must be expanded so that the impact of changes in design, procedures, operations, training, etc., can be measured in terms of a change in a risk parameter such as the core-melt frequency. Then tradeoffs or options for changing the risk profile can be identified. To do this, the methods for identifying the key human interactions, for developing logic structures to integrate human interactions with the system-failure logic, and for collecting data suitable for their quantification must be strengthened.
| |
| Most of these deficiencies continue to persist in HRA methods today. For example, in the NRC's final policy statement on the use of probabilistic risk assessment methods in nuclear regulatory activities (SECY-95-126, Ref.1.1), errors of commission (EOCs) are specifically identified as an example of a human performance issue for which HRA and PRA methods are not fully developed.
| |
| In addition, NRC's final policy statement asserts that "PRA evaluations in support of regulatory decisions should be as realistic as practicable." Without incorporating the aspects of human performance seen in serious accidents and incidents, a PRA's omission of context-driven hn. nan failures cannot be considered " realistic."
| |
| l-3 NUREG-1624, Draft L
| |
| : l. Introduction Previous efforts in this project examined human performance issues specific to shutdown operation (NUREG/CR-6093, Ref.1.7) and developed a multidisciplinary HRA framework to investigate errors of commission and human dependencies (NUREG/CR-6265, Ref.1.8). To support ATHEANA, the " Human-System Event Classification Scheme (HSECS) Database" (Ref.1.9) has been developed as a more comprehensive data analysis approach and database for the review of operating experience. Most recently, NUREG/CR-6350 (Ref.1.10) describes the preliminary technical basis and methodological description of ATHEANA.
| |
| The summary material presented in the following sections introduces the reader to ATHEANA and answers the following relevant questions when considering ATHEANA for the first time:
| |
| . Is a new method really needed for human reliability analysis?
| |
| . What is ATHEANA?
| |
| 1.3 Motivation for a New Approach to Human Reliability Analysis The record of significant incidents in NPP operations shows a substantially different picture of human performance than that represented by human failure events modeled in PRAs. The latter typically represent failures to perform required procedure steps. In contrast, human performance problems identified in real operational events often involve operators perfonning actions that are not required for accident response and, in fact, worsen the plant's condition (i.e., EOCs). In addition, accounts of the role of operators in serious accidents, such as those that occurred at Chernobyl 4 (NUREG-1250, Ref.1.11 and NUREG-1251, Ref.1.12), and Three Mile Island 2 (TMI-2, Ref.1.5),
| |
| frequently leave the impression that the operator's actions were illogical and incredible.
| |
| Consequently, the lessons learned from such : vents of*en are perceived as being very plant-specific or event-specific.
| |
| As a result of the TMI-2 event, there were numerous modifications and backfits implemented by all NPPs in the United States, including symptom-based procedures, new training, and new hardware.
| |
| After the considerable expense and effort to implement these modifications and backfits, the types of problems which occurred in this accident would be expected to be " fixed." However, there is increasing evidence that there may be a persistent and generic human performance problem which was revealed by TMI-2 (and Chernobyl) but not " fixed." This performance problem is a result of errors of commission involving the intentional operator bypass of engineered safety features (ESFs).
| |
| In the TMI-2 event, operators inappropriately terminated high-pressure injection, resulting in reactor core undercooking and eventual fuel damage. NRC's Office of Analysis and Evaluation of Operation Data (AEOD) published " Operating Events with Inappropriate Bypass or Defeat of Engineered Safety Features," AEOD/E95-01, July 1995, (Ref.1.13), identifying 14 events over the previous 41 months in which an ESF was inappropriately bypassed. The AEOD/E95-01 repon concluded that these events, and other similar events, show that this type of " human intervention may be an important failure mode." Events analyses performed to support the ATHEANA development (NUREG/CR-6265, Ref.1.8) and the HSECS database (Ref.1.9)) also have identified several errors of commission resulting in the inappropriate bypass of ESFs.
| |
| NUREG-1624, Draft 1-4
| |
| | |
| I. Introduction In addition, event analyses of power plant accidents and incidents, performed for this project, show that real operational events typically involve a combination of complicating factors which are not addressed in current PRAs. The following examples illustrate the factors that may complicate operators' responses to events:
| |
| . multiple equipment failures and unavailabilities (especially those that are dependent or human-caused)
| |
| . instrumentation problems e plant conditions not addressed by procedures Unfortunately, the fact that real events involving such complicated factors frequently are interpreted only as an indication of plant-specific operational problems, rather than a general cause for concern for all plants.
| |
| The purpose of ATHEANA is to develop an HRA quantification process and PRA modeling interface that can accommodate and represent human performance found in real NPP events.
| |
| On the basis of observations of serious events in the operating history of the commercial nuclear power industry, as well as experience in other technologically complex industries, the underlying basis of ATHEANA is that significant human errors occur as a result of a combination ofinfluences associated with plant conditions and specific human-centered factors that trigger error mechanisms in the plant personnel. These error mechanisms are often not inherently bad behaviors but are usually mechanisms that allow humans to perform skilled and speedy operations. For example, people often diagnose the cause of an occurrence on the basis of pattem matching. Physicians often diagnose illnesses using templates of expected symptoms to which patients' symptoms are matched.
| |
| This pattem-matching process is a way to make decisions quickly and usually reliably. If physicians had to revert to first principles with each patient, treatment would be delayed, patients would suffer, and the number of patients who could be treated in a given time would be severely limited.
| |
| However, when applied in the wrong context, these mechanisms can lead to inappropriate actions that can have unsafe consequences. Continuing the medical analogy, the patterns of symptoms for diagnoses that have been well practiced in Westem countries may not be so reliable if applied blindly in tropical, third-world countries.
| |
| Given this basis for the causes of human error, a process is needed for the development of an improved HRA method to identify the likely opportunities for inappropriately triggered mechanisms to cause errors that can have unsafe consequences. The starting point for this search is a framework (described in Section 2) that describes the interrelationships between error mechanisms, the plant conditions and performance shaping factors that set them up, and the consequences of the error mechanisms in terms of how the plant can be rendered less safe. The framework also includes t perspective elements from plant operations and engineering, PRA, human factors engineering, and behavioral sciences. All of these elements contribute to the understanding of human reliability and l
| |
| its associated influences, and have emerged from the review of significant operational events at NPPs by a multidisciplinary project team representing all of these disciplines. The elements l
| |
| I-5 NUREG-1624, Draft l
| |
| l
| |
| : 1. Introduction included are the minimum necessary set to describe the causes and contributions of human errors in, for example, major NPP events.
| |
| The human performance-related elements of the framework (i.e., those requiring the expertise of the human factors, behavioral science, and plant engineering disciplines) are performance shaping factors, plant conditions, and error mechanisms. These elements are representative of the level of understanding needed to describe the underlying causes of unsafe actions and hence, explain why a person may perform an unsafe action. The elements relating to the PRA perspective, namely the human failure events (HFEs) and the scenario definition, represent the PRA model itself. The unsafe action and HFE elements represent the point ofintegration between the HRA and PRA model. The PRA traditionally focuses on the consequences of the unsafe action, which it describes as a human error that is represented by an HFE. The HFE is included in the PRA model associated with a particular plant state which defines the specific accident scenarios that the PRA model represents.
| |
| The framework has served as the basis for the retrospective analysis of real operating event histories (NUREG/CR-6903 (Ref.1.7), NUREG/CR-6265 (Ref.1.8), the HSECS database (Ref.1.9), and NUREG/CR-6350 (Ref.1.10)). That retrospective analysis has identified the context in which severe events can occur; specifically, the plant conditions, significant performance shaping factors (PSF), and dependencies that " set up" operators for failure. Serious events appear to involve both unexpected plant conditions and unfavorable PSFs (e.g., situational factors) that comprise an error-forcing context. Figure 1.1 clarifies the term " plant conditions" and depicts the relationship between plant conditions and the operator. Plant conditions include the physical condition of the NPP and its instruments. Plant conditions, as interpreted by the instruments (which may or may not be functioning as expected), is fed to the plant display system. Finally, the operators receive information from the display system and interpret that information (i.e., make a situation assessment) using their mental model and current situation model. The operator and display system form the human-machine interface (HMI).
| |
| On the basis of the operating events analyzed, the error-forcing context typically involves an unanalyzed plant condition that is beyond normal operator training and procedure-related PSFs. For example, this error-forcing condition can activate a human error mechanism related to an inappropriate assessment of the situation (e.g., a misdiagnosis). This can lead to the refusal to believe or recognize evidence that runs counter to the initial misdiagnosis. Consequently, mistakes (e.g., errors of commission), and ultimately, an accident with catastrophic consequences can result.
| |
| These ideas lead to another way to frame the observations of serious events that have been reviewed:
| |
| . The plant behavior is outside the expected range.
| |
| l
| |
| . The plant's behavior is not understood.
| |
| . Indications of the actual plant state and behavior is not recognized. ,
| |
| . Prepared plans or procedures are not applicable nor helpful. l From this point of view, it is clear that key factors in these events have not been within the scope of existing PRAs/HRAs. If these events are the contributors to severe accidents that can actually occur, NUREG-1624, Draft I-6
| |
| : 1. Introduction then expansion of the PRA/HRA to model them is essential. Otherwise a PR A may not include the dominant contributors to risk.
| |
| 1 Instrument
| |
| _____________3 ,
| |
| --_____________s -______________s i I I 1 l l Pmcessor l i Opstor 4 Display 4 4 Plant i ,
| |
| I l l l
| |
| \_______________/ \_______________/
| |
| Human-MachineInterface PlantConditions Figure 1.1. Plant-Operator Interaction Previous HRA methods have implicitly focused on addressing the question, "what is the chance of random operator error (e.g., operator fails to...) under nominal accident conditions?" Even when performance shaping factors are included, they are typically evaluated for the nominal event sequence or, at best, for particular cut sets. The analyses have not looked beyond the hardware modeled in the PRA for specific conditions that could complicate operator response. On the basis of review of the operating experience in several industries, a more appropriate question to pursue is, "what is the chance of occurrence of an error-forcing-context such that operator error is very likely?"
| |
| The systematic structuring of the different dimensions influencing human-system interactions that is provided by the multidisciplinary HRA framework, along with the search for cognitively demanding context that is driven by consideration of the elements of cognitive information processing, brings a degree of clarity and completeness to the process of modeling human errors in the PRA process. The absence of this systematic approach in existing HRA methods has limned the ability to incorporate human errors in PRAs in a way that could satisfy both the engineering and the behavioral sciences. The consequence has been a lack of credibility of the results of PRAs in terms of their representation of the contribution of human errors to power-plant safety, particularly when compared with the experience of major NPP accidents and incidents.
| |
| l 1.4 An Overview of ATHEANA 1 The ATHEANA method is built around a series of very simple premises:
| |
| I l
| |
| l-7 NUREG-1624, Draft 1
| |
| . _ _ _ _ _ _ _ _ _ _ _ _ _____J
| |
| | |
| I. Intro (fuction
| |
| . When required to respond to abnormal conditions in NPPs, the operators' actions are based logically on their understanding of the conditions in the plant.
| |
| . The operators' understanding of conditions in the plant are produced by the evidence presented to them through the man-machine interfaces, their awareness of plant activities, and their knowledge of the behavior of plant systems.
| |
| . The operators' understanding of the state of the plant can be mi., led by combinations of plant conditions and weaknesses in the man-machine interface or gaps in job aids such as the training and procedures under those plant conditions.
| |
| . The operators' misunderstanding of the plant state can lead them to take inappropriate actions, which can include actions to terminate operating equipment.
| |
| . This can involve a series of actions under dependent conditioning, despite a series of cues that otherwise could not be missed.
| |
| Identifying, and assessing the likelihood of, these inappropriate actions are the primary goals of the ATHEANA method.
| |
| The underlying steps for the ATHEANA method are summarized as follows:
| |
| . Identify event sequences during which operators may inappropriately disable operating safety equipment or fail to actuate necessary equipment (i.e., the types of unsafe acts ofinterest), and thereby, create potentially important contributions to plant risks of core damage or containment failure.
| |
| . Identify the combinations of plant conditions and weaknesses in the human-machine interface or gaps in job aids that could mislead the operators into inappropriately acting on operating safety equipment under those plant conditions.
| |
| - Estimate the likelihood of these combinations of plant conditions and weaknesses.
| |
| . Estimate the likelihood of operators performing the unsafe acts of interest under those conditions.
| |
| . Incorporate the effects of these inappropriate operator actions into the plant's PRA logic models l and quantification process. l l
| |
| 1.4.1 Psychological Principles of the ATHEANA Method ]
| |
| i Work in the behavioral sciences has contributed to the understanding of the interactive nature of l
| |
| human errors and plant behaviors that characterize the accidents that have occurred. This l
| |
| i understanding suggests that it is essential to analyze both the human-centered factors (with NUREG-1624, Draft 1-8 l
| |
| l
| |
| : l. Introduction consideration of such performance shaping factors as man-machine interface design, procedural content and format, and training), and the conditions of the plant that call for actions and create the operational causes (such as misleading indications, equipment unavailabilities, and other unusual configurations or operational circumstances). This is in contrast to the existing HRA methods that consider principally the human-centered causes, with only an a:knowledgment of plant influences through such simplistic measures as " time available for action."
| |
| The human-centered factors and the influence of plant conditions are not independent of each other.
| |
| In major accidents particular (" unusual") plant conditions create the need for operator actions.
| |
| Moreover, under those " unusual" plant conditions, deficiencies in the human-centered factors lead to errors on the part of people responding to the unusual plant conditions.
| |
| Therefore, typical evaluations performed in HRA assessments ofperformance shaping factors, such as the layout ofindicators or control switches, may not identify critical problems unless the whole range of possible plant conditions under which the controls or indicators may be required is considered. In other words, a particular layout o rindicators and controls may be perfectly adequate for the nominal conditions assumed for a PRA scenario. However, it is possible that there are other conditions that could arise during the same PRA scenario that would cause the layout to have an influence on the occurrence of operator errors in the accident response. For example, under the nominal conditions of an accident scenario, an operator may be required to perform a series of actions at locations en several control boards. The control board layout may prove adequate provided that the actions can be well separated in time. However, it is possible that under some subset of plant conditions for the same scenario, the dynamics of the plant require the actions be taken almost simultaneously. In this case, the layout is inadequate and might result in failure to perform the actions in time.
| |
| Unless the analysis of PSFs is performed recognizing that plant conditions can vary significantly within the definition of a single PRA scenario, and that some of those plant con 6tions can be much more demanding of operators (both in terms of the plant conditions themselves and the limitations in PSFs like procedures and training under those conditions), the analysis may fail to identify the most likely conditions leading to operator failure.
| |
| Simply stated, operator failure in a PRA scenario is perhaps as likely, or more likely, to result from "off-normal" plant conditions during the scenario as it is to result from a random " human error" during the nominal conditions. Analyses of power-plant accidents and near-misses indicate that the influence of off-normal plant conditions appears to dominate over " random" human errors.
| |
| 1 This evidence from incident analyses is consistent with experience described by training personnel j who have observed that operators can be "made to fail" in simulator exercises by creating l l inappropriate combinations of plant conditions ud operator mind set. Examples of difficulties in operator performance in challenging simulator-training situations have been demonstrated by Roth,
| |
| ; et al, in NUREG/CR-6208 (Ref.1.14).
| |
| l 1-9 NUREG-1624 Draft
| |
| : 1. Introduction Therefore, to provide an effective tool for measuring and cor. trolling risk, PRA must be able to realistically incorporate those human errors that are caused by off-normal plant conditions, as U as those that occur " randomly" during nominal accident conditions. However, to incorporate errea caused by off-nonnal plant conditions, PRA must be able to identify contexts that can " force" human errors in order to estimate how likely these conditions are and what are the likely consequences in terms ofinappropriate human actions or inactions.
| |
| The identification of these error-forcing contexts must be on the basis of an understanding of the types of psychological mechanisms that cause human errors that are " set up" by particular plant
| |
| . conditions that lie within the PRA definitions of accident scenarios. Without this understanding, the search for these error-forcing contexts is limited to searches for " repeat events" that are simply duplicates of earlier incidents where people had failed. It is important to find the more general class of events represented by these particular instances if a real understanding of the error is to occur and if" fixes" are to be effective. For example, an incident occurs and a human error is attributed to a ,
| |
| deficient procedure. A particular fix is to change that procedure to remove the immediate and direct l cause of the error. To fix the broader class would involve analyzing why the procedure was deficient. Was there an insufficient review? Were the conditions under which the procedure was to l be used not described fully or accurately? What programmatic changes could remove not only that one particular flaw but remove other similar but undiscovered flaws in that and other procedures? l The search for why implies a set of" root causes" that can be evaluated for their contribution to the deficient procedure. In the case of procedure writing, the programmatic process to ensure good procedures is reasonably well defined and root causes can be described. To analyze human errors, there must be a set of corresponding root cause descriptions of why errors can occur. Without these descriptions of the underlying error mechanisms and an understanding of the contexts that can force them to occur, the search for these error-forcing contexts will be limited to the particular event level.
| |
| For the purposes of risk assessment and risk management, this level would not adequately identify potentially significant accident scenarios and their more likely causes before they occur. In other words, in order to yield a practical wt of tools, this HRA project must guide user-analysts in the search for conditions under which risk-important human errors are likely to occur in an efficient and effective way.
| |
| 1.4.2 The Process of ATHEANA l
| |
| The purpose of this section is to transform the framework-based process for retrospective event analysis into a prospective process for performing HRA. Figures 1.2 and 'l.3 portray, in flow-chart form, the application process of the ATHEANA method. The steps in this process are briefly ;
| |
| described in the following subsections and in significantly more detail in Section 7. That process addresses several specific areas on the basis ofinsights from the analysis of operating events and review of existing HRA methods.
| |
| NUREG-1624, Draft 1-10
| |
| | |
| 1 i
| |
| : 1. Introduction Prepare to Apply ATHEANA (Steps 1 through 5)
| |
| V Identify HFEs and UAs (Steps 6 through 9)
| |
| V Identify UA Causes (Steps 10 through 15)
| |
| (Section 7)
| |
| V Quantify HFEs (Sectian 8)
| |
| V Incorporate HFE into PRA (Section 9)
| |
| Figure 1.2. Overview of the ATHEANA Process.
| |
| l I
| |
| l-11 NUREG-1624, Draft
| |
| | |
| {E s
| |
| s E E) F )
| |
| F 8 A9 Hn o Rn yi H.
| |
| ;. iP o f t c . od ine t
| |
| aS vt e vni S Q
| |
| u(
| |
| w(
| |
| > )
| |
| 7 le s
| |
| o 8b 1 a 8
| |
| 2 8
| |
| 3 , u t
| |
| t 1 r 1 1 c
| |
| * e 8 ev #
| |
| la e 8 e o S tuap ns
| |
| . c s /
| |
| pu (
| |
| d l
| |
| Yet lid e l
| |
| cT hiecla e
| |
| r n
| |
| x ca tet
| |
| " Snk U t g s e a/ L s
| |
| " f Int a yo s n othitp C iyais u f
| |
| i cM s e
| |
| f ti lo nh C a css yo esr F
| |
| E tne e c y f S es a
| |
| - it lpT T ds dp a I P n aa t cu I L d
| |
| IeFC d
| |
| e c
| |
| u d d .
| |
| n e s I
| |
| r s A
| |
| o f e A 1
| |
| A 2 rh t A 3 in D
| |
| o ud o e c
| |
| o g?
| |
| i t
| |
| a 1 ss o
| |
| 1 n t s
| |
| t s # t i g e u.
| |
| a sd nl u aRo r
| |
| t s io c r v
| |
| Uor g?.osn e pi "s D C
| |
| e s tc tc irA *tsUg P lee wCu c e e o Pe gi n Rlu o sc i
| |
| it d o On UAt "g y r _.h A
| |
| HnO R n f a .T f
| |
| it yR yi o o I n
| |
| Cei vh n to_
| |
| a t h
| |
| N n
| |
| e f t tic nA C wit e r _
| |
| e,Rig R, A d
| |
| I d
| |
| e ole HB p,
| |
| O " C s E i ~ F E H T
| |
| A e
| |
| ht e 7 8 9 n s te s s d n
| |
| a A
| |
| s eshc Tease r
| |
| 8 s
| |
| i s
| |
| A d a s s U uS s p U E A # /s la e d
| |
| n d
| |
| ns oE F
| |
| H U 6W.
| |
| s p
| |
| E I a es at h C
| |
| S t
| |
| a CF I f T I f oT Sr te& J, I H F 9 hCt f o r a E
| |
| F s f e
| |
| yH t U
| |
| o s % t is L
| |
| t a 7 foS f t
| |
| o sp ee-sS s
| |
| aP A
| |
| U s
| |
| 3 H
| |
| r e e p# is 1 d L lao y
| |
| lt i
| |
| R e CwT e n r e
| |
| id u
| |
| g
| |
| ; i F
| |
| )
| |
| 7 2 n m o in a ae m id T T r
| |
| a e y e S d r T (
| |
| na A an elp i
| |
| I N d o A t
| |
| E mo ed H T
| |
| st slu A AM A
| |
| N 4 s A is i 3 r s 4 s eo 5e E s s #
| |
| fotn e . #b ser e l
| |
| y h . i r
| |
| H lel n ,
| |
| . o r a en e o reT o n
| |
| n Fy O vA e d g het n n P % 4, P e p e ode n r 0 le
| |
| %, lwT d v s
| |
| p eh ht I o cT I PgEn/ I tot 4, l ev1 A S o s L t f tc o n hs ru a osr en n t
| |
| o e
| |
| r e
| |
| p SW e
| |
| le K
| |
| E
| |
| *mt t
| |
| a exheu tsErt I
| |
| A R
| |
| P e
| |
| F o
| |
| tc n
| |
| i u
| |
| o r
| |
| F P
| |
| 2 I# -
| |
| : 1. Introduction 1.4.2.1 Search Process for Human Failure Events (HFEs)
| |
| A process is needed to search for potentially risk-significant HFEs, especially for errors of commission and dependencies not previously identified in PRAs, but also for the more commonly modeled errors of omission because results to date have not been consistent across PRAs (NUREG- l 1560, Ref.1.15). M e existing HRA methods allow the HFEs to fall naturally out of the review of emergency operating procedures, primarily by asking, do the operators carry out the actions that their procedures demand'! Severe, seemingly inexplicable enors, such as turning off operating safety )
| |
| systems, bypassing start signals, defeating interlocks are not generally modeled. However, such j errors have occurred, and often for the best of reasons given operators' beliefs concerning the state of the plant and its likely response. The search for HFEs is initially a PRA or systems-related problem. It is a structured top-down approach. The first step in the search process is to use the PRA i model to identify those functional failure modes that could be caused by rational human behavior.
| |
| The definitions of HFEs may initially be given at a very high level (e.g., " Operator fails Safety Injection"). However, more specific HFEs can be identified by linking HFEs with specific equipment failure modes. For example, " Operator fails ESi'AS" can be decomposed into the unsafe acts " Operator bypasses ESFAS" and " Operator terminates ESFAS carly." In principle, such decompositions can be determined a priori since the failure modes for equipment are the same whether from human or other causes. Generally, post-accident EOCs will result from one of the following ways that operators can fail plant functions:
| |
| . by turning off running equipment
| |
| . by bypassing the signals for automatically starting equipment
| |
| . by changing the plant configuration such that interlocks, or other defenses that are designed to prevent equipment damage are defeated
| |
| . by excessive depletion or diversion of plant resources (e.g., water sources)
| |
| - by inappropriate initiation of a system
| |
| . by incret. sing / decreasing control of the system impact (e.g., over/under-cooling) 1.4.2.2 Comprehensive or Focused Analysis An emphasis on comprehensiveness can be fatal if the level of effort is to be controlled and if the best thinking is to be directed on the most important problems. The search process defined in Section 7 shows how to nanow the scope of the HRA by focusing on the highest priority issues first.
| |
| 1.4.2.3 Error-Forcing Con: ext (EFC)
| |
| Although a few existing methods flag the importance of context, none provides a practical search process for identifying and quantifying the EFCs. Because of the importance now attached to EFC, this point alone means that a new method is required. That perception ofimponance is on the basis of the simple observation that every serious event in the operating histories analyzed involves both an error-forcing plant context (plant configuration) and an error-forcing human factors context (negative PSF). The search for EFCs is similar to a hazard and operability study (HAZOP, Ref.
| |
| 1-13 NUREG-1624, Draft
| |
| : 1. Introduction I 1.16) that uses questioning on the basis afinsights from the retrospective study of operating even to walk the analyst through a range of possible reasons (e.g., error mechanisms, PSFs, dependent l
| |
| effects, plant conditions). The structure for this questioning process and the tools for applying the l pmcess (e.g., structured tables ofinformation) are described in Section 7 and are summariz l In setting priorities and quantifying the probabilities of the HFEs, whether they are defined at a h level or at the level of an unsafe act, the HRA analyst will need to identify the potentially different j
| |
| EFCs that can result in a specific unsafe act. For example, " operator terminates ESFAS early" can occur for a variety of different reasons that can be logically explained and described by the combination of error mechanisms and error-forcing contexts. t The approach for identifying EFCs is on the basis of two complementary perspectives: 1 (1) an understanding of error mechanisms and their causes to identify under what conditions people may be expected to fail (with a high likelihood) and how plant-specific activities and systems could give rise to the error mechanisms (2) plant engineering and operations to identify particular activities and syrtems of the plant where vulnerabilities may result in core damage Parallel to the characterization of the search for HFEs as a human-centered failure modes and analysis (FMEA), this search process for the error-forcing context can be characterized as a human-centered HAZOP analysis.
| |
| To that end, the search process is formalized into a set of questions that an analyst can use as the basis for a systematic identification of HFEs, unsafe acts, and EFCs that is on the basis of the theoretical concepts and experience that has been described earlier. This technique of asking a series of questions to structure the search is quite similar to the HAZOP approach (Ref.1.16) developed in the chemical process industry. The HAZ,OP uses a multidisciplinary team to examine every aspect of a plant's design by asking questions on the basis of a set of" guide words" that are established to test every conceivable deviation from design intent. The new HRA cpproach focuses the questions directly on the identification of EFCs, rather than on error mechanisms. The former are directly observable, whereas the latter are not. The error mechanisms have been used to develop tools to help identify the factors that should define the EFCs of concern and are part of the justification of using EFCs as surrogates for error causes.
| |
| I 1.4.2.4 Quantification In this new formulation, quantification becomes a question of evaluating how likely specific EFCs are within the wide range of attemative conditions. The chance of error given the EFC is fairly high and must be evaluated byjudgment tempered by available evidence, including the knowledge and i experience of plant operators and trainers. QuantificaGn details are provided in Section 8.
| |
| NUREG-1624, Draft 1-14
| |
| | |
| i l
| |
| : 1. Introduction l
| |
| 1.5 References 1.1. U.S' . Nuclear Regulatory Commission, Final Policy Statement on the Use ofProbabilistic Risk Assessment Methods in Nuclear Regulatory Activities, SECY-95-126, Washington, DC, May 16,1995.
| |
| 1.2 J. M. Taylor, Summary ofNRC Uses ofRisk Assessmentfor Committee on Risk Analysis, Memo to Commissioner G. de Planque from the Executive Director of Operations, U.S.
| |
| Nuclear Regulatory Commission, Washington, DC, June 6,1994. j 1.3 U.S. Atomic Energy Commission, Reactor Safety Study - An Assessment ofAccident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400 (NUREG 75/014), Washington,
| |
| ' DC,1975.
| |
| 1.4 U.S. Nuclear Regulatory Commission, Risk Assessment Review Group Report to the U.S.
| |
| Nuclear Regulatory Commission, H.W. Lewis, et al., Ad Hoc Risk assessment Review Group, NUREG/CR-0400, Washington, D.C., September 1978.
| |
| 1.5 Rogovin, M., and G. Frampton, Three Mile Island - A Report to the Commissioners and to the Public. Special Inquiry Group, Nuclear Regulatory Commission, Washington, DC, January 1980.
| |
| 1.6 U.S. Nuclear Regulatory Commission, Probabilistic Risk Assessment Reference Document,:
| |
| NUREG-1050, Washington, DC, September 1984.
| |
| l.7 -M. T. Barriere, W. J. Luckas, D. W. Whitehead, and A. M. Ramey-Smith, Brookhaven National Laboratory: Upton, NY and Sandia National Laboratories, An Analysis of Operational Experience During LP&S and A Plan for Addressing Human Reliability AssessmentIssues, NUREG/CR-6093 Albuquerque,NM, June 1994.
| |
| 1.8 M. T. Barriere, W. J. Luckas, J. Wreathall, S. E. Cooper, D. C. Bley, and A. M. Ramey-Smith, Brookhaven National Laboratory, Multidisciplinary Frameworkfor Analyzing Errors ofCommission and Dependencies in Human Reliability Analysis, NUREG/CR-6265, Upton, NY, August 1995.
| |
| 1.9 S. E. Cooper, W. J. Luckas, and J. Wreathall, Human-System Event Classification Scheme ,
| |
| (HSECS) Database Description, BNL Technical Report No. L2415/95-1, Brookhaven National Laboratory, Upton, NY, December 1995.
| |
| L 1.10 S. E. Cooper, A. Ramey-Smith, J. Wreathall, G. W. Parry, D. C. Bley, J. H. Taylor, W. J.
| |
| l Luckas, Brookhaven National Laboratory, A Technique for Human Error Analysis I (ATHEANA), NUREG/CR-6350, Upton, NY, April 1996.
| |
| l-15 NUREG-1624, Draft i
| |
| : 1. Introduction 1.11 U.S. Nuclear Regulatory Commission, Report on the Accident at the Chernobyl Nuclear Power Station, NUREG-1250, Washington, DC, December 1987.
| |
| 1.12 U.S. Nuclear Regulatory Commission, Implications ofIhe Accident at Chernobylfor Safety Regulation ofCc <mercial Nuclear Power Plants in the UnitedStates, NUREG-1251, Vols.
| |
| I and 2, Final Ry ort, Washington, DC, April 1989.
| |
| 1.13 Office of Analysis and Evaluation of Operational Data (AEOD), U.S. Nuclear Regulatory Commission, Engineering Evaluation - Operating Events with Inappropriate Bypass or I
| |
| Defeat ofEngineeredsafety Features, AEOD/E95-01, Washington, DC, July 1995.
| |
| I E. M. Roth, R. J. Mumaw, and P. M. Lewis, Westinghouse Science and Technology Center, l 1.14 An Empirical Investigation ofOperator Performance in Cognitively Demanding Simulated Emergencies, NUREG/CR-6208, Pittsburgh, PA, July 1994.
| |
| 1.15' Division of Systems Technology - Office of Nuclear Regulatory Research, US Nuclear Regulatory Commission, Individual Plant Examination Program: Perspectives on Reactor Safety and Plant Performance, Volumes 1 and 2, NUREG-1560, Washington, D.C., October 1996.
| |
| 1.16 R. E. Knowlton, An Introduction to Hazard and Operability Studies: The Guide Word Approach, Chemetics International,1992.
| |
| l l 1 I
| |
| NUREG-1624, Draft 1-16 1
| |
| | |
| i i
| |
| PART1 PRINCIPLES AND CONCEPTS UNDERLYING THE ATHEANA HRA )
| |
| METHOD l l
| |
| l t
| |
| | |
| 2 GENERAL DESCRIPTION OF THE ATHEANA HRA METHOD 1
| |
| l The ATHEANA method is an extension of previous HRA approaches. It is organized around a i multidisciplinary framework that is directly applicable to the retrospective analysis of operational events and provides the foundation for the prospective analysis for HRA. This section explains the HRA framework in some detail and outlines the principles underlying the prospective search process.
| |
| 2.1 A Multidisciplinary HRA Framework As reported in NUREG/CR-6265 (Ref. 2.1), a multidisciplinary HRA framework was established to guide the development of ATHEANA. This section briefly overviews the framework, emphasizing those aspects particularly relevant to ATHEANA. Appendix B of NUREG/CR-6350 (Ref. 2.2) gives a more detailed description of this framework. The framework has also been used extensively to provide a systematic structure for analyzing the human-system interactions in operational events, including the causes and consequences of EOCs (e.g., NUREG/CR-6265, Ref. 2.1).
| |
| The fundamental concept of the multidisciplinary HRA framework is that human errors result (for the most part) from combinations of plant conditions and associated PSFs which trigger error mechanisms in plant personnel. In addition, the framework provides a means for using the knowledge and understanding from the disciplines that are relevant to risk-significant human perfccmance in NPP accidents including plant operations and engineering, PRA, human factors, and behavioral science. Existing HRA methods address some, but not all, of these disciplines. In addition, the HRA framework developed for ATHEANA establishes relationships between these disciplines and new terminology to bridge the gap between them. In existing HRA methods, each discipline was considered mostly in isolation of the others, thereby limiting insights into human performaxe.
| |
| Figure 2.1 shows the graphic description of the framework which includes elements from plant operations and engineering PRA, human factors engineering, and behavioral sciences perspectives.
| |
| All of these contribute to our understanding of human reliability and its associated influences and have emerged from the review of significant operational events at NPPs by a multidisciplinary project team representing all of these disciplines. The following are the framework elements:
| |
| * error-forcing context
| |
| - performance-shaping factors
| |
| = plant conditions
| |
| . human error
| |
| . error mechanisms e unsafe actions e human failure events
| |
| = PRA model
| |
| . scenario definitions 2-1 NUREG-1624, Draft
| |
| | |
| i
| |
| : 2. General Description of the ATHEANA HRA Method i i
| |
| i 1
| |
| - Eb i
| |
| - ~ ~ ~ -'
| |
| ^
| |
| Forcing Human Error PRA ]
| |
| Context .
| |
| Model I
| |
| Pi nt oesesn *" ' ' i '
| |
| Human Failure .
| |
| Error Unsafe I
| |
| opershons 4 Mechanisms 4 Actions W Events + wt Decisions and (
| |
| Factors i g _ -
| |
| db
| |
| .j Plant Scenano
| |
| ; - Conddons O O Defincon
| |
| * * * " * ^ ~
| |
| Figure 2.1 Multidisciplinary HRA Framework )
| |
| l These combined elements create the minimum necessary set that describes the causes and coneutions of human errors in major NPP events. Figure 2.1 illustrates the inter-relationships between these elements.
| |
| The human-performance-mlated elements of the framework (i.e., those requiring the expertise in the human factors, behavioral science and plant engineering disciplines) are reflected by the boxes on the leftside of the figure; namely, performance-shaping factors, plant conditions, and error mechanisms. These elements represent the understanding needed to describe the underlying causes (e.g., influences) of unsafe actions, and hence, explain why a person'may perform an unsafe action.
| |
| The elements on the right side of the figure, namely, the HFEs and the scenario definition represent ,
| |
| the PRA model. The unsafe action and human failure event (HFE) elements represent the point of l integration between the HRA and PRA model. The PRA traditionally focuses on the consequences of the unsafe action, which it describes as a human error that is represented by an HFE.
| |
| The HFE is included in the PRA model associated with a particular plant state which defines the specific accident scenarios that the model represents.
| |
| 2.1.1 Error-Forcing Context An EFC is the combined effect of PSFs and plant conditions that create a situation in which human
| |
| . error is likely. Analyses of NPP operating events reveal that the error-forcing context typically involves an unanalyzed plant condition that is beyond normal operator training and procedure-related PSFs. The unanalyzed riant condition can activate a human error mechanism related to, for example, inappropriate situation assessment (i.e., a misunderstood regime). Consequently, when NUREG-16?A, Draft 2-2
| |
| | |
| i
| |
| : 2. General Description of the ATHEANA HRA Method these plant conditions and associated PSFs trigger internal psychological factors (i.e., error mechanisms), they can lead to the refusal to believe evidence that runs counter to the initial misdiagnosis', or a failure to recognize that evidence, resulting in subsequent mistakes (e.g., errors of commission) and ultimately a catastrophic accident.
| |
| ~ PSFs represent the human-centered influences on human performance. To date, the PSFs primarily used in this project are those identified in the Human Performance Investigation Process (HPIP)
| |
| (NUREG/CR-5455, Ref 2.3):
| |
| . procedures e training
| |
| .- communications
| |
| . supervision
| |
| . staffing a human-system interface
| |
| . organizational factors e stress e environmental conditions An example of a PSF is a procedure whose content is incorrect (e.g., wrong sequence of steps),
| |
| incomplete (e.g., situation not covered), or misleading (e.g., ambiguous directions) which influences a failure in situation assessment or response planning.
| |
| Plant conditions include plant configuration; system, component, instrumentation and control availability and reliability; process parameters (e.g., core reactivity, power level, and reactor coolant system temperature, pressure, inventory); and other factors (e.g., non-nominal and/or dynamic conditions) wrdch result in unusual plant configurations and behavior. The following examples illustrate some non-nominal plant conditions:
| |
| . history of false alarms and indications associated with a component or system involved in the response to an accident i = shutdown operations with instrumentation and alarms out of normal operating range and many automatic controls and safety functions disabled l
| |
| 1
| |
| . unusual or incorrect valve lineups or other unusual configurations 2.1.2 Human Error Human error can be characterized as a divergence between an action performed and an action that should have been performed, which has an effect or consequence that is outside specific (safety) tolerances required by the particular system with which the human is interacting.
| |
| 23 NUREG 1624, Draft
| |
| | |
| l
| |
| : 2. General Description of the ATHEANA HRA Method In the PRA community, the term human error has usually been used to refer to human-caused failures of a system or function. The focus is on the consequence of the error. In the behavioral l' sciences, the focus is on the underlying causes of the error. For the purpose of developing ATHEANA and to fully integrate with the requirements of the PRA, the framework representation 1
| |
| of human error encompasses both the underlying mechanisms of human error and the consequences l of the error mechanism, which is the observable unsafe action.
| |
| Error mechanisms are psychological mechanisms causing human errors that can be " triggered" by particular plant conditions and PSFs that lie within the PRA definitions of accident scenarios. Thes error mechanisms often are not inherently " bad" behaviors but are mechanisms that generally allow humans to perform skilled and speedy operations. However, when applied in the wrong context, these mechanisms can lead to inappropriate actions with unsafe consequences. Different error mechanisms are influenced by different combinations of PSFs and plant conditions.
| |
| Unsafe actions are those actions inappropriately taken, or not taken when needed, by plant personnel that result in a degraded plant safety condition. The term " unsafe action" does not imply that the human was the root cause of the problem. Consequently, this distinction avoids any inference of blame and accommodates the assessment, on the basis of the analysis of operational events that people are often " set up" by circumstances and conditions to take actions that were unsafe. In those circumstances, the person did not knowingly commit an error; they were performing the " correct" action as it seemed to them at the time.
| |
| While not all unsafe actions identified in the analysis of operational events correspond to HFEs as defined in PRAs, in some cases, there is a direct correspondence. For example, operators terminating operation of needed engineered safety features would be an unsafe action, and should be incorporated as an HFE in PRAs. More commonly though, unsafe actions represent a " finer" level of detail than most HFEs defined in existing PRAs.
| |
| i 2.1.3 The PRA Model ;
| |
| 'Ihe PRA modelidentified in this HRA framework is no different from those used in existing PRA methodologies. However, for the purposes of this project, the PRA model is an "end-user" of the HRA process. The PRA model is a means of assessing the risk associated with the NPP operation.
| |
| It has as its basis logic models which consist of event trees and fault trees that are constructed to identify the scenarios that lead to unacceptable plant accident conditions, such as core damage. The PRA model is used to estimate the frequencies of the scenarios by converting the logic model into a probability model. To achieve this aim, estimates must be obtained for the probabilities of each event in the model, including human failure events. When human performance issues are analyzed to support the PRA, it is in the context of HFEs applicable to a specific accident scenario defined by the plant state and represented by a PRA logic model. 2 HFEs are modeled in the PRA to represent the failure of a function, system, or component as a result l of unsafe human actions that degrade the plant's safety condition. An HFE reflects the PRA systems analysis perspective, and hence, can be classified as either an EOC or an error of omission (EOO).
| |
| NUREG-1624, Draft 2-4 1
| |
| I
| |
| : 2. General Description of the ATHEANA HRA Method An EOO typically represents the operator's failure to initiate a required safety function. An EOC represents either the inappropriate termination of a necessary safety function or an initiation of an inappropriate system. Examples of HFEs include the inappropriate termination of safety injection during a loss-of-coolant accident (an EOC) and the failure to initiate standby liquid coolant during an accident transient without scram (an EOO).
| |
| A basic event in the PRA model represents an uncorrected change in the status of the equipment affected within the context of the event definitions in the event tree model. To reflect the fact that the changes of a plant's state caused by human failures may not occur instantaneously, the HFEs are defined to represent not only the committing of an error, but the failure of the plant personnel to identify that an error has been made; thereby, inhibiting corrective action before the change to the plant state (within the definition of the event tree success criteria) has occmred. Depending cn what the HFE is supposed to represent, HFEs may be associated with an event tree sequence or with specific minimal cut sets generated by the solution of a PRA model. The appropriate level of )
| |
| decomposition of the scenarios is that which is necessary to support the unique definition of an HFE with respect to the impact of the plant state on the probability of the HFE. Deciding on the appropriate level of definition is very much an iterative process.
| |
| PRA scenario definitions provide the minimum descriptions of a plant state required to develop the PRA model and define appropriate HFEs. The following examples illustrate typical elements of the PRA scenario definition:
| |
| . initiating event (e.g., transients, small-break loss-of-coolant accident, loss of offsite power, etc.)
| |
| . operating mode -
| |
| . decay heat level (for shutdown PRAs)
| |
| . function / system / component status or configuration The level of detail to which scenarios are defined can vary and include the following:
| |
| . functionallevel
| |
| * system level
| |
| . component state level (i.e., component successes or failure, or using the terminology of system analysts, cut sets) 2.2 An Approach for Modeling: ATHEANA Other sections in this document identify important human performance issues which must be addressed in the ATHSANA HRA method to make the needed improvements in HRA/PRA. As illustrated by past operational events, the issues which represent the largest departures from those addressed by current HRA methods all stem from the need to better predict and reflect the "real world" nature of failures in human-system interactions. Real operational events frequently include post-accident EOCs, which are minimally addressed in current HRA/PRAs and are strongly influenced by the specific context of the event (e.g., plant conditions and performance-shaping 2-5 NUREG-1624, Draft
| |
| | |
| 1 General Description of the ATHEANA HRA Method factors). In turn, the specific context of an event frequently departs from the nominal plant conditions assumed to prevail during at-power operations at NPPs.
| |
| Consequently, the HRA modeling approach adopted for ATHEANA significantly differs from current approaches. To be consistent with operational experience, the fundamental premise of ATHEANA is that significant post-accident HFEs, especially errors of commission, represent l
| |
| situations in which the context of an event (e.g., plant conditions, PSFs) virtually forces operators l to fail. ATHEANA's definition of HFEs and their quantification is on the basis of the error-forcing l j
| |
| context of the event. This premise is a significant departure from that of traditional HRA methods l l in which HFEs are defined and quantified as being the result ofrandom operator failures which occur under nominal operating conditions.
| |
| The ATHEANA modeling approach must involve, more than simply, a new quantification model.
| |
| In particular, it must provide better, and more comprehensive approaches to identifying and defining appropriate HFEs and placing them in the PRA model. As a result, new HRA activities will be required when applying ATHEANA, which will focus upon identifying HFEs not previously included in PRAs, together with unsafe actions and their associated error-forcing contexts. HRA
| |
| ) analysts will identify combinations of off-normal conditions and performance shaping factors, rather than nominal conditions, which strongly increase the probability of unsafe actions. Analysts will be assisted by the understanding of the causes of human failures extracted from psychological literature and analyses of operational experience. In addition, these identification activities will require more interactions between HRA analysts, other PRA analysts, and plant experts. Finally, quantification of the probabilities of corresponding HFEs will be on the basis of estimates of how likely or frequently the plant conditions and PSFs which comprise the error-forcing contexts occur, rather than upon assumptions of randomly occurring human failures.
| |
| In general, ATHEANA will involve the same tasks which typically define an HRA. In terms of the functional elements of the PRA/HRA proces, the following six tasks are listed generally in the sequence in which they are performed (with the understanding that the definition of the HFEs is usually an iterative process):
| |
| (1) plant familiarization and information collection (2) identification and definition of HFEs (3) incorporation of HFEs into the logic model (4) screening analysis (5) detailed HRA quantification, including uncertainty analysis (6) documentation of the process and its results i
| |
| When applying ATHEANA to a PRA, the representation of post accident HFEs which are EOCs will be similar to the representation of EOOs already addressed by existing HRA methods (i.e., they will j be identified and defined in terms of failed plant, system, or component functions). However, i definitions of EOOs are on the basis of failures of manual operator actions to initiate or change the state of plant equipment. Therefore, EOO def'mitions typically are phrased, for example, as
| |
| " Operator fails to start pumps." EOCs must be defined differently since, generally, post-accident NUREG-1624, Draft 2-6
| |
| : 2. General Description of the ATHEANA HRA Method EOCs result from one of the following ways by which operators fail plant, system, or component functions:
| |
| * by turning off running equipment a' by bypassing signals for automatically startug equipment by changing the plant configuration so it defeats interlocks that are designed to prevent damage to' equipment
| |
| = by excessive depletion or diversion of plant resources (e.g., water sources)
| |
| For PRA models, the ATHEANA premise is to include only the HFEs for which a plausible and likely reason can be determined. An HFE may result from one of several unsafe actions.
| |
| Application of ATHEANA involves, for each HFE, identifying and defining unsafe actions and associated error-forcing contexts. The identified error-forcing contexts (e.g., plant conditions and associated PSFs), and their underlying error mechanisms, are the means of characterizing the causes of human failures. An unsafe action could result from one of several different causes.
| |
| Implicit in the definition of the HFEs and unsafe actions is the recognition that, because of operational characteristics of NPPs, there is generally time for the operators to monitor the changes they have initiated which allows them opportunities to recognize and correct errors.
| |
| When applying ATHEANA, the prioritization of HFEs will be on the basis of the probabilities of the contributing unsafe actions, and these in turn are on the basis of probabilities of the EFCs.
| |
| Therefore, quantification of an HFE using ATHEANA is on the basis of answering the following
| |
| . questions:
| |
| = What unsafe action (s) can result in the HFE for which the probability is being quantified?
| |
| . What error-forcing context (s) can result in committing each of the initial unsafe actions?
| |
| = What error-forcing context (s) can result in a failure to recover from each of the initial unsafe actions?
| |
| * How likely are these error-forcing contexts to occur?
| |
| The prospective search process was outlined in Section 1 and Figures 1.2 and 1.3. The details of this search process for HFEs, unsafe actions (UAs), and EFCs is presented in Section 7. The approach for.quantification and consideration of recovery is presented in Section 8.
| |
| 2.3 References 2.1 M. T. Barriere, W. J. Lucas, J. Wreathall, S. E. Cooper, D. C. Bley, and A. M. Ramey-Smith, Brookhaven National Laboratory, Multidisciplinary Frameworkfor Analyzing Errars of Commission and Dependencies in Human Reliability Analysis, NUREGICR-6265, Upton, NY, August 1995.
| |
| 2-7 NUREG-1624, Draft
| |
| | |
| i i
| |
| : 2. General Description of the ATHEANA HRA Method 2.2 Cooper, S. E., A. M. Ramey-Smith, J. Wreathall, G. W. Parry, D. C. Bley, W. J. Luckas,l 1
| |
| J. H. Taylor, and M. T. Barriere, A Techniquefor Human Error Analysis (ATHEANA), j NUREG/CR-6350, BNL-NUREG-52467, May 1996. !
| |
| 2.3 M. Paradies, L. Unger, P. M. Haas, and M. Terranova, System Improvements, Inc.,
| |
| Development ofthe NRCs Human Performance Investigation Process (HPIP), NUREGICR-5455, Aiken, SC, October 1993.
| |
| l l
| |
| l l
| |
| l I
| |
| 1 1
| |
| l i
| |
| I NUREG-1624, Draft 2-8 l
| |
| | |
| )
| |
| 3 THE IMPORTANCE OF CONTEXT IN OPERATIONAL EXPERIENCE The analyses of accidents and serious incidents performed in this project have precipitated the identification, development, and ultimate confirmation of the principles underlying ATHEANA. In addition, independent analyses from other projects confirm and reinforce these principles. Since the basis of ATHEANA is fundamentally different from previous HRA methods, such confirmation also will be necessary to help future users of ATHEANA make the transition from focusing upon
| |
| " random" human errors under nominal conditions to errors which result from en or-forcing contexts comprised of non-nominal conditions and associated PSFs.
| |
| 3.1 Human Errors Are Driven by Context l Recent work in the behavioral sciences (including Refs. 3.1 and 3.2) has contributed to the understanding of the interactive natt.re of human errors and plant behavior that characterize the accidents that have occurred in high-technology industries. This understanding suggests that it is essential to analyze both the human-centered factors (e.g., performance shaping factors such as l
| |
| human-machine interface design, procedures content and format, and training) and the conditions of the plant that call for actions and create the operational causes for human-system interactions (e.g.
| |
| misleading indications, equipment unavailabilities, and other unusual configurations or operational l circumstances). This is in contrast to first-generation HRA methods that consider principally the l human-centered causes, with only the acknowledgment of plant influences through relatively simple measures as the " time available for action" or event-tree level plant state.
| |
| The human-centered factors and the inf uence of plant conditions are not independent of each other.
| |
| In many major accidents particular (" unusual" or "non-nominal") plant conditions create the need for operator actions and, under those " unusual" plant conditions, deficiencies in the human-centered factors lead people to make errors in responding to the incident.
| |
| Therefore, typical evaluations performed in HRA as ments of performance-shaping factors (e.g.,
| |
| procedures, human-machine interface and training) way not identify critical problems unless the whole range of possible plant conditions under which the controls or indicators may be required is considered. To identify the most likely conditions leading to failure, the analysis of PSFs must recognize that plant conditions can vary significantly within the event-tree / fault-tree definition of a single PRA scenario. Moreover, some plant conditions can be much more demanding of operators.
| |
| Both the conditions themselves, and the limitations in PSFs, such as procedures and training, can affect the operator's performance during an accident.
| |
| For example, a particular layout ofindicators and controls may be perfectly adequate for the nominal !
| |
| conditions assumed for a PRA scenario. However, other conditions possibly may arise during the ]
| |
| same PRA scenario such that the layout would influence the occurrence of operator errors in the accident response. So, if under the nominal conditions of an accident scenario, an operator is l required to perform a series of actions that are located on several control boards but are well-separated in time, the layout may be adequate. However, under some subset of plant conditions for j the same scenario, the dynamics of the plant could require that actions be taken almost simultaneously. Then, the control board layout may be inadequate and might result in an operator failing to perform the actions in time.
| |
| 3-1 NUREG-1624, Draft
| |
| : 3. The Importance of Context in Opertional Experience Simply stated, operator failure associated with a PRA scenario is perhaps more likely to result from the " unusual" plant conditions represented within the def'mition of that scenario, as it is to result from a random human error that might occur under the nominal conditions generally assumed by PRA analysts. Analyses of power plant accidents and near misses support this perspective, indicating that the influence of non-nominal plant conditions is much more significant than random human errors.
| |
| (NUREG/CR-1275, Volume 8, Ref. 3.3, Ref. 3.1, NUREG/CR-6093, Ref. 3.4, NUREG/CR-6265, Ref. 3.5, and NUREG/CR-6350, Ref. 3.6).
| |
| This evidence from incident analyses is consistent with experience described by training personnel who have observed that opetators can be "made to fail" in simulator exercises by creating particular combinations of plant conditions and operator mindset. Examples of difficulties in operator performance in challenging simulator training situations were demonstrated by NUREG/CR-6208 (Ref. 3.7).
| |
| Therefore, to provide an effective tool for measuring and controlling risk, a PRA must be able to incorporate realistically those human errors that are caused by off-normal plant conditions, as well as those that occur randomly during nominal accident conditions. However, for a PRA to incorporate errors caused by off-normal plant conditions, .t is necessary to identify the contexts that can force human errors, estimate how probable tney are, and estimate the likely consequences in terms ofinappropriate human actions or inactions.
| |
| The identification of error-forcing contexts, as described above, must be on the basis of on an understanding of the kinds of psychological mechanisms causing human errors that can be " set up" by particular plant conditions that lie within the PRA definitions of accident scenarios. One theory is that human errors mostly occur from a result of combinations ofinfluences associated with the plant conditions and its human-factors characteristics. For example, people often diagnose the cause of an occurrence on the basis of pattem matching. In NPPs, if operators had to analyze every scenario in a lengthy analytical manner, responses would be delayed past the onset of plant damage.
| |
| It is the fact that people (with the aid of proper training and procedures) can take short cuts in problem analysis and solution generation that normally result in speedy and reliable actions.
| |
| However, errors can result when the scenario does not exactly match the rules or when fatigue or workload predispose excessive "short-cutting." In other words, many error mechanisms occur when operators apply normally useful cognitive processes that, in the particular context, are defeated or when they are misled by a particular combination of plant conditions and PSFs.
| |
| Error mechanisms are not observable by themselves alone; only their consequences as human errors can be observed. However, without an understanding of error mechanisms, the search for error-forcing contexts would be limited to searches for " repeat events" that were simply duplicates of earlier incidents where people had failed. It is important to find the more general class of events represented by these particular instances, if a real understanding is to occur and " fixes" are to be effective. For example, an incident occurs and a human error is attributed to a deficient procedure.
| |
| A particular fix is to change that procedure to remove the immediate and direct cause of the error.
| |
| To fix the broader class would involve answering the following questions to analyze why the procedure was deficient:
| |
| NUREG-1624, Draft 3-2
| |
| : 3. The Importance of Context in Opertional Experience j
| |
| = Was there an insufficient review?
| |
| . Were the conditions under which the procedure was to be used not described fully or accurately?
| |
| . What programmatic changes could remove not only that one particular flaw but remove other similar but undiscovered flaws in that and other procedures?
| |
| The search for why implies a set of" root causes" that can be evaluated for their contribution to the deficient procedure. In the case of procedure writing, the programmatic process to ensure good pmcedures is reasonably well defined and root causes can be described. To analyze human errors, there must be a set of corresponding root cause descriptions of why errors can occur. Without these descriptions of the underlying error mechanisms and an understanding of the contexts that can force them to occur, the search for these error-forcing contexts will be limited to the particular event level.
| |
| This would not be adequate for risk assessment and risk management (i.e., to identify potentially significant accident scenarios and their more likely causes before they occur).
| |
| When developing an improved HRA method, a process is needed to identify the likely opportunities for inappropriately triggered mechanisms to cause errors that can have unsafe consequences. The staning point for this search is an HRA framework that describes the interrelationships between error mechanisms, plant conditions, and the performance shaping factors thet set them up and also the consequences of the error mechanisms in terms of how the plant can be rendered less safe through human interactions. In addition, a practical set of tools for applying an HRA method to model post-accident operator actions must be provided, especially because error mechanisms are not observables.
| |
| As indicated above, since error mechanisms are not observables, additional explanations of how humans behave are needed to provide auditable factors for HRA analysts to use in identifying human errors and their associated error forcing contexts to model as post-accident HFEs in the PRA model.
| |
| Behavioral models can provide this additional explanation and connect the concepts of human error, error-forcing context, and error mechanisms with post-accident operator actions.
| |
| For a more detailed perspective of the behavioral science background and models used in support of ATHEANA. see Section 4.
| |
| 3.2 Context in Retrospective Event Analyses Using the Framework Many events, including some non-nuclear power plant events, were reviewed in developing ATHEANA. These analyses used the multidisciplinary HRA framework as a guide to the imponant factors influencing human performance. In some cases, the events were analyzed in detail, using ,
| |
| event reports, and have been recorded in the HSECS database (Ref. 3.8). In other cases, relevant information was extracted and used to support the development work.
| |
| Reviews of four events are used to illustrate the insights which were gleaned from event analyses.
| |
| All four involve important post-accident human errors, which are the focus of ATHEANA:
| |
| l l
| |
| 3-3 NUREG-1624, Draft
| |
| : 3. The Importance of Context in Opertional Experience (1) TMI-2 (Refs. 3.9 and 3.10): On March 3,1979, a loss of feedwater transient (as a result of personnel errors outside the control room) and a reactor trip occurred. The emergency feedwater (EFW) pumps started automatically but misaligned valves prevented flow to the steam generators. A maintenance tag obscured the operators' view of an indicator showing that these valves were closed. A relief valve opened automatically, in response to increasing pressure and temperature, and stuck open. However, the control room indicator showed that the relief valve was closed. Operators failed to recognize that the relief valve was open for more than two hours, resulting in water loss from the reactor vessel. In addition, operators reduced high-pressure I injection flow to the reactor vessel for 3 % hours because of concerns of flooding the core and
| |
| " solid" reactor coolant system conditions, resulting in significant core undercooking. Serious core damage resulted from the open relief valve and reduced coolant flow. The event was terminated after a shift change of personnel, who discovered the open relief valve.
| |
| (2) Crystal River 3 (Ref 3.11): On December 8,1991, a reactor coolant system (RCS) pressure transient occurred during startup following a reactor power increase. A pressurizer spray valve opened automatically and stuck open. However, the control room indicator showed that the spray valve was closed. Operators failed to recognize that the spray valve was open. Believing the drop in pressure was as a result of an unexplained cooldown, the operators pulled rods to increase power. They expected that increasing RCS temperature would create in-surge into the pressurizer, which in turn would restore pressure. However, RCS pressure continued to decrease, resulting in a reactor trip. After the reactor trip, RCS pressure continued to decrease, reaching setpoints for arming the engineered safety features (ESP) system. Circumventing procedural guidance, the operators bypassed ESF for six minutes, in anticipation of terminating the transient. The control room supervisors directed operators to take ESF out of bypass and the high pressure injection system automatically started. RCS pressure was controlled with high pressure injection. The pressure transient was terminated after the pressurizer spray line isolation valve was closed, on the suggestion from a supervisor that it might be helpful.
| |
| (3) Salem 1 (Ref 3.12): On April 7,1994, a loss of circulating water, a condenser vacuum transient, and an eventual reactor trip occurred due to a severe grass intrusion at the circulating water intake structure. A partial (i.e., only train A) erroneous safety injection (SI) signal was generated because of a pre-existing hardware problems after the reactor trip, requiring operators to manually position many valves that normally actuate automatically. Operators failed to control the high-pressure injection (HPI) flow to the reactor vessel. After more than 30 minutes passed, the pressurizer filled solid and the pressurizer relief valves actuated repeatedly. The operators then terminated the HPl. As a result of operator inattention and pre-existing hardware failures, the steam generator pressure increased concurrently with the pressurizer level, causing the steam generator's safety relief valves to open. Following this, a rapid depressurization occurred, followed by a second SI actuation and more pressurizer relief valve openings.
| |
| (4) Oconee 3 (Ref 3.13 and 3.14): On March 8,1991, decay heat removal was lost for about 18 minutes during shutdown because of a loss of RCS inventory. The RCS inventory was diverted to the emergency sump via a drainpath created by the combination of a blind flange installed on the wrong sump isolation line and sump isolation valve stroke testing. Operators aligned NUREG-1624, Draft 3-4
| |
| : 3. The importance of Context in Opertional Experience residual heat removal pumps to the refueling water storage tank (RWST) in an attempt to restore reactor vessel level. When the vessel level did not rise, operators isolated the RWST and sent an auxiliary operator to close the sump isolation valve. A total of approximately 14,000 gallons of coolant was drained to the sump and spilled onto the containment floor (i.e.,9,700 gallons of RCS inventory and about 4,300 gallons of RWST inventory).
| |
| Elements of each of these events illustrate the importance of the concepts underlying ATHEANA.
| |
| For example, three of these events involved post-accident EOCs. In TMI-2, the throttling of high-pressure injection was an EOCthat resulted in serious core damage. In Crystal River 3, the bypass of ESF was an EOC, preventing automatic injection of coolant into the reactor core. However, this operator action was recovered without core . damage occurring. In Oconee 3, the alignment to the RWST, before isolating the drainpath to the sump, resulted in additional coolant being lost.
| |
| Consequently, this action was an EOC which also was recovered before the event was terminated.
| |
| In addition, three of these events (Crystal River 3, Salem 1, and Oconee 3) involved EOCs which either occurred just before the reactor trip or caused the reactor trip.
| |
| Context played an important role in all of these events. In TMI-2, plant conditions which contributed to the event included the pre-existing misalignment of EFW valves and the stuck open relief valve.
| |
| They combined with negative performance shaping factors, including the maintenance tag obstructing position indication for the EFW valve, misleading relief valve position indication, and lack of procedural guidance for the event-specific conditions. Other indications of the open relief valve were either misinterpreted or discounted by operators. In addition, operator training emphasized the dangers of " solid" plant conditions, causing operators to focus on the wrong problem. The Crystal River 3 incident involved similar factors, especially the open spray valve and the associated misleading position indication. There was no procedural guidance to support the diagnosis and correction of a loss of RCS pressure control. In the Oconee 3 event, operators did not have position indication because the isolation valve (which ultimately created the drainpath) was
| |
| " racked out" for stroke testing. Also, the erroneously installed blind flange was a temporary obstruction which remained undiscovered despite several independent checks. On the one hand, various instrumentation (e.g., reactor vessel-level indication and alarms) indicated a lowering vessel level of the reactor in the Oconee 3 event which operators discounted until field reports from technicians in the containment confirmed that the level was falling and radiation levels were increasing. On the other hand, the Salem I event involved different contextual factors, principally the partial, erroneous SI signal which was generated by pre-existing hardware problems and which required the operators to manually align several valves. Also, there was no procedural guidance regarding appropriate actions in response to a disagreement with the SI train logic.
| |
| Applying the information processing model concepts to these events reveals that situation assessment was critical in all of them. In TMI-2, operators did not recognize that the relief valve was open and that the tcmeter core was overheating. In Crystal River 3, operators did not recognize that the pressurizer spray valve was open and causing the pressure transient. In the Salem 1 event, operators failed to recognize and anticipate the pressurizer overfill, steam generator pressure increases, and the rapid depressurization following steam generator safety valve openings. Finally,in Oconee 3, operators did not recognize that a drainpath to the sump existed until eyewitness reports were 3-5 NUREG-1624, Draft l
| |
| l- )
| |
| : 3. The Importance of Context in Opertional Experience provided. These situation assessment problems involved either the sources ofinformation (e.g.,
| |
| instrumentation) or their interpretation. In TMI-2, operators misread the relief valve drain pipe temperature indication twice; thus, attributing the high in-core and RCS loop temperatures to faulty instrumentation. They also were misled by the control room indicator's position for the status of the relief valve. Also, some key indications were located on back panels and the computer printout of plant parameters ran more than 2 hours behind the event. In Crystal River 3, operators initially conjectured that the pressure transient was caused by RCS shrinkage. Unconnected plant indications, as well as the misleading spray valve position indication and (unsuccessful) cycling of the spray valve control, were taken as support of this hypothesis. In Oconee 3, operators suspected that decreasing reactor vessel level indication was as a result of faulty operation. Two sump high-level alarms were attributed to possible washdown operations. As noted above, field reports eventually convinced operators to believe that their instrumentation was functioning correctly.
| |
| 3.3 Other Analyses of Operational Events Several independent studies of accidents, including those cited above. support the principles underlying ATHEANA. In addition, discussions with those who have analyzed transportation and aviation accidents (Ref. 3.15) and reviews of accidents at chemical plants (Ref. 3.16) indicate that an error-forcing context is most often present in serious accidents involving human operational control in these industries. Reason (Ref. 3.1) identified important contextual factors in several major accidents, including the accident at TMI-2 and the Challenger shuttle explosion in January 1986.
| |
| Analyses of NPP incidents in Volume 8 of NUREG-1275 (Ref. 3.3) identified non-nominal plant conditions, and associated procedural deficiencies for these conditions, as strongly influencing 8 of 11 events which were significantly impacted by human actions. Of the 11 events,6 involved EOCs.
| |
| The NRC AEOD report " Operating Events with Inappropriate Bypass or Defeat of Engineered Safety Features" (AEOD/E95-01, Ref. 3.17) identified 14 events over that past 41 months in which ESF was inappropriately bypassed, all of which are EOCs. NUREG/CR-6208 (Ref. 3.7) identified situation assessment and response planning as important factors in simulator experiments involving cognitively demanding situations (i.e., situations not fully covered by procedures or training because of the plant conditions for the specific, simulated event being different from the nominal). Also, in the Electric Power Research Institute (EPRI)-sponsored Operator Reliability Experiment (ORE) program, 70 percent of the operating crew errors or near-misses observed in the simulator experiments, regardless of plant type, were categorized as "information processing or diagnosis and decision-making" errors (Ref. 3.18).
| |
| NUREG-1624, Draft 3-6
| |
| : 3. The importance of Context in Opertional Experience 3.4 References 3.1 J. Reason, Human Error, Cambridge University Press, Cambridge, England,1990.
| |
| 3.2 E. Hallnagel, Reliability ofCognition: Foundations ofHuman Reliability Analysis, Plenum
| |
| . Press, New York, NY,1993.
| |
| 3.3 . U.S. Nuclear Regulatory Commission, Operating Experience Feedback Report - Human Performance in Operating Events, NUREG-1275, Vol. 8, Washington, DC, December 1992.
| |
| 3.4 M. T. Barriere, W. J. Luckas, D. W. Whitehead, and A. M. Ramey-Smith, Brookhaven National Laboratory, An Analysis ofOperational Experience During LP&S and A Planfor Addressing Human Reliability Assessment Issues, and Sandia National Laboratories, NUREG/CR-6093, Albuquerque, NM, Upton, NY, June 1994.
| |
| 3.5 M. T. Barriere, W. J. Luckas, J. Wreathall, S. E. Cooper, D. C. Bley, and A.M. Ramey-Smith, Brookhaven National Laboratory, Multidisciplinary Frameworkfor Analyzing Errors
| |
| ' ofCommission and Dependencies in Human Reliability Analysis, NUREGICR-6265, Upton, NY, August 1995.
| |
| 3.6 S. E. Cooper, A. Ramey-Smith, J. Wreathall, G. W. Parry, D. C. Bley, J. H. Taylor, W. J.
| |
| Luckas, Brookhaven National Laboratory, A Technique for Human Error Analysis
| |
| . (ATHEANA), NUREG/CR-6350, Upton, NY, April 1996.
| |
| 3.7 E. M. Roth, R. J. Mumaw, and P. M. Lewis, Westinghouse Science and Technology Center:,
| |
| An EmpiricalInvestigation ofOperator Performance in Cognitively Demanding Simulated Emergencies, Pittsburgh, PA, NUREG/CR-6208, July 1994.
| |
| 3.8 S. E. Cooper, W. J. Luckas, and J. Wreathall, Human-System Event Classi/lcation Scheme (HSECS) Database Description, BNL Technical Report No. L2415/95-1, Brookhaven National Laboratory, Upton, NY, December 1995.
| |
| 3.9 1. Kemeny, The Needfor Change: Report ofthe President's Commission on the Accident at Three Mile Island, Pergamon Press, New York, NY,1979.
| |
| 3.10 ; M. Rogovin, and G. Frampton, Special Inquiry Group, Nuclear Regulatory Commission Three Mile Island - A Report to the Commissioners and to the Public, Washington, DC, January 1980.
| |
| 3.11 U.S. Nuclear Regulatory Commission, AEOD (Human Factors Team) Report, Crystal River, Unit 3 - December 8,1991, On-Site Analysis ofthe Human Factors ofan Event (Pressuri:er Spray Valve Failure), January 1992.
| |
| 3-7 NUREG-1624, Draft
| |
| | |
| i
| |
| : 3. The importance of Context la Opertional Experience 3.12 U.S. NRC, Augmented Inspection Team Report, Salem Unit 1, April 7,1994, Loss of Condenser Vacuum (and Loss of Pressure Control - RCS Filled Solid), Report No. 50-272/94-80 and 50-311/94-80, Washington, DC,1994.
| |
| 3.13 ' U.S. Nuclear Regulatory Commission, Augmented Inspection Team Report, No. 50-287/91-008, Oconee, Unit 3, Loss ofRHR (March 9.1991), Augmented Inspection Team Report, April 10,1991.
| |
| 3.14 U.S. Nuclear Regulatory Commission, AEOD (Human Factors Team) Report, Oconee, Unit 3 - March 9,1991, On-Site Analysis ofthe Human Factors ofan Event (Loss ofShutdown Cooling), May 1991.
| |
| l 3.15 National Transportation Safety BoardSafety Study: A Review ofFlight Crew-involvedin Major Accidents of U.S. Air Carriers,1978-1990, NTSB/SS-94/01,1994.
| |
| 3.16 T. A. Kletz, What Went Wrong? Case Histories ofProcess Plant Disasters, Gulf Publishing
| |
| . Company, Houston, TX,1985.
| |
| 3.17 U.S. Nuclear Regulatory Commission, Engineering Evaluation - Operating Events with inappropriate Bypass or Defeat of Engineered Safety Features, 0flice of Analysis and Evaluation of Operational Data (AEOD), AEOD/E95-01, Washington, DC, July 1995.
| |
| 3.18 A. N. Beare, A. N., C. D. Gaddy, G. W. Parry, and A. J. Singh, An Approachfor Assessment of the Reliability ofCognitive Responsefor Nuclear Power Plant Operating Crews, in G.
| |
| Apostolakis (Ed.) Probabilistic Safety Assessment & Management (PSAM), Elsevier Science Publishing Co., New York, NY,1991.
| |
| NUREG-1624, Draft 3-8
| |
| | |
| 4 PRINCIPLES BASED ON A BEHAVIORIAL SCIENCE PERSPECTIVE As discussed in Sections 2 and 3 of this repmt, one part of the framework underlying the ATHEANA method is the relationship between unsafe actions, error mechanisms, and error-forcing contexts.
| |
| The information required to describe this relationship is provided by two parallel and complementary sources including (1) an understanding ofhuman failures derived from models of human behavior created within the behavioral-sciences discipline and (2) an analysis of operational events.
| |
| There have been many attempts over the past 30 years to better understand the causes of human error. The main conclusion from these works is that few human errors represent random events; instead, most can be explained on the basis of the ways in which people process information in complex and demanding situations. Thus, it is important to understand the basic cognitive processes associated with plant monitoring, decision-making, and control, and how these can lead to human error. A number of good discussions of the cognitive factors associated with human performance and error in complex dynamic tasks are available in the literature (listed in the bibliography in I
| |
| Section 4.6). The main purpose of this section is to describe the relevant models in the behavioral sciences, the mechanisms leading to failures, and the contributing elements of error-forcing contexts in power-plant operations. The discussion is largely on the basis of the work of Woods, Roth, Mumaw, and Reason. (Refs. 4.1 - 4.5)
| |
| The basic model underlying the work described in this section is the information processing model that describes the range .of human activities required to respond to abnormal or emergency conditions. The model, in the form used in this application, considers actions in response to abnormalities as involving basically four cognitive steps:
| |
| (1) situation assessment (2) monitoring / detection (3) response planning (4) response implementation 4.1 Analysis of Operator Cognitive Performance Figure 4.1 illustrates the major cognitive activities, listed above, that underlie operator performance, and the remainder of this subsection discusses these four cognitive activities.
| |
| 4.1.1 Situation Assessment When confronted with indications of an abnormal occurrence, people actively try to construct a ceherent logical explanation to account for their observations. This process is referred to as situarian assessment. Situation assessment involves developing and updating a mental reprmatation of the factors known, or hypothesized, to be affecting plant state at a given point in time. The mental representation resulting from situation assessment is referred to as a situation model. The situation model is the person's understanding of the specific current situation, and the situation model is constantly updated as new information is received.
| |
| 1 4-1 NUREG-1624, Draft
| |
| : 4. Principles Based on a Behavioral Science Perspective
| |
| | |
| ===Response===
| |
| implementation n
| |
| If Human-System .., Monitoring / Situation Response Interface Detection Assessment Planning n ,
| |
| V I & C System 9*
| |
| Situation Model Mental Model (Plant Automation)
| |
| Intemal to Operators Figure 4.1 Major Cognitive Activities Underlying NPP Operator Performance Situation assessment is similar in meaning to " diagnosis" but is broader in scope. Diagnosis typically refers to searching for the cause(s) of abnormal symptoms. Situation assessment encompasses explanations that are generated to account for normal as well as abnormal conditions.
| |
| Operators use their general knowledge and understanding about the plant and how it operates to perform situation assessment and generate a situation model. Operator knowledge takes the form l of relatively permanent memory representations that are built upon through training and experience.
| |
| Operator knowledge can range from detailed knowledge of specific events to relatively abstract, generalizable principles that are applicable to a broad class of situations. Types of knowledge that are significant to performance include the following:
| |
| - Episodic knowledge refers to detailed memories of specific past events, including events the individual has experienced personally as well as events he or she has heard about.
| |
| - Stereotypic knowledge refers to knowledge about " typical" or " textbook" cases, as opposed to knowledge of specific past cases. Stereotypic knowledge can be developed by forming an abstract representation on the basis of the general aspects of specific similar past events that are '
| |
| representative of a class of situations. This type of knowledge is also gained from training and exercises in simulators. Using this type of knowledge, for example, operators may diagnose a LOCA event though the specific situation they are confronted with is not exactly the same as one {
| |
| j experienced during training.
| |
| - Mental models refer to mental representations that capture a person's understanding of how a l system works. A key feature of a mental model is that it is "runable." A mental model enables NUREG-1624, Draft 42 i J
| |
| : 4. Principles Based on a Behavioral Science Perspective plant examples include using knowledge of the physical interconnections among plant systems to predict flow paths (e.g., considering piping and valve interconnections to figure out how water from one system could get into another), and using knowledge of mass and energy changes in one system to predict the effect on a second system (e.g., predicting the effect of cooldown in the primary system on secondary side steam generator level behavior).
| |
| Procedural knowledge addresses strategies for dealing with events. This includes knowledge of procedures and how and when to use them, knowledge of formal processes and practices for responding to situations, as well as knowledge ofinformal practices for responding to situations.
| |
| This type of knowledge can also exist in nearly episodic form (i.e., knowledge of limited generalizability which addresses a specific step-by-step sequence which can be used so long as nothing deviates from the episodic representation of the situation). Procedural knowledge can also be quite abstract such that it can be applied broadly and can be used to adapt or generate new response plans should the specific conditions deviate from the ideal.
| |
| Long-term knowledge is drawn apon when generating and updating a situation model. It is important to note that operator knowledge may not be fully accurate or complete. For example, mental models often include over-simplifications or inaccuracies. Limitations in knowledge will result in incomplete or inaccurate situation models or response plans.
| |
| Situation models are constantly updated as new information is received and as a person's understanding of a situation changes. In power-plant applications, maintaining and updating a situation model entails the tracking of changing factors that influence plant processes, including faults, operator actions, and automatic system responses.
| |
| Situation models are used to form expectations, which include the events that should be happening at the same time, how events should evolve over time, and effects that may occur in the future.
| |
| People use expectations in several ways. Expectations are used to search for evidence to confirm the current situation model. People also use expectations they have generated to explain observed symptoms. If a new symptom is observed that is consistent with their expectations, they have a ready explanation for the finding, giving them greater confidence in their situation model.
| |
| When a new symptom is inconsistent with their expectation, it may be discounted or misinterpreted in a way to make it consistent with the expectations derived from the current situation model. For example, there are numerous examples where operators have failed to detect key signals, or detected them but misinterpreted or discounted them, because of an inappropriate understanding of the situation and the expectations derived from that understanding.
| |
| However, if the new symptom is recognized as an unexpectedplant behavior, the need to revise the situation model will become apparent. In that case, the symptom may trigger a situation assessment activity to search for a better uplanation of the current observations. In turn, situation assessment may involve developing a hypothesis for what is occurring and then searching for confirmatory evidence in the environment.
| |
| 4-3 NUREG-1624, Draft
| |
| : 4. Principles Based on a Behavioral Science Perspective Thus, a situation assessment can result in the detection of abnormal plant behavior that might not otherwise have been observed, the detection of plant symptoms and alarms that may have otherwise been missed, and the identification of problems such as sensor failures or plant malfunctions.
| |
| The importance of situation models, and the expectations that are a result of them, cannot be overemphasized. Situation models not only govern situation assessment, but also play an important l role in guiding monitoring, in formulating response plans, and in implementing responses. For example, people use expectations generated from situation models to anticipate potential problems and in generating and evaluating response plans.
| |
| 4.1.2 Monitoring and Detection Monitoring and detection refer to the activities involved in extracting information from the environment. They are influenced by two fundamental factors including (1) the characteristics of the environment and (2) a person's knowledge and expectations.
| |
| Monitoring that is driven by characteristics of the environment is often referred to as data-driven monitoring. Data-driven monitoring is affected by the form of the information, its physical salience (e.g., size, color, loudness, etc.). For example, alarm systems are basically automated monitors that are designed to influence data-driven monitoring by using aspects of physical salience to direct attention. Characteristics such as the auditory alen, flashing, and color coding are physical characteristics that enable operators to quickly identify an important new alarm. Data-driven monitoring is also influenced by the behavior of the information being monitored such as the bandwidth and rate of change of the information signal. For example, observers more frequently monitor a signal that is rapidly changing.
| |
| Monitoring can also be initiated by the operator on the basis of his or her knowledge and expectations about the most valuable sources ofinformation. This type of monitoring is typically referred to as knowledge-driven monitoring. Knowledge-driven monitoring can be viewed as
| |
| " active" monitoring in that the operator is not merely responding to characteristics of the environment that " shout out" like an alarm system does, but is deliberately directing attention to areas of the environment that are expected to provide specific information.
| |
| Knowledge-driven monitoring typically has two sources. First, purposeful monitoring is often guided by specific procedures or standard practice (e.g., control panel walk-downs that accompany shift tumovers). Second, knowledge-driven monitoring can be triggered by situation assessment or response planning activities and is, therefore, strongly influenced by a person's current situation model. The situation model allows the operator to direct attention and focus monitoring effectively.
| |
| However, knowledge-driven monitoring can also lead operators to miss important information. For example, an incorrect situation model may lead an operator to focus his attention in the wrong place, fail to observe a critical finding, or misinterpret or discount an indication.
| |
| Typically, in power plants an operator is faced with an information environment containing more variables than can realistically be monitored. Observations of operators under normal operating NUREG-1624, Draft 4-4
| |
| : 4. Principles Based on a Behavioral Science Perspective i
| |
| conditions, as well as emergency conditions, make clear that the real monitoring challenge comes from the fact that there are a large number of potentially relevant things to attend to at any poi it in time and that the operator must determine what information is worth pursuing within a constaatly changing environment. In this situation, monitoring requires the operator to decide what to momtor and when to shift attention elsewhere. Thes: decisions are strongly guided by an operator's current situation model. The operator's ability to develop and effectively use knowledge to guide monitoring relies en the ability to understand the current state of the process.
| |
| Under normal conditions, situation assessment is accomplished by mapping the information obtained in monitoring to elements in the situation model. For experienced operators, this comparison is relatively effonless and requires little attention. During unfamiliar conditions, however, the process is considerably more complex. The first step in realizing that the current plant conditions are not consistent with the situation model is to detect a discrepancy between the information pattern representing the current situation and the information pattern detected from monitoring activities.
| |
| This process is facilitated by the alarm system that helps to direct the attention of a plant operator to an off-normal situation.
| |
| When determining whether or not a signal is significant and worth pursuing, operators examine the signal in the context of their current situation model. They form judgments with respect to whether the anomaly signals a real abnormality or an instrumentation failure. They will then assess the likely cause of the abnormality and evaluate the importance of the signal in determining their next course of action, if action is needed.
| |
| 4.1.3 Response Planning Response planning refers to the process of making a decision as to what actions to take. In general, response planning involves the operator's using their situation model of the current plant state to identify goals, generate alternative response plans, evaluate response plans, and select the most appropriate response plan relevant to the current situation model. While this is in the basic sequence of cognitive activities associated with response planning, one or more of these steps may be skipped or modified in a panicular situation. For example, in many cases in NPPs, when written procedures are available andjudged appropriate to the current situation, the need to generate a response plan in real-time may be largely eliminated. However, even when written procedures are available, some aspects of response planning will still be performed. For example, operators still need to perform the following four steps:
| |
| (1) Identify appropriate goals on the basis of their own situation assessment.
| |
| (2) Select the appropriate procedure.
| |
| (3) Evaluate whether the procedure defined actions are sufficient to achieve those goals.
| |
| (4) Adapt the procedure to the situation if necessary.
| |
| It is important for operators to monitor the effectiveness of the response plan even when described by established procedures. Response plan monitoring includes evaluating the consequences of panicular procedure actions and evaluating the appropriateness of the procedure path for achieving 4-5 NUREG-1624 Draft
| |
| : 4. Principles Based on a BehavioralScience Perspective identified goals. This enables operators to detect when procedures are not achieving the desired goals, when procedures may contain errors, or when errors were made in carrying out procedure steps.
| |
| Another cognitive activity included under response planning is response plan adaptation. This includes filling in gaps in a procedure, adapting a procedure to the specific situation, and redirecting the procedure path.
| |
| 4.1.4 Response Implementation Response implementation refers to taking the specific control actions required to perform a task. It may involve taking discrete actions (e.g., flipping a switch) or it may involve continuous control ,
| |
| activity (e.g., controlling steam generator level). It may be performed by a single person, or it may require communication and coordination among multiple individuals.
| |
| The results of actions are monitored through feedback loops. Two aspects of NPPs can make response implementation difficult (1) time response and (2) indirect observation The plant processes cannot be directly observed, instead it is inferred through indications, and thes, errors can occur in the inference process. The systems are also relatively slow to respond in comparison to other types of systems such as aircraft. Since time and feedback delays are disruptive to response execution performance (because they make it difficult to determine that control actions are having their intended effect), the operator's ability to predict future states using mental models can be more important in controlling responses than through feedback.
| |
| In addition, response implementation is related to the cognitive task demands. When the response demands are incompatible with response requirements, operator performance can be impaired. For example, if the task requires continuous control over a plant component, then performance may be impaired when a discrete control device is provided. Such mismatches can increase the chance of errors being made. Another factor is the operator's familiarity with the activity. If a task is routine, it can be executed automatically, thus requiring little attention.
| |
| 4.2 Cognitive Factors Affecting Operator Performance i
| |
| Three classes of cognitive factors affect the quality of output of the major cognitive activities; therefore, affecting operator performance. They are know! edge, processing resource, and strategic factors. Errors arise when there is a mismatch between the state of these cognitive factors (i.e., the cognitive resources available to the operator) and the demands imposed by the situation. This section addresses how these cognitive factors affect the operator's cognitive performance.
| |
| t NUREG-1624, Draft 4-6 l
| |
| : 4. Principles Based on a Behavioral Science Perspective 4.2.1 Knowledge Factors In considering the influence of knowledge factors on performance, two types of problems need to
| |
| ]
| |
| be considered (1) content and (2) access. Information content was discussed above with respect to I an operator's knowledge. As noted, the operator's knowledge is not necessarily accurate nor I complete, and at times, it can be oversimplified. However, even when knowledge is available, it must be accessed by operators and be applied to situation assosment and response planning.
| |
| This is known as the memory retrieval process which is high v context-dependent. That is, contextual cues facilitate the retrieval of information from memory. The more retrieval cues available, the greater the probability that information can be retrieved. Retrieval cues, for example, can be a pattern ofinformation that the operator recognizes as a particular event or situation.
| |
| There are other knowledge factors that influence the information retrieval process making some information more likely to be recalled:
| |
| Recency - information pertaining to situations that have recently been experienced or mentioned, Frequency / familiarity - information pertaining to situations that happen frequently or are familiar (e.g., because they are practiced in training),
| |
| Similarity /Representativeness - information pertaining to situations that share significant characteristics with the current situation. If the current situation includes elements that are representative of a " classic" event' (i.e., displays the signature symptoms of a LOCA) then that classic event is likely to be recalled.
| |
| These factors may lead to the recall ofinfonnation that is not entirely appropriate to the situation.
| |
| For example, if a situation includes features that are similar to an event that recently occurred, an operator might recall that recent event, and interpret the current situation to be the same.
| |
| Additionally, relevant information that the operator may possess may not be recalled. For example, if a situation that rarely occurs has features in common with an event that is more familiar, operators may fail to recognize the rare event when it occurs, because they interpret the information as q indicative of the familiar event. I 4.2.2 Processing Resource Factors
| |
| ; Tasks that operators perform use cognitive processing resources. However, people do not have an l infinite amount of cognitive resources, such as attention and memory. Instead, there is a limited amount that must be distributed between the tasks that operators are performirig. Tasks differ in i tenns of their demands for processing resources. If one task requires a great deal of attention and memory resources, then there is little available to perform other tasks. If a set of tasks uses up most I of the available processing resources, then new tasks will have to be delayed until resources become 4-7 NUREG-1624, Draft
| |
| : 4. Prir.ciples Based on a rehavioral Science Perspective I available. If a task requires more resources than are available, then its performance may suffer and may be slow, inaccurate, or error prone.
| |
| In general, tasks that operators are familiar with and well trained on require fewer resources tha tasks that are unfamiliar and novel. Operators may perform routine procedure-based tasks almost effortlessly using little of the processing resources available. However, when operators are confronted with a cognitively demar. ding situation in which the information provided by indications is confusing or contradictory (and where it may be unclear how weil the available procedures are addressing the situation), a great deal of processing resources will be expended to analyze the situation and plan appropriate responses. In such situations, the resource limitations can considerably limit the operator's capabilities to monitor, reason, and solve problems.
| |
| It is also important to note that whe.1 operators are performing familiar, well-trained tasks, their infonnation processing capabilities appear almost automatic, with little processing effort, and large amounts of information are processed in parallel. In contrast, when confronted with unfamiliar situations, the effects of information processing resource limitations become more apparent.
| |
| Operators no longer respond in an automatic mode and instead become slow, deliberate, serial processors ofinformation. Information processing comes under much more conscious control. This type of analytic processing rapidly drains resources. To cope with such demanding cognitive situations, operators tend to use cognitive shortcuts that bypass careful, complete information analysis. These shortcuts, called " heuristics," are cognitive methods reduce the expenditure of cognitive effort and resources, and reduce the uncertainty of unfamiliar situations. An example is to do only enough analysis to form .m initial hypothesis about the cause of the current situation.
| |
| Once the partial analysis leads to a diagnosis, the information analysis is terminated. The potentia!
| |
| problem with this type of heuristi c is that a more detailed analysis ofinfonnation may have revealed the situation to be a similar, but less familiar one. In this exarr ote, the incomplete situation analysis may lead to an inaccurate situation model and inappropriate reoponse plans.
| |
| In summary, when confronted with situations that are highly demanding, the following problems can occur:
| |
| l
| |
| . slow information procer sing becoming serial and effortful, leading to the use of processing shortcuts in the face oflimited resources
| |
| . failure to perceive or process critical information about the situation in a timely manner and failure to properly integrate the information, which results in poor situation awareness and an inadequate situation model
| |
| . failure to revise incorrect situation assessments or courses of action even when opportunities l I
| |
| to do so arise
| |
| . failure to integrate multiple interacting symptoms and, instead, independently treating the j symptoms.
| |
| NUREG-1624, Draft 4-8
| |
| : 4. Principles Based on a Behavioral Science Perspective 4.2.3 Strategic Factors l Strategic factors influence decisions of choice under uncertain, potentially risky conditions. This can include situations where there are multiple conflicting goals, time pressure, and limited resources.
| |
| People often are placed in situations where they have to make choices and tradeoffs under conditions of uncertainty and risk. Situations often involve multiple interacting or conflicting goals that require considering the values or costs placed on different possible outcomes. An example relates to the decision of when to terminate a safety injection. Safety injection is required to mitigate certain types of accidents. On the other hand, if safety injection is left operating too long, it can lead to over filling of the pressurizer. This creates a conflict situation where multiple safety-related goals must be weighed in determining an appropriate action.
| |
| One factor impacting these tradeoffs is the actual perception of risk. Using their knowledge and experience, operators estimate the risk that is associated with various situations. However, there is a common tendency to underestimate risk in low-probability, risk-significant situations in which operators have experience and when they perceive themselves to be in control.
| |
| Since their perception of risk is optimistic, plant operators do not expect significant abnormal situations to occur. Thus, they rely on redundant and supplemental information to confirm the unusual condition. Upon verification of several confirmatory indicators, the operator can accept the information as indicating an actual off-normal condition (compared with a spurious .ondition).
| |
| However, this process still creates a conflict between the cost to productivity for falsely taking an action that shuts down the reactor versus the cost for failing to take a warranted action.
| |
| The above example illustrates another factor that operators often must consider (i.e., the consequences ofdifferent types oferrors). For example, under conditions of uncertainty an operator may have to weigh the consequences of failure to take an action that turns out to have been needed against the consequences of taking an action that tums out to be inappropriate.
| |
| There are also tradeoffs on when to make the commitment to a particular course of action. Within the constraints of processing resource limitations and available time, operators have to decide whether to take corrective action early in a situation on the basis oflimited information, or whether to delay a response until more information is available and a more thorough analysis can be conducted. On the one hand, in dynamic, potentially high consequence (to risk or productivity) situations, the costs of waiting can be high. On the other hand. the costs ofincorrectly making a decision can be high as well.
| |
| In summary, operators in abnormal events can be confronted with having to make decisions while facing uncertainty, risk, and the pressure oflimited resources (e.g., time pressure, multiple demands for the same resources). The factors that influence operators' choices in such situations include goal tradeoffs, perceived costs and benefits of different options, and perceived risk. When considering the decisions that operators are likely to make, it is necessary to explicitly consider the strategic 4-9 NUREG-1624, Draft
| |
| : 4. Principles Based on a Behavioral Science Perspective factors that are likely to affect performance including the presence of multiple interacting goals, the tradeoffs being made, and the pressures present that shift the decision criteria for these tradeoffs.
| |
| : L 4.3 Failures in Operator Cognitive Activity In this section, we consider how each of the major cognitive activities (monitoring / detection, situation assessment, response planning and response implementation) can lead to cognitive failures.
| |
| In cognitively demanding situations, a typical problem-solving sequence may assume the following four steps:
| |
| (1) Initial scanning is started by signals from the alarm system or other indicator, and the operator's attention is divided among a variety of data-gathering activities.
| |
| (2) The operator focuses in on a specific group ofindicators and makes an initial situation assessment.
| |
| (3) The operator now structures attentional resources to seek data confirming the hypothesis.
| |
| (4) The operator may become fixated on the hypothesis and can fail to notice changes in the plant's state or new developments.
| |
| The operator eventually may become aware of subsequent changes, but the process is hampered by attention being directed toward the current hypothesis and the overall processing limitations. !
| |
| Cognitive errors stem from limitations in knowledge, access to knowledge, processing resources, and strategic factors.
| |
| 4.3.1 Failures in Monitoring / Detection The primary error during monitoring and detection is the failure to detect / observe a plant state indication (e.g., parameter value and valve position). In general, the probability of ,
| |
| detecting / observing a given indication will be a function of the following:
| |
| = the salience of the indication (i.e., how much it alerts you resulting in data-driven detection)
| |
| - whether monitoring that parameter is " standard practice," called out in a procedu e, etc.
| |
| - the perceived relevance (e.g., priority, value) of the indication (i.e., whether you have some
| |
| " knowledge-driven" reasons to look at that indication)
| |
| ]
| |
| = the relative perceived priority of monitoring that parameter as opposed to performing other activities competing for available attentional resources (an example of strategic factors influencing monitoring choices)
| |
| NURI:G-1624, Draft 4-10 1
| |
| . _ _ _ _ ___ _ . .-i
| |
| : 4. Principles Based on a Behavioral Science Perspective e the availability of attentional resources, which has two components:
| |
| arousal / alertness level (which brings in issues of boredom, vigilance, etc.)
| |
| - overall workload As discussed above, monitoring is onen knowledge-driven. Where operators choose to look is determined by their current situation model, and the information perceived to be relevant to support current situation assessment, response p'anning, and response implementation activities.
| |
| One bias that enters into decisions as to where to look for evidence is referred to as the confirmation bias. This bias refers to the tendency to look for evidence to confirm the hypothesis currently being considered (i.e., plant indications that should be observed if the hypothesis is correct) rather than evidence that negates the hypothesis. As a consequence, if a plant indication is not perceived to be relevant for confirming a hypothesis that is currently being considered, it is less likely that the person will decide to look at it. As a result, unless the indication is vexy salient, operators may fail to obsen'e ::.
| |
| 4.3.2 'lailures in Situation Assessment The primary error during situation asseasment is the failure to correctly interpret an observation.
| |
| When a plant indication is observed, three " checks" are likely to be made to determine whether the indication needs to be pursued further:
| |
| (1) Is this observation consistent with my current understanding of the plant state (i.e., the current situation model)? Is it expected? Is it readily explained by the situation model? If the answer to any of these is yes, the person is likely to be satisfied that he/she can account for the observation, and will not search further for an explanation.
| |
| (2) is this observation likely to be spurious (i.e., invalid)? If the answer is yes, the operator is not likely to search further for an explanation of the fmding.
| |
| (3) Is this observation " normal" given the current plant mode or does it signal a plant abnormality that needs to be responded to? If the operator determines that the observation is " normal" then it will not be pursued further.
| |
| If the person determines that an observation is valid and unexpected then situation assessment is initiated to come up with an explanation for the observation. In emergency situations where there are procedures available to guide perfctmance, situation assessment activity will be subordinate to procedure-guided response, but is likely to be engaged in as a " background" activity performed as resources permit (i.e., mental workload and availability of additional personnel).
| |
| There are four types ofinterpretation failures:
| |
| (1) failure to recognize that the indication is Sbnormal" 4-ti NUREG-1624, Draft
| |
| : 4. Principles Based on a Behavioral S:lence Perspective (2) discounting or explaining away an indication by deciding it is " invalid" or spurious (3) discounting or explaining away an indication by deciding that it can be accounted for on the basis of the person's " current understanding" of the plant state (i.e., their situation model) i (4) engaging in situation assessment activity to try and come up with an explanation for the indication but coming up with the " wrong" situation assessment (i.e., wrong situation model)
| |
| An individual may incorrectly conclude that an observation is " normal" for the following reasons:
| |
| l
| |
| . poor displays that do not indicate targets, limits, and set points, requiring operators to retrieve and integrate values to determine whether something is normal (These memory retrieval and j information integration requirements are subject to memory retrieval, working memory limits, l and computational processing limitations.)
| |
| . lack of knowledge or incomplete knowledge e impact of processing limitation factors, exacerbated in situations where the workload is high, or i alertness levelis low An individual may incorrectly conclude that an observation is " expected" as a result of the following factors:
| |
| . lack of knowledge or incomplete knowledge (In complex accident situations, such as severe accidents, the phenomena may be less understood, and people may not be familiar with what plant dynamics to expect.)
| |
| . working memory and computational processing limitations that make it difficult for people to keep in mind all relevant parameters, and accurately " compute" what plant behavior should be expected (In complex situations, it may be difficult for people to perform the mental computations required to detect that observed plant behavior deviates either quantitatively or qualitatively from what would be expected.)
| |
| i e impact of processing limitation factors, exacerbated in situations where the workload is high or alenness level is low An individual may incorrectly conclude that an observation is " spurious" as a result of the following factors:
| |
| I
| |
| . history of" spurious" indications
| |
| . mental model that could explain how a spurious signal could be generated
| |
| . indication inconsistent with the person's current situation model !
| |
| l NUREG-1624, Draft 4-12
| |
| : 4. Principles Based on a Behavioral Science Perspective An individual may engage in situation assessment activity, but decide on an incorrect explanation for the observation:
| |
| . The person may generate the wrong explanation for the observation. Explanations that are more likely to be used are a result of the following:
| |
| l i - representativeness-(events for which this observation is a " classic" symptom
| |
| - frequency (events that happen frequently, or are familiar, e.g., due to training
| |
| - recency (events that have occurred recently
| |
| . The person may reject a correct explanation as implausible. An explanation's perceived plausibility is a function of the following:
| |
| the perceived likelihood of occurrence
| |
| - the number ofindications it can account for l . - There will be a tendency to search for evidence that is consistent with the hypothesis that is first called to mind.
| |
| . There is a tendency to try to explain future observations in terms of that hypothesis, and discount evidence inconsistent with that hypothesis.
| |
| . These tendencies will be more likely when demands on processing resources are high:
| |
| -- high workload (e.g., other demands competing for atte'ntional resources) high computational demands (e.g., when the correct explanation requires integrating evidence across space and time).
| |
| ' Several factors can influence how a person interprets a given observation. One set has to do with memory retrieval processes. Some explanations for a given finding are likely to come to mind more readily than others. As discussed above, the principles of " recency," " frequency," and "representativeness," affect those explanations which are more likely to be called to mind.-
| |
| ' Errors are likely when processing resources are limited because operators overutilize cognitive processes that serve to simplify complex information tasks by applying previously established l heuristics. Three heuristics used by operators to retrieve information from memory exert a strong influence on human performance. These heuristics are based on the use of these memory-retrieval processes (representativeness, similarity, and frequency) in place of more thorough cognitive analysis. Under high demand situations, operators attempt to match a perceived information pattem (such as a pattem ofindicators) with an already existing known pattem in the memory. The operator cognitively tries to establish a link because once accomplished, previously identified successful or l trained response-sequences are identified. This saves the operator the effort of knowledge-based I
| |
| reasoning that is resource intensive. When the perceived infonnation is only partially linked to well-4-13 NUREG-1624, Draft
| |
| | |
| ' 4. Principles Based on a Behaviorat Sdence Perspective know patterns, the discrepancy may be resolved by identifying the situation as the one most frequently used in the past.
| |
| . The following five heuristics may account for many human errors:
| |
| (1) errors reflecting the undue influence of salient features of the current situation (resulting in premature identification of the situation) or the intention / expectation of the operator (resulting in a bias to see only confirmatory data)
| |
| (2) errors reflecting the fact that, in ill-defined situations, the most frequently performed action will often be selected (3) errors reflecting the processing limitations of memory and attention which can cause important information to be lost (4) errors reflecting the fact that operators will generally favor heuristics over knowledge-based processing because they act to minimize cognitive effort and strain (5) errors reflecting incomplete or incorrect knowledge A second set of factors has to do with situation assessment processes. People are prone to search for an explanation for an observation that is consistent with their current situation model. This is related to the principle of confirmation bias. Once a hypothesis is generated to explain a set of findings, new findings are likely to be explained in terms of that initial hypothesis or to be discounted. A failure to revise situation assessment, as new evidence is introduced is called a fixation error.
| |
| 4.3.3 Failures in Response Planning The primary error during response planning is the failure to follow the correct response plan.
| |
| Response planning involves establishing goals, developing a response plan, which in turn may involve identifying and following a predefined procedure, and monitoring that the actions taken are achieving the goals that have been established. Response planning also includes respc,nse plan adaptation that involves modifying procedures in cases where it is determined that the procedures l are not achieving the desired goals.
| |
| Failures in response planning arise from any of the four elements involved. Specifically, operators may commit the following actions:
| |
| (1) Establish the wrong goal or incorrectly prioritize goals for any of the following reasons:
| |
| . an incomplete or inaccurate situation model i
| |
| . incomplete or inaccurate knowledge
| |
| ! = inaccurate perceptions of risk NUREG-1624, Draft 4 14 l
| |
| : 4. Principles Based on a Behavioral Science Perspective (2) Select an inappropriate procedure to follow or fail to recognize that the procedure is not applicable to the situation as result of the following problems:
| |
| . . an incomplete or inaccurate situation model (missed elements of a situatiori that make the procedure not fully applicable)
| |
| = lack of knowledge, incomplete or inaccurate knowledge in relation to the plant or the L procedure being followed (e.g., the goals, assumptions, and bounds of application of the
| |
| ! procedure) l l-
| |
| . computational processing limitations that result 'in a failure to anticipate violated l precondit ions, side effects of actions, or the existence of multiple goals that need to be l satisfied (3) Attempt to develop a response plan that turns out to be inadequate in cases where procedures l
| |
| are unavailable or am evaluated to be inappropriate to the situation which can be caused by l' the following problems:
| |
| . an incomplete or inaccurate situation model,
| |
| ; . . a failure to recognize that preconditions are not met, or
| |
| . a failure to :.nticipate side effects.-
| |
| '(4) Incorrectly decide to deviate from procedures in any of the following ways:
| |
| l (a) taking an action that is not explicitly specified in the procedures
| |
| ! (b) not taking an action that is specified in the procedures -
| |
| l (c) changing the order of actions from that specified in the procedures -
| |
| l '(d) delaying an action that is specified in the procedures as a result of the following problems:
| |
| . an incomplete or inaccurate situation model
| |
| . lack of knowledge, incomplete or inaccurate knowledge in relation to the plant or the procedum being followed (i.e., the goals, assumptions, and bounds of application of the procedure)
| |
| . computational processing limitations that result in a failure to anticipate potential L negative consequences e the existence of multiple conflicting goals F
| |
| e inaccurate perceptions of risks 4-15 NUREG-1624, Draft i
| |
| I~
| |
| L_____________-_____=___
| |
| | |
| r
| |
| : 4. Principles Based on a Behavioral Science Perspective Situations where multiple conflicting goals must be weighed may lead operators to significantly delay or totally avoid taking an action specified in a procedure, as illustrated by the following examples:
| |
| . taking action may violate standard operating practice (e.g., take the operator out of the usual operating band) -
| |
| e taking action may lead to reduced availability of safety systems, equipment, or instruments e taking action may have a potential negative effect on some other safety function (e.g., lead to overfill of pressurizer)
| |
| . significant uncertainty or unknown risk is associated with taking the action (e.g., PORV after being opened may stick open)
| |
| = taking the action will adversely affect aseas within plant and further burden recovery (e.g.,
| |
| actions may contaminate auxiliary building) e taking the action will have severe consequences associated with cost (e.g., plant will be shut down for major cleanup after bleed and feed)
| |
| = taking the action will release radiation to environment The tendency to delay an action, or not take the action, will be more likely if the potential for negative consequences is perceived to be small, as in the following possible examples:
| |
| . The action is not relevant or constitutes " overkill" under the particular circumstances.
| |
| * The undesirable action can be delayed without negative consequences (i.e., with negligible probability of negative consequences).
| |
| * The criterion for taking action is overly conservative.
| |
| . The process can be monitored and action taken if the situation degrades.
| |
| * Delaying the action would buy needed time to rectify the situation by alternative means.
| |
| * The action is violated routinely without negative safety consequences (resulting in perception that the probability of negative safety consequences from failure to take action is extremely small).
| |
| * The criterion for taking action is ambiguous or difficult to determine and/or requires a judgment I
| |
| call.
| |
| t NUREG-1624, Draft 4-16 l
| |
| l
| |
| : 4. Principles Based on a BehavioralScience Perspective 4.3.4 Failures in Response Implementation The primary error during response implementation is the failure to execute actions as required.
| |
| Response implementation refers to taking the specific control actions required to perform a task. In considering errors ofimplementation, it is assumed that the individual intends to take the correct action but because of a memory lapse or unintended action fails to take the action (i.e., an EOO),
| |
| unintentionally takes a difTerent " wrong" action (i.e., an EOC), or executes the action incorrectly
| |
| . (e.g., timing problem, overshooting, undershooting a value).
| |
| Several factors that can contribute to implementation errors:
| |
| * An operator may forget to take an action because of a memory lapse. This may occur in the following cases:
| |
| - Other actions of greater importance or greater urgency that are taken earlier.
| |
| - The procedure is written to allow significant flexibility for sequencing of actions (e.g., words such as "as time permits...").
| |
| - The action cannot be executed immediately because there is a need for another criterion to be satisfied first (e.g., wait till a parameter reaches value x).
| |
| * An operator may inadvertently take the wrong action because of a " slip." This may occur in the following cases:
| |
| - The required action deviates from a typical response.
| |
| The required action is similar to, but difTers in critical respects from, an action sequence that l the operator routinely performs. j
| |
| * An operator may inadvertently take the wrong action, or execute an action incorrectly as a result i of sensory-motor errors (e.g., lose his or her place in the procedure; hand literally slips). ,
| |
| * An operator may inadvertently take the wrong action because of communication errors.
| |
| 4.4 Conclusions This section has described the characteristics of human behavior that can result in unsafe actions and human failure events. There exists a body of knowledge developea in the behavioral sciences that allows the analyst to understand what kinds ofinfluences can lead the operators to misunderstand the conditions in the plant or failing to prepare an adequate response that result in plant damage.
| |
| Such failures are not random but are shaped by the contexts in which the operators are placed (i.e.,
| |
| the plant conditions and the performance shaping factors). The influence of these contexts and their interaction with plant personnel are discussed in Section 7.
| |
| 4 17 NUREG-1624, Draft
| |
| : 4. Principles Based on a BehavioralScience Perspective 4.5 References.
| |
| 4.1 J.T. Reason, Human Error, Cambridge University Press, Cambridge, MA,1990.
| |
| 4.2 D.D; Woods, H.E. Pople, and E.M. Roth, Westinghouse Electric Corp., The Cognitive Environment Simulation (CES) as a Toolfor Modeling Human Performance and Reliability, NUREG/CR-5213, Pittsburgh, PA,1990.
| |
| 4.3 D.D. Woods, L.J. Johannesen, R.I. Cook, and N.B. Sarter, Behind Human Error: Cognitive Systems, Computers, andHindsight, Crew System Ergonomics Information Analysis Center (CSERIAC), The Ohio State University, Wright-Patterson Air Force Base, Columbus, OH, December 1994.
| |
| 4.4 . E.M. Roth, R.J. Mumaw, and P.M. Lewis, An Empirical Investigation of Operator Performance in Cognitively Demanding Simulated Emergencies, NUREG/CR-6208, 7 Westinghouse Science and Technology Center, July 1994.
| |
| 4.5 J. Wreathall. and J. Reason, Human Errors and Disasters, Proceedings of the 1992 IEEE Fifth Conference on Human Factors and Power Plants, June 7-11, 1992, Monterey, California, New York,1992.
| |
| 4.6 - Bibliography of Cognitive Psychology Literature Relevant to ATHEANA General Treatment of the Cognitive Basis for Human Error Holinagel, E. (1993). Human Reliability Analysis Context and Control. London: Academic Press.
| |
| Mumaw, R.J., Swatzler, D., Roth, E.M. , and Thomas, W.A. (1994). Cognitive Skill Trainingfor Decision Making. NUREG/CR-6126, U.S. Nuclear Regulatory Commission, Washington, D.C.
| |
| Norman, D. (1988). The Psychology ofEveryday Things. New York, NY: Basic Books.
| |
| Rasmussen, J. (l986). Information Processing and Human-Machine Interaction. New York, NY:
| |
| North Holland.
| |
| Reason, J. (1990). Human Error. Cambridge, England: Cambridge University Press.
| |
| Woods, D.D., Johannesen, L.J. , Cook, R.L and Sarter, N.B. (1994). Behind Human Error Cognitive Systems, Computers and Hindsight, CSERIAC State-of-the-Art Report. j i
| |
| Woods, D.D. and Roth, E.M. (l986). Models of Cognitive Behavior in Nuclear Power Plant Personnel, NUREG/CR-4532, U.S. Nuclear Regulatory Commission, Washington, D.C.
| |
| I 5
| |
| I NUREG-1624, Draft 4 18 j
| |
| l
| |
| __m
| |
| : 4. Principles Based on a Behavioral Science Perspective Related Works on the Concepts Discussed in this Section Adams, M.J., Tenney, Y.J., and Pew, R.W. (1991). State-of the-Art Report: Strategic Workloadand Ihe Cognitive Management ofAdvanced Multi-Task Systems (CSER1AC 91-6).
| |
| Bransford, J.D. (l979). Human Cognition: Learning, Understanding and Remembering, Wadsworth Publishing Company, Belmont, CA.
| |
| DeKeyser, V. and Woods, D.D. (1990). Fixation errors: Failures to revise situation assessment in dynamic and risky systems.' In A.G. Colombo and A. Sr.iz de Bustamente (Eds.), System Reliability Assessment (pp. 231-251). The Netherlands: Kluw' Academic.
| |
| Dorner, D. (1983). Heuristics and cognition in complex systems. In R. Groner, M. Groner, and W.F. Bischof(Eds.), Methods ofheuristics. Hillsdale, NJ: Lawrence Erlbaum, Inc.
| |
| Endsley, M.R. (1995). Towards a theory of situation awareness in dynamic systems. Human Factors, 37,65-84.
| |
| Hukki, K. and Norros, L. (1993). Diagnostic orientation in control of disturbance situation.
| |
| Ergonomics, 36, 1317-1328.
| |
| Hutchins, E. (1990). The Technology of Team Navigation. In J. Galegher, R. Kraut, and C. Egido (Eds.). Intellectual Teamwork: Social and Technical Bases ofCollaborative Work. Hillsdale, NJ:
| |
| Lawrence Erlbaum, Inc.
| |
| Kahneman, D., Slovic, P. and Tversky, A. (1982). Judgment under uncertainty: Heuristics and biases. London: Cambridge University Press.
| |
| Kauffman, J.V., Lanik, G.F., Trager, E.A. and Spence, R.A. (1992). Operating Experience Feedback Report - Human Performance in Operating Events, NUREG-1275, Off1ce for Analysis and Evaluation of Operational Data. Washington, D.C: U.S. Nuclear Regulatory Conunission.
| |
| Klein, G.A. and Calderwood, R. (1991). Decision Models: Some Lessons from the Field,1EEE Transactions On Systems, Man, and Cybernetics, 21,1018-1026.
| |
| Lindsay, P.H. ar.d Norman, D.A. (1977). Human informationprocessing. New York: Academic
| |
| ' Press.
| |
| Montgomery, J.C., C.D. Gaddy, R.C. Lewis-Clapper, S.T. Hunt, C.W. Holmes, A.J. Spurgin, J.L.
| |
| Toquam, and A. Bramwell (1992). Team Skills Evaluation Criteriafor Nuclear Power Plant Control Room Crews (Draft). Washington, D.C: U.S. Nuclear Regulatory Commission.
| |
| ( ' Moray, N. (1986). Monitoring behavior and supervisory control. In K. Boff, L. Kaufman, & J.
| |
| [ Thomas (Eds.), Handbook ofhumanperception andperformance. New York: Wiley,
| |
| ' 4 19 NUREG-1624, Draft
| |
| | |
| - - - _ _ - - _ _ _ - _ _ _ _ _ _ - _ - _ _ - _ _ _ - _ _ _ _ _ . .__ _- - - - _ _ _ _ _ __= . _ _ _
| |
| l
| |
| : 4. Principles Based on a Behavioral Science Perspective Mumaw, R.J., Roth, E.M., Vicente, K.J. and Bums, C.M. (1995). Cognitive Contributions to Operator Monitoring During Normal Operations. AECB Project No. 2.376.1, Atomic Energy Control Board, Ottawa, Canada.
| |
| O'Hara, ,(l994). AdvancedHuman-System 1nterface Design Review Guideline: Volume 1: General Evaluation Model, Technical Development, and Guideline Description. (NUREGICR-5908).
| |
| Washington, D.C.: U.S. Nuclear Regulatory Commission.
| |
| Orasanu, J. (1993). Decision-making in the cockpit. In E.L. Weiner, B.G. Kanki and R.L.
| |
| Helmreich (Eds.) Cockpit Resource Management. San Diego, Academic Press.
| |
| Perrow, C. (1984). Normal Accidents. Living with High-Risk Technologies, Basic Books.
| |
| Rasmussen, J. (1969). Man-machine communication in the light of accident records (S-1-69).
| |
| Roskilde, Denmark: Electronics Dept., Danish Atomic Energy Commission.
| |
| : Rasmussen, J. (1976). Outlines of a hybrid model of the process operator. In T.B. Sheridan and G.
| |
| Johannsen (Eds.), Monitoring Behavior and Supervisory Control (pp. 371-383). New York:
| |
| - Plenum.
| |
| Rasmussen, J. (l986). Information processing and human-machine interaction: An approach to cognitive engineering. New York: North-Holland.
| |
| Roth, E.M., Mumaw, R.J., and Lewis, P.M. (1994). An EmpiricalInvestigation of Operator Performancein CognitivelyDemandingSimulatedEmergencies. NUREGICR-6208, U.S. Nuclear Regulatory Commission, Washington, D.C.
| |
| Sarter, N. and Woods, D.D. (1994). Pilot Interaction with Cockpit Automation II: An Experimental Study of Pilots' Model and Awareness of the Flight Manage;nent System. The InternationalJournal ofAviation Psychology,4 (1),1-28.
| |
| Sarter, N.B. and Woods, D.D. (1991). Situation Awareness: A Critical but Ill-defined Phenomenon.
| |
| International Journal ofA viation Psychology,1 (1), 43-55.
| |
| Simon, H. (1957). Models ofman (Social andrational). New York: Wiley.
| |
| Wagenaar, W. and Groeneweg, J. (1987). Accidents at Sea: Multiple Causes and Impossible Consequences. International Journal ofMan-Machine Studies, 27, 587-598.
| |
| . Wickens, C. (1984). Engineering Psychology and Human Performance. Columbus, OH: Merrill Publishing Company.
| |
| Wickens, C.D. and Flach, J.M. (1988). Information processing. In E.L. Weiner and D.C. Nagel (eds.), Humanfactors in aviation. New York: Academic Press.
| |
| NUREG-1624, Draft 4-20 i
| |
| __ __..____._______.__..__._________J
| |
| : 4. Principles Based on a Behavioral Science Perspective l Woods, D.D. (1992a). The alarm problem and directed attention (Technical Report TR-01).
| |
| Columbus, OH: Cogr.itive Systems Engineering, Ohio State University. .
| |
| Woods, D.D. (l992b). Cognitive activities and aiding strategies in dynamicfault management (Technical Report CSEL 92-TR-05). Columbus, OH: Cognitive Systems Engineering Laboratory, The Ohio State University.
| |
| Woods, D.D., Pople, H.E. and Roth, E.M. (1990). The Cognitive Environment Simulation as a Tool for Modeling Human Performance and Reliability, NUREGICR-5213, U.S. Nuclear Regulatory Commission, Washington, D.C.
| |
| Woods, D.D., Roth, E.M. and Pople, H.E. (l987). Cognitive Environment Simulation: An Artificial Intelligence System for Human Performance Assessment, NUREGICR-4862, U.S. Nuclear Regulatory Commission, Washington D.C.
| |
| 4-21 NUREG-1624, Draft
| |
| | |
| 5 OPERATIONAL EXPERIENCE ILLUSTRATING ATHEANA PRINCIPLES Reviews and analyses of operational events have been used throughout the development and demonstration of ATHEANA. As discussed in Section 2, operational experience was used iteratively in the development of the ATHEANA framework. Reviews ofoperational events assisted in the fomtulation of the ATHEANA perspective, beginning with the early work documented in NUREG/CR-6093 (Ref. 5.1), NUREG/CR-6265 (Ref. 5.2), and NUREG/CR-6350 (Ref. 5.3). The behavioral sciences principles and concepts described in Section 4 were confinned using examples from operational experience. The process for applying ATHEANA incorporates insights from operational event analyses (i.e., those documented in Appendix B), both th'se performed in the development of ATHEANA and its application aids, and those that might be performed by future, potential users of ATHEANA. The preliminary training materials developed for ATHEANA and used in the demonstration, documented in Appendix A include a brief tutorial on how to analyze events from the ATHEANA perspective and hands-on experience in operational event analysis.
| |
| Finally, the success of the ATHEANA demonstration (Appendix A) was due, in part, to the ability of the demonstration team to relate examples of past operational experience to potential future failure paths.
| |
| Event analyses using the ATHEANA perspective have been documented in several places. Early reviews of NPP events are documented in NUREG/CR-6093, NUREG/CR-6265, and NUREG/CR-6350. Reviews of events from other industries have been performed to illustrate the broader usefulness of basic ATHEANA principles. A more mature analysis method and database structure for NPP events was eventually developed and documented as the " Human-System Event Classification Scheme (HSECS)"(Ref. 5.4). Recently, refinements to the HSECS structure and additional event analyses have been performed. Eventually, an expanded structure and method that can accommodate both nuclear and non-nuclear events will be developed and implemented.
| |
| This section is provides excerpts of selected event analyses to illustrate:
| |
| (1) how operational experience confirms the ATHEANA perspective on serious accidents (2) the importance and usefulness of the behavioral science concepts discussed in Section 4 (3) what unsafe actions are (through use of examples), including errors of commission (4) how unsafe actions occur and the role of error-forcing contexts in their occurrence (5) unsafe actions and error-forcing context elements from actual events Consequently, the event excerpts provided in this section are intended to be used by ATHEANA users not only in learning ATHEANA's basic principles and concepts but also in applying ATHEANA. However, the examples given in this section are simply illustrative models of the types ofinformation that could be useful in trying to apply ATHEANA. Section 7, which describes the ATHEANA application process directs ATHEANA users to identify other event analyses (e.g., the HSECS database), and plant-specific events that would be relevant to review.
| |
| In particular, the most difficult task in applying the ATHEANA HRA approach is the identification of UAs and associated EFCs for defined HFEs. The excerpts from operational event analyses 5-1 NUREG-1624, Dra ft
| |
| : 5. Operational Experience lilustrating ATHEANA Principles provided in this section attempt to establish a connection between UAs and EFCs and the observable influences on human performance. These observable influences are the error-forcing context elements (i.e., the plant conditions and associated performance shaping factors). Consequently, the event analysis categorization terminology used in this section differs from the breakdown of the ,
| |
| different information processing stages described in Section 4 since they are based upon observables j
| |
| (while much of the behavioral science breakdowns are not). In addition, by being based upon observables from past operational experience, these categorizations can be used as the auditable j factors in the HRA information gathering process that are necessary if predictions about likely human errors are to be made.
| |
| i Section 5.1 discusses how analyses of operational events provide future users of ATHEANA with basic information on human and error-forcing context contributions in past operational experience.
| |
| Section 5.2 gives some insights from operational event analyses about operator performance and associated potential EFCs. Section 5.2 also provides some illustrative examples of UAs and EFCs taken from operational event analyses. Section 5.3 uses an operational event example to illustrate how the dependent effects of performance shaping factors and plant conditions can cause an ,
| |
| incorrect, initial situation assessment (or mindset) to persist.
| |
| 5.1 Hurnans and Error-Forcing Context Contributions in Past Operational Experience Event analyses discussed in Section 3.2.1 demonstrated that EFCs played significant roles in serious accidents in the nuclear power, as well as other industries. For instance, analyses of the TMI-2 accident revealed that plant conditions and negative PSFs created an EFC which eventually led to l
| |
| I unrecoverable human errors. The Crystal River 3 incident involved poor environmental factors and ergonomics and unfamiliar plant conditions and/or situations.
| |
| In TMI, the two plant conditions that contributed to the event were the preexisting misalignment of EFW valves and the stuck open relief valve. They combined with the negative PSFs, including the maintenance tag obstructing position indication for the EFW valve, misleading relief valve position indication, and lack of procedural guidance for the event-specific conditions. Operator training emphasized the dangers of " solid" plant conditions, causing operators to focus on the wrong problem. In the Crystal River 3 (CR3) event, the open spray valve and the associated misleading l position indication created an EFC. There was no procedural guidance to support the diagnosis and correction of a loss of RCS pressure control. In the Oconee 3 event, operators did not have position indication because the isolation valve (which ultimately created the drainpath) was " racked out" for stroke testing. Also, the erroneously installed blind flange was a temporary obstruction which remained ur. discovered despite several independent checks. However, the Salem I event involved
| |
| ! different contextual factors, principally the partial, erroneous SI signal which was generated by preexisting hardware problems and required the operators to manually align several valves. Also, there was no procedural guidance regarding appropriate actions in response to the SI train logic disagreement.
| |
| l NUREG-1624, Draft 5-2 1 - - - - _ _ - _ _ _ _ - - ________-
| |
| : 5. Operational Experience Illustrating ATilEANA Principles Analysis of these events reveals that situation assessment and situation model update were critical.
| |
| The analysis indicates that operators were quite good in discounting information which did not fit expectations. The discounting can result in incorrect situation assee.sment and prevent timely situation model updating. In TMI-2, operators did not recognize that the relief valve was open and that the reactor core was overheating and the situation model was not updated. In Crystal River 3, operators did not recognize that the pressurizer spray valve was open and causing the pressure t
| |
| 1 sient. The information contrary to this was discounted. In the Salem I event, operators failed
| |
| . recognize and anticipate the pressurizer overfill, steam generator pressure increases, and the rapid depressmization following steam generator safety valve openings. Finally, in Oconee 3, operators
| |
| , did not recognize that a drainpath to the sump existed until eyewitness reports were provided. These situation assessment and situation model updating problems involved either the sources of information (e.g., instrumentation) or their interpretation. In TMI-2, operators misread the relief valve drain pipe temperature indication twice, thus attributing the high in-core and RCS loop temperatures to f aulty instrumentation; they also were misled by the control room position for the relief valve. Also, some key indications were located on back panels and the computer printout of plant parameters ran more than 2 hours behind the event. In Crystal River 3, operators initially conjectured that the pressure transient was caused by RCS shrinkage. Unconnected plant indications, as well as the misleading spray valve position indication and (unsuccessful) cycling of the spray valve contrcl, wem taken as support of this hypothesis. In Oconee 3, operators suspected that decreasing reactor vessel level indication was as a result of faulty operation. Two sump high-level alarms were attributed to possible washdown operations. As noted above, field reports eventually convinced operators to believe their instrumentation.
| |
| 5.2 Analysis of Error-Forcing Context While the HFE definition specifies what consequences are experienced at the plant, system and component level, the definition of UA correlates with specific failure modes of systems and components, including the timing of failures (e.g., early temiination of ESF without recovery versus termination of ESF when needed). As described in Section 7, definitions of both HFE and UAs can be developed in a straightfonvard manner from the understanding of plant, system, and component success criteria (including timing), failure modes, plant behavior and dynamics, and accident sequence descriptions.
| |
| In contrast, relationships between a UA and a specific error-forcing context are very difficult to define and require the synthesis of psychological and " hardware" causes. (Recall that, as described in Section 3, several different EFCs can result in the same UA, as can different UAs result in the same HFE.) In order to establish relationships between a UA and EFCs, various EFCs and EFC elements should be analyzed to determine their impact on execution of UAs. It should be noted that although only two types of EFC elements, namely plant conditions and PSFs, are identified, these elements themselves can be very complicated.
| |
| The analyses of the events listed below provide examples of specific UAs and EFCs and links between them. Section 5.2.1 discusses important EFC elements which should be addressed by HRA/PRA. Section 5.2.2 lists PSFs which were important in events enalyzed in ATHEANA.
| |
| 5-3 NUREG-1624, Draft
| |
| : 5. Operational Experience illustrating ATilEANA Principles Analyses of three at-power events and two shutdown events provided the basis for these sections.
| |
| The two shutdown evems, Prairie Island 2 (2/20/92) and Oconee 3 (3/8/91), were selected because they had been previously analyzed in earlier phases of the project and were known to contain many examples of factors which adversely affected human performance. The three at-power events, Crystal River 3 (12/8/91), Dresden 2 (8/2/90), and Ft. Calhoun (7/3/92), were selected primarily as a result of their similarity to the small-break loss-of-coolant accident (SLOCA) scenario which was chosen for the trial application discussed in NUIEG/CR-6350 (Ref. 5.3). In panicular, both the Dresden 2 and Ft. Calhoun events were LOCAs and the key features of the Crystal River 3 event (e.g., decreasing reactor coolant system pressure, increasing RCS temperature, the need for high pressure injection) were similar to a SLOCA scenario. The event analyses provided in Appendix B provide further illustrations of ATHEANA principles and concepts.
| |
| 5.2.1 Error-Forcing Context and Unsafe Actions The five events identified above provided insights on UAs and EFC elements. This section will focus on how EFC elements (PSFs and plant conditions) impacted the four stages ofinformation processing described in Section 4. EFC elements were identified for each of the stages (i.e.,
| |
| detection, situation a;sessment, response planning, and response implementation). As stated in the introduction to Section 5, these categorizations differ from those given in Section 4 because they are based upon observable factors, while the psychological error mechanisms in Section 4 most often are not observable. In addition, some elements (especially PSFs) were identified as being important but appeared to generally impact human performance, probably influencing multiple stages in information processing.
| |
| For each information processing stage (except detection), categories of UAs are described in Tables 5.1 through 5.5. The descriptions are on the basis of the analyses of operational events. While a complete categorization scheme was not created (because it was dependent upon the events selected as examples), the categories shown in Tables 5.1 through 5.5 give some additional means for discriminating between the different ways in which humans have failed in particular information processing stages. To illustrate how such failures could occur, specific EFC elements from actual i
| |
| l events which created the context, or some part thereof, for each category of failure have been identified. The results show examples of these EFC elements which include problems with unusual plant conditions (e.g., high decay heat, N2 overpressure, instrumentation problems) and problems with PSFs (e.g., deficient procedures, training, communications, human-systems interface (HSI),
| |
| l l supervision, and organizational factors and time constraints). In many cases, the importance of plant l conditions was usually implied by the specific problems (e.g., instrumentation failed because of plant conditions, or procedural guidance not applicable to specific plant conditions).
| |
| Since there was more than one UA in most of the events analyzed, the different specific EFC elements used to illustrate one category of failure for one event may actually be associated with different unsafe actions. For example, in Table 5.2, the first two EFC elements identified from the Dresden 2 event which cause operators to develop a wrong situation model of the plant are associated with one UA, while the third and fourth EFC elements are associated with another UA.
| |
| NUREG-1624, Draft 5-4
| |
| : 5. Operational Experience Illustrating ATIIEANA Principles 5.2.1.1 Error-Forcing Context in Detection i
| |
| Potential failures in detection include the following:
| |
| . operators unaware of actual plant state e operators unaware of the severity of plant conditions a operators unaware of continued degradation in plant conditions Instrument failures are c cpected to be the predominate cause of detection failures. For example, reactor vessel (RV) level instrumentation failing high off-scale, and redundant RV level instrumentation readings requiring correction through hand calculations can cause operators to fail to detect abnormal RV level behaviors.
| |
| In general, problems in the detection of an accident or accident conditions are expected to be rare.
| |
| As shown in Table 5.1, only one (the Prairie Island 2 event) of the five events analyzed included detection problems. Because of the number of alarms and other indications typically available during at-power operations, the likelihood of operators not being aware of the fact that something is wrong and that sorre actions are needed is low.
| |
| For the Prairie Island 2 event, minimal indications were available since this event took place during shutdown operations during a drain down to mid-loop. As indicated by the contextual factors noted in Table 5.1, instrumentation problems (both failures and unreliability) and procedural deficiencies conspired to make it difficult for dmin down operators to detect that they were actually over draining the vessel. In addition, unusual plant conditions (especially the high N2overpressure) exacerbated the instrumentation and procedural problems.
| |
| 5.2.1.2 Error-Forcing Context in Situation Assessment A situation assessment failure can cause operators to develop wrong situation models of the plant state and plant behavior. As indicated in Table 5.2, instrumentation or interpretation problems are the predominant influences in situation assessment problems. Other factors can also contribute to situation assessment failures. For instance, human interventions with the plant and its equipment (either immediately before or during the event and with or without the knowledge of control room operators) can mask accident symptoms or cause them to be misinterpreted.
| |
| Table 5.2 illustrates possible causes for situation assessment problems, especially during the initial development of wrong situation models. In the Oconee 3 shutdown event, an undiscovered pre-accident human failure led to the draining of the RCS to the sump which occurred when the sump isolation valve was stroke-tested. The failure of a technician to communicate to the control room when he was starting to stroke the valve further distorted the operators' situation models of the plant's configuration. As shown by the third and fourth factors for the Dresden 2 event, the operators' lack of training and experience are the likely causes for their inability to predict how the plant behaved in response to their inappropriate " corrective" actions.
| |
| 5-5 NUREG-1624, Draft
| |
| : 5. Operational Experience Illustrating ATIIEANA Principles l
| |
| l Table 5.1 Examples of Detection Failures Detection failure Contestual Influences Event Operators unaware of (1) Reactor vessel (RV) level instrumentation failed high Prairie Island 2 actual plant state, its off-scale as a result of unusual plant conditions (i.e., (2/20/92), loss of RCS severity, and continued high N 2overpressure). inventory and shut-degradation in conditions. down cooling during (2) Redundant RV levelinstrumentation readings require shutdown.
| |
| correction through hand calculations (and are performed incorn:ctly).
| |
| (3) Procedures did not specifically address the high N2
| |
| ; overpressure which existed at the time of the event,
| |
| ) did not contain stop points in the draindown to allow static readings, did not specify the frequency oflevel readings, did not require that a log of time, tygon tube and calcula6ed level readings to be maintained (to establish level trends, etc.). did not specify the re-quired accuracy of calculations for correcting level readings for overpressure, did not adequately specify what instrumentation was required to be operable before the draindown, and did not describe how to control N 2overpressure or what the overpressure should be at various points during the draindown (some decreasing trend in overpressure was implied).
| |
| Wrong situation models can be strengthened by irrelevant information or the effects of(unknown) hardware failures. As shown by EFCs for the Crystal River 3, Dresden 2, and Ft. Calhoun events, wrong situation models are frequently developed as a result ofinstrumentation problems, especially undiscovered hardware failures. Instrumentation also plays an important role in confirming wrong .
| |
| situation models and rejecting information which is contrary to wrong situation models. Wrong situation models can persist in the face of contrary (and true) evidence. Once operators develop a situation model, they typically seek confirmatory evidence (Ref. 5.5). As shown in Table 5.2, when this model is wrong, several issues regarding confirmatory information arise and can further degrade human performance:
| |
| l
| |
| . mformation can be erroneous or misleading (e.g., field reports in the Crystal River 3 event) 1
| |
| . plant indicaters can be misinterpreted (e.g., sump alarms in the Oconee 3 event)
| |
| . plant or equipment behavior can be misunderstood (e.g., switch cycling in the Crystal River 3 event and SRV set point in the Dresden 2 event)
| |
| NUREG-1624, Draft 5-6
| |
| \ _ _ _ _ _ _ _ _ _ _
| |
| : 5. Operational Experience Illustrating ATHEANA Principics Table 5.2 Examples of Situation Assessment Failures Situation Assessment Failure Contextual Influences Event Operators develop wrong mental (1) Pressurizer (PRZR) spray valve position indication Crystal River 3 model (or cannot explain) plant inconsistent with actual valve position (because of (12/8/91), RCS state and behavior, pre-existing hardware failure and design). pressure transient during startup.
| |
| (2) No direct indication of PRZR spray flow provided.
| |
| (1) Safety relief valve position indicating lights show the Dresden 2 (8/2/90),
| |
| valve closed (although it has failed open). LOCA (stuck open reliefvalve).
| |
| (2) Operators generally unaware of generic industry problems involving Target Rock safety relief valves (e.g., spurious opening and tendency to stick open after actuation) until after the event occurred.
| |
| (3) Operators had no understanding of the effect of auxiliary steam loads on the reactor pressure vessel cooldown rate and of the effect of the combination of the open safety relief valve, auxiliary steam loads, and opening turbine bypass velves.
| |
| (4) Operators surprised by the rate ofincrease in torus temperature.
| |
| (1) Computer displays normally used for containment Ft. Calhoun (7/3/92),
| |
| temperature and RCS subcooling parameters were inverter failure malfunctioning and operators had difficulty obtaining followed by LOCA required information. (stuck open relief valve).
| |
| (1) Blind flange installed on wrong residual heat removal Oconee 3 (3/8/91),
| |
| (RHR) sump suction line despite two independent loss of RCS and shut-checks and one test. down cooling during shutdown.
| |
| (2) As a result of miscommunication, technician racked out then strokes RHR sump suction isolation valve (creating a drainpath from the RCS to the sump through the mistakenly open sump suction line) without telling control room operators.
| |
| 5-7 NUREG-1624, Draft
| |
| : 5. Operational Experience Illustrating ATilEANA Principles Table 5.2 Examples of Situation Assessment Failures (Cont'd.)
| |
| Situation Assessment Failure Contextual influences Event Operators unable to distinguish (1) Evolution in progress to increase reactor power (basis Crystal River 3 between results of their own for the erroneous conjecture that RCS over-cooling (12/8/91), RCS actions and accident progression. occurred). pressure transient during startup.
| |
| (2) Field operators report plant behavior associated with ~
| |
| the evolutions in progress (erroneously taken as confirmation of RCS over-cooling hypothesis).
| |
| (1) Operators were reducing power from 87 percent (723 Dresden 2 (8/2/90),
| |
| MWe) at a rate of 100 MWe per hour, a frequent LOCA (stuck open night shift evolution because of decreasing network reliefvalve).
| |
| load demand during the late night and early morning hours.*
| |
| Operators misinterpret (1) Erroneous report from technicians that one bank of Crystal River 3 information or are misled by PRZR heaters are at 0 percent power. (12/8/91), RCS wrong information, confirming pressure transient their wrong mental model. (2) Cycling of switch for PRZR spray valve does not during startup.
| |
| terminate the transient (because valve is broken).
| |
| (1) Reactor pressure vessel pressure is less than the Dresden 2 (8/2/90),
| |
| safety relief valve (SRV) setpoint (coupled with LOCA (stuck open position indicating lights showing the SRV to be reliefvalve).
| |
| closed)."
| |
| (1) liigh-level alarm from reactor building normal sump Oconee 3 (3/8/91),
| |
| (interpreted as being the result of washdown loss of RCS and shut-operations). down cooling during shutdown.
| |
| Operators reject evidence which (1) Strip chart recorders show PRZR level increasing Crystal River 3 contradicts their wrong mental (which is inconsistent with RCS over-cooling and (12/8/91), RCS model, associated inventory shrinkage) but are not pressure transient monitored. during startup.
| |
| (2) Recollection of information passed during shift turnover concerning a problem with PRZR spray valve indication (discounted because of unsuccessful valve cycling).
| |
| In the Dresden event, the evolution in progress did not appear to play an important role in the operators' ability to perform, although it probably did trigger the spurious safety relief valve opening that started the event.
| |
| In the Dresden event, the wrong situation assessment regarding the SRV was temporary - within about I minute after actuation of the back panel annunciator, the shift control room engineer decides that the SRV must be open, and continues on a course of action associated with that correct situation assessment.
| |
| NUREG-1624, Draft 5-8
| |
| : 5. Operational Experience Illustrating ATilEANA Principles l
| |
| Table 5.2 Examples of Situation Assessment Failures (Cont'd.)
| |
| Situation Assessment Failure Contextual Influenees Event (1) Indication of increased SRV tailpipe temperature Dresden 2 (8/2/90),
| |
| (310*F)." LOCA (stuck open relief valve).
| |
| (2) Back panel acoustic monitor shows red "open" light."
| |
| Operators reject evidence which (1) Reactor vessel (RV) level reading at 20 in. and Oconee 3 (3/8/91),
| |
| contradicts their wrong mental decreasing. (Erroneous operation of the RV wide loss of RCS and shut-model (cont'd.). range level transmitter suspected.)* down cooling during shutdown.
| |
| (2) Health physics technician in reactor building verifies reduction in RV level and increasing radiation, (3) Operating low pressure injection (LPI) pump A current fluctuating downward. (Pump was stopped and isolation valves to borated water storage tank suction line were opened to provide injection to RCS.)
| |
| (4) Evidence that RCS was not being filled and health physics technician notifies control room that there is 6-12 in. of water on the floor near the emergency sump in the reactor building."
| |
| Furthermore, operators often develop rational but wrong explanations for discounting evidence which is contrary to their wrong situation model. Table 5.2 provides some examples of such
| |
| " rational" explanations for discounting or failing to recognize information which could lead to a more appropriate situation model of the plant state and behavior. Those " rational" explanations can result from indications that are not monitored (e.g., Crystal River 3), undiscovered hardware failures (e.g., Crystal River 3), and erroneous hypotheses that indications are not operating correctly (e.g.,
| |
| Oconee 3). Operators also tend to misinterpret indications of actual plant behavior consistently with their wrong situation model, for example, confusing the effects of concurrent activities or the delayed effects of previous actions, with actual plant behavior (e.g., Crystal River 3 and Dresden 2).
| |
| 5.2.1.3 Error-Forcing Context in Response Planning Failures in response planning result when operators fail to select or develop the correct actions required by the accident scenario. Major contributors in response planning failures, in addition to
| |
| *This information, probably combined with previous evidence, ultimately caused operators to change their situation assessment to the correct one.
| |
| "In the Dresden event, the wrong situation assessment regarding the SRV was temporary - within about I minute after actuation of the back panel annunciator, the shift control room engineer decides that the SRV must be open, and continues on a course of action associated with that correct situation assessment.
| |
| 5-9 NUREG-1624, Draft
| |
| | |
| l
| |
| : 5. Operational Experience Illustrating ATHEANA Principles wrong situation model, are procedure deficiencies and poor training. Past experience has shown that five categories of response planning problems could occur and are shov.n in Table 5.3:
| |
| (1) operators selected non-applicable plans j
| |
| (2) operators follow prepared plans which are wrong or incomplete (3) operators do not follow prepared plans (4) prepared plans do not exist so operators rely upon knowledge-based behavior (5) operators inappropriately give priority to one plant function over another The first category is illustrated by the unusual plant conditions (e.g., high N2 overpressure) in the Prairie Island 2 event. The Ft. Calhoun event illustrates the procedural deficiencies r oresented by the second category. Three different deficiencies were revealed in this event, possibly all the result of a recent revision to plant procedures. The Crystal River 3 event illustrates the third category, in which the operators' search for the cause of the RCS pressure transient was directed by their erroneous situation assessment, thereby excluding procedural guidance which could have terminated the event sooner. Operators also inappropriately used procedural steps (intended for shutdown) for bypassing emergency safeguards features actuation system (ESFAS) and automatic actuation of HPI.
| |
| The justification for this bypass was that it was reversible and the set point was set conservatively (i.e., operators had a little more time to reverse the decreasing RCS pressure). The fourth category of response planning problems is illustrated in the Dresden 2 event in which both procedural and training deficiericies caused operators to have difficulty responding to a simpler event (i.e., transient with successful reactor trip and stuck open relief valve) than the event addressed by procedures and training (i.e., anticipated transient without scram (ATWS) with a stuck open relief valve). The last category of respotise planning problems, as shown in Table 5.3, is illustrated by two events (1)
| |
| Crystal River 3 and (2) Dresden 2. In the Crystal River 3 event, operators terminated HPI (without procedural guidance) too early because of concerns that the pressurizer would be filled " solid." In the Dresden 2 event, operators caused an excessive cooldown rate as a result of their misplaced concems about rising torus temperature, as a result of a lack of procedural guidance and their lack of experience and training.
| |
| 5.2.1.4 Error-Forcing Context in Response Implementation The major contributors to response implementation failures are PSFs, although plant conditions also can irppact an operator's general performance. Table 5.4 shows three categories of response implementation problems identified in analyzed events.
| |
| (1) important procedure steps are missed (2) miscommunication (3) equipment failures hinder operators' ability to respond The Crystal River 3, Dresden 2, and Ft. Calhoun events illustrate each of these problems, respectively. In the Crystal River 3 event, operators transitioned from one procedure to another before completion of the section that would have directed them to take actions which would have terminated the event. However, operators are trained to know that it is good practice to check all remaining sections of a procedure for relevant steps before transferring to another. In the Dresden 2 event, supervisors gave vague directions to board operators who, in tum, took actions which were not appropriate. Finally, operators in the Ft. Calhoun event were hindered by hardware failures and design features which made it difficult to perform the appropriate response actions.
| |
| NUREG-1624, Draft 5-10
| |
| : 5. Operational Experience Illustrating ATHEANA Principles Table 5.3 Examples of Response Planning Failures Response Planning Failure Contextual Influences Event l
| |
| Operators follow prepared plans (1) Draindown procedure assumed a lower N 2 Prairie Island 2 (e.g., procedures), but these overpressure; therefore, RV level conversion (2/20/92), loss of plans direct operators to take calculations, time for draindown, etc., were different RCS inventory and actions which are inappropriate than assumed in procedure. shutdown cooling for specific situation. during shutdown.
| |
| Operators follow prepared plans (1) Procedure deficiency, resulting from recent Ft. Calhoun (e.g., procedures), but these procedures revisions, regarding the re-start of reactor (7/3/92), inverter plans are wrong and/or incom- coolant pumps (RCPs) without offsite power. failure followed by plete (resulting in inappropriate (Wrong actions not taken because operator's prior LOCA (stuck open actions). knowledge and experience.) reliefvalve).
| |
| (2) Procedure does not contain sufficient detail regarding the tripping of condensate pumps - results in complete loss ofcondensate flow.
| |
| (3) Early in event, procedures directed operators to close pilot-operated relief valve (PORV) block valves in series, making the PORVs unavailable as relief protection. (Later, during plant cooldown, operators recognize situation and re-open block valves.)
| |
| Operators do not explicitly use (1) Search for cause of pressure transient is on the basis Crystal River 3 prepared plans (e.g., proce- of a wrong situation assessment and open PRZR (12/8/91), RCS dures) c.nd take actions which spray valve is not discovered. pressure transient are inappropriate. during startup, (2) Operators increase reactor power (more than once) without understanding the cause of RCS pressure transient.
| |
| (3) Operators bypass ESFAS and HPI for 6 minutes without understanding cause of RCS pressure transient and without prior approval (i.e.,
| |
| acknowledgment) from supervisors.
| |
| 5-11 NUREG-1624, Draft
| |
| | |
| 5.~ Operational Experience Illustrating ATHEANA Principles Table 5.3 Examples of Response Planning Failures (Cont'd.)
| |
| l Response Planning Failure Contextual influences Event !
| |
| (1) Abnormal operating procedure for relief valve failure Dresden 2 (8/2/90),
| |
| Operators forced into knowl- LOCA (stuck open edge-based (wrong) actions be- did not contain some of the symptoms for this type of cause prepared plans (e.g., event (e.g., decrease in MWe, steam flow / feed flow reliefvalve).
| |
| procedures) are incomplete or mismatch, decrease in steam flow, difficulties in do not exist. maintaining the i psi differential pressure between drywell and the torus).
| |
| (2) Emergency - operating procedures for primary I
| |
| {
| |
| contamment control and reactor control do not '
| |
| provide guidance for pressure control with one stuck open reh:f valve.
| |
| (3) Classroom and simulator training typically used stuck open relief valve as the initiating event for an A'IWS. Operators had not been trained for simpler event which occurred (i.e., stuck open safety relief )
| |
| valve followed by successful scram).
| |
| Operators give priority to one (1) Operators terminate HPI (without procedural Crystal River 3 )
| |
| accident response goal (or . guidance) because of concerns regarding filling the (12/8/91), RCS j safety function) at the expense PRZR and lifting safety valves, but RCS pressure at pressure transient of another or disregard the termination and the continued decreasing pressure during startup.
| |
| importance of the safety func- trend was not adequate for maintaining sub-cooling tion, margin (and HPl had to be tumed on again).
| |
| (1)Because of inexperience, lack of training and Dresden 2 (8/2/90),
| |
| procedural guidance, the shift engineer overreacts to LOCA (stuck open rising torus temperature and opens turbine bypass reliefvalve).
| |
| valves to reduce heat load, resulting in an unnecessary challenge to the reactor pressure vessel
| |
| .(RPV) pressure control safety function (i.e.,
| |
| excessive cooldown rate).
| |
| (2) Operators were generally unconcemed with the RPV cooldown rate because they assumed the technical specificatim cooldown rate limit would have been exceeded anyway.
| |
| NUREG-1624, Draft 5-12
| |
| : 5. Operational Experience Illustrating ATHEANA Principles Table 5.4 Examples of Response Implementation Failures l
| |
| i
| |
| | |
| ===Response===
| |
| l Implementation Failure Contextual Influences Event Operators do not check all (1) Operators exit abnormal response procedure because SI Crystal River 3 i
| |
| applicable sections of termination criteria were met, so they miss the procedural (12/8/91), RCS procedure before exiting - directions for closing the isolation valve for the (failed) pressure transient results in o.nission of open PRZR spray valve. during startup.
| |
| important actions.
| |
| Miscommunication results (1) Suppression pool cooling was not irCially maximized, as Dresden 2 (8/2/90),
| |
| i in inappropriate or less than required by procedure. LOCA (stuck open optimal actions. reliefvalve).
| |
| (2) Operator was not given specific instructions as to the number of turbine bypass valves to be opened, the l desired pressure at which the valves should be closed, or I
| |
| the desired rate of depressurization.
| |
| Equipment problems hinder (1) Failure of the safety valve created LOCA from the PRZR Ft. Calhoun operators' ability to respond that could not be isolated. (7/3/92), inverter l to event. failure followed by (2) Control of HPl during event was hindered by the fact that LOCA (stuck open l
| |
| the relevant valve controls were located on a panel 8-10 reliefvalve).
| |
| i feet away from the panel with the HPI flow and pressure indications. Hence, two operators were required, one at each panel, in order to perform appropriate HPI control actions.
| |
| : l. (3) HPI valves were not designed as throttle valves, making it difficult to control flow and creating the need for monitoring HPI flow and pressure.
| |
| 5.2.2 Performance Shaping Factors From the events analyses carried out above, it is evident that plant conditions played significant roles in all events. In addition, negative PSFs contributed to deteriorated human performance. As l
| |
| discussed in Section 5.1, poor environmental factors and ergonomics, unfamiliar plant conditions i and/or situations, and inexperience, impacted operator performance. The list below represents PSFs that have negatively influenced operator performance in the five events that were previously discussed. Table 5.5 elaborates on this list of PSFs, and also provides the more traditional PSF terms.
| |
| . (1) human performance capabilities at a low point (2) time constraints (3) excessive workload
| |
| .(4) unfamiliar plant conditions and/or situation (5) inexperience l (6) non-optimal use of human resources (7) environmental factors and ergonomics 5-13 NUREG-1624, Draft l
| |
| u __ _ _ __ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| | |
| 1
| |
| : 5. Operational Experience lilustrating ATHEANA Principles In some of the analyzed events, PSFs had an important impact on human performance, particularly in relation to the plant conditions at the time of the events (e.g., excessive workload and poor use of human resources in Dresden 2, inexperience and "new" unfamiliar conditions in Prairie Island 2).
| |
| In other events, it is not clear that the factors shown in Table 5.5 strongly influenced the outcome of the events. Though the likelihood of PSFs trigger human error by themselves is very low, this table illustrates that such factors can distract operators from critical tasks or drastically hinder or inhibit their ability to perform.
| |
| 5.2.3 Important Lessons from Events Analyses From event analyses, such as those documented in Appendix B and the excerpts given in Tables 5.1 through 5.5, some overall operational experience insights were developed and documented in Tables 5.6 and 5.7.
| |
| Table 5.6 is a list of characteristics that were commonly found in the serious accidents and event precursors reviewed using the ATHEANA perspective - both nnclear and non-nuclear. This list can be used as a kind of template in the ATHEANA search for unsafe actions and associated error-forcing contexts.
| |
| Table 5.7 is a list ofimportant aspects of real operational events which are typically overlooked or dismissed in current PRAs. This list, in addition to being "blindspots" in PRAs, also can be used to identify operational situations that are potentially troublesome to operators.
| |
| Together, the two tables provide lessons leamed that can be used to give a broader perspective in the ATHEANA search for unsafe actions and associated error-forcing contexts. The lessons leamed provided by these two tables were important in developing the guidance given in the next section.
| |
| Most important, however, is their usefulness in overcoming the mindset pervading current HRAs.
| |
| Even amongst the ATHEANA development team, these lessons, representing the evidence from past operational events, were an effective counter to the (apparently well-trained) tendency to argue "that can't happen!"
| |
| . Both tables of lessons leamed also highlight the importance of correct instrument display and interpretation in operator performances. Two of the characteristics listed in Table 5.6 are directly related to instrumentation problems. The first six factors shown in Table 5.7 are all related to instrumentation problems and how such problems can impact operators and their situation
| |
| . assessment. This observation conforms with the theoretical consideration that the situation assessment and situation model updating are critical phases ofinformation processing. Table 5.7 also includes factors important to response planning and response implementation. Other factors in Table 5.7 are related to the creation of unusual plant conditions which can cause plant equipment to fail, creating additional tasks for operators, and otherwise hindering the operators' ability to respond to an accident.
| |
| NUREG-1624, Draft 5-14
| |
| : 5. Operational Experience Illustrating ATHEANA Principles 1
| |
| Table 5.5 Examples of PSFs on Cognitive and Physical Abilities
| |
| ; [ PSF
| |
| * Contextual Influences Event Human performance (1) Significant actions during the event took place Crystal River 3 (12/8/91), RCS capabilities at a low between 3:00 a.m. and 4:00 a.m. (Effect of duty pressure transient during star-point. (Environ- rhythm is expected to impact cognitive capabilities tup.
| |
| mental conditions) more than skill- or rule-based activities.)
| |
| (1) Event occurred at 1:05 a.m. Dresden 2 (8/2/90), LOCA (stuck open relief valve).
| |
| (1) Event occurred at 11:35 p.m. Ft. Calhoun (7/3/92), inverter failure followed by LOCA (2) Event occurred at the beginning of the shift, when (stuck open relief valve).
| |
| awareness is typically high.**
| |
| (1) Event occurred at i1:10 p.m. Prairie Island 2 (2/20/92), loss of RCS inventory and shut-down cooling during shutdown.
| |
| Human performance (1) Plant dyne:?ics provided limited time (i.e.,18 Crystal River 3 (12/8/91), RCS negatively impacted minutes between detection ofRCS pressure decrease pressure transient during star-by time constraints. and reactor trip) for investigation, analysis, and tup.
| |
| (Stress) decision-making.
| |
| Aspect of the plant or (1) First time electronic reactor vessel level instru- Prairie Island 2 (2/20/92), loss its operation is "new" mentation was used - its operation and design are of RCS inventory and shut-and unfamiliar to not understood. down cooling during shutdown.
| |
| operators. (Training)
| |
| (2) First time draindown was performed with such a high N2overpressure.
| |
| (3) First time draindown was performed without experienced SE to support draindown operators.
| |
| (4) Decay heat high (~6 MW) because only 2 days after shutdown.
| |
| Operators inexperi- (1) Operators relatively inexperienced in responding to Crystal River 3 (12/8/91), RCS enced (T;aining, unplanned transients (and may need closer pressure transient during star.
| |
| Procedure) supervision of their interpretation of transients, tup.
| |
| increasing reactor power, use of bypass controls, and use of procedures).
| |
| (1) Operators and assisting system engineer performing Prairie Island 2 (2/20/92), loss draindown were inexperienced. of RCS inventory and shutdown cooling during shutdown.
| |
| The term in parathesis is the more traditional PSF.
| |
| ** Positive, rather than negative, factor in event and on operators' response.
| |
| 5-15 NUREG-1624, Draft
| |
| : 5. Operational Experience Illustrating ATHEANA Principles Table 5.5 Examples of PSFs on Cognitive and Physical Abilities (Cont'd)
| |
| Contentual Influences Event PSF (1) The shift control room engineer (SCRE) was Dresden 2 (8/2/90), LOCA Excessive workload (stuck open relief valve).
| |
| interferes with oper- completely occupied with filling out event notifi-ators ability to per- cation forms and making the required notifications form. ' (Organi- to state and local officials and the NRC.
| |
| zationalfactors) Consequently, the SCRE was not able to perform his shiA technical advisor (STA) function of oversight, advice, and assistance to the shift engineer (SE) and, potentially, rt suited in some loss of continuity in control room supervision's familiarity with the event circumstances.
| |
| (2) The ability of the SE to function as emergency director in response to the event was impaired because he was diverted by the need to direct plant operators. (if the plant foremen had remained in the control room, they couM have performed t hese
| |
| ~
| |
| activities. See " resources below.)
| |
| (1) In addition to problems directly related to the Ft. Calhoun (7/3/92), inverter initiator and stuck open relief valve, operators failure followed by LOCA experienced problems in plant support systems (e.g., (stuck open reliefvalve).
| |
| fire (false) alarms in two areas of the plants, running air compressor shutdown, toxic gas alarms shifted control room ventilation, turbine plant cooling water flow gauge ruptured and caused minor local flood-ing, PRZR heaters developed grounds as a result of the LOCA in the containment, temporary total loss of condensate flow when pumps tripped on SI signal, component cooling water - to RCPs temporarily isolated when CCW pumps were sequenced) during the early stages of the event.*
| |
| (1) System engineer assigned to assist in draindown also Prairie Island 2 (2/20/92), loss had the responsibility of functionally testing the new of RCS inventory and shut-electronic level instrumentation (probably why he down cooling during shutdown.
| |
| left control room during draindown to investigate potential problems with this instrumentation),
| |
| leaving inexperienced operators without support.
| |
| * Although each of the support system problems required additional operator attention and time, operators appeared to be able to overcome or compensate for these distractions in this event.
| |
| NUREG-1624, Draft 5-16
| |
| : 5. Operational Experienee litustrating ATHEANA Principles Table 5.5 Examples of PSFs on Cognitive and Physical Abilities (Cont'd)
| |
| PSF Contextual Influences Event Non-optimal use of (1) When the SE arrives in the control room, he relieves Dresden 2 (t/2/90), LOCA human resources. the SCRE, who was in the control room when the (stuck open relief valve).
| |
| (Organizational SRV opened and who diagnosed the open SRV, so factors) that the SCRE can fulfill the STA role. After this change of duties, the SCRE was completely occupied with other activities (see " workload" above) so he was not able to perform bis STA func- I I
| |
| tion of oversight, advice, and assistance to the SE and, potentially, resulted in some loss of continuity in the control room supervision's familiarity with the event circumstances.
| |
| l (2) Both shift foremen, for Units 1 and 2, were sent into the plant to perform local valve manipulations an'd other activities and, therefore, were not available to review, assess, and evaluate response to the event.
| |
| Both foremen were in the control room when the SRV opened. (Shift clerks or equipment operators could have performed the activities assigned to the shift foremen.)
| |
| (1) Normal control room operating crew and Prairie Island 2 (2/20/92), loss supervisors were busy with duties related to outage of RCS inventory and so (inexperienced) draindown operators received shutdown cooling during only occasional supervision which also did not shutdown.
| |
| increase to compensate for the absence of the system engmeer.
| |
| Environmental fac- (1) Poor lighting in the area of the tygon tube made Prairie Island 2 (2/20/92), loss tors interfere with taking readings difficult. of RCS inventory and operators ability to shutdown cooling during perform. (Human. (2) Because of view obstructions, it was difficult to take shutdown.
| |
| system interface) tygon tube readings from the local observation position level.
| |
| 5-17 NUREG 1624, Draft
| |
| : 5. Operational Experience Illustrating ATHEANA Principles Table 5.6 Characteristics of Serious Accidents and Event Precursors Characteristic Example Seasonal grass intrusions in Salem I event, earth-(1) Extreme and/or unusual conditions quakes, unusual plant configurations, high nitrogen pressure during shutdown at Prairie Island 2.
| |
| (2) Pre-existing conditions that complicate response, Failed auxiliary feedwater (AFW) system in TMI-2, instruments miscalibrated, etc.
| |
| diagnosis, etc.
| |
| (3) Misleading or wrong information PORV position indication in TMI-2, typgon tubes with high nitrogen pressure in Prairie Island 2 shutdown event, temporary and wrong labels in Oconee 3 event.
| |
| Core exit thermal couples in TMI-2, sump level (4) Information rejected or ignored alarms in Oconee 3 shutdown event, multiple evolutions whose effects cannot be separated).
| |
| Davis Besse loss of feedwater event, TMI-2).
| |
| l (5) Multiple hardware failures Prairie Island 2 shutdown event - draining down; (6) Transitions in progress Crystal River 3 - startup).
| |
| (7) Symptoms similar to frequent and/or salient Symptoms of going " solid"in TMI-2).
| |
| events NUREG-1624, Draft 5-18
| |
| . _ _ _ - _ _ _ _ _ _ _ _ _ ~
| |
| | |
| t l
| |
| l
| |
| : 5. Operational Experience litustrating ATHEANA Prlaciples Table 5.7 Factors Not Nonnally Considered in PRAs Factors Examples
| |
| + indication is high, low, lagging, stuck or (1) Instrumentation fails (or is caused to be failed) and failsin many ways miscalibrated
| |
| + pre-accident failures (human and hardware-caused)
| |
| + unavailable because of maintenance, testing, etc.
| |
| . does not exist (2) Instrumentation problems that cause operators to + recent or persistent history of reliability /
| |
| not use them availability problems
| |
| - inconsistent with other indications and/or initial operator diagnosis of plant status and behavior
| |
| - lack of redundant instrumentation to confirm information
| |
| . not conveniently located
| |
| . redundant, backup indication which is not
| |
| ; typically used 1
| |
| (3) The instrumentation used by operators is not
| |
| * multiple, alternate (although, perhaps, not necessarily all that is available to them or what equivalent) front panel indications (but one designers expect them to use. indicator may be preferred or more typically used by operators) (Crystal River 3 (12/8/91) - strip chart recorders ignored)
| |
| . redundant or alternate indicators available on back panels (but their use is perceived as inconvenient or unnecessary) (Dresden 2 (8/2/90)
| |
| - back panel acoustic monitor) e indicators used outside their operating ranges (e.g., reactor vessel level indications during mid-loop operations at shutdown (Prairie Island 2 (2/20/92))
| |
| (4) Operators typically will believe valve position
| |
| * PORV fails open (as indicated by tailpipe indicators in spite of contradictory indications. temperature indications), while valve position indicator showing valve as shut (Crystal River 3 (12/8/91); Dresden 2 (8/2/90))
| |
| . RCS drain path through an open RHR valve (that was being locally stroke-tested) during shutdown (Oconee 3,(3/8/91))
| |
| (5) Operators can misunderstand how Instruments-
| |
| * misunderstand the location of a sensor or what is tion & Control (l&C) systems work resulting in sensed (e.g., valve stem position versus erroneous explanations for their operation and controller position).
| |
| indication. . misunderstand how what is sensed is translated into an instrument reading (e.g., RVLIS system, PR 7R nr =mre le nnt "real" remile an alenrieken)
| |
| ?
| |
| 5-19 NUREG-1624, Draft
| |
| : 5. Operational Experience Illustrating ATIIEANA Principles Table 5.7 Factors Not Normally Considered in PRAs (Cont.)
| |
| Factors Examples (6) A history of false / spurious / automatic actions will a previous spurious reactor water cleanup result in operator " conditioning" to expect these (RCWU) system isolations in LaSalle 2 events (especially when reinforced by management directives); thereby overriding the (4/20/92) and a manaEement directive formal diagnosis required for a "real" event. regardm.g such isolations lead to an erroneous bypass of automatic RCWU isolation a spurious main feedwater pump trips in Davis Besse loss of feedwater resulted in MFW being in manual control at the time of reactor trip (7) One plausible explanation can create a " group
| |
| * belief that RCS overcooling was the mindset" for an operating crew. cause of the pressure transient in Crystal River 3 (which involved a 6 minute bypass of automatic HPI start) when an stuck open PRZ spray valve was the actual cause (8) Operators will persist in the recovery of failed + the alternatives have negative consequences systems a recovery is imminent (in the operators' opinion) they were the cause of the system failure (i.e.,
| |
| recoverable failure)
| |
| (9) The recovery of" slips" may be complicated + Align unexpected I&C re-setting difficulties (problems starting AFW in the Davis-Besse loss of feedwater event)
| |
| (10) Management decisions regarding plant + scheduling of maintenance and testing activities configurations can result in defeated plant
| |
| * on-line corrective maintenance and entering defenses and additional burdens on operators Limiting Condition for Operation (LCO) state-ments in technical specifications
| |
| +
| |
| special configurations or exceptions from Technical Specifications to address persistent hardware problems (11) Multi-train (or "all-train") mair.tenance has been tierformed.
| |
| (12) Systems do not always fail at t=0 in accident sequence (i.e., simultaneous with initiating event)
| |
| (13) Systems and components are not truly binary + They can experience a range of degraded state conditions between optimal performance and entxtrnnhic fnihire I
| |
| l NUREG-1624, Draft 5-20
| |
| : 5. Operational Experience lilustrating ATHEANA Principles Table 5.7 Factors Not Normally Considered in PRAs Factors Examples (1) Instrumentation fails (or is caused to be failed)
| |
| - indication is high, low, lagging, stuck or and fails in many ways miscalibrated
| |
| . pre-accident failures (human and hardware-caused)
| |
| . unavailable because of maintenance, testing, etc.
| |
| . does not exist (2) Instrumentation problems that cause operators to . recent or persistent history of reliability /
| |
| not use them availability problems
| |
| . inconsistent with other indications and/or initial operator diagnosis of plant status and behavior
| |
| . lack of redundant instrumentation to confirm information
| |
| . not conveniently located
| |
| . redundant, backup indication which is not typically used (3) The instrumentation used by operators is not . multiple, alternate (although, perhaps, not necessarily all that is available to them or what equivalent) front panel indications (but one designers expect them to use. indicator may be preferred or more typically used by operators) (Crystal River 3 (12/8/91) - strip chait recorders ignored)
| |
| . redundant or alternate indicators available on back panels (but their use is perceived as inconvenient or unnecessary) (Dresden 2 (8/2/90)
| |
| - back panel acoustic monitor)
| |
| . indicators used outside their operating ranges (e.g., reactor vessel level indications during mid-loop operations at shutdown (Prairie Island 2
| |
| , 2/20/92))
| |
| (
| |
| (4) Operators typically will believe valve position . IGRV fails open (as indicated by tailpipe indicators in spite of contradictory indications. temperature indications), while valve position indicator showing valve as shut (Crystal River 3 (12/8/91); Dresden 2 (8/2/90)) ,
| |
| I
| |
| . RCS drain path through an open RHR valve (that was being locally stroke-tested) during shutdown (Oconee 3,(3/8/91))
| |
| (5) Operators can misunderstand how Instruments- . misunderstand the location of a sensor or what is tion & Control (l&C) systems work resulting in sensed (e.g., valve stem position versus erroneous explanations for their operation and controller position) indication. . misunderstand how what is sensed is translated into an instrument reading (e.g., RVLIS system, PR7R nrecmre it nnt "real"- reallv an alonrithm) i i
| |
| I 5-19 NUREG-1624, Draft L_____-___-__________--_-.
| |
| | |
| I
| |
| : 5. Operational Esperience lilustrating ATHEANA Principles i
| |
| Table 5.7 Factors Not Normally Considered in PRAs (Cont.) J
| |
| \
| |
| Factors Examples (6) A history of false / spurious / automatic actions will
| |
| * previous spurious reactor water cleanup result in operator " conditioning" to expect these (RCWU) system isolations in LaSalle 2 events (especially when reinforced by (4/20/92) and a management directive management directives); thereby overriding the . .
| |
| formal diagnosis required for a "real" ever.t.
| |
| regarding such tsolations lead to an erroneous bypass of automatic RCWU isolation
| |
| * spurious main feedwater pump trips in Davis Besse loss of feedwater resulted in MFW being in manual control at the time of reactor trip (7) One plausible explanation can create a " group -* belief that RCS overcooling was the mindset" for an operating crew. cause of the pressure transient in Crystal River 3 (which involved a 6 minute bypass of automatic HPI start) when an stuck open PRZ spray valve was the actual cause (8) Operators will persist in' the recovery of failed - the alternatives have negative consequences systems
| |
| * recovery is imminent (in the operators' opinion)
| |
| + they were the cause of the system failure (i.e.,
| |
| recoverable failure)
| |
| (9) The recovery of" slips" may be complicated
| |
| * Align unexpected I&C re-setting difficulties (problems starting AFW in the Davis-Besse loss of feedwater event)
| |
| (10) Management decisions regarding plant - scheduling of maintenance and testing activities configurations can result in defeated plant + on-line corrective maintenance and entering defenses and additional burdens on operators Limiting Condition for Operation (LCO) state-ments in technical specifications a special configurations or exceptions from Technical Specifications to address persistent hardware problems (11) Multi-train (or "all-train") maintenance has been performed.
| |
| (12) Systems do not always fail at t=0 in accident sequence (i.e., simultaneous with initiating event)
| |
| (13) Systems and components are not truly binary
| |
| * They can experience a range of degraded state conditions between optimal performance and catmetrnnhic failure NUREG-1624, Draft 5-20
| |
| | |
| l S. Operational Experience Illustrating ATHEANA Principles !
| |
| fable 5.7 Factors Not Normally Considered in PRAs (Cont.)
| |
| Factors Examples (14) Pre-existing, plant-specific operational . history of spurious high steam flow signals due to quirks can be important in specific accident design problem (causing spurious Si signals)-
| |
| sequences. Salem I (4/7/94)
| |
| > recent history of spurious main feedwater pump trips so feedwater was controlled manually at time l of trip (Davis Besse (6/9/85)
| |
| (15) " Sneak circuits" can exist.
| |
| (16) Selective tripping failures are possible.
| |
| (17) Dependencies can occur across systems (as well as within systems).
| |
| (18) Plant power at the time of trip may be < 100 percent.
| |
| (19) Technical specification requirements
| |
| * May not be met at the time of plant trip.
| |
| (20) The specific, detailed causes ofinitiating events (especially those caused by humans) can be important to accident response.
| |
| 5.3 An Operational Event Example Illustrating Dependency Effects
| |
| 'Ihe impact of complicating plant conditions and performance shaping factors on operator situation assessment and, hence, performance can best be appreciated by example. An event sequence that occurred at Oconee 3 during a shutdown period in 1991 (Ref. 5.6) has been selected because it is fairly simple to describe and understand and because the diagnosis log for this event provides striking illustration that a powerful amount of contrary evidence is required to break through a strong mindset because of a mistaken situation model. Figure 5.1 shows the decay heat removal system at Oconee 3. In preparation for testing of low-pressure injection sump suction valve 3LP-19, a maintenance technician set out to install a blank flange on line LP-19. By mistake, the blank was installed on line LP-20. Some two weeks later, an operator was sent to perform an independent check that the blank flange was properly installed. He reported that it was. At that time, a reactor operator and an I&C technician were authorized to perform the test. Because the flange was installed on the wrong line, stroking the valve initiated a loss of coolant. A significant amount of time was required to identify the source ofleakage. Many alternatives were investigated before it was recognized that stroking the valve 3LP-19 opened a path to the sump.
| |
| l Figure 5.2 (a,b,c) provides an analysis of this event using the HSECS format and coding scheme (see Ref. 5.4). The first sheet,5.2a, summarizes plant conditions before and during the event sequence.
| |
| Sheet 5.2b analyzes the three UAs and the recovery act in terms of the performance shaping factors affecting each act. Finally, sheet 5.2c describes the dependencies among the four acts. These 5-21 NUREG-1624, Draft
| |
| : 5. Operational Esperience Illustrating ATHEANA Principles dependencies explain why the diagnosis log (sheet 5.2c) can show that apparently six different cues could be ignored, before the seventh cue finally forced the operators to investigate the test as the source of the problem. When an HRA analyst considers the separate cues as independent, they cannot help but conclude that failure is nearly impossible. However, recognizing the dependency among elements of evidence, failure remains a distinct possibility.
| |
| NUREG-1624, Draft 5-22
| |
| | |
| l
| |
| : 5. Operational Experience Illustrating ATHEANA Principles j l
| |
| * Domc Hot 3LP-1 3LP-2
| |
| -3 D v v v., -
| |
| E k To RV ST -D4- -
| |
| fa v n Epx 1
| |
| r, o ,d r, 8
| |
| "~"
| |
| mb w = @@
| |
| n b 'l- F'# -
| |
| W r1 3LP-20 3IPls Figure 5.1 Oconee 3 Loss of Cooling
| |
| ; 5-23 NUREG-1624, Draft l
| |
| w--_____-___
| |
| : 5. Operational Experience lilustrating ATHEANA Principles Plant Name Oconce 3 Event Date: 3/8/91 Event Tvpt: Loss ofRCSinventory Event Time: 08:48 Secnadary Event: Loss o/SDC Plant Type: PWR/
| |
| Description Loss ofdecay heat removalfor ~ l8 min. because ofa loss ofRCSinventory via drainpath to emergency sump created by combination ofblackfange installed on wrong line and isolation valve stroke testing.
| |
| INITIAL CONDITIONS ACCIDENT CONDITIONS Other Unit Status Other Unit Status:
| |
| BCS Conditions- RCS Conditions Power: Colds /D Power: Colds'D Temperature (*F): 94 Temperature (*F): 117 Pressure: (headog) Pressure: (head off)
| |
| RV Level: 12p. above core (76 in. on wide RV RV Level: 4p. above core wide range leveltransmitter)
| |
| Other: Other:
| |
| * Loss of 9.700 gal. ofRCS Plant Conditions Plant Conditions-
| |
| * 24th day ofrefueling outage
| |
| * I4.000 gal. spilled via drainpath to sump (RCS & BWST)
| |
| * Refueling complete
| |
| * Loss ofSDC
| |
| * Radiation dose rate maximum - 8 rem'hr
| |
| * Localevacuation ofareas in RB Plant Configuration: Automatic Equipment Response-Availahie: .
| |
| * Various alarms (sumps & RVlevel)
| |
| * LPIpump A & ilXB operating
| |
| * LPIpump C
| |
| * RCS temperature indication via LPI
| |
| * RVlevelindication via dp instrument w/ CR indication
| |
| * Equipment & personnel hatches closed Unavailable: Hardware Failures:
| |
| * LPIpump B (racked out)
| |
| * Incore instrumentation (e g., RCS temperature)
| |
| * RB radiation monitors
| |
| * Containment open FINAL STATUS
| |
| | |
| ==SUMMARY==
| |
| l U '-? fS/F/11N): L Significance-Corrective Actions-(5) Operator aids improved; stenciled labels added to sump suction lines (8) Maintenance procedure modified: add requirementsfor proper identspcation and labeling offanged connections j
| |
| Comments: AEOD report and LER used as sources ofinformation Figure 5.2a Event Information NUREG-1624, Draft 5-24 I
| |
| l
| |
| : 5. Operational Experience Illustrating ATHEANA Principles Event Tianeline-PRE-ACCIDENT INITIATOR POST-ACCIDENT I
| |
| \ A / I a U1 U2 U3 i R1 Umsafe Actions (U)-
| |
| Ul. BlindflangeforLPIsumpsuctioninstalledon wrongline U2. Subsequent checkingfailed to detect incorrectflange installation U3. RCSdrainedthrough unblankedsumpline Ew Em Ew gggjg L,,,,,,,
| |
| hh Activity lype PSFs (+/-)
| |
| No. Effset Mede Type UI latent EOC Mistake R ex<R Mamicnance Mmmenance -1 MMI(labels LTA): poor visibehty & access
| |
| -2 Procedures (mcompletc): did nat regare penetration ID #
| |
| -3 Tramms (LTA): mcorrect use of drawag 4 Trmmns (LTA): une of mfurmallabel 5 Org factors (lack of control) enstance of informallabels 4 Org factors: mcomplete procedures U2 Latent EOO Mistake R ex-CR N!.O Operations 1,-4 5 U3 Imtiator EOC Mestake K ex<R l&C, RO Testmg 4 in-CR 7 Procedure (mcomplete); did not specify coordmation or testmg activities
| |
| -8 Communicatmn (no repeat back)-
| |
| misunderstandag between I&C and RO l
| |
| Other Events (Non-Human Error) fE. H. or R)-
| |
| RI. Operators isolate drainpath, restore RCSlevel, and restore SDC (includingpump venting)
| |
| E Effset . Sat /K Recovery Time ','y Personnel Type PSFs & Defenses (+/-)
| |
| . RI Recovery R&K 23 nunutes m<R, RO 47,-8 ex<R +9 Procedure Imss of DHR was usefulin response
| |
| +10 Trammg-
| |
| +11 Commumcations: HP in RB on RCS level drop
| |
| * Sump alarms
| |
| * In-CR RV level mdicator figure 5.2b Summary of Human Actions 5-25 NUREG.1624, Draft
| |
| - - - - _ _ - - _ _ - - _ - _ _ . - _ _ _ _ - = - _ _ _ . . . . - . . - . - _ . - - . . .
| |
| : 5. Operational Experience Hlastrating ATHEANA Principles HARDWARE DEPENDENCIES Swataantal Revolved: Interfacing Systems-LPI RCS I
| |
| Ceananmentin) Involved: Spatial Dependencies:
| |
| LPIsumline isolation valu (3LP 19) .
| |
| BWSTsuction line isolation valves (3LP-21 & 22)
| |
| BWST HUMAN DEPENDENCIES Actions Dependence Mechanism Description U1,U2 Common PSFs MMI(labeling), training (use ofinformal label)
| |
| Ul, U2 . Common organt:ationalfactors Existence ofinformellabel Ul,U3 Common organi:ationalfactors Incompleteprocedures (Ul&U2), U3 Cascading efect (ie., setup) . Planneddefense defeated (UI, U2, U3), R1 Suboptionalresponse due to CR perceptiod Positin PSFs & defensesprovided reality mismatch created byprevious actions justupcationfor the break with mindset requiredfor response ACCIDENT DIAGNOSIS LOG Accident Symptoms Response RB emergency sump high-levelalarm
| |
| * None RVlent reading at 20* and decreasing
| |
| * Erroneous operation ofRV wide range leni transmitter suspected RB normalsump high levelalarm
| |
| * Washdown operations suspected RV ultrasonic level alarm (i.e., no water in HL pipe
| |
| * Instigation ofcause begun naale)
| |
| * Entered AP/3/All700/07, Loss ofLPIin DHR mode HP in RB verifles reduction in RVlevel & increasing
| |
| * None radiation LPIpum A currentfluctuating downward
| |
| * Stoppedpump
| |
| * Opened BWSTsuction isolation valves Evidence that RCS was not beingfilled
| |
| * Reclosed BWSTisolation valves
| |
| * NLO sent to close 3LP-19 or-20 HP no <fies CR that 6-12 gallons ofwater on RBfloor near enrgency sump Figure 5.2c Event Dependencies <
| |
| NUREG-1624, Draft 5-26
| |
| : 5. Operational Experience Illustrating ATHEANA Principles 5.4 Summary -
| |
| In summary, the above discussion demonstrated that analyses of operational events can be used in two ways when applying ATHEANA:
| |
| (1) Provide illustrative examples of UAs, EFCs, and other human performance factors (i.e.,
| |
| anecdotes).
| |
| (2) Assist in the development of generalized categories of UAs that can be used to search for UAs and associated EFCs to model in a PRA.
| |
| l l .In both cases, such examples derived from event analyses are used to gu eid HRA analysts in t applying ATHEANA.
| |
| l The understanding of operator performance developed through events analyses also laid foundations for ATHEANA application and procedure development. It is evident, from the events analyses previously discussed that UAs are likely to be caused, at least in part, by actual instrumentation problems or misinterpretation of existing indications. The associated EFCs, therefore, are more likely to exist when instrumentation failures or interpretation errors are combined with deficient procedures (probably triggered or revealed by specific plant conditions). This knowledge supported the development of the search aids for EFC and UAs and was used in performing the ATHEANA demonstration documented in Appendix A.
| |
| 5.5 References
| |
| ~
| |
| 5.1 M. Barriere, W. Luckas, D. Whitehead, A. Ramey-Smith, D. Bley, M. Donovan, W. Brown, J. Forester, S. Cooper, P. Haas, J. Wreathall, and G. Parry, An Analysis of Operational Experience during Low Power andShutdown and a Planfor Addressing Human Reliability Assessment Issues, NUREG/CR-6093, June 1994.
| |
| 5.2 M. Barriere, J. Wreathall, S. Cooper, D. Bley, W. Luckas, and A. Ramey-Smith, Multidisciplinary Frameworkfor Human Reliability Analysis with an Application to Errors ofCommission andDependencies, NUREG/CR-6265, August 1995.
| |
| 5.3 S. Cooper, W. Luckas, J. Wreathall, G. Parry, D. Bley, W. Luckas, J. Taylor, and M.
| |
| Barriere, A Techniquefor Human Error Analysis (ATHEANA), NUREGICR-6350, May 1996.
| |
| 5.4 S. Cooper, A. Ramey-Smith, W. Luckas, and J. Wreathall, Human-System Event Classification Scheme (HSECS) Database Description, BNL Technical Repont L-2415/95-1, December,21,1995.
| |
| l 5.5 J. Reason, Human Error, Cambridge, England; Cambridge University Press,1990.
| |
| 5-27 NUREG-1624, Draft
| |
| | |
| ---------------------------------'l
| |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ~ - - - - - -
| |
| r - - - -- - - ------- - - ---- - - - - - - - -
| |
| : 5. Operational Experience lilestrating ATHEANA Principles 5.6 U.S. Nuclear Regulatory Commission, Augmented Inspection Team Report, Oconee, Unit 3, Loss ofRHR (March 9,1991), No. 50-287/91-008, April 10,1991.
| |
| l l
| |
| NUREG-1624, Draft 5 28
| |
| | |
| i j
| |
| PART2 APPLICATION OF PRINCIPLES AND CONCEPTS TO ATHEANA I
| |
| l l
| |
| 1
| |
| | |
| 1 6 FACTORS AND CONDITIONS CAUSING OPERATOR FAILURES This section summarizes the factors and conditions that can lead to failures by the operators when responding in the post-initiator phase of an accident sequence. Section 7 provides, in the form of specific search tables, guidance on factors to be considered in identifying specific error-forcing contexts on a case-by-case basis for failures in situation assessment. The purpose of this section is to provide a bridge from the more theoretical bases discussed in the previous sections to the specific search tables in Section 7, and to provide guidance on identifying opportunities for failures in response planning and response execution. In order to build this bridge, it is necessary to adapt the theoretical model ofinformation processing in this section to the probabilistic risk assessment-human reliability analysis (PRA-HRA) context.
| |
| A basic premise of the method called "A Technique for Human Events Analysis," (ATHEANA) is that operators act " rationally." Ergo, unsafe acts occur when operators are following rules that they believe are appropriate for the situation. These rules can be formal (e.g., emergency operating
| |
| ! procedures) or infonnal (e.g., "believe your indications"). As indicated in Figure 6.1, problems arise when psychological factors and plant conditions combine to set the operator up for failure. These factors can lead operators to select inappropriate or less effective rules, or can create the impression that good rules are met when, in fact, they are not. The following discussion begins with the psychological factors, and demonstrates how to structure the ideas from Section 4 to support the HRA process. The discussion then moves on to consider plant conditions and configurations.
| |
| 6.1 The Model ofInformation Processing in a PRA-HRA Context Identifying the causes of unsafe acts using ATHEANA requires relating the underlying principles of behavior discussed in Section 4 with a knowledge of plant operations and possible conditions.
| |
| This in turn requires some adaptation of the ideas in Section 4. Therefore, the serial event tree model displayed in Figure 6.2 presents an alternative form of Figure 4.1. In Section 4, the central activity of the information processing model is situation assessment. TLauation model developed during I situation assessment exists at all times-before the initiating event of the PRA and at all times after it. De situation model finds its basis on (1) the operator's mental model of the plant (the model that includes the operators knowledge of the plant, its design, operation, and associated physics) and, (2) the operator's interpretation ofinformation about the plant state and behavior in the specific event.
| |
| The situation model is continuously updated.
| |
| De attemative representation of the model for information processing shown in Figure 6.2 begins with three discrete states of the situation model:
| |
| (1) The initial situation model is correct (i.e., the situation model immediately following the ;
| |
| initiating event adequately accounts for the conditions at hand).
| |
| l (2) The initial boundary conditions (the initial state of significant plant equipment and parameters) are correct, but the expectations are wrong (i.e., the operator's projection of future plant behavior is incorrect).
| |
| (3) Both the initial boundary conditions and the expectations are wrong.
| |
| 6-1 NUREG-1624, Draft
| |
| : 6. Factors and Conditions Causing Operator Failures -
| |
| Howmies can appeartobe satis 6ed l
| |
| PsychologicalFactors Plant C=iitims Intapretatim Monitoring Hardware Plant ' Instmments Functional Physics Failums (plant specific)
| |
| Information Figure 6.1 How Psychological Factors and Plant Conditions Combine to Form Error-Forcing Context The information processing model continues with the event tree showing the possibility of success (up branch) or failure (down branch) in each succeeding step. The response planning stage develops
| |
| - plans for actions and for monitoring activities. Next, the response implementation stage carries out
| |
| - the action plan. Finally, monitoring is considered. It should be noted that, even with an incorrect l
| |
| - action plan or implementation, effective monitoring could lead to an update of the situation'model that can correct the response and salvage the plant. However, when the operator's expectations are wrong, it is less likely that monitoring will be effective, because its focus will be wrong. Its focus
| |
| - will be wrong because in most cases, operators will be searching for information that " confirms" Ltheirinterpretation.
| |
| The serial event tree view permits the display of key problem areas. ATHEANA seeks to identify those information processing failures from which recovery is especially difficult. For example, as l- described in Section 4, when the initial situation model is seriously flawed (i.e., initial bour.dary
| |
| . NUREG-1624, Drah 6-2 l
| |
| 1 l
| |
| l
| |
| : 6. Factors and Conditions Causing Operator Failures conditions wrong and initial expectations wrong--the bottom branch in the event tree), it is highly likely that all subsequent activities will be flawed. Therefore, even effective updating of the situation model is unlikely. This condition is illustrated in the event tree by the guaranteed failures along the bottom bmnch an,d the dashed "up" branch at monitoring. It must be pointed out, however, that this is a simplification; the only time a bad initial situation model leads directly to an unsafe act is when the error-forcing contexts are severe enough that cognitive recovery does not occur within the time constraints of the plant physics.
| |
| The focus thus far has been on uncorrected failures in situation assessment. However, failures in the other stages can also lead to operator failures. For example, initial failures in monitoring can lead to the operators being unaware of the existence of a condition requiring response. Failures in response planning can cause the operators to put in place a response that is entirely ineffective for the cause. However, if operators have an appropriate situation model, then appropriate monitoring should (but not always will) lead to the recognition that the response strategy is ineffective. This is equally true ifthe failure is in the response implementation phase. The exception to these conditions occurs when feedback is nonexistent or the failure is unrecoverable. One example of an unrecoverable action would be an inappropriate initiation of the automatic depressurization system (ADS) for a boiling water reactor (BWR). It is not possible to restore the plant to the pre-ADS state once the relief valves have opened and the reactor begins to depressurize. In the event of an anticipated transient without SCRAM (ATWS) condition, this failure would (in almost all cases) lead to core damage iflow-pressure coolant injection were to occur.
| |
| 6.2 Searching for Reasons for Unsafe Actions This section describes the process of using the information processing model to search for reasons for unsafe actions.
| |
| 6.2.1 Failures in Situation Assessment Focusing on the situation model and considering the event tree model of the information processing model in Figure 6.2, there are two basic reasons why the situation model can be wrong:
| |
| (1) The initial situation model is correct, but errors in response planning or response implementation unexpectedly change the plant condition so that the situation model is no longer correct and the operator fails to update the situation model correctly.
| |
| (2) The initial situation model is wrong (either the initial boundary conditions or the l
| |
| ~ expectations or both are wrong) and the operator fails to update the erroneous part of the situation model correctly.
| |
| 6-3 NUREG-1624, Draft u_
| |
| : 6. Factors and Conditions Causing Operator Failures Response Planning Situation Response Monitoring Assessment Implementat. ion Action Monitoring O.K.
| |
| Corrected. O.K.
| |
| Unsafe Act.
| |
| O.K.
| |
| Unsafe Act.
| |
| Corrected. O.K.
| |
| Unsafe Act Unsafe Act O.K.
| |
| Unlikely to Initial Boundary Correct Conditions O.K. Unsafe Act
| |
| " Unlikely to Correct Unsafe Act initial Boundary Unlikely to Conditions and Correct Expectations Unsafe Act Wrong Figure 6.2 Simplified View of the Model for Information Processing The reasons for each case are discussed as follows: problems in information transmission, problems in interpretation (information reception), and problems in monitoring (failure to update).
| |
| Figure 6.1 reflects errors in information as psychological factors because of their direct impact on interpretation and monitoring, even though they are most often problems in hardware or plant conditions. This is one of several areas where the distinction between plant conditions and psychological factors is a bit unclear. The tables of Section 7 expand the possible reasons for problems in information, interpretation, and raonitoring. These reasons are developed down to the i
| |
| NUREG-1624, Draft 6-4 i
| |
| i
| |
| : 6. Factors and Conditions Causing Operator Failures level of elements of error-forcing context. As stated throughout this report, the error-forcing contexts ofinterest are those that combine psychological factors and plant conditions.
| |
| Figure 6.1 shows how plant conditions (including configurations) can be an important cause of unsafe actions. ATHEANA provides guidance, including several tables in Section 7, to help the analyst develop the plant condition elements of error-forcing contexts. There are several ways in which functional failure of plant hardware can interfere with proper interpretation and monitoring, (introducing unanticipated plant configurations, disrupting instrument readings, and overloading operators). Three categories of plant conditions or configurations issues that can confound operator performance include: hardware status, plant physics, and instrument algorithms. Issues related to {
| |
| instrument status are addressed in a table in Section 7.
| |
| Regarding plant physics, the specific transient or accident may occur in difTerent ways or in different j environments than anticipated by emergency operating procedures and training. The occurrence l introduces differences in timing that are incompatible with procedures, and creates unanticipated
| |
| . situations. Another particular area of concern is called instrument physics. In many casies, the instrument readouts are not on the basis of direct measurement of the indicated parameter.
| |
| Sometimes, this simply means that physics algorithms relate the measured parameter to the indicated ,
| |
| parameter. Sometimes operators may assume that a measured and indicated parameter infers another (e.g., if a pump is supplied with electricity, it is delivering flow). Sometimes an indication is a complex function of the time history of the parameter ofinterest. Section 7 contains tables which list these as well as other plant conditions which can confuse operators.
| |
| The tables in Section 7 develop the reasons for errors in stages of the information processing model, down to the level of elements of error-forcing context. These psychological factors and plant conditions lead to unsafe acts when they challenge the operator's ability to choose the cormet " rules" or to see if their correct "mles" are properly fulfilled. A key step in the ATHEANA search process is to determine which rules, ifincorrectly applied, could lead to specific unsafe acts. " Rules" can guide or influence operators in three ways. First, operators use formal or informal rules to identify andjustify specific interactions with the plant which, in ATHEANA; am to be identified and defined as s2fe or unsafe actions. Second, procedures (i.e., formal rules), training, experience, and other factors guide the operators in how to monitor and interpret information provided to them during the
| |
| ! course of an accident. Third, the operators' general knowledge and understanding of how the plant L works (i.e., their mental model of the plant) serve as " rules" of plant behavior regarding how the j operators try to understand the current plant condition and configuration in a specific accident !
| |
| scenario. Section 7 also contains a table providing examples of such rules.
| |
| Figure 6.2 shows how failures in monitoring and related muses, in addition to their relationship with the failures in situation assessment discr sed above, can cause the operators to be unaware of the onset of an operational problem or to fail to detect an inappropriate response.
| |
| In addition, failures in the response planning and resporse iraplementation phases can exist.
| |
| 6-5 NUREG-1624, Draft
| |
| : 6. Factors and Conditions Causing Operator Failures
| |
| '6.2.2 Failures in Response Planning Response planning can fail in three generally applicable ways in which: a wrong goal or priority can be selected, an incorrect or inadequate procedure can be used. or operators may inappropriately ,
| |
| choose to deviate from a procedure.
| |
| i As discussed in Section 4.3.3 three primary reasons form the basis of the conditions leading to the j selection of an inappropriate goal or priority; these are wrong situation assessment, incomplete knowledge or an inaccurate perception of the risks. A description of factors influencing a wrong situation assessment is found earlier in this section. Incomplete knowledge can lead to the selection of wrong goals or priorities under circumstances where operators are in conditions where their training is difficult to recall or where it is difficult to interpret the plant conditions at the time of the event. Important influences that can lead to this are "high-tempo" events for which the operators have received little " hands-on" simulator training--in other words their responses are based on actions that have only been considered in theoretical settings such as classroom conditions and for which limited direct instructions are provided.
| |
| Inaccurate perceptions of risks (such as giving a disproportionate weight to economic as opposed to plant-damage concerns) are often the result ofincomplete information or significant uncertainties 1
| |
| as to the likely outcomes of alternative choices. It is recognized that operating personnel will identify safety as a priority in abstract settings, but in practice decisions are rarely so clear cut. The factors influencing the weights given to difTerent priorities are largely the result of management and organization influences that are beyond the present scope of ATHEANA. However, the analysts j should be aware that such biases do exist. Not all perceptions involve balancing safety versus economic priorities. Operators can face situations where priorities of a fixed resource can be in i conflict. For example, often in the case of pressurized water reactor (PWR) plants, the same source of water, the refueling water storage tank (RWST), is used as a source ofinjection water for both the containment spray (CS) systems and the high-pressure injection (HPI) . systems. Operators can be in the position of having to decide whether or not to terminate automatically initiated CS operation to preserve resources for extended HPI operation. In this and similar cases, the analyst must examine the potential for competing demands on a limited resource and identify, where possible, those factors that could influence an operator in deciding to withhold or consume a resource inappropriately. The primary influences of concern would be emphases given in formal or informal training.
| |
| The second category of inappropriate response planning involves operators following an l inappropriate procedure. First, the operators can identify and implement the wrong procedure. The l most likely cause of this deviation is an incorrect situation model (discussed earlier), particularly in j the case of emergency operating procedures. In the case of other types of procedures, again an l incorrect situation model can be the cause. Another cause involves the recent use of a similar procedure to the one intended, where the operator inadvertently implements the more familiar procedure. It should be noted that for an unsafe action to occur, it is not necessary for operators to i complete the use of the wrong procedure, only that they reach an action that, in the context of the l accident scenario, causes the plant to become less safe.
| |
| NUREG-1624, Draft 6-6
| |
| | |
| t
| |
| : 6. Factors and Conditions Causing Operator Failures l Another reason for following an inappropriate procedure is when the procedure is the ' correct' procedure but does not completely apply to the situation. A.ll procedures are written and evaluated against a range of plant situations. Some procedures apply to all potential plant conditions--for example a response to an ATWS event. However, in other cases, there may be conditions under which the procedures should not be followed verbatim: most utilities recognize that such conditions can exist and instruct operators that when they encounter such conditions, the operators' judgement should take priority. In ATHEANA analyses, the analyst should search for situations where the plant condition could be beyond the assumptions implicit in the development of the procedures.
| |
| The third category of failure in response planning occurs when operators decide to deviate from procedures inappropriately. These deviations can include taking an inappropriate action, omitting a needed action, or performing an action at an inappropriate time. For example, taking an action at an inappropriate time could involve delaying an action that operators may be reluctant to perform in the hope of recovering preferred but failed equipment. Delaying feed-and-bleed operations in the hope of restoring some kind of secondary flow in a PWR would be a prime example, if the delay leads to plant damage. Alternatively conditions could exist when operators may wish to begin a stressful or demanding plant evolution "early" to avoid uncertainty as to whether it will be accomplished successfully. If such an early action ould lead to piant damage (such as starting a pump that may draw from an inadequate source) : en becomes an unsafe action.
| |
| 6.2.3 Failures in Response Execution There are several different ways in which failures can occur in the response-execution phase including: other actions compete for resources (cognitive or manual); operators make slips or lapses; and there are communication failures between operators.
| |
| In many cases during the post-initiator phase, operators caa feel a need to prioritize actions because of a perceived shortness of time or urgency of a situa: ion. In these cases, it is possible for people to be in situations where they need to remember sequences of activities, as in cases where they may say "First we'll take care of"x", then move onto situation "y", then .... ." Such planning can be well made and correspond with appropriate priorities (inappropriate priorities are discussed under failures in response planning in Section 6.2.2). However, humans are prone to forgetfulness, particularly under highly stressed conditions, and it is possible for operators to simply omit an action or set of actions from simple lapses in memory. Additionally, operators may incorrectly recall the memorized actions and perform an inappropriate action (for example, opening valve "CXD70231" instead of "CXD70321"). Any situation in which operators may be required to remember more than even a small number ofitems (three or four items for example) under stressful conditions can be prone to memory failures. i l
| |
| There are other circumstances that might lead to action items being forgotten. For example, I procedures may require a delay before an action is taken, such as when an action is contingent upon a parameter reaching some value or when an action is allowed to be taken "when time permits."
| |
| Again, memorization of other items may " push" these delayed actions out of the list of things to do. j i
| |
| 6-7 NUREG-1624 Draft L__________-____-
| |
| : 6. Factors and Conditions Causing Operator Failures Actions involving several operators in coordination (particularly ex-control-room actions) can involve failures in the communication between the operators, or there may be insufficient operators readily available at the time the action needs to be taken. Miscommunications can lead to unsafe actions (e.g., the garbling of such items as valve numbers or other equipment identifiers).
| |
| ATHEANA analysts need to be cognizant of areas in the plant where communications are known to be difYicult and to recognize the potential for failures in ex-control-room actions in those areas.
| |
| Slips are " actions performed not as intended." An example of a typical slip in response execution is the selection of a wrong switch on a control panel because it is similar to an adjacent intended switch. Sections 13 and 14 of NUREG/CR-1278 (Ref. 6.1) provide sources of human-factors guidance on designs that are more prone to slips. Ref. 6.2 includes human-factors review of power-plant control rooms. Extensive upgrades have been made to most power-plant control rooms in order to reduce the opportunities for slip :cading to significant unsafe actions. However, ex-control-room areas have not all been subjected to similar upgrades and may retain the potential for such slips.
| |
| 6.3 Integration and Prioritization Unsafe acts can occur during any stage of processing information. The unsafe acts occur because the operator inappropriately applies a formal or informal rule for action. Identifying these rules serves as a screen for rationality; that is, ATHEANA assumes that operators act rationally and the rules provide the basis for acting. When the possible applicable rules for action are found, the analyst identifies the stages of processing information in which errors associated with each rule can occur, and associates that rule with the appropriate stage (i.e., situation assessment, response planning / implementation, and monitoring). The analyst must then identify the information required to carry out the rule (i.e., the information that must be wrong, interpreted wrong, or incorrectly monitored to improperly apply the rule), the plant conditions that could lead to improper application of the rule, and the PSFs that could induce improper application of the rule. For each of the items ofinformation, plant condition, and PSF, the analyst follows the guidelines of the search process to select error-forcing context elements that have the greatest likelihood of distorting the rule, inducing a cognitive error, and failure of cognitive recovery.
| |
| The following ideas for setting priorities are the result of observations from the operating history.
| |
| Those observations are taken from the view of human error in terms of slips, lapses, mistakes and circumventions (NUREG/CR-6350 [Ref 6.3] and Reason (Ref. 6.4]). For comparison with the ATHEANA model, we note that the distinctions between slips, lapses, mistakes, and circumventions occur at the level of the unsafe act (UA)-error forcing context (EFC) pair (UA 3 ^ EFC).
| |
| 3 In tum, these can be characterized as errors of commission and errors of omission. From the operating experience, the highest priority is assigned to unrecoverable slips and mistakes (either direct mistakes or mistakes subsequent to slips or lapses due to an incorrect situation model formed under those errors).
| |
| NUREG-1624, Draft 6-8
| |
| | |
| I
| |
| : 6. Factors and Conditions Causing Operator Failures i
| |
| 4.-_-----____________ Search Process . _ _ - - _ _ _ _ _ _ _ _ _ _ _ _ _ _ 1
| |
| - - - - - - - - - - - - - - - - - - - - - Quantification - - - - - - - - - - - - - - - - >
| |
| ! l E
| |
| PSFs > ,
| |
| Unsafe Actions > HFE A
| |
| 8 J
| |
| /' l Incorporation I T ', ,
| |
| v l Plant To PRAlogic models l
| |
| Conditions Figure 6.3 Simplified ATHEANA Framework 6.4 Relationships Between Search Process, Quantification, and Incorporation into PRA At a high level, the relationships between the various activities that comprise the actual application of the ATHEANA process can be described with reference to the various elements of the framework discussed in Section 2. The framework appears in a simplified form in Figure 6.3. The search process proceeds from the identification of potential HFEs in the context of the PRA and
| |
| " backtracks" to identify possible combinations of plant conditions and PSFs that could lead to the HFE occurring. Hence, the product of the search process is a series oflists of possible HFEs, UAs, and EFCs (plant conditions and PSFs). The quantification task " moves" in the opposite direction by aggregating the likelihoods of the plant conditions and PSFs causing the UAs of concern, and, in turn, causing the HFE. The HFEs of concern. ogether with their probabilities of occurrence, are then incorporated at appropriate points in the PRA models to allow the frequencies of core damage or other undesired outcomes to be calculated. The following sections describe each of these activities in turn.
| |
| 6.5 References 6.1 Swain, A.D., and H.E. Guttmann, Handbook ofHuman Reliability Analysis with Emphasis 1 on Nuclear Power Plant Applications, NUREGICR-1278, Rev.1, Sandia National Laboistories, Albuquerque, NM, August 1983.
| |
| l 6.2 Seminara, J. L., W. R. Gonzalez, and S. O. Parsons, Human Factors Review ofNuclear Power Plant Control Room Design, EPRI NP-309, Electric Power Research Institute, Palo Alto, CA, November 1976.
| |
| 69 NUREG-1624, Draft
| |
| ------------------d
| |
| | |
| 6.- Factors and Conditions Causing Operator Failures 6.3 S.E. Cooper, A. Ramey-Smith, J. Wreathall, G.W. Parry, D.C. Bley, J.H. Taylor, W.J.
| |
| Luckas, A Technique for Human Error Analysis (ATHEANA), NUREGICR-6350, Brookhaven National Laboratory, Upton, NY, April 1996.
| |
| 6.4 Reason, J., Human Error, Cambridge University Press, New York,1980.
| |
| I l
| |
| NUREG-1624, Draft 6-10
| |
| | |
| 7 SEARCH PROCESS This section provides guidance for applying ATHEANA in performing human reliability analysis (HRA) tasks, except for the final steps of basic event quantificationand incorporation into the PRA model, which are addressed in Section 8 and 9, respectively. In order to understand this guidance and put it into practice, ATHEANA users must understand the underlying concepts and terminology presented in the ATHEANA knowledge-base, given in Part 1, as well as the motivation and basic process for ATHEANA that are given in the introductory material of this document. This report
| |
| ]
| |
| includes a glossary of key terms (Appendix E) that is expected to be an important aid to potential 1 ATHEANA users.
| |
| )
| |
| Potential users should note that the ATHEANA process is unique or unusual among other HRA methods for the followmg reasons:
| |
| 1 (1) The ATHEANA process is designed to identify and justify human failure events (HFEs) that !
| |
| previously have not been included in PRA models (especially errors of commission (EOCs). I Most current HRA methods do not formally address HFE identification and justification to the extent and in the manner that ATHEANA does.
| |
| (2) The ATHEANA process for identifying HFEs and associated unsafe actions and error-forcing contexts (EFCs) is similar to a Hazard and Operability (HAZOP) study in that:
| |
| (a) A multidisciplinaryteam, lead by the HRA analyst,is required to apply the method.
| |
| (b) An imaginative yet systematic search process is used.
| |
| (c) The ATHEANA search aids and the structure ofits search process are designed to assist the multidisciplinary team and stimulate innovative thinking.
| |
| In particular,while the beginning of the ATHEAN A process is deductive,later steps require creative thinking for which this guideline and the ATHEANA knowledge-base provide the " seeds."
| |
| Figure 1.3 illustrates the major steps in applying ATHEANA. A more detailed description of each step appears in the following sections. Most of these steps focus on the search process 'or HFEs, unsafe actions, and EFCs. Steps 1-8 are the deductive portion of the overall ATHEANA process.
| |
| Performance of these steps requires knowledge of the plant-specific probabilistic risk assessment (PRA) and plant engineering, design, and operations but no special understanding or expertise regarding human performance. Another advantage of the ATHEANA approach is that these steps need to be performed only once (i.e., do not need to be duplicated every time the PRA model is updated or modified) unless the plant's design or operations change. The remaining steps (#9 through #13B and #14A ) require both creative thinking and the understanding of human performance provided in the ATHEANA knowledge-base. Quantification of HFEs and their incorporation into the PRA model are discussed in Sections 8 and 9, respectively.
| |
| Because,like a HAZOP, creative thought or " brainstorming" is required in the later portion of this 7-1 NUREG-1624, Draft
| |
| | |
| I
| |
| : 7. Search Process search process, ATHEANA users should not treat the steps shown in Figure 1.3 as strictly sequentia Rather, ATHEANA users should expect to perform some iteration of steps and occasional" jumping ahead" during the search process. An example application of ATHEANA performed at a pressurized water reactor (PWR) nuclear power plant (NPP) is documented in Appendix A and illustrates the ATHEAN A method and process. Appendix A provides the results of the ATHEANA demonstration in a step-by-step fashion, furtherillustratinghow ATHEANA was applied (including iterations of steps and " jumps ahead"). The results of this demonstration further supplement the I simpler examples that are used in the text below.
| |
| 7.1 Preparation for Applying ATHEANA This section describes the preparatory activities required for applying the ATHEANA search process. These preparatory activities include:
| |
| . selection of the overall scope of the ATHEANA analysis a selection and training of the multidisciplinary team who will apply ATHEANA
| |
| . establishment of priorities for examining initiating events and event trees l
| |
| l
| |
| * establishment of priorities for examining candidate human failure events (HFEs)
| |
| . collection of background information While it is assumed that the activities typically performed in preparing to perform HRA (e.g., plant familiarization, gaining an understanding of the PRA model) also are performed in applying ATHEANA, these activities are not discussed here. For a discussion of the requirements of a i
| |
| " quality"HRA, refer to Part 4, Chapter 14 of the IPE Insights Report, NUREG-1560 (Ref. 7.1) and NUREG-1602 (rec 7.2).
| |
| 7.1.1 Step #1: Select the Overall Scope of the Analysis The first step in applying ATHEANA is to define the scope of the analysis to be performed. Issues that are likely to influence the decision regarding analysis scope include available resources, schedule requirements, the status of en existing plant-specific PRA, and the objectives to be accomplished by the analysis.
| |
| Part I states that the purpose of ATHEANA is to support the analysis of post-initiator HFEs. That is because, in the event histories examined in the development of ATHEANA, it is the post-initiator HFEs that represent plant functional failures with the potential to lead to core damage. In ATHEANA, pre-initiator or initia'or human actions become significant only when they create dependenciesthat can interfere with successfulpost-initiator actions. Such pre-initiator or initiator human actions are found during the search for error-forcing contexts. l l
| |
| In principle, it is concievable to expand ATHEANA to model and quantify the pre-initiator and initiator human actions that typically are modeled in PRAs as HFEs separately from post-initiator HFEs (e.g., maintenance errors). However, at this time, no significant need or advantage has been NUREG-1624, Draft 7-2
| |
| | |
| 7.0 Search Process found for such expansion.
| |
| ' Since most plants already have performed an at-power PRA, it is assumed that any HRA performed i with ATHEANA will be an update to the existing PRA. Threc different typesof updatesare possible:
| |
| (1) augmentation of the existing HRA with new HFEs
| |
| -(2) re-analysis of HFEs modeled in the existing PRA (3) both augmentation and re-analysis The performance of these three types of updates is similar, although with different resource requirements and potential impacts on the PRA model. The authors recommend performing an augmentation of the existing HRA as a first priority. An augmentation analysisis expected to be the most efficientuse ofresources with respect to showing measurable changes to the PRA model and its results. A re-analysis can be performed later, as additional resources are available or as plant needs (e.g., to suppoit regulatory relief) are identified.
| |
| In addition, while ATHEANA could be very beneficialin the analysis of human performance during low power and shutdown (LP&S) operations, the current ATHEANA guidance and search aids do not completely address some of the LP&S-specific human performance issues that have been ,
| |
| /
| |
| identified in reviews of LP&S events (e.g.,NUREG/CR-6093 (Ref. 7.3), NUREG/CR-6265 (Ref.
| |
| 7.4)). Examples of such issues which are not currently incorporatedinto ATHEANA are the higher percentage of human-inducedinitiators and the greater potential for dependencies across time phases l
| |
| of the PRA model (e.g., dependencies between human-induced initiators and post-initiator actions).
| |
| I-The product of Step #1 is a description or definition of the scope of the ATHEANA analysis to be undertaken.
| |
| 7.1.2 Step #2: Assemble and Train the Multidisciplinary Team As noted above, ATHEANA is applied by a multidisciplinaryteam, under the leadership of the HRA l analyst. It is essentialthat the ATHEANA team be comprised of people with sufficient knowledge l and experience to supply the information and answer the questions involved in the ATHEANA L search process. As a minimum, the membership requirements for an effective ATHEANA team 1 l
| |
| must include the following expertise:
| |
| *- familiarity with the issues in behavioral and cognitive science, as described in Part 1 l l
| |
| e' understanding of the ATHEANA process j i knowledge of the plant-specific PRA, including knowledge of the event sequence model l
| |
| * understanding of plant behavior, especially thermal-hydraulic performance 7-3 NUREG-1624. Draft
| |
| | |
| i
| |
| : 7. ' Search Process
| |
| .- understanding of the plant's procedures (especially emergency operating procedures) and operational practices e understanding of operator training and training programs
| |
| .' knowledge of the plant's operating expenience, including trip and incident history, backlog of corrective maintenance work orders, etc.
| |
| .. knowledge of plant design, including man-machine interface issues inside and outside the control room Therefore, it is recommended that the ATHEANA team include the following types of technical staff members:'
| |
| . an HRA analyst-
| |
| . a PRA analyst (preferably the accident sequence task leader)
| |
| . a reactor operations trainer (with expertise in simulator training)
| |
| . a Senior Reactor Operator
| |
| . a thermal-hydraulics specialist Other plant experts should supplement the expertise of the ATHEANA team by as needed, to provide additional plant information required for the ATHEANA search process, participate in <
| |
| simulator trials 'or talk-throughs, and support the collection of information needed for HFE quantification.
| |
| As noted above, the HRA analyst serves as the team leader and is also the principal expert on the information given in Part 1, the ATHEANA knowledge-base, and on the ATHEANA process. In particular, the HRA analyst must perform the following functions:
| |
| (1) Provide interpretation and guidance to the team as needed, in order to ensure that the objectives of ATHEANA, and of HRA and PRA overall, are met.
| |
| (2) Facilitate the collection ofinformation needed to supplement the experience and expertise of the team.
| |
| (3) Collect or facilitate the collection ofinformation needed to quantify the HFEs identified with
| |
| !- ATHEANA.
| |
| L The_ HRA analyst also has the responsibility of training other team members on ATHEANA.
| |
| - Appendix A, Section A.3, outlines the training provided during the demonstration of ATHEANA at a PWR NPP. The following topics should be addressed in ATHEANA team training:
| |
| NUREG-1624, Draft ' 7-4 l
| |
| I l
| |
| | |
| 1 7.0 Search Process L
| |
| f
| |
| . the character of severe accidents (as described in Part I and the introduction of this report)
| |
| . the underlying principles and objectives of ATHEANA l
| |
| * the basic principles of behavioral and cognitive science, as utilized in ATHEANA
| |
| = the confirmation of the ATHEANA perspective from the review of operational experience i
| |
| e the basic approach to event analysis (in the ATHEANA perspective, see Ref. 7.5)
| |
| * the ATHEANA process L
| |
| * any ;revious demonstrations of ATHEANA {
| |
| In addition to the presentation of the above topics, it is highly recommended that the ATHEANA team perform reviews of at least two operational events and that the team talk-through an ATHEANA demonstrationsuch as that given in Appendix A. One of these events might be one that
| |
| - has occurred at their plant. Another event might be one that already has been analyzed and documented in the database that was developed to support ATHEANA (i.e., the Human-System Event Classification Scheme (HSECS) database (Ref. 7.5), or in other ATHEANA documents, or
| |
| ~
| |
| in Appendix B of this report. The event reviews should help the team become more familiar and comfortable with the ATHEANA terminology (e.g., situation assessment, error-forcing context and its elements) and help them understand and appreciate the ATHEANA perspective. The talk-through
| |
| ! 'of a demonstration serves a similar purpose but also provides an opportunity for the team to better understand the ATHEANA process.
| |
| i l The products of Step #2 are the identification and training of the team members for the application
| |
| ' of ATHEANA at a specific plant. Team training includes not only knowledge of the ATHEANA principles and process but also review and understanding of operational events using the ATHEANA perspective.
| |
| 7.1.3 Step #3: Collect Background Information Step 3 in the ATHEANA process is similarto that which has been traditionallyperformedin HRAs.
| |
| Also, similar to traditionalHRAs, performanceof Step 3 should occur continuouslythroughoutthe ATHEANA process, rather than being performed at a single time.
| |
| ' Just as in traditionalHRAs, the HRA analyst should collect plant informationthat is relevant to HRA l
| |
| (e.g., syst'em design, plant layout, procedures, operations, training, maintenance). The entire ,
| |
| ATHEANA team should be familiar with this information, in addition to the existing PRA model, its documentation,and results. Individualmembers of the ATHEANA team should be more expert l
| |
| regarding each of these information sources and may need to identify additional staff to suppor' *he j i i team. The purpose of this more traditional collection of HRA background informationis to develop l a general understanding of the operator's performance environment for the specific plant.
| |
| In addition to the more traditional collection of background information, the ATHEANA process requires and incorporatesoperationalexperience,from both the overall nuclear power industry and the specific plant. Initially,the purpose of this additional information is to provide " feed material" for the creative thought process involved irilater ATHEANA search steps. In particular, examples of unsafe actions and challenging contexts from anecdotal experience will fulfill the following l
| |
| 7-5 NUREG-1624, Draft
| |
| : 7. Search Process purposes:
| |
| I (1) Help to establish priorities in applying ATHEANA with respect to initiators and plant functions / systems (i.e., Steps #4 and #5 of the ATHEANA process),thereby influencing the selection of high priority HFEs.
| |
| (2) Serve as templates for either similar or generalized unsafe actions and associated error-forcing contexts that must be identified in the ATHEANA search process.
| |
| Also, the information collecting activity provides a vehicle for identifying, recording, and incorporating into the HRA any operational or performanceconcerns that plant personnel (especially operators, trainers,and operations staff) may have that often cannot be accommodated by previous HRA/PRA methods. For example, a common concern among operators is the ability to successfully respond to certain support system failures (e.g., loss ofinstrument air initiators) that cause degraded conditions and loss ofindications and/or may involve difficult and lengthy equipment restoration activities. Later in the ATHEANA process, detailed, plant-specific operational info mation is required to support the ATHEANA search for unsafe actions and error-forcing contexts. Such information may include the following examples:
| |
| = temporary procedures or operating practices used when the plant status or configuration is different than normal (due to, for example, equipment or indication unavailabilitiesincluding configurations requiring NRC waivers from Limiting Conditions for Operation (LCOs)
| |
| . equipment or indications with either a recent or long history of degraded or failed performance / condition
| |
| - operators' formal or informal priorities regarding which indications to rely on (and why)
| |
| = instances ofmultiple failures, especially due to dependencies (both human and equipment)
| |
| . plant-unique initiators (considered in more detail than the PRA initiator categories) that have or can cause significant operational burdens and difficulties (e.g., the bi-annual, twice-a-day grass intrusionsin the Salem 1 circulatingwater intake structure - see Augmented Inspection Team (AIT) Report Nos. 50-272/94-80 and 50-311/94-80 (Ref. 7.6)
| |
| While the detailed information that will be required cannot be entirely anticipated (and, therefore, can be collected as needed),it is important that representationon the ATHEANA team include plant personnel who have general knowledge of past and current plant-specific hardware and operator performance. During the search process, such personnel can help, during team discussions, to identify likely or credible problems that can be later expanded and verified by more thorough information collection (perhaps through the assistance of supporting plant personnel). It also may be beneficial for the ATHEANA team (lead by " experts" on the team) to perfomi a general review of past and current plant-specific operational issues and concerns that have impacted or could potentially impact hardware (including indications) and/or operator performance.
| |
| NUREG-1624, Draft 7-6
| |
| | |
| 7.0 Search Process The ATHEANA team leader /HRA analyst is ultimately responsible for collecting needed background information and circulatingit among the ATHEANA team members before ATHEANA Steps #4 and #5 are performed. This is done in order to assist the team in becoming familiar with l important human performance contributions and contextual factors in past accidents and serious precursor events and potential plant-specific vulnerabilitiesto the development of situations that are challenging for operators.
| |
| Step #3 yields the following products:
| |
| (1) reference lists for collected background information (2) lists of source information expected to be used later in ATHEANA (3) contact lists of plant personnel who have or are expected to support the ATHEANA team with relevant plant-specific knowledge (including personnel involved in planned simulator exercises)
| |
| (4) notes regarding potential unsafe actions and challenging or error-forcingcontexts that should be considered in later ATHEANA steps 7.1.3.1 Review and Collection of Anecdotal Experience The review and collection of relevant anecdotal experience should include both plant-specific and industry wide experience. Sources of plant-specificinformation may be derived from the following sources:
| |
| * site incident / trip reports e plant documentation supporting licensee event reports (LERs)
| |
| * results of simulator exercises (including debrief'mg interviews of operators and trainers)
| |
| * Systematic Assessment Licensee Performance (SALP) reports e interviews of knowledgeable plant personnel (especially those in training and operations)
| |
| Eventually,it is anticipated that there will be a link created between a computerized version of the ATHEANA application guidance and an industry-wide experience-base. ATHEANA users will use these combined functionalitieswhich will be updated periodically with new information. However, at the present time only this report provides ATHEANA guidance and the experience-base is not completelydeveloped. Information used to develop this experience-base may be derived from the following sources:
| |
| * event-based reports (e.g., NRC Augmented Inspection Team reports (AITs), NUREGs, Office for Analysis and Evaluation of 0perational Data (AEOD) human performance reports; Institute of Nuclear Power Operations (INPO) reports) 7-7 NUREG-1624, Draft
| |
| | |
| i
| |
| : 7. Search Process e' selected full-text LERs
| |
| : e. NRC and industry information bulletins
| |
| .- L NRC Accident Sequence Precursor Program reports Human-System Event Classification. Scheme (HSECS) database developed to support ATHEANA (Ref. 7.5).
| |
| Until the experience base that will support ATHEANA is available, users should refer to the following sources:
| |
| 1
| |
| . event information in the ATHEANA knowledge-base, Part 1, Section 5
| |
| . events summarized in Appendix B of this report In addition, the following references can support the user's effort:
| |
| o Cooper, S.E., W.J. Luckas, Jr., and . J. Wreathall, " Human-System Event Classification Scheme (HSECS) Database Description," BNL Technical Report L-2415/95-1, December 21,1995.
| |
| This report describes the database structure used to analyze operational events in support of ATHEANA. It also provides a thorough analysis of three PWR full power events, under the database structure.-
| |
| 1 e Barriere, M., W, Luckas, D. Whitehead, A. Ramey-Smith,D. Bley, M. Donovan, W.
| |
| Brown, J. Forester, S. Cooper, P. Haas, J. Wreathall, and G. Parry, "An Analysis of Operational Experience During Low-Power and Shutdown and a Plan for Addressing Human Reliability Assessment Issues," NUREG/CR-6093, BNL-NUREG-52388, SAND 93-1804, June 1994.
| |
| Appendix B provides the results of the analysis of a number of PWR shutdown events under an earlier database structure. It also provides summary statistics on relevant aspects of these events. Although the events <
| |
| occurred during shutdown, the multidisciplinary factors affecting human performance are relevant to full power HFEs.
| |
| ,e . Barriere, M.T., J. Wreathall, S.E. Cooper, D.C. Bley, W.J. Luckas, and A. Ramey- ,
| |
| Smith, "Multidisciplinary Framework for Human Reliability Analysis with an
| |
| ' Application to Errors of Commission and Dependencies,"NUREG/cR-6265, BNL-NUREG-52431, August 1995.
| |
| While primarily theoretical,this report presents analyses of a number of real I
| |
| events to illustrateprinciples. Chapters 3,4 and 5, as well as Appendices A,
| |
| ' NUREG-1624, Draft 7-8
| |
| | |
| l 7.0 Search Process B and C present aspects of specific events and summary statistics from event reviews.
| |
| e S.E. Cooper, A.M. Ramey-Smith,J. Wreathall, G.W. Parry, D.C. Bley, W.J. Luckas, J.H. Taylor, and M.T. Barriere, "A Technique for Human Error Analysis
| |
| - (ATHEANA)," NUREG/CR-6350, BNL-NUREG-52467, May 1996.
| |
| l Section 5.3 " Understanding [the causes of unsafe actions] Derived from Analyses of Operational Events" summarizes key aspects of five actual events are used to illustrate unsafe actions and imponant error-forcing context elements.-
| |
| e NRC AEOD,"EngineeringEvaluation:OperatingEventswithInappropriateBypass or Defeat of Engineered Safety Features," AEOD/E95-01, July 1995.
| |
| This repon identifies 14 events in 41 months in which operators inappropriatelybypassed Engineered Safety Features (ESFs). Summaries of some of these events (which somewhat overlap with events analyzed in other sources) are provided. AEOD concludes that the number of events found indicates a potentially persistent problem that has not yet been addressed.
| |
| Most of the inappropriate bypasses would be considered errors of commission by ATHEANA.
| |
| * U.S. Nuclear Regulatory Commission, Kauffman, J.V., G.F. Lanik, R.A. Spence, and E.A. Trager, " Operating Experience- Feedback Report-Human Performance in Operating Events," NUREG-1275, Vol. 8, December 1992. j l
| |
| A report of sixteen onsite multidisciplinary studies of human performance (1990-1992) following accident scenarios (e.g., stuck open safety-relief valve, positive reactivity insertion, and partial loss ofinstrument air).
| |
| * Roth, E.M., R.J. Mumaw, and P.M. Lewis,"An Empirical Investigation of Operator Performance in Cognitively Demanding Simulated Emergencies," NUREG/CR-6208, Westinghouse Science and Technology Center, July 1994.
| |
| This repon differs from the others. Rather than a report of actual plant ,
| |
| events, it documents the results of a set of experiments performed to l
| |
| ! understand and document the role of higher-level cognitive activities (e.g.,
| |
| diagnosis, situation assessment, and response planning) in cognitively demanding emergencies,even when the use of highly prescriptive emergency operating procedures is required. The experiments were performed using training simulators at two plants. Up to 11 crews from each plant participated in each of two simulated emergencies, for a total of 38 cases.
| |
| The emergenciesincluded an interfacing system loss of coolant scenario and 7-9 NUREG-1624, Draft
| |
| : 7. Search Process a loss of heat sink scenario. In each of the scenarios, operators needed to use higher level cognitive activities to control situations not fully addressed by the procedures. About 10% of the crews never formed the correct situation assessment. The authors point out that, "lif higher-level cognitive activities must play a role in difficult scenarios, there are important implications for the kinds of training, procedures, displays, and decision aids that need to be provided to control ' room operators...as well as .for human reliability analysis."
| |
| e NRC detailed reports on events involving significant human performance problems published as a result of site visits and interviews immediately following the events (e.g., augmented inspection team (AIT) reports, integrated inspection team (IIT) reports, and AEOD human performance reports}.
| |
| These detailed reports are described in NUREG/CR-6265 (Ref. 7.4), because they are rich sources of information that helped establish the multidisciplinary framework used by ATHEANA and helped in the development of the search guidance in the current report. A sampling of these reports that were particularly useful is summarized below.
| |
| . U.S. Nuclear Regulatory Commission AEOD Human Factors Team Report -
| |
| Catawba, Unit 1 - March 20,1990,"On-Site Analysis of the Human Factors of an Event," May 1990.
| |
| . U.S. Nuclear Regulatory Commission, AEOD Human Factors Team Report -
| |
| Braidwood, Unit 1 - October 4,1990, "On-Site Investigation and Analysis of the Human Factors of an Event," October 1990.
| |
| . U.S. Nuclear Regulatory Commission, AEOD Human Factors Team Report -
| |
| Oconee, Unit 3 -March 9,1991,"On-Site Analysis of the Human Factors of an Event (Loss of Shutdown Cooling),"May 1991.
| |
| . U.S. Nuclear Regulatory Commission, AEOD Human Factors Team Report -
| |
| Crystal River, Unit 3 - December 8,1991, "On-Site Analysis of the Human Factors of an Event (Pressurizer Spray Valve Failure)," January 1992.
| |
| . U.S. Nuclear Regulatory Commission, AEOD Human Factors Team Report -
| |
| Prairie Island, Unit 2 - February 20,1992, "On-Site Analysis of the Human Factors of an Event (Loss of shutdown cooling)," March 1992.
| |
| i
| |
| * U.S. Nuclear Regulatory Commission, AEOD Special Evaluation Report,
| |
| " Review of Operating Events Occurring During Hot and Cold Shutdown and Refueling," December 4,1990.
| |
| . U.S. Nuclear Regulatory Commission, Generic Letter No. 88-17, " Loss of Decay Heat Removal," October 1988.
| |
| . U.S. Nuclear Regulatory Commission, Inspection Report No. 50-306/92-005, Prairie Island, Unit 2," Loss of RHR (February 20,1992)," Augmented Inspection Team Report, March 17,1992.
| |
| * U.S. Nuclear Regulatory Commission, Inspection Report No. 50-275/91-NUREG-1624, Draft 7-10 j j
| |
| (
| |
| | |
| , 7.0 Search Process 009, Diablo Canyon, Unit 1, " Loss of Off-Site Power (March 7,1991),"
| |
| Augmented Inspection Team Report, April 17,1991.
| |
| . U.S. Nuclear Regulatory Commission, Inspection Report No. 50-287/91-008, Oconee, Unit 3, " Loss of RHR (March 9,1991)," Augmented Inspection Team Report, April 10,1991.
| |
| . U.S. Nuclear Regulatory Commission, Inspection Report No. 50-456/89-006, Braidwood, Unit 1, " Loss of RCS Inventory via RHR Relief Valve (December 1,1989)," Augmented Inspection Team Report, Dec. 29,1989.
| |
| l '
| |
| . U.S. Nuclear Regulatory Commission, NUREG-1269, " Loss of Residual Heat Removal System,"(Diablo Canyon, Unit 2, April 10,1987), June 1987.
| |
| . U.S. Nuclear Regulatory Commission, NUREG-1410, " Loss of Vital AC Power and the Residual Heat Removal System During Midloop Operation at Vogtle Unit 1 on March 20,1990," June 1990.
| |
| The focus of the anecdotal experience review and collection activity should be upon those events or incidents that either were or had the potential to be challenging to operators. Because the U.S.
| |
| nuclear power industry has experienced only one at-power, serious accident (i.e., that at TMI-2), all of these events or incidents will be accident precursors. Consequently,the ATHEANA team should not only examine the unsafe actions and contextual elements of these precursors events and incidents but also should postulate what additional complicating factors may be needed to create an error-forcing context (EFC) and cause an associated unsafe action at their specific plant. In addition, ATHEANA users should recognize that an HFE defined through ATHEANA will consist of at least two unsafe actions: an initial unsafe act and a failure to recover. Each of these actions will have an error-forcing context (although there may be overlap or dependencies between these two EFCs).
| |
| Three types of error-forcingcontexts can be differentiated by their effect on operator performance:
| |
| (1) cognitively demanding sit'uations (2) executionally problematic situations (3) situations that are both cognitively demanding and executionally problematic The title of the first type of EFC mimics the terminology used by Roth et al. in NUREG/CR-6208 (Ref. 7.7). For this EFC type, the EFC creates a situation in which the operators' thinking becomes
| |
| !- faulty, leading to failures in situation assessment and/or response planning. EFCs that cause both situation assessment and response planning failures are considered together because, as discussed
| |
| . in Part 1, these types of failures often are coupled. ' As discussed in Part I and illustrated by the events discussed in the recommended sources listed above, EFC elements that can create cognitively demanding situations are illustrated by the following examples:
| |
| .- instrumentation and/or indication problems (e.g., combinations of previously undiscovered failures, historically unreliable indications, unavailable indications)
| |
| . multiple hardware failures, especially in combination with instrumentation and/or indication failures 7-11 NUREG-1624, Draft
| |
| : 7. Search Process e accident sequences that differ dramatically from " nominal" in the timing of plant behavior, the order expected plant responses, and the availability and reliability of equipment a unusual initiators or accident progressions, especially those similar to more familiar or l recently occurring accident sequences a unexpected or unrecognized interactions between hardware, especially for complicated systems or plant design features less well understood by operators, such as instrumentation and controls (I&C)
| |
| . dependencies between hardware failures, operator actions, and/or management and organizational factors (including those that cross temporal phases such as dependencies between pre-existing failures or initiating events and post-initiator operator actions)
| |
| . spurious or false information, indications, or a::tivations that divert operator attention The gcond type of EFC creates situations in which, while the operators' thinking is correct, plant behav!or, design, and/or configurationhinders operators from successfully performing their chosen mitigative measures (i.e., execution failures). EFC elements that can create executionally problematic situations include the following examples:
| |
| . multiple hardware failures or unavailabilities (including pre-existing failures)
| |
| . unusual plant configurations a plant design features (e.g., interlocks) that are difficult or time-consuming to recover if unintentionally triggered, disabled, etc.
| |
| = less than usual amount of time to perform needed actions (due to an unusual accident initiator or progression)
| |
| . execution requires communications between different locations and multiple operators, consists of many steps, or other workload, coordination, or communication burdens The third type of EFC is, of course, a combination of the first two types of EFCs.
| |
| 7.1.3.2 Additional Plant-Specific Information Needed for ATHEANA As stated above, it is difficult to anticipate the additional plant-specific information that will be needed is difficult to anticipate before the unsafe action and EFC search steps in the ATHEANA process. However,in order to assist in the initial identificationof potentially challenging situations for operators, it would be helpful to identify the following types of plant-specific information:
| |
| NUREG-1624, Draft 7-12 1
| |
| 1 m .
| |
| | |
| 7.0 Search Process
| |
| . equipment with historical or recent problems (e.g., frequent failures, degraded performance, unavailability)
| |
| . instrumentation / indications with historical or recent problems (e.g., frequent failures, miscalibrations or drift, degraded performance, unavailability)
| |
| = plant-unique initiators
| |
| . uniquely high or low frequencies of specific initiators
| |
| * recent history of specific initiators and common accident dynamics and/or progressions,
| |
| . plant-unique design features that are potentially troublesome
| |
| . " informal rules," developed from operational experience, training, and good practice, that can override or supersede formal rules contained in plant procedures
| |
| =
| |
| operational practices or preferences not obvious from the review of procedures (e.g.,
| |
| preferential use of a particular indication due to its perceived historical reliability)
| |
| It is admitedly difficult to specify what plant-specific sources will be most helpful in providing the above types of information. However, ATHEANA team members who represent training and operations are expected to identify the last two types ofinformation from their knowledge and experience. Interviews of operators, trainers, and other operations personnel should also be used as source information.
| |
| A variety of possible sources may address the first four information types, including the knowledge and experience of ATHEANA team members, maintenance work records, trip history, plant-specific incident reports, and interviews of maintenance and testing personnel, systems engineers, and field and control room operators.
| |
| 7.1.3.3 Other Information Needed Later in ATHEANA During the course of applying ATHEANA the need for other information and information sources may surface. However,to the extent possible identification of needed resources (both staff support and information)should,at least, occur early in the ATHEANA process. Plant resources that may be needed later in the ATHEANA process include the following examples: i a consultation with training staff, individually and, perhaps, in groups (in addition to the expertise provided by the ATHEANA team member (s) who represent the operator training department) e simulator exercises and associated debriefing interviews of operators and trainers 7-13 NUREG-1624, Draft
| |
| : 7. Search Process Later in the ATHEANA process, the training staff can assist in setting up any simulator exercises and help in the investigation of potentially challenging situations and development of error-forcing contexts. As noted in earlier process steps, the training staff can assist the ATHEANA team in identifying and understanding past or potential situations that have negative impacts on operator performance. The training staff can also be used to establish priorities (see Steps #4 and #5) and assist in identifying candidate unsafe actions and error-forcingcontexts. The simulator exercises and associated interviews will be used to support the ATHEANA process steps associated with identifying unsafe actions and error-forcingcontexts. It is anticipated that the exercises will obtain two different kinds ofinformation:
| |
| (1) support, verification,and further development of unsafe actions and associated error-forcing contexts identified by the ATHEANA team in advance of the exercises (2) identifications of new unsafe actions and error-forcing contexts 7.1.4 Establish Priorities for the Analysis The next two steps establish priorities for the HRA analysis using ATHEANA. The ATHEANA team can use prioritiesto make decisions regarding which initiators, event trees, and human failure events to analyze first, either with respect to developing an overall plan or schedule for the analysis or with respect to determining an analysis scope that both represents a significant improvement to the overall PRA model and is consistent with currently available resources. Performance of these steps need only occur if there are no overriding scope issues. For example, if the scope of the analysis is to re-analyze existing errors of(EOOs) already modeled in the plant-specific PRA, then the following two steps do not need to be. Similarly, if the purpose of the analysis is to investigate a specific human failure event or a specific accident sequence, then the ATHEANA team can skip ahead to Step #6.
| |
| There are three overwhelmingprioritizationcriteria that the ATHEANA team should keep in mind:
| |
| (1) the scope of the analysis j (2) the events or scenarios that the plant staff (e.g., operations manager, trainers) are worried
| |
| - about (3) any anecdotal experience (especially plant-specific) that may be important precursors to j more serious accidents The resources available to perform the analysis is often an important criteria as well. Note that the concerns of the plant staff (which historically have been addressed in only limited ways by existing j HRA methods) and real operational experience are the intentional foundation of ATHEANA priorities.
| |
| Priorities are established at two different levels in the steps described below. First, priorities are NUREG 1624, Draft 7-14
| |
| | |
| 7.0 Search Process establishedwith respect to accident initiators and the PRA event trees that represent them. Second, priorities are established with respect to the plant functions, and the systems and equipment that perform them, that are required to respond to accident initiators. By focusing on identified, higher priority plant functions and their associated systems and equipment, the associated human failure events defined in Step #6 also will be of higher priority. In both prioritization steps, the informationalinputsrequiredarebothplant-specific and generic, including some ATHEANA--
| |
| provided recommendations.
| |
| 7.1.4.1 Step #4: Establish Priorities for Examining Different Initiators and Event Trees Priorities for examining different initiators and event trees are used to further restrict the scope of the analysis and focus the analysis on potentially higher risk events. The existing plant-specific PRA' model, including event trees, fault trees, success criteria, initiating events and event frequencies, should be used along with Tables 7.1 and 7.2 to establish plant-specificpriorities. The ATHEANA team also may find the excerpts from operational experience given in Tables 5.6 and 5.7, which together can serve as templates or guidance for defining error-forcingcontexts, useful in identifying .
| |
| high priority initiators and event trees.
| |
| Table 7.1 provides a generic list of initiator and/or accident sequence characteristics that have potentially high risk-significance from the human perspective. This list is based upon behavioral science principles and operational experience reviews (see, for example, those given in Part 1), and PRA principles. For example, operators can develop expectations regarding the event type (based upon initial accident symptoms) and its likely progression for events that occur relatively frequently (or recently). Operators can develop similar expectations for initiators and accident sequences that have a wide range of possible conditions or trajectories. In addition, the PRA may consider od:y certain(e.g.," nominal") conditions or trajectories out of a broad spectrum. However, if a different event (but with some similar initial symptoms) occurs or if an event follows a significantly different trajectory than expected,than a potentially challenging situation is created for operators that can lead them to take incorrect actions. Challenging situations also can be created by events that have the potential for complex, hidden,or unfamiliar plant conditions. Such conditions may include: multiple hardware failures, especially those that are dependent; confusing, contradictory, or remote indications (includingthose wide-spreadproblems that can be caused by fires or seismic events); and confusing plant behavior (especially that due to degraded performance, rather than catastrophic failure, support system failures, and unusual plant configurations). If the time to core damage (or failure of a plant function) is relatively short, the ability of operators to break out of their initial
| |
| - mindset(i.e., expectations)and to correct any associated initial actions is limited. The opportunity for operator recovery ofinitial actions is similarly limited if a single functional failure leads directly I to core damage and that function can be failed by operator intervention. Note that the list of ATHEANA-suggested priorities for initiators or accident sequences contains generalized descriptions of error-forcing context elements (e.g., unusual, hidden, or unfamiliar plant conditions).
| |
| 1-7-15 NUREG-1624, Draft
| |
| : 7. Search Process Table 7.1 ATHEANA-Suggested Characteristics of High-Priority Initiators or Accident Sequences Characteristic Example Relatively high frequency events Transients, small-break loss-of-coolant accident (SLOCA))in the context of PRA Short time to core damage Large-break loss-of-coolant accident (LLOCA) in the context of PRA Potential for complex and/or hidden or unfamiliar No salient evidence or reminders; dependencies or conditions dependent failures, especially where cause and effects are far removed from each other; confusing secondary (PWRs) or support system failures; fires; seismic events Single functional failure goes to core damage (with possibility of human contribution)
| |
| Wide range of accident response, plant Confusion with similar but less complex situations dynamics / conditions represented The ATHEANA team should develop additional priorities and refine those given in Table 7.1 for their specific plant as follows:
| |
| * general initiator or accident sequence characteristics, such as those given in Table 7.1
| |
| = general characteristics of unsafe actions and associated error-forcing contexts
| |
| . examples of specific unsafe actions and associated contextual elements (comprising either a challenging situation or a complete error-forcing context)
| |
| Generic characteristics of either initiators / accident sequences or unsafe actions /EFCs are more powerful descriptions of priorities since they can represent " types" or general classes of unsafe actions and EFCs. Conversely, specific examples of unsafe actions and associated EFCs (either plant-specific or determined to be relevant to the specific plant) are " tokens" that, in principle, fit into generalized types or classes. The ATHEANA team should identify both types and tokens when establishing priorities for initiators and event trees. However, application of the differently defined priorities will require difTerent activities in later ATHEANA steps. For example, on the one hand the ATHEANA team must use the " types", or general characteristics, along with the review of the plant-specific PRA, operating experience and design, to determine which initiator / accident sequences are of the highest priority. On the other hand, the AiHEANA team should give high priority and flag all " tokens" for analysis in later ATHEANA steps. In particular, since " tokens" are already defined at the unsafe action level, the ATHEANA team must determine only how these unsafe actions are reflected in the PRA, through definition of appropriate human failure events, and complete or refine the definition of the error-forcing context.
| |
| NUREG-1624, Draft 7-16 i
| |
| _______._____m___ __._;
| |
| | |
| 7.0 Search Process i
| |
| Table 7.2 Sources of Priority Information Source Why Needed Purpose of analysis (e.g., specific initiator or system, Limit scope of analysis EOCs versus EOOs)
| |
| ATHEANA team knowledge and experience Identify plant-specific vulnerabilities Plant-specific operating experience Identify plant-specific vulnerabilities Plant-specific training / simulator experience Identify plant-specific vulnerabilities Plant-specific design Identify plant-specific vulnerabilities Industry experience (INPO or NRC reports, events Identify generic concerns that may be relevant to investigations (AITs, AEOD human perfonnances), specific plant bulletins, full-text LERs, etc.)
| |
| ATHEANA-provided examples of unsafe actions and Identify generic concerns that may be relevant to EFCs specific plant The ATHEANA team should examine plant-specific priorities for both initiators / event trees and important functions / systems / components (ATHEANA Step #5). Table 7.2 provides potential information sources for establishing such priorities. In particular, the ATHEANA team should collect information on plant-specific and industry event history (especially recent events) to identify any potential trends (e.g., high frequency events) or important anecdotal experience that are relevant tothespecificplant. Also,theknowledgeandexperienceofplant specifictrainersregardingspecific initiators or accident sequences that trigger known or suspected human performance problems should be given strong consideration. It should be noted that most of the sources shown in Table 7.2 will provide information regarding priorities at the level of unsafe actions and associated error-forcing context, in addition to information regarding specific initiators. In particular, all event-based sources with human contributions (e.g., plant-specific and industry accidents or precursor events, human performance problems identified by trainers or training) should have unsafe actions and error-forcing context elements. The ATHEANA team should identify these unsafe actions and associated error-forcing context elements from event descriptions using either the analysis approach associated with the HSECS database or the more general perspective represented by the ATHEANA HRA framework. (Event analyses using the HSECS database structure (Ref. 7 5) should be included in l ATHEANA team training.) As noted above, unsafe actions and associated error-forcing contexts identified in this step serve several purposes:
| |
| ( l (1) as descriptions! candidate priorities,both in an event-specific form and a generalized form 1
| |
| (2) as candidate unsafe actions and error-forcingcontexts to bejustified later in the ATHEANA process ;
| |
| l
| |
| .(3) in generalized forms, as templates for other unsafe actions and error-forcing contexts that will be identified later in the ATHEANA process 7-17 NUREG-1624, Draft !
| |
| : 7. Search Process It is recommended that the ATHEANA team document not only the results of this step but also the prioritization process, including judgments that are made. Table 7.3 illustrates how the ATHEANA team might document this prioritization process. (In a similar fashion, Table C.1 in Appendix C can be used to document the prioritization process.) Table 7.3, which used the suggested priority criteria from Table 7.1 and considered the types ofinformation in Table 7.2, displays the evaluation process for each initiating event evaluated. In addition, it is important that the ATHEANA team document any important contextual restrictions for each initiator identified as a high priority. Such contextual restrictions, which are likely to define the initiator in a more detailed manner than the plant-specific PRA, are needed in later ATHEANA steps in order to keep the analysis focused on high-risk /high priority events. Step #4 yields the following products:
| |
| (1) a list of plant-specific priorities for initiators and accident sequences (2) insights into possible unsafe actions (and, perhaps, associated error-forcing contexts) that should be analyzed in later steps of ATHEANA Table 7.3 Example Documentation of Prioritization Performed in Step #4 Single Functional Possible Wide Relative Time to Core Complexity / Failure Can Range of Plant Initiator Frequency Damage (CD) Unfamiliarity Lead to CD Responses Loss of Power High Fast ifearly Not especially complex Yes if all Depends on Conversion injection / pending "other" injection is "other" failures System cooling failure; failures. Actualplant treated as a otherwise slower events make this single function; somewhat familiar. same for heat removal Large LOCA Low As above; but even Not necessarily As above As above faster complex but certainly
| |
| " familiar" only in simulations Electric bus Medium Fast if early More complex and As above Quite possible failure / injection / hence error-inducing depending on degradation cooling failure; because of possible specific (Tac, Tde...) otherwise slower cascading effects. buses / loads Have had such an affected event at the plant which led to early confusion.
| |
| Loss of normal Low Fast if early More complex and As above Possible service water injection / hence error-inducing depending on cooling failure; because of possible specific failure otherwise slower cascading effects and what loads which may be subtle or are affected take time to be observable l NUREG-1624, Draft 7-18 l
| |
| | |
| 7.0 Search Process 7.1.4.2 Step #5: Prioritize Plant Functions / Systems Used to Define Candidate Human Failure Events Step 5 establishes priorities for the plant ftmetions,and associated systems and equipment, required in response to accident initiators. As in Step #4, the ATHEANA team should use the existing, plant-specific PRA model, the priority sources given in Table 7.2, and the examples of accident characteristics given in Table 7.1. In addition, the ATHEANA team should use the examples of characteristics given in Table 7.4 to identify potentially high priority plant functions / systems that have these characteristics. The ATHEANA team also may find the excerpts from operational experience given in Tables 5.6 and 5.7, which together can serve as templates for error-forcing contexts, useful in identifying high priority plant functions, systems, or unsafe actions.
| |
| Then, in Step #6, def'mition of high-priority HFEs associated with the identified, high-priority functions / systems can take place. The ATHEANA team should give strong consideration to recent plant-specific and/or industry experience and information from trainers regarding situations that are potentially challenging to operators.
| |
| In brief, the ATHEANA team should perform the following steps:
| |
| (1) Review each event tree in the plant-specific PRA (using the priorities from Step #4).
| |
| (2) Re-define each event tree in terms of high-level plant functions.
| |
| (3) Identify additional plant functions (e.g., " passive" or implied) and the systems and equipment that perform these functions that have been omitted from the event tree (due to simplification, etc.).
| |
| (4) Compare the ider.tified high-level plant functions to the characteristics given in Table 7.4, plant-specific experience (actual and simulator), industry experience, and so forth.
| |
| In producing a prioritized list of which functional losses warrant higher priority for examination using ATHEANA,it is recommended that a table, much like that shown in Table 7.5, be created to documentthe prioritizationprocess. (Table C.2 in Appendix C parallels Table 7.5 and also can be used to document this prioritization step.) Such a table, which uses the criteria from Table 7.4, should display how each function was judged and document a part of the thinking process that led to the final prioritized list. In addition, it is important that the ATHEANA team document any important contextual restrictions for each function / system identified as a high priority. Such contextualrestrictions, which are likely to define the accident sequence in a more detailed manner than the plant-specific PRA, are needed in later ATHEANA steps in order to keep the analysis focused on high-risk /high priority events.
| |
| 7-19 NUREG-1624, Draft
| |
| : 7. Search Process I
| |
| Table 7.4 ATHEANA-Suggested Characteristics of High Priority Systems / Functions Characteristics Example Scope of analysis HFE types - new EOCs versus new or existing EOOs)
| |
| Short time to core damage or functional failure Large LOCAs , ATWS Single functional failure goes to core damage No injection in a LOCA, failure of boron injection systems in ATWS Function needed early in accident response Inhibit ADS in BWR ATWS, injection in cenain sized LOCAs, boron injection in ATWS Little or no redundancy of systems / equipment that can PORV and HPI in feed-and-bleed, low pressure perform plant function injection / recirculation system for all recirculation modes Dependencies between redundant systems / equipment that can perform plant function Paucity of action cues High potential for confusion / complications unfamiliar plant conditions; similarity to other plant conditions; wide range of plant conditions / dynamics and accident response represented; cause and efTects are far removed from each other; part of a planned interaction; involves I&C (about which operators are often least knowledgeable)
| |
| Functional failure has immediate effect/ plant impact Suberiticality Functional failure can include an irreversible EOCs for inappropriate starts or stops of equipment plant / equipment damage that has no or no easy recovery options Human-intensive accident response important SGTR sequences, ATWS sequences principally for EOCs l
| |
| \
| |
| l l
| |
| NUREG-1624, Draft 7-20 1
| |
| | |
| d
| |
| ,s l
| |
| o grnu 4.o (nE, e 33:l e s ic re C r d
| |
| l
| |
| _ nv f n si L t n k/ n ai oo eudS l, qo/
| |
| t oc ct a a r at n t cit lo s s a ci ne mn u e to a. rnu t e e r n r rl o ai h
| |
| wesir b b ts s laoe el s
| |
| r aiqo ou l -
| |
| t - s uuaer i t e 'q co sseca &. n ut . eio ut r u u qnis t b n _
| |
| s reart mupn
| |
| - i n yd t oq ala
| |
| - l r _
| |
| I e ai Vre orpemis nt S er&mtoa f Rmisn cuo i
| |
| t -
| |
| t -
| |
| e o r e y e y e g b g b lb t r s y - ts y lya t )
| |
| lya )
| |
| isd r r et v n inwln l
| |
| m n e i s e l m t.
| |
| .t e
| |
| s e a o e ho e laa s a a o-4-.es. u.
| |
| vl c v t n n, d n d, ei it om t p s up u.
| |
| ti d, t.eb ip n
| |
| efrReE r e . tek at d a) e t gnu i
| |
| e uto gnuoq u oq-. w.
| |
| t gr s e o
| |
| ei qe P (ed e;e o . ai s q
| |
| _ I r o P (eb mu P (ed s
| |
| e te l i at s i
| |
| t a ly N _
| |
| ed c h I 5 r efe n =
| |
| # u mf e e iam E a.
| |
| l s m p e o s e Fi Y S G t
| |
| S l - n n n n ia n n oo t
| |
| bueuqos le le w ip d io i
| |
| d s tn ieCi t
| |
| s
| |
| 't n
| |
| s yei n lt u
| |
| c bi s
| |
| bl si s ofoos ee uye l ad s fu e t r u eml eb sct i s n Psd nimvde ca l
| |
| o of oeeikstu ad a ef r i o o at gmtoe c m Pf Dsl P r
| |
| f o f s s ly s s s o o o r o e n u
| |
| ci o t
| |
| r n s e a l y e
| |
| t a
| |
| l n e n a e iyo t i e fo dif o fooif o f tc t
| |
| umiomp P ct u e onb u cC s msoitc s s ct ts fu s s et mke v le n aA t omuu e n t e euu n sf sooa e o P t i cf l cf iol t d i
| |
| t a
| |
| i z e c t t n n y
| |
| r t r s t r s ee n e o ie o t
| |
| e n a e ir e v pd c p ci i
| |
| ua n n e u on r ed m pn p n
| |
| o d
| |
| n wnp ftn e u q i et p edui i
| |
| S er s
| |
| e e t mid a n s
| |
| e mdn el r ai o ua t r eB e q u /
| |
| S fe mt up e mteell s pa nit P D RE Pf Rd i oyc e S s ad st oye S sdami ai n
| |
| e ht f y e e o f c ht ) d) o f n n S iuqtC_ lb st ea otn
| |
| - oa i P nRoiS i
| |
| s s d e s e n
| |
| l ht oh l a,n le d sl ( o mla a m g i
| |
| o mude n iwr h t ocio(
| |
| t la yl e em f, bd o r ps yme yu nd v)in oRait l t t i igaos ct t les ant no nt a s ais minn a
| |
| t R il e r yt t r psi s c Msy MeeRoe r r( c v n
| |
| e m nd u o e t e ly c ir t i ia la o cn uq d e ly r
| |
| e D FR u e m r a n et e r
| |
| l e I m E Gl a p
| |
| t m a a a n d e le oi era eD t
| |
| d d a ly n s nr e h e laguse e l f l l
| |
| x gt uLC laidoe , de no la r
| |
| oa e ,de io n E n cl inqn t t f vd el -
| |
| ni a no nie so p i t ce isngu lel pt i i s c s m ois lgun ptc
| |
| - 5 i F uFat b
| |
| C t
| |
| ed nb oe ue s s ejoiou n cf n n e roe oiou Yf mn n Pps r Yics r cs cf 7
| |
| e l t b o e ly t
| |
| n s s
| |
| t e g) lo ly a guse e e r aD la l la
| |
| _ T momC iCa(
| |
| i nt t
| |
| e r d se po inqn i
| |
| tr ot y
| |
| r e
| |
| ng T D toh onb e ue s h a r e n P s ps r S c Glo sl e ly ly ly l
| |
| Cibs la la a Os it n
| |
| it n
| |
| e it n
| |
| Eo P e te t
| |
| o to o P P P n (afo w) o y oj i
| |
| t t t n gl n la -
| |
| n io n & i.ss v i
| |
| c la n lat i
| |
| o u b tic oec lph uge t
| |
| am e e F ui r ojoir Cich np l l R S c
| |
| _ qh ** 2CNM _ *.e9= -
| |
| : 7. Search Process Because the information sources used and the activities required of this step are expected to result in the identificationof examples at the level of unsafe actions, rather than human failure events, Step 5 yields the following products:
| |
| (1) a preliminary list of unsafe actions and, perhaps, associated error-forcing context elements (2) a list of high-priority plant functions / systems Table C.3 in Appendix C can be used to document the results of both prioritization steps, Steps #4 and #5. Both the list of unsafe actions and the list of high-priority plant functions / systems will be used in the next step, along with PRA concepts and knowledge of the plant's design and operational characteristics,to define high priority HFEs. The example unsafe actions,their generalization from examples (or tokens), and any contextual information, also will be carried through the analysis performed in even later steps of ATHEANA (e.g., the dermition of unsafe actions, the identification of unsafe action causes, and, ultimately, error-forcing contexts).
| |
| 7.2 Identification of HFEs and Unsafe Actions Using Plant / System Knowledge The next four steps in the ATHEANA process require plant / system knowledge and some knowledge of plant operations. Because a relativelylarge catalogue of potential HFEs can be generated in this process, it is suggested that HFEs be prioritized (using ATHEANA Steps #4 and #5) before proceeding to the identification of associated, potential unsafe actions. However, since potential HFEs are limited in number by the configurationand design of plant equipment and by the functions that this equipment performs, generation of this list needs to be done only once and can be re-used in later HRA/PRA updates or applications (unless the plant is modified).
| |
| These steps are relatively straightforward and are based solely upon the plant hardware (and not upon any human concerns). Consequently,it may be most efficient if the HRA analyst (perhaps with the help of a PRA analyst) generates an initial list of HFEs (and perhaps some unsafe actions) prior to assemblingthe entire ATHEANA team. The entire team can verify the HFEs already identified, then perform the remaining steps as a team.
| |
| 7.2.1 Step #6: Identify Candidate HFEs Performance of this step requires the following inputs:
| |
| * the plant-specific PRA model, especially event trees and success criteria
| |
| * knowledge and infonnation regarding accident response
| |
| * knowledge and information regarding general plant design and operations
| |
| * knowledge and information regarding system design and operations The goal of this step is to identify candidate HFEs, based upon the requirements of plant accident response. The selection ofindividual HFEs is on the basis of the system or functional requirements of the events associated with branch points on event trees. Candidate HFEs are defined as (human-caused) functional failures at the plant function, system, or component level. At this stage, HFEs NUREG-1624, DraIt 7-22
| |
| : 7. Search Process 7. Search Process are defined entirely in terms of these failure modes (i.e., are based entirely upon the design and operation of the plant) and not upon the human-centered causes for these failures. A more precise definition of the HFEs finally incorporatedinto the PRA model may be those arising from specific unsafe actions and specific reasons or explanations for these unsafe actions, that may include human-centered causes. Since the failure modes underlying the definitions of HFEs are similar to those caused by hardware faults, the number of possible HFEs is limited.
| |
| In principle, this step must be performed for each initiator and event tree, and for each function represented in each event tree. Consideration should be given to functions that are both explicitly and implicitly represented in event trees. In addition, some plant functions shown as event tree headings represent more than one system (under either an AND or OR gate) and consideration should be given to each of these systems. Finally, ::xamination of some PRA-defined initiator categories which encompass a broad range of specific initiators or plant conditions (e.g., transients, loss-of-offsite power (LOOP)) should be done. The examination should focus on potential decomposition for individual consideration (e.g., Loss of Main Feedwater events within the transient category). However, the priorities established in Steps #4 and #5 can be used to either reduce the scope ofinitiators/eventtrees and functions considered or to suggest an order of considerationin the process of HFE identification. (These priorities also may assist in determining a strategy for decomposing initiator categories.)
| |
| Using the prioritizationscheme established in previous steps, the ATHEANA team should perform the following tasks for each function represented in event trees:
| |
| (1) Identify whether the function is needed or undesired with respect to the accident response requirements for the specific initiator or sequence.
| |
| (2) Identify the system (s) or equipment that perform the function.
| |
| (3) Identify the pre-initiator status of the system (s) or equipment (e.g., normally operating, standby, passive).
| |
| (4) Identify the functional success criteria for the system (s) or equipment.
| |
| t L (5) Identify the functional failure modes of the system (s) or equipment.
| |
| (6) Assign a category number for each functional failure mode.
| |
| (7)- Apply any analysis scope criteria regarding errors of commission or omission.
| |
| (8) . Identify applicable descriptions of possible human failures that can be developed into candidate human failure event descriptions.
| |
| Tables 7.6 and 7.7 serve as guides for the ATHEANA team in performing these tasks. The numbered columns are associatedwith each of the eight tasks listed above. In fact, a blank column 7-23 NUREG-1624, Draft
| |
| | |
| (i.e., column 2) to be filled in by the ATHEANA team is specifically included in Table 7.6 for use in documentingthe results of the second task (Altemately, Table C.4 in Appendix C can be used to document the analysis performed in this step.) However,the guidance given in both Tables 7.6 and 7.7 are intended to be illustrative, rather than exhaustive. The illustrative purpose of Table 7.6 is also achieved with the examples of systems, given in the far right (unnumbered) column, that may have the characteristics shown in the other columns of Table 7.6. Similarly, examples of human actions that can fait plant systems or equipment by different functional failure modes are shown in column 8 of Table 7.7. Being illustrative, both tables should be used to trigger ATHEANA team discussions on which of the examples given are applicable and on other possible success criteria, failure modes, and human failures.
| |
| Table 7.6 can be used to accomplish the first six tasks listed above. First,with the left-most column of Table 7.6, the ATHEANA team must identify whether each plant function in each event tree (using priorities determine,d in Steps #4 and #5) is needed or undesired. Next, the systems or equipment that perform these functions must be identified. Then, the tasks associated with the remaining columns are performed for each of these systems. In column 3, the likely pre-initiator status of each system is identified. (However, the ATHEANA team should remember that some initiators can change the status of systems. In such cases, the immediate post-initiator status is more relevant that the pre-initiator status.) After having determined the pre-initiator status, the ATHEANA team must determine the functional success criteria and functional failure modes which are appropriate for each system. Table 7.6 (columns 4 and 5) provides examples of PRA functional success criteria and PRA functional failure modes associated with different types of systems of equipmentbased upon ftmetionalneed and pre-initiator status. The ATHEANA team should begin by considering those functional success criteria and failure modes represented explicitly in the plant-specific PRA. In order to complete this activity,however, the team should try to identify additional important success criteria and failure modes. Such criteria may be implicit in the PRA model, or '
| |
| may be indicated in emergency operating procedures or operating practice. Review of anecdotal experience also may be helpful in these activities. Finally, the ATHEANA team should determine the functional failure mode categories (column 6) applicable to each system.
| |
| Since most systems or equipment have multiple operationalrequirements for success (e.g., automatic actuation, continued operation for required mission time, control of operation during mission time) and, therefore, multiple opportunities for failure, it is important that ATHEANA users identify all of the functional success criteria and fu'n ctional failure modes that apply to a specific system or piece of equipment when using Table 7.6. For example, for needed, standby systems, the ATHEANA team must consider all of the example functional success criteria associated with a " standby" pre-initiator status and the functional success criteria associated with a " standby or operating" initial status.
| |
| The results of column 6 in Table 7.6 are used in Table 7.7 to perform the last two tasks listed above.
| |
| With column 7 of Table 7.7, the ATHEANA team can focus the remaining analysis steps on either errors of cemmission or errors of omission. This seventh task is inserted at this point in the analysis since the scope of the ATHEANA HRA analysis may be limited to only certain human failure modes l
| |
| (e.g., only EOCs, or only EOCs and non-backup types of EOOs). By applying scope criteria at this point,the investigation of possible human failures can be limited to only those associated with the l NUREG-1624, Draft 7-24 1
| |
| | |
| ,i ; j l
| |
| )i l1i !l 9 yOAlr Nkgm l Rl a l
| |
| ic Ri m
| |
| ;e nh ioc-laS t
| |
| u C cV i
| |
| crC s 1C, C NC, .S e; r sp e D e s
| |
| e s S V r S. u m e
| |
| s y
| |
| r o C. t A.
| |
| e C. S su s p S ta F S wPs et e
| |
| lp lu n
| |
| N R. D J .C C.
| |
| l r n pa m e A. R - . R.
| |
| C. wo l c t P A.
| |
| e s
| |
| c P_ s V C.Ll P s
| |
| t S. Ioo- c E a. l.
| |
| l.
| |
| R R W .C P S l Rr o P
| |
| l P P O FP Mll LS C
| |
| R tr Pt R I I
| |
| I I P S Lc a
| |
| ; e n -r e osP r
| |
| u yr itaC l
| |
| iag o luR
| |
| 's F et a O c
| |
| r ;
| |
| ice r t
| |
| )isC t
| |
| 3 4 3 3 6 7 8 9 n 6
| |
| ( e s e 1 2 3 4 I I et r a ew e o d t
| |
| rd m c o nM u
| |
| u s e e e F sf e
| |
| r r pi n i - a
| |
| : hgrn q n ty -
| |
| e ;.
| |
| h e .
| |
| ly r
| |
| o la u
| |
| y ihW -
| |
| : e. f RF R s e e e
| |
| . - d e
| |
| w s
| |
| r o y la c d e
| |
| n a
| |
| d e
| |
| w s
| |
| ls u
| |
| o PM m n J w w d m A d e
| |
| ta u
| |
| tc te o ly .
| |
| to t
| |
| a u o I e d e.
| |
| im m
| |
| T q d d
| |
| - n u
| |
| p it yen t
| |
| R e t
| |
| c la:.
| |
| M /a a te e u v. e e tc e e J. to es p n s e /e um n om a um ; u n p i a s at r s P r te a
| |
| ni nt a
| |
| mne tmit t o tmit
| |
| . a p ia o t n
| |
| e g py n
| |
| o
| |
| )i 5
| |
| (F lu a
| |
| i i
| |
| ti n
| |
| o im t
| |
| o m
| |
| o n
| |
| oe c s toi s
| |
| e b hw o
| |
| n n oo c is toi s
| |
| ly la n n n oio c
| |
| oi ss bd e
| |
| m o e w m
| |
| o t
| |
| o s
| |
| m e
| |
| t to n b
| |
| ts e
| |
| o ia-m to n
| |
| a hcy s le s s en r
| |
| oio p la t t m ts de m u t s m t
| |
| ls uq s
| |
| u ts t
| |
| s s um ct
| |
| - a U
| |
| n o is l s
| |
| ia y ls f ao l ia m df s
| |
| ao n
| |
| a df ao ra la i ilam s
| |
| m la i
| |
| ta i mi r S iz i
| |
| fWy u m ia se m
| |
| : f. w is p Cr t
| |
| c n t la l
| |
| f;a l l f.. no f..t c f.. en t n
| |
| f... on f
| |
| ; as t n
| |
| f f f t
| |
| e t n rp o ;s d u n c .. ic . i
| |
| . a .
| |
| . e i
| |
| .. tar
| |
| . e d
| |
| .d e ep r s ee r e
| |
| s F ei mta .a
| |
| .t .t
| |
| .vuar
| |
| . .. d'e
| |
| .tar
| |
| . md .de
| |
| . me e., ri
| |
| . de -
| |
| r m ma pn t
| |
| ap ru ipire ru rsr p g r ipsu
| |
| .cm
| |
| ; ipm uo o u.d qr u qm
| |
| .v m
| |
| :u d qr u uq q :u qr o d
| |
| :uqpe u. a n s
| |
| :u q uq :u a
| |
| ut qa t md qn i
| |
| we d d t
| |
| qh e B qt u E a F,. a u Ef o Em Ef o E e r Ef E o E c F Er e E Es E a f
| |
| ec ei t s a e s s r ym r
| |
| a d e e r s o l o
| |
| o t
| |
| m u
| |
| m e
| |
| e g
| |
| d d
| |
| e d ma am im l
| |
| ixa u M i a
| |
| r t
| |
| c a tc a olr o n e r ta o iJ. naft e
| |
| w u ms ei s tnr i) ao u -
| |
| aS te ly f ( uf ;l
| |
| - pon q rm eta -
| |
| D e
| |
| r i
| |
| r la y tee taa c tee n l e
| |
| r d f no r i pt i WA C c llaa ic repnmit r u lyrtom a s n F u )
| |
| s s
| |
| i) mem ta yet laoo l pn laow n m dei on ni t -
| |
| iaso As ;e l
| |
| i 4
| |
| (
| |
| e c
| |
| c m e m oo i os u nt os i
| |
| ucd n ha pm pr tmp ; v nl c u ot tu no ot s a is a or o u a e o av F lS a is ae me tus i )s ef n m ._.f m t o tm y f.
| |
| r e m tsd r mm i it cf 1 e u tns e n - tmout
| |
| _o na e s -.- .tm i tno e f tnd e e ji ee
| |
| : nnn . :_. mes mm
| |
| .ie n s ma e t
| |
| m p J.v inl e n ne . oio o pms pc r mn .ss e . m iptr s
| |
| ,ct , .
| |
| .u m .e i
| |
| uiu ta ed i
| |
| o n u
| |
| uo qh vd a
| |
| r n ui m rdn w qs i .ta m Eai q wm qr E (o st t
| |
| ue s ta F E (s E ad m Ead Ea m '
| |
| " t s
| |
| t e e r
| |
| py er n
| |
| e r e
| |
| R OG G wrw -
| |
| F t Y YN N Y loe- w 6 )eiss u B BT I
| |
| E V
| |
| I T B I o P p 3(
| |
| sne t D DA I A D L s-7 I e N NR S R N mS A AE S E A ;V n
| |
| e P T T P A P T oR l S SO P O S iO t
| |
| - b cP e
| |
| t j; ng T ... mo
| |
| - n i
| |
| ein n t ot ri uoi o r l
| |
| )
| |
| 2 :
| |
| a
| |
| .hf rre s ot c
| |
| (
| |
| yT e u s e nj c e C PF r pwi n h oy igdt t e h uf I - h s a P -s I -
| |
| n D I I CS si E : D; e
| |
| iJ R t
| |
| ) t 1 c .?At D
| |
| E I
| |
| S E
| |
| is6 l ;a t
| |
| n
| |
| ( n g l D mlao FJP u
| |
| t E
| |
| E D
| |
| N yvo noc I
| |
| N U omit r
| |
| )
| |
| a b
| |
| )
| |
| cen
| |
| ( ( Ar a t t 1
| |
| a e hemu lalo u v
| |
| _ d ids e
| |
| r na 4I* sq 2Cmm l 54".UQ:
| |
| e 2
| |
| | |
| l j' l lljIji j ,I)I;II 1l l ll1I
| |
| *. fj5@ "UjeE _
| |
| e n _
| |
| oo c c b a d c b d d t it r a d b 8 8 8 8 8 8 8 o rc e
| |
| o7 f #
| |
| 8 7
| |
| 8 7
| |
| 8 7
| |
| 8 7 1 7 7 7 7 7 7 fA e M s el ep nf b e ic b lb e le b lb e le b
| |
| a le b
| |
| a le b
| |
| a le b
| |
| a le b
| |
| a lba le b
| |
| a o aaaS rs t
| |
| a T
| |
| a T
| |
| a T
| |
| a T T T T T T T r
| |
| u TmT U
| |
| T t
| |
| i c
| |
| F )
| |
| l a s u te a
| |
| n t a de de l
| |
| o r
| |
| e p i
| |
| o lot r s p tr te t r p o
| |
| t o
| |
| s t t n y n t n
| |
| c o b u el v p o o l a . e cdn t c t u
| |
| u cat t r
| |
| a i e dd ic d e n a
| |
| .. mn c it a/ s s yy t a p u n yi.g F md l
| |
| a u
| |
| le t te a a l m o t o i t
| |
| m, p
| |
| ;l ua o a. n d s n q -
| |
| A s e
| |
| r t
| |
| u a .
| |
| . a i;r r
| |
| p d e
| |
| l lo e t u
| |
| a l
| |
| a d e
| |
| o c k u
| |
| f e er R l u
| |
| mm m,
| |
| p d o e
| |
| npr e.
| |
| y iu r
| |
| d t r
| |
| d m u
| |
| n iu r
| |
| d n
| |
| c a op u
| |
| P i F
| |
| a oo u igpa y. q e le o n g e o r
| |
| a m,
| |
| q e (
| |
| a b o
| |
| pk oca y r r k dl lo/c n f n t e/ann ff r r s c a d e a n r d d d p n e d p b b ) ns a
| |
| dev J. b t
| |
| ad i.i.
| |
| ne m m ed h te tne h c y t e e v k u
| |
| h e t r n uo s o et a a o a a, k n e 8( u o
| |
| . ~ n iml ta . . w au / c r ly i t
| |
| r r
| |
| e m c
| |
| a w t s- s ch at H .
| |
| d r o o o d tc depe e g p e b d e t bi e a d wa n te is v
| |
| v a ta o t
| |
| a e o r o e r r a o w o e lp yy a, yyhs t
| |
| a y ul r y
| |
| . i y
| |
| t n y y n p p y t s- nt.
| |
| el le le o le M m a
| |
| le le t
| |
| a t s ls ia l
| |
| lee r r a a /o /o t t
| |
| ;idd tcte a ;s pte oa e ;y vty
| |
| .i yr ed p gh t
| |
| a i t
| |
| a d
| |
| n a,
| |
| t s
| |
| e t
| |
| a ly e
| |
| r ht iw i.
| |
| a e
| |
| r E x ;;
| |
| v f
| |
| n
| |
| .r ypnnaa b e
| |
| r b e c ;m r
| |
| p s b y s .
| |
| a tnea u ,
| |
| o n o l o n e u u. v
| |
| : v. t o o o u ry r ia m io isuiy inb t . i y y it a
| |
| y yuu t y t r r p p
| |
| f t y r iof l
| |
| i y
| |
| .y u v rpp ls r
| |
| - ls r a p ls - u t n ao c . t t o t a .
| |
| o i p
| |
| F i n-. t c
| |
| a k. ni oo uu ian ia ni f tat s ntle i n i n t s f a i n s tu c c
| |
| a e t t n c t n t.. tn t.
| |
| : f. i
| |
| .t..
| |
| t n t..
| |
| iaiar 4 t n ic t
| |
| n t. t.-.
| |
| r, mp n e o.
| |
| i t
| |
| a e . e .
| |
| .m . ~ e ~
| |
| oorp a e m
| |
| t a
| |
| e m
| |
| m a..
| |
| s o u
| |
| ;r a m .
| |
| m m p
| |
| vp r
| |
| . m p y
| |
| -,t
| |
| .r p m p y v ;v p y ;ir o ;u iu o iu u ;u iou m i;uu t u
| |
| i;i;uuuu qqqq uu qq i;uu qq :uls pa q q t
| |
| u q q q vp qq qa i
| |
| : EE A EEEE EE EE EFI n E E A E F E SS H * * + * * * * + * + * * * * * * + + * + +
| |
| * d n O O O a r o? O O O C C O O C O O s C O C E E E e 7C O
| |
| )
| |
| O O O /
| |
| C O O O O O O O r (OE O E E E E C O
| |
| C O O E E E E E E E l
| |
| u E E E i
| |
| a F
| |
| n laoyd e
| |
| a n m
| |
| )ioMr 6t e
| |
| ( crt e o
| |
| g i 2 3 4 5 6 0 1
| |
| 7 9 8 I
| |
| I nua H FauiC l
| |
| l y F e
| |
| k i
| |
| ly L e y l a r f s ta u fo ly e r d s o d o e e p
| |
| r o e r
| |
| l'a ic n
| |
| a d e u s t a o d is t m p io e M t u o lyde le d e a m d p
| |
| o r
| |
| u l e c t lair lo e p p r a e e uu r n o p t
| |
| s s lu /e um ni t nq a e t
| |
| n ia t
| |
| u a
| |
| p o n s e
| |
| m ia t
| |
| a it mr o t n p t i.. g a )
| |
| F i
| |
| i t
| |
| n nn oo ee n c e ia o s
| |
| e
| |
| . n a
| |
| x 5 la i c is bh bd m t s b .
| |
| . hcy E (
| |
| n o t o t oi s t ow t ore t o t o t o o t n s l e ito m sde s ut a i
| |
| ls iuq ils ls
| |
| ;r t ls ls f ls l t a
| |
| 7 c n ia y ia o li a at ia e ia ia i
| |
| f a a a t s
| |
| fl f ft tu f r f f f r t.. u 7 u l n .s o.
| |
| t.. a 4 o nca .a t. t. t n
| |
| t F
| |
| .d
| |
| = .
| |
| e . i
| |
| .. ed a e u, yy A ~
| |
| .tic t
| |
| a e/ m
| |
| .de l
| |
| .a r md -
| |
| o m . . .
| |
| R . aer b ym yu pte rt --
| |
| ;,s -
| |
| y ip yr yni a P ;u o ;d u iui a ;u ut u ;u u ;u iu ;.d qr q eq t qn T Ea qt u Ef o qt Ei n E o qp Es qa t E
| |
| q E
| |
| q Er Ea zChC gNN $g 4y -;
| |
| : 7. Search Process human failure modes within the scope of the analysis. Column 8 of Table 7.7 provides examples of human failures that are either EOOs or EOCs and that are categorized by the system functional failures shown in column 6. The ATHEANA team should review the examples provided in Table 7.7 to determine which are applicable for the function and system / equipment being considered. In addition, the example failures in Table 7.7 should be expanded upon using the ATHEANA team understanding of the system /equipmentdesign and operational features. It also is important that any ideas generated by the ATHEANA team regarding specific unsafe actions and associated error-forcing contexts be documented along with the results of ATHEANA steps.2 The example human failures given in column 8 of Table 7.7, and the additional ideas generated by the ATHEANA team regarding possible human failures, are used to develop candidate human failure events,as defined for the plant-specific PRA. (See the instructions given immediately below.) In addition,the example human failures are used in the next step (Step #7) to identify possible unsafe actions. Consequently, the last column of Table 7.7 provides direction on the appropriate table to transfer to in order to perform Step #7.
| |
| Based upon the identified, relevant human failures, several candidate HFEs are expected 'to be identified for each system / equipment. Using the example human failures given in Table 7.7, these HFEs should be defined in the context of the plant-specific PRA. The associated descriptions of these candidate HFEs should have one of the following general formats:
| |
| Error of omission:
| |
| Operatorsfall to (action verb for functional failure mode) System X Error of commission:
| |
| Operators inappropriately (action verb for functional failure mode) System X The products of this step are:
| |
| (1) a list of candidate human failure events, and their associated descriptions, for each system and event tree (2) direction regarding the applicable unsafe action table to use in Step #7 for each candidate human failure event, based upon system functional failure mode, human failure mode, and example human failures 7.2.2 Step #7: Identify Unsafe Actions In order to identify unsafe actions, the ATHEANA team now must identify the different ways in 2
| |
| Experience suggests that the ATHEANA team will most easily think at the level of unsafe actions and error-forcing contexts, rather than in terms of HFEs. Consequently," thinking ahead" to unsafe actions and error-forcing ~ context is not discouraged but should be documented as it occurs. Therefore, such ideas are p eserved for future use while maintaining the systematic nature of the search process, which is desirable.
| |
| 7-27 NUREG-1624, Draft
| |
| : 7. Search Process which the operators could produce the effects characterized by the failure modes used to define candidate HFEs. The last column of Table 7.7 guides the team.to different tables (Tables 7.8a-e) based upon functional failure mode and category of failure mode. Each of the Tables 7.8a-e provid example unsafe actions for different human failures (that should have been used to define speci candidate HFEs in Step #6). The examples given in these tables should be used in conjunction with understandingof design and operational characteristics of plant systems and with plant experience (both simulator and operational), industry experience, and the plant knowledge of the ATHEANA team in discussions or brainstorming sessions to identify applicable unsafe actions and generate other possible unsafe actions. Appendix B provides some examples of unsafe actions. Because,in some cases, more than one category of functional failure mode will lead to the same table o f example unsafe cctions, the team should not be overly concerned about what category leads them to the applicable examples of unsafe actions.
| |
| Most of the example human failures and unsafe actions result directly in a f metional failure.
| |
| However, the control failures (i.e., functional failure mode category 5) addressed in Table 7.6c more often involve the effect of equipment failures on plant functions. For example, "under-cooling" in the context of the high pressure injection (HPI) system can be the result of too little HPI flow (e.g.,
| |
| too few trains operated, over-throttling, etc.) or of the HPI pumps being turned off or not operated frequently enough. The dependent effects between systems and support systems (including shared resources) also must be considered. Consequently, the ATHEANA team should also use the following sets of guide words to assist in identifying indirect effects of failure modes:
| |
| Examnles of key niant parameters to be controlled:
| |
| * temperature e pressure e level
| |
| * volume e flow / flow rate a reactivity a sub-cooling margin Examnle control failures:
| |
| a too much/little (e.g., throttling) (quantity) a too soon/ late (timing) a too fast / slow (rate)
| |
| * too many/few times (frequency) a too shon/long (duration) l
| |
| * too many/few trains (quantity and rate) l
| |
| * under/over-throttling (quantity and rate) l NUREG-16?4, Draft 7-28 l
| |
| | |
| 1!i 1Ii1 l l j1!llijl1illl)l I) 1 j1l4 I l ! l!
| |
| !! iil' lt.!l : i
| |
| : 4. N!E-e :
| |
| E s
| |
| p m
| |
| u p
| |
| g i.
| |
| (
| |
| e m s .
| |
| u r r t
| |
| a
| |
| * e e t m s w s w s
| |
| y o t u op tun p b fr a a p d p s lor t t s l o t
| |
| o s n
| |
| n a
| |
| u-e n ls deotn ls d n t
| |
| r o
| |
| t s a a eo S i r o
| |
| i l
| |
| / n smc gr r r n .mc g r r r
| |
| t c n A
| |
| * o is oa /o s* is o d icnf c mf*a d /o e e e.. t eo nd n a/tmo a t f a it r a m a /s t s r a ia. ml s ue ml s ue t a U m - f oansov t.
| |
| oanst ovi n e
| |
| t f n o
| |
| t u gl to i m t u gl o m-S l e o c ai a nmtn4 s ,
| |
| s amt n
| |
| s p
| |
| y p t u t s s s cigei uoq a. i geiu ni n
| |
| m o .it sb peoq.
| |
| .ci l l l e eisb r t pe l.
| |
| : a x a.
| |
| c.
| |
| ms iptu pa cat pmis t et ya cat ymist iet c E -
| |
| a u i si oad l f a . oad si a i
| |
| t
| |
| : 4" uk
| |
| ) qsut el s
| |
| oaoon r umr ag or t
| |
| r u mr la f s t oaoon o g r
| |
| qc e a t s
| |
| t m elogm s eu eie sl a v sl ab ot eab sl eu ab ei c a vsi ot b
| |
| - nro o k e oa t pae sk yi aeei ms s pae yi aeeisk msea s t a lhcrn bdt r bdt r rd t t s ies o, s rs rs rs r.. rds s r rs rs rs rs rs A o *p roy r r oooo aa a ta mt t t t o oooooo t
| |
| aar rtartar at r t t t t a ri nrd tab r r r r
| |
| . a
| |
| . r r a
| |
| a e ptupa e n e e e e e e pppppp e e e e e e pppppp h O pO t s OOOOOO OOOOOO t
| |
| t . * . . + + . . .*+***
| |
| n e
| |
| m p
| |
| i s
| |
| r e r m q le m
| |
| o m
| |
| o o E
| |
| /
| |
| i a fr fr f d
| |
| r s F d d n e e e v v v m a o os u o t
| |
| e m u
| |
| m el mt ea m el s H r o r t s r o yt r y yt r y e y n S l p
| |
| le n t o leb t
| |
| le t o iac ad iac r m r c in r
| |
| pt a r c f
| |
| o a x
| |
| pi oa t o/ s pi ot a E pm r r pd pe pm r
| |
| s po po am C at n u I a Inra at Ina u O = +
| |
| * E l
| |
| e .e b
| |
| i f
| |
| olaod s n 2 s i_toM d o .icre n a
| |
| 7 P . nu
| |
| :a oi l I a CFaF 8
| |
| 7 l
| |
| e e ly b r la c e c H it a p T F a
| |
| m o
| |
| t o
| |
| s l
| |
| as totu o
| |
| ne od s a t
| |
| ts -
| |
| e ie t
| |
| cM ilat f a ie y fl n u u t..t ca t.. lac F ..t i
| |
| A a /c m
| |
| -,e
| |
| .a ym m
| |
| R ;uit :u o P qi qut Ei n Ea D
| |
| 2cJm9gu e;2e 4* :
| |
| | |
| *. j 7Ih e
| |
| r
| |
| ) o i
| |
| n n gt c e
| |
| t b
| |
| u p n is e s e.
| |
| s s ig y u d A m p s e b ta RC .
| |
| m u d f
| |
| d n
| |
| t s HO RL w -
| |
| p o a d rS w ls t
| |
| s ls e e I, r a e a o n g
| |
| e d
| |
| i s
| |
| r o n smar gr lsa v
| |
| o,. es f s
| |
| g is
| |
| ( t
| |
| * is a= v c u n n _
| |
| e o d
| |
| e f"o g gl a ;
| |
| o ic v n m ic=
| |
| t *=
| |
| a/ st u ) is
| |
| )(f
| |
| : e. v r it l r o r ml d s n deri s e
| |
| . )
| |
| lao r
| |
| : w. n oev a
| |
| s e
| |
| s e
| |
| ita
| |
| * r d oa o tu ns e lao nnt i ntele t ot is o n
| |
| n r e e gl a ioga r ioe r t a eb c c io tu p
| |
| o r
| |
| ainn s s gi ts t is gu t is a e md h d a it c t ) fu iu s cio p is o ni ort t.a i*
| |
| cd e ai t c d o q e eis piof n pai f
| |
| c ma t
| |
| n A e pofr t
| |
| e r r t pa ct pmie ea o t -
| |
| e gnhg pl w at r om t o e f e
| |
| a p
| |
| totn d.
| |
| u f o uoa t
| |
| mla s rl c s o -e eirs r
| |
| si u es
| |
| -rt inev n yi
| |
| . ut au ve ro a.
| |
| st t a m s s e t
| |
| u r u ;uel d p U m s m p p g
| |
| e o o aot gn s cui v cc laii ladh t qmas lepee r
| |
| rtn at u e axn e e it r c qm i
| |
| u e mi ( -. si a s v, at ta v,i. id no mqe e p ;p m uqu a ab g=nmo un uo t
| |
| l p
| |
| pe t
| |
| n a paee g .t p q d i ui e **ua (te tun s e ;p yi sk aes .
| |
| t i emse tr u qu s ,e bdt r oe a qeq E
| |
| /
| |
| e n
| |
| gl
| |
| .b ip m
| |
| q u dddd
| |
| (
| |
| . i v wdrei p u r..
| |
| ts e ee s E (eas u e nnnn aaa a at n t n n e end lyiuq*. /
| |
| e gind te q n ea mmw e qeh t
| |
| ail rr au r.mp u, i
| |
| m e t t t t tael ua- e nann oit tn d ig p e ed t
| |
| ia l e m am ae a., ;ui; iu ipo u lf ur qf t r w t
| |
| c e oa ar vct t mn p a f a e p pp ., quu q qn eons s
| |
| y iua r
| |
| o r pi;i; e qq ee e ei g da n on yyyy n
| |
| gt tee totioaoatco l ll ll l
| |
| dn ueqqqq uuuu n gt e i
| |
| S qt e s e n ai eeee aa i ai n t llauua -a. au .
| |
| ..an l
| |
| f p ht *) b a pl / pppp iauu l
| |
| lae rl t u nre nr e nn-aa o
| |
| to oLi s onoooo -
| |
| e aa t t cc e-r ps oe o p od .
| |
| m n sb c d ).i s a s s ss tsi ot t
| |
| ssst s t t r., sr sr s s r, ds o di r gr s n s
| |
| rm s .r m.
| |
| : s. s r -lor s xr s r o r s r r r r r . oo r r oo er ono o o woo a.ou oooo a. tt oooto t i t c t
| |
| .tar t i
| |
| t t
| |
| aa t t
| |
| - a a t gaa aa t t t t aa
| |
| . r r raar su t t a r a r ur o a r
| |
| a r
| |
| e r rl r ri r r r r e e s ed e pls e a
| |
| r ppupr eel e p.enpppp f eeee reepp ppe p r A p me pp e O O "p O ap O co O O O O COO OOp r
| |
| OoO( OCOO p * * * * *** * * * * * - * *
| |
| * O d o d e t e
| |
| N t r
| |
| e v lp e
| |
| o r i e t o d d y
| |
| d e
| |
| n ly le u te n i
| |
| o s e
| |
| r ir a
| |
| ir t
| |
| a i t
| |
| n t u p p o a
| |
| r l
| |
| i a d e
| |
| o r
| |
| p or p d c
| |
| e F n p p n a
| |
| p e ig a a (
| |
| a d la i n i n d m
| |
| O s a
| |
| te a
| |
| /
| |
| d e
| |
| s e
| |
| s d te t e
| |
| r f H in t c s. a a o e m lo a r u
| |
| o r
| |
| e p
| |
| t s-e n lp r e s s c
| |
| ~ o r i
| |
| e i
| |
| o m a
| |
| t ly le y r r
| |
| i r le y
| |
| le y
| |
| t x e ta /o /o ta ta a E ta i d d n
| |
| i r
| |
| i r
| |
| u i r
| |
| p r
| |
| p n a a p o
| |
| p) o i
| |
| n o r
| |
| p or p a t up r
| |
| p r
| |
| p e t p p p n p a a n 4 t u a n
| |
| a n
| |
| y o C O .
| |
| I n I I I s C * * * * *
| |
| * r f
| |
| o f ol a yne S roied ore 0 8 C geH em t
| |
| o 3 1 O t a aFaM E CF l
| |
| e n e ia b
| |
| i r
| |
| e
| |
| . e d e
| |
| s l r m g m s i e foi t n e rd a
| |
| o F tot en ai o s h ore P u c t i las r s y ls uq ne od ls i pi e s tal ia e f.a. om t e b io t
| |
| st a
| |
| f r t r 8 e nM .
| |
| of o t... rp i
| |
| aof 7 e .t n
| |
| .e . o .d no e
| |
| F rni uo rrp rei pt l
| |
| M ;it u t a ;up ;upr a b I F qounr qa Ei n qo u Etsd a Ecd T
| |
| I 2C389tog M k: e2 1 a(,C r
| |
| | |
| "- er. f
| |
| * E -s a.
| |
| y o le t o
| |
| r u p te ta o a t l
| |
| m s -
| |
| o e r t
| |
| o r p fo t s ls ls n
| |
| e la n
| |
| a n
| |
| a n
| |
| g g g
| |
| _ m is n
| |
| is n
| |
| is n
| |
| i p io o io
| |
| - )C u ia t
| |
| na oi i t
| |
| a q t t t i i s n oi s n n E
| |
| /
| |
| n o
| |
| i ic oci i
| |
| c g
| |
| n e r
| |
| s i t t oi t it : l i
| |
| u c a t, a a inl i ss s e m A m o e. m o
| |
| m o s r f ea r
| |
| e e t i( tu t t
| |
| o pr e i u u lus ggr - c t
| |
| s s a ya a enn n r i i ei s
| |
| S y
| |
| U e t. .
| |
| len r .
| |
| n dloOtye v
| |
| e te
| |
| . tu a a. a..
| |
| o e o iv i
| |
| f l a ;y m ;r y if t c o p m
| |
| loq u - u eq te 'u.
| |
| a r r e
| |
| - -r ee t
| |
| c a
| |
| l -
| |
| oe
| |
| . a q pv v e o
| |
| r a
| |
| n :,a t
| |
| s r
| |
| pe
| |
| . ss
| |
| .l
| |
| .. o e oOO*R t
| |
| E u i s
| |
| .e . o
| |
| . =, t.. * *
| |
| * q yt n e a. e r
| |
| p ..
| |
| . rp ;
| |
| t.
| |
| y -
| |
| u .
| |
| o e ;>upm .
| |
| rp q .. ur y ng t
| |
| ;usu e
| |
| _ C t a
| |
| uqn c
| |
| us eu qn eu p
| |
| o
| |
| .s yn
| |
| ;u /u
| |
| ;uli qi l ef e s
| |
| _ d ae/es te/e t
| |
| s qe f r a n oo e t s r e sa
| |
| _ r a e u a a a ue epe ggr cerh c a vt e ec t v ol l
| |
| to iinnuea narle r
| |
| _ c arle et e sd s er
| |
| _ n ns r ndlo o e e yb i
| |
| o s r
| |
| o - to wrs s r r too s ss r r s ooo r cf e c r -r r ri o
| |
| t pivt y t t t t
| |
| a ta r mra a a r r raar rta o e e e tcirg u ep nep e pp e ee pppt e e taddd r nnnet ae a e n t
| |
| c OGO OO OOOl pUUURI
| |
| . * * . * . . . O.*+.*
| |
| A l
| |
| a )
| |
| O u Oed n d e d d e El a s e
| |
| r e ir (lo r iu t a u d rt M l u q e
| |
| r t
| |
| c u q e
| |
| le n l
| |
| oco r i a n a r n
| |
| r/
| |
| f o F n h e
| |
| /
| |
| d m h e
| |
| t d ne ot a w a w c a S m d it i
| |
| / r dee p O u e n o H
| |
| t a
| |
| u i
| |
| y My ta r y O e t c le ^-
| |
| cl pe E
| |
| l m a ta s ota
| |
| / a e i r e ei r S s s
| |
| b o) p o) b o) b p oo)
| |
| C E t sO r
| |
| pC p
| |
| t lsO t r ls p pC O iO l
| |
| aO iO ia aO E F( aE InE ( F(
| |
| aE FI nE (
| |
| + * =
| |
| l e *
| |
| * b i
| |
| s f e s oid o ynM se P r o oi t e 4 9 5 ge r c tenu 8 a ei l 7 CFa F l
| |
| e b
| |
| a l a s d ls T m es od il lyt ed fal a aur e iad f
| |
| isd l
| |
| al a es t
| |
| t o e p f. lo. d e
| |
| nM tn ut e naq c iu t. p y
| |
| . te e a/e r .. ad Fer mmdte n a. t.ol r s la u y e piwr e re Al u ip ubi ea e ;ube na ;ub o uq Ria q t h q q PF Etoniw Etom Etorore p" . )
| |
| =mC'.Sy I a::
| |
| | |
| p e
| |
| s o r o l c e ts / f s l,r s
| |
| /
| |
| t n n oe r e a n a p r tr h o t s o t n to it yy lyy ly ly o c l l l c m A laa l l a la l
| |
| a l
| |
| a / os uu uu u u te fr c t f
| |
| e n n nn n n s a e a a a a r )f a a a t n e*
| |
| t s
| |
| n mmnmm e m o
| |
| m i o ps ool a l
| |
| fe n wto ot r t
| |
| U toomtoo t t t c i e e s n s ls s A t nt n ls i rla s m
| |
| lp m
| |
| ia f f ial l
| |
| igl affi ia ls ia pad f hf r ia t n f e
| |
| a ls co e ia/
| |
| f s q u
| |
| p a r r/ nr r t rit r o e s r te se i x too ot oo/owt t n n oare no a a ut a 't t
| |
| u E a tai a U q r el e r at e ek r r or r r o e tar pc ppoppc pse pe e n p lp ep o e E
| |
| /
| |
| OOiOOloOiO s m m o,.eh ys l e s = * . .
| |
| o a x gt . a t
| |
| m e
| |
| ) C
| |
| /
| |
| E (
| |
| e i s
| |
| r pa v e
| |
| p p p s t
| |
| s ls ia o o o - i oh t r f ts t
| |
| s ts e r m iopt ph a y n t
| |
| S s l a o l
| |
| a l
| |
| a l
| |
| a l
| |
| a e c at a n s e uit u u u u t r i e r n a n n n n s r i d u a u a a a a e- y to o r l
| |
| e l ia m, act m,)sl m, m, ) m, sr S at ao g r r e e
| |
| i F pc p pnpu e p et a n ui pia uf u )t u io uo Ooc pa F a kc a t
| |
| k c p k ra c t k
| |
| c t a k r
| |
| i cp u i v
| |
| f m am a to a s a ua s b tc b s s o H u b to b s b -e mr ma mr a
| |
| ) mua mic r s r s r te) y lp e r or f r t oa ou fri o ouof n a o fr of P
| |
| r f e r m ir ( f r t e o e r e r e t t ia e m a
| |
| ef p (a pt u
| |
| pu p
| |
| pupn p e ru o )
| |
| v x o p oa os tosr to mg s C o E t u
| |
| t s te r
| |
| t r s nf i e s O c ls t r l ls e ls tel gn r e r E(
| |
| e ia a iaf F (a iaft F (a iaf F (aF la c iai o u u R F ts l l i
| |
| a
| |
| )
| |
| O i ty r
| |
| ia F O E
| |
| g e
| |
| : e. F n a (
| |
| i t
| |
| n i
| |
| ( r m ity d p f o u r g h e
| |
| H e c u S icp t
| |
| n a
| |
| e k i r c O sn ia n b ly a e O a t n e B f o l d ao E E n
| |
| ia i ta r y n / r r oM S m p o oi t e 7 8 1
| |
| o o f gc r e nu 2 1 C ls t
| |
| p r
| |
| p S ta ui l O i a a n
| |
| C F a O F E F I
| |
| O e E l b
| |
| l e i s f e
| |
| b s o o y
| |
| la do i
| |
| s P nM o
| |
| s rg itc re o 6 o e e n u P r 8 t
| |
| a ui l s ly o ly C F Fa d e la f
| |
| s 7 8 d c d u e o te a it e
| |
| p o l M a i u p r 7 t m o u b e c p a
| |
| e r a o ts s e l
| |
| b l ia u /
| |
| te a
| |
| t a
| |
| u ia n s e
| |
| g T _ lu r
| |
| d a F i
| |
| t p
| |
| o m n ia e g
| |
| T a F i
| |
| n e n l
| |
| a i ts r h y l a n o o c a o le s : h o t t s
| |
| t n
| |
| o s
| |
| ut a n e od u c y it ls ls i t taipr it o tal l
| |
| c ia y ia ia t e
| |
| n a c u fnc t la l f t
| |
| f r t u ts o t r nM u
| |
| s ta tnir F n nd n p e p e e e p F A
| |
| R ei mt a m md e ma A mo p p r P
| |
| pm p pr i pni R iu p iu to iu iuq q u iud P qa qu q qn Ei n E a E E e r E a zCXg.E$ e9 I
| |
| pM
| |
| | |
| l
| |
| : 7. Search Process The ATHEANA team should keep in mind that there may be many different ways in which a failure l I
| |
| mode may be activated. For example, the operator can commit the following errors:
| |
| not use (e.g., fail to start) a system
| |
| - make it difficult to use a system (e.g., put pumps in " pull-to-lock"or deplete system resources)
| |
| - damage (even permanently) system equipment The reasons why an operator may do these things and the potential for eventual recovery are also different. The following steps which lead to the identification of the error-forcing context address these reasons. However, as in previous steps, the team should document any ideas generated during this step regarding reasons for unsafe actions and error-forcing contexts for later use.
| |
| l The product of this task is a list of candidate unsafe actions for each candidate HFE and any associated information regarding possible error-foccingcontexts that may be relevant. Table C.5 in Appendix C can be used to document the results of this step.
| |
| 7.2.3 Step #8: Repeat Steps #6 and #7 for Support Systems After the ATHEANA team has finished performing Steps #6 and #7 for the front-line safety systems that perform the plant functions required for each initiator considered, the ATHEANA team should conduct a similar investigation of the support systems for these front-line safety systems, unless there was a prior decision to not address support systems as part of the priority assessments.
| |
| Dependency matrices developed to document the plant-specific PRA can assist in identifying which systems must be examined and for which front-line systems. In this step, the system fault tree models, rather than the event tree models, will be most helpful to the ATHEANA team in identifying the specific equipment and failure modes in support systems that can cause failures of required plant functions. Otherwise, the same process steps and documentation recommendations apply to the investigation of support systems.
| |
| 7.3 Identify Most Likely Causes of Unsafe Actions The next steps in the ATHEANA process require an integration of psychological (i.e., human) and contextual (i.e., plant conditions and triggared performance shaping factors, PSFs) factors in constructing an explanation for why a particular unsafe action might occur. Psychological factors (e.g., behavioral science, traditional human factors) provide explanations for operators' probable ,
| |
| thinking and/or behavior. The situation with which the operators' are confronted triggers this I thinking or behavior. In ATHEANA, the situation is described not only by the accident sequence defined in the PRA event tree / fault tree model, but also by the several plant conditions and triggered
| |
| ( PSFs that comprise the elements of an error-forcingcontext (EFC). Consequently,the ultimate goal of the steps described below is to identify, for each unsafe action, the EFC elements that trigger the associated psychological factors that explain that unsafe action.
| |
| Integration of psychological and contextual factors will require creative thinking on the part of the ATHEANA team. The steps and information provided below were developed to assist in this j l
| |
| 7-33 NUREG-1624, Draft I
| |
| : 7. Search Process creative process, but are not the only resource and steps to successful identification of EFCs to consider. For example, the ATHEANA team should "think ahead" to potential EFC elements provided the EFC and an appropriatelink to psychologicalfactors and the unsafe action is apparent.
| |
| In addition,conductinga reviewofoperationalexperience at several points during performance of
| |
| - the steps below is . suggested . in order to provide the ATHEANA team with illustrative examples
| |
| : or templates ofexplanations for unsafe actions. The ATHEANA team should use both industry and plant-specific operational experience, including personal necdotes, as a catalyst for the EFC search process whenever it seems helpful or necessary. In addition, since the ATHEANA knowledge-base does not yet contain all of the examples from operational events that are planned, the ATHEANA team should rely even more heavily upon their own plant-specific experience (especially that identified in establishing priorities in Steps #4 and #5) until the ATHEANA knowledge-base is appropriately expanded.
| |
| In addition,the ATHEANA team must keep in mind the restrictionsimposed by the PRA in defining HFEs and by the priorities applied in previous steps. The PRA definition of an HFE includes not only the initial human failure (i.e., inappropriate termination of a system or failure to initiate a system) but also the persistence of this failure (without correction or " recovery") until such time that core damage or function failure occurs. The amount of time to core damage or function failure also is one of the important priority issues indicated in Tables 7.1 and 7.2. As noted before, the priorities shown in these tables are a combination of initiator or accident sequence characteristics and contextual factors that appear to be characteristicof serious accidents. Consequently, Tables 7.1 and ,
| |
| 7.2 and the plant-specific priorities developed in Steps #4 and #5 should play an important role in the follow' m g steps for identifying an EFC for each candidate unsafe action.
| |
| 7.3.1 Step #9: Two Classes of Causes - Two Separate Search Paths The search for explanations (and EFCs) of unsafe actions is organized and made more efficient when the likely causes of unsafe actions are considered separately by their distinguishing I
| |
| characteristics. While several different schemes of separation are possible, the classification into mistakes, circumventions, slips and lapses seems to fit best with the descriptions of unsafe actions. j In addition, by introducing the concept of mistakes and circumventions versus slips / lapses now, !
| |
| implementationof recommendedprioritiesregardingthe risk-importance of these different classes l can occur at this point in the ATHEANA process. As noted in Part 2, Section 6.3, the most risk- i important classes of unsafe actions to consider are as follows:
| |
| .. mistakes a circumventions e unrecoverable slips or lapses
| |
| . . slips or lapses that induce mistakes l
| |
| Both mistakes and circumventionsare purposeful failures ofintention that are caused by " thinking" failures. Such cognitive failures consist of both situation assessment and response planning failures, in the terminology of the information processing model used in ATHEANA. Conversely, slips and lapses are unintentional failures in execution (i.e., response implementation failures in the i
| |
| NUREG-1624, Draft 7-34 l
| |
| l l
| |
| 1
| |
| - - - - - - . _ . _ _ - _ _ _ _ - _ _ - _ - _ _ . - _ _ _ _ _ _ l
| |
| | |
| I
| |
| : 7. Search Process information processing model). The development of explanations for candidate unsafe actions reqires in both cases, both psychological and contextual factors. The characteristics of these factors are different for the purposeful, thinking faih.res versus the unintentional, execution failures.
| |
| Consequently,the search process splits into two paths, Path A and Path B, to address mistakes and circumventions, and slips / lapses, respectively. However,just as there are several possible unsafe actions for each HFE, there can be several possible explanations for each unsafe action. Therefore,
| |
| 'he ATHEANA team must investigate both paths for possible, credible explanationsof each unsafe action.
| |
| 7.3.2 Path A: Mistakes and Circumventions As discussed above, the explanations for unsafe actions due to mistakes and circumventions are
| |
| - similar because both involve thinking failures and, consequently, the characteristics of the causes of these thinking failures are similar. This section describes the common steps, but with necessary differencesin their implementation,in the search for explanations of unsafe actions due to mistakes and circumvention. Table 7.9 serves as a roadmap for the steps and information needed to identify the " reasons" for mistakes and circumventions.
| |
| The fact that both mistakes and circumventions are " thinking" failures is the strongest commonality between these two types of unsafe actions. Because the ATHEANA process considers only rational thinking, operators must have some " reason" for their (wrong) thinking. For both nistakes and circumventions, the reasons that operators use tojustif; (heir thinking (and, ultimate 9 their actions) are based upon " rules." Rules can be either formal (i.e., written procedures) or informal (e.g.,
| |
| lessons learned in training or from operational experience, concepts of good operating practice, etc.).
| |
| The identification of both formal and informal rules relevant to an unsafe action is the first step in this path of me search for explanations or causes.
| |
| While the importance of rules is common to both mistakes and circumventions, how the rules operators use can result in unsafe actions is different for mistakes and circumventions. In both cases, operators decide if specific rules are applicable based upon their understandingof the plant state and behaviorduring a specific accident. In the case of mistakes, if the operators' understanding of the plant state and behavior is incorrect (i.e., a' failure in situation assessment), then operators may choose the wrong rule, misapply the correct rule (e.g., perform it too soon or too late, omit or add steps), omit implementation of a rule,'etc. However, for circumventions, even if the operators '
| |
| understand the plant state and behavior at a specific time in the accident progression, the plant conditions, accident dynamics, or other event characteristics may be so complex or unfamiliar that operators may make wrong decisions in selecting between rules (e.g., an informal rule overrides a formal rule due to, for example, perceived or conflicting priorities demanded by the situation), and -
| |
| 7-35 NUREG-1624, Draft ;
| |
| I
| |
| : 7. Search Process Table 7.9 High-Level Reasons for Unsafe Actions' - Mistakes and Circumventions, l Based Upon Information Processing Failures," Rules," and Contextual Factors l
| |
| Observable or Auditable Contextual Factors Information Processing " Rules" Information 2 PSFs Plant Conditions Failures (L o 10A, Table 7.14) (Step II A. Table (Step 12A) (Step 12A, Tables 7.15 7.13) thru 7.17)
| |
| Failure in Sitt.ation
| |
| * Formal or informal
| |
| * Wrong or
| |
| * Workload
| |
| * Different than usual or Assessment. resulting in * " Justify: unavailable
| |
| * Attentional nominal (e.g.,
| |
| failures in Monitoring and inappropriate actions
| |
| * Misleading resources hardware failures, Resoonse Plannine Rejected, as
| |
| * Alertness multiple failures, event (Tables 7.10 & 7.11) spurious (especially characteristics) w/o redundancy - similar, but not, Wrong situation model " classic" event (current plant state & '
| |
| low frequency expectations) with failure . - not like recent to update events
| |
| * Changes applicability of" rules" Failure in Situation
| |
| * Formal or informal
| |
| * Wrong or
| |
| * Workload Event dynamics Assessment. resulting in * " Justify" unavailable
| |
| * Attentional different than usual failures in Monitorine and inappropriate actions
| |
| * Misleading resources
| |
| * Different than usual or Response Plannine
| |
| * Timing of rule
| |
| * Rejected, as
| |
| * Alertness nominal (e.g.,
| |
| (Tables 7.10 & 7.11) application wrong spurious (especially hardware failures, (e.g., too soon or late) w/o redundancy) multiple failures, event Wrong situation , characteristics) model(expectations - similar, but not, wrong) with failure " classic" event to update - low frequency
| |
| - not like recent events
| |
| * Changes applicability of" rules" Failure in Response
| |
| * Ignore, misapply, or Wrong or . Event dynamics Plannine. coupled with or deviate from formal unavailable d:fferent than usual resulting in failures of rules
| |
| * Misicading
| |
| * Different than usual or Monitorine informal rules
| |
| * Rejected. as nominal (e.g.,
| |
| (Tables 7.11 & 7.12) " justify" inappropriate spurious (especially hardware failures, actions w/o redundancy) multiple failures, event characteristics)
| |
| * Changes applicability of" rules" Failures in Monitorine *
| |
| * Rules" for
| |
| * Wrong,
| |
| * Workload Plant parameters fail monitoring unavailable, or
| |
| * Attentional indications (Tabic 7.11) relevance disabled resources
| |
| * Unusualconfigurations
| |
| )
| |
| j
| |
| - priority
| |
| * No redundancy
| |
| * Alertness or operations Non-existent
| |
| * Evolutions in progress
| |
| * Not salient or concurrent events
| |
| ' Inappropriate actions implemented and not corrected before irreversible damage occurs.
| |
| 2 including indications and communications (e g., shift turnover, field operators. technicians, other operators).
| |
| NUREG-1624, Draft 7-36
| |
| : 7. Search Process in determining the appropriate way to implement a rule. Consequently, the implementation of the second step in this path ("how can the rule (s) be satisfied")is different depending upon whether the unsafe action under consideration is a mistake or a circumvention. Performance of the last step in this path ("what plant conditions and PSFs can activate the rules") is the same although the kinds of plant conditions and PSFs searched for will be different for mistakes and circumventions.
| |
| I In practice, mistakes can be said to correspond with situation assessment failures while circumventions can be called response planning failures. The principle result of a situation assessment failure is an incorrect situation model. In turn, the incorrect situation model can cause supplemental failures in response planning, monitoring (which can re-enforce the incorrect situation model), and implementation of the wrong opeutor actions. An incorrect situation model can be caused by misinterpretation'of (nominal) plant conditions, monitoring failures, unusual plant conditions that cause interpretation or monitoring failures, or all of these failures simultaneously.
| |
| On the other hand, strictly response planning failures (that are not caused by failures in situation assessment) are caused by failures in decision-making performed during response planning, by unusual plant conditions that cause decision-making failures, or both. Response planning failures also can cause supplementalmonitoring failures and implementationof the wrong operator actions.
| |
| Tables 7.10 through 7.12 provide examples of situation assessment, monitoring, and response planning failures,respectively. Table 7.13 is the hardware corollary of Table 7.10; Table 7.10 gives examples of failures in informationinterpretation while Table 7.13 provides examples of failures in information" transmission." Before embarking upon Path A, a review of these tables should occur..
| |
| The results of each step in Path A can be documented using Table C.6 in Appendix C..
| |
| 7.3.2.1 Step 10A: Identify Relevant Rules The first step in the Path A search for causes of mistakes and circumventions is to identify both formal and informal rules relevant to the unsafe action under consideration. Table 7.14 provides some generic examples of formal and informal rules.
| |
| A review of written procedures for formal rules should occur to identify specific procedure steps, l
| |
| the path for getting to these steps (especially if IF/THEN logic statements are used), the criteria for implementing the procedure steps, etc. This review should include the identification of both the l-procedure (s) and steps that operators are expected to use as well as procedures and steps for other
| |
| '' initiator types and accident conditions. In addition,the review should include the determinationand documentation of the practical aspects of implementing the procedure steps (e.g., timing, L coordinationwith field operators, communications between operators and different locations, etc).
| |
| I The process of identifying informal rules that apply to the unsafe action (and mistake or circumvention) is through ATHEANA team discussions (that rely upon the knowledge and experience of team members with operations and training experience), interviews of operators and trainers, simulator tests and associated debriefing interviews, and review of examples from past plant-specific or industry operating experience (e.g., events in HSECS, event reviews in Part 1, detailed event reports such as AITs). The following are some illustrative examples ofinformal rules:
| |
| 7-37 NUREG-1624, Draft
| |
| : 7. ' Search Process General C " Don't go solid in pressurizer"
| |
| = "Stop a spurious safety injection (SI) signal"
| |
| . ~ " Protect pumps" (e.g., from lack of cooling, deadheading, no lube oil)
| |
| Table 7.10 Failures in Situation Assessment i Failure is attuation -=st Search Queadoes to ideadfy EFC elements -
| |
| "Inidal" attuation saadel(immediately following laidadag event) bened on pardal set ofindications EsternalinAmesees
| |
| * What other more prominent indications could mask or be given greater attention over the key ;
| |
| * Salience bias (register only the most '
| |
| ~. prominent indications) indications for this event? Do these prominent indications "look like" a different event?" l
| |
| * Standardpractice-
| |
| * Are there any plant practices, such as systematically reviewing indications, that would lead -
| |
| operators to overlook flecting or slowly moving key indicators?
| |
| * Hiddenindications
| |
| . - Instrumentbehindpanel Are any key indications located in out-of-the-way locations such as on back pancis or located outside the control room?
| |
| . Poor human factor design Are any key indications difficult to read or present information in a misicading way?
| |
| InternalinAmences .
| |
| * Perceivedrelevance(knowledge driven reasons to look at a particular
| |
| . Indication first: e.g., relating *first out"
| |
| ' alarm to full accident and seeking only 1 confirmation ofinitial expectations)
| |
| Operator 'knows" initial diagnosis - Under what conditions can the initial symptoms of this event look a lot like those of l is correct and complete another event? l
| |
| . - Can there be a seemingly simpler explanation that accounts for some of the symptoms?
| |
| - Altematives seem too complex j Perceived minor consequences - How can the initial symptoms suggest that this event is minor or oflittle significance? :
| |
| leads to limiting investigation !
| |
| - Familiarity with seemingly similar Can this event look like an event that is used repeatedly in training or about which there l situation is a lot of attention given in training?
| |
| * Availability of attentional resources !
| |
| - Operator-inducedlossof - Can the operators inadvertently disable or remove sorre or all important indications (e.g.,
| |
| indications use CRTs to rnonitor other indications)? Can some part of the plant response disable
| |
| ' sensing (e.g., isolating key parts of the plant equipment)?
| |
| Under what conditions do the orerators have to work hard to separate out the important
| |
| - Noisy interfaces with high indications from s lot of other less important indications? Can the workload become workload excessive?
| |
| * Strategic choice !
| |
| - Perceived urgency . How can this event appear such that the operators believe there is little or no time to j prepare a" thoughtful" response?
| |
| Goals conflict. Are there conditions where the operators must select from among poorly distinguished or undesirable attemative responses?
| |
| I
| |
| (
| |
| l i
| |
| i j
| |
| NUREG-1624, Draft 7-38
| |
| . .---..-------i
| |
| : 7. Search Process Table 7.10 Failures in Situation Assessment (Cont'd.)
| |
| Failure in situation assessment l Search Questions to identify EFC elements
| |
| " Initial" situation model based on a " complete" set of relevant indica:lons Failure to recognize that the indication is "abeormal"(i c., not fully consistent with the current situation model)
| |
| * Previous successful experience with similar indications a flow can indications in this event resemble earlier events in which operators performed
| |
| - Overconfidence or generalization exceptionally well(and therefore may believe a similar event is occurring without a full on too little evidence review of all symptoms)?
| |
| * Nearly matches another plant state
| |
| * 110w can the symptoms of this event appear to suggest another plant condition that may be more familiar to the operators because of their experience or training?
| |
| * Poor displays (see Table.214)
| |
| * See Table _2J3
| |
| * faulty mental model: potential
| |
| * Is it possible that operators will misunderstand or be unauare of the plant conditions weaknesses in operators' mental because os their unfamiliarity with:
| |
| models include:
| |
| - Plant response with more than two - Plant behav}or with multiple failures failures (situations often outside range of training)
| |
| - Gaps in understanding plant - Effects of saturation, actual calculations, equipment characteristics thermal-hydraulics
| |
| - flow electrical equipment w orkt l Eqvipment operating and failure characteristics
| |
| - Reactor neutronics/kinctics kcactor physics
| |
| * Memory failurc
| |
| * Under what conditions are there times during this event when operators must rely on memorized information (either from training or in " carrying data during the event)?
| |
| a Processing limitation factors
| |
| - Workload high - Under what conditions are the operators subject to significantly increases in their mental workload during this event?
| |
| Communications interfering in tasks - What plant conditions can exist to create possibly significant distractions from the tasks at Alertness low hand for the operators?
| |
| Can this event occur at times when the operators aler* ness levels are low, such as during the middle of the night or during periods of prolonged inactivity?
| |
| " Explaining away" some of the indications
| |
| * Decide that part of the information is invalid or spurious
| |
| - Recent history ofinstrument - What has been the recent history of unreliable or faulty indications or alarms associated unreliability with any of the important parameters?
| |
| - Ir.dication inconsistent with What has been the experience, either in the simulator ,at the plant, or in other similar expectations and can be dismissed events at other plants, where operators have dismissed indications or alarms?
| |
| ("It must be wrong")
| |
| - Mental model that explains how a - What has been the experience, either in the simulator ,at the plant, or in other similar spurious signal could be generated events at other plants, where operators have developed rationalizations for indications or alarms that indicates a potential may exist fer similar problems in this event?
| |
| * Rationale by which the current *What other possible explanations could exist by which the operators' incorrect situation model erroneous situation model can explain can explain away indications that do not fit with that model, such as other concurrent activities inconsistent indications in the plant?
| |
| >
| |
| * Mental model not familiar with current *(See " faulty mental model" above.)
| |
| l plant condition and dynamics 7-39 NUREG-1624, Draft
| |
| : 7. Search Process Table 7.11 Failures in Monitoring Failure in monitoring Search Questions to identify EFC elements Response Flas Does Not Specify Appropriate Parameters to Monitor'
| |
| * Incorrect situation assessment (resulting in incorrect response plan) incorrect initial situation model Refer to Tabiq2J,9 incorrect expectations (e.g., - Refer to Tab!d,12 appropriate parameters given low priority)
| |
| * Faulty procedure (i.e., procedure does *What possible plant conditions can occur within the specification of the PRA scenario where not adequately address monitoring for the procedures do not cover all the needed monitoring activitics?
| |
| confirmatory purposes) unanalyzed or unanticipated - What conditions are feasible but for which analyses have not been performed to confirm plant state the applicability and accuracy of procedures?
| |
| Distracted from Monitoring
| |
| * Workload What conditions can exist such that the operators can be distracted from the normal or expected monitoring activities, such as:
| |
| - resourcelimitations - shortage of staff who normally perform monitoring duties?
| |
| additional failures additional plant or equipment failures?
| |
| - other demanding - other " attention-getting" alarms or annunciators not key to the event of concern?
| |
| alarms / annunciators Information ignored or Discounted
| |
| * Failure to recognize significance of information
| |
| - incorrect situation assessment - Refer to Tablell9 explain away information Refer to Tablellp ;
| |
| Information Not Available
| |
| * Equipment problems
| |
| * Refer to Tablel,1)
| |
| * Human-factors problems
| |
| * Refer to Table,,2JJ
| |
| * Feedback problems
| |
| . Non-discriminant feedback - Under what conditions does the feedback resemble or appear to confirm earlier faul7 )
| |
| - similarity ofindications situation assessments? ,
| |
| i
| |
| - confirmation-bias efrects Absence of feedback - Under what conditions can feedback be delayed or suppressed? Can the feedback indica-
| |
| - delayed feedback tions be seen from the controls that are manipulated during this event?
| |
| - no feedback
| |
| - no direct feedback near control i
| |
| l
| |
| )
| |
| ' i.e., does not specify those which would indicate situation assessment was incorrect.
| |
| ' NUREG-1624, Draft 7-40 I
| |
| : 7. Search Process Table 7.12 Failures in Response Planning Failures in response planning Search Questions to identify EFC elements Operators fail to enter or transition to correct procedure ,
| |
| * Entry or transition criteria not clear .Under uhat plant conditions are there entry or transition criteria not explicit
| |
| * Are there plant conditions where procedure criteria require judgment or interpretation?
| |
| . Arc there plant conditions where procedure enteria require mathematical analysis?
| |
| .Are there plant conditions where procedure criteria require sustained monitoring?
| |
| * Entry or transition criteria not met *Are there plant conditions where procedure criteria are not manifest at entry or transition point
| |
| - *Early"parametersfaded
| |
| - " Late" parameters not reached
| |
| * Are there plant conditions where other action criteria are reached first that cause transitions to another procedure?
| |
| Under what conditions can prominent indications suggest or create entry to another procedure?
| |
| - Perceived as more important by operators Operators do not take actions as required
| |
| * Criteria to perform actions are not clear *Under what plant conditions are there action criteria that are not explicit or clear?
| |
| *Under what plant conditions are there action criteria that require judgment or interpretation?
| |
| .Under what plant conditions are there action criteria that require analysis?
| |
| *Under what plant conditions are there action criteria that require sustained monitoCng?
| |
| . Actions s , postponed or overtaken by other actions *Are there plant conditions uhere earlier actions in the procedure have higher perceived importance, which can lead to the needed actions being overlooked?
| |
| *Can the procedure allow flexibility in priority of actions or timing, such that the operators perform the task at the wrong time or skip it because of other priorities?
| |
| *Are there plant conditions uhere a required step or steps in a procedure cannot be performed becaus6 pre-conditions have not been met?
| |
| * Deviations deliberately taken from procedure *Are there plant conditions where a required action also violates other requirements or practices''
| |
| - Tech spec., other regulatory rules
| |
| - Plantstandardoperatingpractices
| |
| - Informaloperatmg rules andpractices
| |
| *Are there conditions under which the required action creates new hazards to plant or personnel?
| |
| eAre there conditions under which the required action creates major economic consequence?
| |
| *Ar there plant conditions where the consequences of deviation perceived as snail and:
| |
| - a step is routmely omitted usually with no consequence?
| |
| - the requirementfor actwn are perceivedas " conservative ~'
| |
| - a delav can buy time for operators to take "prefe, red 7xiternattws that are less effectin?
| |
| 7-41 NUREG-1624, Draft
| |
| : 7. Search Process Table 7.13 Examples ofInformation (i.e., " Transmit") Problems Hardware 5onware Fadures (it,"information wrong," including instrument, sensor, switch, computer, and calculated parameter failures) r (failures may be known, undiscovered, or masked by other activities)
| |
| Hardware /soAware may bc:
| |
| * Randomly failed (including spurious indications, failures to respond, intermediate indications)
| |
| + Unavailable due to testing or maintenance
| |
| + Disabled by personnel e Failed due to operator actions
| |
| * Outside operating range due to plant conditions
| |
| . Provide conflicting indications
| |
| * Failed due to design flaws (e.g.," redundant" parameters not independent)
| |
| Disclav Failures (i.e.,"information misicading")
| |
| Display may:
| |
| + Be failed (e.g., a broken meter or alarm) . cither known or undiscovered
| |
| . Lack globalcues
| |
| * Lack reference context
| |
| = Have hidden indications (e.g, on back panels)
| |
| * Have distributed locations for displays or controls
| |
| * Have noisy interfaces
| |
| * Have design flaws (e.g., indicated valve position not connected with stem position) e Have delayed indication (e.g., trends not noticeable due to recorder scale and event timing)
| |
| . Have only temporary indication (e.g., parameter or trend not noticeable because only temporarily displayed due to event timing or other factors)
| |
| Other Human Factor Problems (i.e.,"information wrong and/or misleading")
| |
| Information may be wrong or misleading because of:
| |
| * Communication failures (wrong, misleading, ambiguous) (field operators, personnel in containment, IAC or maintenance technicians)
| |
| * Design flaws
| |
| * Lack of redundant instruments or other information sources
| |
| * Requirements for interpretations or hand calculations of parameters ( c.g., due to operations outside normal conditions in Prairic Island 2 shutdown event)
| |
| NUREG-1624, Draft 7 42
| |
| : 7. Search Process Table 7.14 Exainples of" Rules" Used by Operators and to be Identified in the ATHEANA Search Process l- How operators use " Rules" i ..g g,,..
| |
| Formal' leformal2 PLANTINTERVENTIONS Selection and - Specific Trammg justification ofunsafe inst-uctions which - Keep core covered action (s) direct, permit, or + Always follow your procedures could be
| |
| * Don't go solid in pres urizer interpreted to permit actions Good Practice
| |
| . Cautionary notes
| |
| * Protect pumps (e.g., stop if no tube oil pressure, no regarding potential cooling, runout, deadheaded, cycling).
| |
| required actions or plant or equipment Old Practice states to be avoided . Si on low pressurizer level
| |
| . Verifications of automatically Folklore actuated equipment + A good operator always beats auto-actuation Never feed water into an overheated vessel Confhet
| |
| * Alternatives have negative consequences Success seems imminent I
| |
| l l
| |
| J 7-43 NUREG-1624, Draft i
| |
| : 7. Search Process Table 7.14 Examples of" Rules" Used by Operators and to be Identified in the ATHEANA Search Process (Cont'd)
| |
| How operators use " Rules" l
| |
| ..ru b " Informal 2 Formal' -
| |
| INFORMATION PROCESSING Monitoring'(i.e., what + . Specific Trammg indications to monitor, instruments to a Which instruments to use when to monitor, etc.) cieck. - Which (and in what order) to respond to alarms Specific plant - Check redundant indications (especially alarmed parameters to conditions) check (e.g., to determine if criteria Exnerience for actions or - Which instruments to use (may not be all that are procedure available) transfers).
| |
| Plant parameters associated with symptom-based, functional recovery trees.
| |
| * Identify and respond to alarms.
| |
| Interpretation (part of + Specific criteria for Trainmg situation assessment) actions or . Believe your indications.
| |
| procedure transfer.
| |
| * Instructions for Good oractice when " Response . Question diagnoses (e.g., if unexpected response, Not Obtained." restore your last action).
| |
| * Procedural overrides (in Exnerience (plant-specific) cautionary notes, - Some indications are more reliable than others.
| |
| etc.).
| |
| - Some indications always give false readings.
| |
| * Implications of a Recent history of plant / equipment / instrument symptom-based, performance, functional recovery trees.
| |
| NUREG-1624, Draft 7-44
| |
| : 7. Search Process Table 7.14 Examples of" Rules" Used by Operators and to be Identified in the ATHEANA Search Process (Cont'd)
| |
| How operators use " Rules"
| |
| " rules" Formal' informal 2 l
| |
| UNDERSTANDING PLANT CONDITIONS AND CONFIGURATION 1 Equipment status Means for checkine Traming eauioment status: . Indications of performance.-
| |
| + Implications of - Believe your tagout system.
| |
| instructions after
| |
| " Response Not Folklore Obtained." - Pumps in mnout overspeed.
| |
| + Implication of + Multiple failures in one system are not possible.
| |
| ! instmetions for alarms.
| |
| - Control room indications.
| |
| - Tagouts.
| |
| Instruments / indications Means for checkine Trammg couinment status: - Instruments are very reliable.
| |
| * Established failed states. Folklore
| |
| - Tagouts. + Indication readings correspond directly with actual
| |
| + Redundant plant state or behavior, indications. = Indications are independent.
| |
| ' Plant procedures, including emergency operating procedures, abnormal procedures, emergency response guidelines, and administrative procedures (i.e., night order book).
| |
| 2 Including training, guidance for " good operating practice," "old practice" (i.e., previous operating practice),
| |
| experience, invented " rules of thumb" (referred to as " folklore").
| |
| 8 Including both data-driven and knowledge-driven monitoring.
| |
| l l
| |
| l l
| |
| l 7-45 NUREG-1624, Draft
| |
| : 7. Search Process Initiation of Long-Term Heat Removal (ecnecially residual heat removal (RHR))
| |
| * "Get to a stable condition"
| |
| ! * -"Get onto RHR" e "Stop loss-of-coolant accident (LCCA)" (e.g., feed-and-bleed scenario) ;
| |
| * Avoid recirculating sump water into the reactor coolant system (RCS) ,
| |
| . - Avoid emptying refueling water storage tank (RWST)
| |
| * Avoid containment spray actuation During this process ofidentifying informal rules, some " thinking ahead" to plant conditions that may strengthen or support the use of these rules may occur. This " thinking ahead" is encouraged and should be documented for use in the next two steps of Path A. Also, the ATHEANA team should keep track of(perhaps by means of a matrix) different unsafe actions (i.e., pump put in " pull-to-lock" or some other means of stopping a pump) that have the same or similar explanation, as developed at this point.
| |
| 7.3.2.2 Step ll A: Identify How Unsafe Actions Could Occur Using " Rules" As discussed above, implementation of this step in Path A is different for mistakes (i.e., situation assessment failures)and circumventions (i.e., response planning failures). Consequently,this report provides separate discussions below for mistakes / situation assessment failures and circumventions / response planning failures. Ultimately, however, it is not important to make distinctionsbetween the two as long as the ATHEANA team generates a good list ofideas on how Path A-type unsafe actions could occur.
| |
| For mistakes, the operators misunderstand the plant state and/or behavior, because of either situation assessment failures ofinformation interpretation (see Table 7.10), monitoring failures (see Table 7.11), or information problems (see Table 7.13). As a result, operators apply the wrong rule, apply the correct rule wrongly, omit application of the rule, etc. In principle, there are only two types of situations that must be considered:
| |
| (1) use of a wrong rule (2) wrong use or omission of the correct rule It is necessary to consider both situations keeping in mind that different rules and different associated procedure steps, implementation criteria, etc. apply, depending on which situation is being examined. Consider, first, the situation in which the operators are using the correct rule (but wrongly). In most cases, the correct rule is a formal rule in a written procedure with one single set ofprocedure steps, one set ofimplementation criteria, etc. In order to identify how the formal rule is satisfied, the ATHEANA team must identify what information (e.g., control room indications, field reports, alarms) the operators will use to get them to these procedure steps and satisfy the implementation criteria. The ATHEANA team also should identify potentially redundant sources ofinformation(e.g., flowindicationsas well as pump amperage). In addition,if there are redundant indications, the team should identify any potential dependencies between these indications (e.g.,
| |
| shared sensors or transmitters, common line). Timing ofplant symptoms also may be a factor. For NUREG-1624, Draft 7-46
| |
| : 7. Search Process example, what may be an appropriate action early in the event (e.g., stopping injection pumps) may not be appropriate later in the accident scenario when conditions have changed. In the case of the wrong rule being used, the ATHEANA team should identify the information, redundancies, and potential dependencies for both the correct and the incorrect rule. The ATHEANA team needs both sets ofinformation because, in this case, they must determine not only how the wrong rule was perceived as satisfied, but also how the correct rule could be perceived as not applicable.
| |
| Circumventions can result from failuresin situation assessment,in which case the ATHEANA team should investigate such unsafe actions as if they were mistakes. For other circumventions, the operators correctly understand plant state and behavior and are aware of the correct (probably l formal) rule but do not implement this rule as expected (see Table 7.12). There are two cases to consider:
| |
| (1) Implementationcriteria for the rule are met (and are known to be met) but operators do not implement the rule or they implement it incorrectly (e.g., omit or add steps)
| |
| (2) Implementationcriteria for the rule are not met (and are known not to be met) but operators implement the rule anyway.
| |
| In order to justify either of these cases, operators must believe that there are supplemental, complicating, or ambiguous factors in the situation that are not explicitly addressed by the (probably formal) rule. (Part 1, Section 4.2.3 introduces the concept of strategic factors to address these types of situations.) Such factors may activate other additional or conflicting rules, put the applicability of correct rule in question, change the priority of the correct rule, put priorities of rules in conflict,
| |
| , or bring into question whether or not the criteria for a rule is really met. The ATHEANA team should identify what information (e.g., indications, field reports, alarms) could indicate to operators that such factors were relevant in a particular accident sequence. The ATHEANA team can use Table 7.13 to identify how this information might be wrong or misleading. Probably it will be necessary to "think ahead" to what the (contextual) factors might be. Supplemental, complicating, or ambiguous factors include the following examples:
| |
| * additional, multiple hardware (equipment and/or indication) failures
| |
| = unavailabilities of equipment or indications e degraded performance of hardware (equipment and/or indications) e different accident dynamics or timing (than trained for or anticipated by procedures) e different ordering or sequence of plant response (than tained for or anticipated by procedures) e plant parameters different than expected (and no way to improve)
| |
| Examples of unsafe actions and challenging contexts in simulator tests (e.g., plant-specific and generic, such as those found in NUREG/CR-6208, Ref. 7.7) and operational experience (e.g., plant-specific, industry, ATHEANA-provided)may assist the ATHEANA team in identifying additional factors.
| |
| The example of premature initiation of Residual Heat Removal (RHR) introduced in Step #10, 7-47 NUREG-1624, Draft
| |
| | |
| ^ 7. Search Process continues with this unsafe action explained as a circumvention for which the operators recognize that the initiationcriteria are not met. A plausiblejustification for such an unsafe action would be if the l informal rules of" protect the RHR pumps,""get into a stable condition,"and "get onto RHR" weie ;
| |
| activated,either by real plant conditions or by the operators belief that such conditions existed. In particular, for the case of a loss of feedwater transient and subsequent need for performing feed-and-'
| |
| . bleed, ifoperatorsbelieved that feed-and-bleedactivitieswere not entirely successfulin heat removal (and were not likely to improve their performance) then they may conclude that initiating RHR is the only reasonable option for reducing Reactor Cooling System (RCS) temperature and pressure.
| |
| For this scenario, the ATHEANA team should identify what indications operators might get (that feed-and-bleed is not completely successful) that could cause operators to activate these informal rules for RHR initiation. Examples of such indications are:
| |
| * Erratic high pressure injection (HPI) pump flow (e.g., degraded pump performance) that could impact the success of" feeding" during feed-and-bleed,
| |
| * Erratic PORV behavior that could impact the success of" bleeding" during feed-and-bleed,
| |
| * RCS pressure that stays higher longer than expected (with no indication that it will drop) (also an indication that feed-and-bleed is not being entirely successful), and
| |
| * Current plant conditions make actuation of containment spray possible (which would deplete the refueling water storage tank (RWST) and available water for HPI more rapidly) (also an indication that feed-and-bleed is not being entirely successful).
| |
| In addition, the ATHEANA team should consider what indications ("real" or perceived) may lead operators to believe that plant conditions meet (or, are close enough) to the RHR initiation criteria.
| |
| In this case, the ATHEANA team should consider indications for RCS temperature and pressure.
| |
| The team should discuss which or what combinationsofindications could activate both formal and informal rules for RHR initiation. In addition, the team should recognize that these indications could be:
| |
| a measures of actual plant conditions,
| |
| . . the result ofinstrumentation failures,
| |
| * ' operator misinterpretations ofindications, e the result of monitoring failures (e.g., operators do not keep up with the dynamics of accident progression),
| |
| . the result of situation assessment failures (e.g., operators cannot separate the effects of their actions from trends in plant behavior), and i some combination of all of these failures.
| |
| NUREG-1624, Draft 7-48
| |
| : 7. Search Process The ATHEANA team should identify redundancies in indications that could assist operators in interpreting conflicting indications and dependencies between indications. Also, the ATHEANA team should identify which indicators are specified to be used in rules versus backup indicators, and which indicators the operators prefer to use (e.g., because they are or are perceived to be more ,
| |
| I reliable).
| |
| As in the previous ATHEANA steps in Path A, the ATHEANA team should encourage operators to "think ahead" to any contextual factors (e.g., plant conditions). The ATHEANA team should record these factors and save them for later steps. Also, the ATHEANA team should keep track of differentunsafe actions (e.g., pump put in " pull-to-lock"or some other means of stopping a pump) that have the same or similar explanation, as developed at this point. The use of a matrix may aid in the tracking process.
| |
| The product of this task is the identification ofinformation (either correct or erroneous) that could lead operators to implement the formal or informal rules in such a way that an unsafe action occurs.
| |
| 73.2.3 Step 12A: Under What Conditions Could the Operator Believe That the Unsafe Action Is the "Right Thing" to Do?
| |
| In this step, the elements of the error-forcingcontext are identified for each unsafe action considered.
| |
| In particular, the contextual factors that can cause unsafe actions of mistakes / situation assessment and circumventions / response planning are identified. These contextual factors should answer the question: Under what conditions could the operators believe that the unsafe action is the "right thing" to do? Due to " thinking ahead" in previous steps, some EFC elements may be identified already. However, the ATHEANA team should recognize that the EFC elements identified correspond only with an initial failure. The final step (i.e., Step #14) will address the failure of operators to recover or correct this initial unsafe action, and the EFC elements associated with the second failure.
| |
| The following contextual factors should be considered for both mistakes / situation assessment failures and circumventions / response planning failures:
| |
| 1 l (1) information problems (e.g., indication failures or faulty instrumentation design) t (2) unusual plant conditions that are unfamiliar or not understood by operators
| |
| ( Table 7.13 shows examples of general information problems and Table 7.15 shows examples of instrumentation and control design features that can be confusing to operators or may not be understood by them. Tables 7.16 and 7.17 provide examples of plant conditions that may be confusing to operators. The ATHEANA team should also refer to examples of unsafe actions and l challenging contexts in simulator tests (e.g., plant-specific and generic, such as those in NUREG/CR-6208) and operational experience (e.g., plant-specific, industry, ATHEANA-provided) to assistin identifyingpossible contextualcontributions. In particular,the ATHEANA team should consider performing some plant-specific simulator exercises designed to trigger discussions with 7-49 NUREG-1624, Draft
| |
| : 7. Search Process Table 7.15 Physics Algorithms in Instruments That Can Confuse Operators .
| |
| Indication / Algorithm or Actual Example
| |
| . Valve position indication . drive vs. stem position
| |
| . stem disk separation
| |
| . switch on solenoid
| |
| . MOV drive screw
| |
| .~ Levelindication e flashing in reference leg
| |
| . Pyuncompensated for temperature e sensor leaks e sensor isolation
| |
| . Pressure indication . indicated can be time history algorithm a improper sensorlocation
| |
| . Temperature indication . RTDs: linearity limits, ambient temperature compensation
| |
| . T/C: linearity limits, reference temperature drift indicated parameter can be calculated from .l
| |
| . Any indication .
| |
| others rather than measured directly
| |
| . plant behaves in a way to make algorithm ;
| |
| generate wrong information/ story i i.
| |
| 1 I
| |
| I l
| |
| I NUREG-1624, Draft 7 50
| |
| : 7. Search Process Table 7.16 Examples of Plant Conditions in Which the Plant Physics / Behavior Can Confuse Operators Plant Conditions / Physics Exampies
| |
| * Reaching saturation, then repressurizing . steam bubbles will have formed in hot spots, possibly interfering with flow or reflooding)
| |
| . Positive temperature coefficient . can result in unanticipated over power
| |
| . Operation of electrical equipment . effects of grounds e speed control and power in 3-phase induction (and synchronous) machines
| |
| . breaker / controller lockout circuits a selective tripping
| |
| . Transient effects beyond those analyzed and . LOCAs other than 2-inch and double-ended addressed in training guillotine)
| |
| . Multiple evolutions (which confound expected . Ramping up or down in power while equipment is physics) being tested or bought back on-line after maintenance
| |
| . Net positive suction head . draining down to mid-loop while other tests, washdown activities, etc. are being performed during shutdown 7-51 NUREG-1624, Draft
| |
| | |
| )
| |
| : 7. Search Process Table 7.17 Other Plant Conditions That Can Confuse Operators
| |
| ,- l
| |
| < PSMCondidone Details
| |
| * Plant radios
| |
| * Results in garbled communications
| |
| * Multiple equipment failures . Common causes failure
| |
| . Combinations of degraded functions, unabitability, human-induced failures, and/or " random" failures
| |
| * Partial degraded, rather than failed
| |
| * Can result in increasing combinations of failed
| |
| !nstrument/ control air pressure equipment
| |
| . Failures in selective tripping of electrical breakers
| |
| * Ambient temperature-induced failures of + Can result in increasing combinations of failed electrical / electronic equipment equipment
| |
| * Multiple problems . Combinations of any of the above or conditions indicated on other tables operators and trainers regarding possible and credible unsafe actions and associated error-forcing contexts. (Note that the unsafe actions do not have to occur and error-forcing contexts do not have to be simulated in order for the ATHEANA team to be successful in identifying credible unsafe actions and EFCs through de-briefing interviews and discussions following such simulator exercises.)
| |
| For the premature initiation of RHR in a feed-and-bleed scenario example, the ATHEANA team must search for the specific EFC elements (e.g., plant conditions) that link with the justification that has been developed so far. In particular, what plant conditions (or plant-specific hardware failures or degradations) are necessary to produce the indications that will activate informal (and perhaps formal) rules for RHR initiation? The plant conditions identified should be based upon plant-specific knowledge (e.g.,"real" HPI pump problems, based upon a history of degraded performance, and a history of RCS temperature or pressure indicator unreliability). These plant conditions, when linked to the relevant rules for RHR initiation and a concern that plant conditions may further degrade, are the EFC elements that can explain why operators may think that prematurely initiating RHR is the "right thing" to do.
| |
| The product of this step is expansion of thejustification developed in Step # 11 A to identify possible reasons why operators perform the unsafe action considered as supported by concepts from cognitive psychology and behavioral science.
| |
| NUREG-1624, Draft 7-52
| |
| | |
| 4
| |
| : 7. Search Process i
| |
| 3 7.3.2.4 Step 13A: How Could the Operator Believe the UA is the "Right Thing" to Do?
| |
| l This step builds on the previous step in completing the explanation of why an unsafe action occurs.
| |
| There are three potential causes of" thinking" failures to the explanation developed thus far for an ansafe action: (1) psychological factors,(2) contextual factors (e.g., unusual plant conditions), or (3)
| |
| (as most commonly seen in serious accidents) combinations of both psychological and contextual j factors. The ATHEANA process steps thus far have tried to guide the users to situations and contexts that are cognitively challenging. This step serves as a final check that complicating psychological factors have a consideration in the development of the error-forcing context.
| |
| The principal difference 6 im,iementing this step between mistakes / situation essessment failures versus circumventions /mponseplanning failures is in which psychological factors may be relevant to the explanation of an unsafe action. Situation assessment failures can be caused by two types of psychological factors: (1) failures in monitoring or (2) failures in the interpretation ofinformation.
| |
| Tables 7.10,7.11, and 7.12 provide examples ofinterpretation, monitoring, and response planning failures, respectively, based upon behavioral science concepts. Some of these examples are independent of contextual factors while others indicate or imply links with contextual factors. As stated at the beginning of Section 7.3, these examples should be used simply as " seeds" to trigger a creative thinking process on the part of the ATHEANA team.
| |
| The ATHEANA team also should refer to examples of unsafe actions and challenging contexts in simulator tests (e.g., plant-specific and generic, such as those in NUREG/CR-6208)and operational experience (e.g., plant-specific, industry, ATHEANA-provided) to assist in identifying possible psychological contributions. In Part 1, Tables 5.1 through 5.3 provided illustrative examples of detection, situation assessment, and response planning failures, respectively, using excerpts from operational experience.
| |
| As in the previous ATHEANA steps in Path A, the ATHEANA team should encourage operators to "think ahead" to any specific contextual factors that link to or further explain why an unsafe action could occur. The ATHEANA team should record these factors and save them for later use. In addition,the ATHEANA team should keep track of(perhaps by means of a matrix)different unsafe actions e.g., pump put in " pull-to-lock"or some other means of stopping a pump) that have the same or similar explanation, developed at this point. ;
| |
| f In order to continue further with the example of the premature initiatinn of RHR during the
| |
| ; performance of feed-and-bleed, the ATHEANA team should consult Table 7.12 for response i planning failures. The circumvention that has be explored thus far is a " deliberate deviation from procedure" but is an error of commission (rather an error of omission which the table more explicitly addresses). Also, thejustification developed so far corresponds with the operator's belief that not prematurely initiating RHR would " violate... informal rules," result in "new hazards to plant or 3
| |
| Alternately,"How could operators believe that using a rule is justified?" or"How could operators believe that a rule is satisfied?"
| |
| 7-53 NUREG-1624, Draft I
| |
| (
| |
| : 7. Search Process personnel," and may " create major economic consequences."d Plus, the discussion of strategic factors in Section 4.23 in Part I well describes the situation that has been developed (i e., oterators are convinced that staying on feed-and-bleed is less attractive than initiating RHR, perhaps even before initiation criteria are fully met).
| |
| The product of this step is the identified EFC elements for an initial unsafe action that " explain" why it might occur.
| |
| 73.2.5 Step 14A: Operators Persist in Believing That the Unsafe Action is the "Right Thing" to Do This is the final step in justifying the inclusion of an HFE in the PRA model. Activities in the previous step provided an explanation for why an unsafe action might occur and identified associated EFC elements. In this step, the failure of the operators to recover or correct from that initial failure is considered.
| |
| Given that the operators' thinking was initially wrong when responding to a specific initiator and accident sequence,it is possible that, later in the sequence, the operators will recognize their error and be able to correct their initial actions before core damage or function railure(s) occur. The definition of HFEs modeled in the PRA includes both the initial unsafe action and the failure to correct this initial failure. Priorities application (e.g., sequences with short times to core damage or functional failure, dependencies between systems that can perform plant functions) should eliminate many of the opportunities for such corrections (or recoveries). However, the ATHEANA team should investigate what opportunities for successful correction do exist, given the definition of the unsafe action and its explanation developed through the last step. For example, the amount of time available for correction is especially important. In addition, altemate or redundant sources of
| |
| % formation or additional personnel may be noticed or available later in the scenario. Next, the ATHEANA team should identify how such recovery actions might fail (i.e., the opportunities for correction are eliminated or minimized) by repeating Steps #11 A-14A, as needed.
| |
| The ATHEANA team should compare the error-forcing context developed with the characteristics of serious accidents listed in Tables 5.6 and the complicating factors not usually modeled in PRAs given in Table 5.7. Both of these tables can be considered templates for error-forcing contexts.
| |
| 'The example scenario developed thus far, if based upon real plant conditions rather than information problems, corresponds with that conjectured in previous HRA efforts (e.g., Dougherty (Ref. 7.8)) in which the operators experience a conflict of goals. However, the example provided here presents a real conflict and the "right" response to such a situation can only be decided after the accident is over and the consequences assessed. In other words, depending on the specifics of the accident sequence, the operator action ofinitiating RHR early may either be successful and avert plant damage, or be unsuccessful and cause plant damage (e.g., RHR pump failures and consequential damage due to the inability to remove heat), In both cases, the action taken by operators is a circumvention but the consequences, and th: assignment of whether that vtion is an operator failure or not, may not be forseeable at the time that operat, ors must make their decisions.
| |
| NUREG-1624, Draft 7-54 l
| |
| | |
| 3
| |
| : 7. Search Process l
| |
| It is especially important that the team look for potential dependencies between the explanations and EFC elements for the initial unsafe action and the failure to correct the initial action. Also, the team should recognize that " initial mindsets" (i.e., situation models) can be very diGicult to break. (See the Oconee 3 example, especially the diagnosis log, given in Section 5 as well as the more detailed analysis given in Appendix B.) Also, operators can be distracted (or be too busy) with other activities, thereby missing cues and opportunity for action. Finally, operators often canjustify the delay of actions beyond their criter:a for performance, especially if plant hardware is "almost" fixed or returned to service (or initially failed by operator slips or lapses) and the consequences of the action are considered extreme. (See, for example, the Davis Besse loss of feedwater event in 1985 in Appendix B.) Any new EFC elements that are associated with the recovery action should be added to the EFC identified for the initial unsafe action in order to complete the EFC for the HFE that will be modeled in the PRA.
| |
| 733 Path B: Slips and Lapses As discussed in Section 7.3.1, the explanations for unsafe actions due to slips and lapses are similar because both involve unintentional, execution failures that have similar causes. In fact, the only distinction between slips and lapses that is important to the following Path B search steps is whether such failures are unrecoverable or can induce mistakes. This section describes the steps in searching for explanations of unsafe actions due to unrecoverable slips / lapses or slips / lapses that can induce mistakes.
| |
| 733.1 Step #10B: Identify If the Slip / Lapse Is " Unrecoverable" In this step, the ATHEANA team must determine if the unsafe action that is a slip or lapse causes an " unrecoverable" failure that leads to core damage or function failure. Two ditTerent definitions of" unrecoverable" should be considered:
| |
| (1) plant hardware is irreparably damaged (2) plant hardware is so damaged, re-aligned, etc., that the time to restore this hardware is longer than the time to core damage or function failure Identification ofunrecoverable failures will rely upon the ATHEANA team's knowledge ofhardware and system design, dependencies between systems and equipment, operator controls, etc. Support from additional plant staff may be helpful as well.
| |
| For the unsafe actions due to slips / lapses that are determined to be unrecoverable, the team can I proceed to Step #12B. All other slips / lapses should be investigated further in Step #1IB.
| |
| I I
| |
| In order to assist in the identification of possible unrecoverable slips / lapses, the ATHEANA team should refer to examples of unsafe actions and challenging contexts in simulator tests (e.g., plant-specific and generic, such as those in NUREG/CR-6208, Ref. 7.7) and operational experience (e.g.,
| |
| plant-specific, industry, ATHEANA-provided). Also, as in the ATHEANA Path A steps, the ATHEANA team should encourage " thinking ahead" to any specific contextual factors with links 7-55 NUREG-1624, Draft
| |
| : 7. Search Process to or that further explain why an unsafe action could occur. Again, as in the ATHEANA Path A steps, the ATHEANA team should record these specific contextual factors and save them for later use.
| |
| 73.3.2 Step #11B: Identify If the Slip / Lapse Can Induce a Mistake In this step, the ATHEANA team must identify if a slip / lapse can cause or contribute to a failure in situation assessment. Examples of such slip / lapses are undiscovered, human-induced failures of hardware (ix., equipment or indications) and undiscovered omissions in initiating equipment. The ATHEANA team should identify such examples of slips / lapses, then briefly examine their importance in causing situation assessment failures by performing Steps #10A and #11A for mistakes. If the ATHEANA team is convinced that the slip or lapse can induce a mistake, then the ATHEANA team should continue to investigate this unsafe action. This investigation should continue in Step #12B and the work performed in Steps #10A and #11 A saved. All other slips or lapses (i.e., those that have not been shown :o be able to induce a mistake) should be dropped from further analysis.
| |
| As in Step #10B, the ATHEANA team should use examples of unsafe actions and challenging contexts in simulator tests and operational experience to assist in the performance of this step. Also, the ATHEANA team should encourage " thinking ahead" to any specific contextual factors with links to or that funher explain why an unsafe action could occur. The ATHEANA team should record these specific contextual factors and save them for later use.
| |
| 7333 Step #12B: Identify the Psychological Causes of Slips / Lapses Psychological factors, contextual factors (including triggered PSFs), or both may be the cause of slips and lapses. In this step, the ATHEANA team should determine the potential psychological explanations for unrecoverable slips / lapses and slips / lapses that can induce mistakes. Table 7.18 provides exahnples of psychological reasons for execution failures (i.e., response implementation in the information processing model). Some of these examples indicate et imply contextual factors which can be pursued f,Tther in the next step.
| |
| As shown in Step #11B, plant-specific and generic simulator and operational experience can supplement the examples given in this table to assist in the search process. Once again, in this step the ATHEANA team should encourage " thinking ahead" to any specific contextual factors that link to or further explain why an unsafe action could occur. The ATHEANA team should record and save these specific contextual factors for later use.
| |
| 733.4 Step #13B: Identify the Contextual Factors that Can Cause Slips / Lapses This step develops the final explanations for slips / lapses through identification of contextual factors or EFC elements. There are two basic paths ofinvestigation in this step:
| |
| NUREG-!624, Draft 7-56
| |
| : 7. Search Process (1) . traditional human factors concerns (2) plant history (generic or plant-specific) that can create possible patterns of operator
| |
| ! behavior that are inappropriate for the specific accident situation
| |
| - Table 7.18 Failures in Response Implementation Failures in response implementation Search Questions to identify EFC elements Operators use incorrect indications, d6 splays or controla
| |
| . Displays separated from controls .Under what plant conditions must operators use controls that are separated from the related parameter displays and indications? '
| |
| . Relevant displays & controls not easily .Under what plant conditions must operators use displays or controls that are not easily identifiable (particularly ex-control identifiable, such as being limited to a small number of CRTs or using poorly labeled local room) indicators or controls? Under what conditions are operators called on to use indicators or controli where the labe!s are unclear or wrong?
| |
| . Controls normally used in other .Under what conditions must operators use indicators or controls that are located among similar.
| |
| contexts with other displays looking groups? Can the operators be required to use controls that are usually used in different operational contexts? In these cases it is possible for operators to inadvertently use the controls il l
| |
| the way that is normal for these other contexts but are inappropriate under the accident condition .
| |
| l Operators use controls or read j displays incorrectly l
| |
| . Controls operate in non-standard .Under what plant conditions must the operators use controls that have non-stereotypical manner operating mo".s?
| |
| l
| |
| * 0n% "Open"to the left
| |
| { - 'Up"or " increase"to the left . .
| |
| . Displays have non-standard scales or .Under what plant conditions must the operators use displays that have non-stereotypical display modes indicating modes?
| |
| l
| |
| - 'Up"or " Increase"to the left
| |
| .Under what plant conditions must the operators use displays that beve multiple display ranges?
| |
| l
| |
| .Under what plant conditions must the operators use displays that have multiple display modes (e g.. CRT displays)?
| |
| Multiple operators unable to perform task
| |
| . operators not available _ .Under what plant conditions can there be insufficient operators available to perform all the necessary tasks?
| |
| -operators performing other tasks
| |
| . Coordination not available or ineffective .Under what plant conditions can the response coordinator be preoccupied with performing othei tasks? For what plant conditions can the coordinator insufficiently trained?
| |
| . Communications not effective between .Under what conditions can the communication system be inoperable?
| |
| operators .Under what plant conditions can the communication system be unavailable? j
| |
| .Under mhat conditions can the communication system be ineffective? !
| |
| - islackout spots high ambient noise
| |
| .Lu what r conditions can non-standard or ineffective language pose a particular problem in op" os (e g.. similar sounding names and equipment numbers)?
| |
| i The investigationinto human factors causes should include such traditional issues as man-machine interface (e.g., poor interface design, distributed locations for control manipulation) and possible workload problems. Such an investigation should take into consideration that there ve many other, more detailed sources ofinformation on human factors or ergonomic concerns that are related to slips / lapses (e.g., Part I of Swain's NUREG/CR-1278 (Ref. 7.9) and Ref. 7.10) that can be of use.
| |
| Of course, the identification of possible human factors-caused slips / lapses may also be aided by plant-specific or generic examples from simulator tests or operational experience.
| |
| Operating experience (both actual and simulator)cancause operators to behave in certain ways. In 7-57 NUREG-1624, Draft
| |
| : 7. Search Process particular, frequent or recent experience with certain initiators or accident sequences can " train" operators to expect the same initiators / accident sequences with the same response, despite the fact l
| |
| that either a different initiator or a different accident sequence can occur. Obviously, the best way j
| |
| l to identify such potential behavior pattems is to review plant-specific and generic simulator and operating experience for examples of similar unsafe actions and associated contextual factors. j For unsafe acticns that are unrecoverable slips / lapses, the search for EFC elements ends with this step. For slips / lapses that can induce mistakes, the investigation continues with the performance of Path A steps and the EFC elements identifiedin this step should be saved to add to the EFC elements identified through the performance of Path A steps. Also, as mentioned in Section 7.3.1, both Path A and Path B should be investigated for each candidate unsafe action.
| |
| 7.4 References 7.1 US Nuclear Regulatory Commission,IndividualPlant Examination Program: Perspectives on Reactor Safety and Plant Performance, Volumes 1, 2, and 3, Division of Systems Technology - Office of Nuclear Regulatory Research, NUREG-1560, Washington, D.C.,
| |
| October 1997.
| |
| 7.2 US Nuclear Regulatory Commission, The Use of PRA in Risk-Informed Applications, Division of Systems Technology - Office of Nuclear Regulatory Research, NUREG-1602, Washington, D.C., June 1997.
| |
| 7.3 M.T. Barriere, W.J. Luckas, D.W. Whitehead, and A.M. Ramey-Smith, BrookhavenNational Laboratory: Upton, NY and Sandia National Laboratories, An Analysis of Operational Experience During LP&SandA Planfor Addressing Human Reliability Assessment issues, NUREG/CR-6093, Albuquerque, NM, June 1994.
| |
| 7.4 M.T. Barriere, W.J. Luckas, J. Wreathall, S.E. Cooper, D.C. Bley, and A.M. Ramey-Smith, Brookhaven National Laboratory: Multidisciplinary Frameworkfor Analyzing Errors of Commission and Dependencies in Human Reliability Anolysis, NUREGICR-6265, Upton, NY, August 1995.
| |
| 7.5 Cooper, S., Ramey-Smith, A., Luckas, W., and Wreathall, J., Human-System Event ClassificationScheme(HSECS)DatabaseDescription,BNLTechnicalReport L-2415/95-1, December,21,1995.
| |
| 7.6 AIT Report, Salem Unit 1, April,7,1994, Loss ofCondenser Vacuum (and Loss ofPressure Control- RCS FilledSolid), Report Nos. 50-272/94-80 and 50-311/94-80, USNRC,1994.
| |
| 7.7 E.M. Roth, R.J. Mumaw, and P.M. Lewis,An Empirical Investigation of Operator Performance in CognitivelyDemandingSimulatedEmergencies, Westinghouse Science and Technology Center, NUREG/CR-6208, Pittsburgh, PA, July 1994.
| |
| NUREG-1624, Draft 7-58
| |
| : 7. Search Process 7.8 Dougherty, E. and Fragola, J., Human Reliability Analysis - A Systems Engineering Approach with Nuclear Power Plant Applications, John Wiley & Sons, Inc.,1988.
| |
| 7.9 A.D. Swain and H.E. Guttmann, Human Reliability Analysis with Emphasis on Nuclear Power Plants - Final Report, Sandia National Laboratories: NUREG/CR-1278, Albuquerque,NM, August 1983.
| |
| 7.10 Seminara, J., W. Gonzalez, and S. Parsons, Human Factors Review ofNuclear Power Plant Control Room Design, EPRI NP-309, March 1977.
| |
| 7-59 NUREG-1624, Draft
| |
| | |
| 8 QUANTIFICATION ATHEANA requires a somewhat different approach for quantification from those used in earlier HRA methods. Where most existing methods have assessed the chance of human error occurring l under nominal accident conditions (or under the plant conditions specified in the PRA's event trees I
| |
| and fault trees), quantification in ATHEANA becomes principally a question of evaluating the probabilities of specific classes of en or-forcing contexts (EFCs) within the wide range of altemative conditions that could exist within the definition of the scenario. However, before delving into the practical approaches for quantification, it is important to review the ATHEANA framework and to consider the interaction between the search process for EFCs and unsafe actions (UAs), and quantification.
| |
| Section 2 introduced the multidisciplinary human reliability analysis framework used in ATHEANA.
| |
| Figure 2.1 illustrates the framework. Quantification starts with definition of the human failure event (HFE) requiring quantification, and description in the context of the PRA model and the scenario ofinterest. That is, the analyst understands the HFE for which a probability is to be determined, as well as how and where that HFE and its associated probability will be factored into the PRA model to represent a failed function, system, or component. To determine the probability of the HFE of interest, and as shown in Figure 2.1, the scenario description must be in terms of those plant conditions and performance shaping factors that together form the applicable EFC. The EFC, in turn " triggers" underlying error mechanisms that result in the performance of one or more UAs. The UA, if not recovered, is the specific human action that results in the HFE ofinterest. Quantifying the probability of the HFE is a matter of determining and combining (a) the probability of the EFC (i.e., the probabilities of the appropriate plant conditions and the existence of relevant performance shaping factors that need to co-exist to make up the EFC), (b) the probability of the UA given the EFC and considering the applicable error mechanisms, and (c) the probability that the UA is not recovered before the applicable function, system, or component is " failed" in terms of the PRA.
| |
| Section 7 provided guidance on how to identify potentially significant EFCs and UAs that could lead to human failure events (HFEs). However, recognition exists that this search process is somewhat open-ended-at least at the current level of maturity of ATHEANA. In practice, the end point of the search process occurs when the analyst feels assured that the EFC is sufficiently well defined that both the frequency of the context and the conditional likelihood of the UA in that context can be estimated with an appropriate degree of confidence. Examples discussed in the demonstration provide suggestions as to the degree of specificity to be expected in these analyses (See Appendix A, Section A.6).
| |
| This degree ofinteraction between the search process and the quantification process is a feature of ATHEANA that is perhaps more explicit than in the application of other HRA methods. In practice however, such interactions have always been a part of applying these methods in PRAs. The analyst begins the search as guided by Section 7, performs early quantification using guidance from this section, considers the results, and decides either to stop, ending the ATHEANA process, or to return to Section 7 and continue the search. The intention of the following discussion is to help decide when the search process is complete or when further analysis of the context is appropriate.
| |
| 8-1 NUREG-1624 Draft
| |
| : 8. Qaantincation 8.1 Testing for Adequacy of the Error-Forcing Context Before completing the quantification step, the ATHEANA team should test for the adequacy or l
| |
| " completeness" of the EFC. By adequacy or completeness, it is meant that the definition of the EFC is sufficiently complete for understanding what operator actions are likely; these is only a limited degree of uncertainty in expecting what actions are likely. In other words, while claiming
| |
| " completeness" can never be possible in a predictive analysis such as HRA/PRA, the ATHEANA team should satisfy itself that each identified EFC describes a situation in which the occurrence of the UA is very likely and that identification of the important EFCs for the UA occurs.
| |
| The ATHEANA team can use the following four activities to test the " strength" of an EFC:
| |
| (1) performance of Step 14A of the EFC search process (2) performance of EFC trial runs (3) comparison of EFC elements with characteristics of past operational experience (4) comparison of EFC elements with human performance checklists The ATHEANA team should perform the first test, Step 14A, as part of the EFC search process, as discussed in Section 7.3.2.5. In addition, the ATHEANA team should perform'at least one of the other three tests, listed in order of preference. Tests 3 and 4 may be performed to assist in the performance of the second test. Finally, tests 2,3 and 4 may also be used in making the judgments described in the next section.
| |
| For the first test, the ATHEANA team may choose to either repeat or simply review the results of Step 14A in the EFC search process. In this step, the analysis aims at searching for reasons why the operators will persist in believing that the UAs taken initially are still the "right thing to'do." This includes perfonning reviews oflists of possible cognitive failures (often tied to contextual factors) provided from the behavioral sciences, weaknesses in operator performance observed in past operational experience, and common contextual factors observed in past serious accidents and near misses.
| |
| The ATHEANA team reviews the identified EFC with respect to these various lists, identifying and verifying what contextual factors to include in order to fit the historically observed patterns of serious accidents and near misses. Consequently, performance of Step 14A may result in the addition ofelements to the EFC description, either those that must be explicitly quantified (e.g., plant condition / hardware factors) or those that help further explain why an UA may occur (e.g.,
| |
| . psychological factors).
| |
| For the second test, there are two possible ways of doing a " trial run" of an EFC:
| |
| (1) Develop, then perform, a simulator exercise for the EFC, followed by a debriefing interview of the exercise participants (either operators or trainers).
| |
| (2) Perform a talk-through and interview with operators or trainers.
| |
| NUREG-1624, Draft 8-2
| |
| : 8. Quantification In both cases, either the "real-life performers" (i.e., operators) or the plant personnel who know the operators best (e.g., trainers) should function as the assessors of how challenging the EFC is. In the case of simulator exercises, it is not necessary for the modeled UA to actually occur. Rather, the focus should be upon infonnation gathered in the de-briefing interview regarding how challenging the EFC was, or could have been (if additional factors had been present). For both the simulator exercise de-briefing interview and the talk-through, the ATHEANA team should develop a series of questions that help to elicit the opinions of the operators and/or trainers regarding potential performance difficulties in the situation defined by the EFC. Simulator exercises or talk-throughs may also reveal additional imponant factors (e.g., plant conditions or behavior) that require inclusion in the EFC description. The EFC search process may also have included this activity. In order to satisfy that the EFC is " complete," the experts consulted mustjudge the scenario defined by the EFC to be both plausible and challenging enough that there is a reasonable chance of the associated UA occurring. As stated above, the third and fourth tests, discussed immediately below, can be performed during the simulator de-briefing or talk-through interviews to assist in performing this second test.
| |
| In the third test, the ATHEANA teams should compare EFC elements and description with characteristics of past serious accidents and near misses and simulator exercises. If available and relevant, use plant-specific experience. In addition, the ATHEANA team should use the event analysis of the TMI-2 event (Ref. 8.1) and the summary of characteristics for the simulator exercises performed in NUREG/CR-6208 (Ref. 8.2), shown in Tables 8.1 through 8.4, to make such comparisons. Either the ATHEANA team or operators and/or trainers (who have some understanding of the background and objectives of ATHEANA) may make the comparisons. As in the second test, the purpose of the third test is to determine if the EFC description is convincing with respect to whether or not the associated UA will occur. However, this third test provides examples of EFCs using past operational experience that resulted in UAs (although not necessarily UAs that would be modeled as HFEs). While the specific EFC elements will not be the same, the goal of the comparisons is to verify that the EFC identified by the ATHEANA process fits the general pattern of past accidents and near misses.
| |
| The fourth and last test is similar to the third test except that this test compares the EFC being tested to generic characteristics of challenging contexts, rather than specific characteristics observed in past operational expenence. The ATHEANA team may use the " cognitive demands checklist" provided in Appendix D of NUREG/CR-6208 when performing this test.
| |
| In addition to the evaluation of the EFC for completeness using the above guidelines, there is also a need to confirm whether the EFC and the associated UAs effectively include the potential for recovery or whether recovery needs to be analyzed separately. Discussion ofissues associated with the evaluation and quantification of recovery actions in themselves are in Section 8.3.3.
| |
| 8.2 Formulation of Quantification As mentioned in the introduction to this section, the foundation for quantifying human failure events is to consider three separate but interconnected stages in the quantification process:
| |
| 8-3 NUREG-1624, Draft
| |
| : 8. Quantification
| |
| . the probability of the EFC in a particular accident scenario
| |
| . the conditional likelihood of the UAs that can cause the human failure event
| |
| . the conditional likelihood that the UA is not recovered prior to the catastrophic failure of concern (typically the onset of core damage as modeled in the PRA)
| |
| Table 8.1. Characteristics of NUREG/CR-6208 Simulator Tests: Test ISLOCA1 Event
| |
| | |
| == Description:==
| |
| Leak from reactor coolant system (RCS) to residual heat removal (RHR) via leakage through two hot leg isolation valves on suction side of RHR train A, or via back-leakage through check valves going to cold legs, followed by break of RHR pipe in auxiliary building.
| |
| General features Snecific hinderina elernents No transition to interfacing systems Early accident symptoms (e.g., containment radiation alarms loss-of-coolant accident (ISLOCA) because of ruptured pressure relief tank (PRT) designed to procedure look like a loss-of-coolant accident (LOCA) inside containment.
| |
| Event dynamics carefully timed so that operators are directed to LOCA inside containment procedure before being directed to check for ISLOCA symptoms (then no path from inside containment LOCA procedure to ISLOCA procedurel Diagnosis ofleak required integration RHR high discharge pressure alarm (i.e., important clue) of multiple symptoms across different occurred before reactor trip (and easily missed).
| |
| systems High PRT temperature and pressure indications before trip By the time that radiation symptoms appear in the Aux. Bldg, the RHR pipe has already broken and then there is no record of high RHR discharge pressure except on alarm printout Multiple systems connected to PRT No detailed procedural guidance Eventually, step is reached that simply states "try to identify and isolate the leakage."
| |
| No procedural guidance on what symptoms or indications to look for (i.e., knowledge-drive monitoring).
| |
| No procedural guidance on what mitigating actions might be appropriate (e.g., isolating an emergency core cooling system
| |
| [ECCS) system during a LOCA).
| |
| No guidance on appropriate justifications for actions Procedure steps required adaptation to The step regarding steam generator (SG) pressure " stable or stay on appropriate path. increasing" had to be re-interpreted using training and knowledge of emergency operating procedure (EOP) background documents in order to avoid a continuous "DO" Innn j NUREG-1624, Draft 8-4
| |
| : 8. Quantification Table 8.2. Characteristics of NUREG/CR-6208 Simulator Tests: Test'ISLOCA2 Event description: Leak from RCS to RHR via leakage through two hot leg isolation valves on suction side of RHR train A, or via backleakage through check valves going to cold legs, followed by 1 break in RHR heat exchanger to the component cooling water (CCW) system General features Snecific hinderina elements No transition to ISLOCA procedure Event dynamics carefully timed so indications of radiation in the Aux. Bldg. did not appear until afler the crew passed the transition step to the ISLOCA procedure.
| |
| OR Crews transferred to safety injection (SI) termination procedure from LOCA procedure before transition step reached.
| |
| EOP rules of usage provide no basis for returning to transition step (after passed).
| |
| Diagnosis ofleak required integration Two leaks needed to be identified and isolated: 1) RCS to RHR of multiple symptoms across different leak and 2) RHR to CCW leak systems RHR high discharge pressure alarm (i.e., important clue) was suppressed; crews had to rely on indirect indicators of RHR problem.
| |
| High PRT temperature and pressure indications before trip Multiple systems connected to PRT No detailed procedural guidance Eventually, step is reached that simply states "try to identify and isolation the leakage."
| |
| No procedural guidance on what symptoms or indications to look for (i.e., knowledge-drive monitoring).
| |
| No alarms on RHR indicators (e.g., RHR di., charge pressure and temperature) that would direct the crews attention to the RHR system.
| |
| No monitoring of RHR relief valve to PRT svailable.
| |
| No procedural guidance on what mitigating r.ctions might be appropriate (e.g., isolating an ECCS system during a LOCA).
| |
| While ISLOCA procedure contained guidance for isolating RHR leak, no guidance in EOPs that addressed RHR to CCW ieak.
| |
| Procedure steps required adaptation The step regarding SG pressure " stable or increasing" had to be to stay on appropriate path. re-interpreted using training and knowledge of EOP background documents in order to avoid a continuous "DO"
| |
| ! loop.
| |
| For two crews, EOPs direction had them in a continuous "DO" l
| |
| loop between LOCA and Si termination procedure, when appropriate path was to the Post-LOCA Cooldown procedure (but no procedurally-directed way to do so because literal criteria for transitinn nre not met) !
| |
| l S-5 NUREG-1624, Draft
| |
| : 8. Quantifiention Table 8.3. Characteristics of NUREG/CR-6208 Simulator Tests: Test LHS1 Event description: Loss of heat sink event with total loss of feedwater that is never recovered, and leaking power-operated relief valve (PORV)
| |
| General featuren Snecific hinderino elements Diagnosis ofleaking PORV required PORV opened to reduce pressurizer pressure but never fully discrimination of plant behavior due recloses.
| |
| to known factors (i.e., operator PORV not reclosed but " reads" closed.
| |
| induced cooldown) versus that due to Early symptoms ofleaking PORV (e.g., decreasing pressurizer additional plant faults (i.e., leaking level and pressure) can be attributed to cooldown being PORV). controlled by operators.
| |
| Later symptoms (e.g., pressurizer level going up, bubble forming in reactor vessel, loss of subcooling, activity in the PRT) must be integrated with early symptoms in order to identify steam space leak.
| |
| Plant conditions and procedures focus Loss of Heat Sink procedure provided no explicit guidance for crew on one high priority problem dealing with a leak on the m imary side.
| |
| (when two exist). Initiating plant parameters tuned so that SG levels never reached feed and bleed criteria.
| |
| Main and auxiliary feedwater failed throughout event.
| |
| Delays introduced in trying to restore feedwater (e.g., aux.
| |
| operators going to wrong valve, being unable to manuallyjack open valves, breaking feedwater regulator valve actuators, etc.)
| |
| resulting in many calls to the control room.
| |
| Procedural guidance minimal Only procedural guidance to support the decision to manually initiate SI is in a caution that stated: "Following block of automatic Si actuation, manual Si actuation may be required if conditions degrade." (SI blocked by earlier procedure steps.)
| |
| Interpretation of caution required.
| |
| No procedural guidance EOPs do not provide any guidance in identifying a steam space leak.
| |
| Loss of Heat Sink procedure provided no explicit guidance for dealing with a leak on the primary side.
| |
| Decision-making among multiple and Manual initiation of SI would impede effects to recover conflicting goals required feedwater.
| |
| Manual initiation of SI would increase probability of having to resort to less desirable means of achieving a heat sink (i.e., feed and bleeM ,
| |
| I l
| |
| i NUREG-1624, Draft 8-6 l
| |
| : 8. Quan..ification Table 8.4. Characteristics of NUREG/CR-6208 Simulator Tests: Test LHS2 Event
| |
| | |
| == Description:==
| |
| Loss of heat sink event with total loss of feedwater, eventually recovered, and leaking PORV that could be terminated by closing the PORV block valve General features Snecific hinderina eternents l
| |
| Diagnosis ofleaking PORV required PORV opened to reduce pressurizer pressure but never fully discrimination of plant behavior due recloses.
| |
| to known factors (i.e., operator PORV not reclosed but " reads" closed.
| |
| induced cooldown) versus that due to Early symptoms ofleaking PORV (e.g., decreasing pressurizer additional plant faults (i.e., leaking level and pressure) can be attributed to cooldown being
| |
| :.ORV). controlled by operators.
| |
| Later symptoms (e.g., pressurizer level going up, bubble forming in reactor vessel, loss of subcooling, activity in the PRT) must be integrated with early symptoms in order to identify steam space leak.
| |
| Procedural guidance minimal Only procedural guidance to suppon the decision to manually initiate SI is in a caution that stated: "Following block of automatic Si actuation, manual Si actuation may be required if conditions degrade." (S1 blocked by earlier procedure steps.)
| |
| Interpretation of caution required.
| |
| No procedural guidance EOPs do not provide any guidance in identifying a steam space leak.
| |
| Loss of Heat Sink procedure provided no explicit guidance for dealing with a leak on the primary side. _
| |
| Procedure steps not appropriate for After recovering feedwater and returning to Reactor Trip specific situation. Response procedure, steps encountered that would undo actions taken to restore feedwater (e.g., closing feedwater isolation valves). j EOP step directs a manual initiation of SI if pressurizer pressure is bss than 1830 psi (which it was, but due to previous cooldown actions). (Omission of this step is only correct if PORV lenk was icninteri T l
| |
| 8-7 NUREG-1624, Draft l
| |
| : 8. Quantification While this is not dramatically different from the approach in other HRA methods, there are two aspects that set this method apart. First, both the UA and the failure to take a recovery action can be extremely dependent on the context, therefore consideration separate from the context is not valid.
| |
| For example, when the operators, based on their assessment of the situation, believe a system is not needed and turn it off, it is very unlikely that the operators would revise their assessment if there is little change in the context that led to the initial termination. Second, the relationship between the UA and the recovery opportunity are strongly dependent, especially for those cases where the UA involves a mistake, since mistakes can persist for prolonged periods of time. For example, during the accident at TMI-2, the operators persisted in their belief that high pressure injection should remain throttled for several hours despite contradictory indications (see the discussion of the TMI-2 event in Appendix B). In other words, once an erroneous action has taken place, the operators can persist in that belief even when the context does cht.nge; people are often very persistent in maintaining an erroneous belief--see the discussion on the psychological bases of ATHEANA in Section 4.
| |
| The basic process for quantification can be represented in a simple equation:
| |
| P(HFE,j) = P(EFC,)
| |
| * P(UAj lEFC,)
| |
| * P(RlEFC, A UAj A E,j) (8.1) where:
| |
| P(HFE,,,) is the probability of human failure event, HFEg ,, resulting from unsafe action U4 occurring in context EFC, and not being recovered given the EFC, the occurrence of the UA, and the existence of additional evidence following the unsafe action (E,,).
| |
| Appendix D presents a more extended discussion of the formulae that provide the basis for quantifying human failure events. In addition, Section 8.3.3 provides additional discussion of the incorporation and quantification of recovery actions.
| |
| 8.3 Quantification Process The three basic elements considered in the quantification process are: the probabilities of the EFC, the UA, and the recovery actions. Each element is discussed in turn.
| |
| 8.3.1 Quantification of EFCs The EFC represents the combination of plant conditions and performance shaping factors that are judged likely to give rise to the UA. For applications of ATHEANA that are extending analyses of existing PRAs, the EFC is often a subset of the scenario defined by the accident sequence path on an existing event tree.
| |
| For example, if the analysis being performed is of human actions that might terminate coolant injection during a medium loss-of-coolant accident (LOCA), the PRA will almost certainly have an event tree that represents core damage resulting from failure to achieve adequate coolant injection.
| |
| NUREG-1624, Draft 88
| |
| | |
| I j
| |
| l
| |
| : 8. Quantification The conditions under which operators may possibly terminate injection will encompass one or more of the paths on the tree.
| |
| Therefore, once the identification of an appropriate initiating event has occurred and the corresponding event tree is selected, the purpose of this step is to calculate the probability of the context occurring, given the occurrence of an initiating event. In some cases, the EFC may occur within the definition of an accident sequence within the event tree. In that case, it may be appropriate to model the EFC as a subset of the accident sequence. In this case, the calculation of the probability of the EFC would be conditional and dependent on the occurrence of the accident sequence.
| |
| There are two separate, though strongly related, elements to the EFC as described in Section 7: the
| |
| , plant conditions, and the performance shaping factors.
| |
| 8.3.1.1 Plant Conditions As discussed earlier, plant conditions encompass the physical state of the plant, the operability of equipment, and operations and evolutions that are under way. For example, the plant conditions would include the initiating event and its influence on the plant. For many EFCs, the initiating event would only partially define the plant conditions. For example, in the case of a medium LOCA, the plant conditions might only apply to a narrower range of leak rates than those defined by the specification of the medium LOCA.
| |
| In order to quantify the probabilities of these conditions, the ATHEANA team must gather plant-specific information. The details ofinformation to gather depends on the EFC defined using the I
| |
| guidelines in Section 7. Information that might be required may include the following examples:
| |
| = frequencies ofinitiators (especially those defined in more detail than provided in the PRA)
| |
| = frequencies of certain plant conditions (e.g., plant parameters, plant behavior) within a specific initiator type
| |
| . frequencies of certain plant configurations, evolutions, etc.
| |
| l
| |
| . failure probabilities for equipment, instrumentation, indications, etc. j
| |
| = dependent failure probabilities for multiple equipment, instrumentation, indication, etc.
| |
| failures e unavailabilities of(especially, multiple) equipment, instrumentation, indications, etc. due to maintenance or testing
| |
| . frequencies of restoration, calibration, and other latent human failures that leave (especially, multiple) equipment, instrumentation, indications, etc. failed 8-9 NUREG-1624, Draft
| |
| : 8. Quantification As stated earlier, the infonnation needed to quantify using ATHEANA will depend upon the specific EFC elements identified in the search process. The quantification of the various EFC elements identified may require a variety of different types ofinformation. Since specific EFC elements and plant-specific information sources are not predictable, this section describes the collection of f
| |
| information in a general sense only. The ATHEANA team also must consider the plant-specific information resources that are available to them for quantification purposes.
| |
| There are several ways in which the ATHEANA team may derive plant condition and hardware information listed in order of preferred usage:
| |
| (1) statistically (2) from engineering calculations (using assumptions, estimates, etc.)
| |
| (3) using quantitative judgments from experts (4) using qualitative judgments from experts Plant-specific operational experience (e.g., plant trip history, equipment failure histories, maintenance logs) is the principal source of statistically-derived information. The ATHEANA team may have already derived some information (e.g., initiating event frequencies) for the purposes of the PRA. The ATHEANA team may use industry information (e.g., generic operational experience, vendor data) if plant-specific information is not available or is too sparse.
| |
| The ATHEANA team may use engineering calculations to derive EFC element probabilities or frequencies if operational experience is not available, either because the contextual factor rarely occurs or because data are not directly collected for a specific parameter or factor. Such engineering calculations may include the following examples:
| |
| . the likelihood of equipment being demanded in certain situations (e.g., likelihood of a PORV demand given a loss of offsite power transient
| |
| = the probability of a fire spreading, given it has begun
| |
| . the time between loss of heating, ventilation, and air-conditioning (HVAC) systems and the occurrence of a room high-temperature alarm In some cases, the ATHEANA team may use existing calculations (e.g., those performed to support the PRA, those used to support other engineering analyses or licensing submittals). However, the engineering calculations that require performance do not need to be formal analyses. The ATHEANA team may use simple estimates using available information and simplifying assumptions'.
| |
| ' As in any PRA analysis, assumptions should be documented. Also, if the associated HFE probability results in either a very high or low value, the assumptions ought to be re-examined for overconservatism or over-simplification.
| |
| NUREG-1624, Draft 8-10
| |
| : 8. Quantification If data are not available to either derive the necessary frequencies or probabilities, then the ATHEANA team should interview plant personnel in order to derive the necessary inputs to quantification. In order to elicit these expeitjudgments, the team should seek out the plant personnel with the appropriate topic-specific knowledge and experience. Often plant experts are unable to provide quantitative inputs directly in the form needed for quantification. The team should construct interview questions that allow the experts to use their knowledge bases. The team then will need to interpret the information provided and transform it into the form required for ATHEANA quantification. In some cases, plant-specific experts may be able to provide rough quantitative estimates based upon their past experience and knowledge that require little manipulation to transform them into inputs. In other cases, plant experts may be able to provide only qualitative estimates which will require greater interpretation and manipulation (and probably some judgment on the part of the ATHEANA team) before producing the appropriate inputs for quantification.
| |
| 8.3.1.2 Performance shaping factors Deficiencies of performance shaping factors can require two different types of PSF-related information:
| |
| (1) probabilities of PSF deficiencies triggered by the context defined by the plant conditions and hardware EFC elements; and (2) probabilities or frequencies of PSF deficiencies triggered randomly or periodically (i.e.,
| |
| independently of the plant condition / hardware EFC elements).
| |
| From previous discussion of the theory underlying ATHEANA and the process for applying it, it should be obvious that the role of performance shaping factors is quite different in ATHEANA than it is in most previously developed HRA methods. In ATHEANA, assessments of a predefined list of PSFs is not a requirement. Rather, the team should identify PSF deficiencies that are extensions of, or important additions to, the EFC, and include them in the quantification to the extent addressed in the quantification method. For example, in one scenario, it may be that faihire of an indicator for a particular parameter is an essential feature of the EFC. Separate modeling of deficiencies in the display of that parameter would comprise double-counting.
| |
| However, the approach used to quantify the probability of UAs and the PSFs presents a potential relationship between the two to consider. Specifically, the ATHEANA team may use different quantification methods to accomplish quantification of UAs. One such method, tested briefly during the demonstration, is the Human Error Assessment and Reliability Technique. (HEART)
| |
| (Ref. 8.3). Section 8.3.2 briefly discusses this method. There are other techniques developed, such as the INTENT HRA method (Ref. 8.4), that appear to have the potential to provide probability estimates for the likelihood of UAs. However, ATHEANA demonstrations have not included tests of these other methods Each method uses different PSFs depending on the context and the type of UA. Therefore the ATHEANA analysts should examine which PSFs are in need of consideration for these methods.
| |
| l l
| |
| 8-11 NUREG-1624, Draft
| |
| : 8. Quantification Of the two types of PSFs, assessment of the crew's operating conditions for a partially developed EFC determines information associated with the first type of deficiency. PSF deficiencies that are expected tc be identified as being important to an EFC may include the following examples:
| |
| . no procedural guidance for the specific situation
| |
| - procedural guidance inappropriate for the specific situation
| |
| = no training for the specific situation
| |
| . training inconsistent with required actions
| |
| . no indications provided a no indication of actual status (e.g., position indication not read off of valve stem)
| |
| In the case of procedures, the ATHEANA team is likely to make such assessments while performing other ATHEANA process steps related to " rules." Identification of other PSF deficiencies may also occur during the EFC search process.
| |
| The ATHEANA team should perform PSF deficiency assessments as part of quantification. This identification of PSF deficiencies need only be done during quantification if it was not done previously. Regardless of when the assessment is performed, this first type of PSF deficiency is an inherent part of the context examination. Certain plant conditions, or other contextual factors, defm' ed in the EFC, trigger or reveal this type of PSF deficiency, a "go/no-go" type. If such a deficiency is identified as being triggered or revealed by an EFC, then the probability of such a deficiency is assessed as 1.0. Since they are an inherent part of the context, PSF deficiencies (with a probability of 1.0) do not make an additional contribution to the likelihood of the overall EFC.
| |
| However, such PSF deficiencies should be documented as part of the EFC. This documentaiton will be used in performing the tests for " completeness" and in making judgments regarding the conditional probability of an UA occurring, given the context.
| |
| The second type of PSF deficiency is considered similar to a type of plant condition in the sense that their probability of occurrence is essentially independent of the plant conditions. Two examples of these kinds of PSF deficiencies are as follows:
| |
| * sub-optimal human performance due to the time of day (i.e., early morning hours)
| |
| = sub-optimal crew performance due to abnormal crew makeup or structure Operator performance degradation due to these types of PSFs is well known and documented in human factors or psychological literature. Furthermore, these PSFs are not specifically tied to any context. Historical records can be of use in calculating or determining the frequency of the conditions that trigger these PSFs (e.g., early morning hour shifts, changes to normal crew assignments due to vacations, illnesses, etc.). The ATHEANA team may add such PSF deficiencies (and their quantifiable frequencies) to an EFC or use such factors in sensitivity analyses. In either case, like the first type of PSF deficiency, the ATHEANA team must later make judgments about the importance of these PSF deficiencies in assigning a conditional probability for the occurrence of an UA, given an EFC.
| |
| NUREG-1624, Draft 8 12
| |
| : 8. Quantification 8.3.2 Quantification of Unsafe Actions i
| |
| Different means of estimating a probability of a UA occurrence for three different situations are:
| |
| __(listed in order ofpreferred use):
| |
| (1) Situations where the plant conditions are such that the UA is virtually certain to occur.
| |
| Examples include those events where failed or misleading information occur that meet
| |
| . procedural criteria, for which there is limited or negligible redundancy, and the action is
| |
| " normal and expected" for what the operators believe is happening. In this case, the probability of the UA ginn the plant condition is virtually 1.0.
| |
| (2) Situations where experienced training stafhave observed similarplant conditions in training '
| |
| and have observeda consistentfraction ofcrews to take the UAs being modeled. In this case, the probability of the UA, given the plant condition, is on the basis of the trainers' experience.
| |
| Similarly, it is possible to poll or evaluate different crews in those cases where the action and the context are specific but the factors that different crews may weight are somewhat uncertain. (An example in the demonstration was the case of whether operators would shut down the only running diesel generator ifits cooling was degraded during a station blackout.)
| |
| (3) Other situations where there is no direct evidence of UAs in the analyzedplant conditions.
| |
| Since derivation of the first two methods of quantifying UAs are directly from the scenario or by judgement of the trainers, the remainder of this discussion addresses the third type of situation.. In the example evenu analyzed during the ATHEANA demonstration, a trial of each of these approaches proved all were viable as ways for quantifying UAs.
| |
| Several sources of data exist that relate the likelihood of an action given the context defined by the plant conditions.~ Some of the commonly used HRA methods provide combinations of failure probabilities and performance shaping factors. For example, the Technique for Human Error Rate Prediction (THERP) (Ref. 8.5) provides failure probability estimates and PSFs for many different types of human actions. However, as noted in the development of the ATHEANA method, THERP and similar HRA methods model actions very different from those ofconcern in ATHEANA; these methods look primarily at simple slips and lapses while reading meters and procedures or selecting controls on panels. ;
| |
| One HRA method that does, in principle, analyze the types of UAs of concern in ATHEANA is the HEART. Development of this method was from an extensive review of human-performance
| |
| ' literature to develop a Stahaw of the effects of many different types of PSFs on error probabilities.
| |
| . HEART provides one way to quantify the probabilities of'UAs in the presence of EFCs, analysts must still make requiredjudgments to evaluate the likelihood of particular PSFs, however. HEART
| |
| ~
| |
| consists of two steps to quantify the likelihood of an UA. First, the analyst identifies a generic task
| |
| . description that most closely corresponds with the context of the action being analyzed. The list of 8-13 NUREG-1624, Draft
| |
| : 8. Quantification generic task descriptions, together with their associated failure probabilities (both point value and uncertainty range) are shown in Table 8.5.
| |
| Following selection of the generic task description, there are a series of performance shaping factors to use in adjusting the failure probabilities. Table 8.6 presents the performance shaping factors used in HEART.
| |
| Users wishing to use the HEART method should refer to the above reference for details of applying the method in practice.
| |
| Table 8.5 HEART Generic Task Failure Probabilities Generic Task Description Failure Probability Totally unfamiliar, performed at speed with no real idea of 0.55(0.35 - 0.97) likely consequence Complex task requiring high level of comprehension or skill 0.16(0.12 - 0.28)
| |
| Fairly simple task performed rapidly, or given scant attention 0.09(0.06 - 0.13)
| |
| Routine, highly practiced, rapid task involving relatively low 0.02 (0.007 - 0.045) levels of skill Shift or restore system to a new or original state following 0.003 (0.0008 - 0.007) procedures, with some checking 4
| |
| Completely familiar, well-designed, highly practiced routine 4x10 (8x10" - 9x10'3) task occurring several times per hour, performed by highly motivated, highly trained and experienced person who is totally aware of the implications of failure, with time to correct potential errors, but without the benefit of significant job aids 4
| |
| Respond correctly to system commands even when there is an 2x10 (6x10+-9x10") 'j augmented or automated supervisory system providing accurate internretatinn nf the tyttem sinte Rviews of HEART observe that some of the generic task descriptions appear to incorporate some of the PSFs. When generic task description incorporates all possibly relevant PSFs, it is often the case that the resulting failure probability approaches 1.0. In practice, it is recommended that where the generic task incorporates the characteristics of a context, then application of the similar PSFs should not occur. This double-counting ofinfluences is not the intention of the HEART method.
| |
| l Concerning the use of multiple PSFs, the application of more than two PSFs to any generic task l failure probability is not recommended. Where the potential for application of more than two PSFs exists, selection should be on the basis of the two most influential PSFs.
| |
| For each scenario and UA to be evaluated, the analyst, with the operations experts (e ,,, the training staff), should identify the degree to which the expected conditions that the operator face correspond with one of the generic task conditions listed in Table 8.5. For example, does the scenario defined NUREG-1624, Draft 8-14
| |
| | |
| 1 l
| |
| l
| |
| : 8. Quantification {
| |
| Table 8.6 HEART Performance Shaping Factors I
| |
| Error-Forcing Context Maximum Increase in Failure Prnhnhilifv Unfamiliarity with a situation that is potentially important, but 17 which occurs infrequently or is novel l A shortage of time available for error detection and correction 1I i A low signal / noise ratio 10 A means of suppressing or overriding information or control 9 features that is readily accessible No means of conveying spatial and functional information to 8 ,
| |
| operators inn a form they can readily assimilate l
| |
| A mismatch between the operators' model and that imagined by 8 l the designer i No obvious means for reversing an unintended action 8 A " channel capacity overload," particularly one caused by the 6 simultaneous presentation of non-redundant information A need to unlearn a technique and apply another that requires 6 the application of an opposing philosophy The need to transfer specific knowledge from task to task 5.5 without loss Ambiguity in the required performance standards 5 A mismatch between the perceived and the real risk 4 Poor, ambiguous, or ill-matched system feedback 4 No clear, direct and timely confirmation of an intended action 4 Inexperienced operator 3 An impoverished quality ofinformation conveyed by 3 procedures and person / person interaction I ittle or nn independent checking nr testino nf nutnutc 1 by the EFC always correspond with one of the conditions, and as such does the task involve complex operations that require a high level of skill or comprehension? If so, then the nominal failure probability for the UA would be 0.16. The analyst can then evaluate the PSFs presented in Table l 8.6 to determine the degree of application.
| |
| ! In many cases, it is likely that the EFC will not completely specify the task demands as described in Tables 8.5 and 8.6. Two situations can arise by which the specifications in these tables do not match the event: first, the scenario sometimes matches different specifications; and second, the l scenario only partially matches the conditions.
| |
| In the first case, it is comparatively simple in principle to assess the relative fraction of events where the scenario matches the various task requirements. For example, perhaps in half the occurrences of the scenario (as modeled in ATHEANA), the task involves the complex operations mentioned earlier, and in the remaining half the task is completely familiar. In that case, the model of the 8-15 NUREG-1624, Draft
| |
| : 8. Quantification scenario should take place with half the frequency of the EFC being combined with an unsafe-action probability of 0.16, and half the frequency being combined with an unsafe-action probability of I
| |
| 4x10'.
| |
| 833 Quantification of Recovery Actions In ATHEANA, the modeling of recovery actions is less clear-cut than in several other HRA methods simply because the scope of the EFC used to define the context for the action can often include the characteristics that give rise to recovery actions in other methods. For example, in ATHEANA, the performance of the crew is considered to be part of the UA without treating actions or observations of other crew members as separate " recovery" elements. In addition, much of the emphasis in ATHEANA involves mistakes in understanding the plant conditions or in following inadequate or inappropriate response plans. In these cases, recovery can be much less likely than in the cases where the UAs involve simple slips or lapses such as simply selecting a wrong switch. The
| |
| - following discussion expands and illustrates these points further to provide a basis for assessing the potential for recovery actions in plant-specific applications.
| |
| In ATHEANA, the basic concept of developing a significant EFC is that the context can be strong enough that, given the associated UA, a guarantee of failure is assured. However, as discussed earlier, development of the EFC is an iterative process with quantification. The development of all
| |
| ' EFCs will not be to the point that recovery is impossible. Even for a very strong EFC, it is necessary to test the strength by developing recovery scenarios and weighing the strength of the EFC against the opportunities for recovery and the strength of the cues calling for recovery. The analyst is cautioned to consider the strength of the cues within the existing context established by the EFC and the revised situation assessment on the basis of having carried out the UA.
| |
| Development of the recovery scenarios is a systems analysis / cognitive analysis task. Given the existing plant condition at the time of the UA, the analyst must apply knowledge of the plant design and operations along with an understanding of the physics to predict what sequence of cues the plant will generate. With each new cue or evidence EiE2, ..., there is a new opportunity for recovery.
| |
| With reference to equation 8.1, consider the chance for recovery at a series of successive cues Ei ,
| |
| E2, ..., and the probability of failure to recover at each step R,, 3R ... Now as described in Appendix D, each probability of non-recovery is conditioned on the existing context up to that point.
| |
| The sequence of cues over time must be compared with the time available for recovery. Then the analyst must evaluate the total probability of non-recovery for the chain'of cues that will develop during the available time. (Note that the length of this chain may be uncertain. If so, then quantifying non-recovery for the various possible cue chains, weighted by each chain's likelihood of being the correct length, will be a strong measure of the overall uncertainty in quantification of the HFE.)
| |
| Quantification of the probability of non-recovery for the chain of cues is conditional on the original EFC, the UA and the revised context that arises out of the UA and consequent chain of cues. There
| |
| - NUREG-1624, Draft 8-16
| |
| : 8. Quantification is no formula for this process. The process finds its basi s relying heavily on judgment constrained by the knowledge in the previous sections on quantification.
| |
| An example from an earlier ATHEANA publication (Ref. 8.1) assists the analyst in assessing the significance of context in creating a strong dependent effect. The example is on the basis of an event at Oconee 3 that occurred during shutdown conditions in 1991 (Ref. 8.6). Before stroke testing the decay heat removal (DHR) suction valve from the recircuh tion sump, an operator attached a blank flange to the drop line and verified it in place. This is the large line that is used for open loop recirculation cooling following a LOCA. Immediately after the valve was opened, actuation of a reactor building emergency sump high level alarm occurrei.i. The operator took no action because this is a small sump to collect minor leakage and it fills and is pumped down routinely. The operator did not suspect a connection with the valve manipulation on the RCS bounday. So the first cue has come and gone and without recognition as evidence.
| |
| A short while later the second cue arrived. The operator observed the reactor vessel level already dropped to 20 inches and decreasing. The following table lists the full chain of cues that were generated by this event. For purposes of discussion, assume that this is the list of cues developed by the analyst to support their recovery analysis:
| |
| Table 8.7 Potential Recovery Opportunities, Oconee,1991 Accident Symptom or Cues E i . Reactor building emergency sump high level alarm E2. Reactor vessel level reading at 20" and decreasing E3. Reactor building normal sump high level alarm E4Reactor vessel ultrasonic low level alarm (i.e., no water in hot leg pipe nozzle E3. High Pressure in reactor building verifies reduction in reactor vessel level and increasing radiation E.. Low pressure injection (LPI) pump "A" current fluctuating downward E,. Evidence that reactor coolant system was not refilling Now the recovery analysis would ask, what is the probability of non-recovery (within the available time) given the original EFC, the UAs, (which have not yet been completely described), and the changes in context as a result of the UA and the string of cues? Without a consideration of the EFC and changes in context, traditional approaches that assume the associated non-recovey probabilities to be independent would generate a probability of non-recovery that is very low indeed. In fact the individual non-recovery probabilities R,, R,,, ,... would be expected to be quite low. The argument might proceed as follows:
| |
| 8-17 NUREG-1621, Draft
| |
| | |
| i
| |
| : 8. ' Quantification l The operators have stroked a valve on the RCS boundary that is protected by a temporary blankflange, potentially opening apath to containment. It ispossible that they could consider E, as the normal result ofleakage in containment, but n
| |
| it is a potentially sigm*ficant cue and would be investigated Let us assign a typical " conservative " non-recoveryprobability of 0.1.
| |
| 1 :
| |
| Now, when observation shows the reactor vessel level to be decreasing, it is l i
| |
| nearly certain that the operators will close the sump valve. They have clear evidence of a loss of RCS inventory and will certainly respond to the loss of coolant. From THERP Table 15-3for errors ofomission in carrying out written j produces we estimate the probability ofK, as 3x10~'. Thus the non-recovery ~f l probability after E, is K, x K, = 3x10'*.
| |
| As the analysis continues, it is probable that the most conservative value assigned to the individual non-recovery factors is 0.1. Let us assume that our analysts' thermal hydraulic analysis found that, by the time cue E, arrived damage would already be present. In that case, the total non-recovery 4
| |
| probability (through K 3) would be 3x10 . But this event actually continued through E pver a period of about 23 minutes before the operators decided to check the line that they had opened to the sump, as discussed in Table 8.8. Previous circumstances set them up so that they were unable to view the sequence of events as evidence of what really occured.
| |
| 8.4 Representation of Uncertainties Uncertainties exist in the estimates of the probabilities of the EFC, the UAs, and the recovery actions. The probabilities of the plant conditions are largely derived from plant experience or other operating data in the same way that many other parameters are derived in the traditional quantification tasks of a PRA. The approaches used in those traditional approaches are similarly appropriate here. - For those PSFs that are independent of the context, a similar approach to estimating the uncertainties in the plant experience orjudgment can be used as for uncertainties in the probabilities of the plant conditions. For those PSFs that are inherently associated with the plant conditions (such as the procedures are not applicable in the plant conditions), in most cases these PSFs have a probability of 1.0 given the plant conditions and do not have an associated uncertainty separate from that of the likelihood of the plant conditions themselves.
| |
| In the case of the UAs, as discussed earlier, there are three difTerent ways in which to estimate the probabilities. Different strategies provide estimates in the uncertainties in each case. First, in those cases where the probability ofthe UA occurring isjudged to be virtually certain, the recommendation is to use an uncertainty range of 0.5 to 1.0.
| |
| Second, is the case where training staff have a body of experience in training on similar scenarios where a consistent fraction of crews' commit the UA of concern. If the numbers of crews ~ being evaluated and the namber of times they commit the UA are recorded, these data can be used to j
| |
| . develop an uncertainty distribution, such as using a X2 distribution. If experienced individuals j NUREG-1624, Draft 8-18
| |
| | |
| r ,
| |
| : 8. . Quantification Table 8.8 Recovery Opportunities vs.' Actions Taken
| |
| - Accident Cues Recovery Actual Recovery Response Opportunity (Table 8.7)
| |
| Reactor building emergency sump Ei - None high level alarm Reactor vessellevel reading at 20" E2
| |
| * Erroneous operation of reactor and decreasing vessel wide range level transmitter suspected Reactor building normal sump high E3
| |
| * Washdown operations suspected level alarm Reactor vessel ultrasonic low level E4 - Investigation of cause begun
| |
| ; alarm (i.e., no water in hot leg pipe - Entered Procedure nozzle) AP/3/A/1700/07, Loss of LPIin l
| |
| DHR Mode l
| |
| i '
| |
| High Pressure in reactor building Es
| |
| * None L
| |
| verifies reduction in reactor vessel l level and increasing radiation l
| |
| Low pressure injection (LPI) pump E. - Stopped pump "A" current fluctuating downward - Opened borated water storage tank (BWST) suction isolation valves Evidence that reactor coolant system E7 - Reclosed BWST isolation valves was not refilling - NLO sent to close 3LP-19 or -20 l Event stabilized I
| |
| provide the estunates and there are no recorded data, then processes exist to generate an uncertainty distribution on the basis of their collective estimates.
| |
| I With regard to the use of the HEART method, uncertainty ranges are provided for the probabilities of failure for the generic task descriptions.' These should be used consistent with the guidelines of the HEART method itself.
| |
| Finally, as discussed above, in the case of the recovery actions, the same approach as used for other UAs making up the HFE is appropriate.
| |
| 8-19 NUREG-1624, Draft
| |
| : 8. Quantification 8.5 References 8.1 M.T. Barriere, W.J. Luckas, J. Wreathall, S.E. Cooper, D.C. Bley, and A.M. Ramey-Smith, Multidisciplinary Frameworkfor Analy:ing Errors ofCommission and Dependencies in Human Reliability Analysis, Brookhaven National Laboratory: NUREG/CR-6265, Upton, NY, August 1995.
| |
| 8.2 E.M. Roth, R.J. Mumaw, and P.M. Lewis, An Empirical Investigation of Operator Performance in Cognitively Demanding Simulated Emergencies, Westinghouse Science and Technology Center: NUREG/CR-6208, Pittsburgh, PA, July 1994.
| |
| 8.3 3. C. Williams, A Data-based Methodfor Assessing and Reducing Human Error to Improve Operational Performance,1988 IEEE Fourth Conference on Human Factors and Power Plants, Monterey, California, IEEE,1988.
| |
| 8.4 Gettman, D. l., et al., INTENT: a methodfor estimating human error probabilitiesfor decisionbased errors, Reliability Engineering and System Safety, 35,1992, pp.127-136.
| |
| 8.5 Swain, A. D. and H.E. Guttmann, Human Reliability Analysis with Emphasis on Nuclear Power Plants - Final Report, Sandia National Laboratories: Albuquerque, NM, NUREG/CR-1278, August 1983.
| |
| 8.6 U.S. Nuclear Reg'ulatory Commission,0conee Unit 3, March 8,1991, Loss ofResidual Heat Removal, Regional Augmented Inspection Team Report No. 50-287/91-008, Washington, DC, April 10,1991.
| |
| NUREG-1624, Draft 8-20
| |
| | |
| l l
| |
| 9 INCORPORATING ATHEANA SCENARIOS INTO PRA The process for incorporating human failure events (HFEs) that are identified, defined, and quantified using ATHEANA into the probabilistic risk assessment (PRA), is generally identical to that already performed in state-of-the-art human reliability assessments (HRAs). A description is provided delineating the explicit steps and practices used to incorporate ATHEANA events. In l addition, the guidance identifies some differences between ATHEANA and other HRA methods, ;
| |
| such as those used in performing the Individual Plant Examinations (IPEs), that require attention in the application process.
| |
| 9.1 Scope of the ATHEANA Guidance for PRA Incorporation The guidance regarding the incorporation of HFEs into the PRA model addresses only post-initiator HFEs. Since it is assumed that all U.S. plants already have completed HRA as part of their IPE submittal, the focus of this guidance is the addition of ATHEANA-generated post-initiator HFEs to PRA models, and not the modification of currently modeled HFEs. Specifically, the focus is on new errors of commission that would be identified as a result of applying the ATHEANA search scheme.
| |
| In principle, this guidance also could be used in re-evaluating existing HFEs in a PRA model.
| |
| However, as a result of applying ATHEANA, these HFEs may need to be redefined, which in turn may require changes to the relevant event tree / fault tree structures and dependencies with other post-initiator HFEs. Note that the subsequent discussions may not be applicable for other than "at-power" PRAs.
| |
| It is not likely that many new HFEs will be identified when using ATHEANA to add to existing PRA models. However, as discussed in the description of the ATHEANA search process (Section 7), each of these HFEs may represent more than one potential unsafe action and associated error-forcmg j context (EFC).
| |
| 9.2 Goals of PRA Incorporation The goals ofincorporating HFEs into the PRA are the same for ATHEANA as they are for existing HRA methods:
| |
| . Properly reflect the interfaces between operator actions and plant functions, systems, and equipment.
| |
| l
| |
| . Represent human-system interactions (i.e., HFEs) in the proper context of accident sequences.
| |
| . Enable and to facilitate PRA quantification.
| |
| * Facilitate cut set reviews.
| |
| l . Facilitate review and documentation of appropriate HFE and event tree / fault tree modeling.
| |
| 1 9-1 NUREG-1624, Draft
| |
| | |
| i
| |
| : 9. Incorporating ATHEANA Scenarios into PRA 9.3 Defining HFEs as PRA Events The description of the ATHEANA search process included guidance on how HFEs are to be defined for ATHEANA applications. The following key features of ATHEANA HFE definitions are important with respect to PRA incorporation:
| |
| . HFEs are defined as human-caused failures of required plant, system, or equipment functions and, by themselves, do not provide complete explanations for these failures.
| |
| i
| |
| . Each HFE has associated unsafe actions that define the specific ways in which plant, system, or l equipment functions are failed by human actions or inactions.
| |
| {
| |
| . Each unsafe action has one or more associated error-forcing contexts. Each error-forcing context consists of an explanation (from behavior science) for why the operator would perform the action or actions which fail die plant, system, or equipment fuc.ction, coupled with contextual factors (e.g., plant conditions and associated PSFs) that trigger the operator's behavior. These plant conditions and performance shaping factors (PSFs) are illustrated by the following examples:
| |
| (a) instrumentation unavailabilities and/or failures (either random, hardware failures or human-caused)
| |
| (b) human-caused, pre-initiator hardware failures (c) plant configurations (i.e., hardware unavailabilities, especially in limiting conditions of operation)
| |
| (d) gaps in procedures Typically, none of these are adequately modeled in current PRAs. Furthermore, to add the necessary modeling to PRAs directly would create an unmanageable model, and would either include many events that are not risk-important or would exclude events that would only be identified from the perspective of human performance, as guided by ATHEANA. Consequently, while the elements of an error-forcing context may look like basic events that should be included directly in the PRA (rather than "causes" of human failure), to do such direct modeling,is not practical.
| |
| . Like event tree headings, each HFE represents the consequences (e.g., plant or core damage) of operator activities over a period of time (typically determined by thermal-hydraulic calculations).
| |
| During this period of time (often called the "available time"), ATHEANA assumes that there will be operator activity, although a full, dynamic model of operator behavior is not provided (or required).
| |
| * In ATHEANA, the operator activities that occur during the time period before plant or core damage and are included in the HFE definition, are as follows:
| |
| NUREG-If,24 Draft 9-2
| |
| : 9. Incowrating ATHEANA Scenarios into PRA (a) An initial failure, or combination of failures that is followed by a second failure to recover i the initial failure (e.g., operators' initial, incorrect situation assessment and resulting actions, followea by the failure to correct that initial situation assessment).
| |
| l (b) Some or all of the activities that are associated with all four information-processing stages (monitoring / detection, situation assessment, response planning, and response implementation). However, some of these activities will not be performed or will not be performed successfully. Also, some or all of these activities will be influenced by (i.e.,
| |
| somewhat dependent upon) a previous failure in information processing (e.g., an incorrect situation assessment that results in compounding failures).
| |
| (c) Other actions that operators may take that do not result in significant changes to plant configuration, conditions, or status an'i do not create new accident sequences or plant damage states. While these actions are ncluded implicitly, generally it is not important to explicitly identify these actions. (Actions that do create new accident sequences or plant damage states should be associated with a separately defined, but dependent, HFE.)
| |
| * The HFEs, and associated unsafe actions and error-forcing contexts of highest priority using ATHEANA are those predominantly associated with plant, system, and/or equipment functions whose failure leads directly to plant or core damage and for which the available time for operator action is relatively short. (See Section 7 regarding priority screening as part of the search process, for suggestions regarding priorities to be used in applying ATHEANA). Consequently, in most cases, no subsequent (and possibly dependent) operator actions represented by HFEs need to be considered in these sequences.
| |
| 9.4 Refinement of HFE Definitions In the midst of performing HRA/PRA, there often is the need to refine the initial HFE definitions.
| |
| There are five possible outcomes of refinement:
| |
| (1) A new HFE is added to the model.
| |
| (2) An existing HFE is deleted from the model, (3) An existing HFE is subdivided into more than one HFE.
| |
| (4) An existing HFE that is used in more than one event tree or event tree branch is re-defined as several similar, but not identical HFEs.
| |
| (5) Two or more existing HFEs are combined to form a new, hybrid HFE.
| |
| l In general, performance of the appropriate refinement of HFE definitions for ATHEANA is in the same way as using existing HRA methods Four guiding factors that should be used in HFE refinement are given below:
| |
| 9-3 NUREG-1624, Draft
| |
| : 9. Incorporating ATIIEANA Scenarios into PRA (1) For either adding or de'eting HFEs, the guidance given above concerning HFE definitions should be used.
| |
| (2) An existing HFE should be split into multiple HFEs only if new information or interpretations of information indicate that actions included within the original HFE definition are independent of one another and should be modeled separately. (See aho the guidance above for HFE definitions.)
| |
| (3) An existing HFE should be re-defined as several similar, but separate, HFEs if, any of the following criteria exist:
| |
| (a) The accident sequence timing or plant conditions represented by two different initiator event trea are significantly different and these differences can significantly impact human reliability. Two or more representative PRA contexts should be used to define separate, but similar, HFEs that consequently will have different quantified probabilities (b) For an event tree for a single initiator, the variations in accident sequence timing or plant conditions represented can significantly impact human reliability. As in (a) above, two or more similar but separate HFEs should be defined (along with associated different event tree branches).
| |
| (c) Different error-forcing contexts associated with an HFE can result in different consequences with respect to plant, system, or equipment failures, requiring additional event tree branches and associated plant end states.
| |
| (4) A combination of two or more existing HFEs into a new, hybrid HFE should occur if new information or interpretations ofinformation indicate that actions associated with the original HFEs are dependent upon one another. Examination of all sequences with multiple MFEs should result in identification of possible dependencies and the need for HFE refinement.
| |
| Particular care should be given to instances of multiple HFEs if one of the HFEs is one that has been added by ATHEANA because definitions of HFEs in ATHEANA typically will include or assume more operator activity than HFEs defined using existing HRA methods.
| |
| (See also the guidance above for HFE definitions.)
| |
| 9.5 Impact on the PRA Logic Structure Familiarity with the PRA pmvides the analysts with a framework for identifying possible human failure events (HFEs), associated unsafe acts, and potential error-forcing contexts worthy of examination by ATHEANA. This part of the search process originates from the understanding that the PRA provides conceming which combinations of functional and system failures must occur in order to result in an undesired outcome (usually core damage). The ATHEANA search process enlists corresponding familiarity with plant equipment, typical operations, plant response dynamics, emergency procedures and training, and other characteristics of the plant and its operations.
| |
| NUREG-1624, Draft 9-4
| |
| )
| |
| : 9. Incorporating ATHEANA Scenarios into PRA l
| |
| Realization of the full impact of any HFE, in terms of risk-significance, does not occur until quantification and incorporation of the HFE into the PRA model. Once this is done, the assessment of the contribution of the HFE to overall risk is possible. In like manner risk-related insights gained from the results, and cost-effective risk-reducing strategies development is possible, where warranted.
| |
| Hence, an important aspect of using the ATHEANA process includes guidance on incorporating the ATHEANA-defined HFEs back into the PRA model. Since all U.S. nuclear utilities already have a PRA for their plant in response to the IPE program, this guidance assumes that such a model already exists and that the model simply requires modification to incorporate the ATHEANA-defined events. Before providing guidance on the incorporation of such events into the PRA model, it is valuable to first provide an overview of a typical PRA model as a basis for understanding how that model may need to be modified.
| |
| 9.5.1 Overview of the Typical PRA Model There is considerable variety in the details of how difTerent PRA analysts construct the PRA model for depicting nuclear power plant severe accidents. However, nearly all recent PRAs, including those performed in response to Generic Letter 88-20 and the IPE program, use inductive logic models called event trees in combination with deductive models called fault trees. (For background information on typical PRA modeling, see Ref. 9.1).
| |
| An event tree is a pictorial representation of the possible sequences of events that can occur following some initial challenge to plant operation, called an initiating event. These sequences are usually depicted by the success or failure of functions or systems that are significant in mitigating the effects of the initiating event. Necessary and sufficient combinations of functional / system successes lead to successful plant response to the initiating event; while sufficient failures are predicted to lead to damage to the reactor core, fission product release, and possible containment failure and release to the environment.
| |
| Fault trees are mostly used to model plant response at a lower, more detailed component level. Fault trees are deductive models that depict the combinations of failed equipment which must occur in order to fail the functions / systems of interest in the event trees. The basic events in the fault tree models represent the unavailability or failure states of plant equipment with the models constructed at a level commensurate with available failure data.
| |
| " Quantifying" the PRA means calculating the predicted frequencies of the sequences of events that lead to core damage. This is accomplished conceptually by first determining the probabilities of failure of the functions / systems in the model. A combination of these probabilities with the expected frequencies of the initiating events determine the expected frequencies of the undesirable core Amage sequences. The resulting solution process provides a series of expressions, each made up of the product of the initiating event and various basic event failures that together lead to damage to the reactor core. Each expression is called a " cut set" with each cut set having an associated frequency. Combining the frequencies of each cut set related to a single sequence yields an overall 9-5 NUREG-1624, Draft
| |
| | |
| j
| |
| : 9. Incorporating ATHEANA Scenarios into PRA i
| |
| GNITIATING 7 N ' 1 OK
| |
| --* \ h
| |
| \ 2 OK Sequence 3 Freqy= 1.1E 6/yr m _
| |
| Cut Sets:
| |
| \ ___
| |
| Ts gmenerData EventTree 3 CD > WFW*AFWS-CCF*HP!-PUMP
| |
| ' J \ LOFW'AFW5-CCF'HPI. VALVE
| |
| \
| |
| \
| |
| AFW3 FauRTree l l Motor Tream Tusbane Train raa, y.0,
| |
| , i p.,,,
| |
| ~
| |
| Pusny Dir. A Power St , y.3,, s.
| |
| vaa, is v.a, gre Figure 9.1. Overview of PRA Modeling.
| |
| frequency for that sequence, Combining the sequence frequencies yields the overall expected rate of occurrence (usually expressed as a probability per year) of core damage.
| |
| Figure 9.1 presents a simplified depiction of how the above modeling and data interrelate to form the PRA model. The extent to which the different modeling techniques are used and combined is dependent on such things as PRA scope and plant mode being analyzed (e.g., full power, refueling),
| |
| analyst preference, whether a detailed or only screening analysis is required, among other factors.
| |
| liowever, the above description, at least conceptually, encompasses the typical PRA modeling approach used by today's analysts.
| |
| 9.5.2 Treatment of Human Failure Events in Existing PRAs In order to address how to include the ATHEANA human failure events in the PRA model, it is first necessary to understand how PRA models have incorporated human failure events in the past. There are four places where human failure events are typically incorporated into the PRA model. These four places are shown in Figure 9.2 by highlighting the human modeling interfaces with the basic PRA model depiction shown in Figure 9.1. Each interface is discussed below.
| |
| Human-InducedInitiating Events
| |
| - The first place in the PRA model structure where human failure events are included (albeit implicitly) is in the identification of the initiating events and their expected frequencies. For a NUREG-1624, Draft 9-6
| |
| : 9. Incorporating ATHEANA Scenarios into PRA typical at-power PRA, initiating events include such challenges to the plant as turbine trips, loss of
| |
| ! feedwater, steam generate u be rupture, loss of offsite power, loss-of-coolant accidents, inadvertent l flow diversions during she.tN1, earthquake, etc. Many of these initiators can be human failure-induced, such as inadvertently _ causing a reactor scram during a half-scram test of the reactor protection circuitry. Since the frequencies of such human failure-induced initiating events are accounted for in the f!equency for each class of possible initiators, oftentimes no specific modeling of these human failure events is performed in the PRA. This is done for three reasons: first, it is assumed (even ifimplicitly) that there is little or no dependence between the cause of the initiating event and how plant staff will respond to subsequent events. Second, depending on the scope and objectives of the analysis, usually the PRA analyst only requires the initiating event frequency for the analysis and it is not necessary to understand why or how the initiator occurs. Third, in "at-power" PRAs, the human contribution to initiators is often considered to be small compared to that of hardware failures.
| |
| Human Failure Events in Event Trees Oftentimes the event trees in the PRA model explicitly depict human failure events in the event tree logic. Figure 9.3 provides an illustration. There is no industry-wide accepted rule or standard as to when to include such events in the event tree structure. However, this usually occurs when the human action ofinterest is a key part of numerous sequences in the event tree and the action is not particularly associated with a specific system or equipment item, but instead has functional repercussions regarding whether a successful or core damage outcome occurs. Sometimes, AFW HPI flNITIATING 7 g EVENTS i og Tubme Trip '
| |
| PRA Solution 4
| |
| _ 2 OK Sequence 3 Freqy = 1.1E4/yr Cut Sets;
| |
| \
| |
| n.geomer Data . EventTree 3 CD > IDFW*AFWS-CCF*HPI-PUMP k J -
| |
| \ IDFW*AFWS.CCF*HPI VALVE
| |
| \
| |
| \
| |
| name- gym Ph:
| |
| FA113 l F*
| |
| * l Fauh Tree kmr) l Motor Tram Tdmin Tram Fails Taas Faihue Data
| |
| > a I I KPIs Pusep Dir. A Power p.,, Sg y 3,, go ra _
| |
| Fa Fa p ra l
| |
| Figure 9.2. Overview of PRA Modeling with HFE Interfaces Shown.
| |
| 9-7 NUREG-1624, Draft l
| |
| 1
| |
| : 9. Incorporating ATHEANA Scenarios into PRA placement of such events in event trees is necessary to highlight the human failure event as a potentially very important part of the entire sequence of events that might occur. In current PRAs, these human failure events nearly always involve errors of omission, such as failure to depressurize the primary system in a steam generator tube rupture accident, failure to initiate feed and bleed, or '
| |
| failure to provide coolant lesel control in a boiling-water reactor (BWR) anticipated transient without scram (ATWS).
| |
| Human Failure Events in Fault Trees I
| |
| Explicit modeling of such human failure events in the appropriate fault trees may occur if the human action ofinterest is more easily associated with a specific system or equipment item in the plant, and failure of that action can contribute to failure of that system or equipment to perform its desired function. Figure 9.4 provides an illustration. Here the analyst attempts to define all the ways that human failures can credibly contribute to failure of the system or equipment ofinterest and estimates the probability of that failure, eventually in the context of each sequence in which failure of that system or equipment plays a role. The human failure events in the fault trees tend to include the following:
| |
| A1WS SLC High OperaEr Operator w/o Pressun Lowen Inktits ADS PCS Injection Level _
| |
| Figure 9.3. Illustration of HFEs in Event Trees.
| |
| i i
| |
| I l
| |
| NUREG-1624, Draft 9.g
| |
| : 9. Incorporating ATHEANA Scenarios into PRA SLC FAILS 1
| |
| h I I SIf Equip't Operator Fails Failures to Initiate SLC EU (post. initiator HFE)
| |
| BothPumps Both Squib System Lea Valves Fail Misabgned Fail Aner Testing (pre-initiator HFE)
| |
| Figure 9.4. Illustration of HFEi in Fault Trees.
| |
| (a) so-called pre-initiator errors involving omissions in maintenance, testing, or calibration activities that leave the equipment in a non-detected failed state such that the equipment cannot respond properly given an initiating event occurs (b) post-initiator events such as that shown in the illustration involving omissions in responding to sequences of events following an initiating event Failures to Perform Specific Recovery Actions l
| |
| Since not every combination of equipment failures that leads to core damage can be pre-determined before the model is solved, and for other calculation and modeling efficiency reasons, a variety of
| |
| " failure-to-recover" events are added to the PRA model during the last stages of quantification. This involves analyst examination of the sequence cut sets derived from solution of the PRA model, and on the basis of the combinations of failures in each cut set leading to core damage, the analyst postulates " reasonable" recovery actions that can be taken by the plant staff to divert the outcome ,
| |
| fmm core damage to successful mitigation of the accident. Failure to take the desired recovery 1 actions is included in the PRA model. This is done by adding events representing such failures to the sequence cut sets, thereby accounting for the probability that the plant staff will not be able to find a way to avert the core damage outcome by performing an action not explicitly included in the original model. Examples of such " failure-to-recover" events and how they are implemented in the model cut sets are shown in Figure 9.5.
| |
| 9-9 NUREG-1624, Draft L________-___-_____________.
| |
| : 9. Incorporating ATHEANA Scenarios into PRA Sequence Cut Sets Before Recovery:
| |
| TMFW
| |
| * AFWS-CCF
| |
| * HPI-CCF TMFW
| |
| * AFWS-CCF
| |
| * SWS-CCF
| |
| < TMFW
| |
| * AFWS-HVAC
| |
| * HPI-CCF j Sequence Cut Sets After Recovery:
| |
| TMFW
| |
| * AFWS-CCF
| |
| * HPI-CCF
| |
| * OPER-DEP-COND TMFW
| |
| * AFWS-CCF
| |
| * SWS-CCF (no recovery action)
| |
| TMFW
| |
| * AFWS-HVAC
| |
| * HPI-CCF
| |
| * OPER-DOOR where: TMFW = initiator; loss of main feedwater AFWS-CCF = common cause failure of AFWS HPI-CCF = common cause failure of HPI for feed & bleed SWS-CCF = common cause failure of Service Water OPER-DEP-COND = operator failure to depressurize and use condensate for steam generator feed OPER-DOOR = operator failure to open doors of AFWS rooms for ventilation Figure 9-5. Illustration of" Failure-to-Recover" Events in Cut Sets.
| |
| 9.5.3 Incorporating ATHEANA Human Failure Events in the PRA Model One of the primary criteria in the development of ATHEANA was to develop a technique that could be used in existing PRA model structures to the extent possible. Considering that, the following offers guidelines on how to incorporate the ATHEANA-defined human failure events in the existing typical PRA model.
| |
| Human-InducedInitiating Events -
| |
| . Since plant and industry experience data is used to identify and quantify the frequencies of most initiating events, no general requirement exists regarding decomposition ofinitiators into those that are human-induced and those that are not.' Nor is it necessary to model how such human-induced initiators might occur. Examination of actual experience can provide these insights and hence, using a modeling and quantification approach like ATHEANA, is oftentimes not necessary to build or quantify the PRA model.
| |
| However, this applies only when there is little or no dependence between the cause of the initialmg i event and how the plant staff will respond as the sequence of events unfolds. If there may bc a relationship between the initiating event and subsequent staff response, the ATHEANA process will ,
| |
| help uncover such relationships through identification and definition of error-forcing contexts. In . !
| |
| such cases, it may be desirable to develop or modify existing PRA models to address specific l
| |
| . NUREG-1624, Draft 9-10
| |
| | |
| i i
| |
| : 9. Incorporating ATHEANA Scenarios into PRA initiator-causing HFEs found to be of potential interest using ATHEANA (i.e., some HFEs may be analyzed as separate initiating events).
| |
| Human Failure Events in Event Trees This is the portion of the model where incorporation of the ATHEANA process will largely take place. Because the highest priority HFEs defined by ATHEANA tend to lead directly to the undesired outcome (usually core damage), the event tree structure is the ideal portion of the PRA model to_ incorporate such HFEs. Identification of these events should occur considering the initiating event being addressed, the related successes and failures associated with the undesired sequences containing the HFEs, and the possible error-forcing contexts accounted for using the 4 ATHEANA process. The HFEs should be defined so as to capture errors of commission (of highest .
| |
| 1 priority) and errors of omission which are missing from the present PRA model and would cause the i
| |
| undesired overall effect. For example, core cooling in the form of feed-and-bleed niay not be successful because the operator fails to initiate it (a form of omission which is usually found in l current PRAs) or because the operator prematurely stops feed-and-bleed thinking that it is no longer required (an error of commission to be added using ATHEANA).
| |
| Where to specifically place the ATHEANA HFEs in the event tree is largely subject to analyst preference. However, as is done currently in placing events in event trees, the expectation is that the placing of an additional ATHEANA HFE in an event tree will be deper. dent on how it relates chronologically to the demand of functions / systems involved in responding to the initiating event, where its inclusion will provide the most efficient analysis of all the possible sequences depicted by the event tree, and the logical dependencies of other events to the HFE in the sequence.
| |
| Additionally, it may be desirable or even required that if subsequent successes or failures in a sequence would significantly alter treatment of the incorporated HFE (such as due to providing new cues for action), the event tree may need to include multiple HFEs which are similar. However, definition and/or quantification would be different because of possible differences in timing, the plant status, etc.
| |
| I Figure 9.6 illustrates a possible incorporation of ATHEANA HFEs into a PRA event tree. In this illustration, incorporation of the ATHEANA HFE into the tree structure accounts for human failure '
| |
| to initiate or otherwise maintain the required function (in this case--core cooling) until a successful outcome is achieved. This illustration shows the intended (and most desirable) way ofincluding i
| |
| ATHEANA events into event trees; that is, by including a separate event tree branch that leads directly to core damage. Definition of the HFE must obviously be such that the undesired outcome I will be a direct result.
| |
| Human Failure Events in Fault Trees
| |
| . At least conceptually, incorporation of the ATHEANA method into the event trees may allow for elimination of some of the high level, functional or system-related HFEs currently modeled in the fault trees as post-initiator errors. This is because the anticipated ATHEAN/i HFEs will include 9-11 NUREG-1624, Draft
| |
| : 9. Incorporating ATHEANA Scenarios into PRA Tmfw RPS Secondary Primary (F&B) LongTenn Cooling Cooling Heat Removal OK CD OK CD CD !
| |
| ATWS EVENT TREE BEFORE ATHEANA INCORPORATION Tmfw RPS Operator Secondary Pnmary Long Term Initiates / Cooling Cooling Heat Remmalog Maintains Cooling CD i
| |
| OK CD CD CD ATWS EVEblT TREE AFTER ATHEANA INCORPORATION Figure 9.6. Illustration ofIncorporating an ATHEANA HFE in an Event Tree.
| |
| within their scope and definition, those events (typically only errors of omission) currently in the PRA fault trees. For example," failure to align the enhanced flow mode ofcontrol rod drive (CRD) injection" in a BWR PRA may be an existing human failure event in the fault tree for the CRD system. An ATHEANA-defined HFE involving the " failure to ensure adequate injection (regardless of the system)" added to the event tree would eliminate the individual CRD human failure event in the CRD fault tree since such a failure would be encompassed by the broader ATHEANA HFE definition. However, the pre-initiator HFEs and some equipment-specific post-initiator HFEs will remain in the fault trees.
| |
| While the ATHEANA development to date has not been aimed at addressing events such as the pre-initiator HFEs, the scope, definition, and quantification of these events already in the PRA could be I different. Not only would the current omission errors be considered, but these HFEs could also include errors of commission considering error-forcing contexts that may cause the undesired pre-
| |
| ~
| |
| initiator or equipment-specific HFE. Note that development of ATHEANA has not focused on these types of events, but instead on the broader events directly leading to core damage as discussed in the event tree subsection. i I
| |
| l NUREG-1624, Draft 9-12
| |
| : 9. Incorporating ATHEANA Scenarios into PRA Failures to Perform Specufic Recovery Actions As with the fault trees, some of the recovery events normally added to the cut sets after initial PRA model solution and quantification may be able to be eliminated; but only when the ATHEANA HFEs are broadly defined.to include failure to recover from the original error, as is intended with the ATHEANA process. For example," failure to switchover to an alternate water source" could be an existing recovery event added to cut sets involving loss of a primary water source. However, if an ATHEANA-defined HFE has been added to the model which involves the " failure of ensuring an adequate water supply (including consideration of switching to an attemate source when necessary)",
| |
| then the existing recovery event is no longer needed, since the broader-defined ATHEANA event already encompasses the recovery failure.
| |
| - Until the initial PRA model solution is obtained, all possible recovery considerations may not become evident. Some recovery events may, therefore still need to be applied as is currently done.
| |
| OverallSequence Quantification Considerations As with the current PRA practices, the analyst should exercise care in performing the final quantification of the accident sequences. The nature of the ATHEANA incorporation process may reduce the overall number of different HFEs in the model and reduce the number of times multiple HFEs appear in the same cut set (because of the broadly defined HFEs identified using ATHEANA).
| |
| However, entire elimination of the appearance of multiple HFEs in the same cut set may not be.
| |
| possible. When this condition does occur, the analyst must still address the same issues of considering dependencies among the HFEs in a cut set during final sequence quantification using existing HRA/PRA technology.
| |
| 9.6 Summary .
| |
| This section has provided guidance on incorporating ATHEANA-defined HFEs into existing PRAs.
| |
| Because the types of HFEs identified using ATHEANA will generally be broader in scope than many of those in the present PRA models, and the HFEs will encompass both errors of commission and errors of omission, this section has demonstrated a number oflikely effects on existing PRAs:
| |
| (1) addition ofnew ATHEANA-defined HFEs into the model, particularly at the event tree level, to cover HFEs not in the existing PRA model (2) possible elimination of some of the existing HFEs in the model since they will be encompassed by the added ATHEANA-defined HFEs l
| |
| (3) possibly having, as a result, less individual HFEs in the PRA model (This could simplify the quantification process by lessening the number of times dependencies amor.g multiple HFEs must be addressed because there will be less occurrences of multiple HFEs appearing in the same cut set (s).)
| |
| 9-13 NUREG-1624, Draft
| |
| (
| |
| | |
| 10 INSIGHTS FROM ATHEANA FOR RISK MANAGEMENT I
| |
| l The primary purpose of any nuclear plant probabilistic risk assessment (PRA) is to provide a means to understand and manage risk at nuclear power plants. Three steps must be carried out for risk I l
| |
| l management to be effective. First, identification and ranking of the risks must occur so that f resources can be applied most effectively in managing the risks. Second, a well-deflined understanding of the underlying reasons why the risks exist must be apparent. Third, identification and implementation of cost-effective solutions must take place to ensure adequate management of the most significant risks (i.e., lessened to the extent feasible and justifiable). To have an effective risk management program, the risk analysis technique must be able to supply the first two results so that identification and implementation of appropriate risk management solutions occurs.
| |
| 10.1 Overview of the Risk Management Implications of the Results From the ATHEANA Process The results of the ATHEANA process can be viewed from a variety of perspectives. At one level, is the determination as to whether there are additional risk-significant human failure events (HFEs) not currently captured in existing PRA/ human reliability analyses. In particular, a focus of the ATHEANA process is to identify errors of conunission that may be risk significant and not presently modeled in the existing PRAs for the plants. Additionally, using the ATHEANA approach, and focusing on error-forcing context may identify new errors of omission or at least a re-evaluation of the probability and risk importance of already identified errors of omission. Collectively, this information provides insights into additional human failure events that may be risk-significant, and through the PRA quantification process, updates the results of the PRA (revised core damage frequency, revised ordering of the dominant accident sequences, etc.) thereby providing a more complete quantitative assessment of nuclear power plant risk. This level of results addresses the first step mentioned above when implementing a risk management program.
| |
| At another level, the ATHEANA process, through its investigative nature, attempts to identify the underlying causes for these risk-important HFEs. The process requires the identification of conditions that may significantly increase the potential for HFEs (i.e., error-forcing contexts) in order to identify these risk-significant HFEs and quantify their likelihood. This aspect of the ATHEANA process addresses the second step mentioned above when implementing a risk management program.
| |
| The third step, risk management, can then be effectively carried out using both levels of results.
| |
| Once the results are understood in the full context of the PRA, risk management is carried out in several steps:
| |
| (1) Suggestpossible changes to reduce risk, cost, or both. Risk can be reduced through eifective changes of equipment, activities of plant personnel, and emergency response capabilities.
| |
| Better understanding of the factors affecting risk can reduce calculated risks uncertainties.
| |
| From the viewpoint of traditional PRA results this means to apply seasoned knowledge, in light of the PRA results, to envision possible changes. Some examples of risk reduction altematives follow:
| |
| 10-1 NUREG-1624, Draft
| |
| : 10. Insights from ATHEANA for Risk Management
| |
| * Changes to plant hardware-these are the obvious responses to risks involving plant equipment. These changes are often costly, however, and may involve retraining workers; therefore other attematives should also be considered, which may tum out to be more effective.
| |
| .- Changes to plant procedures-operating, maintenance, and emergency procedures, as well as off-site emergency response procedures, can be effectively modified and improved to reduce risk. Care must be taken to ensure that neither the training of personnel nor the level of performance is adversely affected by frequent or poorly analyzed procedural changes.
| |
| . Changes to plant training-training programs can be expanded to improve performance in the scenarios found to be the most significant contributors to risk.
| |
| In particular, new training techniques based on psychological understanding of significant HFE-EFC combinations can be developed. Most operational training is technology based, i.e., organized to teach facts about the plant, its operation, and hs l procedures, rather than organized to modify behavior under cognitively demanding circumstances. There are exceptions such as fire-fighting schools and the Navy's damage control school, where the focus includes intense indoctrination under physically and mentally demanding environments. Most simulator training is demanding, but focuses on programmed response to " nominal" accident sequences.
| |
| However, some recent nuclear power plant simulator training is stressing paradigms to improve the likelihood of successful communications .among operators (misunderstood, misinterpreted , and partially completed verbal interactions are common sources ofimproper situation assessment and response implementation in industrial accidents) and to force periodic team reassessment of past and future events (to break mindset and to test situation assessment).
| |
| . Improvement in underlying knowledge' can impact risk. Reducing uncertainties often has a tendency to reduce calculated average risks because the average is strongly affected by possibilities associated with upper uncertainty bounds. There are several appropriate target areas:
| |
| - Research,
| |
| - More accurate mechanistic calculations,
| |
| - Experiments to determine new physical knowledge,
| |
| - Experiments to detennine new knowledge of behavior and of the interaction between plant' conditions and human influences, and
| |
| 'An efficient way to gather and format knowledge from any of the listed sources is to convene a panel, whose members are experts in the area of knowledge sought, and conduct a formal elicitation process.
| |
| NUREG-1624, Draft 10-2
| |
| : 10. Insights from ATHEANA for Risk Management
| |
| - Improvements in PRA/HRA modeling; for example, more precise modeling of success criteria-risk models necessarily involve simplifications, approximations, and assumptions. Improvements in risk modeling are usually possible if analysts can refine their models by replacing conservative assumptions with detailed analyses.
| |
| (2) Evaluate the impact ofeachproposed change on risk and cost. The new, after change, plant-operator system is analyzed using the same tools, under the assumption that the change is in place and functioning in a realistic fashion. That is, do not assume that a fix is perfect; it will generally have some possibility of actually making things worse.
| |
| (3) Decide among the options. In addition to changes, it is usually appropriate to include the option, "Make No Change." There are fonnal tools for evaluating attemative strategies such as multi-attribute decision analysis. However, in practical applications, once the risk and cost (and their uncertainty) are well formulated, the selection of the best option is often obvious.
| |
| .10.2 Insights from ATHEANA Regarding Risk Management Using PRA The following sections discuss insights that are anticipated from the application of ATHEANA to plant-specific PRAs. Current HRA-related results identifyfor the risk-sigmficant HFEs identified thusfar such recommendations as procedure improvements, revised training focus, changes to plant status indications / alarms, improvements in ergonomic aspects of the plant design, etc. 'Ihe expectation is that a better understanding of the underlying causes of human errors anticipated from ATHEANA will result in more effectively crafted risk management options. The net result should be(1) a mere complete assessment of potentially risk-dominant HFEs, (2) a more effective management of the total risk represented by inappropriate human actions, and hence (3) a greater level of safety by further reducing the potential for HFEs.
| |
| 10.2.1 Possible Plant-Specific Insights and Subsequent Improvements ATHEANA, with its first generation documentation and guidance, was applied to a sampling of event sequences identified in a PRA from a PWR NPP. A description of this first test application is found in Appendix A. A team that included PRA and operations specialists from the plant performed this first test application. Based on the findings from this first application and their fidelity to previous expectations, as well as some unexpected results, the kinds of plant-specific insights that can be expected from wide-spread application of ATHEANA to other plants include:
| |
| . Instrumentation. Recommended changes can be exp ected in instrument design (redundancy, diversity, vulnerability to common cause failure) and in plant-status indications (more effective layout, better labeling, adding / subtracting indications and alarms, accessability).
| |
| * Procedures. Recommended changes can be expected in specific emergency procedures (eliminating points of ambiguity, providing additional cautionary notes, revisiting decision l 10-3 NUREG 1624, Draft l
| |
| l l
| |
| : 10. Insights from ATHEANA for Risk Management points in case sequence timing is other than expected for the anticipated case) and in administrative procedures to enhance communications and situation assessment.
| |
| ~
| |
| * Training. Recommended changes can be expected in some technical areas to provide operators with a better mental model of plant performance under particular degraded states and in developing specific cognitive skills. Particular focus should be in changing specific training to make operators aware of any identified error-forcing contexts, including new
| |
| . paradigms for breaking out of flawed situation models. New simulator exercises will be identified that can extend training into previously unexamined areas.
| |
| . Maintenance. Recommended changes can be expected in maintenance frequency and practices for particular equipment, to lessen the chances of some error-forcing contexts (i.e.,
| |
| those contexts that are induced, in part, due to current maintenance practices). Analysis of-ATHEANA results has indicated that cenain practices can lead to special kinds of EFCs that can have strong influence on operator performance. In particular, the following practices significantly increase the likelihood of UAs when unfamiliar event sequences occur:
| |
| - Plants allowing instruments and standby equipment to remain out of service for long time periods. Operators learn to rely on altemative indications that may not be reliable under all conditions.
| |
| - Plants allowing repeated occurrences of severe out-of-calibration instrumentation or failures ofinstruments. Operators fearn to mistrust their instruments.
| |
| - Plants allowing routine bypassing ofinterlocks and ESFs, orjumpering ofinterlocks.
| |
| . Corrective Actions. Because ATHEANA focuses on causal factors, retrospective analysis of plant events using the ATHEANA framework and information processing stages, plants can identify more effective corrective actions to incidents involving human error.
| |
| 10.2.2 Possible Insights of Value to the NRC and Industry As a Whole As plant-specific PRA studies using ATHEANA are completed and analyzed, new insights into the significant factors affecting risk should ar.cv the following objectives to be fulfilled :
| |
| . identification of new vulnerabilities (particularly regarding human-machine interfaces)
| |
| . identification of weaknesses in current training program requirements and identification of new paradigms for training
| |
| . identification of changes in operator quali6 cation exams l
| |
| NUREG-1624, Draft 10-4
| |
| : 10. Insights from ATHEANA for Risk Management e identification of additional factors to be considered when e. valuating the significance of l actual events (i.e., considering those factors that relate to human performance and inducing possible error-forcing contexts) l
| |
| . development ofinput to the NRC's Maintenance Rule identifying instruments for high-l priority maintenance, i.e., high-reliability requirements and prompt corrective action, because of their importance to human reliability
| |
| . identification of areas where the risk from HFEs are low (not risk significant from both l
| |
| ATHEANA and previous HRA perspectives) thereby providing potential for regulatory relief 10.3 Insights Regarding Additional Qualitative Benefits from Using ATHEANA Many qualitative applications of parts of ATHEANA can be useful long before extensive ATHEANA-HRA-PRA is accomplished. These arise in many areas. A few examples are provided below:
| |
| * Event analysis. The ATHEANA framework provides a multidisciplinary structure for the retrospective analysis of operational events. This point of view emphasizes the interrelationships that define error-forcing-context. It can expose immediately useful information on the causes of the events to put into place more effective barriers to the recurrence ofidentical and related types ofevents in the future. It will encourage updating of the plant-specific knowledge base with new information to help in future HRA work.
| |
| * Internal communications. The structured brainstorming approach of ATHEANA and the recommended team makeup promote individuals from different groups within the licensee's organization to work more closely toward the common goal of improving human performance. In fact, the use of ATHEANA may cause interaction among groups that heretofore has been minimal.
| |
| * Root cause analysis. When it is incorporated into the root cause analysis process, the ATHEANA framework provides a structure for examining the human contribution to significant plant problems and the underlying causes for that contribution.
| |
| 10.4 GeneralInsights ATHEANA provides a useful structure for understanding and improving human performance in operational events. As described earlier in this report, ATHEANA originates from a study of operational events and from an attempt to reconcile observed human perfonnance in the most serious j of these events with existing theories of human cognition and human reliability models, within the l
| |
| context of plant design, operation, and safety. ATHEANA provides useful structures for l accomplishing several tasks associated with the analysis of human performance:
| |
| l l
| |
| 10-5 NUREG-1624, Draft l
| |
| | |
| i
| |
| : 10. Insights from ATHEANA for Risk Management a retrospective analysis of operational events
| |
| * proactive search for HFEs, UAs, and EFCs
| |
| * root cause analysis Although the qualitative benefits are of considerable value, it is the quantitative use of the ATHEANA process in PRA that can bring clarity to the complex question of overall benefit. This integrated view of plant operation is a necessary foundation for the risk ranking ofinsights for decision-making and identifying the most cost-effective improvements. !
| |
| 4 l
| |
| NUREG-1624, Draft 10-6
| |
| | |
| I l
| |
| l l
| |
| APPENDIX A DEMONSTRATION OF ATHEANA AT A PRESSURIZED WATER REACTOR NUCLEAR POWER PLANT I
| |
| l i
| |
| l
| |
| | |
| APPENDIX A. DEMONSTRATION OF ATIIEANA AT A PRESSURIZED WATER REACTOR NUCLEAR POWER PLANT l
| |
| A.I Introduction Over the past several years, the U.S. Nuclear Regulatory Commission (NRC) has sponsored the development of a new method for performing human reliability analyses (HRAs). A major impetus for the program was the recognized need for a method that would not only address errors of omission (EOOs) but also errors of commission (EOCs). Both Sandia National Laboratories (SNL) and Brookhaven National Laboratory (BNL) have participated in the development of the new method, referred to as A Technique for Human Event Analysis (ATHEANA). Although several documents have been issued describing the basis and development of ATHEANA (e.g., Refs. A.1, A.2, A.3),
| |
| two documents were drafted to initially provide the necessary documentation for applying the method. They are the frame-of-reference (FOR) manual, which served as the technical basis document for the method, and the implementation guideline (IG), which provided step-by-step guidance for applying the method. (These two documents are now integrated into this document, NUREG-1624.) Together, the two documents presented the information needed to identify, characterize, quantify, and integrate, potential human failure events (HFEs), unsafe actions (UAs),
| |
| and their error-forcing contexts (EFCs) into probabilistic risk assessment (PRA) models. HFEs, UAs, and EFCs are critical elements of the ATHEANA method and are defined as follows:
| |
| . HFE A basic event that is modeled in the logic models of a PRA (event and fault trees), and that represents a failure of a function, system, or component that is the result of one or more UAs. An HFE reflects the PRA systems' modeling perspective.
| |
| = UA Actions inappropriately taken, or not taken, when needed by plant personnel that result in a degraded plant safety condition.
| |
| * EFC The situation that arises when particular combinations of performance shaping factors (PSFs) and plant conditions create an environment in UAs are more likely to occur.
| |
| Upon the completion of the draft FOR manual and the drafl IG in April 1997, along with several
| |
| " step-throughs" of the process by the development team, the method was ready for a third-party test.
| |
| A demonstration of the method was initiated at a pressurized water reactor (PWR) nuclear power plant (NPP)in July 1997.
| |
| The main goals of the demonstration were as follows:
| |
| a test the ATHEANA process as described in the FOR manual and the IG, e test a training package developed for the method, e test the hypothesis that plant operators and trainers have significant insight into the EFCs that can make UAs more likely and A.1-1 NUREG-1624, Draft
| |
| | |
| A.1 Introduction
| |
| ! * ' identify ways to improve the method and its documentation.
| |
| A set of four criteria to evaluate the " success" of the ATHEANA method and the demonstr identified as follows:
| |
| (1) The FOR manual and IG " work"if a documentation is understandable, and
| |
| = the process is usable.
| |
| (2) Training is effective if
| |
| . it motivates the team,.
| |
| . it facilitates the use of the FOR manual and IG,
| |
| - it enables the leader to direct the team, and
| |
| * it results in the plant team applying useful retrospective analysis.
| |
| (3) The process identifies demanding scenarios involving EOCs if a the plant operators judge the scenarios to be " demanding,"
| |
| = the plant identifies and implements " fixes" for some scenarios, and a the plant believes that ATHEANA can or will identify important problems.
| |
| (4) Users identify improvements in ATHEANA tools and processes.
| |
| A description of the training provided to the demonstration team is provided in section A.3. The results of the demonstration are evaluated against the rest of the success criteria and important findings and recommendations regarding ATHEANA that were obtained from the demonstration are presented in section A.7.
| |
| A.1.1 References-A.1 M.T. Barriere, W.J. Luckas, D.W. Whitehead, and A.M. Ramey-Smith, Brookhaven National Laboratom, and Sandia National Laboratories, An Analysis of Operational Experience During LP&S arid A Plan for Addressing Human Reliability Assessment Issues, NUREG/CR-6093, Upton, NY, Albuquerque, NM, June 1994.
| |
| A.2 M.T. Barriere, WJ. Luckas, J. Wreathall, S.E. Cooper, D.C. Bley, and A.M. Ramey-Smith, ,
| |
| Brookhaven National Laboratory, Multidisciplinary Frameworkfor Analyzing Errors of l Commission and Dependencies in Human Reliability Analysis, NUREGICR-6265 Upton, j NY, August 1995.
| |
| A.3 S.E. Cooper, A. Ramey-Smith, J. Wreathall, G.W. Parry, D.C. Bley, J.H. Taylor, W.J.
| |
| Luckas, Brookhaven National Laboratory, A Technique for ' Human Error Analysis (ATHEANA), NUREG/CR-6350, Upton, NY, April 1996.
| |
| NUREG-1624, Draft A.1-2
| |
| | |
| A.2 Demonstration Process and Schedule The first demonstration of ATHEANA began with a 3-day training session provided by the ATHEANA development team. The demonstration was scheduled to proceed over a 20-week period, with most of the actual analysis occurring during six team meetings held at the demonstration plant.
| |
| The licensee supported the analysis with two individuals from its PRA staff and two from its training staff. Both individuals from training were currently licensed operators and one of them was a senior reactor operator (SRO) "on shift" until a few months before the demonstration. The licensee also provided an operating crew to test an accident scenario on the simulator that was identified by the demonstration team using the ATHEANA method. The demonstration team was also allowed to view several scheduled training exercises on the simulator. A PRA expert, with experience in HRA (not ATHEANA), from Sandia National Laboratories (SNL) was the demonstration team leader.
| |
| Consulting and documentation support on the application of the method was provided by members
| |
| - of the ATHEANA development team.
| |
| After the initial training session and as the demonstration progressed, supplemental training was provided on several important aspects of the method (see section A.3 for details of the training sessions). The major activities from the ATHEANA process, the training provided, and the corresponding team meeting dates are presented in Table A.2.1. While the table reflects the major aspects of the method addressed at each meeting, it should be noted that the application of the ATHEANA process is iterative and that various aspects of the method were usually addressed on more than one occasion.
| |
| Table A.2.1 Process Activities, Training, and Team Meeting Date for ATHEANA Demonstration Process Activities Training Team Meeting Date Set priorities among initiating events (IEs) on the basis of criteria Covered during July 14 - 18,1997 such as the licensee's interest or their concerns regarding potential initial training problems in their plant. Prioritization can also be on the basis of factors such as IE frequency and time available for operators to prevent core damage (CD), etc.
| |
| Using guidance from the FOR manual and IG, identify possible Covered during August 5 - 8,1997 &
| |
| HFEs and associated UAs for critical functions identified in PRA initial training August 26 - 29,1997 scenarios for high priority initiating events.
| |
| Identify / derive potential EFCs that could lead to identified UAs Supplemental September 9 - 12,1997 training provided & October 7 - 10,1997 l
| |
| A.2-1 NUREG-1624, Draft
| |
| | |
| Table A.2.1 Process Activities, Training, and Team Meeting Date for ATHEANA Demonstration (Cont'd)
| |
| Process Activities Training Team Meeting Date Conduct simulator exercises to evaluate impact of reasonable Training October 7 - 10,1997 EFCs on UAs (includes information from debriefing of operators). provided for Interesting scenarios for potential simulator runs are derived from debriefing the first 3 steps of the ATHEANA process. operators after j simulator !
| |
| exercise l Supplemental November 4 - 7,1997 Quantification of EFCs and HFEs training provided l
| |
| l l
| |
| NUREG-1624, Draft A.2-2
| |
| | |
| A.3 Description of Training The development team provided the initial training on the ATHEANA method during the first 3 days of the first meeting at the participating plant. In addition to the assembled demonstration team, the training department manager, the PRA group manager, and several other interested staff from the plant attended. The goals of the initial training were as follows:
| |
| . to provide background on the development of the method, a present the underlying bases of the method, and
| |
| > provide enough details and experience on the specifics of the method to allow the demonstration team to begin the analysis and understand how they would be proceeding during the analysis.
| |
| Because the demonstration team leader was expected to have read the written documentation on ATHEANA, another goal of the training was to reiterate the critical aspects of ATHEANA, allow the team leader the opportunity to clarify any outstanding issues, and assist him in his preparation for leading the demonstration team members through the analysis. Table A.3.1 presents the general topics discussed on each day of training and how the topics were addressed.
| |
| It should be noted that the original training plan (not shown) was altered somewhat after the training had begun. Near the end of the first day, the development team agreed that the training needed to be more participatory, rather than in the lecture-only format that was being used. Therefore, on the second day, after the concepts of behavioral and cognitive science relevant to ATHEANA were covered, the ATHEANA process was exemplified by a step-through ofits application to a PWR loss of feedwater event. Essentially, a step in the ATHEANA process would be described and then the elements of the event relevant to that step would be discussed. The result of this activity was an illustration of the ATHEANA process in which the demonstration team participated.
| |
| In addition to the initial training, supplemental training was provided on three other occasions (See Table A.2.1.). The first supplemental training session reviewed the process for identifying and deriving potential EFCs that could lead to the identified UAs. This session was not originally planned, but during the application of the method, it became clear that the psychological and human factors-related guidance needed improvement. Moreover, it had been several weeks since the initial training on this topic was presented. The demonstration team leader joined members of the development team attending that session to organize a supplemental session, which focused on how to use the documentation in the FOR manual and the IG to address the human contribution to UAs.
| |
| The second instance of supplemental training provided the demonstration team guidance on strategies for debriefing the operators after the planned simulator exercise. This discussion mainly focused on the goals of the simulation, the kinds ofissues the team needed to be concerned with, and the kinds ofinformation they should try to elicit from the operators. (See sections A.5 and A.7.2 for discussions on the goals and use of simulator exercis: s in applying ATHEANA.)
| |
| The final supplemental training session addressed the quantification of EFCs and HFEs. This special training session on quantification was planned from the beginning. Quantification is the last step in the ATHEANA process and a half-day training session was presented at the beginning of the quantification of the identified EFCs and HFEs (during the last team meeting at the plant). The goal A.3-1
| |
| | |
| A.3 Description of Training .
| |
| was to make the objectives of the quantification process clear, illustrate the types of plant and PRA-related data that would need to be collected, and provide step-by-step guidance on how to derive probabilities for the HFEs. (See section A.6 for details on the plant's HFE quantification.)
| |
| Table A.3.1 ATHEANA Initial Training Topics for Each Day and Presentation Mode Day Topic Presentation Mode Dayi Introductions, goals, plans, and schedule for ATHEANA Lecture / view graphs demonstration Characteristics of Severe Accidents Lecture / view graphs Principles of ATHEANA: learning from operational experience, HRA Lecture / view graphs as a multidisciplinary process, and retrospective analysis of events Day 2 Concepts of behavioral and cognitive science relevant to ATHEANA Lecture / view graphs' Discussion of an operational event that occurred at the participating Group discussion plant, (1993 loss of main feedwater) in context of ATHEANA framework The ATHEANA process exemplified by a step-through ofits Lecture / view graphs on application to a PWR loss of feedwater event each step in process, combined with group participation in representing event in ATHEANA terms Day 3 Overview and tour of the participating plant - summary of plant Lecture / view graphs systems and unique design features (provided by plant staff) and walkdown of plant Overview of plant PRA - history, uses, current HRA, interesting PRA . Lecture / view graphs ;
| |
| sequences (provided by plant PRA staff) 3 1
| |
| Review of recent operational events at the plant (provided by plant Lecture and group j staff) discussion l ATHEANA integration / reprise of training, ATHEANA tools and Lecture / view graphs processes, overview of quantification process NUREG 1624, Draft A.3-2
| |
| | |
| A.4 Screening Process and Definition of Scenarios After completing the initial ATHEANA training session during the first demonstration team meeting, the team began applying the ATHEANA process by identifying and prioritizing the initiating events (and event trees), functions, and systems that would be used to define candidate HFEs. During the next four meetings, the team continued applying the ATHEANA process to identify the HFEs, their associated UAs, and the EFCs that could lead to the UAs. With this information, the team developed three scenarios that required quantification. As part of this scenario development, a simulator i scenario that included the potential for two of the HFEs was developed. The simulator scenario is discussed in more detail in Section A.5.
| |
| The following subsections contain brief descriptions of the steps performed and the information generated during the screening process.
| |
| A.4.1 Identifying and Prioritizing Initiators and Event Trees As a first step in identifying the important HFEs, the demonstration team began by prioritizing the existing plant-specific initiating events and related event trees by answering the following seven questions:
| |
| (1) What is the relative frequency of the event?
| |
| (2) Can operators increase the initiating event's frequency?
| |
| (3) Is there any plant history of an event, i.e., has it already occurred?
| |
| (4) What is the time frame to core damage?
| |
| (5) What is the potential for complex and/or hidden or unfamiliar conditions? -
| |
| (6) Can a single functional failure lead to core damage?
| |
| (7) Is it possible to have a wide range of plant responses?
| |
| With the information obtained (see Table A.Att-3.1 in Attachment A.3), the demonstration team selected three initiating events to examine in the next step of the ATHEANA process. The three events were (1) a medium loss-of-coolant accident (MLOCA), (2) a loss-of-offsite power (LOSP),
| |
| and (3) an anticipated transient without scram (ATWS). The major reasons for choosing these three events were as follows:
| |
| * MLOCA: While the plant operators train on different size LOCAs, they generally receive little or no simulator training on the low frequency, medium-sized LOCAs; therefore, they might have some difficulty responding to the event, especially if the event were complicated by problems with instrumentation.
| |
| * LOSP: The initiating event frequency is relatively high, and for weather-induced events, the recovery of offsite power generally takes longer to accomplish.
| |
| * ATWS: The existence of a potentially unsafe occurrence performed during a previous simulation event. (Note that this event was dropped from further consideration because of control room modifications.)
| |
| I A.4-1 NUREG-1624, Draft
| |
| _____ _ l
| |
| | |
| A.4 Screening Process and Definition of Scenarios A.4.2 Prioritizing Plant Functions / Systems Used to Define Candidate HFEs For each of the initiating events identified in the previous step, the demonstration team reviewed and re-defined each of the original plant-specific PRA event trees in terms of high-level plant functions.
| |
| To help prioritize the identified high-level plant functions, the demonstration team answered the following questions:
| |
| - Could an EOC occur?
| |
| * How much time exists until core damage (or ftmetional failure)?
| |
| * Can/does failure of the function lead directly to core damage? -
| |
| . When during an accident response is the function needed?
| |
| - What is the level of redundancy of systems / equipment that perform the function?
| |
| * What are the dependencies among redundant systems / equipment that perform the function?
| |
| - Are there action cues? How many? What are they?
| |
| . Considering the following, could there be a high potential for confusion / complications:
| |
| - unfamiliar plant conditions
| |
| - similarity to other plant conditions
| |
| - wide range of plant conditions / dynamics and accident response represented cause and effects are far removed from each other
| |
| - part of a planned interaction ]
| |
| - involves instrumentation and control
| |
| . Does the functional failure have an immediate effect/ plant impact?
| |
| - If functional failure occurs, can it cause irreversible plant / equipment from which it would be hard to recover?
| |
| * Is the response to the accident human-intensive' (i.e., does it require a lot of human actions)?
| |
| With the information obtained (See Tables A.Att-3.2a, 2b, and 2c in Attachment A.3), the demonstration team prioritized the functions for each initiator as shown in Table A.4.1.
| |
| AA.3 Identifying HFEs and UAs Using Plant / System Knowledge !
| |
| After prioritizing the functions, the demonstration team began the process ofidentifying, prioritizing, and documenting candidate HFEs and UAs. During the identification process, the team made use of the available draft ATHEANA search aids. During the prioritization process, insights were gained l
| |
| from applying the ATHEANA methodology. As a result, the team made modifications to some of the documentation tables, and in one case developed a new table format. The following two l
| |
| subsections briefly describe the activities associated with identifying and prioritizing HFEs and UAs,
| |
| (
| |
| ' Important principally for EOOs.
| |
| NUR'4G-1624, Draft A.4-2
| |
| | |
| A.4 Screening Process and Definition of Scenarios Table A.4.1 Prioritizing Functions by Initiating Event Initiator Function Priority MLOCA Makeup Medium Heat Removal Medium Long-Term Heat Removal High LOSP Support: DGs High
| |
| :l Support : Service Water High Support: Primary Component Cooling (PCC) Water Medium Depressurization Medium Heat Removal Medium ATWS Reactor Subcriticality High A.4.3.1 . Identifying Candidate HFEs In this step, the demonstration team identified individual HFEs on the basis of the prioritized system or functional requirements of the events associated with branch points on the event trees ofinterest.
| |
| The HFEs were identified by using the draft ATHEANA search aids and by answering the following questions:
| |
| * Is the function 1) needed or 2) undesired with respect to the accident response requirements for the specific initiator or sequence?
| |
| * What system (s) or equipment performs this function?
| |
| * What is the pre-initiator status of the system (s) or equipment (e.g., normally operating, standby, passive)?.
| |
| * What are the functional success criteria for the system (s) or equipment?
| |
| * What are the functional failure modes of the system (s) or equipment?
| |
| * What is the category number (i.e., a unique ATHEANA number) for each functional failure mode? '
| |
| 2
| |
| * What example HFEs are applicable 7
| |
| * What are the applicable ATHEANA and EOO tables?
| |
| 2While candidae HFEs were identified, the tables used to document this step do not contain the identified HFEs. The HFEs are iden:ified on the UA tables and are discussed in Section A.4.3.2. These new UA documenta-
| |
| ! tion tables were developed tiom insights gained during the application of the ATHEANA methodology. The new tables allowed the team to visealize the connection between the HFEs and the UAs in more efF.cient manner.
| |
| A.4-3 NUREG-1624, Draft
| |
| | |
| A.4 Screening Process and Definition of Scenarios While this step was performed for all three of the initiators identified in Table A.4.1, Tables A.Att-3.3a and 3.3b of Attachment A.3 provide documentation only for the MLOCA and LOSP initiators.
| |
| Documentation for the ATWS initiator is not included because it was later eliminated from further consideration on the basis of time and resource constraints.
| |
| A.4.3.2 Identifying of UAs To identify UAs, the ATliEANA demonstration team identified the different ways in which the operators could produce the effects characterized by the failure modes used to define the candidate IIFEs. The next-to-the last column in Table A.Att-C.3a (-C.3b) was used to guide the team to draft example UA tables for different human failures. The examples given in these tables were used in conjunction with an understanding of the design and operational characteristics of the plant systems, plant experience (both simulator and operational), industry experience, and plant knowledge expressed by members of the demonstration team during brainstorming sessions to identify the applicable UAs. Tables A.Att-3.4a and A.Att-3.4b in Attachment A.3 document the UAs identified by the demonsdation team.
| |
| Afler identifying the UAs, the demonstration team realized that in order to complete the demonstration within project constraints, a prioritization of the UAs would be necessary. With this in mind, the team informally prioritized the UAs on the basis of a " group identification" of what would most likely be the more important or more interesting (from a training viewpoint) UA s. As a result of this prioritization process, the following three UAs were identified, two for the MLOCA initiator and one for the LOSP initiator.
| |
| (1) MLOCA: (a) operators stop pump (function: makeup; system: high-pressure injection), end (b) operators operate pump oatside design parameters (function: long-term cooling; system: residual heat removal (RHR) system)
| |
| (2) LOSP: operator fails to " protect" a diesel generator -(DG) (function: support; system:
| |
| DG)
| |
| A.4.4 Identifying the Most Likely Causes of UAs (i.e, Identifying EFCs)
| |
| The next steps in the ATIIEANA demonstration process required an integration of psychological (i.e., human) and contextual (i.e., plant conditions and triggered PSFs) factors in constructing an explanation for why a particular UA might occur. The demonstration team found it relatively easy to identify contextual factors that could explain why the UAs occur. However, identification of psychological factors (e.g., behavioral science, traditional human factors) proved to be significantly more problematic'. To determine the most likely causes of UA, the demonstration team identified the following five factors:
| |
| (1) both the forr,al and informal rules relevant to the UA being considered.
| |
| 4 3
| |
| This difficulty was observed by the ATHEAN A development team and changes and improvements to the methodology have been instituted.
| |
| NUREG-1624, Draft A.4-4
| |
| | |
| A.4 Screening Process add Definition of Scenarios (2) how the UA could occur using the rules.
| |
| (3) how the operators could believe the UA is the r:ght thing to do.
| |
| I (4) what conditions under which tne operators could believe that the UA is the right thing to do.
| |
| (5) what the operators could use to determine that a problem existed. 'lhis then constituted a list of things that the operators would have to ignore to persist in believing that the UA is the right thing to do.
| |
| The results from this identification process are presented in Tables A.Att-3.5 through A.Att-3.7 of Attachment A.3.
| |
| A.4.5 Definition of Accident Scenarios Using the information presented in Tables A.Att-3.5 through A.Att-3.7 of Attachment A.3, the demonstration team developed short word descriptions for each accident scenario involving an HFE by describing the EFC associated with the UA and the respective recovery action whose non performance results in core damage. These descriptions are provided in the following subsections.
| |
| A.4.5.1 HFE #1 -Inappropriate Termination of Makeup The description of this HFE, is as follows:
| |
| A medium-sized LOCA occurs such that system repressurization is not possible. Continuous high-head injection is required to ensure the core is covered and adequately cooled. The LOCA size is such that heat rernoval is primarily through the break, with primary system pressure dropping below secondary pressure, making it unclear as to whether the steam generators are providing a heat sink or acting as a heat source. Both wide-range reactor coolant system (RCS) pressure indications fail. The failure occurs in such a way that at least one pressure indication appears to be functioning normally, resulting in indicated sub-cooling being greater than actual sub-cooling. With indicated sub-cooling being greater than actual sub-cooling, the operators may at some point start shutting off pumps as directed by procedures. If a sufficient number of pumps are tumed off, core dumage will occur unless the operators recognize that injection should be restored.
| |
| A.4.5.2 HFE #2 -Inappropriate Depletion of Resources
| |
| ' The description of this HFE, is as follows:
| |
| A medium-sized LOCA occurs such that system repressurization is not possible. Continuous high-head injection is required to ensure the core is covered and adequately cooled. The LOCA l size is such that heat removal is primarily through the break, with primary system pressure dropping below secondary pressure, making it unclear as to whether the steam generators are providing a heat sink or acting as a heat source. The LOCA also causes a demand for the use of the containment spray system; thereby, speeding the depletion of the reactor water storage tank A.4-5 NUREG-1624, Draft
| |
| | |
| A.4 Screening Process and Definition of Scenarios (RWST)*. If the operators have not completed reconfiguring the system for high-head recirculation before the RWST " empty" alarm sounds, the high-head pumps should be stopped until the reconfiguration is complete. If the RWST " empty" alarm fails (e.g., by failing two intelligent remote terminal units (IRTUs)) and the operators do not stop the pumps, it is assumed that the pumps will fail as a result ofinadequate suction. Failure of the high-head pumps would lead to core damage unless some other mechanism was found to reduce pressure, allowing use oflow-head injection pumps.
| |
| A.4.5.3 IIFE #3 - Failure to Shut Down (Temporarily) a Diesel Generator The description of this life, is as follows:
| |
| A (severe or non-severe) weather-related LOSP occurs. As a result of the loss-of-load plant trip, at least one pilot-operated relief valve (PORV) is demanded open and then fails to reclose. This ,
| |
| results in a valid sa.fety injection signal (thereby bypassing most of the protective diesel generator trips). One DG is unavailable (either short term or long term), and the other is operating under severely degradedjacket cooling conditions. The issue of concern relates to not shutting down the operating DG that could fail in minutes as a result ofinsufficient cooling (thereby suffering an irreparable failure) versus shutting down the DG, allowing the cooling problem to possibly be repaired and the diesel restered to full operating condition. Shutting down the DG would induce a station blackout; however, considering the probable I to 2 hours before core damage in this situation, such an act allows for the possible full restoration of this DG within this time frame. If the operators do not shut down the operating DG, it is assumed to suffer irreparable )'
| |
| damage and so its restoration to service is not credited. Thus, if offsite power is not recovered, core damage will occur. ,
| |
| l
| |
| 'This characteristic is important because if the LOCA is sufficiently small, the operators may have ade-quate time to align systems for alternate decay heat removal schemes; thus, eliminating the need for high-pressua recirculation.
| |
| NUREG-1624, Draft A.4-6
| |
| | |
| r A.5 Use of the Plant Simulator A.S.1 Purpose of Perfcrming the Simulation Simulatot exercises are an important part of the ATHEANA process, as they are when using almost any HRA technique. Use of the simulator, under the right conditions, allows the analysts to confirm the tendencies predicted by the analysis and uncover unforeseen conditic,ns that may alter the analytical analysis. The primary purpose of performing simulator exercises in ATHEANA is to validate that the combinations of plant conditions and PSFs (i.e., the predicted EFCs) are indeed challenging to operators and are likely to result in the predicted HFEs. In this demonstration, use of the simulator also was helpful in determining whether the ATHEANA search process might be improved to correct weaknesses or other failings of the process.
| |
| With the cooperation of plant personnel, the ATHEANA demonstrate,on project utilized the plant simulator to further examine two HFEs identified during the ATHEANA search process. A single simulator scenario was developed to observe the response of an actual operating crew to specific -
| |
| EFCs possibly resulting in the two HFEs being investigated. It was the goal of the ATHEANA team (3 verify, by using the simulator, that the " predicted" EFCs were indeed a significant challenge and would indicate a strong tendency to perform these HFEs. Additionally, it was the goal of the team to learn how the EFCs might be altered to provide an even greater tendency to perform the undesired human actions. Post-simulation discussions with the operators were another important part of the
| |
| . simulator exercise to gain the operators' perceptions even wSen they were successful in responding to the specific simulated scenario. It was recognized that the: actual responses of the crew during the simulation and the accompanying discussions would be very relevant to the quantification of the potential HFEs, given the EFCs.
| |
| A.5.2 Overview of the Simulator Scenario The scenario that was defined uting the participating plant's simulator consisted of an MLOCA initiating event with equipment faihires and other plant conditions that might induce two HFEs with one specific UA for each HFE. Various other " failures" were included that provided additional distractions. The two HFEs would result in loss of makeup and failure oflong-term heat removal, and ultimately could lead to core damage. The following descriptions provide a brief overview of the scenario and particularly its error-forcing characteristics. )
| |
| \
| |
| Initiating Event - MLOCA: A primary system LOCA of a size that provides sufficient depressurization and loss of coolant such that:
| |
| (a) system repressurization is not possible, ,
| |
| (b) high head injection is required for a considerable time to ensure the core is covered and adequately cooled, !
| |
| ! (c) heat removal is primarily accomplished by the break so that it is not clear whether the steam l i
| |
| generators are providing a heat sink or acting as a heat source, and (d) the LOCA will also cause a demand for the use of the containment spray system so that ;
| |
| depletion of the RWST and the need to switch to recirculation cooling will occur in a time period reasonable to simulate.
| |
| A.5-1 NUREG-1624, Draft
| |
| | |
| A5 Use of the Plant Simulator A liquid break of approximately 5000 gpm initial fluid loss with the plant operating at full power was used to simulate a MLOCA with these characteristics. De break size was such that the success criteria for high-pressure injection and recirculation is 2 of 4 high-pressure pumps. Note that it had been the observation of the ATHEANA demonstration team that while the participating plant's operators train on different size LOCAs, they do not generally receive simulator training on such a medium size LOCA (a low frequency event) and are thus less familiar with the anticipated conditions of such an event (i.e., the initiator itselfis part of the EFC).
| |
| HFE #1 Inanoropriate termination of makeup: The specific UA analyzed for this HFE is the operators intentionally but inappropriately shut off safety injection, i.e., " operators stop pump." He most significant pan of the EFC involves failure of the wide-range RCS pressure indication where the operators may be led to believe that RCS pressure (and, hence, degree of RCS subcooling) is
| |
| , higher than it actually is. With this misleading information, along with other accurate information, the operators may elect to terminate injection as directed by specific steps in the emergency response procedures, on the basis of combinations of sufficient subcooling, pressurizer level, and low hot leg temperatures. For this UA to be a functional failure leading to core damage, the operators would have to continue to believe that termination of makeup is appropriate.
| |
| HFE #2 Inannronriate denletion of resources: The specific UA analyzed for this HFE is when the operators inappropriately allow the high head pumps to operate using an " empty" RWST because of a failure to reconfigure the pumps for recirculation cooling before the RWST is depleted or otherwise stop the pumps to avoid them being damaged (i.e., " operators operate pump outside design parameters"). The most significant part of the simulated EFC involves failure of the RWST " empty" visual / audible alarm that is computer-driven and displayed on a criode-ray tube (CRT) (not a hardwired indication). Some of the operating crews rely upon this alarm as the cue to stop the pumps and then complete the final steps of reconfiguring the pumps for recirculation cooling.
| |
| Procedures direct operators to shut off pumps drawing from the RWST if the " empty" alarm sounds to protect the pumps from possible cavitation and damage. Failure of the alarm may delay action such that pump damage would likely occur as a result ofinsufficient pump suction. It is assumed that pump operation using an " empty" RWST will fail the pumps in a non-recoverable manner, leading to the inability to use high head recirculation.
| |
| Other failures as part of the EFCs: Other failures were also simulated during the scenario as possible diversions for cognitive attention and to more accurately reflect how plant responses often occur.
| |
| In a real response to an event, multiple failures or other difficulties often occur. Some of these are crucial to successful response to the event and some are oflittle consequence. Part of the operators' response to the event is to decipher which of these are significant Hence, other failures were introduced in the simulation which were not crucial to the HFEs ofinterest but important to simulate as part of the EFCs. These other failures were selected by the trainers as being representative of real l plant events.
| |
| = a minor steam generator tube leak,-
| |
| = ' an overspeed trip of the turbine-driven auxiliary feedwater pump when it was demanded (this was allowed to be recovered), and NUREG-1624 Draft A.5-2
| |
| | |
| A.5 Uw of the Plant Shaulator I
| |
| e a diesel generator loss of cooling concem (this was allowed to be diagnosed and eventually recovered).
| |
| i A.5.3 Shoulation Description Simulation of the MLOCA scenario and its EFCs was conducted over an approximately 2- to 3- hour period using an actual plant operating crew. While the crew was aware that observers would be present (i.e., the ATHEANA team), neither the conditions of the simulation nor its purpose was communicated to the crew beforehand. The simulation was held during the week of October 6, 1997, following some preparation the weeks before by the training staff to ensure that the simulated scenario would " unfold" with the desired EFCs. The following summarizes the six initial conditions for the exercise as well as the simulation itself.
| |
| (1) Plant operating at full power.
| |
| (2) IRTUs (intelligent remote terminal units) being repaired (hence some alarms and readouts are inaccurate or unavailable) and one channel of wide-renge RCS pressure indication (there are two indicators - one from each channel) is also out-of-service. These conditions were known to the crew but the ramifications were not explicitly communicated. The IRTU inoperable condition fails the RWST " empty" alarm. The RCS pressure-inoperable -
| |
| condition, along with a subsequent subtle failure of the other channel, provides false RCS pressure indication as well as non-conservative biases to the subcooling and reactor vessel levelindications.
| |
| (3) Minor leakage (within allowable limits) in one of the steam generators.
| |
| (4) Actual plant operating crew (all experienced but together as a crew for only a few weeks) participating in the simulation.
| |
| (5) Crew is allowed a short time to get familiar with the plant and control room status just as they would in an actual shift turnover.
| |
| (6) Control room crew consists of:
| |
| * Shift Manager performing as the senior manageinent presence on-shift as well as functioning as the Shift Technical Advisor (STA)
| |
| - Unit Shift Supervisor who is in charge of the operating crew and reads through the emergency response procedures aloud as they are performed i Primary Board Operator who operates and monitors the primary side of the plant
| |
| . Secondary Board Operator who operates and monitors the secondary side of the plant
| |
| . Work Control Supervisor whc is responsible for plant announcements, outside control room communications, and miscellaneous status monitoring and assigned duties.
| |
| Table A.5.1, Simulation Timeline Summary presents much of the simulation timeline. While not all actions or discussions are captured here, the majority of the activities including the most relevant to the HFEs are included.
| |
| A.5-3 NUREG-1624, Draft
| |
| | |
| A.5 Use of the Plant Simulator l
| |
| Table A 5.1 Simulation Timeline Summary l
| |
| Approx. Elapsed Description Comments Time (minutes) 0 Simulation begins.
| |
| 7 First signals received of containment gases MLOCA has occurred increasing and RCS pressure lowering.
| |
| 7+ Reactor trip; adverse containment is noted.
| |
| Trained rewnse using EOPs begins.
| |
| 9 Less than 40*F subcooling is noted cy crimary Emergency Feedwater (EFW) operator. Crew agrees that reactor coolant pumps pump failure simulated as a (RCPs) should be shutdown per operator's distraction (a potential part of the suggestion. Also, turbine-driven EFW pump trips EFCs) on overspeed and secondary operator identifies this and calls for field assistance.
| |
| 10 Secondary operator notes that emergency diesel EDG-A failure simulated as a generator (EDG)-A (EDGs start on safety distrr.ction (a potential part of the injection) is experiencing less than full service EFCs) water cooling and calls for field assistance.
| |
| 11 14 Various parameters monitored: containment i pressure at 14 psig and rising; RCS pressure at l 1175 psig and nearly steady; total EFW flow
| |
| >500 gpm; T,m at 562*F and trending down.
| |
| J 15 Containment isolation and containment spray initiation noted: containment pressure at 19 psig.
| |
| 17 It is noted tMt 211 secondary radiation indications initialleak in steam generator are the same as they were before the trip. does not show signs of getting worse.
| |
| 18 Crew assesses critical function summary from Crew notes that colors may not Work Control Supervisor: of note-core cooling is be entirely accurate because of Yellow; heat sink is Yellow; containment is initial condition " failures."
| |
| Orance 20-30 Various conditians monitored: containment pressure at 20 psig and slowly decreasing and containment sprays operating; RCS pressure (from operable channel) is 800 psig and slowly decreasing; subcooling at O'F; steam generators not faulted: RCPs shutdown.
| |
| 30 Crew resets safety iniection (SI) signal.
| |
| A check is made of the status of RHR pumps and 31 valves for later recirculation capability.
| |
| 31-34 Discussions held about what position to leave service water valve to EDG-A. It is decided to leave it in a way that it can be opened; use a manual valve to temporarily close the pathway.
| |
| RCS pressure noted to be 750 psig. Discussion held as to whether to keep RHR pumps running with RN nreemre hich NUREG-1624, Draft A.5-4
| |
| | |
| A.5 - Use of the Plant Simulator Table A.5.1 Simulation Timeline Summary (Cont')
| |
| Approx. Elapsed Description Comments Time (minutes) 35 A requirement for cold leg recirculation is Crew is periodically checking checked per procedures; it is noted that the RWST RWST is now at 300,000 gal - still far above the 125,000 gal threshold to begin recirculation alignment.
| |
| 38 A procedure deviation is agreed to by the crew to re-establish and maintain instrument air in spite of initial containment isolation.
| |
| 40 RCS pressure noted to be 725 psig; primary operator notes that pressure has been going up/down slightly - probably with saturation.
| |
| 41 RHR pumps stopped and put in standby.
| |
| 43-45 Crew first discusses and then begins RCS cooldown to cold shutdown including blocking of steamline pressure Si and use of the steam generator atmospheric steam dump valves (ASDVs).
| |
| l 46-54 Parameters monitored: of note: RCS subcooling at l 0*F, RCS pressure at 640 psig and slowly decreasing, RCS cold leg temps. >490*F.
| |
| l 54 It is noted that RCS accumulators are starting to -
| |
| l iniect.
| |
| f At this point (unknown to
| |
| $$ RCS pressure at $50 psig.
| |
| operators), operable RCS wide-range channelindication is failed
| |
| " stuck." Key EFC characteristic.
| |
| 57 It is noted that 150,000 gal remains in RWST. Crew" watching" RWST level l 58 RCS pra:, ore at 550 psia.
| |
| 59 RCS subcooling indication at 10*F. Indication is in error (unknown to !
| |
| operators) as a result of" stuck" RCS pressure channel. Key part of EFCs.-
| |
| 60 125,000 gal noted in RWST; get ready to align recirculation.
| |
| f 62 Procedure waming is noted about RWST " empty" An important realization about l alarm - to stop all pumps still using the RWST the alarm is noted here.
| |
| (i.e., they are not in the recirculation configura-tion). Work Control Supervisor loudly announces
| |
| , that RWST " empty" alann may not occur because l nfIRTII centue l
| |
| l A.5-5 NUREG-1624, Draft
| |
| | |
| A.5 Use of the Plant Simulator l Table A.5.1 Simulation Timeline Summary (Cont'd) i Description Comments Approx. Elapsed Time (minutes) ;
| |
| Carry-out multi-step recirculation alignment Note: RWST" empty" alarm 63-68 including piggy-backing Si and spray pumps on never comes in. Key EFC RilR for suction. characteristic. Operators finish reconfiguration before " empty" condition reached.
| |
| Parameters monitored: of note; RCS pressure at Reminder: subcooling is 68-76 550 psig RCS subcooling at 60*F, SI running, inaccurate. In reality, RCS is at pressurizer levellowering. saturation.
| |
| 76-79 Crew decides to depressurize somewhat using PORV-A and refill the pressurizer. This is carTied out.
| |
| 80 RCS subcooling at 75'F; pressurizer level at $8%. Reminder: subcooling is inaccurate. In reality, RCS is at saturation.
| |
| 80-84 Discussion held about starting an RCP as part of the shu;down steps. At issue is the 18 psig in containment and whether unisola' tion of cooling water to the RCP should be performed. Decide to have Work Control Supervisor check on the basis for this part of the response procedures.
| |
| 84-87 Status noted: 2 SI pumps running, subcooling at Crew methodically following 90-95'F, pressurizer level at about 75%. Per procedures (with " unknown" procedures, have met thresholds to stop 1 inaccurate subcooling reading)to charging pump - crew stops "A" pump because of begin shutting down injection.
| |
| earlier problem with EDG-A, and then i SI pump-cc w stops "A" SI pump.
| |
| 87 Now have I Si pump running, subcooling at 95'F, RCS hot leg temxratures about 380*F.
| |
| 88-91 Crew discusses basis for RCP restart and all except primary operator agree they should start RCP. Primary operator wants a few minutes to think about it.
| |
| 91 All agree to start RCP; subcooling noted to be at Reminder: subcooling is 100*F and pressurizer level at 63%. inaccurate. In reality, RCS is at saturation.
| |
| Cooling water path to RCP-C thermal barrier is 93-98 unisolated and eventually RCP-C is started.
| |
| 99-101 Crew holds a status review and notes: RCS Reminder: subcooling is pressure is 550 psig, lowest cold leg temp. is inaccurate. In reality, RCS is at 360*F, plant is on cold leg recire. cooling and saturation.
| |
| l k.ve stopped 1 Si and I charging pump, RCP-C ranning,"B" Si pump running, approaching 135'F subcooling threshold to shutdown other SI (cuhennlino rendino in9'A NUREG-1624, Draft A.5-6 l
| |
| | |
| A.5 Use of the Plant Sisselator Table A.5.1 Simulation Timeline Summary (Cont'd)
| |
| Approx. Elapsed Descr4 tion Coneneents Theet (neinutes 104-112 Pressurizer level going down so decide to restan SI "A" pump which is started. With temporary use of pressurizer sprays, pressurizer level is restored to 72%.
| |
| I13 114 Crew notes have 2 SI pumps running, subcooling is 120*F pressurizer level at 72% with advern containment - have exceeded thresholds considerably to shutdown an Si pump so crew shuts off SI "B" pump.
| |
| I16-119 Status check again per procedure. one RCS hot At this point, have shutdown all leg temp at 360*F with others all below that, and high nead safety injection (in pressurize level at 72%. Even though not yet at recire. mode) but RHR pumps subcooling threshold to shutdown SI (subcooling and I charging pump still now nearing 125'F), hot leg temps. threshold running. " Effectively" (360*F or less) allow start of I RHR pump (both temporarily reached UA of already running) and to stop other Si pump - crew concern (i.e., potentially shuts off SI "A" pump. insufficient injection in a MLOCA pending real RCS pressure and ability of RHR pumps / charging pump to supply coolant).
| |
| 119-121 Crew notes that pressurizer level immediately staning to drop. Everyone reminded of SI restart criteria. Review of critical functions shows all are green except containment (Yellow) with some containment isolation valves open.
| |
| 128 Continuing per procedure, crew notes: subcooling in actuality, voiding in RCS is at 125'F, pressurizer level at 78%. Simulation is considerable (>50%).
| |
| ,m.: ...A A.5.4 Post-Simulation Debrief with the Crew Immediately following the simulation, a debriefing was held with the operating crew that lasted approximately 30 minutes. The purpose of the debriefing was for the ATHEANA demonstration participants to go over the simulation with the crew and perhaps leam more about the extent to which !
| |
| the simulation represented EFCs and gain a further appreciation for the value of doing the simulator exercise. l l' i Ihe crew was told about the demonstration project and the purposes of the simulation. Discussions were then oriented around the two HFEs ofinterest (1) the possibility of allowing the high head
| |
| . injection pumps to operate on an " empty" RWST, and (2) stopping injection when it was not most appropriate to do so. In the case of the failed " empty" RWST alarm, the crew had been warned by !
| |
| the Work Control Supervisor that the alarm might not work and the crew operated flawlessly in A.5-7 NUREG-1624, Draft A
| |
| | |
| A.5 Use of the Plant Simulator tracking the RWST level and reconfiguring the coolant pumps for recirculation before the " empty" condition occurred. However, with regard to the HFE of possibly stopping injection, the crew had in fact nearly stopped all high head injection (one charging pump left running) in part on the basis of the faulty RCS pressure and subcooling indications as well as having reached RCS hot leg temperatures less than 360 F. This was done without full recognition by the crew that in actuality, significant voiding existed in the core region and hence shutting down injection was not, in reality, appropriate.
| |
| On the one hand, with regard to the possible HFE of missing the RWST " empty" threshold and allowing the high head injection pumps to continue to operate, it was clear that the crew had closely watched the RWST level during the course of the simulation, had properly noted the occurrence of the 125,000 gallon threshold to start reconfiguring for recirculation cooling, and all were made aware by the Unit Shift Supervisor of the need to stop the pumps should the RWST " empty" condition be reached. While it may have been " lucky" that the Work Control Supervisor recognized that the failed IRTU might fail the " empty" alarm, adequate attention to the RWST water level was maintained throughout the simulation. Hence, the supervisor's observation was probably not necessary to prevent the occurrence of the HFE. In conclusion, the simulated conditions had not been significantly error-forcing for a crew who understood the potential for operating the SI pumps with an " empty" RWST.
| |
| On the other hand, the HFE associated with stopping injection had been nearly completely consummated, and in panicular, the true status of the RCS and the significant voiding in the core region were not recognized by the crew. Crew members had strictly followed their emergency response procedures and by virtue of the apparent significant subcooling margin (which was in error), the adequate water level in the pressurizer, and having reached sufficiently low temperatures in the RCS, had nearly stopped all injection. During the debriefing, it was noted by the Primary Board Operator that the RCS pressure seemed non-responsive when the safety injection had been stopped and restarted during the simulation (remember, one pressure channel was known to be out of service and the other channel was " failed stuck" at 550 psig). Further, the Primary Board Operator noted that he had briefly discussed the non-responsive RCS pressure indication with the Work Control Supervisor at one point during the simulation. However, neither followed the "think it - say it" mie so the entire crew could discuss the apparent anomaly and its potential ramifications.
| |
| It was recognized during the debriefing that this had been a key communication breakdown and that if this rule had been followed, it might have led to understanding the true status of the RCS and perhaps a difference in the crew response. Additionally, the Work Control Supervisor noted that because of the IRTU and associated computer problems, he had to be involved with manually checking critical parameter status and "could not spend time checking out the "non-responsive" RCS pressure." The designed simulation was sufficiently error-forcing in that it had led to an incorrect assessment of the status of the RCS and shutting down ofinjection under less than appropriate conditions. Causing failures in read-outs that are among the least redundant indications in the control room, and failure to recognize or discuss other plant conditions that may have led to I discovery of the faulty RCS pressure and subcooling indications, together led to virtually consummating the HFE of interest. The crew noted that failing an area of low redundancy in indication and having a subtle failure mode (sticking of the RCS pressure channel), obviously NUREG-1624, Draft A.5-8 x -________ _
| |
| | |
| I A.5 Use of the Plant Simulator hampered their ability to cross-check and validate true conditions. It was noted that these characteristics are perhaps a key to other potential EFCs in other situations.
| |
| With regard to making the situation even more error-forcing had it been desirable to do so, the crew offered the fact that if the pressurizer level had also been indicating a falsely high level, they probably would have not restarted safety injection when they did (see timeline at 104 minutes) and perhaps made things worse, sooner. The crew also noted that they generally put considerable tmst in the reactor vessel level indication system (RVLIS) and subtle failures ofit could also complicate things considerably.
| |
| Also discussed was whether the crew would have let the low injection condition persist for very-long. While it would have potentially taken too long to continue the simulation to " test" this response, the STA did note that he had been monitoring core exit temperatures more closely for signs of trouble. This monitoring suggests that recovering safety injection before considerable damage to the core resulted may have been readily performed on the basis of this independent cue (although some damage might have occurred by the time the core exit temperatures are noted as being high and subsequent injection " turns-around" the core heatup). Also, the crew was monitoring the pressurizer level which would have decreased with the makeup / leakage mismatch. This would have been another significant cue for the operators to restart a high head pump.
| |
| A.5.S Conclusions As to the Usefulness of the Simulation The simulation provided valuable qualitative input into the formulation and the eventual quantification of the two HFEs ofinterest. On the one hand, the simulation provided evidence that the conditions of the simulation did indeed represent a strong EFC for the inappropriate shutoff of injection, even without the additional equipment faults suggested by the crew. The crew's strict following of the emergency response procedures could lead to less than ideal injection on the basis of the faulty RCS pressure and subcooling readings. On the other hand, the simulation provided little evidence of the degree that the conditions were caor-forcing for setting up the missing of the RWST " empty" alarm since this particular crew had successfully extrapolated the consequences of the IRTU condition. Hence, the simulation supported the thought that the ATHEANA process had identified a valid error-forcing context for at least one of the two HFEs/UAs ofinterest.
| |
| Additionally, the STA's monitoring of the core exit thermocouple provided insight that tracking this independent cue could be likely and if performed, may cause the restoration of safety injection before serious damage to the reactor core. Hence, recovery from inappropriate shutoff ofinjection may be high, particularly if this cue is monitored as was done toward the end of the simulation.
| |
| The simulation also demonstrated that not adhering to even strong tendencies such as the "think.it
| |
| - say it" rule, can occur.
| |
| All of these insights are factored into the formulation and quantification of the expressions used to describe the HFEs ofinterest under certain identified error-forcing contexts. The next section l-1 A.5-9 NUREG-1624, Draft l
| |
| l
| |
| | |
| A.5 Use of Plant Simulator -
| |
| summarizes the quantification of these two HFEs along with another HFE that w~as identified during the ATHEANA search process, but not simulated.
| |
| ~ As a final note, participation by the plant training staff in the simulation and observation of the crew's responses, may result in changes to the future plans of the training department. Particularly, they are considering strengthening training on the " link" between RCS pressure indication and subcooling indication. Additionally, thought is being given to including this scenario, perhaps with some modification, in future planned simulator training exercises.
| |
| 1 i
| |
| l i
| |
| NUREG-1624, Draft A.5-10
| |
| | |
| A.6 Quantifying the IIFEs A few weeks following the simulation, the demonstration team reassembled at the plant to estimate the likelihoods of the HFEs ofinterest. The quantification phase of the project began with an approximately 2-hour training session on the subject of quantification provided by members of the ATHEANA team. While many aspects of the quantification process were discussed, the essence of the quantification task can be summarized by the fact that there are three basic elements to be considered in the quantification process (1) the probabilities of the EFC, (2) the UAs, and (3) the recovery actions.
| |
| A.6.1 Establishing the Expressions to be Quantified Previous sections contain infonnation on the three HFEs that were of interest and were to be quantified to determine their expected likelihoods. As described earlier, conditions related to two of the HFEs were simulated,. The third HFE, having to do with the possible failure of not shutting down a degraded diesel, was not part of the simulation that was performed. Nevertheless, this HFE alsa was quantified as part of the demonstration.
| |
| The first step in the quantification process was to derive expressions that represented the likelihoods for the HFEs ofinterest. This was done in a successively detailed fashion, following the ATHEAN A HRA multidisciplinary frame work discussed in Section 2 of this NUREG. As mentioned in Section 8 of this NUREG, quantification started with a general expression at the PRA event tree-level of resolution of what had to be quantified, and finally led to an expression that contained the specific elements of the EFC, UAs, and non-recoveries to be quantified. The expressions for each of the three HFEs ofinterest are presented in the following subsections.
| |
| A.6.1.1 HFE #1 -Inappropriate termination of makeup To address this particular HFE, the demonstration team staned with an expression at the PRA event tree-level that would encompass the HFE of interest. This expression was:
| |
| MLOCA
| |
| * Failure of all injection (i.e., a medium-size LOCA and failure of all injection)
| |
| At this level, and in its most simple form, the above expression captured the intent of what was to be quantified. However, there are many ways to fail all injection; many of these are already modeled in a typical PRA. This project was interested in quantifying a panicular way as described by the following expression at the HFE-level:
| |
| MLOCA
| |
| * Operators shut offinjection and injection is not recovered The above expression appropriately describes the particular HFE that was to be quantified.
| |
| In order to quantify the likelihood of this HFE, it had to be broken down further into the specific elements that make up the EFC, UA(s), and non-recovery events that together, define the HFE. As A.6-1 NUREG-1624, Draft
| |
| | |
| A.6 Quantification of the HFEs has been discussed in the quantification approach of the ATHEANA process, quantification at this level can be represented as the following equation:
| |
| P(HFEg ,) = P(EFC;)
| |
| * P(UAj lEFC,)
| |
| * P(@EFC,lUAjjEg) Eqn (A.6-1) where:
| |
| P(HFE,y) is the probability of human failure event, HFEi , resulting from unsafe action (UA) occurring in context (EFC,) and not being recovered given the EFC, the occurrence of the .;
| |
| UA, and the existence of additional evidence (Ey ) following the UA. l Using this general equation format, the above HFE-level expression was replaced with a more detailed expression that needed to be quantified to quantify the HFE for the context believed to be error-forcing: l P(HFE #1) per year = MLOCArm
| |
| * P(failure of 2 wide-range reactor coolant system (RCS) pressure indications)
| |
| * P(crew shuts off injection (at least 3 of 4 Eqn (A.6-2) pumps per the PRA))
| |
| * P(injection is not restored before core damage) where:
| |
| MLOCArm= frequency of the initiator, MLOCA (per year), and P(-) = probability of the event described within each parenthesis Note that in this case, the occurrence of a particular LOCA size (MLOCA) and the failure of specific indicators together make up the most significant aspects of the EFC. Only one UA was quantified (crew shuts offinjection) along with a single event used to describe the non-recovery aspect of this HFE.
| |
| I A.6.1.2 HFE #2 - Inappropriate Deplegion of Resources In a similar way as for HFE #1, a successively detailed set of expressions was developed to address -
| |
| this HFE, which was also " tested" in the simulation. The PRA event tree-level expression was:
| |
| MLOCA
| |
| * Failure of high-head core cooling recirculation At the HFE-level, for the HFE ofinterest, this was further described by the expression:
| |
| NUREG-1624, Draft A.6-2
| |
| | |
| A.6 Quantification of the HFEs MLOCA
| |
| * Operators fail to shut off high head pumps when the RWST is empty and the pumps are not yet configured for recirculation .
| |
| At the EFC, UA, non-recovery level, the following expression was then derived to define the specific probabilities to be quantified:
| |
| P(Hri #2) per year = MLOCAg
| |
| * P(high head pumps are not yet l configured for recirculation)
| |
| * P(RWST " empty" Eqn (A.6-3) l alarm fails)* P(crew does not stop the pumps in time) where:
| |
| MLOCA% = frequency of the initiator, MLOCA (per year), and P(--) = probability of the event described within each parenthesis Note that in this case, the occurrence of a particular LOCA size (MLOCA), the fact that the high-head pumps are not yet configured for recirculation, and the RWST " empty" alarm has failed make up the most significant aspects of the EFC. Only one UA was quantified (crew does not stop the pumps in time). At the plant, the low-head pumps automatically reconfigure upon low RWST but the high-head pump reconfiguration, taking suction on the low-head pumps, requires manual actions.
| |
| These actions largely rely upon low-level RWST indication and the fact that if reconfiguration is not complete by the time the RWST " empty" audible alarm sounds, operators should stop the high-head pumps to avoid damaging them. The operators then can complete the reconfiguration process and restart the pumps using the containment sump as the suction supply. It was believed that failing the audible RWST " empty" alarm might induce the error ofleaving the high-head pumps mnning while the RWST depleted. In such a circumstance, no recovery for the HFE was credited because it was assumed that if the pumps continue to operate with a depleted suction source, they would fail in an irreparable manner. With no high-head recirculation, core damage would eventually result. It was recognized that it may be possible to further depressurize the plant and use low-head recirculation to cool the core. However, it was decided that such a recovery action would be examined only if the pmbability of this HFE, as calculated using the expression above, came out uncomfortably "high."
| |
| ' A.6.1.3 HFE #3 - Failure to Shut Down (Temporarily) Diesel Generator This HFE was not addressed in the simulation exercise. The scenario involving this HFE has been described earlier. In summary, it involves the failure to stop a DG which is operating under severely degradedjacket cooling conditions during an event involving a loss-of-offsite power and a stuck-open PORV such that a valid safety injection has occurred (thereby bypassing most of the protective DG trips). Additionally, the other DG is out-of-service for test / maintenance in the scenario of interest. The issue of concern is whether operators would allow the operating DG to continue ;
| |
| running, despite the fact that it could fail in minutes as a result ofinsufficient cooling (thereby !
| |
| suffering an irreparable failure), or if they would shut down the DG, allowing the cooling problem A.6-3 NUREG-1624, Draft
| |
| | |
| AM ' Quantification of the HFEs to possibly be repaired and the DG restored to full operating condition. Shutting down the DG l
| |
| would induce a station blackout; however, considering the probable I to 2 hours before core damage l in this situation, such an act allows for the possible full restoration of this DG within this time frame.
| |
| Concurrently, recover offsite power will be attempted; thereby allowing two options for recovering AC power.
| |
| In a similar way as for HFE #1 and HFE #2, a successively detailed set ofexpressions was developed to address this HFE. The PRA event tree-level expression was:
| |
| LOSP
| |
| * Stuck-open PORV
| |
| * SBO
| |
| * Non-recovery ofpower where:
| |
| LOSP = loss-of-offsite power initiator, Stuck-open PORV = a demand for and the subsequent sticking-open of a PORV which causes a valid safety injection and decreases the timing of the scenario for preventing core damage, SBO = a resulting station blackout condition (i.e., loss of all AC power), and Non-recovery of power = AC power is not restored in time sufficient to restore injection thus resulting in core damage At the HFE-level, for the HFE ofinterest, this was further described by the expression:
| |
| LOSP
| |
| * Stuck-open PORV
| |
| * DGA-OOS
| |
| * DGB cooling fails
| |
| * Operator does not " protect" DGB by shutting it down
| |
| * power is not restored At this level, DGA is described as out-of-service (DGA-OOS), and the mode of" imminent" failure for DGB is described as a cooling failure. Together, these events provide further context as to the specifics of the situation.
| |
| Finally, at the EFC, UA, non-recovery level, the following expression was derived to define the specific probabilities to be quantified:
| |
| P(HFE #3) per year = LOSP,,y
| |
| * P(PORV is demanded)
| |
| * P(PORV sticks open)
| |
| * P(DGA-OOS)
| |
| * P(DGB cooling Eqn (A*6-4) fails)
| |
| * P(operator does not shut down DGB)
| |
| * P(non-recovery of power) where:
| |
| LOSP%= frequency of the initiator, LOSP (per year), and P(-) = probability of the event described within each parenthesis NUREG-1624, Draft A.6-4
| |
| | |
| A.6 Quantification of the HFEs Again note that if DGB is not shut down, it is assumed to suffer irreparable damage and so its restoration to service is not credited as part of possibly recovering power.
| |
| A.6.2 ' Additional Considerations A number ofconsiderations were discussed as part of quantifying the specific initiator frequencies and event probabilities to derive the HFE likelihoods. These considerations generally dealt with making sure that the quantification was not done only considering the specific failure modes or initiator that was simulated or otherwise addressed in developing each scenario. It was recognized that to properly estimate the likelihood of each HFE, it should to be quantified using the broadest set of conditions that would stimulate the same EFC. With this in mind, the following sections discuss the additional considerations that went into the eventual quantification of each HFE.
| |
| A.6.2.1 MLOCA,,
| |
| Section A.5 discussed the characteristics of the LOCA that were required to produce the desired initiating conditions that would contribute to the EFC. To repeat, these characteristics were a primary system LOCA of a size where the following four conditions would occur:
| |
| (1) system repressurization is not possible, (2)- continuous injection (requiring high-head pumps for a substantial time) is required to ensure the core is covered and adequately cooled, (3) heat removal is primarily accomplished by the break so that it is not clear whether the steam generators are providing a heat sink or acting as a heat source, and (4) the LOCA will also cause a demand for the use of the containment spray system so that depletion of the RWST and the need to switch to recirculation cooling will occur in a time period reasonable to simulate'.
| |
| The demonstration team discussed to what extent portions of the Large LOCA or Small LOCA size ranges, as defined in the plant PRA, might also be applicable. Additionally, a transient-induced LOCA (such as with a stuck-open PORV) also was considered to see if this type ofinitiator might also cause the same desired characteristics. To the extent these other initiators would produce the same desired conditions, their frequencies would be added to the MLOCA frequency to obtain the overall desired initiator frequency.
| |
| After some deliberation and discussion about the thermal-hydraulic conditions that would develop for each of the initiators mentioned above, it was agreed that these other initiators would produce conditions that are too different from the desired characteristics. Hence, it was concluded that using the MLOCA frequency from the plant PRA would be sufficient to represent the frequency of the type ofinitiator that causes the desired EFC.
| |
| 8 This characteristic is also important because if the LOCA is sufficiently small, the operators may have adequate time to align systems for alternate decay heat removal schemes; thus, eliminating the need for high-pressure !
| |
| recirculation. ]
| |
| A.6-5 NUREG-1624, Draft j J
| |
| | |
| A.6 Quantification of the HFEs A.6.2.2 P(failure of two wide-range RCS pressure indications)
| |
| This particular failure was chosen as part of the EFC because of the following three factors:
| |
| l (1) it involved few failures since there are only two indicators in the control room for this indication, (2) such a failure would affect the ability of the operators to ascertain the true primary system pressure during the event, and (3) the failure was produced in such a way that it would also affcet the indication of sub-cooling by indicating more sub-cooling than was really available.
| |
| The failure of the two wide-range pressure indications was simulated by having one channel out-of-service (known to the operating crew) and failing the other channel by forcing it to operate normally until approximately 550 psig, at which point the indication " stuck" so that it provided no other change in its respouse. This subtle " stuck" failure mode was particularly important to the EFC because at first, the instrument would read normally, giving the crew a sense that its indications were not faulty. Hence, in quantifying the probability of such a combined failure of the two channels, the probability of this specific failure mode was important to the quantification process.
| |
| It was agreed that quantification of this event would involve determining the most probable ,
| |
| combinations of making the two channels unavailable (but maintaining the subtle failure mode for l the one channel) and then combining the probabilities of whatever combinations were identified.
| |
| A.6.2.3 P(crew shuts off injection (at least three out of four pumps per the PRA))
| |
| As discussed above, this is the specific UA of concern for HFE #1. The four available pumps include the two high-head safety injection pumps and the 2 chemical volume and control system (CVCS) pumps. The simulation demonstrated that the operating crew would likely maintain strict adherence to the Emergency Operating Procedures (EOPs) and without recognition of the true subcooling status, would eventually shutoff injection. This act actually was performed in the simulation. The tendency for strict adherence to the EOPs and their injection termination criteria seemed to suggest that other factors such as diversionary faults, time of day, or other operator-performance shaping factors were not necessary to " force" the undesired act. Hence, no additional factors were considered as part of the EFC.
| |
| Thus, quantification of this event focused on consideration of what was seen during the simulation and thoughts about the extent to which the scenario was indeed error-forcing.
| |
| A.6.2.4 P(injection is not restored before core damage)
| |
| The simulation did not run sufficiently long enough to " test" this event, but subsequent discussions with the crew after the simulation revealed that the shift technical advisor (STA) was closely monitoring the core exit thermocouple for signs of trouble. The crew was also aware of the critical symptoms for re-initiation of safety injection such as insufficient pressurizer level, inadequate NUREG-1624, Draft A.6-6
| |
| | |
| A.6 Quantification of the HFEs subcooling (remember, this was failing "high"), and inadequate vessel level indication. Hence, in order for the operators to fail to restore injection before considerable core damage, it was recognized that the crew would have to fail to properly respond to these other cues. It was recognized that failure to restore injection might also occur not because of operator error, but because of equipment failures such as restart failures of the safety injection pumps. All of this was considered in an attempt to identify and quantify the most likely modes of failing to restore injection in time to l prevent significant core damage.
| |
| A.6.2.5 P(bigh-head pumps are not yet configured for recirculation)
| |
| For this event, the simulation revealed that the observed crew remained well aware of RWST level as it was dropping. At the appropriate time, they began and eventually completed the reconfiguration of the high-head pumps (several steps are involved to accomplish this) before the RWST " empty" alarm was suppose to sound. This observation suggested that there was a low probability of not getting the pumps reconfigure in time. The question became "had we observed a typical crew with regard to how fast the operators were able to perform the reconfiguration?" The plant training personnel on the demonstration team had other simulated events from which to draw additional experience with regard to how often operators would or would not complete the reconfiguration in time to prevent possible damage to the pumps. This additional experience, along with what was observed, were both considered in order to arrive at a probability for this event.
| |
| A.6.2.6 P(RWST " empty" alarm fails)
| |
| In the simulation, this event had been produced by taking an IRTU out-of-service which had the subtle effect of failing the computer alarm for an " empty" RWST. Quantification of this event considered examination of the sensors and circuits involved to identify if there were any other probabilistically significant ways to fail the alarm. Consideration was also given to the operator's failing to respond to an operable alarm as a variation, but this failure event was eventually dismissed as very improbable.
| |
| A.6.2.7 P(crew does not stop the pumps in time)
| |
| This is the critical UA for HFE #2 as mentioned above. This UA was never tested during the actual simulation because the crew had already successfully reconfigure the high-head pumps, thus making the need for this action a moot point. This action is only relevant if the high-head pumps are still operating off the RWST once the RWST " empty" level has been reached.
| |
| Nevertheless, four characteristics that were considered in quantifying the probability of this event are as follows:
| |
| (1) mcognition by the observed crew that the " empty" alarm might not be observed, and hence the crew should be ready to stop the pumps without the alarm, (2) warnings are clearly evident in the plant EOPs to stop the pumps when the RWST level reaches the " empty" condition, i
| |
| A.6-7 NUREG-1624, Draft
| |
| | |
| A.6 Quantifiestion of the HFEs (3) the tendency for plant operating crews to act upon the alarm, and (4) observations by the plant training persons of other simulations.
| |
| A.6.2.8 LOSP%
| |
| This is the LOSP initiator frequency from the participating plant's PRA. The initiating event i frequency was subdivided into severe weather and non-severe weather components.
| |
| A.6.2.9 P(PORY demand) and P(PORV sticks open) )
| |
| This is simply the PORV demand and subsequent sticking-open probabilities considering the specific LOSP initiator.
| |
| A.6.2.10 P(DGA-OOS)
| |
| This value also comes from the participating plant's PRA. However, it was recognized that whether or not the operating crew would choose to shut down the operable but undercooked DG, would depend on their knowledge about the condition of this out-of-service DG. It was postulated that if the out-of-service diesel was known to be in a condition that would likely allow for quick restoration of this DG (as opposed to a lengthy restoration period), such knowledge could alter the decision regarding the operable DG. Hence, quantification of this event involved examining plant experience with regard to the fraction of time that diesel out-of-service events allow for quick restoration (the order of I hour or less) as opposed to lengthy restoration times.
| |
| A.6.2.11 P(DGB cooling fails)
| |
| This simply involved the examination and quantification of the most probable ways to fail DG cooling.
| |
| A.6.2.12 P(operator does not shut down DGB) j This is the particular UA associated with HFE #3 above. It was recognized that failing to shut down the diesel did not necessarily mean core damage would occur. Offsite power could potentially be restored in time to prevent core damage. However, failure to shut down the DG and instead run it '
| |
| to failure would preclude the option of potentially restoring this as an AC power supply (if the cause of the cooling failure could be diagnosed and corrected).
| |
| With no experience in simulations or events similar to the scenario that was postulated, quantification of this event was ultimately handled using informal elicitation of those most qualified to makejudgments regarding this probability, the plant senior reactor operators.
| |
| NU' REG-1624, Draft A.6-8
| |
| | |
| A.6 Quantification of the HFEs A.6.2.13 P(non-recovery of power)
| |
| This probability would come from the plant PRA and with consideration of the power restoration procedure. However, consideration was also given to the fact that this procedure is best suited for conditions when there is significant time available to restore power. In the postulated scenario, there is a relatively short time to restore power because of the station blackout and loss of coolant (through the stuck-open PORV) conditions. As with the LOSP-initiating event, the non-recovery of power was subdivided into severe weather and non-severe weather events.
| |
| l A.6.3 Results from the Quantification of HFEs In the following sections, the event trees and fault trees used to quantify each HFE are presented.
| |
| The specific values assigned to each basic event and the results from the quantification of each accident sequence containing the HFE are presented.
| |
| A.6.3.1 Quantification Results for HFE #1 -Inappropriate Termination of Makeup To estimate the importance and uncertainty of HFE #1, Eqn A.6-2 was transformed into the event tree shown in Figure A.6.1. Each top event, representing one of the probability factors given in Eqn A.6-2, was modeled using a fault tree. Figures A.6.2 through A.6.4 present the fault tree logic developed for each probability factor.
| |
| As discussed earlier in Section A.6.2.1, the demonstration team decided to use the MLOCA frequency from the plant PRA as the initiating event frequency; thus,5E-4 was used. To estimate uncertainty, the MLOCA frequency was assumed to be log-normally distributed with an error factor of10.
| |
| To determine the probability of failure of the two wide-range pressure indications, the fault tree in Figure A.6.2 was developed. As discussed in Section A.6.2.2, it was decided that for demonstration
| |
| , purposes, this fault tree should contain only the most probable failure events'; thus, for each train of pressure indication the following three failures /unavailabilities were included:
| |
| (1) train fails, (2) train out.of-service, and (3) train miscalibrated or common cause miscalibration of both trains and the miscalibration is applicable (i.e., causes pressure indication to respond " properly" at first, but later " hangs high.")
| |
| 'During an actual application of the ATHEANA process, it would be expected that all possible failure mechanisms would be identified and considered for inclusion. However, because of resource constraints, the demonstration team only identified those failure modes that were considered the most dominant on the basis of plant PRA expen's opinion.
| |
| A.6-9 NUREG-1624, Draft
| |
| | |
| I A.6 Quantifiestion of the HFEs Since only those combinations of basic events containing at least one miscalibration event were l considered valid for this HFE, cut sets not containing a miscalibration event were eliminated during l the cut set generation process.
| |
| For each basic event in Figure A.6.2, the following information provides a short description of the event and a short discussion of how each event's value and uncertainty distribution were determined.
| |
| This event represents the hardware failure of train A(B) I (1) WR-PI-TR-A(B)-FAILS wide-range pressure indication. The estimated failure rate for this event was taken as 8E-6 per hour with quarterly testing, resulting in a point estimate of 1.7E-2. The event was assumed to be log-nonnally distributed with an error factor of 3.
| |
| (2) WR-PI-TR-A(B)-OOS This event represents the unavailability of train A(B) wide-range pressure indication. On the basis of discussions with the plant PRA expen,'a value of IE-2 w?s used. The event l was assumed to have a maximum entropy distribution with a lower end equaling 3E-3 and an upper end equaling 3E-2.
| |
| (3) TR-A(B)-WR-PI-MISCAL This event represents the miscalibration of train A(B) wide-range pressure indication. The estimated value for this event was taken as 3E-3. The event was assumed to be log-normally distributed with an error factor of 10.
| |
| (4) WR-PI-MISCAL-APP This event represents the portion of miscalibrations that produce the desired wide-range pressure indication response (i.e., track " correctly" and then " hang up"). To maximize the potential importance of this event, its value was estimated by the demonstration team to be IE-1. The event was assumed to have a maximum entropy distribution with a lower end equaling iE-2 and an upper end equaling SE-1.
| |
| (5) WR-PI-MISCAL-CCF This event represents the common cause miscalibration of trains A and B of wide-range pressure indication. After discussion with the PRA expert, the estimated value for this event was taken as 4.2E-4. The event was assumed to be log-normally distributed with an error factor of 10.
| |
| The fault trees for the remaining two probability factors in Eqn A.6-2 are presented in Figures A.6.3 and A.6.4. The basic events in these two fault trees represent the operator actions identified and modeled as part of the ATHEANA demonstration for HFE #1. For each basic event in Figures A.6.3 and A.6.4, the following information provides a short description of the event and a short discussion of how each event's value and uncertainty distribution were determined.
| |
| NUREG-1624, Draft A.6-10
| |
| | |
| A.6 Quantification of the liFEs (1) OPS-SliUT-OFF-SI This event represents the operators shutting off enough pumps (i.e., three out of four) so that core damage is assumed to occur because of inadequate coolant inventory. After discussing the context associated with this action, the training personnel on the ATHEANA demonstration team estimated that on average 10 of 13 crews would perform this action the first time they encountered these conditions. Thus, this event's value was taken to be 7.7E-1. Furthermore, the event was assumed to have a maximum entropy distribution with a lower end equaling SE-1 and an upper end equaling 1.0.
| |
| (2) OPS-FAIL-RESTORE-SI' This event represents the operators failing to ensure that at least two pumps have been turned on to provide adequate coolant. While the ATHEANA demonstration team discussion associated with this event identified cues that should prompt the operators to take action (e.g., increases in core exit thermocouple temperatures), the discussion also indicated that the time to respond to those cues could be as short as 10 minutes. Thus, the probability that the operators would fail to restore injection was estimated to be 1E-1. The uncertainty distribution for the event was assumed to be a constrained noninformative distribution.
| |
| Using the above values, sequence number 4 in Figure A.6.1 was solved using version 6.45 of the SAPHIRE code. Table A.6.1 provides the results from this quantification. From Table A.6.1 it can be determined that the mean core damage frequency associated with HFE #1 is approximately 1.8E-9.
| |
| 7 As discussed in Section A.6.2.4, this " failure to restore safety injection" should include both operator action (s) and equipment failures given appropriate operator action. For this demonstration, only the operator action was included. This was on the basis of the assumption that hardware failure of multiple pumps, given appropriate oper-ator action, would be much smaller than failure of the operators to perform the appropriate action.
| |
| A.6-11 NUREG-1624, Draft
| |
| | |
| A.6 Quantification of the HFEs
| |
| ' i a we.a amar war
| |
| "" I "O j O.".
| |
| - - i . .. . -.
| |
| f I I i l-
| |
| : . i F""
| |
| : a Figure A.6.1 Event Tree Representation of Eqn A.6-2-MLOCA-HFE #1.
| |
| NUREG-1624, Draft A.6-12
| |
| | |
| A.6 Quantification of the HFEs i
| |
| E*JJ'. .."."
| |
| WA M l
| |
| I I i'*a"4..::" '? "" .*4.lll:."
| |
| VAArTRAIN VVR ST RAN I I I I
| |
| ..MT.''.:
| |
| . A.*r*,.*L
| |
| .. ra....T.L "J..t. 'r.:.
| |
| . A.'rTL . .A".a..'.t.L..
| |
| t rem sotas s na2 soest
| |
| "* ''C"'
| |
| VA m. .A raits VAm. Aces
| |
| " " wnn ALs vvnntR-scos t I i i
| |
| ~ . ,
| |
| . . . - - - ;,*:=;-
| |
| LA VAR M i =.oi Q 4 isso, Vanhe I I I I
| |
| .. ,p g.g . . .
| |
| 3 E4 4 JE.04 42E44 3OE43 T4MV4nnaiCAL VWtaM M VARM -CEF TR&VVRA MSCAL Figure A.6.2 Fault Tree Representation of P(failure of 2 wide-range RCS pressure indications)
| |
| A.6-13 NUREG-1624, Draft
| |
| | |
| A.6 Quantification of the HFEs i
| |
| ..o..g,g,n,,
| |
| E I
| |
| *""".""/,'""'
| |
| N6ACTON
| |
| .7 E-01 OPS-SHUT-OFF-SI Figure A.6.3 Fault Tree Representation of P(crew shuts offinjection (at least 3 of 4 pumps per the PRA)).
| |
| I I
| |
| FAILURE TO RESTORE SAFETV INJECTION SI R OPERATOR FAILE TO
| |
| ''9 UlC" 1.0E-01 OPS-FAIL-RESTORE-Si Figure A.6.4 Fault Tree Representation of P(injection is not restored before core damage).
| |
| 1 NUREG-1624, Draft A.6-14
| |
| | |
| A.6 Quantification of the HFEs
| |
| ,. Table A.6.I' Cut Set Quantification and Uncertainty Results for HFE I
| |
| #1 SEQUENCE CUT SETS (QUANTIFICATION) REPORT Family' : ATHEANA. Sequence : 4-Analysis : RANDOM Event Tree : MLOCA-HFE#1
| |
| . Case : ALTERNATE Ittit. Event : MLOCA Mincut Upper Bound : 2.284E-009 Cut % % Cut Prob /
| |
| No. Total Set Freq. ALTERNATE CJT SETS l ------ ----- ----- ---------
| |
| 1 70.8 70.8 1.6E-009 OPS-FAIL-RESTORE-SI, OPS-SHUT-OFF-SI, WR-PI-MISCAL-APP, WR-PI-MISCAL-CCF 2 79.6 8.8 2.0E-010 OPS-FAIL-RESTORE-SI, OPS-SHUT-OFF-SI, TR-A-WR-PI-MISCAL, WR-PI-MISCAL-APP, WR-PI-TR .B-FAILS 3- 88.4 8.8 2.0E-010 OPS-FAIL-RESTORE-SI, OPS-SHUT-OFF-SI, TR-B-WR-PI-MISCAL, WR-PI-MISCAL-APP, WR-PI-TR-A-FAILS 4 93.4 5.1 1.2E-010 OPS-FAIL-RESTORE-SI, OPS-SHUT-OFF-SI, TR-A-WR-PI-MISCAL, WR-PI-MISCAL-APP, WR-PI-TR-B-OOS 5 98.5 5.1 1.2E-010 OPS-FAIL-RESTORE-SI, OPS-SHUT-OFF-SI, TR-B-WR-PI-MISCAL, WR-PI-MISCAL-APP, WR-PI-TR-A-OOS 6 100.0 1.5 3.5E-011 OPS-FAIL-RESTORE-SI, OPS-SHUT-OFF-SI, TR-A-WR-PI-MISCAL, TR-B-WR-PI-MISCAL, WR-PI-MISCAL-APP 5th Perc. 7.425E-014 95th Perc. 6.087E-009 Maximum 1.333E-007 Mean 1.794E-009 Median 9.298E-011 MinCut 2.284E-009 Minimum ' +0.000E+000 Seed 12345 Size 1000 Stand. Dev. 8.893E-009 A.6-15 NUREG-1624, Draft
| |
| | |
| A.6 Quantificni..>n of the HFEs A.6.3.2 Quantification Results for HFE #2 -Inappropriate Depletion of Resources To estimate the importance and uncertainty of HFE #2, Eqn A.6-3 was tranformed into the event tree shown in Figure A.6.5. Each top event, representing one of the probabdity factors given in Eqn A.6-3, us modeled using a fault tree. Figures A.6.6 through A.6.8 present the fault tree logic developed for each probability factor.
| |
| I As discussed earlier in Section A.6.3.1, an MLOCA frequency of SE-4 was used along with a log- i nornially distribution having an error factor of 10. f The fault tree in Figure A.6.6 was developed to represent the probability that the high-head pumps are not configured for recirculation before the RWST " empty" alarm occurs. For the basic event in Figure A.6.6, the followin~g information provides a short description of the event and a short discussion of how the event's value and uncertainty distribution were determined. j l
| |
| OPS-F-R-PUMPS-RECIRC This event represents the operator action of not completing the-reconfiguration of the high-head pumps for recirculation before the RWST " empty" alarm occurs. Using experience gained from observations made on simulated large LOCA scenarios, the training staff members estimated that operators would fail to reconfigure the high-head pumps approximately 50 pcment of the time. Thus, the event's value was set at SE-1. The event was assumed to have a maximum entropy distribution with a lower end equaling 1 E-1 and an upper end equaling 1.0.
| |
| To determine the probability that the RWST " empty" alarm fails, the fault tree in Figure A.6.7 was developed. For each basic event in Figure A,6.7, the following information provides a short description of the event and a short discussion of how each event's value and uncertainty distribution were determined.
| |
| LT-1(2,3, or 4) This event represents the failure of an individual level transmitter that feeds the RWST " empty" alarm. Information provided by the plant PRA expert indicated that the component's failure rate should be estimated at 1.6E-5 per hour. Further information indicated that the components were tested quarterly, resulting in a value of 3.4E-2 for the basic event. The event probability was assumed to have a log-normal distribution with an error factor of 3.
| |
| LT-X-CCF This event represents the "first failure" portion of the common cause failure of the level transmitters. Its value and distribution were assumed to be the same as LT-1(2,3, or 4).
| |
| BETA 4LT This event represents the beta factor for failure of 4 level transmitters by a common cause failure. With no information available from the NUREG-1624, Draft A.6-16
| |
| | |
| A.6 Quantification of the HFEs PRA, it was' assumed that the value for this event was IE-2.
| |
| Funhermore, it was assumed that the uncertainty distribution for this event was a constrained noninformative distribution.
| |
| MPC-SURROGATE-IRTU This event was used to represents the unavailability of the two IRTUs whose failure would prevent the RWST " empty" alarm from occe ring. Based on information collected by the plant PRA expert, the unavailability of this event was estimated to be 7.2E-4. The event's uncenainty was estimated by a log-normal distribution with an error factor of 5.
| |
| The fault tree in Figure A.6.8 was developed to represent the probability that the operators would fr.il to stop the high-head pumps given the RWST " empty" alarm did not sound. For the basic event in Figure A.6.8, the following information provides a short description of the event and a short discussion of how the event's value and uncertainty distribution were determined.
| |
| OPS-F-STOP-PUMPS .- This event represents the operators failing to stop the high-head pumps before they would be damaged by low-suction pressure given that the RWST " empty" alarm failed to sound. While this event did not occur during the observed simulation (i.e., the operators did shut off the pumps), the training staff members estimated that five out of six operating cirws would not connect the failed / unavailable IRTUs with the " empty" alarm. The probability of this event was estimated to be 8.33E-1, and it was assumed that the uncertainty distribution for this event was a constrained noninformative distribution.
| |
| Using the above values, sequence number 5 in Figure A.6.5 was solved using SAPHIRE. Table A.6.2 provides the results from this quantification. From Table A.6.2 one can see that the mean core damage frequency associated with HFE #2 is approximately 2.0E-7.
| |
| l l
| |
| l A.6-17 NUREG-1624, Draft
| |
| | |
| A.6 Quantification of the HFEs
| |
| - -. -,- n. -
| |
| == l l * **
| |
| Figure A.6.5 Event Tree Representation of Eqn A.6-3-MLOCA-HFE #2 NUREG-1624, Draft A.6-18
| |
| | |
| A.6 Qusatification of the HFEs l
| |
| P ALUR S TO C ONF E3UR E C U TDN P-C RCIR OPSfMLTO llE ,llIC' 5.0E-01 OPS-F-R-PUIFS-RECIRC Figure A.6.6 Fault Tree Representation P(high-head pumps not yet configured for recirculation) i i
| |
| I
| |
| ,y-satu u l l
| |
| =R-ya ,R:*M.T.. Q$,,
| |
| ne os l
| |
| C -LT LT4FAL I I I I I I
| |
| W F m op ND 413 ha, a.tL . am --- ,t ,M ,Reeth. t .E ;
| |
| 34602 1 M-02 3 4E-02 34E-02 3 4E-02 3 4E-02 LT4 G F BETA 4LT L1 LT-2 LT-3 L -4 l
| |
| l Figure A.6.7 Fault Tree Representation of P(RWST " empty" l alarm fails)
| |
| A.6-19 NUREG-1624, Draft
| |
| (
| |
| L_______________________ _ _ . _ _ _ . _ _ _ _ _
| |
| | |
| A.6 Quantification of the HFEs l
| |
| 8
| |
| )
| |
| 'A2Ris.
| |
| S#WPS i
| |
| To'.J* 'F*
| |
| 8.3E41 OPSE-STOP#WPS Figure A.6.8 Fault Tree Representation of P(crew does not stop the pumps in time) l NUREG-1624, Draft A.6-20
| |
| | |
| A.6 Quantification of the HFEs Table A.6.2 Cut Set Quantification and Uncertainty Results for HFE i #2 SEQUENCE CUT SETS-(QUANTIFICATION) REPORT Family : ATHEANA Sequence : 5
| |
| -Analysis : RANDOM' Event Tree :
| |
| MLOCA-HFE#2 l
| |
| . Case : ALTERNATE Init. Event : MLOCA Mincut Upper Bound : 2.209E-007 Cut % % Cut Prob /
| |
| No. Total Set Freq. ALTERNATE CUT SETS 1 67.9 67.9 1.5E-007 MPC-SURROGATE-IRTU, OPS-F-R-PUMPS-RECIRC,
| |
| ; OPS-F-STOP-PUMPS l 2 99.9 32.0 7.1E-008 BETA-4-LT, LT-X-CCF, OPS-F-R-PUMPS-RECIRC, OPS-F-STOP-PUMPS 3 100.0 0.1 2.8E-010 LT-1, LT-2, LT-3, LT-4, OPS-F-R-PUMPS-RECIRC, OPS-F-STOP-PUMPS Sth Perc. 2.221E-009
| |
| ! 95th Perc. 8.808E-007 l
| |
| Maximum 9.421E-006 Mean 2.037E-007 l- Me d.ian 4.588E-008 l
| |
| L MinCut - 2.209E-007 I
| |
| Minimum 1.535E-010 Seed 12345 Size 1000 Stand. Dev. 5.825E-007 A.6-21 NUREG-1624, Draft
| |
| | |
| A.6 Quantification of the HFEs A.6.3.3 Quantification Results for HFE #3 - Failure to Shut Down (temporarily) a DG To estimate the importance and uncertainty of HFE #3, Eqn A.6-4 was transformed into the event trees shown in Figures A.6.9 and A.6.10. These two trees have the same general logic with only two differences. Figure A.6.9 represents the case where the LOSP initiating event occurred as a result of severe weather that also affects the recovery of offsite power. Figure A.6.10 represents the case where the LOSP initiating event occurred because of conditions other than severe weather. As discussed in Section A.6.2.10, the ATHEANA demonstration team identified that the operators' perception on how long a DG would be out of service would impact their decision to tum off a DG experiencing cooling problems. Thus, in each event tree, a distinction was made on whether the DG would be out of service for a long or short time period.
| |
| Each top event, representing one of the probability factors given in Eqn A.6-3, was modeled using a fault tree. As discussed above, the out-of-service DG top event and the top event representing stopping the DG with a cooling problem each had two separate fault trees developed to allow the modeling of the unique conditions associated with each. Figures A.6.11 through A.6.19 present the fault tree logic developed for each probability factor.
| |
| For each of the basic events in Figures A.6.11 through A.6.19, the following information provides i
| |
| a short description of the event and a short discussion of how each event's value and uncertainty distribution were determined. In addition, the same information is provided for each initiating event.
| |
| (1) LOSP-SW This event represents a severe weather LOSP initiating event.
| |
| The point estimate value for this event provided by the participating plant's PRA expert was IE-2. The event was assumed to be log-normally distributed with an error factor of 5.
| |
| (2) LOSP-NSW This event represents a non-severe weather LOSP initiating event. The point estimate value for this event provided by the participating plant's PRA expert was 4.9E-2. The event was assumed to be log-normally distributed with an error factor of l
| |
| 3.
| |
| (3) PORV-DEMAND This event represents the probability that a PORV will be I demanded given that a LOSP event has occurred. The point estimate value for this event,1.6E-1, was obtained from the Accident Sequence Precursor Program. The event was assumed to have a maxhnum entropy distribution with a lower end equaling 1.6E-2 and an upper end equaling 2E-1.
| |
| (4) PORV-FAIL-TO RECLOSE This event represents a PORV failing to reclose given that it has been demand open. On the basis ofinformation supplied by the plant PRA expert stating that both PORVs get NUREG-1624, Draft A.6-22
| |
| | |
| A.6. Quantification of the HFEs demanded " simultaneously" at 2385 psig, the point estimate value for this event was estimated by multiplying 2 times the probability that one PORV sticks open. This resulted in a value of SE-2. The event was assumed to be log-normally distributed with an error factor of 3.
| |
| (5) DG-A-OOS-S This event represents the short-term OOS unavailability of one DG. The plant PRA expen provided information stating that a DG had been OOS for less than I hour only 12 times during 4 fuel cycles. If an 18 month fuel cycle is assumed, then the point estimate for this event is 2.3E-4. The event
| |
| .was assumed to be log-normally distributed with an error factor of 10.
| |
| (6) DG-A-OOS-L This event represents the long-term OOS unavailability of one DG. The plant PRA expen provided information stating that a DG had been OOS for 33 times for a total of 538 hours during 4 fuel cycles. If an 18 month fuel cycle is assumed, then the point estimate for this event is ,1E-2. The event was assumed to be log-normally distributed with an error factor of 3.
| |
| (7) DG-B-COOLING -F This event represents the cooling failure of the other DG. On the basis of discussions with the plant PRA_ expert, its point estimate was estimated by combining cooling failures from outside the DG " black box" with the fraction of." cooling" failures from inside the DG "blac1. box." The cooling failure probability outside the DG " black box" is dominated by-failure of an air-operated valve (1.5E-3). The " cooling" failure from inside the DG " black box" was estimated by adding the probability that a DG will fail to start (5.8E-3) with the probability that it will fail to run for 1 hour (4.6E-3) and then multidying by 1E-1-the assumed fraction of failures inside the DG " black box" that were cooling failures.
| |
| Combining the " cooling" probabilities results in a value of 2.54E-3. The event was assumed to be log-normally distributed with an error factor of 5.
| |
| (8) - OPS-FTSTOP-DGB-S This event represents the operators failing to stop the DG with a cooling problem given that the other DG's OOS unavailability is for the short term. On the basis of a poll of 8 senior reactor operators currently working at the plant, the j
| |
| value for this event was set at SE-1. The event was assumed A.6-23 NUREG-1624, Draft
| |
| | |
| A.6 Quantincation of the HFEs to have a maximum entropy distribution with a lower end equaling 4E-1 and an upper end equaling 6E-1.
| |
| (9) OPS-FTSTOP-DGB-L This event represents the operators failing to stop the DG with a cooling problem given that the other DG's OOS unavailability is for the long term. On the basis of a poll of eight senior reactor operators at the plant, the value for this event was set at 1.25E-1. The event was assumed to have a maximum entropy distribution with a lower end equaling 0.0 )
| |
| and an upper end equaling 2.5E-1.
| |
| '(10) OPS-FTRES-OSP-SW This event represents the non-recovery of power given that power was lost because of severe weather. A value of 7E-1 was provided by the plant PRA expert. The event was assumed to have a maximum entropy distribution with a lower end equaling 6E-1 and an upper end equaling 8E-1.
| |
| (11) OPS-FTRES-OSP-NSW This event represents the non-recovery of power given that power was lost because of non-severe weather. A value of 3E-1 was provided by the plant PRA expert. The event was assumed to have a maximum entropy distribution with a lower end equaling 2E-1 and an upper end equaling 4E-1.
| |
| Using the above values, sequences 7 and 11 in Figures A.6.9 and A.6.10 were solved using SAPHIRE. Table A.6.3 provides the results from this quantification. From Table A.6.3 it can be determined that the mean core damage frequency associated with HFE #3 is about 5.6E-10. l l
| |
| l NUREG-1624, Draft A.6-24
| |
| | |
| I 1 1
| |
| A.6 Quantification of the HFEs l l
| |
| . os -e. a.
| |
| sac s
| |
| : a. .wcs uw.s u.
| |
| on.e 1
| |
| te
| |
| -. -.o.
| |
| ,c to. - - - .... ..... . .
| |
| l i I
| |
| I l
| |
| l l
| |
| i l
| |
| 1 . : $":
| |
| I I 5"2=:
| |
| ' :.- l :::=:
| |
| 5:2=:
| |
| Figure A.6.9 Event Tree Representation of Eqn A.6-4-LOSP-HFE#3 (Severe Weather Induced LOSP) l 1
| |
| i A.6-25 NUREG-1624, Draft
| |
| | |
| A.6 Quantincation of the HFEs
| |
| ..L.g"".':'..
| |
| =
| |
| -- 'a"
| |
| . .". ,g,''A -.
| |
| i i ! m:1 28
| |
| :- a, Figure A.6.10 Event Tree Representation of Eqn A.6-3-LOSP-HFE#3 (Non-Severe Weather Induced LOSP)
| |
| NIIREG-1624, Draft A.6-26
| |
| | |
| A.6 Quantification of the HFEs i
| |
| "oY" l 'Y*
| |
| m= poom 1.6E41 PORV-094AND l
| |
| l Figure A.6.11 Fault Tree Representation of P(PORV demanded) i "a"oi" sopRv
| |
| ~;:;~
| |
| 5.0E42 PORV FAIL TOAECLOSE Figure A.6.12 Fault Tree Representation of P(PORV sticks open)
| |
| A.6-27 NUREG-1624, Draft
| |
| | |
| A.6 Quantification of the HFEs i
| |
| " *?.07.t*'
| |
| DGAS i
| |
| A"*:#TEAM 2.3 E44 D G-A O OS-S Figure A.6.13 Fault Tree Representation of P(DGA-OOS) for Short Time Period i
| |
| " =70"'
| |
| I DGA-L L", t' .
| |
| TEE 1DE42 DG-AOOS L Figure A.6.14 Fault Tree Representation of P(DGA-OOS) for Long Time Period -
| |
| NUREG-1624, Draft A.6-28
| |
| | |
| A6 Quantification of the HFEs I
| |
| owame, mum
| |
| (
| |
| y
| |
| ,==rs.
| |
| m..,m 15E43 DG EkCOOiHG4 Figure A.6.15 Fault Tree Representation of P(DGB cooling fails) l
| |
| '#o'a t'?.!'"
| |
| OB95R D80 6+em?
| |
| O G8-NS-S wE
| |
| .. R o"o.E. .[E.u 5 0E41 O PSE TSTC P-DG B-S Figure A.6.16 Fault Tree Representation of P(operator does not shut down DGB) Given that the Other DG's OOS Unavailability is for the Short Term i
| |
| A.6-29 NUREG-1624, Draft
| |
| | |
| A.6 Quantification of the HFEs I
| |
| 's T d'L"u.;:.
| |
| D G8-NS-L a.%%. ".'.;u;A.
| |
| I 1.3E 01 O PS-F TST O P-DG B-L Figure A.6.17 Fault Tree Representation of P(operator does not shut down DGB) Given that the Other DG's OOS Unavailability is for the Long Term i
| |
| 1 I i
| |
| '130f.? l REC OSASW l
| |
| 'ElE' stt?
| |
| PCMetDef 7.0E41 OPS-FTES OSP-SW Figure A.6.18 Fault Tree Representation of P(non-recovery of power)
| |
| Given Severe Weather NUREG-1624, Draft A.6-30
| |
| | |
| A.6 Quantification of the HFEs I
| |
| '3"ETs" REC-OjN6W
| |
| =nn.= =
| |
| 3.0E41 OPS-FTES-OSP-N SW Figure A.6.19 Fault Tree Representation of P(non-recovery of power)
| |
| Given Severe Weather A.6-31 NUREG-1624, Draft
| |
| | |
| A.6 Quantification of the HFEs Table A.6.3 Cut Set Quantification and Uncertainty Results for HFE
| |
| #3 1
| |
| Sort / Slice Cut Set Report Family-> ATHEANA Event Tree-> MULTIPLE Seg-> MULTIPLE Mincut Upper Bound -> 6.019E-010 This Partition -> 6.019E-010 Cut % % Cut No. Total Set Frequency Cut Sets 1 62.0 62.0 3.734E-010 IE->LOSP-NSW, DG-A-OOS-L, DG-B-COOLING-F OPS-FTRES-OSP-NSW, OPS-FTSTOP-DGB-L PORV-DEMAND, PORV-FAIL-TO-RECLOSE 2 91.6 29.6 1.778E-010 IE->LOSP-SW, DG-A-DOS-L,.DG-B-COOLING-F OPS-FTRES-OSP-SW, OPS-FTSTOP-DGB-L PORV-DEMAND, PORV-FAIL-TO-RECLOSE 3 97.3 5.7 3.435E-011 IE->LOSP-NSW, DG-A-DOS-S, DG-B-COOLING-F OPS-FTRES-OSP-NSW, OPS-FTSTOP-DGB-S PORV-DEMAND, PORV-FAIL-TO-RECLOSE 4 100.0 2.7 1.636E-011 IE->LOSP-SW, DG-A-OOS-S, DG-B-COOLING-F OPS-FTRES-OSP-SW, OPS-FTSTOP-DGB-S PORV-DEMAND, FORV-FAIL-TO-RECLOSE Sth Perc. 9.822E-012 95th Perc. 2.191E-009 Maximum . 2.787E-008 Mean 5.597E-010 Median 1.717E-010 l
| |
| MinCut 6.019E-010 Minimum 4.369E-013 Seed 12345 Size 1000 Stand. Dev. 1.555E-009 NUREG 1624, Draft A.6-32
| |
| | |
| A.6.4 Observations The quantification of the three HFEs ofinterest demonstrated the successful application of the quantification process described in Section 8 of this NUREG. The resulting core damage sequence frequencies involving the HFEs ofinterest range in value from 2E-7 to SE-10. Without a complete
| |
| - comparison to the existing plant PRA results, it can not be equivocally stated that these are or are not important from a risk contribution perspective. Nevertheless, as with PRA, the value of the results is often determined by the insights gain by doing the process; not just by the quantification-results. While none of the quantified results are particularly " distressing," the plant staff acknowledged that performing the ATHEANA process provided valuable insights into how they might improve training as well as the recognition of ways that the training and PRA staffs at the plant may be able to more closely work together in the future.
| |
| i I
| |
| I A.6-33 NUREG-1624, Draft
| |
| | |
| A.7 Findings and Recommendations from the Demonstration.
| |
| Significant information regarding the ATHEANA method was obtained by performing the demonstration. To delineate this information and the " lessons learned," the method is first evaluated against the goals of the demonstration and the success criteria identified in Section A.1 above.
| |
| Specific impmvements needed in the method and its documentation (originally the FOR manual and IG), which were identified during the demonstration and from the results of surveys administered to the team members after the demonstration was completed, are discussed. Next, important methodological findings obtained from the simulator runs observed during the demonstration and the importance of simulator exercises to the successful application of ATHEANA are addressed.
| |
| A.7.1 Evaluation Against Demonstration Goals and Success Criteria All of the goals and criteria for success of the method and the demonstration were essentially met, including identifying several needed improvements in the ATHEANA tools and processes. This section addresses each of the four success criteria and the related goals.
| |
| A.7.1.1 Did the FOR manual and the IG " work"?
| |
| While needed improvements were identified in some of the guidance and sapport information contained in the FOR manual and IG and in the process documentation tables (see Attachment A.3),
| |
| the basic search process for HFEs, UAs, and EFCs generally worked well. The most difficult aspect of the search process was the identification of the human contribution to the EFC. That is, the demonstration team was able to use the documentation in the FOR manual and IG to identify potential HFEs, UAs, and the plant side of the EFC, but had more difficulty using the psychological and human factors-related guidance to evaluate how operators could believe that a UA is the right thing to do. After initial attempts at this part of the ATHEANA process, a supplemental training session was provided to the demonstration team on how to use the documentation in the FOR manual and the IG to address the human contribution. While the additional training was successful in that the team was able to identify potential human related EFCs, it was determined that this pan o'f the process could be improved by making the guidance more question oriented (i.e., structuring the guidance so that the analysis team must respond to specific questions, and by tieing the concepts addressed in the guidance to actual events). The latter approach will allow the analysts to review clear, real-world examples of the psychological and human facte wrelated concepts bearing on operator performance. l From the perspective of the demonstration team (as determined from discussions and the results of l the questionnaires), the main problem with the FOR manual and IG (and the method itself) was that the overall process was thought to be " cumbersome"and very labor / resource intensive. As noted above, at least pan of the problem is related to the limitations identified with the search process and the tables that were used to document the search process. These aspects of the process are being
| |
| - improved and it should be possible to significantly improve the efficiency of the process through
| |
| " computerization" and " human factoring" of the application of the method. The first application of ATHEANA may also have seemed cumbersome because the process was being evaluated and modified while it was being used. However, the application of ATHEANA will always be demanding to some extent. ATHEANA was designed to identify the types of events that could lead A.7 1 NUREG-1624, Draft
| |
| | |
| A.7 Findings and Recommendations from Demonstration to serious consequences that have not been identifed before. That is, the approach is derived from a characterization of serious accidents that have occurred in the nuclear and other industries in the past and it is clear that identifying such events will never be trivial. The most effective use of ATHEANA will come from a careful prioritization of the areas to be analyzed (so that available resources are allocated to the most critical areas) and a willingness to continue examining a plant over the long-term to eventually cover potential human error scenarios. Another way to think ofit is to keep updating the "living PRA" as resources allow.
| |
| The notion of careful prioritization points to another aspect of the ATHEANA process that needs improvement in the future. During the demonstration, it was discovered that a careful characterization of plant operations and the general strategies used by plant crews to ensure successful response to accident scenarios, can enhance the analysts' ability to establish search priorities and limit initial efforts to those contexts that are most likely to create significant problems.
| |
| Such characterizations will also assist analysts in identifying the more likely PSFs that will contribute to a particular EFC. The lesson leamed about the need to characterize the way plant crews operate was obtained primarily from the development team's observation of simulator exercises. {
| |
| in fact, the importance of simulator exercises to the application of the ATHEANA method was brought forward during the demonstration. Section A.7.2 provides more detailed discussions of the important methodological findings derived from observations of the simulator exercises conducted during the demonstration.
| |
| Other specific planned improvements in the process (IG and FOR manual) include the folloEing:
| |
| - In addition to improving the prioritization process through characterization of plant operations and plant crews, it was also determined the various functions represented in the event trees could be prioritized by the trainers and operators in terms of potential for error. Prioritization at this level will also serve to reduce the overall demands of the process.
| |
| * A specific link will be made between the tables used for documenting the process (see Attachment A3 for examples of the demonstration documentation tables used) and the relevant sections of the ATHEANA search process. This will help clarify the connection between the questions being answered in applying the process and their documentation.
| |
| A.7.1.2 Was the Training Effective?
| |
| Survey comments (obtained immediately after the initial training) from the plant personnel who participated in the training were very positive about the overall training package. Some important suggestions for improvements include a more extensive initial overview of the method directed at plant management and a brief review of PRA for the benefit of trainers and operators who need a refresher. It was also suggested that detailed training for later steps in the process, such as quantification, be presentedjust before the beginning of that step. As noted above in Table A.2.1 and in section AJ, supplemental training was provided just before the quantification process and in conjunction with the identification of potential EFCs.
| |
| NUREG-1624, Draft A.7-2
| |
| | |
| A.7 Findings and Recommendations from Demonstration One of the goals of the initial training session was to provide enough information for the trainees to be able to perform an analysis of an event that occurred at their plant and characterize it in terms of ATHEANA concepts. The idea was to give the team members experience in thinking about human errors and accident scenarios from the ATHEANA perspective. First, the training team walked through a presentation of an ATHEANA based retrospective analysis of two industry events. Next, they had the team discuss an event that had recently occurred at their plant that involved the main feedwater system, the start-up feedwater pump, and the EFS. The event became very complicated because of a combination oflimits on operation of the suction lines from the condensate storage tank; flow restrictions in some parts of the combined system; a steam-side lead on a feedwater heater; and communications that became confused because of different expectations / assumptions
| |
| , between the licensed control room operators and an operator in the field. During the discussion, the I
| |
| trainees were able to describe the event in the context of ATHEANA. However, one of the team members felt that in retrospect, an event that had a direct PRA-related link would have been more useful.
| |
| 1 After the demonstration was completed, four of the five team members responded to an additional survey on the adequacy / effectiveness of the training. There was general consensus that the training created an interest in the ATHEANA process and motivated the team to search for risk significant events. It was also agreed that the training did facilitate the use of the FOR manual and the IG, and that this training would be very important to inexperienced users of the method. In fact, the team thought that the ATHEANA process as currently developed, is very complex and that the " method appears to need more than the written materials to understand and explain it." This finding suggests that training on the use of the method is needed by most users before beginning an application. The need for training is certainly related to the fact that the documentation for ATHEANA is, and will be, fairly extensive. The need for extensive documentation is a result of the complexity of the process required to isolate potentially significant HFEs. In particular, the need for analysts (who often are engineers) to understand the basic psychological concepts and models underlying
| |
| ' ATHEANA, requires a non-trivial tutorial. Nevertheless with the improvements identified from the demonstration for the FOR and IG, the sense of complexity may be lessened. Moreover, only one of the team members, other than the team leader, had actually read much of the FOR manual or the 10 before the training. Thus, it is not surprising that the training seemed critical and the method seemed complex. Nevenheless, for novices to PRA, such as most trainers and operators, training on the ATHEANA method will always be needed.
| |
| The questionnaires also indicated that the team leader needs to be very knowledgeable about the 4
| |
| application of the ATHEANA method to avoid " inappropriately allocating time resources" on the different steps of the method. The apparent implication of this comment was that until the method is well known, one may focus too much energy (or too little) on a particular step at the wrong time.
| |
| For example one team member stated, "Ifyou spent too much time on screening, you run out of time and energy to do the meat of the method. On the other hand, if you don't do some screening, you can end up analyzing sequences that don't matter quantitatively. The team leader is key to determining the pace of the analysis." Other comments in the questionnaires indicated that the demonstration team thought the training did help the team leader. The team leader was relied upon for guidance and he "kept them on track."
| |
| A.7-3 NUREG-1624, Draft
| |
| | |
| A.7 Findings and Recommendations from Demonstration Regarding the supplemental training provided for identification of the human side of the EFCs and for the quantification process, the team felt that this training was particularly effective because of "where we were in the process." The general consensus from the team was that an overview of the method is important during initial training, but that the supplemental training just before major steps was critical. Again, the improvements in the documentation of the critical steps may reduce the importance of supplemental training.
| |
| A.7.1.3 Did the Process Identify Demanding Scenarios Involving EOCs?
| |
| This criterion was addressed primarily by answering the following questions:
| |
| - Did the plant operators judge the identified scenario as cognitively demanding and did they contain EOCs?
| |
| - Did the plant staffidentify and implement " fixes" for some of the scenarios identified?
| |
| - Do the plant staff believe that ATHEANA can or will identify important problems?
| |
| As is discussed in sections A.4, A.5, and A.6 above, the identified scenarios contained both EOOs and EOCs. Moreover, the plant operators did judge the scenarios to be demanding. The operating crew did terminate safety injection in the MLOCA scenario (in the context of failed and misleading instrumentation) and the operators on the team and those polled, felt that given the occurrence of the identified EFCs for the other scenarios (e.g., the station blackout (SBO) scenario), there was a reasonably high probability that the identified UAs would occur. Thus, the identified scenarios were perceived as being demanding. However, the scenarios identified during the demonstration also had a high probability of being recovered and the probabilities of the EFCs were determined to be low.
| |
| The probability of reaching core damage in the scenarios identified was below 1 E-8. Nevertheless, it is clear that the ATHEANA methodology provides the tools that will allow users to identify demanding scenarios in their plant. Given that a major goal of the method is to identify situations that can lead to serious accidents, it is not necessarily surprising that the events identified in this case had generally low probabilities (if serious accidents are to have low probabilities). What is important is that the method appears to be able to allow users to identify demanding scenarios and that it has the potential for identifying important accident scenarios before they occur.
| |
| The plant staff thought the method is useful in many ways. Comments from the questionnaires and from discussions with the demonstration team which support the overall benefit and usefulness of ATHEANA in identifying important problems included the following:
| |
| - One trainer noted that the scenarios were interesting to him "because they were exploring areas ofinterest where the training department had never gone before."
| |
| - One team member indicated that the model was very useful "to look for the whys of errors and then to tie errors or non-recovery together."
| |
| NUREG-1624, Draft A.7-4
| |
| | |
| A.7 Firdi;gs czd R:c:mmxditioIs fr:m Demmstratioi
| |
| * Another was struck by how the method got "into the realm ofinstrumentation failures, which tend to be rare events" and felt that the " search for data-driven quantification is refreshing."
| |
| * One noted that "the method has fewer shortcomings when applied to operations improvements, because even low frequency sequences can still produce useful insights into the kinds of errors operators make, to differences from crew to crew, etc."
| |
| * There appeared to be general consensus that the method was effective and that "if ATHEANA was implemented across the board...it would have more credibility" than other HRA methods.
| |
| It was noted, however, that it is difficult to compare methods without comparing the resources the methods require.
| |
| Thus, while there was substantial evidence that the plant staff believes ATHEANA can identify important problems, it should also be noted that the plant staff was very concerned about the usefulness of the method relative to the resources required. They were also concemed about the ability to effectively complete the method. The following comments indicated these opinions:
| |
| * One analyst noted that "the process most certainly will identify demanding scenarios or places within our structure that have the potential for human error." "However, the resources required to identify one area of concem negate the gains." This analyst also indicated doubts about any utility being able to afford the needed resources for the gain realized.
| |
| * Another indicated that theywere concemed about " screening on the basis of our current risk analysis that does not include EOCs.""Are we screening out scenarios that might be important if we included EOCs." He also stated "I am not sure how to develop a level of confidence that we have gotten the important EOCs - completeness."
| |
| As discussed above in section A.7.1.1, it is true that ATHEANA will require non-trivial resources and that completeness will not necessarily be assured. However, steps are being taken to improve the efficiency of the method and after observing the application of the method, it is thought that the resource demands will be best represented by a negatively accelerating function. That is, as additional scenarios are examined, the information gained from analyzing the previous scenarios will make the later analyses much more efficient. This " savings" will not only be because ofincreased familiarity with the method, but will also be related to the fact that much of what is identified in one set of scenarios can be used in others. Thus, the method capitalizes on redundancy in the functions l relevant to responding to the set of initiators and in their related sequences and in the knowledge gained about how to think about and identify HFEs, UAs, and EFCs. It is the position of the ATHEANA development team that the method can be practically applied and that while completeness can never be assured, many important potential accident sequences will be identified over time; thereby, increasing the safety of the plant using the method.
| |
| Several potential " fixes" identified as a result of the analysis were noted during the demonstration.
| |
| . For example, the MLOCA scenario they developed led to an unexpected sequence of events that might lead to confusion when using the existing emergency procedures, and it appears that one of A.7-5 NUREG-1624, Draft
| |
| | |
| A.7 Findings and Recommendations from Demonstration the trainers will suggest a procedural change to avoid the potential difficulties. In addition, he has decided that it would be a good idea to include a version of this scenario in the training sequence next year. For this and related scenarios, one of the demonstration team members suggested that they stress the co dependence between the RCS wide-range pressure instrumentation and the sub-cooling indication during training and that the steps to perform the switchover to recirculation should be changed.
| |
| Another particular case involved possible evolution of the MLOCA scenario in which RCS pressure j has not yet dropped below 260 psig when the procedure reaches the point to consider long-term i cooling options. A transfer to the post - LOCA cooldown procedures leads the operators to a step that says the following:
| |
| Consult TSC [ Technical Support Center] to determine if RHR System should be placed in service.
| |
| Here responsibility for deciding between RHR cooling and cold leg recirculation cooling is given explicitly to the TSC. However, it was not clear that the TSC has ever considered such a sequence of events. One member of the TSC team felt that some planning, training, or guidance might be helpful considering the subtleties of the issue.
| |
| In the quantification of the SBO scenario, the demonstration team determined there was a lack of consistency in how various operators weighed the possible consequences of alternative paths of action, when faced with conflicting issues (i.e., an over-heating DG can fail (possibly in an unrecoverable way) when starved of cooling water, but securing the DG will remove the only available source of electric power). Faced with a trade-off between short-term and long-term consequences, the operators took different, reasoned views of the best path of action. All agreed that some study of the alternatives and the probability and consequences of alternative actions could be very helpful.
| |
| One team member noted two other specific benefits from having performed the analysis. He stated "I think we have given (the] Training [ Department] some new perspectives on training - why
| |
| ~
| |
| operators make errors, what errors are important, and [the impact] ofinformal rules." He also noted that the application of the method had created a much better working relationship between the training department and the PRA group, two organizations with significant safety-related responsibility.
| |
| A.7.1.4 Did the Users Suggest Improvements in the ATHEANA Process and Tools?
| |
| Many of the suggested impro'vements to ATHEANA, made by the users, are discussed above. In particular, the need for improved documentation tables (many changes were made in these tables as the demonstration proceeded) and clearer ties between the search process in the IG and the supporting tables in the FOR manual were cited. Other suggestions included the following:
| |
| NUREG-1624, Draft A.7-6
| |
| | |
| A.7 Findings and Recortmendations from Demonstration One team member suggested that the display of a poster-sized drawing showing an overview of the method and its steps would have been helpful to keep track of where you are in the process (and where one is going)(such a drawing was provided in the IG).
| |
| The ptocess and documentation should be computerized to make the application of ATHEANA more efficient.
| |
| "A quick reference guide" should be created that would allow analysts to bypass re!iance on the
| |
| , FOR manual and the IG.
| |
| The latter suggestion could be interpreted as another reflection of the desire of some of the team members to have a simpler method. While a quick reference guide may be a useful tool for stimulating memory during the application of the method, it is acknowledged that ATHEANA is not simple and that successful application of the method will take a willingness on the part of the team members to study and team how to use the method correctly.
| |
| A.7.2 Important Methodological Findings Obtained From Simulator Exercises A.7.2.1 The Importance of Crew Characterization During the process of the demonstration project, the ATHEANA development team leamed a great deal about the participating plant, its design, its procedures, and how its operators interact and perform their tasks, as well as how they are trained. In addition to monitoring the lengthy discussions among the ATHEANA analysis team, the group took advantage of the opportunity to observe a number of examination and training scenarios in the simulator in addition to the specially designed demonstration MLOCA scenario.
| |
| Perhaps the most important lesson leamed from observing plant crews in the simulator is that the rules for setting priorities in the selection ofinitiating events, functional failures, HFEs, UAs, and EFC must be heavily dependent on a characterization of the plant crews. As can be inferred from the following discussion of the findings from the demonstration, a key first step in future applications of ATHEANA will be an initial phase ofinquiry in which the analysts will characterize the plant crews. They need to identify characteristics of the operating practices at the plant that make some kinds of UA-EFC pairs more or less likely, then set priorities to bring forward the more likely failure paths. A key step in this process will be to observe crews in action in the simulator.
| |
| During conduct of the demonstration project the team found many things that make some UAs less likely in the participating plant's control room than at plants represented in the ATHEANA database.
| |
| Primary among these factors is teamwork. Other factors include confidence in procedures, the plant computer, and formal communications. Descriptions of these factors at the demonstration plant follow.
| |
| Teamwork. Plant policy and training attempt to ensure that there is no independent action by single members of the crew. At worst it is expected that if a person feels obliged to take such action, they A.7-7 NUREG-1624, Draft
| |
| | |
| A.7 Findings and Recommendations from Demonstration would announce exactly what they had done to other members of the team. Plant communication practices require that individuals ensure, by making eye contact, that their announcement has been heard and recognized.
| |
| For some months now, there has been a strong emphasis in the simulator to insist that all crews conduct what are called a before-at-going (BAGS). The crew is expected to pause at regular intervals, taking a break in the action to conduct a BAG. During the BAG they begin with before.
| |
| In the before segment, they talk over what has actually happened up to the current point in time. Are there things that occurred that not everyone has noticed? At this point it is important to question the entire event history, to question all assumptions, and to ask what else could be going on. In the at stage, they discuss exactly where they think they are and how all that has happened earlier is consistent with where they believe they are presently. Any discrepancies are investigated. This approach is a very good way to test the situation assessment of the crew. After this recapitulation, the crew is together; they all agree on where they've been, where they are, and that they have the right picture of the situation. In the going stage, they talk their way from the cmrent situation assessment to a discussion of what they expect to happen next in the plant. This provides a background from which to judge whether their actions are having the expected effects (i.e., a basis for testing their hypotheses).
| |
| There appears to be a learning curve for conducting successful BAGS. According to the trainers, it is only after a BAG has uncovered erroneous assumptions or actions that the crew really begins to believe in the process. At the time the ATHEANA team worked at the plant, many crews were beginning to conduct the BAGS almost automatically, while others seem to have trouble remembering to start the process and, once started, to conduct it carefully and thoroughly.
| |
| In addition to the BAG paradigm, which all crews are expected to carry out, some have additional processes to help ensure they act as a consolidated team. The Shin Manager of the crew in the ATHEANA demonstration simulation insisted on several additional practices. First is the "think-it, say-it" rule. The idea is that any member the crew who has some discomfort in what the team proposes to do has an obligation to "say it" (state their concern) to the other members of the crew.
| |
| In a way this is equivalent to the old adage that there are no " dumb" questions. No one is chastised for saying something stupid, incorrect, or revealing a weakness in their knowledge. The concerns are placed on the table, everyone discusses them, and the crew moves forward together. Very.often something quite important is found in this way. While everyone else is moving rapidly along an agreed path, the one person feeling uncomfortable may have spotted a real problem.
| |
| The Shift Manager's second rule was that the crew will make no deviations from the written procedures unless all members of the team agree. In the session we observed, one member of the team was uncomfortable and Shift Manager would not move forward without that individual's positive statement of agreement. The Shin Manager had to ask several times if the person was in agreement and finally this person was able to articulate what bothered him. In the end, all agreed that he was right and the crew changed their course of action.
| |
| NUREG-1624, Draft A.7-8
| |
| | |
| A.7 Findings and Recommendations from Demonstration Confidence in procedures. All crews observed during the project, had developed a high degree of confidence in the plant emergency procedures. They have been convinced, through running many drills, that the procedures will keep them out of trouble. Even if the procedures cannot take the most direct path to success, they avoid the pitfalls that often trap other people.
| |
| Plant computer. The plant computer at the participating plant has unique capabilities and a flexible set ofdisplays. During the long construction period for the plant, operators worked with designers to develop the system that met their needs and desires. A great deal ofinformation can be easily accessed through the computer. First are the set of unusual alarms. Alarms are displayed in three tiers, red for the most important, then orange, then white. Alarms are stored in one position until they are acknowledged and then moved to another part of the screen. A great number of plant conditions that are not usually alarmed are in this set of displays. For example, if any pump is in the pull-to-lock position, then this is displayed as an alarm on the panel. Thus, a situation that is difficult to observe in many plants becomes difficult to ignore at this plant. One-line drawings of all important systems are available on the screen. On these, operators can call up representations of all the parameters-temperatures pressures, etc. There are displays where the operators can mimic strip-chart recorders with four on a single screen. Thus, for a particular accident, operators can select the parameters in which they are most interested, and display continuous adjacent output of those parameters.
| |
| Evemal communications. All operating crews are working at becoming consistent in using standard communication techniques. This is not yet perfect, but is improving. For example, all requests and orders are given to specific individuals by name and those individuals repeat back the instruction to the person who provided it by name as well. Strong emphasis is placed on ensuring that eye contact is made during these communications.
| |
| Changing prioritiesfor the search. Near the end of the demonstration project the ATHEANA development group began to integrate some of this information. It now appeared that the initial method for setting priorities among scenarios was very unlikely to elevate those scenarios leading to the greatest chance for core damage at the plant. The group tried to assemble a new list describing the kinds of scenarios that would be most troublesome. That list includes the following scenarios:
| |
| * Distraction or pressure that separates the team. Because of the strong team work and the emphasis on acting as a group, plant crews are unlikely to suffer the problems ofindependent action and poor (erroneous) communications observed in many historical events, unless some special aspects of plant conditions forces them to break out of the team mode.
| |
| * Temporarily suspend important actions. Similar to the first point, if parallel demands require the team to temporarily suspend or defer important actions, then continued distractions can make it likely that the actions are deferred longer than expected.
| |
| 1
| |
| * Force independent action (or distract others so that they concur without sufficient thought).
| |
| Again, it appears that special conditions and demands are needed that pressure the crew to modify its normal strong demand for careful and complete communications.
| |
| A.7-9 NUREG-1624, Draft
| |
| | |
| A.7 Findings and Recommendations from Demonstration
| |
| . Cognitively-demanding scenarios, something new and not previously analyzed. When an event sequence leaves the realm of well-analyzed, proceduralized, and understood plant behavior, operators are more vulnerable to developing a mind set that allows them to miss cues that would normally refocus the team.
| |
| Because of the intense teamwork at the plant and the trust in procedures, it appears that the class of sequences that have the best chance to create problems are those that disguise their safety significance for some time, so that the time to respond to prevent damage after the problem surfaces becomes quite short.
| |
| In summary, the monitoring of simulator exercises during the demonstration (both the standard i exercises and the one developed specifically using ATHEANA) led to the realization that a careful {
| |
| characterization of operating crews and general plant practices can be important to an efficient application of ATHEANA. Several other important uses of the simulator were also identified and ,
| |
| I they are described next.
| |
| A.7.2.2 Other Specific Uses of Simulator Exercises The simulator exercises were found to provide a substantial basis for the ATHEANA search process and quantification efforts. However, it is not the intention of the simulator exercises to provide quantitative data directly for the likelihood of the crew to fail on the basis of the event as modeled.
| |
| There are significant differences between the performance of the crews in simulator setting and in the plant. These include the effects of fatigue and shift cycles, the effect of surprise, the role of expectations shaped by other plant activities and so on. However, the simulator does provide a useful environment for exploring specific characteristics of events that are important in shaping the performance of crews and assisting in the judgments that underlie the search processes and the quantification process.
| |
| The particular roles fulfilled by use of these exercises in ATHEANA are as follows:
| |
| * a focused opportunity to discuss with teams of operators and other training staff what are the important characteristics of the context used in the exercise; a an opportunity to observe the styles of teamwork and problem-solving for operating crews;
| |
| * an ability to test the extent to which the context appears to be " error-forcing," either as modeled in the exercise or with additional elements as discussed with the operators and trainers; and
| |
| + an opportunity to evaluate the potential failure probability of the crew in the context of the event as modeled.
| |
| Each of these roles is further discussed below.
| |
| NUREG-1624, Draft A.7-10
| |
| | |
| A.7 Findings and Recommendations from Demonstration As well as the inputs provided by operations trainers during the brain-storming of the search process, the walk-through of scenarios in a simulator setting can provide an excellent opportunity to obtain inputs from personnel who are extremely familiar with the plant systems. While it was not done in l the demonstration, the opportunity exists to stop the simulator at key points in the scenario and ask questions about what the operators believe is happening and what they expect to see next. They can be asked questions about what effect different kinds ofinformation displays may have, why some information may be discarded, and why they may chose to deviate from a procedure or plant practice.
| |
| These discussions provide insight into how the operators' collective situation assessment and decision-making processes work in the context of the scenario. This insight can be used to better refine the context to make it more " error forcing" or to provide information about additional ways in which the failures of concem could occur. In the case of the demonstration plant, the continuing discussion among the crew members provided a centinuing source ofinformation about the scenario.
| |
| In particular, the operating crews are tra:aed to carry out a periodic BAG review of the symptoms end actions taken. During the exercise, the crew performed several of these discussions. The l ATHEANA team was able to get useful information on the diagnostic process from overhearing these BAGS. However in other cases where a crew does not provide such an on-going narrative of the event analysis, stopping the simulator for periodic reviews may be helpful.
| |
| It is recognized in the ATHEANA process that the styles ofgroup working and problem-solving can vary between crews and between difTerent plants. For example, some facilities give more emphasis on strict compliance with each step of the early emergency procedures. Such compliance has the considerable merit of systematically addressing each potential problem in turn. However, in highly dynamic events, it has the pow.ial for delaying responses or for some of the early dynamic characteristics to be overlooke i Therefore, for a plant that follows such a policy, a fast-paced event or an event with complex early dynamics is likely to be possibly more "enor forcing." However, for a plant where such strict adherence is not so much emphasized, events that may mislead operators to depart from the early procedures are perhaps more error-forcing. By observing the crew performance in the simulator, it is possible to obtain a view of the style of the crew to decide how a particular scenario might be more error forcing because of the style.
| |
| The simulator exercises can provide an ability to test the extent to which the context appears to be
| |
| " error-forcing," either as modeled in the exercise or with additional elements as discussed with the operators and trainers duiing the debriefing discussed earlier. By observing how crews transition through the decision-making points in the scenario, it is possible to detect from the discussions typically taking place between crew members where possible points of failure could exist. For example, a crew in a simulator may exhibit successful problem-solving at a critical point in a scenario that relied on a unique experience or some highly specialized knowledge (for example, how a particular sensor worked). In such cases, it may be judged that other crews may find such a scenario highly problematic, end thus the scenario may be considered error-forcing for most crews.
| |
| While it is strongly urged that simulators not be used as a direct source for data to quantify the likelil'ood of failures for a given context, the simulator can provide an opportunity to evaluate the potential failure probability of the crew. In other words, the behavior of the crew and the extent to which they found the context to be problematic can provide qualitative infonnation to helpjudge the A.7-l 1 NUREG-1624, Draft
| |
| | |
| A.7 Findings and Recommendations from Demonstration likelihood. For instance, if, dming an event, the crew found no hesitation in taking a UA and the event was accurately simulated within the limits of training simulator technology, this provides l
| |
| empirical evidence to support selection of a comparatively high-failure probability.
| |
| In conclusion, while the use of simulator exercises in ATHEANA are considered to be a support to the search process and the quantification steps, they can help add robustness and insight to deciding to what degree a particular context can be considered to be error-forcing. They can provide additional information as to what possible additional elements might be needed to make the context more difficult. Finally, the insights gained can help in making the judgments concerning the probabilities l of failures more robust.
| |
| i NUREG-1624. Draft A.7 12
| |
| | |
| l Attachment A.1 Demonstration Participants A.I.1 ATIIEANA Demonstration Team Donnie Whitehead (team leader) - Sandia National Laboratories
| |
| - Ken Kiper, Joe Dalton, Steve Kessinger, and Ed Spader - Demonstration Plant A.1.2 ATHEANA Development Team
| |
| = Dennis Bicy - Buttonwood Consulting, Inc.
| |
| * Susan Cooper - Science Applications Intemational Corporation
| |
| = John Forester - Sandia National Laboratories a Alan Kolaczkowski- Science Applications International Corporation
| |
| * Ann Ramey-Smith - US Nuclear Regulatory Commission
| |
| * Catherine Thompson - US Nuclear Regulatory Commission
| |
| - John Wreathall - John Wreathall and Co.
| |
| Att. A.1-1 NUREG-1624, Dran
| |
| | |
| Attachmert A.2 Questio:naires Attachment A.2 Questin naires Used i.n the Demonstration A.2.1 Questionnaire for Initial Training The following questionnaire was supplied to individuals attending the initial training sessions immediately after completion of the training:
| |
| Feedback on ATHEANA Training Listed below are the general topics covered in the ATHEANA training workshop. For each topic please provide a rating on a scale of 1 to 5 (with I being poor and 5 being very good) regarding the adequacy / effectiveness of the training for that topic. Also, please provide any comments or suggestions for ways to improve the effectiveness of the training or the training materials for each topic. Should anything be added or deleted?
| |
| : 1. Introduction to ATHEANA Adequacy / Effectiveness of presentation materials (1 2 3 4 5)
| |
| Comments / Suggestions for Improvements:
| |
| : 2. Why we care: the characteristics of serious accidents Adequacy / Effectiveness of presentation materials (1 2 3 4 5)
| |
| Comments / Suggestions for Improvements:
| |
| Att. A.2-1 NUREG-1624, Draft
| |
| | |
| Attachment A.2 Questionnaires Feedbackon ATHEANATraining (Continued)
| |
| : 3. Principles of ATHEANA Asanary/ Effectiveness of presentation materials (1 2 3 4 5)
| |
| Comments / Suggestions for Improvements:
| |
| : 4. Retrospective analysis of 1993, Loss of Main Feedwater event.
| |
| Adequacy / Effectiveness of presentation materials (1 2 3 4 5)
| |
| Comments / Suggestions for Improvements:
| |
| : 5. Concept of Behavioral and Cognitive Science Relevant to ATHEANA Adequacy / Effectiveness of presentation materials (1 2 3 4 5)
| |
| Comments / Suggestions for Improvements:
| |
| NUREG-1624, Draft Att. A.2-2
| |
| | |
| Attachment A.2 Questionnaires Feedback on ATHEANA Training (Continued)
| |
| : 6. The ATHEANA Process Adequacy / Effectiveness of presentation materials (1 2 3 4 5)
| |
| Comments / Suggestions for hnprovements:
| |
| 2 Att. A.1-3 NUREG-1624, Draft
| |
| | |
| Attachment A.2 Questionnaires A.2.2 Questionnaire Addressing Overall Training The following questionnaire was supplied to the demonstration team members at the completion of the demonstration. It addresses the team members opinions on the initial training and on the supplemental training provided for quantification:
| |
| Questionnaire for ATHEANA Demonstration Training
| |
| : 1. Recall that after the ATHEANA Training provided to you at the beginning of the demonstration, you were presented a questionnaire asking for your assessment of the adequacy / effectiveness of the training. Now, after working with the method over the last three months, do you have any additional suggestions for improvements to the original training materials? Please answer the questions below (if applicable) and then provide any suggested improvements or comments on the ATHEANA Training.
| |
| a) Did the ATHEANA Training adequately motivate the HRA team to perform the analysis?
| |
| Did you feel that the application process would be interesting and did you expect to find important safety related information about your plant and its operation?
| |
| b) It is assumed that the HRA team leader will have read the Frame-of-Reference (FOR) manual and the Implementation Guideline (IG) before trying to apply the method. Do you think that the ATHEANA Training helps the team leader in understanding how to direct the team?
| |
| How would you improve this aspect of the training.
| |
| c) Was the actual application of the method what you expected on the basis of the training information?
| |
| d) In retrospect, were there any aspects of the initial training that led to confusion later?
| |
| NUREG-1624, Draft Att. A.2-4
| |
| | |
| Attachment A.2 Questionnaires Training (Continued) e) Were there any critical aspects of the methodology that you feel should have been covered better or more extensively. For example, were there times during the application that you thought the " search process" should have been covered better during training.
| |
| f) How much of the FOR manual did you read before participning in the training?
| |
| Circle one: All ofit Most ofit Some ofit Very little ofit None g) How much of the FOR manual had you read by the end of the demonstration?
| |
| Circleone: Allofit Most ofit Some ofit Very little ofit None h) How much of the IG did you read before participating in the training?
| |
| Circle one: All ofit Most ofit Some ofit Very little ofit None i) How much of the FOR manual had you read by the end of the demonstration?
| |
| Circle one: All ofit Most ofit Some ofit Verylittle ofit None Att. A.2-5 NUREG-1624, Draft
| |
| | |
| Attachment A.2 Questionnaires Quantification Training
| |
| : 2. During the last demonstration meeting held at the plant the week of November 3,1997, more detailed training on tiie quantification process was presented. Listed below are the general topics covered in the ATHEANA quantification training. For each topic, please provide a rating regarding the adequacy / effectiveness of the training for that topic. Also, please provide any comments or suggestions for ways to improve the effectiveness of the training or the training materials for each topic. Should anything be added or deleted?
| |
| : a. Introduction to the ATHEANA quantification process Adequaev/ Effectiveness of presentation materials Circle one: Very effective Effective Somewhat Effective Not Very Effrtive CompletelyIneffective Comments / Suggestions for Improvements:
| |
| : b. Description of the ATHEANA quantification process Adequacy / Effectiveness of presentation materials Circle one: Very effective Effective Somewhat Effective Not Very Effective Completely Ineffective Comments / Suggestions for Improvements:
| |
| NUREG-1624, Draft Att. A.2-6
| |
| | |
| Attachaient A.2 Questionnaires Quantification Training (continued)
| |
| : c. Description of the approach for assessing the conditional probability of a UA given the EFCs (of particular interest is the description of the process for assessing the influence of PSFs) 1 Adeanaev/ Effectiveness of presentation materials Circle one: Very effective Effective Somewhat Effective Not Very Effective Completely Ineffective Comments / Suggestions for Improvements:
| |
| : d. Description of the scenarios and events to be quantified (presented as quantification examples). Please note in the comments section below how useful or helpful this presentation was in terms of understanding how the quantification was to proceed.
| |
| Adequaev/ Effectiveness of presentation materials Circle one: Very effective Effective Somewhat Effective Not Very EfTective Completely Ineffective Comments / Suggestions for Improvements:
| |
| 1 Art. A.2-7 NUREG-1624, Draft 1
| |
| i
| |
| | |
| Attachment A.2 Questionnaires A.2.3 Questionnaire Addressing the Implementation Guideline The following questionnaire w :s supplied to the demonstration team members at the completion of the demonstration. It addresses their opinions on the Implementation Guideline:
| |
| Questionnaire for ATHEANA Demonstration Implementation Guideline (IG)
| |
| : 1. The goal of the IG is to provide step-by-step instruction for applying ATHEANA, while providing at least abbreviated background information on the principles underlying the method. ;
| |
| If you have read the IG or any of the sections discussed below, please answer the questions below when applicable.
| |
| a) Sections I and 2 provide an introduction and overview of ATHEANA.
| |
| I If you have read the comparable information in the FOR manual, do you think the information in these sections is adequate? Please discuss any problems or shortcomings you identified in this section and make any recommendations for improvements. Were any pans of these chapters panicularly helpful?
| |
| l If you have not read the FOR manual, do you think the information in these sections is adequate? Do you think it would be beneficial to strengthen these sections even though additional detail is provided in the FOR manual. Please discuss any problems or l
| |
| shortcomings you identified in. this section and make any recommendations for improvements.
| |
| NUREG-1624, Draft Att. A.2-8
| |
| | |
| }
| |
| Attachneemt A.2 Questionnaires Implementation Guideline (IG) (continued)
| |
| ! b) Section 3 of the IG describes how to perfonn the search for HFEs, UAs, and EFCs. Please provide a rating for the effectiveness / usability of this section and a separate rating for the effectiveness / usability of the search documentation tables (Exhibits C.1 - C.6).
| |
| Ffrectiveness/neability of section Circle one: Very effective Effective Somewhat Effective No; Very Efrective Completely Ineffective Comments / Recommendations (Also, please indicate which parts of the search process section were particularly effective or particularly ineffective.)
| |
| Fffectiveneu/nenhility of search documentation tables Circle one: Very effective Effective Somewhat Effective Not Very Effective Completely Ineffective Comments / Recommendations (Also, please indicate which parts of the tables were either particularly effective or ineffective.)
| |
| Att. A.2-9 NUREG-1624, Draft
| |
| | |
| Attachment A.2 Questionnaires Implementation Guideline (IG) (continued) c) Section 4 of the IG describes how to quantify HFEs and EFCs. Please provide a rating for the effectiveness / usability of this section and then discuss any problems or shortcomings you identified in this section and make any recommendations for improvements.
| |
| Effectiveness / usability of auantification sect!gn Circle one: Very effective Effective Somewhat Effective Not Very Effective Completely Ineffective Comments / Recommendations (Also, please indicate which parts of the section were either particularly effective or ineffective.)
| |
| i d) Section 5 of the IG discusses how to incorporate HFEs into the PRA model. Please provide a rating for the effectiveness / usability of this section and then discuss any problems or shortcomings you identified in this section and make any recommendations for improvements.
| |
| Effectiveness /mability of PRA Integration, Chapter Circle one: Very effective Effective Somewhat Effective Not Very Effective Completely Ineffective ,
| |
| Comments / Recommendations (Also, please indicate which parts of the section were either particularly effective or ineffective.)
| |
| NUREG-1624, Draft Art. A.2-10
| |
| | |
| Att:chmmt A.2 QIestionaires A.2.4 Questionnaire Addressing the Frame-of-Reference Manual The following questionnaire was supplied to the demonstration team members at the completion of the demonstration. It addresses their opinions on the Frame-of-Reference (FOR) manual:
| |
| Questionnaire for ATHEANA Demonstration FOR Manual
| |
| : 1. The FOR manual is intended to be a technical basis document for the IG. That is, it is supposed to provide background and supportive information for understanding the basis and intent of the method and how to apply it. If you have read the FOR manual or any the sections discussed below, please answer the following questions when applicable.
| |
| a) Part 1 of the FOR manual provides a discussion of the principles and concepts underlying ATHEANA. Please discuss any problems or shortcomings you identified in this section and make any recommendations for improvements. Also, please identify any sections of Part I that were particularly helpful.
| |
| b) Part 2 of the FOR manual discusses a model of human information processing that is intended to provide structure for thinking about human enors and their causes. Please discuss any problems or shortcomings you identified in this section and make any recommendations for improvements. Also, please identify any sections of Part 2 that were particularly helpful.
| |
| c) Part 3 of the FOR manual provides specific aids for applying ATHEANA. In particular, Section 8 provides tables to assist analysts in the application of the method. Please discuss any problems or shortcomings you've identified in this section and make any recommendations for improvements. Also, please identify any sections of Part 3 that were particularly helpful.
| |
| Att. A.2-Il NUREG-1624, Draft u
| |
| | |
| Attachment A.2 QuestionIires Frame-of-Reference (FOR) Manual (continued) d) Please provide a rating for the overall usefulness of the FOR manual in applying the ATHEAHA method.
| |
| 1 Circle one: Very useful Useful Somewhat Useful Of little use Of no use e) Do you think that it would be more effective to have some of the information that is contained in the FOR manual included in the IG. If so, what parts.
| |
| 1.2.5 Questionnaire Addressing the ATHEANA Method and Process The following questionnaire was supplied to the demonstration team members at the completion cf the demonstration. It addresses their opinions on the ATHEANA method and process, regardless of whether or not they had read all of the ATHEANA documentation:
| |
| l l
| |
| Questionnaire for ATHEANA Demonstration l ATHEANA Method and Process
| |
| : 1. Over the past few months you have been presented the basic principles and concepts underlying ATHEANA and have participated in the application of the method. Do you feel that the method is a useful tool for identifying demanding scenarios involving potential human EOCs? Please discuss any problems or shortcomings you've identified in the method and make any recommendations forimprovements.
| |
| : 2. Please describe any changes in plant operator practices, procedures, or training that could result from conducting the ATHEANA demonstration at your plant.
| |
| NUREG-1624, Draft Att. A.2-12
| |
| | |
| Attachment A.2 Questionaalres ATHEANA Method and Process (Continued)
| |
| : 3. Even ifno explicit changes will result from the demonstration ofATHEANA at the plant, do you feel that the method can be used in a useful and effective manner in your plant to facilitate the identification of potentially important problems in operator practices, procedures, and training?
| |
| Please discuss any problems or shortcomings with the method that you feel might limit its useability in your plant and make any recommendations for improvements.
| |
| : 4. Were there any parts of the method that you felt were cumbersome or difficult to understand?
| |
| : 5. How would you compare the ATHEANA method and process with previous HRA methods that you have used with respect to the following activities:
| |
| : a. the ability to realistically represent operator performance?
| |
| : b. the ability to represent operational concerns ofplant stafTl
| |
| : c. the ability to represent the staffs knowledge and understanding of plant operator / crew performance?
| |
| Att. A.2-13 NUREG-1624, Draft
| |
| | |
| Attachuneet A.2 Questionnaires Specific Aspects of ATHEANA
| |
| : 6. The model of human information processing used in ATHEANA is intended to provide structure for thinking about human enors and their causes. Did you feel that the model was useful to you in thinking about human errors and their causes? Please discuss any problems or shortcomings
| |
| [. you identified in the usefulness of the model and make any recommendations for improvements.
| |
| l
| |
| : 7. ATHEANA provides a process for searching for HFEs, UAs, and EFCs. It also provides tables for documenting the results of the search (Exhibits C.1 - C.6). Please provide a rating for the effectiveness / usability of this process and a separate rating for the effectiveness / usability of the search documentation tables (Exhibits C.1 - C.6).
| |
| Effectiveness /nuhility of search process-Circle one: Very effective Effective Somewhat Effective Not Very Efrective ' Completely Ineffective Comments / Recommendations (Also, please indicate which parts of the search process were i either particularly effective or ineffective.)
| |
| NUREG-1624, Draft Att. A.2-14
| |
| | |
| !- Attachment A.2 Questionnaires l Specific Aspects of ATHEANA (continued)
| |
| : 8. The ATHEANA quantification process describes how to quantify HFEs and EFCs. Please provide a rating for the effectiveness / usability of the quantification approach and then discuss
| |
| ( any problems or shortcomings you've identified with the approach and make any i recommendations for improvements.
| |
| ! Effectiveness / usability of search process:
| |
| Circle one: Very effective Effective Somewhat Effective l Not Very Effective Completely Ineffective Comments / Recommendations (Also, please indicate which parts of the quantification approach were either particularly effective or ineffective.)
| |
| l
| |
| : 9. How would you compare the results obtained with ATHEANA to those obtained with other HRA methods with respect to:
| |
| : a. credibility?
| |
| l l
| |
| l l b. enhancements to PRA?
| |
| 1 1
| |
| : c. usefulness in risk management?
| |
| l
| |
| : d. usefulness in identifying potential " plant" fixes or improvements to facilitate operator performance?
| |
| Att. A.2-15 NUREG-1624, Draft
| |
| | |
| Attachment A.3 ATHEANA Demonstration Documentation Tables i
| |
| 1 l
| |
| 1 i
| |
| l i
| |
| l I
| |
| i i
| |
| I i
| |
| I NUREG-1624, Draft
| |
| | |
| _ >E ,I " ( fs gg yg*
| |
| d 6
| |
| e I
| |
| f i
| |
| n e
| |
| n ed ht, na _
| |
| D n-
| |
| _ W# t e"
| |
| n*
| |
| i* F v
| |
| . e, smC, ur.
| |
| e r d o
| |
| s .
| |
| Wd F e e
| |
| b veted l
| |
| s nc c ,es EF . d mF'I' F
| |
| i s
| |
| n ws pl eorarew Ph eyoo si l s.
| |
| e Y D n
| |
| e p
| |
| e lu i
| |
| _fa r
| |
| s e
| |
| Y f
| |
| I od e nee el nB s
| |
| s e e e
| |
| ? i e i s s D lts w s l C u Fgto
| |
| _ l e e s s e . - s T
| |
| s s. e y rD e e Y
| |
| t E C' I Y Y n
| |
| e e c s v o s t
| |
| a n .
| |
| e a a l u e s
| |
| _ E d t
| |
| i e
| |
| t e
| |
| h s i
| |
| m h c
| |
| p h
| |
| c ' un r
| |
| e g
| |
| :s. i t e u mr n r o d Te S nfa
| |
| _ e n e p u u s e s a i f
| |
| l t
| |
| u t o ua t e
| |
| t s g n
| |
| m o s an c d e
| |
| h e e n p r
| |
| o p
| |
| s e c d m a c t c
| |
| e Wio s
| |
| r ? s og i
| |
| l m p ki s ah t
| |
| o n
| |
| e e
| |
| inw) d l
| |
| u p Rv m toTS m
| |
| _ r i
| |
| r o s s t u t a
| |
| o a e . ol e
| |
| fo s y w e t, n a ) ot s r o oc pW co nran t z ty gd n c As la n la isl i d n a s lod o n r u m ka b i
| |
| olo e e mkn e f i s s rk . Cm r n, si o u eRe k ol v i h
| |
| _ t e a t
| |
| s c r s kay o n Oe LN t, t i
| |
| d 5
| |
| 2 t
| |
| s ep r r n oo iqu w sl se s ei eh e
| |
| ea r oi s
| |
| r s S or l
| |
| dn evge a r
| |
| e c at mpvo hpmhtn c oen b o b ac e r e e un U por t
| |
| 1 asr uv r d f p i r
| |
| pr oer ikd e p r beo n cl a l e
| |
| s
| |
| /
| |
| a s
| |
| r c
| |
| nue r
| |
| eh p
| |
| o9 s
| |
| n o
| |
| ce c l oT ikmell oswi e ces r
| |
| oe t c u ru o
| |
| d re no t r r noe e taid ac s , fo o es alu isk c a s g imess n o uMoc
| |
| _ i p hwr s me en nr t
| |
| i m.
| |
| s a t r c e it c mS uW i ampn s o mo hs os r e uew lt ui t d r o n hu m en a t r dfM o h e s pa r un e r o on s el aule1: p )
| |
| o C ia sp na ua .la ds nnu laR k t upw ns e zd or c s u i pt tael n
| |
| gi h
| |
| s np s r u ceAe u (usre i r a r t oon ruw c o er ed is ep sG .o m e e r t o
| |
| a w sh P o st i i a et k a Ans r e isS s r sic nCa k t
| |
| y a
| |
| er c e c g det nl uutam a l il c
| |
| e n r o l aae 6 eTR r
| |
| Cuet o ka er Ap Coe est r
| |
| ed ie er r
| |
| ut o a ereoE c( m d ur ecc r - p os r eht e s, f s a b o w s a c ui oceec one t o o . -
| |
| t Dh l t e r e b h Ds I u dv 3a u
| |
| .li s r eep n c o o el up
| |
| * or f i P w Mc Aa (e q r a y N Nb r
| |
| P r r Ao 2f I wc f I P o C f
| |
| i t o n
| |
| e D.
| |
| t s
| |
| C 1 o n hr no _
| |
| d I o a s
| |
| f yr 6i t t t isda g. - la o r 4 u t
| |
| i e
| |
| m o.
| |
| hs r r
| |
| h nohn o inic c
| |
| r d T t
| |
| s s u 2 ce o e
| |
| s F a Ah o - sc Mre U
| |
| n i
| |
| o ?
| |
| y S t r
| |
| _ a e a W T
| |
| a m A m i r H e e
| |
| fo t
| |
| e S I
| |
| n l F
| |
| e e
| |
| n e.
| |
| n e
| |
| n e
| |
| n o o o o
| |
| : f. N N N N e
| |
| n i
| |
| o t e c
| |
| a ' u t
| |
| s e
| |
| "?
| |
| " se y
| |
| d i
| |
| n o
| |
| e
| |
| * e t m 'gu s u
| |
| c e r
| |
| oS o
| |
| o F r sW r
| |
| eT D r ce pA o g r
| |
| 1 le e
| |
| on fi .
| |
| " a t
| |
| e w le 3- lbll o b t
| |
| t C' l isf o is s
| |
| o o
| |
| s oE o P A. PI N N A
| |
| l e y )
| |
| b c a w o
| |
| c e e 7L 4- 4 2-T- g e Ey 6 re E
| |
| 3 E
| |
| 5 E
| |
| 4 r 0 6 1 F 6. V 2( 2 4 1
| |
| )
| |
| )
| |
| )
| |
| e A A n C C i
| |
| s e O O i
| |
| p As)s i
| |
| v AL Am) u A Ll r
| |
| c CeA Ceg cia Cl a s
| |
| e cC Ora OdeC Om D
| |
| (
| |
| OxO L
| |
| E(LE L
| |
| L( l L
| |
| M(MO L L
| |
| S( S _
| |
| pp >y..- P 2g ]4gygg:
| |
| | |
| jl iI l i p*'> 9lu gg s3gs e
| |
| d ?
| |
| ir '
| |
| W"tee" l e'
| |
| m == F ''
| |
| P R'
| |
| s ?
| |
| e ,
| |
| T t
| |
| e r
| |
| TgD gw C
| |
| s e
| |
| Y n
| |
| e v d E e r
| |
| o l
| |
| u o
| |
| d m, r
| |
| e . c n w .s a s e
| |
| c s
| |
| n lo s
| |
| ^
| |
| . i h
| |
| t, sr n e
| |
| i t
| |
| o d a e r n o w u c e c lu o t
| |
| a .
| |
| q e
| |
| s f
| |
| a o
| |
| e n
| |
| n
| |
| :_te s r ia f ?
| |
| e s
| |
| p 7
| |
| W itr e
| |
| i n s e t
| |
| o la r m F s
| |
| n t
| |
| i a a. c o t o h t, s n e u u p E i 4fp l, i s lia y u e r ny I e e l ,
| |
| s t
| |
| is r
| |
| e e s ua . p m
| |
| f la g
| |
| n a v v e tn f s nd lef t le r
| |
| i m e l,
| |
| e m
| |
| f o n e .
| |
| d e d e edl e u p S e ig r
| |
| a s t
| |
| e m
| |
| e n
| |
| m s n =_
| |
| g r i
| |
| t
| |
| . n n . nk a o no a r R P h o s r . u nt ot cot a s- c H C .c t a ht i
| |
| o C t n
| |
| o e n d ie c
| |
| n an ntiseir e-R R Aev r e
| |
| p i
| |
| w r c is s iac iaupt e y y Cah o n lc le s P s e
| |
| s on cw a ms pee r mrufof ssI s a a t i
| |
| Dt I o n i o
| |
| r m
| |
| e d s e s l l l l n a to a e e rs oe opr
| |
| - t s
| |
| t s
| |
| l a y w b o
| |
| p ne k ep o o ma o a y B fs fI o l
| |
| f I d e
| |
| M M SM H P r
| |
| y iI f
| |
| i t
| |
| n e D g n
| |
| g a
| |
| d C s m o o o . i I I .o t r A t
| |
| A t rA o o o rC t '
| |
| aC t "
| |
| e.
| |
| a l aC t t t g iO l
| |
| liO r o
| |
| r o
| |
| d u n imL mL imO il J
| |
| h h e
| |
| s l
| |
| : m. SM iM S SS S S U
| |
| n k i
| |
| o r, le a
| |
| r t e n
| |
| e e
| |
| : r. be p .
| |
| : m. usnge t
| |
| r . aon a fo l
| |
| : t. elar v ge a
| |
| n . e h e u t
| |
| s s
| |
| I n lat h n i o
| |
| : o. o e e f o N Y Y o N Dim n N N n
| |
| i o e r
| |
| t u t
| |
| a ?
| |
| l ia d f f
| |
| h n o se y r
| |
| f s it wce o n C. x.
| |
| e i r C
| |
| s e e u P a.
| |
| s e y
| |
| ru Vsf t s n d e Oo c -
| |
| - r g
| |
| e lc l
| |
| a l i
| |
| fa Meru r
| |
| o t
| |
| a id yn it a
| |
| : e. '- F t o e el r D - ec r n c . ni a e p a l t na n od s-t n .
| |
| of o e u is :. n- f
| |
| : 1. . ale b, y . e p mnu m 3.
| |
| l le l
| |
| ek c le o i le goe .md 8 oo
| |
| = te b IAe^ b d ,V. b ish nCRc t
| |
| t c is t c h
| |
| i~
| |
| s s
| |
| l u
| |
| o1 O s o s e
| |
| s e
| |
| o s
| |
| of o C
| |
| M oo Y Y A. P No P _ P c - -
| |
| A l
| |
| e y ) ) )
| |
| b
| |
| * e a *
| |
| '- gu e
| |
| s 2- 4Im 4Im 4Im ) )
| |
| T E y E y Ey h 1 h
| |
| * F e
| |
| r E
| |
| 4 8
| |
| 6 re
| |
| : 2. V 3(
| |
| 8 re 5.
| |
| 5(
| |
| V 8 e 5.
| |
| 5(
| |
| V r
| |
| 8 2.
| |
| 3(
| |
| ig -
| |
| H-3 ig 1
| |
| J(H 2
| |
| ) p
| |
| )
| |
| s e .R R m) e r gH gH o eu uA r) r
| |
| 't p r p inR inR PC / se le ne) wng
| |
| / s
| |
| - c c - r o u a - n otnD
| |
| ) )
| |
| u r
| |
| t fAiser o e a fAo nerse Pc taI wn ba 2 n e i r
| |
| a RmraR ae e r t eCc elv lu r i u Calok l
| |
| T pd in e lia f pdl Te nb S eCtSVF v ial e a Xino VI nDea r
| |
| i e D GtS e u IVI t
| |
| nOjaia InVF t cl RL(CS Roe XrTo v R( CA R(Too CC
| |
| ( S(GT (L (I a
| |
| . > I* >Ifu p.$a .
| |
| . 932 .
| |
| l
| |
| | |
| _ w''n se b "
| |
| 8" s
| |
| o p
| |
| i* s s e sR
| |
| - r o R
| |
| * d s ' a ?
| |
| e '8 l e D e " s C r S' ' o T ' F C a t t
| |
| a e
| |
| v E l a
| |
| l a
| |
| l a
| |
| l a
| |
| u u u u ) )
| |
| d n n n n h ns h c a a a a n r rs is e ef r r is e ef c m s
| |
| m s
| |
| m s
| |
| m s
| |
| c n o!w! ) c n wly o o ol e e e e .
| |
| cTj e .
| |
| cTj e m da ir u
| |
| r i
| |
| u i
| |
| r u
| |
| i r
| |
| u d
| |
| e f g ,.
| |
| d le f g ,.
| |
| q q q q on g on g t
| |
| n e n e n e n e lia .
| |
| ia ah o (e i
| |
| a o r o r o r o r f s
| |
| al e io (e f e
| |
| r o s s i
| |
| t x
| |
| Ms it a
| |
| r r
| |
| e w
| |
| o i
| |
| ta r
| |
| r e
| |
| w t
| |
| a r
| |
| i r e
| |
| w t
| |
| a r
| |
| i r
| |
| e w
| |
| p m
| |
| aCr y o p
| |
| m r o s aCr o y
| |
| I t
| |
| i l t b
| |
| h t o bi to b
| |
| i to u p letot ca u p letot ca e W a g a s la g la g k af i k af z
| |
| c r m c
| |
| r m c
| |
| r m r c f i
| |
| l e S la f
| |
| i h el a lm y t
| |
| s y t s S t e
| |
| omne l
| |
| lo e omne t
| |
| i t te o i lo te t o r r o o o o e mo t t t t t
| |
| _ d m c m c m c m c s o m mmn o v r m
| |
| _ o C is n t o i s
| |
| n t o i s
| |
| n t o i s
| |
| n o c sf p c sf p n mc r t
| |
| e h o e h or i
| |
| r a r
| |
| r e a r
| |
| r e a r e a r
| |
| r e
| |
| r t i r mc uivi t P t e
| |
| v ono t
| |
| e v
| |
| o n tr e
| |
| v ono t
| |
| e v
| |
| o n o
| |
| n u i v pwn o n pwn r r o r r o t f SE fo SE
| |
| _ d u hit e h t i
| |
| u hi c t u hi c t s o o ts o
| |
| _ i s s tc a s tc a s a s a F - - F - -
| |
| i u s i u s t iu s it u n
| |
| _ c e r wtc e r w tt e r wtc e r wt c l m C h C
| |
| _ y P S a P S a P S a P S a A C A C f
| |
| i t
| |
| s D l l l l l a
| |
| e a
| |
| e a
| |
| e a a l
| |
| a C e e e d S S S S S S I e o o o o o t t to t t t s r r r r r r t l aA laA laA l aA iaA l laA iC C C iC C i C d
| |
| e im)
| |
| SI I im iO SL imO SL i iO SL m iOm imO s SL SL U
| |
| n i
| |
| o ?
| |
| t x
| |
| m r
| |
| g f
| |
| o ,
| |
| I x
| |
| o o o o o f o o N N N N N N a
| |
| i o
| |
| t t
| |
| : es a?
| |
| e y m r c n c
| |
| m n e I u c s q r e c
| |
| o tor a F D r r e o t f
| |
| t f
| |
| t f
| |
| t f
| |
| t f
| |
| L f
| |
| pt o o o o o o 1
| |
| Oi a t m n r m n r
| |
| n r
| |
| n r
| |
| 3- n in t u t u t u t u t u u t
| |
| aI t
| |
| t C d lu d d d d ld lu l
| |
| lu lu s s s s u s. s u A- Y e
| |
| C o
| |
| Y e
| |
| C o
| |
| Y e
| |
| C o
| |
| Y e
| |
| C o
| |
| Y e
| |
| C o
| |
| Y e
| |
| C o
| |
| A l
| |
| e y b e e c ivs e T ta uq 4 4 3
| |
| - 3 7 7
| |
| le e E E E e E E Rr 0 8 6 6 4 8 F 0 1 8 8 0 0 3 3 9 9 5 5
| |
| ) n n e i n ag n n m n n ia ia i
| |
| r o a r r e a t t a i
| |
| a m Tr yn a c r r oitp T e d m Tyn h tn ia r r h tnr tai f c - a ng TeOl o r e n )g a rn e)g T et f ic e T eieTet wuiq feTc f c f a f f c B oiwuqf ic it in sce r Ao iv)
| |
| Ws s er re n al mr Boi v e Ws S s et r
| |
| r eCe o r Aonpm Cs s r o
| |
| Bompm Cs i s r o
| |
| Ws Aov 5 s r r e o vr re e e s s e i )
| |
| v Ws r r e o r v) s ete s s e e r
| |
| n o CeP ml oo cop mlo S o ImS ta e c ooo w
| |
| I w nS ad oo oS tabu e sS ta 5 LoS ab usS e ta D( 1 L ( AWOCT I L I( BWaT I LdACC IL t( BCC 2
| |
| L l t AWSt BW 2 L ( CWSL AW yp yy 2hmO =h C a2 s
| |
| | |
| >! .g* $5* ,gg* yas 4
| |
| e wf "
| |
| wat c
| |
| isa*
| |
| u**
| |
| a l
| |
| P m.
| |
| m PI" r
| |
| s ?
| |
| e ** D e
| |
| r
| |
| * 7' , ,o C ,
| |
| T '",gt t
| |
| ne y ly g v li i n E r a
| |
| s r
| |
| a s
| |
| ir u
| |
| s s d d e e d n c e
| |
| c e t e
| |
| c d
| |
| e a n n . e p
| |
| t c r e
| |
| r e
| |
| s . t .
| |
| t o 6 x e p h ht r y d o d n s e o
| |
| e le n s
| |
| le s u s x
| |
| e to o -
| |
| t ia s ia s B s h ht a ma f o f o f m r
| |
| tr i i s l s p
| |
| l o a .mr w w -
| |
| t a p e ee s lae a d d s
| |
| i n f. m u I am m u E m
| |
| l o f d la oof ie it e
| |
| nmo t
| |
| I p p n f f .
| |
| s.
| |
| e f s f s a or n i
| |
| s i
| |
| s i o.
| |
| i ht isla o m.
| |
| z w
| |
| j o j i
| |
| s l .
| |
| m l
| |
| s ecus s i
| |
| s lyly
| |
| .h t 't i -
| |
| lyly r n . t n 5 le s b er e.
| |
| r o r i aw a r pt i re .
| |
| r ou o C - g n
| |
| ac e w g e t r
| |
| o papt uppn s
| |
| u s t
| |
| c r l s
| |
| t c
| |
| rl pi ru gs uv e lp n r tp pi a i
| |
| r . i n
| |
| r ex n ex p o s B e ef a
| |
| fe ef o o v e f e n n f s/ s s/
| |
| P v e ia ip ep s f
| |
| n ia o n o m Indi a f
| |
| e ur e ur r or uri a ao ca o r ht t t t e e s
| |
| c J. mMdTt ce t
| |
| s d o e c s J. o e s i"e r lt s l t m n m P .
| |
| m m P . r o
| |
| r a
| |
| s s b ni t b u
| |
| ni t a %
| |
| A S o O E
| |
| m l
| |
| A S o O E
| |
| w M l
| |
| A - - l e S u ai Ci n S Ciam y
| |
| f i
| |
| t n D l
| |
| a l
| |
| a gn gn gn gn e C e c ao no ogn no egn n a gn t o
| |
| d S S mgn t t t i t o t o o t Ioiu nes . l o 2me u . s l
| |
| me .
| |
| o d qe u s L
| |
| oiu nes .
| |
| t o e r
| |
| laA r
| |
| laA t
| |
| tr Jeqe r t
| |
| t qe
| |
| . se r t
| |
| t ne r t
| |
| tro d.. se ur qe de n iCm i
| |
| iOm C o nb ls u r o rb lu r o pb e ls u h rb li Sisfua i i iO h i haua h e ua s SL SL Siuasf S sf Sdsf U
| |
| n i
| |
| o y t r a
| |
| i .
| |
| n r m f
| |
| o t.
| |
| n i P
| |
| e o
| |
| I o
| |
| o o
| |
| o f o N N N N N N o
| |
| n i
| |
| o s u
| |
| s u
| |
| t b b a ' e e t
| |
| n " . g n
| |
| g a
| |
| e " y e
| |
| se h
| |
| o lt o
| |
| m u
| |
| " u v
| |
| r e
| |
| v r
| |
| e u 'a eg d n
| |
| d n
| |
| c
| |
| * r u u o = F g g D "Pto r f.
| |
| f o
| |
| f.
| |
| f o ir n i n
| |
| r u u I. otsa nr n
| |
| r d d
| |
| = i e u u le le .
| |
| 3- t .
| |
| = l t
| |
| b g b g d d n n t
| |
| t C . l u
| |
| lu isi isi .
| |
| s o s s t s t os o e o e o os Pt e N N A. Y C Y C Pt e A
| |
| l e y b ' e a *
| |
| '' ge n
| |
| e 7- 7- 3 3 3 3 T ' e E E 5
| |
| E 8
| |
| E 8
| |
| E 7
| |
| E 7
| |
| _ " r 5 9 9 3 3 3 3 F 3 4 4 4 4 3
| |
| ) n n in in n n ia h inyr ia h inyt r a a i
| |
| a ia r t t t TyninreweTme) aan t r Tyew t t ni ^ - aan r rla)
| |
| Ti t v rl Tit
| |
| )
| |
| a - Ti la r ).
| |
| rl Tar e
| |
| )
| |
| , r g u im s f a n r
| |
| -,Tme)
| |
| - n s 5 f n
| |
| - 6 Eof n - f n t
| |
| - fo nw t
| |
| *= f a n .
| |
| Bompmog pm Eoe oes
| |
| -_ fop S s s . s s . Cs ir o e Aompmeqf Csis r o oP rpme Csis r S
| |
| Us sP DeE As sP Bs Cs sP eo s
| |
| o Us sP cap mlob s s o mlo sf CmPml ooo L. o sf s o ml oo BoE C BeEC C DeEC
| |
| (
| |
| 2 L(tACCSt oouo BCC oo 2 L( BCCSt ACC I
| |
| L(AA t L l
| |
| ( BA L( ADL L( BD l 2E $ O*CE2 >Fyy*
| |
| ll
| |
| | |
| l -ljlIfl i I)jlljl ifilII)l(I]!)j ;ii\1I,l!llIl J
| |
| DUErj g y6 k $ ,M $ !r.F8 a . __
| |
| ht t ht e t e ic u u n yw lb i
| |
| e n ywi ba ko o o
| |
| o aP la k m#e t
| |
| n gt aP SCafv is li c g t.
| |
| n.
| |
| i m, S Cva f la c
| |
| i a " m qeL umsm, O A a. obe n J. sOAa e erob en t
| |
| is NP l
| |
| . e r e , ai s o .
| |
| _ r r t _lueiwct eL t
| |
| s ae _
| |
| e o s rs
| |
| .bd eei v s t
| |
| - ct s e - v s a e ua ca a ntot as i
| |
| P Y Csfh YCsfh ua optano s ot s ?
| |
| e D C
| |
| n M e s T F s s e
| |
| Y e
| |
| t Y n
| |
| e p p v _
| |
| E g m
| |
| u s.
| |
| ns m
| |
| u d lins, s e
| |
| p r
| |
| h se o
| |
| p o oknpe r m o n c kr phe n y ., n cra mh i..
| |
| i C a mtot e i m - t t s
| |
| Gd upec a t
| |
| Gd uo .s r fDngzL i
| |
| s -
| |
| s is pe o _
| |
| r ?
| |
| r Dngi irhp lo ht s e -. st .e l
| |
| o a fi g lt i nli y osiet a g
| |
| os mmem n si i .
| |
| t l wof s m i
| |
| t a i m
| |
| a e s et s sr o s s r t c o u puy es
| |
| , u is b 6
| |
| to
| |
| ;. .l f er o s s s s r a r o abetps y e - .y -o i f - l.b t. o ytao f l. o ua gC yoma n e et F
| |
| H gC y m m .
| |
| ~ t e
| |
| . Wno g~
| |
| I Ns s )m . n ust e n mei (eDl n rd s)n inh s u
| |
| e (eDlnr iainu a m l e te s
| |
| i s moe e o e nrlos od en o i
| |
| m, me r s o
| |
| niac t av r sm e o ooa ea o o t
| |
| i s m e, cr o i p f 3 a .
| |
| m, 3 ,a P k lufsr ehre r s r
| |
| p le t .
| |
| P. f r r s r c ir m r a S o lufshpr r
| |
| e e e e t s1 s r
| |
| a S o ets r e t
| |
| s1 r o f w o, e r h i OL . S e iad wot o g nro h o ia g loyo lo i .o o C i O f. da .w o 5 le ar t
| |
| lr e e r f 5':- s i m L y r m fa t
| |
| n c y ua t ao C c,.an p .
| |
| . c, ,
| |
| oCe- p n s .
| |
| r n r tae nl fa s
| |
| -_ d le e
| |
| ump u i
| |
| t .~,l Ci n o -
| |
| P o .
| |
| n e e qu ;4 PC i /c c. B ;x. O u m . g P (.A c bio u d r nD .
| |
| : e. I t
| |
| d . ef so et n x e u f ": o d e c e
| |
| ;y sos d .. Cro-t
| |
| .n t
| |
| o n i n
| |
| a e
| |
| r o
| |
| . pod ps en oiq L. tri sloerdu u Co r -
| |
| Ap o
| |
| n n
| |
| ia s
| |
| s e .--
| |
| b s
| |
| u
| |
| - n Ap f p a E T r
| |
| N S sl se f p I a IE T r
| |
| P r
| |
| 5 Sslo'.d -
| |
| i .
| |
| . I a y I f .
| |
| i t _
| |
| n D n e C t r
| |
| n t r
| |
| o o o o t t
| |
| d h gn gn I t o
| |
| seI me .
| |
| h s me u s.
| |
| t o e b -qe u s er be J..
| |
| y.re -
| |
| m rtiua
| |
| -.bl sa
| |
| - t .
| |
| i n r d l a a C A s.f l i
| |
| e C ?- ua sf s -
| |
| 1 U
| |
| n o i
| |
| o ?y n, t r s a o l
| |
| n i t
| |
| s m.
| |
| e s r H l
| |
| b e -
| |
| f o t e
| |
| ror pl u
| |
| i s ef ia I P lgl na o f i u N g Sd n
| |
| i o
| |
| t t
| |
| a e s
| |
| s ey .
| |
| n r e e es m se I u u sg r e c or o ta F D rr e
| |
| pt e
| |
| Oite 1 y 3- nn i le aI k h
| |
| t t C o
| |
| to A N N A
| |
| t e y h ee vse c it a ug 5 2-T l ee E El Rr 0 F 1 O.
| |
| l 1
| |
| ) r e e 6 e F
| |
| r c eit fS wf oo t p ei it r fNo oese e )m n
| |
| WfP oe e s )r ic nse 6 si t uts e P si S s sf as t
| |
| ute F s s al t ce e f
| |
| I D
| |
| (
| |
| S Lt( ObFS of ecusa y OofObW L t(
| |
| p
| |
| >p y6O s 2C g O $ % o o:
| |
| ll(lll lll' (ll'
| |
| | |
| Wo"o le g b n a p
| |
| s in e dn uqe. s
| |
| _ isR s
| |
| o R e
| |
| s
| |
| . e e ru ps i P e ebl Y Dsfu a l
| |
| . a d s a?
| |
| e 8 sD
| |
| 'e I
| |
| e n C r a o T
| |
| u Ct s F e t Y n
| |
| e v p E g m in g )
| |
| )
| |
| d ms, s u
| |
| p d i n (
| |
| s )
| |
| s f C
| |
| (
| |
| s e s
| |
| n lo e e p t n V e s C t
| |
| n u o kn pe r n ; e si P e o a c r mh te e p ,t e
| |
| s v
| |
| e De e SlvR r v e
| |
| h p .p s p o Gad up toa r Ma r mu (Vi cr f
| |
| r e c a u "s to e s e o M f gzi p h
| |
| s Ad'. o 'g h
| |
| s ph es ). e h ut pe a t
| |
| a Dni os mh s e s s eo t
| |
| a m h a is nen r to ht e mpe v
| |
| u s v
| |
| la h to Wh i Ma s s et r r c (
| |
| io mip i ol v a V i t Fm i
| |
| t n
| |
| f o u l,.b ps y oua n
| |
| e t up w ht laDmv V
| |
| s lo w E r te et r p is e r pmt e r I
| |
| gCyn mm. p o ss ts o i gmaAmv n o ht - t z
| |
| e m (eDl s) r d n h a
| |
| h p
| |
| hta "s f tc a
| |
| w s
| |
| n igDS ut e e:t as lavC o f tc a iwo h r
| |
| .es omo n msr r
| |
| tc gd c o) t i
| |
| t rP r r r r loi
| |
| . e toa a os a c iw imr o g n le m
| |
| h a
| |
| c miNV r n r e g n le o i
| |
| r o
| |
| C laSluf i
| |
| Ois fa d ehw pe e r s
| |
| e r
| |
| g l
| |
| a s s a r e r it ic a
| |
| b o /a nte e(Re hp sV(i unt ia
| |
| )s A m p er t
| |
| a b f ol a r
| |
| imL a ot o o,.nr w l
| |
| a oh r
| |
| p wS ic pi a
| |
| o n t t oC lp e a lp e n
| |
| . maf ir t e oDv n m m fa nnl c n p r t e
| |
| P n o e u gP C i,/c ce a d h
| |
| ) r rei r o p "n m o a v di a tmSl v a o t
| |
| d tud e qifns e
| |
| t o n i t
| |
| w toNoi a c h LteMA(Aa VCT oe o c hP n o ms pod n u n abips o a dq e l u - a d lu - - - - - a d -
| |
| a o d e e lu E r u r sl oe e m s o s o y I TS tsl rd s R is U C U C f
| |
| i t
| |
| n D e C t n n d r o t t o go r
| |
| ho g n t
| |
| n I
| |
| h s ni ue . h meu ,
| |
| t o bel weqer s
| |
| s e d qe s b n e r d
| |
| e h n pbl e s e a esfu i n pbl a
| |
| e s u C desfua i
| |
| a s Cd U
| |
| * n .
| |
| o g lo w
| |
| r lomg r e e rm h i
| |
| o toy n ts lm t c a c u n la alwta s u m o m
| |
| ad nt l
| |
| a dr u r y m le b CS rc o m o d m r I te en . h ly e pr toi to o
| |
| I n v e s t r i is) t An ow l
| |
| t a n o ia elc a e ts a a gn f
| |
| n md ey c ta r to gics ic r
| |
| o s
| |
| y f
| |
| o t
| |
| r mo I N et t e
| |
| ps mr t w s od ia t
| |
| f nl a s o d r ue x is e s pil l
| |
| o Oreu f N Omd
| |
| ( e ll N le Imu Biso n
| |
| i o
| |
| t t
| |
| a e s ?
| |
| a n e y r e e c s m n e I u u s q r e c
| |
| o tor a F D r r e o pt 1
| |
| Oia t 3- n in aI t
| |
| t C s s e e A. Y Y A
| |
| l e y l.
| |
| e l
| |
| e e e d d b.r v s it e o o m
| |
| T l a u e q e
| |
| 2 E
| |
| 2 i n in m
| |
| Rr 7 0 t t F 8 -
| |
| 7 o o 4 0 N N
| |
| )
| |
| n r )
| |
| e e d d r o w c ht e e C) a .
| |
| oitp le )y le )y e o / n e a i r ) Ce n W:w t
| |
| Yf P r e le d l d l P P r o iair a n tab oe oe nA t S o e S r S mtar Cmtar 3 N in sc I e S s tes towt P si d n W MWindi wla top a At a Cip Ce m s
| |
| D( DLof I
| |
| f (OduiM eril a a T A A(
| |
| 1 a ee va AMF A ANe s I (
| |
| Vop l Nes i
| |
| (
| |
| Pi r u F
| |
| F < P e
| |
| to N
| |
| 2:tM$j,$m C52 y=hy6 I
| |
| ,I l
| |
| | |
| l!l D' {=l3 r yL goh C 3s2Es3 g
| |
| n
| |
| * s r s? t i
| |
| n o
| |
| t a v e e r
| |
| p
| |
| : d. .
| |
| c te mis rtn c. a a en r m f lu i
| |
| t i e f te i, n . a, e e . op i t t n s is at s . s s s i n
| |
| : I ei a s
| |
| e nc e e e eam I
| |
| Ymd Yoo Y Y L r
| |
| f r e .
| |
| g s s d n e le or? .
| |
| pd n ne i nd E bt esvt eb le mtef n o ot a d n o o F isdon rr e u i oa pmr n s s e i sm ea ecev b d i b
| |
| H vi lu c.
| |
| i ei el b s . r d .
| |
| ne e r J., edf r o
| |
| d ne e r el RE pu t
| |
| e r r h S
| |
| o v A
| |
| mvemt oa ut oa r u plu ei Df a Dw ra y V
| |
| p a ei Df a l
| |
| : I Sh nsh d
| |
| i gn s e d et . ini s a i l ia? s n o t ys md n p s.
| |
| c ed r e ce t
| |
| e t d
| |
| u5 .
| |
| o4 s le i k n ri eb mm C u t
| |
| ta el u r y - et liel a s t
| |
| pm e iumf l
| |
| a mE f
| |
| s
| |
| . ubyic u la r
| |
| d seu t t s ad ce ut . rt o s5 s opl r
| |
| i n FI Y
| |
| e vaf in t E mdi Gk St a m m ou aT t
| |
| M$ gart s eh ai - a YSVf2 f
| |
| e D ia?
| |
| l t o n s r
| |
| oto o si s .t ht . s R c a e iwses l
| |
| t e u rd g s
| |
| r of opc poe ei .
| |
| eo nR i
| |
| Fno .
| |
| l ht al m ye r d c e. lb e hC is le n m t s aheuki ts el ig r s s s ..
| |
| o t sb e s
| |
| y i o l f e
| |
| Y Mwmtaf o Psou Y N 1 2N u
| |
| S
| |
| / ) .
| |
| s r e?
| |
| )
| |
| p n. r n b es s
| |
| s e
| |
| le v s w u o le .y fo o v i
| |
| ma r ee le o eyt e - s ss ka ran c l
| |
| i uC sP eL lp v t h t . L a t
| |
| c p ege -
| |
| b ns Mimf u L sR Nn r mL u -
| |
| u oo w el n r io m e uP lo u
| |
| y r s s
| |
| l epor r o r u cR i
| |
| e ot
| |
| ( c T o u
| |
| - t o
| |
| n r
| |
| o J. o n e s ws f L is rl a F kA ps s e eb c e t (
| |
| e m Tm. la im cf : mrPRSRPTI s u w.m6 vn c e rtcn sf e
| |
| S Wla r m ra mr La o t . r , r dI ut ula io D
| |
| i Df u Cb a RAl a SN l
| |
| a L - - - - - - - -
| |
| P ,s e e t ?t ) . or P 4 os s
| |
| n z c n n 6 g i nn ee a e s A Dsl u nC ia r
| |
| e lg nor nl i
| |
| t d
| |
| nwa ed m B uC MBoA t n at oia d r et s!p ( D ply 5 l a die s c te n m m i
| |
| o ped u eBe q T s
| |
| e s
| |
| s m P(P ul s t
| |
| r a u m r is-se"eruiabuoib ,orN .R t t r S u a DD a rmBo n ,
| |
| sh opi t rti ,.
| |
| P D R E W D T r
| |
| M T ).S t ot uf r
| |
| l a n v yel el Ci"mf coac o R 2 2 I I BI Nb o , ,SR t
| |
| y s s d c p p s e
| |
| s fo n a m m n m u u s. ni a U le d v e m p pG s m
| |
| ioar t t 2
| |
| r t
| |
| 4 3S te de m c/ s o f o
| |
| f o 2 t ar ue s n f
| |
| o i .
| |
| t ) R 2 1 t o 2 I l i
| |
| I
| |
| :A m d rC oO s
| |
| inior e t
| |
| n?d e
| |
| n m 1 te 2
| |
| f e ei i
| |
| : L %
| |
| l h m u I
| |
| f m Waq FeR ly r
| |
| a lr a
| |
| y t
| |
| e a i e
| |
| m d i
| |
| o: E E L T M i
| |
| nd oe l
| |
| a J gd gd e nes? n re e n .
| |
| ine .
| |
| iM t
| |
| t ( lgi t oru2DC n cilae 1 fh itel i, ryi d go nt fh el i, t yi nt r si c r e n d go i o
| |
| nA e
| |
| Sn i F uFat C Y s
| |
| e e ve os s
| |
| Yecaf ns un si c s
| |
| e ens Yecv af os un mC O o s) r y cL o t h m mb o eD m DM imC 2 i tod u
| |
| e d m g i un d v eSl T g)t T e i e
| |
| I M
| |
| ( M I m Md(Rle rWvem I O s
| |
| a e O
| |
| E 2 sl Cibs o 3- t t
| |
| Os?
| |
| Eo s
| |
| e s
| |
| e s
| |
| e s
| |
| e ly t
| |
| P Y Y Y Y n a
| |
| A. n e
| |
| A n l
| |
| : e. R n o
| |
| r p
| |
| l e o m
| |
| l
| |
| : iR i
| |
| t le b
| |
| it &. r l a b e p c e a la rde l u a c s u R T- v o e) pr c c e mf r eh .
| |
| a ip T F k a
| |
| t ie s
| |
| gt s
| |
| aie em or t mic ue p
| |
| M l t l R N( Pp a SR A l.l l d'l> 4 2hyl0*. O .2
| |
| | |
| ,l
| |
| )llll!lll
| |
| ,=me{**
| |
| s { k
| |
| * s3MEgw
| |
| : r n r
| |
| * e n . o o e?
| |
| sv e
| |
| aG k gs.
| |
| eionn t c a ai s s d gD o .
| |
| i ane e ra f G i t
| |
| i Ht n od o lod t
| |
| lb l. ti iss ad s a s e
| |
| id ceh os s s e
| |
| l /
| |
| luW o pac rn o e l I Y Dsl Y PS Y r
| |
| f o r ge s e odo e or?
| |
| E l bt esvt dn m e F e pr e m.
| |
| i sdon r r c e e lu H ea ev d, it, de s f vHRE ia t .
| |
| ba n si em o. o I
| |
| r en Yo Yl i N N d
| |
| i s e d s e s s d r a
| |
| e at Ha? s o
| |
| l t uol nm l u s r g ht ces c edt i
| |
| c a o 2 o y c nt.om a s C r e e lusf htn b,i. o .
| |
| G . tcts d. mead e r e.
| |
| e rV t V
| |
| e ias sf aE s sD s .rha ol o ;a. o r s preow o l
| |
| liOo Re DS n FI e efawi s N T, lAbOhl e WP p A _
| |
| i f Y L o t f e
| |
| D l a?n ee
| |
| ? i l
| |
| I 1
| |
| . t e d
| |
| e y a
| |
| o it o b r t t t
| |
| u u n n o e eol r nb le t ni s eu o Gl a Df i o o n j
| |
| r pnu e otal n yd s d s ip s de r i rba ats:
| |
| t of d - e a Peo s e d o tri s . M e t s m ih l t o
| |
| psl aa maepb r d a r u a
| |
| e hC ig r h ct iger s
| |
| . u n o t mpn i is ta unrorfeser et
| |
| .-, c t
| |
| s e h u u e yig ,
| |
| MsteP( d y Hof i t l s Y S "r ATb s 7 lu S o s c
| |
| /
| |
| s )
| |
| r?
| |
| ns n e s w s ehl e e is h
| |
| o b e o h t, e T na a s
| |
| . l f cl b i
| |
| t c eC m d n
| |
| t e
| |
| r ad ul . n o
| |
| Ns r d ug f gn .
| |
| n rotie la a a ts a om ois i.u i
| |
| u ( c f e .
| |
| rus igs r cl s e l sl oo n
| |
| r F kA o s ss mr s omp s r o s iac oi t n
| |
| r b o cf r m t
| |
| a o e a l t a e t n )t L a Pr la f ul oa oc Y 2 um s .
| |
| l au l I r
| |
| Pok r l.
| |
| e 1p ec e t ? le fo ,n n ly o zs c n st s y
| |
| .o n p e n b
| |
| i i dede e a e d a
| |
| : m. uea o utn r i l
| |
| 6l i l u t
| |
| p u s s t
| |
| s, r B at hr ok t s )
| |
| i on nwes et p ed io op l
| |
| duif wpt a n dliea r f s e s im ind st e e VV RD s
| |
| r o
| |
| s .m3e . esti eneg ue iueesl - OS ta i .
| |
| irio vs kelg sl t s s v e s r D R E ik qv nd o vl aanr A e n PA e Pt a d na n nin e lao a gVoa RvnloCh U c o /
| |
| N 2l i 24 n e
| |
| I t es g ot t S y m a -
| |
| s d - c p e er s e f e os m. D t s
| |
| le d un T 5 Uw s pi v o o s n 3 r ta i
| |
| p f
| |
| o no ede G ia f l ym t u
| |
| i oP l R
| |
| D r t ore I p Opnu o 2 2 3 t e at i i n
| |
| mfs rf a s?
| |
| e de n
| |
| n %
| |
| 5 fOo lsi et t r i im i) im G )e in 6 h eequ 0 acre y m <
| |
| nf ly4s ly0 D ur (
| |
| r0ri lu li 0 I o WF e r 1
| |
| - ri l
| |
| 3 k n
| |
| f s R a 3 oa E(rf E(ff a a5 o E' >
| |
| oso is t
| |
| a i(
| |
| nL o
| |
| l eme a?
| |
| a d h e
| |
| e t lgi e r rD t aO nei t
| |
| lutC a u
| |
| S e ae .
| |
| t i o
| |
| s s
| |
| s q sB eS eFat C s
| |
| e Y
| |
| e Y
| |
| e Y
| |
| e d
| |
| e e - F Y a nP ) ) ) s t
| |
| s uS r o t
| |
| s e mos t
| |
| s e mos o e h l cO o t eD m
| |
| p s
| |
| s c
| |
| a pM ca s gM ca p 2 -
| |
| g I
| |
| l DL imC 0 i
| |
| s y 0
| |
| 0 s(e el y
| |
| 0 0 (e5 y
| |
| l to: pp s
| |
| T 0 seol e s e ia e e s r s 0
| |
| 1 c(l auk i 0 ak 1 ch 0
| |
| 1 ak ch FDDh O O
| |
| b 2 sl Cbs i e E t
| |
| o y
| |
| . d. p n
| |
| On? s.
| |
| s s
| |
| s e l i 3- EeP e e Y
| |
| e Y
| |
| i r
| |
| a n t
| |
| t Y Y n i o u
| |
| r tu A. r e
| |
| l a p C
| |
| a A s e e, t
| |
| a v
| |
| o - 1) a(
| |
| le b )
| |
| e it : W m e n a
| |
| c 1 l
| |
| b c
| |
| n t
| |
| r o l i. e c R s.
| |
| . io ip
| |
| (
| |
| s e .
| |
| a F o p p s e
| |
| i v
| |
| r t
| |
| s .a rt p e T z A u i . e ie Gi r d
| |
| s DC S l
| |
| '* N 7cNhi.$A g p .
| |
| : >E>Y00 l lI
| |
| | |
| Att chmmt A.3 Dems MmmtatM C 3. I s- 2 1
| |
| 2 1 $ 3 d 8."
| |
| {}- -
| |
| $ a a 3 ._ a as 3
| |
| a- 13 l
| |
| E.
| |
| 3 }k $${1 E'$
| |
| L N
| |
| $$ is a f2 i j -I l
| |
| il E gg 51 !Mll p ,
| |
| $1 he i 1
| |
| k =
| |
| 15 Illh.. e m-v >
| |
| irm A ~
| |
| O f
| |
| a g {.. , i 2 . -
| |
| A t
| |
| k ks :
| |
| If !
| |
| - I.
| |
| l
| |
| - Att. A.3-9 NUREG-1624, Draft
| |
| | |
| ,1lllll ll
| |
| >~ yao~yb 2sohnj@[*oa
| |
| )
| |
| (
| |
| s h c n y t i
| |
| ig r w l o
| |
| g s
| |
| g a
| |
| e e ly l
| |
| rR lyli t a a tc laR u
| |
| c a no t b s m a.
| |
| r T u l t a s t o t S S i ct e u
| |
| a sW r
| |
| o
| |
| - e poa R A
| |
| S C mte m a r
| |
| po
| |
| :m n:
| |
| C ), ofr O eo res e
| |
| - L ri utc uv sl s
| |
| s us ag e
| |
| : e s ev r y rf pnr po o a r
| |
| o wrhih egti cc s g Imvi ol sdui t
| |
| e a
| |
| C r )
| |
| s t
| |
| o (
| |
| l e
| |
| i a b a
| |
| - t i
| |
| n T
| |
| 0 m I
| |
| 0 r E o l C
| |
| f O b c a d b c a d b c b c a d b c a d b c b c b c c s E 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 y 3 3 3 3 i
| |
| e 3 8
| |
| 3 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 , 8 8 8 8 r
| |
| o g
| |
| t e
| |
| a -
| |
| C
| |
| ) s le e M b a d F icMa Fr e F
| |
| (
| |
| lpFt p a e A C d
| |
| o M 3 5 2 2 3 5 2 2 3 5 3 4 2 2 3 5 2 2 3 5 3 , 5 3 4 5 e
| |
| r l
| |
| u i
| |
| a F r l t o y y
| |
| a ia s e lla b n t isa t
| |
| m d n
| |
| i o I t r
| |
| o a t e- S ng t s y y y c r n p y y y pi b b b b b n P m i. m b
| |
| d d d n
| |
| d d n
| |
| d n
| |
| u u p
| |
| . u p
| |
| n a
| |
| n a a n
| |
| a a t a
| |
| F I m I S t
| |
| S t
| |
| S t
| |
| S t
| |
| S S f
| |
| o n
| |
| i o ) P
| |
| )
| |
| t s F s p e e a m ) U o r t
| |
| u S G ic n s m p n o
| |
| m e g (
| |
| R e
| |
| em e g i t s m l
| |
| a mu p t
| |
| t s n a z
| |
| y s d m y ig u r m ui S r i
| |
| r R lcn o u cd a u N S oe l
| |
| h s l C R i( -) y -
| |
| DM I P
| |
| ( m I P
| |
| (
| |
| WF (Raw 1
| |
| R li I
| |
| I IS N L E RA R a
| |
| J 3
| |
| s n t
| |
| - o s i e e )y l
| |
| t t t a l f
| |
| mt v ai r o m A.
| |
| A Fo d ir p u )m R*
| |
| e*
| |
| mI rl e a Tv) e n
| |
| eP e d( ke m ta# gmg- oh o
| |
| N l
| |
| b e e
| |
| Me ad l e mel I Rl (
| |
| e a
| |
| N :M l s T te a( b c o N
| |
| 2*Ck6/,Z- Dr >h.* .
| |
| ,l 'lll1 \
| |
| | |
| S - e r n o
| |
| a a d
| |
| a i
| |
| u , b d
| |
| n (m e i m m q ta e e
| |
| )
| |
| s lor e .
| |
| at ts sy ts ht ht s r
| |
| ( l t e t r s n r r y a s v r o o e o a of o e f f u
| |
| ice t pno G ts *( n v
| |
| i g le le g D l
| |
| a 2" o b ba .
| |
| _ S C d a .n c n i
| |
| e f u ot c a c t o n t e lo hio hpt i o
| |
| _ a ).
| |
| a y mde leto C
| |
| pt pc pc c ln (
| |
| p b r a p D a n u a n u b i b . y p c i e 5f 5f r i e s
| |
| s e leir lpru l
| |
| o r d no d n S o t k
| |
| h r t
| |
| pt t n n o P pip tske a ar lyep n
| |
| : o. a, azi t
| |
| a, ita z
| |
| en o a c s I 4, ri 4, ri S hi t
| |
| me r n
| |
| o m. tono e 3 u 3 u s
| |
| O t
| |
| n b o s s l
| |
| 4 te) o N 's 's 4 eit s s r o p r n r i e e L Mm Me a ludn e Mp r
| |
| Mr F v ts ai o tnti p
| |
| : o au F u e F e F e y Cc F p Fore F c S Fd Fd r
| |
| g t
| |
| e c
| |
| C r O
| |
| : O )s t E l(e a /
| |
| i t C ba i
| |
| O T
| |
| _ I n E
| |
| _ r a d b c a d b c a d b c a d b c c a d b b c c b c s c 3c3 b c k f
| |
| o 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 8 8 8 8 8 8 8 8 8 8 A 8 8 8 8 g g 8 J3 3
| |
| _ 8 8 8 8 8 8 d 8 8 3 8 8 8 R s
| |
| i e
| |
| r o
| |
| g
| |
| ?t s
| |
| e l o
| |
| t c e r
| |
| k a C b a C
| |
| ) c D M a lP f
| |
| o F P
| |
| , s n
| |
| F A
| |
| ( iar t
| |
| a , ht d o o 2 2 3 5 2 2 3 4 5 2 2 3 3 4 5 3 4 5 3 4 5 3 4 5 b
| |
| f 2 2 3 5 2 2 3 5 M ieA e
| |
| r l vC l
| |
| . t s
| |
| u VaOnl L
| |
| i c r m W W oae o p S S isS F t r s I i a s u m) uE e n a im m
| |
| : i t
| |
| t pI w
| |
| o c
| |
| c d or n I m ta ( r e T 0, Af g i
| |
| o e r
| |
| - S y y gt mfa
| |
| (
| |
| y
| |
| (
| |
| y g
| |
| m g
| |
| m mn t at i c P b b tst b) b) t a
| |
| t a
| |
| d d r d p d p r telu a n a
| |
| n a
| |
| r et ps a n m a u n m a u r
| |
| e p
| |
| e p S s t t e re Ore t t t F S S S p S p O O in y b o f r r c ut Te n? s n n oiln v t o
| |
| o i
| |
| t mfoi s r m sC t ' e o s zt " )
| |
| ly w) o y cod e s "' n Pl p 5 lsi f m:
| |
| e k I P o Cp
| |
| )
| |
| 3 9
| |
| 3 z e i ed c c 7 )
| |
| Du (S te ht mues f ime m
| |
| el a O ) u r y p )
| |
| V o
| |
| N Y b oms l i u
| |
| DB W G s
| |
| h ig h
| |
| 8 C d e t t
| |
| ek c
| |
| h gD i S e R s u n e F l W I t
| |
| T M a a Se O ol v E D I( S I( I ( BB lI( A ( P tait t
| |
| s a v a
| |
| z hteiVr s s uD b s isS 3 n n t eA r
| |
| io e ha pn 3- t ) l e a t
| |
| e y st a
| |
| v ta z WDC t ai r o r F o m is)m2 u .
| |
| s A. d ir Re )m t
| |
| r o ue 1 23 eP A d(
| |
| e t
| |
| si u p) ph e i r d to pen e e iede u g eM e l
| |
| h N S l i D( e s
| |
| l.M a(
| |
| : I c
| |
| S e c b( to T N ypyyC c D ]ag? ?82 8
| |
| | |
| Attachment A.3 Demo Doe mentation ,
| |
| k -
| |
| II II j*
| |
| * k 5 1 s
| |
| 1
| |
| '1 g y '
| |
| l 9
| |
| f ., s 8 8 $ #.
| |
| y y
| |
| =
| |
| l i h
| |
| t v s 5 i l '
| |
| i l l I! is j i{ i 1 1 l '5Il l 1 lll fll 9 11 E l i s
| |
| B f i i 1 ) l s i e j -
| |
| t i i !
| |
| ;rl i l}
| |
| - l 2 ,1. 1 1
| |
| ;i; ,
| |
| t 41 t 1 f -
| |
| 3 $
| |
| l .
| |
| :' .x ly 1 .1 1 1 1 E- E i
| |
| E g ! {J I 3
| |
| a t rl- '
| |
| tt tt i I '! ,1 I rf a l ,
| |
| =
| |
| a t 1
| |
| & & & &tl &c &
| |
| t
| |
| &l i
| |
| 4{
| |
| i, 3
| |
| 1 ! l li i t l
| |
| 2 I l s s ]t i
| |
| i l 1 if 1 l l fi M -
| |
| h f- f 1 L il 1
| |
| Il NUREG-1624, Draft Att. A.312
| |
| | |
| 1j!l
| |
| >kf,Bf ( k3 i :
| |
| g3j$:a
| |
| - ht n r a n i n o t n i w o s e n m ee , e t
| |
| i a T e h r e o e ir g m
| |
| i S *s su w v o W p ht c n nli it )
| |
| g tew r
| |
| pe %
| |
| S wc oo e g F U
| |
| ae s w eoc t a
| |
| ig n )
| |
| n r
| |
| e l t r 5 3
| |
| ) . nf ekd r s e
| |
| fr m
| |
| a s t,
| |
| n S f
| |
| l a
| |
| n loe ta c a inm n ) e e o b nbu i p a r e isiru > o *e a c s
| |
| . r u e hc m g
| |
| 3 m s, m. e v
| |
| t a
| |
| mss h b
| |
| - e dHn m d e mn. o it n
| |
| a "tr is 0
| |
| vng.o s r l it ti ";
| |
| e ek ut pe a o igts io le c w h a 1 t n e s hi re b o ga a t s .
| |
| s t
| |
| o S is I e npo r
| |
| a i
| |
| e twp h u l(ion o p r
| |
| iniv s. el "re i
| |
| N na t
| |
| oh w g n
| |
| f i m (l eat gio r p
| |
| ia r e ur l v ro ". t r
| |
| e A g. n e vi r na
| |
| ; c d ic b, et v no a t :
| |
| o e ). f a x suis n v l f hl e .. ea o r C e. o v o yr e o w f e v d u ot nl e p r
| |
| .ta
| |
| .s
| |
| (
| |
| e s
| |
| r i d e
| |
| w O
| |
| L kl m (g it Ie a
| |
| teG Mel I
| |
| s e rpes it c
| |
| a r
| |
| d e
| |
| p p
| |
| lno ot k r
| |
| e mc d o ad ee e p t
| |
| r i
| |
| c l
| |
| e v
| |
| e s, e s e .i u ( a o r
| |
| S, Ve s e o leo g a ts p e me o s p e ud rs t t t a m fRd "s hm.i n b t o r e e o r r e e s ao r e: s. u - l%u t
| |
| a, su g ng e r u lnb". c n u t
| |
| opeh isw e ct b in . p .
| |
| 0 h y .s na p s s
| |
| r a uts s is s s t
| |
| e b
| |
| n hpu t t; c br n
| |
| . 0 e ln 3e i
| |
| y rd i
| |
| m e e r te f o i e eomt s t onC r
| |
| a po le u 1 r u
| |
| 1 t e n
| |
| O (e rp Tr e T P S o"l Mpr U *s s o( C Aab E T T C Ac s
| |
| )
| |
| d e
| |
| m e i
| |
| m ic t v n r e
| |
| o s e
| |
| C(
| |
| r u
| |
| tu h f g , r i fo H s
| |
| )
| |
| (
| |
| s
| |
| : A . p y U !. m t is u i a p r n i
| |
| o n o is g 7 le b
| |
| r i t
| |
| a a P i z
| |
| r ic t
| |
| a d s
| |
| i u
| |
| s . m d s s o n e p t p a A p r
| |
| m u
| |
| a m p o
| |
| C d e u p le b
| |
| u p ts O o p p o
| |
| a s o p ht L t s
| |
| t s d i
| |
| t s b o
| |
| M O s
| |
| p O
| |
| s p
| |
| O s
| |
| p O
| |
| s p s p
| |
| r O fo s
| |
| A U s ic ta d a m e d o i
| |
| f le de t
| |
| u i lo t a
| |
| t r a t n t n u n e o t c o a /c d S d d te /a e I E de a d t a
| |
| F t a n e s 4, n H r e
| |
| i a is .
| |
| i m
| |
| p it r n e
| |
| :o, :v, i y :j
| |
| . t
| |
| :j le .
| |
| e ;.
| |
| t a
| |
| 4 .
| |
| . i r r 3 md e l
| |
| P g p 3
| |
| M p
| |
| o lo r
| |
| .m t
| |
| t
| |
| ,u
| |
| ,u H p p
| |
| p p
| |
| pr pt q e e s s a n A.
| |
| I r e S I n I n n o c A
| |
| l e n g b iI o n c e tsp i d
| |
| T s e uL rf l u
| |
| c e
| |
| a s uo n iy s e s i() _
| |
| q e r u _
| |
| pd W h" FU I e n S Da ES .
| |
| ~
| |
| l se :. .
| |
| t e .. )
| |
| e .m u Riu F t d n e l eM l (
| |
| &*?[ta, 2 mC)a $". ?=D "
| |
| l1
| |
| | |
| l()IjiIij]
| |
| >EW=gy*>6 r yguC8ygI=E s
| |
| 5- wo t dt n d c lue n r e r ov nl a oi ce ef fd e n- . n is o n wis o t
| |
| pP eR ht ti t c mp it c
| |
| cF on m e x Tle lepe pu j
| |
| e( S p voe i n
| |
| Wh g Ced e og n e
| |
| s Fi n o "y l t a e e
| |
| t E h) ew pr o Gt S eg m a w "p ra ol t
| |
| o at t n rd e N o sf le e lood s b v nv t t r f l g e sGe z nt u oh S m "o Si lei f cgc o 4 a r
| |
| l m eo r i s ll f tn lai n smi a eei r wss r o
| |
| t y a eT h f e
| |
| m c e m t
| |
| o lo rh o i eh o n e l
| |
| : s. i f l T .e _
| |
| ir wt leps "e p t.
| |
| 4 ve .r . .
| |
| dosem e s
| |
| e ou o*l s0 a e
| |
| e si ec s
| |
| e s
| |
| e o Nct ah Y f a i c A5 v S Yr e Y Y N r
| |
| )
| |
| " s fo t..
| |
| d s d la s
| |
| . r e r o
| |
| l a -~ n e .v o
| |
| n n g s i.
| |
| g t e
| |
| pu e "
| |
| n "
| |
| d e
| |
| . is q ic d e
| |
| i t e is c
| |
| m a f"o ls a io n s r me v r
| |
| e m n mr i
| |
| t a a n t e ode c t s r
| |
| a o "
| |
| a m
| |
| /
| |
| = t u
| |
| g ta r e m
| |
| t r ai n
| |
| e e r
| |
| C
| |
| (
| |
| d e
| |
| o t
| |
| u ls a
| |
| n o
| |
| s is n i u
| |
| g a r
| |
| ht qu e
| |
| d icc u
| |
| t u
| |
| d e
| |
| r r
| |
| a g la ts o f n
| |
| a p t.
| |
| . r f iu h
| |
| i u n i
| |
| t o a r q in s is a g q s g o c n mfo n fo e ic l
| |
| e e o - g . i r i
| |
| r r t is p e vn
| |
| .o ly ) f H s f
| |
| o p
| |
| p a
| |
| m ic t
| |
| t e
| |
| s is ic ic r is d
| |
| e ui qa t r a
| |
| (
| |
| s p t o
| |
| : A t u o a t e e r e u y u s l a ta a m o lope t
| |
| U o r u m n d t. u t o a o g m m is r o p i
| |
| r ) m s le t
| |
| u o t t o t u tng i. )
| |
| s m e
| |
| o s
| |
| ( t e s a b a is t a u u a o on r le (
| |
| p t s
| |
| p s a e e ci b y p t. ;u i
| |
| y s t. r a m s _
| |
| r m s y i s k a e t
| |
| n t
| |
| n lyu q is u ._
| |
| P u p n b d t r ..
| |
| e e -
| |
| ted e d p n g
| |
| a r lig d d d d .
| |
| y m m o lor d t h
| |
| t i n n n na . a p . ,
| |
| u n ia a f
| |
| a a a) a a u iu iu :uq :u qe r t p a f e e pp p p p q q q q e n r r p A f r p e e e df o o p o o d u mm m m u
| |
| m n e e n e a e c m u o e d u n e C le b
| |
| ne a m uu pp u p p p u
| |
| h g e i.
| |
| t e
| |
| a ig t a
| |
| r t
| |
| o n b.s t
| |
| o n
| |
| p p h ts lba a n pl i
| |
| O l
| |
| a pI py p p p a u u a- e o s oy n oy o o o - t p o o to i L tsd b tob s d ts 1
| |
| : s t
| |
| s e
| |
| r i.s c a e r o d d t
| |
| s b d tsd b d
| |
| s an s s tu s s s s s s s s s s s n M O s
| |
| p s n pa Ots pt OS( O p pa Ots O p
| |
| O p
| |
| O p
| |
| O p
| |
| O p
| |
| O p
| |
| O.
| |
| p O
| |
| p O
| |
| p O
| |
| p O
| |
| p pa Ots r
| |
| f o
| |
| s d d A t e t e
| |
| e _
| |
| U r e
| |
| v i
| |
| lp e
| |
| d d d d i
| |
| e ly y f te le G.
| |
| i t
| |
| . a t. .
| |
| ir n . .
| |
| y w
| |
| e s v .v /
| |
| d te d E :/a d r y d e a I
| |
| F a r
| |
| a r n te e.
| |
| i H la i n i n m o r i
| |
| s s e
| |
| c s
| |
| e c y v t e
| |
| y y r r le u o o u le le t
| |
| n ta s s t
| |
| a n e e n i A i r
| |
| o p R
| |
| /
| |
| R
| |
| /t p
| |
| o r
| |
| o 3-t r
| |
| p p
| |
| t u
| |
| tp u
| |
| p r
| |
| p p
| |
| rp t t a
| |
| a u u n n n O O A. I I i A
| |
| l e l b -
| |
| a m T
| |
| e e
| |
| t s
| |
| y R-S R l
| |
| i R
| |
| t n
| |
| e s l l
| |
| i e
| |
| t e
| |
| mrl m e a a Tv)oh F gmi g ael l RI (
| |
| 2"C3mcJ$*.CE2 Il ) ..
| |
| >F>p1
| |
| ;i' ll
| |
| | |
| l)lll g=@35a ( g3w EMl.%gw 4 t
| |
| n lys d e p t
| |
| N
| |
| (
| |
| o i
| |
| m=
| |
| e nw T.kO S h( t t
| |
| a c
| |
| n a
| |
| n o
| |
| d e
| |
| a tnp s Woo s w I I
| |
| i t
| |
| c t
| |
| u t
| |
| u t
| |
| a e o cm RM l 4 .
| |
| ). m j e
| |
| n t
| |
| u t
| |
| u o o f e f u n s isl . foh r e i o o s s d op g n e r e3i T- e s s s le e nS o nl h g e e le e
| |
| t o r u lu r
| |
| r a i oCTS taniad n w lur u r
| |
| s tac ic af e o t N s r
| |
| o s
| |
| r o k c
| |
| uEW l<
| |
| h n coit l
| |
| af l
| |
| b e s r
| |
| s r
| |
| t c
| |
| t c o t
| |
| c oR i le s R n. e o t t o
| |
| a l at f l pi e I io c c fa oeo r
| |
| fa fa I
| |
| f g eie n Rt c m a
| |
| te t vt n n n uan o leluus e o r n fr n n a a i ) .
| |
| ami ou e a m
| |
| u m s y sl aa emfnm s
| |
| o u fF el e
| |
| m m m u le ke lail cs ua u u Fftato sa i
| |
| H l s v l l s
| |
| I s
| |
| s s
| |
| n u, h y
| |
| teD@
| |
| B . y s.a a s u s yy s o ioe m T
| |
| si
| |
| .r c
| |
| s s
| |
| I s
| |
| I s
| |
| o o o o t
| |
| or o e e e e er e a a ec e e o e e Y Y N N Y N Y Nv e N Ys pfo N YMwm NR Yr e Y Y N Y Y
| |
| ) r t d s
| |
| * d ls fon e s e la e a n se mp r l u n g - m r
| |
| g t ei e '
| |
| o a n
| |
| g i is
| |
| - a is puq ic d is t
| |
| n ic
| |
| - f"o ls a
| |
| n o s r me v r
| |
| e m c t
| |
| n i e od e o a - t a t c e t s r ti a
| |
| h m
| |
| / t u g r e tai s n "
| |
| a C
| |
| ( :
| |
| a ls a
| |
| n o
| |
| s is n
| |
| u g
| |
| m a
| |
| r h uq t
| |
| d i
| |
| e e r
| |
| u d e t m
| |
| o u g o fi a t e c u h a la t s i n p nr c f tu i r
| |
| a g s is n n ta o ef a r u q s s s ig i o c n mo n s i e ic s p lo e
| |
| - g ipn i
| |
| y fo e e ic H r s t
| |
| p a ic t e
| |
| i r ise o ly le ) f r r p
| |
| t a
| |
| s p u m t s ic ie d ui qt a r a
| |
| r (
| |
| s o p m y A s o a l t e r e tu p t u o t
| |
| m a a ta e a u s u lope t t r o n id t n m o r tu o a g m m n g u o a do o o s tr o e t
| |
| u p ) m s
| |
| s le a is t u
| |
| t u
| |
| t u ng m e s e s s le a b a e t e a o on ip r
| |
| p le (
| |
| p t s a b i
| |
| r v n is k s t n a. t n
| |
| t n s n
| |
| ci r u t b
| |
| a m y p a s
| |
| e yu n a e s y P I d t r m e e -
| |
| . w n ledr q e id s u p n b i
| |
| d le d d d d -. m ta m g d d n
| |
| a) n a
| |
| n a n a
| |
| ip u
| |
| p p bu p u o o ip d n
| |
| t i
| |
| la i
| |
| n n fa a) a r
| |
| pp p p p q :-s iu q iu qe e r t u a e A mm m n m e n
| |
| q e
| |
| q e e q
| |
| e d fo a e n
| |
| o q e m p
| |
| o p r o
| |
| r p d u pp mm p
| |
| m C uu pp u
| |
| p u
| |
| p u
| |
| p ig te a
| |
| te a
| |
| ng e t
| |
| a to b c
| |
| t o t e
| |
| a u
| |
| p ts le n a ne uu pp u p
| |
| O py ob p
| |
| o p
| |
| o p
| |
| o l
| |
| a- u u h a- r e n se n u p ht b a p h oy py p L t e tc t
| |
| c e p oc o t c o o i s
| |
| t b ob o ts lu ts s s ts r a a r o d ur d a ts b d sd ts dn t s
| |
| pm u M s O( S O
| |
| s p s pat Ots O s
| |
| p O
| |
| s p
| |
| O s
| |
| p O
| |
| s p
| |
| O s
| |
| p O
| |
| s p s ps o Ore s
| |
| p s
| |
| p s
| |
| p s
| |
| p s
| |
| p s pa n s pt a
| |
| S s
| |
| p r O O O O O Ots O( O z
| |
| f s
| |
| A d U i. :_
| |
| 6 A-de d i - d i j y l e
| |
| d f
| |
| i t
| |
| d e :iL le t
| |
| a t e
| |
| n n g
| |
| i r
| |
| a u Mc e s h y p o tc /c d a r /a E
| |
| I F
| |
| N d'
| |
| l t
| |
| e a
| |
| p p
| |
| a n
| |
| d i
| |
| t e
| |
| a d
| |
| t e
| |
| a r
| |
| e e m o
| |
| s s i, it n p r i e c
| |
| i o te ly /
| |
| r :/ ly u
| |
| a t e
| |
| a o s
| |
| :iL .-
| |
| t a
| |
| e 4 i r e ;
| |
| i r
| |
| 3- p R R .
| |
| p o
| |
| r
| |
| /
| |
| t u
| |
| /
| |
| t u
| |
| m w o r
| |
| t p p t p tp tp p a
| |
| n u u a A. I O O I n
| |
| A e
| |
| d i
| |
| c s u
| |
| p T e e
| |
| n m
| |
| u y S S - c r Ri c l
| |
| ie RR u _
| |
| a ne _
| |
| e u
| |
| F l
| |
| I n
| |
| D*r >h ~ u yCgOag='g32 ll
| |
| | |
| 1 lllll1 1 i!
| |
| > :gg~
| |
| r ( $5u B3g t..s e ly
| |
| .auc t
| |
| t e s o . . k w e N( ;b e Tiol S l t ) . l f
| |
| d a s Wof s4 h.g m e tnp r ta o cm RMoi n t h T e
| |
| fe ud g d
| |
| e f u op isls. oe l r e3i s e nS .
| |
| o o ni nl fa m e r a iC T t a a e I
| |
| t o
| |
| t aC S caf n R N k s
| |
| uEW i h dn coot l i -
| |
| c o
| |
| t c
| |
| at f oR i le s e Rno l
| |
| pi m ri lr e oeo g eieu vt s s fotcn t
| |
| n tua n o leluus e u amit emf n a i
| |
| ). uF s y sl e e t
| |
| aa eD l s l oy aica a s
| |
| isla B. .y f- Ff n k oms n v lu, h - .ts t ao
| |
| . s
| |
| . s.
| |
| or y s e
| |
| sera "a_ s e u ayp oem t
| |
| o o o e e
| |
| N N Y N Y Nv e Y Yso pf YMwO( NR r t
| |
| )
| |
| s on f e d *s l a s e e n epm u m ig t ei n r a s puq i
| |
| t f"o ls n o
| |
| . me o
| |
| n a i cde n t :
| |
| o tu g a r
| |
| u tai r u
| |
| C o is eq
| |
| ( n ig .-
| |
| ht h
| |
| ls a
| |
| n t s
| |
| n i
| |
| t o
| |
| a f
| |
| n e
| |
| r t er mf g g l n
| |
| g .o i is M. o e rn y q s
| |
| ;uio le H s ic a i
| |
| c r
| |
| c is d
| |
| e qta r u
| |
| : A ta l it a
| |
| it a e er t a
| |
| y U m o
| |
| a n m m d i lope n i
| |
| t g o o s r o <
| |
| r tu t t tng e a is u u tn on r o
| |
| * e t
| |
| e a a e ci p
| |
| yu r i t,. t t r k a
| |
| s e -_
| |
| t n .
| |
| - e n n e
| |
| P t r -
| |
| e .
| |
| m ledr m
| |
| d n
| |
| d n ( ip m r ;r p ta u o p a a u u ;u u q iu qe e ro iu p p q q q q q A m m n e e e e n
| |
| e df a e e e
| |
| C u p
| |
| up ge te a
| |
| te a ig te a
| |
| r t
| |
| o b.
| |
| n t
| |
| a u
| |
| O p p le u u la. e o o e t
| |
| c t
| |
| c e p o w t c
| |
| L t s s ts r a a r o d a M
| |
| r st pa Ots u
| |
| O s
| |
| p O
| |
| s p
| |
| O s
| |
| p O
| |
| s p
| |
| O s
| |
| p O
| |
| s p
| |
| s p
| |
| O. - O s
| |
| p f
| |
| o s "_
| |
| A du :_
| |
| U de i
| |
| d f- -- d e
| |
| y ly l n
| |
| i d le t
| |
| e t
| |
| l o
| |
| r t
| |
| n e
| |
| ig n ir a
| |
| p a
| |
| n p
| |
| U_ t n
| |
| o c
| |
| e s or o
| |
| r E /
| |
| d E l/a d p p p p
| |
| de I
| |
| F e t a n
| |
| a t a O.
| |
| h l a i m i t
| |
| o s
| |
| i w
| |
| s e
| |
| c i
| |
| i n
| |
| y ly w
| |
| y r le u e
| |
| - o a t a s e lh t
| |
| a n
| |
| 4 n p R R r p 3- o /
| |
| t
| |
| /
| |
| t
| |
| : o. o r
| |
| _ r p u p
| |
| u .
| |
| p t p tp p c
| |
| A. I s
| |
| n O t
| |
| u O
| |
| u 1
| |
| : m. I a
| |
| n A
| |
| l e
| |
| b a .
| |
| T a.,
| |
| S 6
| |
| u F
| |
| 2 g MO'.e4# C 3# 6 g~ W.E
| |
| - 1, 1 l
| |
| | |
| e vi sln )skE a S nlyr to n e ihi ta oe t d
| |
| .le a ie t e
| |
| vl eD d eg r
| |
| iob t a o n m n
| |
| T im s a wa eI e m1 ui n
| |
| .l n o c) cb c d s wb h a e ig wt e loeva Furpbe d.
| |
| jk e os eGeh n la oo s f t
| |
| o lf pt S s t y t inlea e s lf n u eh z y N oaueab ei s oi r ns e te f a e u ih ime t
| |
| t t
| |
| ie b aiqa sd is r
| |
| a .s iays t mo n h pogf iaq inte r l oidc reiip l
| |
| e r r d a es eee o a c is
| |
| / ib a o r e u p. re r el i o et s a
| |
| f iv"n r imve h ca mhh p p r y e s s ve pr pt an e yi t
| |
| aoa pf n t /
| |
| uf f u t t pC eme d le "tr io s ta . a le inPh a I i pI I s a e e p k
| |
| l i e re wly p
| |
| mb m r di v v e r p s yk MMqp pe n t
| |
| r - - oou o i i Dd iF u T
| |
| e e o N " " s Ohi t s s
| |
| e r ic d" e
| |
| o s n v ls r m c n f a io d h e r i
| |
| t a
| |
| e s
| |
| o n t a e t n
| |
| g s a / t g r r
| |
| e u ri i e r
| |
| " m o la s
| |
| o is u ou d H -
| |
| t u d e
| |
| r t
| |
| u n g ls s n
| |
| o ig f i t
| |
| s f q gr e icc
| |
| : u a a i n info a y f iuq s is n t
| |
| n t a o i m t n t r s .ig io c e lo l
| |
| i r f o e e ic s p e n pn i
| |
| mio ly r r t s g o )
| |
| s f
| |
| o p
| |
| p a c t e
| |
| i c
| |
| r c r a
| |
| i r (
| |
| u m .it a
| |
| s i it is e ota cr e p t o t P a a e l
| |
| u s t a d t m o u m n t t
| |
| np n r o m m n e O A s u p m o a e
| |
| t u
| |
| g o o e d e o mg e
| |
| B U e
| |
| )
| |
| (
| |
| s te s
| |
| s l b a is t u
| |
| a t
| |
| u a
| |
| m ist iipn ip m
| |
| S- l p s p a a e t
| |
| e ip u u r u b
| |
| a m y
| |
| y is k s t
| |
| n t n
| |
| t n u o q u q P is u s
| |
| b d}}
| |