Paper - Applying IDHEAS-G to Analysis and Documentation of Human Event in Fukushima Accident
NRC ADAMS Accession No. ML22070A154
Issue date: 03/11/2022
From: Y. James Chang and Jing Xing, NRC/RES/DRA/HFRB
Contact: Jing Xing, 301 415 2410

IDHEAS-G for Human Event Analysis in Severe Accident Operation - Demonstration with the Fukushima Daiichi Event

Jing Xing and Y. James Chang
Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC, USA

Abstract

The general methodology of the Integrated Human Event Analysis System (IDHEAS-G) provides a framework to systematically analyze and document human performance challenges and potential failures of human actions [1]. This paper presents the outcomes of using IDHEAS-G to document and analyze human performance in the Fukushima Daiichi event. Many reports have documented this event; this study consolidates the human performance issues they identify into a coherent framework for understanding how the various contextual factors challenged human cognitive functions and led to failures of human actions. The analysis includes the following parts: 1) the operational narrative documenting the initial conditions, system responses, event evolution, and key human actions required; 2) the plant and system, crew, and task context factors challenging human performance, i.e., the factors that challenge human abilities to detect critical information, understand the situation, make decisions, and execute actions; 3) task analysis documenting the cognitive activities involved in a task, using one human action in Unit 1, injecting water into the reactor coolant system to cool the core or core debris, as an example to demonstrate the contextual factors, the challenges to human performance, and the potential cognitive failures even though the crew managed to perform the action; 4) cognitive failure modes, with examples of cognitive failures reported about the accident; and 5) the performance influencing factors that manifest the cognitive failures. Due to space limitations, this paper presents only the analysis of Unit 1. The IDHEAS-G context documentation of this operating experience would be helpful for improving operator training by explicitly characterizing the situations that operators could face.

1. Introduction

Severe accidents in nuclear power plants (NPPs) involve significant core degradation that may impact the environment and public safety. Notable ones include those at the Three Mile Island, Chernobyl, and Fukushima Daiichi NPPs. There have also been a number of NPP events in which reactor safety was challenged although no core damage occurred. Instrumentation and human performance issues are almost always involved in NPP events and accidents. It is important to understand human performance in past events and to learn lessons that identify potential enhancements to plant safety.

The March 2011 accident at the Fukushima Daiichi NPP involved a total loss of station power and loss of the ultimate heat sink following a beyond-design-basis earthquake and tsunami, which eventually resulted in core damage. Since then, many studies have been performed to understand and apply the lessons learned from that event. The studies were aimed at understanding how the severe accident occurred, identifying lessons learned, and analyzing needs or gaps in various aspects of plant operation such as instrumentation and control (I&C), human and organizational factors, severe accident management, and training. Many lessons-learned reports, independently prepared by organizations such as the Atomic Energy Society of Japan, the International Atomic Energy Agency (IAEA), the Japan Nuclear Energy Safety Organization (JNES), and the U.S. National Academy of Sciences, have notable sections on human roles in mitigating the accident and on how various factors impacted human performance [2-11].

Other studies focused specifically on instrumentation and human factors. For example, the French Institute for Radiological Protection and Nuclear Safety (Institut de Radioprotection et de Sûreté Nucléaire, IRSN) published a technical report, "Six questions to learn from the Fukushima disaster through human and organizational factors" [12]. The Electric Power Research Institute (EPRI) published a technical report, "Severe nuclear accidents: lessons learned for instrumentation, control and human factors," that studied the roles of I&C and human factors in 19 NPP accidents including Fukushima Daiichi [13]; the report identifies issues, gaps, and needs in I&C, human factors, and robotic provisions. Johnson and Welbourne [14] analyzed historical severe NPP events including the Fukushima event and found that deficiencies in instrumentation and human factors played an essential part in nearly every event. These studies, while sharing some common observations and findings, together constitute a comprehensive resource for understanding the common characteristics of human performance in accidents.

Essentially, any NPP accident or event can be understood as a causal chain or causal tree of failures of human performance as well as technical factors. Human Reliability Analysis (HRA) is a way to identify and analyze human failure events by integrating human and technical factors. The new HRA method developed by the U.S. Nuclear Regulatory Commission (NRC), the General Methodology of an Integrated Human Event Analysis System (IDHEAS-G), provides a process and guidance for systematically analyzing human performance and identifying the factors that challenge it. The outcome of IDHEAS-G is a structured causal chain of event context, human failure events, critical human tasks, potential failure modes of the tasks, performance influencing factors, the cognitive mechanisms underlying the human failures, and finally the human error probabilities of the human failure events. The authors used IDHEAS-G to synthesize the human performance and I&C issues in the Fukushima accident identified in various lessons-learned reports and constructed a causal chain of potential failures of human performance given the conditions of the accident. This paper presents a portion of the analysis to demonstrate how IDHEAS-G can be used for analyzing human tasks in nuclear power plants.

2. Approach

The analysis is based on existing documented materials relevant to the Fukushima Daiichi accident. More than 200 documents were reviewed, including reports by various organizations, conference papers, and journal articles. The work was performed in two stages. The first stage started with documenting information related to human performance and instrumentation and then synthesizing the information into the IDHEAS-G framework; this stage was performed for all the reactor units at the Fukushima Daiichi NPP. The second stage is a human reliability analysis of several human events in Unit 1. Because of incomplete data about the events and limited access to the plant operators, we did not estimate the human error probabilities of the human events; however, the information and analysis from the first stage allowed us to perform a preliminary analysis of the cognitive failure modes of the events and of the performance influencing factors manifested by the scenario context of the accident. This paper presents one human event in Unit 1 to demonstrate the approach. This work is still on-going: we keep adding information as new materials become available, and more event analysis is to be performed. Most of the information documented is excerpted or derived from primary sources, namely the original accident reports and lessons-learned reports. We also extracted information from research articles and conference presentations that studied human performance aspects of the Fukushima accident.

3. Results

IDHEAS-G includes six major steps. Table 1 summarizes the IDHEAS-G process and the output of each step. Note that although the six steps appear to form a sequential process, some steps are performed iteratively. This paper presents the outcome of Step 1, scenario analysis, to demonstrate the use of IDHEAS-G to systematically document the information relevant to human performance and instrumentation, as well as the outcome of Step 5, using the Basic Quantification Structure of IDHEAS-G to identify cognitive failure modes and relevant performance influencing factors (PIFs). The results presented in this paper are described briefly and some details are omitted. Also, this paper primarily presents the information relevant to Unit 1; information about the other units is annotated only when it is relevant to human performance in Unit 1.

3.1 Step 1 - Scenario Analysis

The purpose of scenario analysis is to describe the system and human factors that affect operation and may lead to undesirable consequences. The analysis includes three sections, and the outcomes are documented in Tables 2, 3, and 4:

1) Document the initial condition, initiating event, and boundary condition
2) Develop the baseline operational narrative
3) Analyze and document the scenario context

Table 2 - Initial condition, initiating event, and boundary condition of Unit 1

Initial condition: Unit 1 was operating at the licensed power level; the staffing level met the normal operation requirements.

Initiating event: An earthquake followed by a beyond-design-basis tsunami flooded portions of the plant site; damaged pumps, equipment, electrical distribution panels, batteries, and emergency diesel generators; and resulted in the loss of AC and DC power.

Boundary condition:

  • Unit 1 lost AC and DC power shortly after the tsunami's arrival. Once power was lost, the control rooms lost lighting, indicators, instrument readouts, and controls.
  • The Unit 1 reactor automatically scrammed as designed.
  • The isolation condenser (IC) and the high-pressure coolant injection (HPCI) system failed due to loss of power.

The operational narrative should document the automatic system responses, the human responses, and the cues, indications, and bases for the human actions. Additional information should be documented for the specified plant responses and human actions, including component operation limitations, plant-unique designs, and specific human action considerations or challenges (e.g., long manipulation time, the need for special equipment, and potential interference with concurrent tasks). Table 3 shows a short excerpt of the entire operational narrative for Unit 1.

Table 3: An excerpt of the baseline operational narrative

Time | Event evolution | Notes
T=0 | Earthquake |
41-51 min | Tsunami arrival; damaged the site. Loss of onsite AC and DC power. | The main control room lost instrumentation.
51-60 min | I&C failed; HPCI unavailable; reactor shutdown; RPV depressurized. | Estimated time of core damage was between four hours and seven hours. Estimated time of reaching maximum containment pressure/design pressure was about 12 hours.
9.7 h ~ 24 h | Containment venting preparation |
24.8 h | Hydrogen explosion |
+15.0 h to +28.8 h | Initial injection of freshwater/seawater into the reactor |

The purpose of context analysis is to identify the context (situations and conditions) that challenges plant and human performance in the scenario. The context analysis is divided into the following three groups:

The system context - The system context provides a bird's-eye view of the scenario for a holistic understanding of the scenario progression before diving into the detailed analysis of specific human failure events (HFEs).

The crew context - Crew context is centered on the conditions that affect human performance of key actions. This includes the information, stimuli, and conditions affecting the crew's ability to perceive the information related to the plant abnormality, understand the situation, make correct decisions, and perform the required actions in time to prevent an undesired consequence.

The task context - Task context refers to the factors that challenge personnel in reliably performing cognitive tasks (i.e., detecting information, understanding the situation, making correct decisions, and executing actions).

All of the above human activities are most likely to be performed in a teamwork environment, so the identification of operational challenges should be based on an understanding of how these macrocognitive functions are performed. Table 3 documents the crew context for Unit 1.

Table 3 - Crew context

Parallel activities and responsibilities

  • Multiunit interactions - Multiunit interactions complicated the accident response. The units competed for physical resources and attention and/or services of the onsite staff, e.g., the competition for fire trucks to pump water into the Units 1, 2, and 3 reactors.
  • Recovery actions such as cleaning debris of working areas and connecting cables.
  • Emergency evacuation.

Environmental factors

Environmental factors such as smoke, flooding, noise, ambient light, high wind, radiation, seismic activity, and extreme cold or heat impacted personnel's capabilities:

  • Visibility - Work in dark places.
  • Mobility - Obstacles and debris spread around the field.
  • Accessibility or habitability - Personnel could not access the work site, or they could momentarily access the site but could not stay there to complete the work.
  • Personnel physical condition - Work performed wearing protective clothing in a high-dose environment; radiation indications were not reliable; lack of food, cold, and wetness.
  • Communication - Communication was impaired by environmental factors.
  • Safety limits - Environmental factors exceeded the safety limits.

Additional information:

  • Loss of lighting made it difficult to work, forcing control room and field personnel to use flashlights.
  • The lack of food, working toilets, and relief personnel during the early stages of the accident as well as the extended length of the accident response added greatly to personnel fatigue and distress.
  • Field personnel wore standard anti-contamination suits and self-contained breathing apparatus, which made their work and communications even more difficult. At one point during the accident, the Unit 1 reactor operators had to don full face masks with charcoal filters and anti-contamination coveralls, and at times had to move to the Unit 2 side of the control room and crouch down to avoid excessive radiation exposure.

Work site accessibility and habitability

Important constraints in the field (explosions, tsunami) limited access to equipment locations and led to discontinued field work.

Additional information:

  • Workers often received instructions to evacuate from the field to the on-site emergency response center (ERC) and to walk from the field to higher ground.
  • It took more than an hour for field checks to resume after explosions and alerts.
  • Work was discontinued because of aftershocks and tsunami alerts.
  • Flooding in the turbine buildings and the lower portions of Units 1 and 2 rendered reactor control and safety systems inaccessible or unusable.
  • Damage to the site from the tsunami made roads impassable and generally hindered personnel access. It was approximately one and a half kilometers between the Main Control Rooms (MCR) and the ERC, and because the roads were damaged by the earthquake, the walk took longer than usual.
  • Hydrogen explosions, radioactive contamination, and high temperatures limited access to some parts of the Units 1-4 reactor buildings.
  • Attempts to check the status of the isolation condenser valves in the field were unsuccessful because of access limitations and high radiation fields.

Information availability

Indicators and displays in the MCR were damaged or did not work because of the loss of power, so gathering and interpreting information became very difficult:

  • Primary sources of information were not available; secondary sources of information were not reliable; personnel lacked training, guidance, or experience in using secondary sources of information.
  • Personnel did not know how to trust and verify secondary sources of information.
  • Personnel were not aware that some I&C information was misleading.

Additional information:

  • Unit 1 lost instrumentation readouts and the safety parameter display systems; the onsite ERC and offsite center (OFC) were unable to obtain timely information about the condition of the reactor and Units 1-4 spent fuel pools. MCR personnel reported basic reactor parameters to the onsite ERC using fixed-line telephones. This information was manually recorded on whiteboards to share information within the ERC.
  • With no power for instrumentation or controls, the Unit 1 operators lost the ability to monitor plant indicators from the control room. Most critically, they were unable to check the status of the isolation condenser valves or to actuate them from the MCR.

Coordination infrastructure and effectiveness

Centralized coordination was fundamental to the implementation of solutions. Coordination was needed in choosing solutions, implementing them, and evaluating the limits beyond which the envisaged operation must be abandoned.

  • Inadequate command and control between ERC, MCR, and field shift teams - Lack of clarity of roles and responsibilities within the onsite emergency response center and between the onsite and headquarters emergency response centers; these may have contributed to response delays.
  • Shift team experienced interdependence with other stakeholders: for example, evacuation of the surrounding populations and working with firefighters.
  • Coordination among the central and local governments was hampered by limited and poor communications.
  • Protective actions were improvised and uncoordinated, particularly when evacuating vulnerable populations (e.g., the elderly and sick) and providing potassium iodide.

Additional information:

  • Back and forth from MCR to ERC took about 40 minutes, assuming that workers leave as soon as they arrive. In actuality, they had to confirm their presence to their team leaders prior to departure.
  • The coordination activities that would normally be performed at the OFC were conducted at the Tokyo Electric Power Company (TEPCO) headquarters ERC, which was located in Tokyo, and at Japanese government offices. This reduced the effectiveness of communications between the onsite ERC, TEPCO, and local and national government agencies. The loss of telecommunication infrastructure led to the increased involvement of the central government in the response to the accident, partly because the government perceived that it was not receiving accurate and timely information. The Japanese government contacted the headquarters and onsite ERCs directly to get information.

Decision-making infrastructure (decision-makers, authorities and hierarchy, use of innovative solutions)

  • Emergency management plans were inadequate to deal with the magnitude of the accident, requiring emergency responders to improvise.
  • Decision-making processes by government and industry officials were challenged by the lack of reliable, real-time information on the status of the plant, offsite releases, accident progression, and projected doses to nearby populations.
  • Different and revised radiation standards and changes in decontamination criteria and policies added to the publics confusion and distrust of the Japanese government.
  • Innovative solutions were used when the solutions in the emergency operating procedures (EOPs) and Severe Accident Management Guidelines (SAMGs) did not work; operating experience feedback from past crises contributed to the development of these innovative solutions.

Additional information:

The OFC, located in Okuma about five kilometers southeast of the plant, did not function as intended following the tsunami. It was never fully staffed because of access difficulties owing to transportation system damage and traffic congestion. Additionally, all of its telecommunications circuits except a satellite connection were inoperable. The OFC had to be evacuated on March 14 because of elevated radiation levels following the hydrogen explosion in the Unit 3 reactor building.

The loss of AC and DC power in Unit 1 caused its isolation condenser (IC) to shut down. As a consequence, Unit 1 essentially lost all core cooling functions. Three cooling solutions were envisaged: the emergency systems (the IC, the Reactor Core Isolation Cooling (RCIC) system, and the High Pressure Coolant Injection (HPCI) system); an emergency coolant line created by linking the piping of three existing coolant systems together and using the fire protection system pump to inject coolant; and, lastly, the use of this emergency coolant line powered by fire trucks instead of the fire protection pump. The solutions were implemented sequentially. When it appeared that the emergency systems did not work, the innovative idea of using fire trucks came from the emergency director, based on his experience in a past crisis.

Staffing

  • Staffing levels at the plant were inadequate for managing an accident involving multiple reactors at one site, lasting for an extended duration, and/or involving non-standard plant conditions.
  • Staffing qualification was inadequate because non-proceduralized innovative solutions and skill-of-craft actions were required.

Additional information:

  • Ninety-seven personnel were working on site at the time of the earthquake. These personnel performed the initial actions following the earthquake and tsunami. Additional personnel arrived to support the control room staff in the following hours and days.
  • Additional personnel were needed for:
    o the recovery team responsible for restoring power and monitoring instruments, and the fire brigade units that used fire engines to inject cooling water into the reactors;
    o a health physics team that monitored radiation levels within Fukushima Daiichi and its surroundings;
    o a procurement team that provided material support.

Procedures and guidance

Following the total loss of electrical power, the planned procedures could no longer be executed. The on-shift crew had to work independently or even in isolation because of the communication problems and the many emergencies that the ERC had to manage.

Additional information:

The operators succeeded in adapting to uncertainty largely without offsite support. They set up operational procedures as well as procedures for managing the teams in the field. They were also able to develop action sequences independently, without the support of their management.

Training and experience

It was difficult to establish a relationship between problems and solutions because of the personnel's lack of training and previous experience:

  • Empirical knowledge was limited because of the division of tasks between humans and machines. The operators did not have direct situational awareness of what they were doing: they were not directly involved in the production process but acted instead upon control and display systems that centralize information from groups of machines (alarm messages, measurement readings, etc.). The plant automation systems allowed operators to act upon technical intermediaries rather than directly upon the work objects. Empirical knowledge was also limited because operator actions had been guided by procedures.
  • There was inadequate training of operators and plant emergency response organizations for responding to severe accidents, including:
    - understanding of nuclear plant system design and operation;
    - operators' capabilities for managing emergency situations and using ad hoc responses to bring reactors to safe shutdown during extreme beyond-design-basis events.

Additional information:

The majority of the preplanned response options embodied in the TEPCO accident management procedures were not applicable to the situations that operating staff confronted following the earthquake and tsunami. Although operators underwent extensive training, that training did not cover the accident scenarios that unfolded at the plant following the tsunami. For example, although there were procedures and training for venting, these procedures assumed that power would be available to operate the venting valves from the control room. Procedures and training also assumed that plant indicators would be available in the control room. Onsite ERC staff training assumed that the safety display parameter system and communication lines with control rooms would provide good situational awareness of plant state and operator actions.

Equipment and tools

Most of the centralized controls were out of order, and actions had to be performed manually in a dangerous environment (aftershocks, contamination, etc.). Much of the equipment and many of the tools needed were either unavailable or could not be operated properly.

  • Limited means of communication between the control rooms and the onsite ERC, and between the control rooms and the field, made it difficult to plan and carry out response efforts across the site.
  • Knowledge of the installations was needed to anticipate the course of actions.

Additional information:

The plant owner and the principal regulator failed to protect critical safety equipment at the plant from flooding in spite of mounting evidence that the plant's design basis for tsunamis was inadequate. The plant owner was not adequately prepared for an earthquake and tsunami of this magnitude. The plant lacked a survivable onsite power supply, water pumping, and communications equipment, resulting in failures to transmit information and instructions in an accurate and timely manner and hindering responses to the accident.

To mitigate severe accidents, FLEX strategies were recommended for U.S. plants. The National Academy of Sciences report recommended that the FLEX strategies at individual nuclear plants might need to be augmented to provide the resources required to implement revised SAMGs. For example:

  • Coping with power loss will likely require the availability of portable batteries, emergency generators, and prepared power cables.
  • Low-pressure water injection might require the availability of self-powered portable pumps that can generate sufficiently high pressures to overcome a partially depressurized reactor vessel or partially vented containment.

Table 4. Task context

Scenario familiarity

The Fukushima Daiichi nuclear accident was off the map in terms of preparation, planning, and training for severe nuclear accidents.

  • The loss of nearly all onsite AC and DC power at the plant with the consequent loss of real-time information for monitoring critical thermodynamic parameters in reactors, containments, and spent fuel pools and for sensing and actuating critical valves and equipment greatly narrowed options for responding to the accident.
  • Operators could not perform critical control actions from the MCR; instead, they had to take manual actions in the field. Radiation releases in the plant and limited access to personnel dosimeters hampered the ability of personnel to perform their duties, both in the MCR and in the field. Some field activities required multiple teams because of difficult onsite conditions. Flooding, debris, and other hazards caused by the tsunami challenged the field response; hydrogen explosions further set back response activities. The operators encountered situations that went well beyond their training for responding to off-normal conditions.
  • When the work object itself failed, the operators first had difficulty recognizing the fact, because they thought of it as operating independently (as a result, no one imagined that the indicators might be malfunctioning). Second, the operators had difficulty acting directly upon it (for example, by developing other means of measurement).

Intermingled multitasking

ERC staff experienced moderate intermingled multitasking:

  • The undersized ERC had to prioritize needs, and its attention was focused on one reactor at a time.
  • The management of each reactor in turn created certain difficulties because it was not easy to prioritize actions between the reactors.

At different points in time, the onsite ERC focused attention on one unit at the possible expense of others. For example, the delay in recognizing that the isolation condenser was shut off in Unit 1 was partly explained by the fact that the ERC was initially focused on Unit 2, because it could not confirm that the Unit 2 reactor core isolation cooling (RCIC) system was functioning. The onsite ERC staff were trying to manage responses at multiple reactor units, which taxed their ability to maintain awareness of the rapidly changing conditions at Unit 2 and to appropriately prioritize and direct response activities. ERC staff were occupied with Unit 1 through the morning and afternoon of March 12. Staff attention then focused on the Unit 3 reactor. The hydrogen explosion in the Unit 3 reactor building on March 14 caused extensive damage to the site and temporarily halted recovery activities for Unit 2.

Persistent or frequent distraction / interruption

ERC staff and the shift team experienced frequent distractions and interruptions, e.g.:

  • ERC staff's situational assessment and decision-making were often distracted by tsunami warnings, aftershocks, and unexpected events.
  • Operators' work was often interrupted by aftershocks; they were also distracted by other on-going activities (explosions, evacuation, etc.).
  • The tsunami warnings affected the site superintendent's thinking about accident management because he was concerned that the tsunami might damage the seawater pumps.

Dynamics predictability

  • The accident evolution was highly unpredictable and had complex dynamics. Loss of indicators and damage to plant systems made reactor responses unpredictable.
  • The accident involved different plant system dynamics for the different reactor units.
  • The on-shift crew had difficulty anticipating events for unexpected action sequences. For example, they did not anticipate that an air compressor would be needed to open the venting valve remotely, which resulted in a significant delay in containment venting.

Cognitive complexity

Cognitive complexity was high for the ERC and the shift team because one action could affect sequences of other actions.

Time pressure and other stresses

  • Personnel experienced high time pressure because they had to cool the reactor and spent fuel pool to prevent a catastrophic disaster. Coordination of depressurization and low-pressure water injection proved impossible to accomplish under the conditions at the plant following the tsunami. There was a time window of only a few hours for depressurization of the reactor pressure vessel (RPV) and water injection to avoid core damage, because of the rapid boil-off of the water once the cooling systems stopped.
  • Personnel also experienced stress from fear of the accident's consequences and from worrying about their families.

Mental fatigue

ERC staff and the on-shift crew experienced high mental fatigue from working long hours and handling highly cognitively demanding situations (e.g., struggling with the status of the isolation condenser).

3.2 Task analysis

One of the critical tasks was to use a fire truck to inject water into the reactor after it became clear that the isolation condenser was not working. This was an innovative strategy that was not in any existing procedure or guidance. The task analysis is documented in Table 5.

Table 5. Task analysis for the action of using a fire truck to inject water into the reactor

Task context: Description

Successful outcome: Sufficient water injected into the reactor to cool the core.

Task narrative: Immediately after the tsunami, Unit 1 lost both ac and dc power; therefore, the operator did not have indications of the core cooling status. The isolation condenser (IC), if working, could keep the core cool for more than a day. However, if the IC was not working, it would take only a few hours to uncover the core. In the meantime, the IC operating status was not available to the operator before the instrumentation power was restored. The decision to use fire trucks to cool the core required depressurization of the RPV. This would disable the installed core cooling options, including the IC and the HPCI system, to enable the less reliable option (fire trucks). The operator had to make the decision under a time constraint.

Plant evolution and key cues: The two procedure-recommended strategies did not work; the ERC ordered the use of fire trucks. Plant operational personnel did not have the necessary skills for the task, so the ERC asked subcontractors to operate the fire trucks.
  17:12 ERC supervisor asked to consider use of fire trucks
  18:18 ERC considered how to use fire trucks
  18:30 ERC requested additional fire trucks and clearing of the road
  2:30 ERC ordered subcontractors
  3:00 - 4:00 ERC and subcontractors searched for hose connectors
  15:36 Started injection of seawater

Cognitive activities: Prepare fire trucks; negotiate with subcontractors; search for the fire truck hose connectors; inject seawater into the reactor.

Procedure coverage: No procedure or guidance available for the task.

Personnel involved: ERC team, shift team, subcontractors.

Special equipment needed: Fire trucks, hose connectors.

Locations: Only one fire truck on site was directly usable after the tsunami. The ERC requested that additional trucks be sent. However, the earthquake and tsunami had caused considerable damage. The roads were damaged and blocked by large debris such as oil tanks and boats. This debris delayed the arrival of external fire trucks (and other equipment) and also created significant obstacles to movement within the plant once they arrived.

Environmental factors affecting the task:
  • Visibility - Work in dark places. Loss of lighting made it difficult to work, forcing control room and field personnel to use flashlights.
  • Mobility - Obstacles and debris spread about the field.
  • Accessibility or habitability - Accessible and habitable.
  • Communication - Communication was impaired due to environmental factors.
  • Radiation - Field personnel wore standard anti-contamination suits and self-contained breathing apparatus, which made their work and communications even more difficult. At one point during the accident the Unit 1 reactor operators had to don full face masks with charcoal filters and anti-contamination coveralls, and at times had to move to the Unit 2 side of the control room and crouch down to avoid excessive radiation exposure.

3.3 Quantitative analysis

3.4 Identification of Failure Modes

The personnel's failures to perform required actions are documented as IDHEAS-G high-level failure modes, i.e., failures of the macrocognitive functions. Table 6 shows some failure modes and examples of each.

Table 6 - Examples for failures of macrocognitive functions

Failure of macrocognitive function: Examples

Failure of Detection: The Unit 1 operators lost the ability to monitor plant indicators from the MCR. Most critically, they were unable to know the status of the isolation condenser valves or to actuate them from the control room. Attempts to check the status of the valves in the field were unsuccessful because of access limitations and high radiation fields.

Failure of Understanding: Operators and onsite ERC staff did not understand at first that the isolation condenser had stopped functioning because plant indicators and controls were not available. In fact, the Unit 1 operators initially assumed that the isolation condenser was working.
Because of the failure of the safety parameter display systems and the lack of definite information from the Unit 1 operators, the staff in the onsite ERC and the site superintendent could not determine if the isolation condenser was functioning. At this point the operators inferred that the isolation condenser was functioning; this inference was based on indirect audible (i.e., steam generation was heard) and visual (i.e., a steam plume was observed) cues. The operators informed the onsite ERC that the isolation condenser was functioning. Miscommunications, combined with misleading water-level indicators in the reactor pressure vessel, caused the onsite and headquarters ERCs to continue to believe that the isolation condenser was operating. By about 22:00 on March 11, rising radiation levels were observed in the reactor, drywell, and turbine buildings, suggesting that fuel degradation and core damage were occurring. By 23:50 the site superintendent and other onsite ERC personnel fully understood that the isolation condenser was not operating.

Failure of Decision-making: The onsite ERC began to take proactive actions to restore the Unit 1 monitoring systems and establish alternative water injection sources. The site superintendent directed onsite ERC staff to give priority to restoring plant indicators, particularly reactor water level and pressure. At approximately 17:10 on March 11, he instructed onsite ERC staff to begin preparation for two alternative water injection strategies: water injection via the diesel-driven fire protection system, a mitigation strategy specified in the plant's accident management procedures, and water injection through the fire protection system using fire engines, a strategy not specified in those procedures.

Failure of Action execution:
Failure of command and control - The Unit 1 operators asked the onsite ERC to provide batteries so that the safety relief valves could be opened from the control room. However, the ERC team member who received this request did not understand its urgency, possibly because the ERC believed that the isolation condenser was still operating normally. In fact, the onsite ERC did not act on this request for several hours.
Delayed action - The Unit 1 operators began preparations for venting the containment. Operators consulted piping and instrumentation diagrams, valve drawings, and accident management procedures. These procedures assumed that power would be available for remote valve control; consequently, they were not applicable to the then-current situation in Unit 1. The operators needed to develop a plan for venting the containment by manual valve operation. This required study of the layout and configuration of the vent valves to determine which valves needed to be opened, their locations, and whether and how they could be opened manually. Operators confronted a number of obstacles to venting containment. After various delays, venting was eventually performed from the control room when containment pressure had reached over 0.75 MPa (110 psig), almost twice the design value of 0.43 MPa (63 psig).

Failure of teamwork:
  • Miscommunication between the onsite ERC, headquarters ERC, and the Nuclear and Industrial Safety Agency (NISA) contributed to misunderstandings and a lack of confidence by the Prime Minister's office in TEPCO's ability to manage the accident.
  • Miscommunications about operation of valves and the status of the isolation condenser in Unit 1.
  • Portable generators were delivered with incorrect voltage and connectors.
  • Breakdown in communications among the shift teams, onsite ERC, offsite ERC, NISA, and the Prime Minister's office about the situation inside and outside of the plant.
  • Coordination of systems and equipment for monitoring, protection and decontamination was poor due to lack of infrastructure and information.
  • Lack of coordination between the shift team and firefighters because neither understood the responsibility given to them by the site superintendent.

3.5 Identification of Performance Influencing Factors

Table 7: Performance influencing factors that led to failures of macrocognitive functions

Cognitive function: PIFs
Detection:
  • HSI was limited with respect to the cues, indications, and controls available.
  • Operator activities associated with detection and monitoring of cues and indications were distributed between the MCR and other locations in the plant under degraded environmental conditions (cold, noise, radiation, visibility, etc.).

Understanding:
  • Operators and decision-makers were unfamiliar with the scenarios; therefore, they did not have an existing mental model to fully understand the situation.
  • Degraded sensors and indicators may be misleading.
  • Sources of information may carry great uncertainties.

Decision-making:
  • Procedures were not applicable to the situations, so they did not help in diagnosing problems.
  • Decision-making complexity: involvement of multiple teams.
  • Information for decision-making may not be available.
  • Difficulty in planning - A clear approach is needed from EOPs to SAMGs and the extended damage management guidelines (EDMGs).
  • Decision-making during multi-unit events, including understanding effects such as MCR configuration (common control rooms vs. separate control rooms) and the distance of separation of the units.
  • Difficult to prioritize limited resources.
  • Distributed locations of decision-making.
  • Unclear responsibility, accountability and authority for decision-making in a crisis.

Action execution:
  • HSI for action execution is limited and distributed in multiple locations in the plant under degraded environmental factors (heat, cold, noise, radiation, visibility, etc.).
  • Equipment and tools are limited.
  • Manual actions are needed for degraded / damaged automation.
  • More and different types of communication are required than if all of these activities took place in the MCR.
  • Action scripts need to be developed (skills-of-the-craft).
  • Operators' lack of knowledge of IC functions and lack of experience in its operation.
  • Operators are unfamiliar with the facilities.
  • Lack of instructions and coordination.
  • Staffing is inadequate either in the number of personnel or in the types of personnel with special skills.

Teamwork:
  • Inadequate drills and exercises to manage long-hour accident management actions.
  • Complex communication configuration.
  • Lack of communication requirements / strategies / protocols.
  • Unclear personnel responsibility for communication.
  • Lack of redundancy for communication technologies shared by all organizations.
  • Lack of mechanisms to maintain required communication linkages when communication technology fails.
  • Difficult communication between off-site and on-site - lack of a common operational picture and lack of a coordination model.
  • Critical infrastructure - the on-site center may not function because of no water supply, no power supply, sheltering indoors, exhaustion, and radiation.
  • Command & control may not function as expected.
  • Lack of clarity in roles and responsibilities within the onsite ERC, particularly with respect to allocating responsibilities for responding to situations that are not covered by accident management procedures. This led to delays in developing strategies and implementing them.

Some context factors that manifest the PIFs:

  • Highly vulnerable site
  • Location of emergency equipment
  • Prolonged station blackout
  • Inadequate diverse electric supply system
  • Lack of training for emergency
  • Delays in outside help or assistance
  • Unexpected, complex, stressful conditions
  • Inadequacies in emergency preparedness
  • Inadequate staffing for multi-unit events, including extreme external events that could disrupt local infrastructure
  • Lack of pre-staged protective measures and equipment for emergency responders during multi-unit events
  • Poor command and control for multi-unit events
  • Limited dose assessment capability for multi-unit events
  • Limited capability for onsite and offsite radiation monitoring, including AC independence and real-time availability
  • Lack of communications equipment effectiveness during a prolonged Station Blackout (SBO)
  • Lack of real-time data on plant status (accurate and automated)
  • Inadequate drills and training under more realistic accident conditions
  • EP decision-making framework - need to include expansion of response beyond plume exposure, emergency plan zone, and recovery and reentry

4. Summary

To prevent severe accidents from occurring, it is important to understand how past severe accidents occurred and to learn lessons from them. Much work has been done in learning lessons from the Fukushima-Daiichi NPP accident. This report is not another lessons-learned report.

Instead, it synthesizes findings and lessons learned about the human performance aspects of the accident and documents the findings in the structured framework of IDHEAS-G. The documentation provides a systematic understanding of human performance in the accident: the operational narrative describes how the accident occurred from a human-centered perspective; the context analysis elucidates the situational factors challenging human performance; the task analysis delineates how personnel performed the tasks for the required human actions; and the failure modes of the human actions, together with the associated performance influencing factors manifested by the context, present the general characteristics of how and why personnel may fail to perform required actions.

These together constitute the basis for applying lessons learned to improving design of plant systems, structures, and components, as well as procedures and training.

References

1. NRC, 2017, An Integrated Human Event Analysis System - The General Methodology (IDHEAS-G), US Nuclear Regulatory Commission, NUREG-2198, in preparation.
2. Atomic Energy Society of Japan, 2011 Lessons learned from the accident at the Fukushima Daiichi Nuclear Power Plant, May 2011
3. Atomic Energy Society of Japan, 2012 Lessons Learned and Recommendations According to Nuclear Disaster Prevention Based on the Support Activities to the Accident at Fukushima Nuclear Power Stations, JAEA Review 2011-049, January 2012
4. Nuclear Regulation Authority of Japan (NRA) 2014 Analysis of the TEPCO Fukushima Daiichi NPS Accident, Interim Report, November 4, 2014
5. Tokyo Electric Power Company, 2012 Fukushima Nuclear Accident Analysis Report, Tokyo Electric Power Company, Inc. (2012).
6. Japan Nuclear Technology Institute (JANTI), 2014 Lessons Learned from Accident Investigation Reports on the Fukushima Daiichi Accident and JANSIs Supporting Activities, Revision 1, February 13, 2014
7. IAEA 2014 Human and Organizational Factors in Nuclear Safety in Light of Accident at Fukushima Daiichi Nuclear Power, International Experts Meeting, 21-24 May 2013, Vienna, Austria, September 2014
8. NEA 2014 Report On Fukushima Daiichi NPP Precursor Events, Working Group On Operating Experience, Nuclear Energy Agency Committee On Nuclear Regulatory Activities, January, 2014
9. US National Research Council 2014 Lessons Learned from the Fukushima Nuclear Accident for Improving Safety of U.S. Nuclear Plants, Committee on Lessons Learned from the Fukushima Nuclear Accident for Improving Safety and Security of U.S. Nuclear Plants, National Council, National Academies Press, 2014
10. INPO, 2011 & 2012, Special Report on the Nuclear Accident at the Fukushima Daiichi Nuclear Power Station, Rev. 0, Institute of Nuclear Power Operations, Report No. 11-005, 2011, and Lessons Learned from the Nuclear Accident at the Fukushima Daiichi Nuclear Power Station, Rev. 0, Institute of Nuclear Power Operations, INPO 11-005 Addendum, 2012.
11. Electric Power Research Institute (EPRI), 2012, Fukushima Daiichi Accident - Technical Causal Factors, Huffman, K., Electric Power Research Institute, Report No. EPRI-1024946, 2012.
12. Electric Power Research Institute (EPRI), 2015, Severe Nuclear Accidents: Lessons Learned for Instrumentation, Control and Human Factors, December 2015, Report No. 3002005385.

13. French Institute for Radiological Protection and Nuclear Safety (IRSN), 2015, Human and Organizational Factors Perspective on the Fukushima Nuclear Accident, IRSN, 2015.
14. G. Johnson and D. Welbourne (2015), Lessons Learned From Historical Severe Accidents, NPIC & HMIT 2015, Charlotte, NC, February 22-26, 2015