Human Reliability Quantification in Severe Nuclear Accidents

On March 11, 2011, the Fukushima Daiichi Nuclear Plant was felled by an earthquake and subsequent tsunami, which damaged its four reactor buildings. (Photo courtesy of Digital Globe.)

By Hossam Shalabi

The scope of this paper is to discuss the whether we can quantify human reliability in severe nuclear accidents because of internal fires. Severe accident management (SAM) entry conditions refers to internal fires that will lead to loss of core cooling and loss of moderator cooling or excessively high radiation levels inside or outside of containment. Fire human reliability analysis (HRA) is discussed in normal situations and modified for use in severe accident situations. An operator’s action and ingenuity is vital in such events, there is a need to prepare the operators for such events through instrumentation, procedural guidance, and training. Severe accidents Management Guideline (SAMG) is knowledge-based decision among a set of complicated choices, and do not give the same amount of direction as the emergency operating procedures (EOP) addressed in HRA.

 

1.0  Introduction

The objective of fire human reliability analysis (HRA) is to properly describe and display the impact of plant operations staff on risk. You can achieve this by evaluating the factors influencing human performance during the identification, qualitative analysis, and quantification of human failure events (HFEs). HRA models reflect the “as operated” portion in the probabilistic risk assessment (PRA), which reflects the as-built and as-operated plant.

The three fundamental types of human error follow1:

  • Pre-initiators (Type A)—typically as part of system fault tree models.
  • Initiators (Type B)—as initiating events.
  • Post-Initiators (Type C)—as part of the plant response models (typically as event tree top events).

Post-Initiators (Type C)

Post-initiator human interactions happen after an initiating event and contain a cognitive element and an execution element. The cognitive element incorporates detection, diagnosis, and decision-making, while the execution element includes manipulation tasks.

Post-initiator human interactions happen in response to some cue.2, 3 The cue can be initiate an event, an alarm, a procedural step, or an observation. On the contrary, the pre- and post-initiator human interactions are dynamic and dependent on time restrictions. This will increase the level of dependency between crew members, where it increases the probability of failure. Performance shaping factors may ease the stress level, therefore decreasing the probability of failure, while other performance shaping factors may exacerbate the stress level, consequently increasing the probability of failure. Post-initiator human interactions are analyzed in a cue-response time framework.

Some of these performance shaping factors are timing, cue, procedure, training, and environment. You can identify some factors in the component context such as culture, time constraints, workload, environmental conditions, event frequency, motivation, deficient procedures, training ineffective, inadequate supervision, poor man-machine interface, and insufficient staff.

The main performance shaping factors4, 5 that contribute to human error are the following:

  1. Available time.
  2. Stress and stressors.
  3. Complexity.
  4. Experience and training.
  5. Procedures.
  6. Ergonomic and human machine interaction.
  7. Fitness for duty.
  8. Work process.
  9. Information.
  10. Job design.
  11. Supervision.
  12. Human system interphase design.
  13. Task environment.
  14. Workplace design.
  15. Physical characteristics.
  16. Attention/motivation.
  17. Skills and knowledge.

 

2.0 Fire HRA Assessments6-10

2.1 Manipulation Time Calculations

Figure 1 presents a timeline illustrating the components involved in calculating time margin. In this diagram, tavail is the total time available from the initiating event until the action is no longer beneficial. The time window (tw) is the amount of time available to perform the action including diagnosis and execution. The other variables are the time of the initiating event, the time from the initiating event until the cue(s) is received (tc), the time to diagnose the problem and formulate the response (td), and the manipulation time or time required to execute the action (tm). (1)

 

Figure 1. Total Time Available, Time Required, and the Resulting Time Margin

 

You can calculate the margin (Equation 1):

  • TSW = System time window. This is defined as the time from reactor trip to an undesired end state.
  • Tdelay = Time from start of fire (or transient in the internal events case) until cue is reached.
  • tm = Manipulation time.
  • T1/2 = Median response time.

 

Figure 2. Cue-Response Structure Timelines

 

2.2 Cognitive Modeling Using Fire Human Cognitive Reliability/Operator Reliability Experiment (HCR/ORE).

The fire HCR/ORE is an empirical method that depends on time-reliability correlations. With these two parameters, the probability of crew non-response (Pc) in a time window (T½) is given as follows (Equation 2):

Pc = 1 – Φ [ln(T/T1/2)/ σ]

Where the following is true:

  • Φ = The standard normal cumulative distribution (refer to standard normal distribution tables).
  • T = (Tsw – tm).
  • Tsw = The time window available (either the time to boil or time to CD).
  • tm = The manipulation time: The time required to complete the needed actions once they are identified.
  • T½ = The crew median response time.
  • σ = The logarithmic standard deviation.

 

2.3 Psycho-Physiological Characteristics in Internal Fire Event

The guide of psycho-psychological operator’s characteristics is the velocity of action. The velocity of action, given that the operator instantly starts to act, is characterized by the time needed to complete the following task (Equation 3):

τ = a + bH

a denotes latent respond time,

b is the quantity adversely proportional to the velocity of information processing, and

H denotes the quantity of information that human operator has to process.

If the operator doesn’t act immediately on receiving the signal, the sequence of signals is formed, and the velocity of action is characterized by the time required for service (Equation 4):

τ’ = τwt + τ

τwt is waiting time for service.

τ is responding time.

 

2.4 Functional Condition

This coefficient indicates how much less work an operator can perform in a particular functional state compared to the amount of work that he may do with optimal functional state regarding a specific activity.

The values of the coefficient range from 1 to 5. This fact is used for quantification of influences that physiological condition have on reliability of the operator. The values of coefficient are assigned to the particular functional conditions as follows:

  • Stable functional condition: 1.
  • Monotony:  1-2.
  • Fatigue: 2-3.
  • Overload: 4-5.

 

3.0  Severe Accident Management (SAM) because of Internal Fires

SAM is used when EOPs are unsuccessful. SAM guidelines are used by the command and control organization as the decision-making tools that follow:

  • Deployment of appropriate strategies.
  • Use of alternate systems that were not originally envisioned in the safety and licensing basis.
  • Strategies and/or predefined procedures.
  • International Atomic Energy Agency (IAEA) observed that “dedicated and devoted” personnel contributed greatly to response effectiveness and the avoidance of consequences, BUT “severe accident management provisions were not adequate to cope with multiple plant failures.”

 

Figure 3. Design Basis Analyses (DBA) vs. Beyond Design Basis Analysis (BDBA)

 

SAM entry conditions in this paper refers to internal fires that will lead to loss of core cooling and loss of moderator cooling or excessively high radiation levels inside or outside of containment.

 

Figure 4. Accident Severity

 

EOPs deals with the activation of emergency cooling, the response to leak, contamination events, fires, floods, and so on. Its procedures are event-based and, therefore, rely on diagnosis of the situation by control room personnel.

SAM entry criteria because of internal fires will involve the following:

  • The failure of existing procedures to gain control of accident progression.
  • Plant parameters exceeding pre-defined set points and other evidence of a severe accident, which includes significant core damage or degradation and/or any accident that causes major release of radioactivity from the reactor.

SAM entry conditions because of internal fires includes the loss of core cooling, which causes core damage and could lead to major release from the reactor and/or excessively high radiation within or outside of confinement. “Excessive” will need to be carefully defined.

 

4.0  Severe Accident Management (SAM) HRA

There are many HRA challenges in severe accidents because of internal fires. These challenges include potential psychological impacts on operators, different decision makers, the treatment of errors, recovery action feasibility and time, uncertainty effects, the effects of long scenario duration, and crew-to-crew variability.

HRA usually deals only with control room crew decision making. The Fukushima event demonstrated the following:

  • Decision makers might include government officials and regulators.
  • Decision makers outside the control room can make mistakes.13
  • Organizational responsibilities may not be clear.

As shown in section 2.1, you can increase tm by decreasing td or/and tm (see Equation 1). td or T1/2 and tm have to be redefined when dealing with severe accidents.

td or T1/2 is the response time that includes the time required to change from EOP to SAM ;and

tm the time to respond using SAM procedures.

Therefore, SAM entry conditions from internal fires (the loss of core cooling and the loss of moderator cooling or excessively high radiation levels inside or outside of containment) has to be the first check you do while using EOP and a regular check up on such conditions is required to minimize td or T1/2.

Regular training, SAM simulation, and knowledge-based decision makers will have an influence in decreasing tm. In addition to defined severe accident command system to avoid mistakes and interruptions in decision making.

Being able to decrease both T1/2 and tm will also have a positive influence on the probability of response Pc time (see Equation 2) and will also positively impact the psycho-psychological operator’s characteristics velocity of action (see Equation 3).

 

5.0  Conclusions

Severe accidents because of internal fires are uncommon. Performing SAM HRA will require expanding of existing fire HRA practices and methods. The operator’s action and ingenuity is vital in such event;, there is a need to prepare the operators for such events through instrumentation, procedural guidance, and training. Operator response assessment (HRA) is essential to determine and mitigate vulnerabilities. There is a need for valid operator behavior psychological model in severe accidents to carry such an assessment.

 

References

  1. EPRI/NRC-RES Fire Human Reliability Analysis Guidelines. November 2009. NUREG-1921.
  2. NUREG/CR-1278, “Handbook of Human Reliability Analysis With Emphasis on Nuclear Power Plant Applications”, A.D. Swain and H.E. Guttman, 1983.
  3. SHARP1 – A Revised Systematic Human Action Reliability Procedure. 1990. EPRI NP-7183-SL SHARP/SHARP1.
  4. S. Gitahi Kariuke and K. Löwe, “Increasing human reliability in the chemical process industry using human factor techniques,” Process Safety and Environmental Protection, 84(B3), pp. 200-207, May 2006.
  5. H. S. Blackman, D. I. Gertman and R. L. Boring, “Human Error Quantification using Performance Shaping Factors in the SPAR-H Method”, 52nd Annual Meeting of the Human Factors and Ergonomics Society, September 2008.
  6. NUREG/CR-1278, “Handbook of Human Reliability Analysis With Emphasis on Nuclear Power Plant Applications”, A.D. Swain and H.E. Guttman, 1983. 
  7. SHARP1 – A Revised Systematic Human Action Reliability Procedure. 1990. EPRI NP-7183-SL SHARP/SHARP1.
  8. EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities. September 2005. NUREG/CR-6850/EPRI 1011989.
  9. NUREG-1792, “Good Practices for Implementing Human Reliability Analysis (HRA),” Sandia National Laboratories, 2005.
  10. NUREG-1852, “Demonstrating the Feasibility and Reliability of Operator Manual Actions in Response to Fire”, October 2007.
  11. Savić, S., Analiza grešaka upravljanja i njihov uticaj na pouzdanost sistema “čovek-mašina“, Doktorska disertacija, Fakulltet zaštite na radu, Niš, 1992.
  12. Зараковский, Г.М., Павлов, Б.Б, Закономерности функционирования эргатических систем, Радио и связь, Москва, 1987.
  13. Dougherty, E. M. Human reliability analysis-where shouldst thou turn? Reliability Engineering and System Safety. 29, 283-299, 1990.

 

Hossam Shalabi, P. Eng, M. Eng, M.E.M., CMBB, is a senior fire protection engineer for Canadian Nuclear Laboratories. Shalabi finished his bachelor’s degree in applied science (chemical engineering) from University of Ottawa and his master’s degree in fire safety engineering from Carleton University. He completed his second master’s degree in engineering management from University of Ottawa. Shalabi is also a PhD candidate for fire safety engineering from Carleton University. He is a licensed professional engineer in the Professional Engineering Ontario’s Program.  


Shalabi is also an International Atomic Energy Agency (IAEA) fire engineering expert as well as a subject matter expert at Canadian Nuclear Laboratories (CNL) for fire modelling using CFAST & FDS and fire probabilistic risk assessment. He has more than 10 years of experience in applying fire safety engineering principles and techniques in nuclear industry, oil and gas, manufacturing, and engineering consulting. This experience includes but is not limited to experimental laboratory and field work, teaching, data analysis, computer simulation and modelling, and risk assessment. Shalabi is also a Six Sigma Master Black Belt certified, certified ISO 14001 Lead Auditor, certified ISO 9001 Lead Auditor, and certified OSHAS 18001 Lead Auditor.

No posts to display