Embed Size (px)
Citation preview
Integrated Risk Assessment CenterKorea Atomic Energy Research Institute (KAERI)
IEEE HFPP/HPRCT, Monterey, Aug. 26-31, 2007
J. Kim, W. Jung, J. Park
AGAPE-ET: Advanced Guidelines for Human Reliability Analysis of
Emergency Tasks
ν Introductionν The MDTA-based Methodν The K-HRA Methodν The AGAPE-ET Frameworkν Examplesν Conclusion
Table of Contents
ν Major activities on HRA method development in Koreaν The MDTA-based HRA method
⎫ Diagnosis failures (misdiagnosis) and their Risk Impacts ⎫ Identification and Assessment of EOCs/EOOs that might be
induced from the diagnosis failure (misdiagnosis) of an event ν The Korean standard HRA (K-HRA) method
⎫ Standardisation of the conventional HRA method by developing guidance and rules based on consensus between HRA user organisations
⎫ Only deals with EOOs for emergency tasks
ν Need for an integrated framework for application to PSA event scenarios
ν AGAPE-ET (Advanced Guidelines for Analysing Prospective human Events in conducting Emergency Tasks)
Background
ν Stages for Analysisν Stage 1: Assessing the potential for a
diagnosis failureν Stage 2: Identification of human failure
events (HFEs)ν Stage 3: Quantification of HFEs
ν Stage 1: Assessing the potential for a diagnosis failure
ν The MisDiagnosis Tree Analysis (MDTA)Method for analysing and assessing a diagnosis failure
ν Constituted as Diagnosis rules, Diagnosis causes, (Mis-) Diagnosis results
ν Constructed on the basis of the Diagnosis rules of EOP
ν Three causes to diagnosis failuresν Plant Dynamics (PD) ν Operator Error (OE) ν Instrumentation Failure (IF)
ν Results of the MDTAν All the possible (mis)diagnosis results
with diagnosis failure probabilitiesν Associated decision paths and causes
The MDTA-based Method (1/3)Stage 1: Assessment of the Misdiagnosis Potential
Diagnostic rules
Misdiagnosis causes
Mis-diagnosis results
The MDTA-based Method (2/3)Stage 2: Identification of Human Failure Events
Required functions for SLOCA
(the actual event)
Required functions for ESDE
(the misdiagnosed)
On the PSA event
sequence
On the EOP (LOCA)
On the PSA event
sequence
On the EOP (ESDE)
Reactor trip Reactor trip Reactor trip Reactor trip
HPSI HPSI (None) HPSI
LPSI in case of HPSI failure
(None) (None) (None)
(None) Isolation of LOCA (None) Isolation of
faulted SG
RCS cooldown using SG
RCS cooldown using SG
RCS cooldown using SG
RCS cooldown using SG
RCS cooldown using SCS
RCS cooldown using SCS
RCS cooldown using SCS
RCS cooldown using SCS
ν Classification of Unsafe Actions (UAs)ν UA-1: Unsafe actions related to required
functionsν Prior inappropriate actionsν Failure to perform required actionsν Failure to maintain required functions
(inapp. termination)ν UA-2: Unsafe actions related to unrequired
functionsν Manual initiation of unrequired functions
ν Steps for Identifying UAs and HFEsν Step 1: Construction of a comparison table
of the required functions between the actual event and the misdiagnosed event
ν Step 2: Identification of UAs ν For UA-1, Identify the essential functions
for the actual event that are not those for the misdiagnosed event,
ν For UA-2, Identify the required functionsthat are not required by the actual event but are required by the misdiagnosed event
ν A Rough Quantification Scheme for Assessing a Risk Impact of Diagnosis Failuresν Pr (HFE) = Pr (diagnosis failure) * Pr (unsafe action | diagnosis failure) *
Pr (non-recovery) ν Probability of a diagnosis failure: already given
ν Probability of Unsafe Actionν In the case that there is no procedural rules for the actions: 1.0 ν In the case that there are procedural rules for the actions:
ν Plant dynamics satisfy the procedural rules for committing UA: 1.0ν Plant dynamics do not satisfy the procedural rules for committing
UA: 0.1 ~ 0.05ν Probability of a Non-recovery [adapted from CBDTM]
Recovery Path (RP) Available time Probability of non-recovery
RP1: The procedural guidance on the recovery Ta > 30 min 0.2
RP2: The independent checking of the status of the critical safety functions
30 min < Ta < 1 hr
Ta > 1 hr
0.2
0.1
The MDTA-based Method (3/3)Stage 3: Quantification
ν The Korean standard HRA (K-HRA) Methodν Development of standardized procedure for the
conventional HRA ν Provision of detailed guidance and rules based on
consensus between HRA user organisations
ν Features of the K-HRA method ν Based on THERP/ASEP HRA
ν HEP = Pr (diagnosis error) + Pr (execution error)ν Diagnosis error probability is expressed by the available time
for diagnosis and adjusting PSFsν Execution error probability is a function of task type and
stress levelν Consideration of more structured PSFsν Standardization of analysis procedure, rules and criteria
The K-HRA Method (1/4)
The K-HRA Method (2/4)Overall structure
Pre -in it ia t in g
H FEs
Exec u t io n H EP
Po s t-in it ia t in g
H FEs
D iag no s is H EP
B as ic d iag n o s is
H EP
Weig h t in g f ac to r
Exec u t io n H EP
Prim ary tas k,MMI (a la rm ) ,
D ec is io n lo ad ,Pro c ed u re ,
Ed u c a t io n / Tra in in g
Task typ e o f sub task i
St res s leve l o f sub task i
B as ic exec u t io n
H EP
Sub tas k c o m p lex ity ,Pro c ed u re ,
Tas k f am ilia rity
Ava ilab le t im e ,Sc en a rio seve rity ,
En viro n m en t ,Ed u c a t io n / Tra in in g ,
Exp e rien c e
Pro c ed u re ,M an ag em en t ,
M M I
Revised exec u t io n
H EP
Task a llo w ab le t im e ,Pe rc e ived t im e ,Exec u t io n t im e
Ava ilab le t im e ,Sup erv is o r,
M M I ( f eed b ac k)
Su p e rv iso r,Pe rio d ic c h ec k
B as ic exec u t io n H EP
(5 .0 E- 3 )
We ig h t in g f ac to r
Su m (exec u t io n t im e)
Exec u t io n t im e f o r eac h
sub task
D iag n o s is ava ilab le
t im e
Rec o ve ry f a i lu re
H EP
Rec o ve ry f a i lu re
H EP
ν Assessment of Diagnosis Error ν Pr (diag. error) = Pr (nominal diag. error) * Adjusting factor
ν Pr (nominal diag. error) = f (available time for diagnosis = total allowed time – execution time)
ν Adjusting factor : Primary task (Y/N), MMI, Training, Procedure
The K-HRA Method (3/4)Diagnosis Error
0.0540.1650.8250.1650.5002.5000.8252.500
12.5000.1090.3301.6500.3301.0005.0001.6505.000
25.0000.2180.6603.3000.6602.000
10.0003.300
10.00050.000
10.00020.00060.000
보정값주관심작업(Yes/No)
MMI 수준(상, 중, 하)
절차서 수준(상, 중, 하, 없음)
교육/훈련 수준(상, 중, 하)
Yes (1)
상(1/2)
중(1)
하(2)
상
중
하
상
중
하
상
하
상
상 (1/3)
중 (1)
하 (5)
상(1/3)
중(1)
하(5)
No (20)상(1/ 2)
중(1)하(3)
Primary task
(Yes/No)
Level of MMI
(U/M/L)
Level of Procedure
(U/M/L)
Level of Training(U/M/L)
Adjusting factor
ν Assessment of Execution Errorν Pr (exe. error) = Σ [Pr (error in unit task)) * Pr (recovery failure)]
ν Pr (error in unit task) = f (task type, stress)ν Task type = f (task complexity, procedure quality, task familiarity)ν Level of stress = f (time pressure, scenario severity, task environment,
training)ν Pr (recovery failure) = f (allowed time, MMI, supervisor)
The K-HRA Method (4/4)Execution Error
단위작업복잡도 절차서 수준 시간 충분하고, 친숙한 작업인가? 단위작업 유형
Simple Response *
Step- by- Step
Dynamic
Step- by- Step
Dynamic
Dynamic
* 'simple response'는 상시 운전되는 계통의 운전 중이던 기기가 고장나서 대기 중인 기기가 자동 기동해야 할 때, auto 신호가 실패하여 운전원이 수동으로 신호를 발생시키는 경우에 국한해서 적용
단순 (단순 조작이고, MMI배열이 '상/중'이어서, 즉각적인 반응이 가능한 경우)
if- then (절차화된if- then 작업)
복잡 (연속적인 조절작업 OR 많은 입력정보를 확인, 취합해야하는 경우)
상, 중
하
하
상, 중
예
아니오
Task complexity Level of procedure Task familiarity Task type
시간긴급성 상황심각성 단위작업위험성
교육/훈련수준 스트레스 수준
Extremely HighExtremely High
Moderately High
Extremely High
Very High
Extremely High
Extremely High
Moderately High
Very High
Very High
Optimum
Moderately High
Moderately High
IE후 <= 29분
IE후 30~ 59분
IE후 >=60분
MCR상 중
하
LOCAL
예 (LOCA,안전계통 고장,Auto작동 실패)
아니오 (상태안정후 정지냉각운전인 경우포함)
해당직무가 마지막 수단일 경우(2시간 이내)
Local의 위험환경/특수의복
MCR
상 중
하
LOCAL
해당직무가 마지막 수단일 경우(2시간 이상)
MCR
상 중
하
LOCAL
Stress levelLevel of training
Task environment
Scenario severity
Time pressure
An Integrated HRA Framework(AGAPE-ET)
ν The EOP Structure of the Korean Standard NPP (KSNP)ν The KSNP EOP structure follows the CE-type EOPs, in which an initial
diagnosis, using the flowchart-based procedure, determines the response procedure.
ν The initial diagnosis can only be altered into the Functional Recovery Procedure during event response (through safety function status checking).
Event Diagnosis and Responses in a Flowchart-based Diagnostic Procedure
I. UAs/HFEs that might occur due to failure in an initial event diagnosis
II. UAs/HFEs that might occur during event responses after an initial (successful) event diagnosis
An Integrated HRA Framework (AGAPE-ET)
ν Group I: UA/HFE due to an initial event diagnosis failure
ν Events to be consideredν Case 1: A single initiating event (IE)ν Case 2: Multiple events (An IE +
Additional events that occur prior to event diagnosis)
ν Method for assessmentν Use of the MDTA method
ν Stage 1: Assessment of the misdiagnosis potential
ν Stage 2: Identification of UA/HFEsν Stage 3: Quantification of UA/HFEs
ν For Case 2, the probability that multiple events occur prior to event diagnosis is required for a scenario to be considered
ν Time of event diagnosis (based on simulator observations)
ν [6 min,14 min] after reactor trip (μ=10 min, σ=2.4 min, 95 %)
I. UAs/HFEs that might occur due to failure in an initial event diagnosis
AGAPE-ET (I)UAs/HFEs due to an initial event diagnosis failure
ν Group II: UA/HFE during event responses after an initial (successful) event diagnosis
ν Three Types of UAs consideredν Prior inappropriate actionsν Failure to perform required actionsν Inappropriate termination
ν Classification of event scenariosν Case 1: Event scenarios that are
composed of the safety functions and systems (or their alternative functions or system) associated with an initial diagnosis event(s)
ν Case 2: Event scenarios that contain additional events that require new safety functions other than those for an initially diagnosis event(s) (e.g., AE2)
ν Use of the K-HRA and MDTA methodsν For the type of ‘Failure to perform required
actions’, the K-HRA method is usedν For the type of ‘prior inapp. actions’ and
‘inapp. termination’, the MDTA framework is used
II. UAs/HFEs that might occur during event responses after an initial event diagnosis
Human Contribution to Failure of Requisite Functions
Prior acts that make a function unavailable
Failure to perform required actions
AGAPE-ET (II)UAs/HFEs during event responses
Failure to maintain a required function
Case 1 Case 2
Prior inapp. actions
ν Use of the MDTA frameworkν Plant dynamics (PD): Satisfying the procedural rules and criteria
phenomenallyν Operator error (OE): Applied only for the level of training ‘low’ν Instrument failure (IF): Likelihood of CCF
Failure to perform required actions
ν Use of the K-HRA method
Inappropriate termination
ν Use of the MDTA frameworkν Application Basis: Continuation of
the satisfied state of termination condition because the event diagnosis is correct
ν Plant dynamics (PD): Satisfying the procedural rules and criteria phenomenally in long-term manner
ν Operator error (OE): Applied only for the level of training ‘low’
ν Instrument failure (IF): Likelihood of CCF
ν Use of the MDTA frameworkν In the case that direct diagnosis
rule is available, same guidelines as Case 1 is applicable
ν In the case that direct diagnosis rule is not available, event diagnosis failure probability is considered 1.0 and the consequent EOC events are assessed using the quantification rules of the MDTA misdiagnosis cases
AGAPE-ET (II)Guidelines for use of the MDTA and K-HRA methods for the Cases of event scenarios
Case Study (1):Misdiagnosis of SLOCA (1/4)
ν Thermo-hydraulic analysis for plant dynamics (PD)
ν SLOCA can be categorized into the RCS pipeline LOCA and the PZR steam space LOCA
ν SLOCA Range: 0.38 in. ~ 1.91 in. (0.74 cm2 ~18.58 cm2)
ν Suspicious decision rules: the RCS subcooled margin (SCM)
ν T/H analysis using the MARS codeν Condition: All charging and Safety
Injection systems are operatingnormally
ν Results:ν RCS SCM: In an increasing trend over
the full range; 0.38 ~ 1.40 in. : > 15 oC(at the time of diagnosis)
ν SG Pressure: In a decreasing trend (a symptom of ESDE)
0 200 400 600 800 10000
5
10
15
20
25
30
RC
S su
bcoo
led
mar
gin
(C)
Time (s)0 200 400 600 800 1000
0
5
0
5
0
5
0
Time (s)0 200 400 600 800 1000
Time (s)
RCS SCM atCL 1.1 in. Break
RCS SCM atCL 1.4 in. Break
RCS SCM atCL 1.9 in. Break
Rx TripSI Initiation
0 200 400 600 800 100050
55
60
65
70
75
80
85
90
SG
Pre
ssur
e (k
g/cm
2 )
Time (s)
SG1&2 Pressure at CL 1.4 in. Break
Time of diagnosis
* Diagnosis Ruleν Is RCS SCM < 15 C and NOT
rising?ν Yes -> LOCAν No -> ESDE
ν Are both SG P > 75kg/cm2
and constant or rising?ν Yes -> Transientν No -> ESDE
Time of diagnosis
Case Study (1):Misdiagnosis of SLOCA (2/4)
ν Diagnosis failure probability for SLOCA
ν RCS pipeline LOCA: 6.47E-3ν SLOCA->ESDE: 6.44E-3 ν SLOCA->GTRN: 3.00E-5
ν PZR steamspace LOCA: 1.16E-2ν SLOCA->ESDE: 6.44E-3 ν SLOCA->GTRN: 5.20-3
Case Study (1):Misdiagnosis of SLOCA (3/4)
ν Risk impact (CDF)ν Fraction of RCS pipeline
LOCA: 0.9ν Inapp. term. of HPSI:
2.0E-2 ν CDF(RCS): 3.61E-7
ν Fraction of PZR steamspace LOCA: 0.1
ν Inapp. term. of HPSI: 0.1
ν CDF(PZR): 1.97E-7
ν CDF: 5.58E-7 (7.51 % ↑)
Case Study (1):Misdiagnosis of SLOCA (4/4)
ν Event scenario & HFEν [ ATWS * PSV * /HPSI ]ν Failure to maintain HPSI
(Inappropriate termination of HPSI)
ν HPSI termination conditionν RCS SCM > 15 C ν PZR Level > 33 % ν SG Level: 23.5~90 % & Steam
Removal thru. SBCS/ADVν RVHL > 16 % ν Reactivity control: OK
ν Assessment of HFEν No direct event diagnosis rule is given for PSV LOCA in ATWS recovery procedure =>
Pr(DF)=1.0ν Termination criteria of HPSI can be satisfied temporarily => Pr(UA)=1.0ν Non-recovery probability: Recovery by the procedure (0.2) and the STA (0.1)ν Pr(HFE) = Pr(DF) * Pr(UA) * Pr(NR) = 0.02
ν Risk impact (CDF)ν ATWS * PSV LOCA * HPI_term = 2.24e-5 * 1.5e-2 * 2.0e-2 = 6.72E-09 (CDF 0.09 % inc.)
Case Study (2):[ ATWS * PSV * /HPSI ]
Concluding Remarksν Advanced HRA framework (AGAPE-ET)
ν Advanced HRA framework integrating the MDTA methodand the K-HRA method has been developed and applied to example event scenarios
ν Pilot Application to Event Scenariosν Probability and risk impact of diagnosis failures for
some initiating events are unnegligibly highν Risk impact of EOCs under correct event diagnosis and
for additional events is relatively lowν Need for Use in operating and planned plants
ν For operating plants, it is necessary for identification of the risk-significant events that has the potential for a diagnosis failure, and revision of procedures and training
ν For planned plants, it is needed to use the method in the early stage of power plants and human factors design
Causes of diagnosis
failureAssessment methods Quantification data & rules
Plant Dynamics (PD)
Fraction of an event spectrum where the behavior of a decision parameter does not match the established criteria
ν Step 1: Categorization of an event spectrum from the view of event diagnosis
ν Step 2: Identification of suspicious decision rules
ν Step 3: Qualitative evaluation of the misdiagnosis potential (T/H analysis)
ν Step 4: Quantitative evaluation of the misdiagnosis potential (T/H analysis)
Operator errors (OE)
Assignment of error probabilities to influencing factors by cognitive functions
ν Errors in information gatheringν Similarity confusion ν Multiple sources of information required
ν Errors in rule interpretationν Complexity of decision rules
Instrumentation failures (IF)
Common cause failures (CCFs) of a decision parameter
ν β -Factor CCF Model
)21(** TQQ TCCF ⋅⋅≅= λββ
The MDTA-based Method (2/4)Guidance for Assessing Misdiagnosis Causes
ν Criteria for determining the level of PSFs
상 직무의 목적, 진입조건 및 의사결정에 관련된 지침이나 주의사항 등 자세히 잘 기술된 경우. 또한 해당 직무에 관한 내용이 반복적으로 언급된 경우
중 직무 필요성 및 진입조건 등 의사결정에 필요한 지침이나 주의사항이 간략하게 나마 제시된 경우하 직무 필요성이나 진입조건이 제대로 기술되지 못했거나 이해하기 어렵게 기술한 경우
상 HF 작성지침을 준수하고, 직무 조건과 필요성을 명시하며, 수행 조치를 조작기기 수준까지 구체적으로 기술한 경우. 또한 필요한 모든 수행절차가 한 절차서 내에 기술된 경우
중 직무 조건을 간략히 기술하고, 수행 조치를 계통 단위로 기술한 경우하 직무 조건과 수행 조치를 너무 복잡 또는 단순하게 기술해서 이해하기 어려운 경우
없음 해당 직무를 기술한 절차서가 없는 경우
상 정상 운전 중에 경험하는 작업이거나, 해당 직무에 친숙할 정도의 교육/훈련 빈도와 수준(해당 직무를1년에 1회 이상 수행하거나 훈련하는 경우)
중직무의 목적은 알지만, 구체적인 직무 조건이나 상황은 해당 절차서를 보아야 하는 정도의 교육/훈련빈도와 수준(EOP의 최적운전절차서에 기술된 직무와 같이 해당 직무를 2년에 1회 정도 교육/훈련하는 경우)
하 직무가 어떤 경우에 무엇을 위해 수행하는지 들어보았거나, 해당 절차서가 어떤 것인지 잘 모르는 경우(EOP의 회복운전절차서에 기술된 직무와 같이 해당 직무를 2년에 1회 미만 교육/훈련하는 경우)
상 작업의 내용과 순서를 알고 있는 정도의 실제 경험 또는 교육/훈련 빈도와 수준(해당 직무를 1년에 1회 이상 수행하거나 훈련하는 경우)
중 작업의 내용은 알지만, 구체적인 수행 절차는 해당 절차서를 보아야 하는 정도의 교육/훈련 빈도와 수준(EOP의 최적운전절차서에 기술된 직무와 같이 해당 직무를 2년에 1회 정도 교육/훈련하는 경우)
하 작업이 무엇을 위해 수행하는지 겨우 들어보았거나 해당 절차서가 어떤 것인지 잘 모르는 경우(EOP의 회복운전절차서에 기술된 직무와 같이 해당 직무를 2년에 1회 미만 교육/훈련하는 경우)
진단관점
교육/훈련 수준
수행조치 관점
수행조치 관점
절차서 수준
진단관점
The K-HRA Method (4/6)Diagnosis Error
ν Probability of execution errorsν Nominal error probability for unit taskν Probability of recovery failures
The K-HRA Method (6/6)Execution Error
Task t ype St r ess l evel Nomi nal pr obabi l i t y
Low 0. 002 Opt i mum / Moder at el y Hi gh 0. 001 Si mpl e
Response Ver y hi gh / Ext r emel y Hi gh 0. 003
Low 0. 01 Opt i mum 0. 005 Moder at el y Hi gh 0. 01 Ver y hi gh 0. 02
St ep- by- St ep
Ext r emel y Hi gh 0. 05 Low - Opt i mum 0. 01 Moder at el y Hi gh 0. 03 Ver y hi gh 0. 08
Dynami c
Ext r emel y Hi gh 0. 25
시간 긴급성 MMI 제공 감독자 복구 실패 HEP
0.05
0.2
0.2
1
0.1
0.2
0.2
0.3
0.3
1
0.2
0.3
0.4
0.5
0.6
1
1
IE후 >= 120분
IE후 60~ 119분
상
중
예
아니오
예
아니오
IE후 30~ 59분
하예
아니오
상
중
예
아니오
예
아니오
하예
아니오
상, 중
하
예
아니오
예
아니오 .
IE후 <= 29분
Allowed time SupervisorMMI Recovery failure probability
ν Event scenario & HFEν [SLOCA/MLOCA] * /HPSIν Failure to maintain HPSI
(Inappropriate termination of HPSI)ν HPSI termination condition
ν RCS SCM > 15 C ν PZR Level > 33 % ν SG Level: 23.5~90 % & Steam
Removal thru. SBCS/ADVν RVHL > 16 %
Case Study (2):[SLOCA/MLOCA * /HPSI] after correct event diagnosis
ν Assessment of HFEν In RCS pipeline LOCA
ν Contribution from PD & OE is negligibleν Contribution of IF is assessed to be very low (~ 4.77e-9)
ν In PZR steamspace LOCAν Contribution from PD: Long-term phenomenal wrong indication of PZR levelν Contribution from OE is negligibleν Contribution of IF is assessed to be ~1.44e-5 (dependent on the CCF probability of RCS
SCM and RVHL)ν Risk impact (CDF)
ν SLOCA: 4.32e-9 (CDF 0.058 % inc.)ν MLOCA: 4.32e-9 (CDF 0.058 % inc.)
