1 Introduction

After the Fukushima nuclear accident, the reliability of important human actions in the context of a Severe Accident (SA) has attracted widespread attention. However, because the development mechanisms of severe accidents are not fully understood, the organizational structure involved is complex, and clear rules and guidelines for human actions are lacking, studies of the operator's response process and its reliability remain relatively insufficient. Existing research is unable to effectively identify the weak links among operators, procedures, organizations and other influencing factors, so targeted improvements of human reliability in SA situations are very difficult [1,2,3]. This paper carries out a reliability assessment of EFW injection, a typical important human action that is required in a SA when the severe accident dedicated valves (SADVs) cannot be opened successfully; the resulting high primary loop pressure may then lead to a steam generator tube rupture (SGTR) event. Based on the existing engineering design, its reliability is evaluated qualitatively and quantitatively, and detailed substantiation is provided by analysing whether the required operator actions are achievable in mitigating further adverse consequences, i.e. degradation of the fuel. This paper is divided into four parts. The first part introduces the severe accident and the EFW injection accident sequence, and identifies the important human actions involved. The second part gives the qualitative analysis of the reliability of the operator in the accident response process. The third part gives the quantitative analysis results. The final part summarizes and discusses the analysis results of this assessment.

2 Accident Scenarios Analysis

2.1 Severe Accident Introduction

Severe accidents can be defined as events that are beyond the Design Basis Conditions (DBCs). The additional protection and mitigation measures that are part of the design against severe accidents are termed Design Extension Conditions (DEC). DEC events are assessed under two different categories:

  • DEC-A: These sequences involve failures beyond the design basis analyses, however as with DBC events, the protection measures are designed to prevent core damage.

  • DEC-B: These sequences involve failures where core degradation or damage has occurred, and protection measures are designed to provide a substantial reduction in radiological release by maintaining containment integrity.

The generic features of severe accident progression are mainly dominated by physical processes relating to fuel degradation, and therefore the overall strategy to mitigate a severe accident is defined as “to maintain as many barriers between the core and environment as possible, for as long as possible”. This strategy can be largely achieved by maintaining the integrity of the reactor pressure vessel and containment.

Following any accident, if the core outlet temperature increases to above 650 ℃, then severe accident management conditions are entered. Upon entry into severe accident conditions, operators in the main control room (MCR) are required to implement the procedurally led initial response outlined in the Severe Accident Management Guidelines (SAMGs) to open the SADVs to reduce primary loop pressure. The initial response is performed before the emergency technical and decision teams would be required to support the MCR crew.

2.2 EFW Injection Scenarios Analysis and Bounding

Following a severe accident, the SAMG initial response will result in the operations team opening the SADVs to reduce primary loop pressure. In the event that the SADVs have failed to open as part of the initial response (most likely due to mechanical failure), operators must ensure that the Steam Generators (SGs) are supplied with feedwater to remove heat from the high pressure primary loop and prevent the occurrence of a SGTR event. Therefore, EFW injection would be required as a mitigation strategy to remove heat from the primary loop and minimise the likelihood of a SGTR.

An extract from the L2 PSA Event Tree is presented in Fig. 1: the first event ‘IE’ shows a plant damage state with high primary loop pressure as the initiating event. The second event ‘CI’ shows containment isolation. The third event ‘DEP’ represents primary depressurisation using the SADVs, and the final event ‘SG_FW’ represents SG feedwater.

Fig. 1. L2 Event tree extract from L2 PSA

The EFW is the preferred means to inject water to the SGs to remove residual heat from the primary loop following a severe accident. The EFW consists of three identical trains corresponding to each SG, each with a dedicated feedwater storage tank. Common headers exist on the suction and discharge lines which are normally isolated. The dedicated tanks can support of water demand. Each train of the EFW is located in an individual safeguard building. See Fig. 2 for a diagrammatic overview of the EFW injection system.

Fig. 2. Diagram of the EFW system

Manual EFW start is performed for the following DEC-B events:

  • Anticipated Transient without Trip (ATWT).

  • Station Blackout (SBO).

ATWT events involve the failure of the reactor trip system whenever it is called on during a nuclear power plant transient. An ATWT leading to a severe accident places a requirement for EFW to be started within 30 min following an SG low level alert, if SADVs have failed to open.

SBO events occur following a loss of offsite power and the failure of the backup/emergency diesel generators. For SBO events, if recovery of the external power source of the NPP is successful, then it is possible to restore EFW injection. If recovery of the external power source fails, then the L2 PSA claims that EFW injection is not available. A severe accident following an SBO event allows up to 60 min to achieve this objective. This assessment therefore considers the bounding scenario to be ATWT, based on the most onerous timescale for task completion.

2.3 Human Response Process Analysis

In the assessed scenario, once the SADVs failure is confirmed and a further cue of the low SG level limit being reached is provided, operators would subsequently be required to check whether the TST is operational and can act as the lead for diagnosing the correct response. It is reasonable to assume that the TST Crew are functional and assembled before entry into severe accident conditions, on the basis that severe accidents would be anticipated as the core outlet temperature increases and the controlled state cannot be achieved. If the TST are operational, the plant emergency organization will grant approval for the TST to take over as the primary decision-making body, and they will be responsible for performing the severe accident diagnoses, with instructions relayed by the TST crew to the MCR crew to control the plant. It is noted that in the event that the TST are not functional following SADVs failure, the MCR crew are directed by the SAMG initial response to inject water into the SGs without TST input, therefore ensuring that completion of this action is not dependent upon the TST being assembled.

Achievement of EFW injection requires operators to determine a viable EFW injection and discharge route with sufficient water supplies, and to start injection from the MCR within 30 min of the low SG level limit being reached.

The assessment defines tasks as follows:

  • Diagnosis Tasks (DT) – performed by the TST Crew, with support and error recovery opportunities provided by the MCR Crew.

  • Action Tasks (AT) – performed by the TST Crew (giving instructions) and MCR (execution and error recovery).

The success criteria for this human action are summarised as: operators start EFW injection within 30 min of the low SG level limit being reached following an ATWT event leading to a severe accident.

3 Tasks Analysis

3.1 Tasks Overview

Figure 3 presents the guidelines used for the severe accident scenario including the actions that are expected to be undertaken prior to the requirement for EFW injection.

Fig. 3. Tasks overview

The task steps necessary to complete EFW injection are described by the HTA in Fig. 4.

Fig. 4. Task steps described by HTA

The safety-significant task steps associated with EFW injection are therefore identified and grouped as follows:

DT: Determine the required strategy for EFW injection:

  • Perform SAMG periodic checks.

  • Detect the SG level low limit alert.

  • Detect SADV failure to open.

  • Determine requirement for EFW injection.

  • Devise EFW injection strategy.

  • Communicate strategy to MCR crew.

AT: Implement the selected EFW injection strategy; the steps depend on the specific injection strategy:

  • Depressurisation of SGs below EFW injection pressure.

  • Reconfiguration of EFW trains with EFW tanks and selected SGs via interconnector valves.

  • Configuration of discharge routes (VDA/VVP/GCT), as required.

  • Opening valves and starting the EFW pumps from the Hardwired Control Panel (HCP).

3.2 Diagnosis Task

Once the requirement for EFW injection has been determined, the TST are required to liaise with the operations team to devise an appropriate strategy for injection using the EFW, based on the available plant. The strategy is then communicated to the operations team for implementation. The initial cues for operator response are provided by confirmation that the SADVs have failed to open and that the low SG level alert is present. The low SG level alert may occur before the initial task to open the SADVs.

3.3 Action Task

The action task for EFW injection is performed by the operations team, once the strategy for EFW injection has been devised and communicated by the TST. The operations team are required to follow the strategy, configure the EFW system for injection and control/monitor flow rate to minimise the possibility of water hammer in the secondary loop.

The cues for this action task are provided by the TST, who will outline the various tasks required to configure the water tanks, injection and discharge routes for the EFW, as well as the safe injection limits. The TST crew may be consulted during this task for advice and support but cannot control the plant, as the TST working place is configured in monitoring mode only. EFW will be configured as a knowledge-based task, without procedures. Success of this action will lead to success of EFW injection.

4 Performance Shaping Factors Analysis

4.1 Cues and Human-Machine Interface (HMI)

There are two key cues for detecting the requirement for the diagnosis task:

  • SG low level limit alert on the KIC and TST working place.

  • Operations Team recognising that the SADVs have failed to open.

The precise timing of these cues is variable; however, the most onerous scenario is defined as the SG low level alert occurring before an attempt has been made to open the SADVs as part of the initial response. It is considered that multiple alarms would be present in the MCR following a severe accident, which could lead to a masking effect; however, key indications, including low SG level, are provided on the KIC via a banner that is permanently displayed at the top of each screen. It is noted that the current design does not intend for low SG level to be associated with an alarm, as this low level is frequently reached during normal operation of the plant. It is recommended that the SAMGs support regular checking of key parameters including SG level in order to support anticipation of EFW injection. In addition, it is further recommended that a wide-range and narrow-range SG level value comparison be provided to support timely diagnosis.

The cues to recognise that the SADVs have failed to open should be straightforward, as the SAMGs instruct the operations team to open the SADVs as part of the initial response, and will subsequently instruct operators to establish EFW injection if primary loop pressure remains high.

The SAMGs provide the necessary instructions for the TST to determine the required response and begin to devise a strategy for EFW injection. The TST would be required to collect a wide range of information using the TST working place and from consulting with the operations team in the MCR.

The series of key cues and feedback used to devise the strategy consists of:

  • SG pressure.

  • SG status (i.e. working, malfunctioning, damaged).

  • SG level.

  • EFW injection pressure.

  • Steam dump valve and/or condenser dump valve position.

  • EFW tank volume.

  • EFW pump status and flowrate.

  • EFW loop valve positions and mode (AUTO/MANUAL).

  • Primary loop temperature.

  • Core outlet temperature.

  • Atmospheric Steam Dump/Main Steam/Turbine Bypass valve positions.

  • Containment pressure (if injecting into faulty SGs, or to detect SGTR).

Operators would use this information, in conjunction with the SAMGs, to identify the SG injection limit and for how long continuous water supply is required. EFW injection is implemented without procedures, noting that the precise actions required depend on the strategy selected and that instructions would be developed when devising the strategy. Both the MCR and TST are equipped with telephones to relay instructions, and to contact the on-site emergency control center as needed.

4.2 Time Required

The assessed scenario considers that up to 30 min are available to establish EFW injection once the low SG level limit (T0) has been reached, in order to mitigate the accident and prevent further radiological release. Conservatively, the assessed scenario assumes that T0 occurs before the SADVs have been opened as part of the SAMG initial response. Therefore, the time at which operators are made aware of the need for a response (T1) and the time at which operators respond (T2) occur after the SADVs have failed to open, and the time between T1/T2 and completion of AT (T3) is less than 30 min. The TLA assumes an expected task duration of 15 min to determine the ASG injection strategy and an expected task duration of 6 min to implement ASG injection, on the basis of operating experience. To support the derivation of PSFs, this paper allocates up to 17.5 min for completion of DT and up to 7.5 min for completion of AT. Therefore, the task is demonstrated to be achievable, with a small time margin available, for the most onerous severe accident using conservative task duration data. It is noted that the duration of SG depressurisation is not critical to whether this task can be achieved within 30 min (Fig. 6).

Fig. 5. Timeline analysis

Fig. 6. Time allocation plan for PSFs

4.3 Procedure

A dedicated procedure is not available to operators for this task; however, instructions will already have been developed to support it. The operations team and TST possess copies of all SAMGs, and will liaise to communicate information and determine the required response. The purpose and structure of the SAMGs are aimed at limiting the release of fission products and maintaining containment integrity. The management guideline identifies key parameters to be monitored and prioritises mitigation strategies according to these parameters. Due to the significant number of steps required to configure the route, it is recommended that procedures or written aids be considered to enable efficient and reliable configuration of the EFW by removing the need for knowledge-based tasks.

4.4 Workplace and Environment

The EFW injection task is conducted in the MCR and the TST working place. During a severe accident, appropriate MCR and TST working environmental conditions can support reliable operation. If the normal and standby lighting systems have failed following the severe accident (e.g. during an SBO), the MCR safety lighting system will provide the necessary illumination for the MCR. The TST safety lighting system is supplied by the same uninterruptible power supply that provides the MCR safety lighting. The design of the MCR and the TST working place, and their supporting systems, is suitably resilient against the effects of a severe accident and ensures the environment remains sufficiently benign to support reliable operation.

4.5 Familiarity

Responding to a severe accident is an extremely rare event, experience of which will be limited to that provided by training. It is considered that training on severe accident conditions is likely to be infrequent and would provide limited familiarity with the conditions and stressors that would be present during an actual event.

4.6 Cognitive Workload

For DT, the operations team are required to respond to a single alert and determine failure of the SADVs, which is a straightforward task. Guidance is provided in the SAMG to help operators prioritise the severe accident mitigation strategy. To determine the strategy for injection, the TST crew are required to gather information from the TST working place and the operations team according to the SAMG instructions, and to process that information to determine the necessary response. The use of SAMG flowcharts and calculation aids will support TST decision making and selection of the appropriate strategy. The most cognitively demanding task is the calculation of the SG injection limit, which depends on the EFW flow rate, the level in each SG and the EFW water stocks. Failure to determine an acceptable injection limit could result in water hammer effects, leading to a SGTR in one or more SG tubes. DT is therefore judged moderately complex based on the task analysis; however, it is considered that operators are sufficiently supported by guidance, HMI and the operations team to complete the task [4].

For AT, procedures are unavailable to support operation; however, the required tasks for injection will have been devised by the operations team and TST crew, and the checking sheet can be used to support the task. Actions are undertaken from the plant computer information & control system or the hardwired control panel, and are familiar to operators who would have experience using, or training on, the EFW system, but operators would need to identify the necessary controls to configure and start the system as a knowledge-based task. The operations team are expected to verify the injection strategy suggested by the TST, but this is limited to checks on the selected strategy to confirm that the plant is operable and the most suitable SG is selected. The provision of a strategy supports achievability of AT; however, the lack of a dedicated procedure or written aid makes this task complex.

During a severe accident, multiple teams are required to co-ordinate as part of the overall response. The on-site emergency control organization may also be contacted to report diagnoses and confirm implementation of actions. Operators may be required to conduct several operations simultaneously, such that cognitive workload would be high for certain activities. It is recommended that frequent and dedicated communications channels be provided between the TST, MCR and on-site emergency control organization to diagnose and implement mitigation strategies affecting the plant.

4.7 Situational Awareness

A good level of operator situational awareness depends on suitably qualified and experienced individuals operating in accordance with well-designed procedures and HMIs, with clear communication channels and work processes in place to support quick and precise transmission and retrieval of critical information between the operations team, TST, and the on-site emergency control organization.

The key cues and necessary feedback are provided to the operator, and the SAMG periodic checks maintain operator situational awareness by regularly checking key plant parameters. Calculation aids are also provided to help plan strategies and anticipate the need for a response on plant. However, in the present phase, given the limited information that can be collected, this performance shaping factor cannot be analysed in detail [5].

4.8 Errors and Recovery

The key potential errors associated with the MCR operator’s task of devising the EFW injection strategy are:

  • Failure to detect the SG low level limit alert or failure of SADVs.

  • Operators fail to identify the requirement for ASG injection.

  • Failure to select a water source that can provide sufficient continuous water injection.

  • Failure to configure the correct injection/discharge routes.

  • Failure to start EFW pumps.

  • Failure to calculate, or to correctly calculate, safe ASG injection limits.

  • Failure to control EFW injection rate to SGs.

  • Strategy not correctly communicated to Operations Team.

A failure to correctly prioritise SGs for injection may result in EFW injection to malfunctioning or damaged SGs, when working SGs are available. This would not directly lead to scenario failure but may lead to containment pressure increase or ingress into the primary loop and therefore a requirement for further mitigating actions to minimise radiological release.

The error relating to safe EFW injection limits is considered the most likely to occur in a scenario with time pressure and extreme stress. The error is irrecoverable, and the consequences are significant. Therefore, it is recommended that the SAMGs provide clear warnings relating to the importance of adhering to safe injection limits, and that the TST calculations are fully verified by the operations team prior to implementation.

Errors of commission, such as failure to select the correct mitigation strategy, are minimised by the state-oriented procedures. The presence of two separate teams using shared information sources and copies of the SAMGs provides credible error recovery opportunities for this diagnosis task. An opportunity for the operations team to verify the strategy exists once the strategy is devised and communicated. Conservatively, no credit is given for recovery to support task completion within 30 minutes in the quantitative assessment [6].

5 Quantitative Assessment

5.1 PSF Values

According to the qualitative analysis, the PSFs for determining and implementing the requirement for EFW injection are derived in accordance with Part 1.A of the SPAR-H worksheet (evaluate each PSF for diagnosis). Table 1 presents the PSFs for diagnosis and actions.

Table 1. PSFs for operator response process

5.2 HEP Calculation

SPAR-H has two nominal HEPs: 0.01 for diagnosis and 0.001 for actions. These are modified in accordance with Part 1.B of the SPAR-H worksheet by multiplying the nominal HEP by the PSF factors given in Table 1. The human error probability is P = Pd + Pa, where Pd is the diagnosis error probability and Pa is the action error probability. Pd and Pa are calculated according to the following equations respectively [7,8,9].

$$ P_d = 0.01 \times \prod_{i=1}^{8} PSF_i \tag{1} $$

$$ P_a = 0.001 \times \prod_{i=1}^{8} PSF_i \tag{2} $$

An adjustment factor (Part 1.C of the SPAR-H worksheet) is required for this assessment because 3 negative PSF influences are identified. Therefore, the human error probabilities derived in Table 2/Table 3 do not represent the final HEP. The adjustment formula is as follows:

$$ HEP = \frac{NHEP \cdot PSF_{composite}}{NHEP \cdot (PSF_{composite} - 1) + 1} \tag{3} $$

Table 2. HEP summary for diagnosis task

Table 3. HEP summary for action task

5.3 Dependency

This human action is required following a failure of the MCR crew to open the SADVs to reduce primary loop pressure as part of implementing the SAMG initial response section; therefore the potential for dependency exists. It is considered overly conservative to assume that the TST is not functional to support EFW injection, on the basis that severe accidents would be anticipated as the core outlet temperature increases and the controlled state cannot be achieved. Dependency is assessed and presented in Fig. 5 based on the following considerations [10]:

  • Opening the SADVs is performed by the operations team; however, when the TST is functional it provides support and acts as the primary decision maker for this task, therefore the ‘crew’ has significantly changed.

  • Insufficient time is considered to exist between opening the SADVs and starting EFW injection, i.e. implementation actions are undertaken consecutively.

  • The task location is considered to differ due to the introduction of the TST for EFW injection.

  • Additional cues are provided, as opening of the SADVs is required once core outlet temperature reaches 650 ℃. Determining the need for EFW injection is also indicated by an alert for SG level low which is a key parameter that operators will be required to periodically check following a severe accident scenario (Fig. 7).

Fig. 7. Dependency analysis

The dependency of this task on failures made prior to core damage (i.e. the Level 1 PSA) is not considered to be a credible consideration, as the transition from an EOP oriented process to severe accident management is judged to be a decoupling mechanism.

5.4 Overall Judgement and HEP

Table 4 calculates the task failure probabilities without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probabilities and the Action Failure Probabilities. The task failure probability with Formal Dependence (Pwd) is also shown.

Table 4. Task failure probabilities
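The following worked calculation is an added example (not the paper's own code or Table 1–4 values) that carries the SPAR-H steps of Sections 5.2 and 5.4 through in code: Eqs. (1)–(2), the Part 1.C adjustment of Eq. (3) when three or more PSFs are negative, the sum Pw/od = Pd + Pa, and the standard SPAR-H dependence equations, which are assumed here since the page does not reproduce its dependency level. The PSF ratings below are constructed sample values chosen to resemble the qualitative findings (short time, stress, poor or missing procedures), not the paper's Table 1.

```python
"""Worked SPAR-H HEP calculation for an EFW injection style task (added example)."""
from math import prod

# SPAR-H nominal (base) HEPs quoted in Section 5.2.
NHEP_DIAGNOSIS = 0.01
NHEP_ACTION = 0.001

# The eight SPAR-H PSFs of the Part 1.A worksheet.
PSF_NAMES = ("available_time", "stress", "complexity", "experience_training",
             "procedures", "ergonomics_hmi", "fitness_for_duty", "work_processes")


def composite_psf(psfs):
    """Product of the eight PSF multipliers (PSF_composite in Eq. 3)."""
    missing = set(PSF_NAMES) - set(psfs)
    if missing:
        raise ValueError(f"missing PSF ratings: {sorted(missing)}")
    return prod(psfs[name] for name in PSF_NAMES)


def negative_psf_count(psfs):
    """A PSF is a negative influence when its multiplier is greater than 1."""
    return sum(1 for name in PSF_NAMES if psfs[name] > 1.0)


def hep(nhep, psfs):
    """Eq. (1)/(2), with the Part 1.C adjustment (Eq. 3) when >= 3 PSFs are negative.

    The adjustment keeps the result below 1 where a large composite multiplier
    would otherwise push NHEP * PSF_composite past a valid probability.
    """
    comp = composite_psf(psfs)
    if negative_psf_count(psfs) >= 3:
        return nhep * comp / (nhep * (comp - 1) + 1)
    return nhep * comp


def task_hep_without_dependence(p_d, p_a):
    """Section 5.4: P(w/od) = P_d + P_a."""
    return p_d + p_a


# Assumption: the standard SPAR-H/THERP dependence equations. The level the
# paper assigns in Fig. 7 is not reproduced on the page, so all levels are shown.
DEPENDENCE = {
    "zero": lambda p: p,
    "low": lambda p: (1 + 19 * p) / 20,
    "moderate": lambda p: (1 + 6 * p) / 7,
    "high": lambda p: (1 + p) / 2,
    "complete": lambda p: 1.0,
}


def task_hep_with_dependence(p_wod, level):
    """Section 5.4: P(wd), conditioned on the earlier failure to open the SADVs."""
    return DEPENDENCE[level](p_wod)


# Constructed sample ratings (not the paper's Table 1): barely adequate time and
# poor procedures for DT; no procedures and moderate complexity for AT.
DIAGNOSIS_PSFS = {"available_time": 10, "stress": 2, "complexity": 1,
                  "experience_training": 1, "procedures": 5, "ergonomics_hmi": 1,
                  "fitness_for_duty": 1, "work_processes": 1}
ACTION_PSFS = {"available_time": 1, "stress": 2, "complexity": 2,
               "experience_training": 1, "procedures": 50, "ergonomics_hmi": 1,
               "fitness_for_duty": 1, "work_processes": 1}

if __name__ == "__main__":
    p_d = hep(NHEP_DIAGNOSIS, DIAGNOSIS_PSFS)
    p_a = hep(NHEP_ACTION, ACTION_PSFS)
    p_wod = task_hep_without_dependence(p_d, p_a)
    print(f"P_d = {p_d:.3e} (composite {composite_psf(DIAGNOSIS_PSFS)}, "
          f"{negative_psf_count(DIAGNOSIS_PSFS)} negative PSFs -> Eq. 3 applied)")
    print(f"P_a = {p_a:.3e}")
    print(f"P(w/od) = {p_wod:.3e}")
    for level in DEPENDENCE:
        print(f"P(wd, {level:>8}) = {task_hep_with_dependence(p_wod, level):.3e}")
```

With these sample ratings both tasks trigger the Eq. (3) adjustment (three negative PSFs each), which is why the unadjusted products 0.01 × 100 and 0.001 × 200 are replaced by values below 1.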

6 Discussion

A Human Error Probability of 6.11E−01 (Pwd) is derived; the result shows that there is little margin for error recovery due to the short timescales in which the response is required by the operators and technical support teams.

The reliable task completion is significantly impacted by the following factors:

  • The short amount of time available to respond and the extremely limited margin to recover from errors. Significant errors are not recoverable to support task completion within 30 min.

  • The requirement to undertake a lengthy and complex process to determine the EFW injection strategy, and then implement it.

  • The requirement for different tasks to be completed by two separate teams, communicating by phone.

  • Performing the above during a severe accident, where conditions are extremely stressful, and the consequences of errors/task failures are high.

  • Undertaking implementation of the EFW injection strategy as a knowledge-based task.

The main recommendations are to provide procedures and written aids, and more training for operators and technical support teams, to ensure the crew has adequate situational awareness by removing the need for knowledge-based tasks before diagnoses or actions are required. The SAMGs should provide clear guidance, instructions, warnings and limits for regular, periodic checking of key plant parameters critical to mitigating a severe accident. A wide-range and narrow-range SG level value comparison needs to be provided to support timely diagnosis. A redesign of the SAMG initial response needs to be considered such that EFW injection is always diagnosed and performed by the MCR crew following SADV failure. Dedicated communications channels need to be provided between the TST, MCR and on-site emergency control organization. This ensures that the task can be progressed quickly following SADV failure, removes the need for handover and allows the TST to obtain situational awareness.

7 Conclusions

Usually, the operator passively adapts to the characteristics of the design product, which places the burden on the knowledge and memory of the operators to understand important information about plant configuration; this is not conducive to improving operator reliability and may cause unnecessary human error. The qualitative assessment demonstrates that the operator’s task of injecting EFW following the most onerous severe accident (ATWT leading to core damage) is achievable within the time available, although with a high HEP value. However, there is little margin within the scenario timescale for the recovery of significant errors to support timely completion of EFW injection, which has a negative effect on operator and technical support team reliability. It should also be noted that the conclusions of the assessment are highly sensitive to the assumed task step durations that have been applied to support PSF evaluation. Furthermore, the required task is feasible subject to validation of the recommendations relating to the cues, procedures, organisation and operators during the severe accident scenario. This paper, based on a relatively rough task analysis and the SPAR-H PSF value process, presents a conservative assessment; further detailed analysis and optimisation of the SPAR-H PSF value criteria can support a more accurate evaluation and identify more useful recommendations.