1 Introduction

Compared with the traditional control system, the distributed control system (DCS) offers more flexible plant operation and is being used ever more widely in nuclear power plants (NPPs). DCS operators monitor the plant and perform operations mainly with a mouse on computer screens, instead of acting manually on the instrument panels, signal lamps, buttons and switches of an old control room. The new man-machine interface may change how operators perceive and reason, and so give rise to new kinds of human error. The reliability of the DCS has a significant impact on the safety and availability of a nuclear power plant, so the safety impact of the NPP DCS must be systematically evaluated and verified. Human reliability analysis plays an important role in the safety analysis of NPP operation. With the introduction of digital control systems in modern nuclear power plants, the operating environment of the main control room has changed substantially, and with it the operator’s cognitive process, behaviour patterns and task characteristics: information display, man-machine interface interaction and management, operating procedures, control and input devices, alarm systems, and operator decision-making and support systems are all affected. The DCS has many technical advantages, but the combination of these human factors with the DCS produces new human errors.

2 DCS Control Process Error Mode

2.1 DCS Control Features

The traditional main control room has a very large work space with a spatially dedicated man-machine interface: alarms, displays and controls each have their own distinct, easily seen physical location, and operators walk to the panels for different functions to perform tasks. In the DCS, information is displayed on video display units (VDUs) and a large display system (LDS), and controls are operated with the mouse and keyboard. The DCS man-machine interface tends to lack any physical sense of space; operators work in front of computers. All of this changes the operators’ cognitive process, so new human errors must be considered in the human reliability analysis of the DCS.

The primary tasks of nuclear power plant operators are monitoring and control, such as monitoring flow, starting pumps and switching valves. These primary tasks involve four cognitive processes: monitoring and detection, situation assessment, response planning and response implementation [1]. In the DCS, operators must also perform auxiliary tasks in order to complete the primary tasks. These auxiliary tasks are called “interface management tasks”. NUREG/CR-6690 lists the following general interface management tasks [2]:

(1) Configuration: setting up the man-machine interface of the computer workstation in the desired arrangement, for example by assigning software functions to a multi-purpose display.

(2) Navigation: accessing and retrieving specific parts of the man-machine interface on the computer workstation, such as displays or controls.

(3) Arrangement: adjusting how information is presented to the operator. This can happen at several levels, within and between displays, such as arranging items within a display page or window.

(4) Interrogation: querying the human-machine interface to determine information about its status, such as the current display’s relationship to the rest of the display network or the date of the most recent file. This category also includes the use of help systems.

(5) Automation: setting up shortcuts to simplify interface management tasks.

In a DCS the operator can see only part of the plant information at any one time through the VDU. This limited viewing area is known as the “keyhole effect” [3]. Operators must perform interface management tasks to reach information through these limited windows. Interface management tasks may affect the cognitive reliability of the operator: while carrying out primary tasks, operators must divert some attention resources to the interface management tasks, and because attention resources are limited, performance of the primary tasks may be impaired and slips and lapses may occur. In addition, the primary task may be interrupted by selection of the wrong display, slow execution or missed steps.

2.2 Control Process of Human Error

Past literature on human error offers many different definitions and classifications. Some human error modes in the DCS are the same as in the traditional main control room, but because the DCS has different characteristics, additional error modes are needed. Errors are usually divided into errors of omission (EOO) and errors of commission (EOC) [4]: an EOO is failing to carry out a required task, an EOC is carrying out a task incorrectly. Rasmussen classifies human behaviour into three categories (the SRK model): skill-based, rule-based and knowledge-based [5]. In skill-based behaviour the information takes the form of signals, and performance is governed mainly by pre-stored schemata represented by similar structures in the space-time domain. In rule-based behaviour the information takes the form of signs, and behaviour is guided by pre-existing IF-THEN rules. In knowledge-based behaviour the person faces a novel situation and has to form a plan of action in real time. The classification of human error in the SRK model rests on the difference in cognitive activity between these types of behaviour, and on the view that cognitive failure is the main failure mode at complex human-machine interfaces. Skill-based behaviour requires essentially no conscious attention and gives rise to two kinds of error, lapses and slips. Knowledge-based behaviour requires a relatively high level of cognition, rule-based behaviour somewhat less, and the errors arising from these two kinds of behaviour are mistakes. In terms of mechanism, slips and lapses are mainly attention or memory problems, whereas mistakes are mainly decision-making problems. Thus, for skill-based and rule-based behaviour, preventing human error mainly means preventing the operator’s memory and attention problems so as to avoid slips and lapses; reducing slips and lapses also reduces the likelihood of mistakes.
In addition, under accident conditions the aim is to reduce the operator’s decision-making errors, that is, mistakes made during the accident. Since the main cause of error is not the DCS design itself but the operator’s misjudgement, the difference between the traditional main control room interface and the DCS interface may be the main cause of lapses and slips in operator actions [6]. Swain and Guttmann [7] proposed six human error modes: omission of an operation, wrong object, incorrect operation, confusion of modes, improper operation and delayed operation.

2.3 DCS Cognitive Behavior Model

The human cognitive process includes sensation, perception, memory, thinking, imagination and other cognitive activities. Through these activities we come to understand the characteristics, nature and interrelationships of objective things. Cognitive load has a great impact on cognitive reliability: cognitive overload can make the cognitive process go wrong. The increase in the cognitive load of operators on the DCS is caused by the bottleneck of human cognitive resources (memory, attention and so on) [8]. When the cognitive resources demanded by an operating task match the cognitive resources available, the cognitive task is likely to be carried out well; if the demand exceeds the supply, or cognitive information is lacking, the operator’s cognitive performance declines and errors result.

Baddeley and Hitch’s working memory model [9] proposes two independent short-term memory buffers: a phonological loop that processes verbal information and stores numbers, and a visuospatial sketchpad that processes spatial information to determine spatial relationships, with a central executive responsible for coordinating the two and exchanging information rapidly between them. In the DCS, information encoded in the same form (verbal or visuospatial) easily interferes with itself, whereas in the traditional main control room operators can separate objects and systems spatially, which lets them form a more lasting, more reliable, clearer and more meaningful mental map during operation. In terms of long-term memory, the traditional control room is more “coherent” and “ecological” than the DCS, and operators are able to form a stronger “mental model” than on the DCS. In terms of attention, Wickens’s SEEV model [10] identifies four factors that govern where attention goes: the saliency of the signal, the effort needed to attend to the signal, the operator’s expectancy of the signal, and the relevance or value of the signal to the task.

3 Simulation Experiment

The simulator used in the experiment was designed and developed by China Guangdong Nuclear Power Group Co., Ltd. with reference to the Daya Bay PWR nuclear power plant, so that the environment of the simulation experiment is similar to that of the nuclear power plant. The experiment is based on a steam generator tube rupture (SGTR) accident in a nuclear power plant. The task analysis method is used to explore the reliability of the operator’s secondary side cooling and depressurization operation on the DCS. A steam generator tube rupture (SGTR) is the rupture of a heat transfer tube between the primary side and the secondary side. When the reactor is at power, the pressure on the primary side is much higher than on the secondary side, so when a heat transfer tube breaks, primary coolant leaks through the breach to the secondary side. The experiment analysed the rupture of a heat transfer tube in one steam generator and recorded the operator’s secondary side cooling and depressurization operation on the DCS during the simulation.

3.1 Task Analysis

The control tasks in the DCS consist of the primary tasks and the interface management tasks. One or more secondary tasks may fail during execution; if recovery is timely, the primary task can still succeed, but if recovery of the secondary task also fails, that failure causes the primary task to fail. To study the reliability of the operator’s secondary side cooling and depressurization operation on the DCS under the SGTR accident, the primary tasks and interface management tasks in the DCS are analysed and divided into observable sub-tasks of the control tasks. Human error in the primary tasks may lead to inappropriate control actions, whereas human error in the secondary tasks is likely to delay access to controls and displays, hinder the operator’s actions, or lead to selection of the wrong controls and displays [11]. There are no interface management tasks in the operation of the traditional main control room, but in the DCS interface management tasks make up a large part of the work. The primary tasks and interface management tasks in the DCS are analysed and modelled as unit tasks of the control tasks, so that basic human error probabilities for the unit tasks can be observed and calculated in simulator-based experiments or field operation studies. The unit tasks are: operation selection, screen selection, control device selection and operation execution [12]. In this paper an event tree model is established, the primary tasks and interface management tasks are placed in the event tree, and the results of the event tree analysis are quantified to obtain the reliability of the operator’s secondary side cooling and depressurization operation on the DCS.

3.2 Establish the Event Tree Model

In the simulated SGTR accident, the operator’s most important function on the DCS is to obtain and search for information. Then, based on the state parameters displayed on the VDU combined with his own mental model, the operator assesses the status of the plant, decides on a strategy and implements the response, for which a clear strategy must be developed. The event tree model established is shown in Fig. 1.

Fig. 1. The event tree model

Name | Content | Task category
\( {\text{S}}_{\text{tA}}^{{\prime }} \) | The operator successfully completes the interface management task preceding operation A | Interface management task
\( {\text{F}}_{\text{tA}}^{{\prime }} \) | The operator fails to complete the interface management task preceding operation A | Interface management task
\( {\text{S}}_{\text{tA}} \) | The operator successfully completes operation A | Primary task
\( {\text{F}}_{\text{tA}} \) | The operator fails to complete operation A | Primary task
\( {\text{F}}_{\text{TA}}^{{\prime }} \) | The operator fails to correct the error and complete the interface management task preceding operation A (recovery fails) | Interface management task
\( {\text{F}}_{\text{TA}} \) | The operator fails to correct the error and complete operation A (recovery fails) | Primary task

The value of A in the table is 1, 2, 3 or 4, corresponding to the symbols in the figure: A = 1 is the safety injection reset operation, A = 2 the reset operation for the faulted steam generator, A = 3 the primary circuit cooldown operation, and A = 4 the operation to stabilise the pressure of the faulted steam generator.

For \( {\text{F}}_{\text{t1}}^{{\prime }} \), the THERP handbook gives a nominal error probability of \( 1 \times 10^{ - 3} \) for the operator failing to complete the interface management task preceding the safety injection reset; taking the stress factor into account, this is corrected to \( 5 \times 1 \times 10^{ - 3} = 5 \times 10^{ - 3} \). For \( {\text{F}}_{\text{T1}}^{{\prime }} \), the operator failing to recover from that error and complete the same interface management task, the THERP handbook likewise gives a nominal value of \( 1 \times 10^{ - 3} \), corrected for the stress factor to \( 5 \times 1 \times 10^{ - 3} = 5 \times 10^{ - 3} \).

Similarly, from the THERP handbook, the corrected error probabilities of \( {\text{F}}_{\text{t2}}^{{\prime }} \), \( {\text{F}}_{\text{t3}}^{{\prime }} \) and \( {\text{F}}_{\text{t4}}^{{\prime }} \) are \( 5 \times 10^{ - 3} \), and the corrected error probabilities of \( {\text{F}}_{\text{T2}}^{{\prime }} \), \( {\text{F}}_{\text{T3}}^{{\prime }} \) and \( {\text{F}}_{\text{T4}}^{{\prime }} \) are also \( 5 \times 10^{ - 3} \).

\( {\text{F}}_{\text{t0}} \), the operator failing to detect the SGTR alarm, has a very small probability in the simulation and is neglected.

The quantified error paths of the event tree, \( {\text{F}}_{1} \), \( {\text{F}}_{2} \), \( {\text{F}}_{3} \) and \( {\text{F}}_{4} \), each require the initial interface management task and its recovery to fail, so their probabilities are:

$$ {\text{P}}\left( {{\text{F}}_{1} } \right) = {\text{F}}_{\text{t1}}^{{\prime }} \times {\text{F}}_{\text{T1}}^{{\prime }} = 5 \times 10^{ - 3} \times 5 \times 10^{ - 3} = 2.5 \times 10^{ - 5} . $$
(1)
$$ {\text{P}}\left( {{\text{F}}_{2} } \right) = {\text{F}}_{\text{t2}}^{{\prime }} \times {\text{F}}_{\text{T2}}^{{\prime }} = 5 \times 10^{ - 3} \times 5 \times 10^{ - 3} = 2.5 \times 10^{ - 5} . $$
(2)
$$ {\text{P}}\left( {{\text{F}}_{3} } \right) = {\text{F}}_{\text{t3}}^{{\prime }} \times {\text{F}}_{\text{T3}}^{{\prime }} = 5 \times 10^{ - 3} \times 5 \times 10^{ - 3} = 2.5 \times 10^{ - 5} . $$
(3)
$$ {\text{P}}\left( {{\text{F}}_{4} } \right) = {\text{F}}_{\text{t4}}^{{\prime }} \times {\text{F}}_{\text{T4}}^{{\prime }} = 5 \times 10^{ - 3} \times 5 \times 10^{ - 3} = 2.5 \times 10^{ - 5} . $$
(4)

The total probability of operator error in the SGTR accident response is the sum of the path probabilities:

$$ {\text{P}} = {\text{P}}\left( {{\text{F}}_{1} } \right) + {\text{P}}\left( {{\text{F}}_{2} } \right) + {\text{P}}\left( {{\text{F}}_{3} } \right) + {\text{P}}\left( {{\text{F}}_{4} } \right) = 1 \times 10^{ - 4} . $$
(5)
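As an added worked example (not code from the paper), the following Python reproduces the quantification of Eqs. (1) to (5): each step A = 1..4 has an interface management error probability \( {\text{F}}_{\text{tA}}^{{\prime }} \) and a recovery failure probability \( {\text{F}}_{\text{TA}}^{{\prime }} \), both set to the stress-corrected THERP value \( 5 \times 10^{ - 3} \), and the error path \( {\text{F}}_{A} \) requires both to fail. The step labels in the code are assumed for illustration, and the primary-task branches \( {\text{F}}_{\text{tA}} \) and \( {\text{F}}_{\text{TA}} \), which the page does not quantify, are left out. Alongside the sum of Eq. (5) it also computes the exact complement \( 1 - \prod_{A}\left( 1 - {\text{P}}\left( {\text{F}}_{A} \right) \right) \), to show that the sum is a rare-event approximation that slightly overstates the total.

```python
# Worked quantification of the Fig. 1 event tree (added example; not the paper's code).
# Numbers follow the text: THERP nominal HEP 1e-3 for an interface management task,
# multiplied by a stress factor of 5 to give 5e-3, used for both the initial attempt
# F'_tA and the recovery attempt F'_TA of each step A = 1..4. The step names are
# labels assumed for illustration; the primary-task branches F_tA / F_TA are not
# quantified on the page and are therefore not modelled here.
from dataclasses import dataclass
from typing import Sequence

THERP_NOMINAL_HEP = 1e-3   # nominal human error probability from the THERP handbook
STRESS_FACTOR = 5.0        # multiplier the paper applies for accident stress


def stressed_hep(nominal: float = THERP_NOMINAL_HEP,
                 stress: float = STRESS_FACTOR) -> float:
    """Corrected HEP = nominal value x stress factor (5 x 1e-3 = 5e-3)."""
    return nominal * stress


@dataclass(frozen=True)
class Step:
    name: str
    initial_hep: float   # F'_tA: interface management task before operation A fails
    recovery_hep: float  # F'_TA: the operator also fails to recover from that error


def path_probability(step: Step) -> float:
    """Error path F_A: the initial attempt fails AND the recovery attempt fails."""
    return step.initial_hep * step.recovery_hep


def total_failure_rare_event(steps: Sequence[Step]) -> float:
    """Sum of the path probabilities, as in Eq. (5) (rare-event approximation)."""
    return sum(path_probability(s) for s in steps)


def total_failure_exact(steps: Sequence[Step]) -> float:
    """1 - P(every step succeeds); differs from the sum only by products of tiny terms."""
    p_all_success = 1.0
    for s in steps:
        p_all_success *= 1.0 - path_probability(s)
    return 1.0 - p_all_success


HEP = stressed_hep()
# Assumed labels for A = 1..4, following the text's description of the four operations.
SGTR_STEPS = (
    Step("A=1 safety injection reset", HEP, HEP),
    Step("A=2 faulted steam generator reset", HEP, HEP),
    Step("A=3 primary circuit cooldown", HEP, HEP),
    Step("A=4 faulted steam generator pressure stabilisation", HEP, HEP),
)


def sgtr_summary() -> dict:
    """Per-path and total error probabilities for the page's four quantified steps."""
    return {
        "paths": {s.name: path_probability(s) for s in SGTR_STEPS},
        "total_sum": total_failure_rare_event(SGTR_STEPS),
        "total_exact": total_failure_exact(SGTR_STEPS),
    }


if __name__ == "__main__":
    summary = sgtr_summary()
    for name, p in summary["paths"].items():
        print(f"{name}: {p:.2e}")
    print(f"total (sum, Eq. 5): {summary['total_sum']:.2e}")
    print(f"total (exact):      {summary['total_exact']:.6e}")
```

Because every step uses the same corrected HEP, each path comes out at \( 2.5 \times 10^{ - 5} \) and the sum at \( 1 \times 10^{ - 4} \); the exact value is lower by about \( 4 \times 10^{ - 9} \), which is negligible here but would not be if the per-step probabilities were closer to 1. Changing `STRESS_FACTOR` or giving individual steps different `initial_hep` / `recovery_hep` values shows how sensitive the total is to the stress assumption, which the paper applies uniformly.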

4 Conclusion

Compared with the traditional control system, the change to a digital control system in a nuclear power plant changes the operator’s cognitive activity, which gives rise to new human errors that affect human reliability, and these new human errors bring risk to the system. This paper studies the reliability of the operator’s secondary side cooling and depressurization operation on the DCS under a steam generator tube rupture accident, reveals the operator’s cognitive process during the SGTR accident response, and provides technical measures for preventing and controlling human error in the interface management tasks and the primary tasks, in order to reduce risk and improve the safety level of nuclear power plants.