Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
1
Dynamic PRA Approach for the Prediction of Operator Errors
Kevin Coyne
Ali Mosleh
Center for Risk and Reliability
University of Maryland
College Park, MD
University of MarylandCenter for Risk and Reliability
2
Presentation Outline
� Presentation Outline
• Dynamic PRA Methods
• General Overview of ADS-IDAC
� Thermal Hydraulic Nuclear Plant Model
� Operator Model
• Dynamic Performance Influencing Factors
• Information Filtering and Perception
• Future Research Activities
3
Dynamic PRA
� Compared to conventional human reliability analysis techniques, dynamic simulation methods can improve the modeling of several important factors:
• Feedback between operator and reactor plant
• Timing and sequencing of events
• Success criteria
• Dependencies arising from situational context
� But, dynamic methods introduce several challenges:
• Truncation techniques needed to limit sequence explosion
• Quality of results dependent on realism of the underlying plant and operator models
• Interpretation of results
University of MarylandCenter for Risk and Reliability
4
ADS-IDAC Overview
� Accident Dynamics Simulator with the Information, Decision, and Action in a Crew Context Cognitive Model (ADS-IDAC)
� UMD has been developing, improving, and refining ADS-IDAC for nearly two decades
University of MarylandCenter for Risk and Reliability
RELAP Plant Model
Control Panel Operator IDAC Cognitive Model
Hardware Reliability
Instrument Reliability
Performance Influencing Factors
RELAP Plant Model
Control Panel Operator IDAC Cognitive Model
Hardware Reliability
Instrument Reliability
Performance Influencing Factors
5
Thermal-Hydraulic Model
� RELAP5 Thermal-Hydraulic Engine
• Recognized thermal hydraulic analysis tool
• Existing RELAP plant models can be readily adapted to the ADS-IDAC environment
� Plant models require some modifications
• Interactive controls and instrumentation
• Realistic representation of plant systems, protective features, and controls
� The current three-loop PWR plant model includes:• 200 indicators
• 90 controls
• 80 alarms
University of MarylandCenter for Risk and Reliability
6
Operator Model
� Operator actions guided by high-level goals and problem solving strategies
University of MarylandCenter for Risk and Reliability
Implements EOPs
• Active & Passive Information Gathering
• Memorized Rule-Based Actions
• Follow Written Procedures
Maintain Safety Margin
• Active & Passive Information Gathering
• Memorized Rule-Based Actions
Monitoring
Actions driven by operator’s situational assessment
• Active & Passive Information Gathering
• Memorized Rule-Based Actions
• Knowledge-Based Actions
Troubleshoot Abnormal Conditions
• Passive Information Gathering
• Memorized Rule-Based Actions
Maintain Normal Operation
CommentStrategiesGoal
7
Operator Model
� Operator profile specifies tendencies, preferences, and capabilities• PIF profiling factors
• Utilization of memorized information
• Problem solving preferences
• Threshold for diagnosing an accident condition
• Procedure pacing and adherence
• Information handling capabilities
� Operator knowledge base defines procedures, mental models, and heuristic rules
University of MarylandCenter for Risk and Reliability
8
Dynamic Performance Influencing Factors (PIFs)
� Three dynamic PIF factors have been implemented in ADS-IDAC:
• Information Loading
• Time Constraint Loading
• Criticality of System Condition
� Dynamic PIFs currently support:
• Procedure step skipping module
• Information gathering process
University of MarylandCenter for Risk and Reliability
9
Dynamic PIFs: Information Load
� Information Load PIF based on average information processing rate for each operator• “Information” includes
alarms, control panel interactions, and crew communication
• Includes both passive and active information load
� Related to operator task load
University of MarylandCenter for Risk and Reliability
−
−=
ThresholdLowerThresholdUpper
ThresholdLowerRatePerception
LoadInfoII
IIPIF
&&
&&
10
Information Load PIF
0
2
4
6
8
10
Information Processing Rate
PIF
Valu
e
tLowertupper
10
Dynamic PIFs: Time Constraint Load
� Measures amount of time available until a process parameter passes a critical threshold• Parameters and thresholds can be uniquely
defined for each operator• PIF value depends on amount of time
available and operator’s high level goal (e.g., normal operation vs. accident mitigation)
� Related to time pressure perceived by the operator
University of MarylandCenter for Risk and Reliability
i
Thresholdii
availableiP
PPt
&
,
,
−=
−
−−=
)(
)(110
,
,
lowerupper
loweravailablei
ConstrainTimeitt
ttPIF
Time Constraint Load PIF
0
2
4
6
8
10
Time Available
PIF
Valu
e
tlower
tupper
11
Dynamic PIFs: Criticality of System Condition
� Criticality of System Condition modeled after the Safety Parameter Display System (SPDS)• Measures plant deviation from
nominal (safe) conditions• Each operator can use a unique
combination of parameters, thresholds, and weighting factors
� Related to the operator’s perception of the severity of the plant state
University of MarylandCenter for Risk and Reliability
Parameter Criticality
0
5
10
Parameter Value
PIF
Valu
e
Lo-Lo
Limit
Hi-Hi
Limit
Hi LimitLo Limit
"Safe"
Value
∑
∑=
i
i
yCriticalitParameter
i
i
yCriticalitSystem
iPIF
PIFω
ω
12
Dynamic PIFs: Example
� Example Application –Steam Generator Tube Rupture• Operators utilize
procedure following strategy
� Dynamic PIFs reflect both plant dynamics and operator activities• Briefings and delays• Degrading and
improving plant status
• Periods of high task loads
University of MarylandCenter for Risk and Reliability
Key Plant Parameters
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
0 500 1000 1500 2000 2500 3000 3500 4000
time (seconds)
Level
0
10
20
30
40
50
Leak R
ate
(lb
m/s
ec)
SG A WR Level
PZR Level
SGTR Leak RateSGTR
Initiation
Manual Safety
Injection
Start RCS
Depressurization
Start RCS
Cool Down
Stop Safety
Injection Pumps
Equalize RCS/SG
Pressure
Dynamic PIFs
0
2
4
6
8
10
0 500 1000 1500 2000 2500 3000 3500 4000
time (seconds)
PIF
Valu
e
Time Constraint Load
Isolate
SG A
Time Available:
Low PZR Level Time Available: Low
RCS Pressure
Time Available:
Hi SG A Level
Dynamic PIFs
0
2
4
6
8
10
0 500 1000 1500 2000 2500 3000 3500 4000
time (seconds)
PIF
Valu
e
Time Constraint Load
Information LoadInfo Load: Post Trip
Alarm Cascade
Briefing
Hold
Isolate
SG A
Time Available:
Low PZR Level Time Available: Low
RCS Pressure
Time Available:
Hi SG A Level
Dynamic PIFs
0
2
4
6
8
10
0 500 1000 1500 2000 2500 3000 3500 4000
time (seconds)
PIF
Valu
e
Time Constraint Load
System Criticality
Information LoadInfo Load: Post Trip
Alarm Cascade
Hi SG A &
PZR Levels
Briefing
Hold
Isolate
SG A
Time Available:
Low PZR Level Time Available: Low
RCS Pressure
Time Available:
Hi SG A Level
High SCM &
SG A Level,
Lo PZR Level
Dynamic PIFs
0
2
4
6
8
10
0 500 1000 1500 2000 2500 3000 3500 4000
time (seconds)
PIF
Valu
e
Time Constraint Load
System Criticality
Information LoadInfo Load: Post Trip
Alarm Cascade
Hi SG A &
PZR Levels
Briefing
Hold
Isolate
SG A
Time Available:
Low PZR Level Time Available: Low
RCS Pressure
Time Available:
Hi SG A Level
High SCM &
SG A Level,
Lo PZR Level
13
Information Perception & Filtering
� All operator decisions and actions are based on perceived information
Raw data from the thermal-hydraulic model subject to filtering process
• Operator must gather information
• Biasing filter can distort information
� Differences between perceived and actual plant data can drive the operator toward error forcing situations
• Incorrect situational assessment leads to inappropriate action-rule activation
• Information distortion adversely impacts assessment of component, system, or plant state
University of MarylandCenter for Risk and Reliability
14
Modeling Potential Error Events:Branching Rules
� ADS-IDAC generates a discrete dynamic event tree (DDET) based on the application of simple branching rules
� Feedback from the plant model, information perception, and PIFs all influence the activation of branching rules
� The branching path from the initiating event to a final end state define the scenario trajectory
Error events occur when the sequence of branching events result in the failure to meet a plant need...
15
Conclusions
� Recent improvements to the ADS-IDAC code have dramatically improved the realism of plant and operator models.• RELAP5 Plant Model• Operator Goals and Problem Solving Strategies• Dynamic PIFs • Information Processing
Taken together, these factors reinforce the man-machine feedback loop and improve the ability of ADS-IDAC to model crew-to-crew variabilities and dependencies
University of MarylandCenter for Risk and Reliability
16
Future Work
� Knowledge base expansion� Model calibration
• Heuristic rules• Pace and timing of operator actions• Operator preferences/tendencies
� Validation• Halden HRA Comparison Study
� User interface• Facilitate ADS-IDAC model development,
revisions, and simulation execution
� Post processing tools• Sequence grouping and visualization• Importance measures and metrics
University of MarylandCenter for Risk and Reliability
17
UMD ADS-IDAC Project
Questions....
University of MarylandCenter for Risk and Reliability