Appendix J
Human Reliability Analysis
This appendix describes the application of human reliability analysis (HRA) in probabilistic risk assessment (PRA).
HRA refers to the theory and practice of modeling human contributions to the overall reliability of complex systems (Kirwan, 1994). This includes modeling and quantifying human errors that increase the likelihood or severity of an accident, as well as modeling and quantifying recovery actions that can reduce the likelihood of an accident or mitigate its consequences.
Human error has been shown repeatedly to be a significant contributor to the risk associated with nuclear power plant operations. Researchers from Idaho National Laboratory, for example, found that human error was a significant contributor in over 75 percent of significant operating events that occurred during a 6-year period (1992-1997), highlighting the importance of accurately estimating the human contribution to overall risk (Gertman et al., 2002).
HRA is typically performed as part of PRAs to quantify the likelihood that people will fail to take actions that
• Are required for accident prevention or mitigation (errors of omission),
• Will cause or exacerbate the consequences of an accident (errors of commission), or
• Will terminate or mitigate the consequences of an accident (recovery actions).
The Fukushima Daiichi accident reaffirms the important role that people play in responding to severe nuclear accidents, and beyond-design-basis accidents more generally. The accident exposed some of the difficult situational challenges that arise during severe accidents as well as the psychological and team processes that influence recovery actions. It is essential that human performance be portrayed accurately in nuclear plant PRAs. Some of the specific needed improvements in this regard are described in the following sections.
J.1 NEED TO MORE REALISTICALLY MODEL COMPLICATING SITUATIONAL FACTORS
In responding to severe accidents at nuclear plants, operators are likely to face complex, unanticipated conditions (e.g., multiple interacting faults, failed or degraded sensors, goal conflicts, and situations not fully covered by procedures) that require them to engage in active diagnosis, problem solving, and decision making to determine what actions to take. This is commonly referred to as “knowledge-based performance.”
There is a need for HRA methods that more accurately model the kinds of complicating situational factors that are likely to arise in severe accidents, and beyond-design-basis accidents more generally, and the psychological processes that underlie performance in these situations. Fortunately, there is growing agreement on this point in the PRA community. Indeed, several research and development thrusts have been initiated by the nuclear power industry and the USNRC to improve HRA methods along this front (e.g., Lois et al., 2009; Bye et al., 2011; Roth et al., 2012; USNRC and EPRI, 2012; Whaley et al., 2012; Chang et al., 2014).
J.2 NEED TO MODEL THE BROADER DISTRIBUTED RESPONSE TEAM
The set of human actors responding to a severe accident goes beyond the individuals in the control room and the field. It also includes the advisory and command-and-control organizational structure that influences and directs operator actions. For the Fukushima Daiichi accident, this included personnel at the plant’s emergency response center, the headquarters emergency response center in Tokyo, as well as government personnel who monitored and sought to influence the actions at the plant (see Chapter 4). This highlights the importance of more accurately modeling the multiple decision makers involved in accident response as part of HRA (Helton et al., 2010).
J.3 NEED TO CONSIDER TEMPORAL, PHYSICAL, AND PSYCHOLOGICAL STRESSORS
It is also important to more realistically model the physical and psychological stressors that are likely to influence performance in severe accidents (Siu et al., 2013). The Fukushima Daiichi accident extended over multiple days and imposed severe mental and physical fatigue on control room operators, field staff, and personnel in the plant’s emergency response center. Control room operators and field personnel were also exposed to physical stressors (e.g., loss of lighting and high radiation) as well as psychological stressors associated with risk to their lives and those of their co-workers and families.
Realistic assessments of the actual environmental factors that plant staff could encounter following a beyond-design-basis event are important for identifying gaps in preparation. For example, ensuring that plant staff will have adequate access to personal protective equipment and training for its use is important in assessing how effectively they can perform. Likewise, assessing potential radiation levels during a severe accident and how they may affect personnel access and ability to perform functions is important. The assessment of how plant staff may be injured during an external event, such as being injured by falling debris in an earthquake, needs to consider the potential for injury not just in vital areas such as the control room, but also in other parts of the plant, because the need to provide care to injured plant personnel may affect the ability of uninjured personnel to perform emergency response tasks.
J.4 NEED FOR GREATER EMPHASIS ON SEARCHING VS. SCREENING
There is also a need to place greater emphasis on searching vs. screening in conducting HRAs/PRAs to avoid prematurely screening out important sources of risk. Siu et al. (2013) point out that current PRA screening practices would likely lead to the screening out of beyond-design-basis scenarios analogous to the Fukushima Daiichi accident on the grounds that they are highly unlikely. They persuasively argue that there is a need to develop improved screening methods to reduce the possibility that important scenarios (or classes of scenarios) are prematurely screened out:
[T]he ultimate success of screening depends on the pre-screening identification of all potentially important scenarios. Care is needed to ensure that this identification process is not unduly biased by prior expectations regarding what’s likely to be important. (Siu et al., 2013, p. 8)
From a human reliability analysis perspective, there is a need to ensure that the types of situations that arise in real-world accidents and that challenge human performance are explicitly searched for and considered as part of HRAs/PRAs. Methods for systematic search of plausible complicating scenarios already exist that can provide a foundation to build upon (e.g., USNRC, 2000c).
J.5 NEED FOR GREATER APPRECIATION OF PEOPLE AS A SOURCE OF RESILIENCE AND RECOVERY
The Fukushima Daiichi accident highlights the key role that people play in accident recovery. As discussed in Chapter 4, the majority of the physical systems that had been counted on to mitigate the accident at the Fukushima Daiichi plant were unavailable because of the loss of onsite power. Recovery ultimately depended on the ingenuity of the people on the scene to develop and implement alternative mitigation plans in real time (see Chapter 4). Humans are too often treated as the “weak link” in systems; indeed, the emphasis in HRA/PRA is on uncovering ways people can fail (human errors) and estimating failure probabilities.
There is growing evidence that people are a source of system resilience because of their ability to adapt creatively in response to unforeseen circumstances (Hollnagel et al., 2006; Reason, 2008; Pariès, 2011). The Fukushima Daiichi accident reaffirmed that people are the last line of defense in a severe accident. It is therefore important that their role in recovery be better modeled in HRA and more effectively supported.