
ENLARGED HALDEN PROGRAMME REVIEW GROUP MEETING 2022

Tuesday March 29th


■ Digitalization of Main Control Room (MCR)
■ Advantage of Digital HMIs
▪ Flexible to present information intuitively
▪ Flexible to implement automated functions
■ Human Factors Issues of Digital HMIs
▪ Screen navigation failure possibility
▪ Key-hole effect from the limited display area
▪ Change of communication pattern
▪ Human performance during failure of digital HMIs (due to network failure, software error, and cyber attack)

■ Simulator Data Collection
▪ Operator training records in APR1400 full-scope simulator
LDP: large display panel
IDS: Information display system
CPS: computerized procedure system
SC: soft control
ADVALS: advanced alarm system

▪ Scenario: ESDE (excess steam demand event) with CMF (common mode failure)
• Complete failure in safety-channel signals (showing current value)
• Real values are presented in the safety console
• Failure of reactor protection system and engineered safety feature – component control system
• No failure in non-safety-channel signals
• Alarms occurred:
  • Main steam line break with CMF
  • Low temperature of cold leg loop
  • Low pressure of pressurizer
  • Margin limit of core operating limit supervisory system
• Automatic popup window recommends opening an abnormal operating procedure
• The initial page of this procedure warns not to trust current information in IDS/LDP
• The initial page of this procedure directs the operators to trip the reactor

▪ Participants
• Licensed operators of the APR1400
• Half of crew has commercial operation experience
▪ Expected crew behaviors
• Move to the safety console and obtain real information
• Trip the reactor within 3 minutes (for training purposes)
• Manually actuate signals such as SIAS, CIAS, and MSIS
• Follow the instructions of SPTA, DA, and ESDE procedure
▪ Number of obtained records: 23
[Figure: scenario sequence: CMF procedure, reactor trip, SPTA, DA, ESDE]
CIAS: Containment Isolation Actuation Signal; DA: diagnostic action; MSIS: main steam isolation signal; SIAS: Safety Injection Actuation Signal; SPTA: standard post-trip action
■ (1) How reliably the operators obtained the information from the diversity system based on the false digital information
▪ Successful data acquisition / Total simulation records
▪ Regression analysis of the data acquisition
■ (2) How reliably the proceduralized tasks were accomplished
▪ Success and failure analysis using HuREX (Human Reliability data Extraction) framework
■ (3) How fast the initial emergency procedure was carried out
▪ The duration between the reactor trip and SPTA procedure entry
▪ The performance time per unit step of SPTA
▪ The performance time per unit step of DA
▪ The reactor trip time after the abnormal signal generation

■ Failure to acquire safety console information: 6 out of 23 training records
▪ Regression analysis for information gathering failures
• Technique: logistic regression with BIC-based stepwise variable selection (BIC: Bayesian Information Criterion)
• Variable candidates: commercial operation experience, training phase, experience of individual operators in same scenario (questionnaire), change of operator roles
• Selected variables in the statistical model
  • commercial operation, experience of reactor operator

| Commercial operation experience | Similar training experience of the reactor operator | # of Success | # of failure | Predicted prob. of regression model |
|---|---|---|---|---|
| TRUE | TRUE | 3 | 0 | 2.22E-16 |
| TRUE | FALSE | 10 | 0 | 1.08E-09 |
| FALSE | TRUE | 3 | 0 | 1.08E-09 |
| FALSE | FALSE | 1 | 6 | 8.57E-01 |

• (Sample size is too small)
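
Three of the four cells in the table above contain no failures, so a main-effects logistic model of these counts has no finite maximum-likelihood estimate: the two coefficients can always be pushed lower. The sketch below is an added example, not code from the presentation; it refits the four cells with plain gradient ascent (the page does not say which software or optimizer was used) and reads the predicted probability as the probability of failure, since 8.57E-01 = 6/7. All function and variable names are hypothetical.

```python
import math

# Cell counts constructed from the slide's table:
# (commercial_op, similar_training, failures, records)
CELLS = [(1, 1, 0, 3), (1, 0, 0, 10), (0, 1, 0, 3), (0, 0, 6, 7)]
NAMES = ("intercept", "commercial_op", "similar_training")
# Supremum of the log-likelihood: only the (FALSE, FALSE) cell contributes.
LL_SUP = 6 * math.log(6 / 7) + math.log(1 / 7)

def predict(b, c, s):
    """P(failure to acquire safety-console information) under the model."""
    return 1.0 / (1.0 + math.exp(-(b[0] + b[1] * c + b[2] * s)))

def fit(iterations, lr=0.05):
    """Main-effects logistic regression fitted by plain gradient ascent."""
    b = [0.0, 0.0, 0.0]
    for _ in range(iterations):
        grad = [0.0, 0.0, 0.0]
        for c, s, fails, n in CELLS:
            resid = fails - n * predict(b, c, s)
            for j, x in enumerate((1, c, s)):
                grad[j] += resid * x
        b = [bj + lr * gj for bj, gj in zip(b, grad)]
    return b

def log_likelihood(b):
    total = 0.0
    for c, s, fails, n in CELLS:
        p = predict(b, c, s)
        total += fails * math.log(p) + (n - fails) * math.log(1.0 - p)
    return total

def separated_predictors():
    """Predictors whose TRUE level never co-occurs with a failure."""
    out = []
    for j in (1, 2):
        if sum(cell[2] for cell in CELLS if cell[j - 1] == 1) == 0:
            out.append(NAMES[j])
    return out

if __name__ == "__main__":
    print("separated:", separated_predictors())
    for iters in (100, 1_000, 10_000):
        b = fit(iters)
        print(iters, [round(v, 2) for v in b],
              f"P(F,F)={predict(b, 0, 0):.3f}", f"P(T,F)={predict(b, 1, 0):.1e}",
              f"gap to sup={LL_SUP - log_likelihood(b):.4f}")
```

The coefficients keep decreasing with more iterations while P(FALSE, FALSE) settles at 6/7, so values such as 1.08E-09 mark where an optimizer stopped rather than a measured failure rate.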

 2118 primitive tasks observed in 17 records
▪ Successfully moved to the safety console (6 records were excluded)
▪ 20 cognitive errors were observed (mainly in response planning)
 HEP of response planning
Cognitive
▪ (Failure #) / (success# + failure#)= 2.59E-02 activity
Task Succ. EOO EOC HEP
Alarm 90 0 0
• Cf. existing APR1400 HuREX data= 8.16E-03
Indicator 598 0 0
(about 3.17 times higher in HMI-failed scenario) Synthesis 6 0 0
Information
▪ HEP comparison in detailed tasks Value 15 0 0
gathering
Comparison 330 0 0
(IG)
• RP-entry : 6.80E-03 vs 1.13E-03 Graph 0 0 0
(HMI-failed) (general) Abnormality 88 0 0
Trend 85 0 0
• RP-information: 3.64E-02 vs 7.85E-03 Entry 146 1 0 6.80E-03
Procedure 56 0 0
• RP-manipulation: 7.32E-02 vs 1.65E-02 Response
Step 90 0 0
planning
• About 4~6 times higher in HMI-failed scenario Information 423 16 0 3.64E-02
(RP)
Manipulation 38 3 0 7.32E-02
 The HEP increased from the HEP from Situation
RP-Noti
Diagnosis
0
0
0
0
0
0
general emergency interpreting Identification 6 0 0
(SI) Prediction 0 0 0
▪ High task complexity might matter Discrete 119 0 0
Execution Continuous 0 0 0
▪ Less experienced events using diversity systems (EX) Dynamic 8 0 0
EX-Noti 0 0 0

EOO: Error Of Omission; EOC: Error Of Commission
■ Statistics of performance time
DA: diagnostic action; SPTA: standard post-trip action; Stdev: standard deviation

▪ Reactor trip time: 2.38 min (stdev: 2.33 min)


▪ Comparison of performance time between general and HMI-failed emergencies

| Measure | Condition | Mean | Stdev | N |
|---|---|---|---|---|
| Reactor trip ~ entry of SPTA | Emergency with digital interface failure | 42.7 min | 85.8 min | 23 |
| Reactor trip ~ entry of SPTA | General emergency | 32.2 min | 30.7 min | 46 |
| Time for unit step of SPTA | Emergency with digital interface failure | 49.0 min | 54.3 min | 110 |
| Time for unit step of SPTA | General emergency | 25.3 min | 24.5 min | 210 |
| Time for unit step of DA | Emergency with digital interface failure | 16.0 min | 24.6 min | 34 |
| Time for unit step of DA | General emergency | 12.9 min | 14.2 min | 223 |

Mean difference was significant (P<0.001)


■ The simulator data was obtained and analyzed to understand human performance/reliability under digital HMI failure
■ Reliability of Information Gathering from Diversity System
▪ In addition to the support of computerized procedures and alarm systems, sufficient training/experience was critical to the reliability.
■ Reliability of Proceduralized Tasks
▪ The human reliability during proceduralized tasks decreased in digital HMI failure.
▪ This can be attributed to unfamiliarity with the use of the diversity system and to ambiguous information.
■ Performance Time
▪ All types of the observed performance time increased.
▪ But, due to high variability, only the change in SPTA time was significant (2x increase).

■ For HRA applications for digital HMI failure situations,
▪ The human error probabilities should be adjusted (e.g., about 3x increase).
▪ The human performance time should be adjusted (e.g., about 2x increase).
▪ The reliability of correct information acquisition should be counted during the assessment.
■ The analyzed data was not sufficient.
▪ Most observation times were as short as 15 min or less.
▪ A small number of records (23) were collected from a single scenario.
▪ More data should be collected considering various situations.
• What if the supportive function was not provided in CPS?
• What if the alarm information was not generated for the HMI failure?
• What if a small piece of plant information was missed or wrong?
■ HRP projects

■ Performance time for reactor trip in 23 training records
▪ Average reactor trip time from alarm occurrence: 2.38 min
▪ 7 out of 23 training records failed to trip within 3 minutes
■ Regression analysis for the reactor trip
▪ Technique: log-linear regression with BIC-based stepwise variable selection
▪ Variable candidates: commercial operation experience, training phase, experience of individual operators in same scenario (questionnaire), change of operator roles
▪ Selected variables in the statistical model:
• commercial operation experience, training phase
▪ Interpretation
• Basic reactor trip time = 1.88 min
• If crews are in pre-commercial operation, the trip time increases 2.95 times
• The trip time is reduced to 0.71 times its previous value for each full-scope training
• Trip time after the first training = 1.33 min
• Trip time after the second training = 0.95 min
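
The interpretation above corresponds to a multiplicative model, written out here as an added worked equation that is not on the original slide. The symbols $t$ (predicted trip time in minutes), $x_{\text{pre}}$ (1 for a crew in pre-commercial operation, 0 otherwise) and $n$ (number of full-scope trainings completed) are introduced for this illustration, and the baseline is assumed to be a crew with commercial operation experience and no full-scope training.

\[
\ln t = \ln 1.88 + x_{\text{pre}} \ln 2.95 + n \ln 0.71
\quad\Longleftrightarrow\quad
t = 1.88 \times 2.95^{x_{\text{pre}}} \times 0.71^{n}
\]

\[
\begin{aligned}
x_{\text{pre}} = 0:&\quad t(n{=}0) = 1.88,\quad t(n{=}1) = 1.88 \times 0.71 \approx 1.33,\quad t(n{=}2) = 1.88 \times 0.71^{2} \approx 0.95 \\
x_{\text{pre}} = 1:&\quad t(n{=}0) = 1.88 \times 2.95 \approx 5.55,\quad t(n{=}1) \approx 3.94,\quad t(n{=}2) \approx 2.80
\end{aligned}
\]

The first row reproduces the slide's 1.33 min and 0.95 min. The second row is the model-implied value for pre-commercial crews, which falls below the 3-minute training criterion only after the second full-scope training.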